The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | Legislation

EU flag on keyboard

If this amendment passes, it will significantly reduce the perceived advantages of using servers outside the US. No only would the server still be subject to whatever legal process exists in the hosting country, but they would also be open to legal hacking by the USG.

Newly Proposed Amendment Will Allow FBI to Hack TOR and VPN Users | Hack Read

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

Email Privacy Hearing Set To Go Before The House On Tuesday | WebProNews

The House Judiciary Committee is going to be discussing the Electronic Communications Privacy Act. There is a chance that they will strengthen it.

This act was written decades ago, before there were any real cloud solutions. Email was downloaded by your email client, and immediately deleted from the server. They law assumed that any email left on a server more than 180 days had been abandoned, and so no warrant was required for law enforcement to obtain it.

These days, with services like gmail, we tend to keep our email on the servers for years, with no thought that it has been abandoned. Law enforcement is opposing reforms of this law because it would make their work more difficult. Doubtless it would, as does almost any civil liberty.

Earlier this month Zoe Lofgren introduced the Online Communications and Geolocation Protection act, amending ECPA. It would require a warrant to obtain cell phone location information. There is clearly some momentum for reform.

· · · · · ·

House panel approves broadened ISP snooping bill | Privacy Inc. – CNET News

Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain “customers’ names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses”.

They are calling it the “Protecting Children From Internet Pornographers Act of 2011” in a flagrent attempt to make it politically difficult to vote against it even though the bill has noting directly to do with Internet pornography or protecting children.

Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very possitive trend of late.

Of course, criminals will continue to be trivially able to circumvent such tracking efforts making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probably cause.

It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.

Contact your Representitive and Senators if this is something you feel strongly about.

· · · · · ·

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea.

The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the big brother surveillance  and constitutional issues).

· · · · · · ·

Technology Firms Back Privacy Bill –

It looks like many technology companies recognize that the writing is on the wall and that some kind of consumer privacy legislation will come down the pipe at some point.

They are endorsing this one (with some suggested changes) because it adopts a self-regulatory program, rather than requiring specific actions.

It is a tricky balance. On the one hand self-regulation is notoriously ineffective and self serving. On the other hand, detailed regulation is almost always out dated before it is passed and does at least as much damage as good.

· · · ·

This NYTimes article discusses a bill which the Obama administration is proposing to submit to congress. The general background of the bill is that evolving technology has made it more difficult for law enforcement to conduct effective wiretaps and other intercepts because much of the targeted communication now takes place on the Internet and is often encrypted.

The actual text of the proposed bill does not appear to be available, but the article lists the following likely requirements.

  1. Communications services that encrypt messages must have a way to unscramble them.
  2. Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
  3. Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

The first of these is similar to the CALEA law which requires telecommunications carriers to design their services to enable automated real time intercepts. While this generally sounds reasonable when “we” say it, the idea is more ominous when coming from some other governments.

The second of these feels uncomfortably familiar. See my past blog posts (and here)on the attempts of privacy hostile countries to require similar concessions from RIM.

The third proposal is completely outrageous. In effect it says that I may not speak in a way which is unintelligible to the wire tappers. As a colleague quipped “I am hiring Navajo code talkers.” This would require a back door be inserted in to cryptography tools. Experience shows that any crypto system with such a back door will be breached and then left vulnerable to the enormous number of criminal hackers on the Internet today.

In 1993 the US Government proposed a system called the “Clipper Chip” which would provide all encryption for personal computers, but to which the US Government would have back door access. This was a terrible idea then, it was widely ridiculed, and suffered a well justified death by 1996. This third proposal would be much worse. It is asking huge numbers of non-crypto experts to build back doors in to their systems. Frankly, the cryptography in most software is already badly broken in many cases. Something as subtle and complex as a secure and effective law enforcement back door would be far beyond their abilities and render currently poor security completely untrustworthy.

All this is not to mention the potential abuse by oppressive regimes, who will pounce on the capability to further crush dissent within their countries. Finally, it will be largely ineffective against serious threats. Very strong and easy to use cryptography is already available world wide, for free (GPG, ZPhone, TrueCrypt, etc.). This is a classic case of damaging the innocent while leaving the guilty and dangerous unaffected.

It seems to me that there is a pendulum swing to these things. Technology cuts both ways. Some times it favors the interceptor and some times it favors the communicator. In most ways the Internet has been a fantastic boon to law enforcement. Cloud computing, email hosts, social networking, open WiFi, and huge hard drive that encourage people to save everything all provide law enforcement with enormous amounts of information they could never have collected in the past.

It may not be shocking to anyone that there is no federal push to make that more difficult to access while pushing to enhance their ability to intercept encrypted communications.

All this is argument about a bill we have not seen yet. Let us hope that the furor that has swirled around it will cause it to be retraced or modified significantly before it is actually delivered to congress.

No tags

Lawmakers To Introduce New Internet Privacy Bill : NPR

Rick Boucher (D-VA) has released draft legislation to significantly increase required privacy notifications for Internet users.

Many websites are fighting the proposed bill, claiming it would hurt their business. I am unsympathetic to complaint that their business would suffer if people actually knew what they were doing with your information. Given that this would apply to all websites, if a policy is no worse than average it should not drive people to other sites.

I would very much like to see the market start to enable competition on the basis of privacy policies.

We shall see how this actually turns out once it has been through the sausage making process. My experience is that most bills about technology end up doing more damage through unintended consequences than they actually help.

No tags

Apparently the legislators in Louisiana feel that crimes committed with an electronic map are much more serious than those committed with the aid of paper maps. Not just some of them, the vote in the Louisiana House approved it unanimously (89-0).

If a “virtual street-level map” is used in the commission of ordinary crimes, a mandatory additional year must be added to the sentence. In cases of terrorism, the penalty is 10 years.

This should prove a boon to the sellers of Thomas Bros. high resolution map books.

The unanimous nature of this decision makes it clear the degree to which our leaders lack any political spine. They are obviously concerned that voting against this will appear “soft on crime” despite the fact that this will have no real impact at all, and is trivial to circumvent. It is a waste of time and attention on what Bruce Schneier calls “Security Theater”.

No tags

I have been following a number of stories like this,Congress Follows Email Trail –, about the Whitehouse use of RNC controlled email accounts to discuss the firings of federal prosecutors. The law appears quite clear. Official Whitehouse email is a document that must be retained. Discussions of firing federal prosecutors sounds official to me. Therefore the Whitehouse was wrong to use outside email addresses to keep the discussions secret.

I am not comfortable with the law in the first place. Email and other electronic communication media like chat and IM are often used more like casual conversation than formal memos. Few would argue that the President’s every word should be recorded at all times. It would make discussion and debate next to impossible. In the process of thinking through an issue one may consider many potentially unpopular ideas, if only for the purpose of argument. Free and unconstrained give and take generally leads to be best understanding and decisions. Free and unconstrained debate can not take place with the world looking over your shoulder and scrutinizing every word.

If we accept that email and chat are used like conversation to hash out ideas, then it is very damaging to the process to place heavy recording and monitoring requirements on it. At the same time, having no oversight substantially reduces accountability. It might even facilitate corruption.

This really shows in a microcosm the greater question of general communications privacy vs. law enforcement access. It is a hard balancing act because there is very little middle ground. Basically you are either monitored or not. Having monitoring of a random half of the messages is going to make everyone unhappy.

No tags

I have seen a couple of articles recently on the third attempt by Congress to pass an anti-spyware bill (this time H.R.964 aka “The Spy Act”).

False Sense Of Security?
Even if the law is needed to intervene, it is unlikely to impact a significant fraction of the offenders, who are operating in countries and jurisdictions that are uncooperative with US law enforcement. Foreign criminal elements will laugh at these laws, and there may be a danger if the passage of a law lulls people into a sense of false security, causing them to lower their guard.

It is interesting to see the Direct Marketing Association (DMA) fighting this legislation so aggressively. The plea for self regulation clearly indicates a desire to continue using these kinds of tactics. Specifically, Dave Morgan of the Interactive Advertising Bureau (IAB) described “consent” and “prescriptive notice” as “extreme measures.” while to me these seem the least requirement for “informed consent” and should form the baseline of privacy policy.

The core principle is that people need to have the ability to know when their information is being captured, know how it will be used, and have some ability to avoid this if they so choose. Legislation that effectively embodies this will be robust against the fast changing technological background, while narrowly tailored laws are likely to be easily bypassed by new technical tricks.

No tags