House panel votes to mandate massive user tracking

House panel approves broadened ISP snooping bill | Privacy Inc. - CNET News

Declan McCullagh of CNET is reporting on a bill to require ISPs to maintain massive records on their users. According to the article this bill requires commercial Internet providers to retain "customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily-assigned IP addresses".

They are calling it the "Protecting Children From Internet Pornographers Act of 2011" in a flagrant attempt to make it politically difficult to vote against, even though the bill has nothing directly to do with Internet pornography or protecting children.

Were this bill to become law, it might cause real problems for the growth of public Wi-Fi where there is no user authentication. That would be a huge leap backwards for a very positive trend of late.

Of course, criminals will continue to be able to circumvent such tracking efforts trivially, making this primarily a mechanism for gathering information on innocent persons without any hint of suspicion or probable cause.

It is absolutely un-American to require every citizen to submit to continuous tracking and monitoring on the possibility that some tiny fraction of us will commit a crime. Law enforcement always lobbies hard for such provisions. Make sure your voice is heard that you value your privacy and your rights.

Contact your Representative and Senators if this is something you feel strongly about.

Excellent EFF post on failures of Cryptography regulation

The EFF has an excellent article on eight reasons why government regulation of cryptography is a bad idea. The short answer is: the bad guys can easily get it and use it anyway, and it will make security for the rest of us much worse (not including the Big Brother surveillance and constitutional issues).

India continues move towards surveillance state

India to Monitor Google and Skype - WSJ.com. As an extension of their policy of pushing for access to encrypted communications on RIM BlackBerry devices, they are now demanding access to data from both Google and Skype. India is demanding that Skype and Google install servers within India so the government can access the information on Indian users.

Obviously bad guys can trivially bypass this through the use of VPNs and by taking care to use servers located outside of India. The real impact will be to open all legitimate Internet users to universal surveillance.

Debate on recording on-duty police

Thanks to David Brin for linking to this article in reason.com about the debate over arresting people for recording active-duty police officers. In general, the specific law being broken is about making audio recordings without the consent of all parties.

As a privacy advocate, I find this situation puts me in an uncomfortable position. On the one hand, there is concern about the privacy interests of the police officers. On the other hand, this is one of the only ways of demonstrating police abuse or other bad actions. It also acts to balance the playing field where the police are already routinely recording most interactions through the use of dashboard cameras.

The origin of the term surveillance is the Latin from sur- "over" + veiller "to watch". It implies that surveillance is about being watched by those in power (above).

Sousveillance is a term that has been coined recently to describe participant recording, or recording from "below". That feels like a very different thing that should be fine as long as it is not hidden. Especially in circumstances where there is not a clear expectation of privacy.

I guess my solution to the conundrum would be to state that there should be no expectation of privacy on the part of authorities from recording when they are exercising those authorities. The citizens being interacted with would have a possible privacy expectation with respect to recording third parties however.

I am very interested in feedback and other thoughts on this one.

Security of BlackBerry in question

There has been a lot of media coverage of the threats of Saudi Arabia and the UAE to shut down BlackBerry connectivity in their countries unless RIM (the maker of BlackBerry) introduces a back door so they can monitor communications. I have been following this story closely, but wanted to wait until I had all the facts before blogging about it. At this point I don't think I am going to get the whole story. The statements I am seeing are absolutely contradictory and the whole thing is getting really fishy.

UAE/SA say that they need to be able to access BlackBerry communications, but they can't.

RIM says that their technology makes interception impossible because the communications are encrypted end to end between the BES server (located at the user's place of business) and the handset. RIM claims not to have access to the decryption keys.

Third parties claim that RIM has arrangements with other countries (including the US and Russia) which allows such access.

RIM responds that this is false and that they don't have this ability.

It looks like RIM and UAE/SA will come to an agreement while both continue to claim that they have not compromised their positions.

The moral of this story is that you should not trust security you can not fully analyze yourself. Anonymizer Universal uses strongly encrypted L2TP VPN technology to secure your information so even if your telecommunications provider is cooperating with surveillance they still can't read the contents of your messages.

Unfortunately Anonymizer Universal does not support BlackBerry yet, but iPhone, Windows, and Mac users are protected.

White House proposes warrantless access to Internet activity records

Privacy Digest reports on a new White House proposal to extend the powers of FBI "national security letters" to include gathering of "electronic communication transactional records". While this may appear to be a small change, the potential impact is huge.

These records include all the header information from emails: To:, From:, Time, and often Subject:.

It may also include a list of the full URLs that you visit.

While it does not include the contents of the messages, this level of detail is often more than enough to discover social networks, relationships, intentions, plans, political affiliations, and more.

The real problem is that there are no checks and balances on national security letters. They are issued by FBI offices on their own authority without review by a judge. Historically, self-restraint in the face of this kind of power has never worked well. While judges approve the vast majority of subpoenas and search warrants in a timely manner, they can reject egregious cases, and the mere fact of their review causes law enforcement to be more restrained in their use.

From the Privacy Digest article:

The use of the national security letters to obtain personal data on Americans has prompted concern. The Justice Department issued 192,500 national security letters from 2003 to 2006, according to a 2008 inspector general report, which did not indicate how many were demands for Internet records. A 2007 IG report found numerous possible violations of FBI regulations, including the issuance of NSLs without having an approved investigation to justify the request. In two cases, the report found, agents used NSLs to request content information "not permitted by the [surveillance] statute."

Declaration29 - EU plan to retain data on all Internet searches

The European Parliament appears to be trying to create a regulation to require search engine companies to retain total information about their user's searches for a period of years. If you are in the EU area, I strongly encourage you to reach out to fight this.

Declaration29: "A group of members of European Parliament is collecting signatures for a Written Declaration that reads: 'The European Parliament [...] Asks the Council and the Commission to implement Directive 2006/24/EC and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively'.

The Data Retention Directive 2006/24/EC requires that details on every telephone call, text message, e-mail and Internet connection be recorded for months, for the entire population, in the absence of any suspicion. As to what is wrong with data retention please refer to DRletter. The Written Declaration even wants to extend data retention to search engines, meaning that your search terms could be tracked for months back.

The proposed declaration has been signed by 371 MEPs (list of names here) - and thus reached the 368 members needed to pass it. Many MEPs signed because of the title of the document ('setting up a European early warning system (EWS) for paedophiles and sex offenders'), not knowing that they are endorsing blanket data retention as well. More than 30 MEPs decided to withdraw their signature, one even on the day of adoption."


Google "Street View" vans intercepted sensitive data

Cnet (among others) reports on Google's interception of personal information from open WiFi nodes, including passwords and e-mail.

Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.

To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.
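As an added illustration (not code from the article or from Google's actual service), here is a toy version of the lookup described above: the client reports only the BSSIDs it can see and their signal strengths, and a constructed database of base-station coordinates yields a weighted-centroid position estimate. Nothing about the frames' payload is needed, which is the point of the paragraph above.

```python
from typing import Dict, Optional, Tuple

# Constructed sample database: BSSID (hardware address) -> (latitude, longitude).
# Both the addresses and the coordinates are made up for this example.
BASE_STATION_DB: Dict[str, Tuple[float, float]] = {
    "00:11:22:33:44:01": (32.7150, -117.1610),
    "00:11:22:33:44:02": (32.7158, -117.1600),
    "00:11:22:33:44:03": (32.7142, -117.1622),
}


def rssi_to_weight(rssi_dbm: float) -> float:
    """Turn a received signal strength (dBm, normally negative) into a positive weight.

    Converting from dB back to a linear power scale makes a stronger signal
    (a nearer base station) count for more in the centroid. Each 10 dB of
    extra signal multiplies the weight by 10.
    """
    return 10 ** (rssi_dbm / 10.0)


def estimate_location(scan: Dict[str, float]) -> Optional[Tuple[float, float]]:
    """Weighted-centroid estimate from a client's scan report.

    `scan` maps BSSID -> RSSI in dBm, i.e. exactly what a device can learn
    from beacon frames without decoding anyone's traffic. Stations that are
    not in the database are ignored; if none match, there is no estimate.
    """
    total_weight = 0.0
    lat_acc = 0.0
    lon_acc = 0.0
    for bssid, rssi in scan.items():
        coords = BASE_STATION_DB.get(bssid.lower())
        if coords is None:
            continue  # unknown base station: contributes nothing
        w = rssi_to_weight(rssi)
        lat_acc += w * coords[0]
        lon_acc += w * coords[1]
        total_weight += w
    if total_weight == 0.0:
        return None
    return (lat_acc / total_weight, lon_acc / total_weight)


if __name__ == "__main__":
    # Constructed scan: a strong signal from station ...01, a weaker one from
    # ...02 (20 dB down, so 1/100 the weight), and one station the database
    # has never seen.
    sample_scan = {
        "00:11:22:33:44:01": -45.0,
        "00:11:22:33:44:02": -65.0,
        "AA:BB:CC:DD:EE:FF": -80.0,
    }
    print(estimate_location(sample_scan))
```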

It turns out that this is incredibly easy. With many of the WiFi chipsets built into personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.

The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.

If the connection between you and a website, email server, or other service is un-encrypted, then anyone near you can intercept it if you are using an open WiFi.

To be clear, open WiFi means that the underlying connection is un-encrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.

If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefore vulnerable.

Saving Internet Anonymity -- The Struggle is Joined

Lauren Weinstein's Blog: Saving Internet Anonymity -- The Struggle is Joined

I strongly encourage anyone with a commitment to Internet anonymity to read this blog post. An organized opposition to the existence of such anonymity is growing. Of course, like attempts to clamp down on cryptography, it will only impact the law-abiding while criminals use bots and other tools to circumvent the restrictions.

Between this and the push to remove the expectation of privacy from all stored emails, I am very concerned.

Question from a long time customer

A long-time customer recently sent in the following question. Since it should be of broad interest, I asked his permission to anonymously post and answer it here.

How do you know that subscribing to an anonymizer does not simply mark you for observation? We all know the NSA is capable of intercepting any electronic communication, and with gajillions of electronic communications happening every second, how would the NSA (or the FBI or the CIA or whoever it is who watches us) know which of those communications to watch? Seems like the people wanting anonymity would be the first on the list. Surely they COULD, couldn't they? That is, get the subscriber lists, which would enable them to intercept communications this side of the proxy - i.e., intercept on the way out, on the way TO the proxy, BEFORE it gets securely tunneled? And no, that would not be possible with the web, but it would with email. Supposedly. This is what has been proposed to me. What do you think? Does it have any validity?

It is certainly the case that the government could, in principle, monitor your access to privacy services. As long as that access is over a strongly encrypted connection, the contents of your communication, what sites you are visiting or who you are communicating with would be protected. The strength of your anonymity is then largely determined by the number of other users of the same service with which your traffic is being mixed.

In the United States, the use of privacy tools is not restricted. Strict separation of intelligence from law enforcement functions should prevent drift net monitoring of your use of Anonymizer from leading to any kind of legal investigation. The huge number of Anonymizer subscribers would also make this difficult and highly visible.

Outside of the US it is another story. Many countries exercise much greater control over the Internet. Even if it were not blocked by the Iranian government, accessing the Anonymizer website from within Iran would be a risky activity. Once again, the key here is safety in numbers. We have run anti-censorship tools in Iran that supported over 100,000 users. With those numbers, it is awkward for the government to go after people simply for using the service. This is not to say that if you are already under observation for some other reason that it would not give them added ammunition. Privacy tools are generally very effective at keeping you below the radar, but can be much less effective once you are on the radar for whatever reason.

The reality is that there is no evidence of widespread Internet surveillance being used in the US to track users of privacy services. As long as the connection to the service is well encrypted, you should be fine.

Argentine judge: Google, Yahoo must censor searches | Latest News in Politics and Law - CNET News

Argentine judge: Google, Yahoo must censor searches | Latest News in Politics and Law - CNET News

There is a disturbing trend towards increasing regulation of the Internet. In this case, Argentine judges have ordered Google and Yahoo to remove certain search results related to various individuals. This appears to be a back-door way of removing the content without actually having to go after all the sites hosting the objectionable content. The concept is that information that can't be found is almost the same as information that does not exist at all.

Because a few search engines dominate the market, they become an easy leverage point for achieving broad objectives. Countries like China and Iran have long understood the power of censoring the search engines to block access to information they don't have easy reach to censor directly.

Judge Orders YouTube to Produce Complete Log Files

In a lawsuit by Viacom against YouTube, a judge has ordered that YouTube produce its log files of every video ever watched on YouTube. These logs will contain the user ID and IP address of every viewer. The privacy implications are obviously huge. This information is clearly personally identifying. The judge does not agree with me on this point. Here is the relevant part of the decision:

Defendants argue that the data should not be disclosed because of the users’ privacy concerns, saying that “Plaintiffs would likely be able to determine the viewing and video uploading habits of YouTube’s users based on the user’s login ID and the user’s IP address” (Do Decl. ¶ 16). But defendants cite no authority barring them from disclosing such information in civil discovery proceedings, and their privacy concerns are speculative. Defendants do not refute that the “login ID is an anonymous pseudonym that users create for themselves when they sign up with YouTube” which without more “cannot identify specific individuals” (Pls.’ Reply 44), and Google has elsewhere stated:

We . . . are strong supporters of the idea that data protection laws should apply to any data that could identify you. The reality is though that in most cases, an IP address without additional information cannot.

Google Software Engineer Alma Whitten, Are IP addresses personal?, GOOGLE PUBLIC POLICY BLOG (Feb. 22, 2008), http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html (Wilkens Decl. Ex. M).

Therefore, the motion to compel production of all data from the Logging database concerning each time a YouTube video has been viewed on the YouTube website or through embedding on a third-party website is granted.

Yahoo posts pictures of wanted Tibetans

Yahoo and MSN helping to root out Tibetan rioters | The Observers

Yahoo! China posted pictures of "most wanted" Tibetan protestors on Yahoo! China's home page. Cooperation with lawful process in a repressive country is bad enough; here they are actively collaborating. Yahoo!'s claim that this was done by Yahoo! China, not by the Yahoo! mother-ship, seems disingenuous at best. Active support of censorship and oppression is clearly unethical. If this is not clearly on the wrong side of the line, then what in the world is?

Swiss bank in Wikileaks case abruptly abandons lawsuit | The Iconoclast - politics, law, and technology - CNET News.com

Swiss bank in Wikileaks case abruptly abandons lawsuit | The Iconoclast - politics, law, and technology - CNET News.com

In a follow-up to the earlier story, it seems that the judge finally realized the implications of his actions for free speech, and the fact that his injunction was almost completely ineffective. This is a really good thing. If the ruling had stood under appeal and become precedent, it would have significantly changed the Internet landscape.

Wikileaks domain name yanked in spat over leaked documents | The Iconoclast - politics, law, and technology - CNET News.com

Wikileaks domain name yanked in spat over leaked documents | The Iconoclast - politics, law, and technology - CNET News.com

Declan does a really good job here of discussing a fascinating case. WikiLeaks is a Wiki-based website designed to enable completely anonymous posting of tips and leaked documents. It is focused around enabling disclosure of information from repressive countries.

A US court recently ordered WikiLeaks' domain name registrar to disable their domain name because of some documents on the site about questionable offshore banking activities by a group of Swiss bankers.

The real shocker here is the draconian action against WikiLeaks prior to the resolution of the claim. It is also ineffective action because WikiLeaks is openly hosted under a number of domains in a number of different countries.

I am very interested to see how this story develops and whether the injunction will stand up once the details of the offending materials become clear.

Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes

FindLaw's Writ - Colb: Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes

This case raises some interesting questions about using cryptography. Not the usual ones about technical attacks, but about how strong crypto behaves in court. In general, if someone finds an encrypted volume on your computer, is that prima facie evidence of illegal materials and thus probable cause? Suppose it was called “my plans to kill the president”? In this particular case the defendant actually showed law enforcement people the contents of the encrypted directory, and the files located therein clearly indicated illegal content. That would seem to be his big mistake. The prosecutors are not guessing about the files in there; they know what is there already, and just want access.

At the end of the day, the defendant can always decide if the punishment for contempt for not revealing the password is worse than the punishment for what will be found inside. If the contents are really bad, he is best off resisting. I can’t see anyone doing 20 years in jail to compel production of the password.

Of course, in that amount of time, computers may be fast enough that brute forcing the password may be trivial. This is a real concern if the statute of limitations for your crime is very long or there is no limitation.