Monday, December 5, 2011

Of RootKits and Cell Phones

Lawyers, this article is for you: Beware…using your cell phone for confidential conversations my violate client confidentiality! Why you ask? Because a 3rd party may be listening in on your 1) voice calls, 3) text messages, and 3) client emails. The company is Carrier IQ, and they have partnerships with every major cell phone carrier and their software works on every major smartphone.

Carrier IQ didn’t want this information to get out. They sued the person who posted the information in a video on YouTube. His video shows detailed descriptions of how they can snoop on even encrypted conversations…and you can’t disable their software. It isn’t clear what terms and conditions that come with your cell phone that authorize this, if any. I should also say that this is unprecedented…even if you accept the claim that this was to help improve customer service…Microsoft never went to these lengths to help analyze their software.

Here’s how it works: If you type a client text email on a smartphone, for example, Carrier IQ will collect that info to help "analyze your usage experience.” Unlike what Microsoft does for their experience monitoring, Carrier IQ collects the actual info you put into your phone. The blogger who discovered this also indicates that it can record voice calls, although he doesn’t demonstrate this on the video. Since there is no opt-out and no privacy policy that you agree to with Carrier IQ, presumably there is nothing preventing them from collecting all of your information.

The law in this area is very interesting. As far as I know, there has not yet been a case in the US about whether documents obtained via an Attorney’s hacked computer are admissible in court. There have been a number of other cases over time, the most celebrated being Clark v. State, 261 S.W.2d 339, where a switchboard operator who listened in on a telephone call between an attorney and his client was allowed to testify. Does that mean if Wikileaks gets a copy of a law firm's client correspondence, then that becomes admissible? What if they get recordings of client phone calls?

When last checked, Carrier IQ’s website says that they have their software installed on 141 million handsets. The reporting on Carrier IQ suggests that their software has been installed on every major device for the last 6 years. That’s more intel on phone usage than all the wiretaps in the US that have EVER been authorized. In 2010, there were 3194 authorized wiretaps. Carrier IQ’s Intel includes information from all major carriers including Verizon, AT&T, and TMobile customers. That’s half of America being watched without their knowledge. Since they’re calling other people with their smartphones, it’s a good chance that Carrier IQ knows who all of your friends are, whom you’re having an affair with, where you’re having it, and when you wife is calling her lawyer to file for divorce.

6 years ago, Sony installed a rootkit on people’s computers and ended up settling with 39 states for $4.25 million. They also agreed to have regular privacy audits and a number of other concessions to individual states. The figures aren’t clear for how many users this effected. One study suggested that there were 12,588 networks that had a Sony rooted machine on them. Each network could have had multiple computers on it. This scandal for Sony still falls far short of what Carrier IQ has done.

So the question on everyone's mind is what will happen to Carrier IQ? Lawsuits? Congressional Hearings? Will the major carriers drop their contracts with Carrier IQ and remove their software from customer cell phones?

Senator Al Franken (D-Minnesota) wrote a letter to the company last week demanding to know what data the company was collecting. You'll recall that earlier this year, Senator Franken introduced his "Location Privacy Protection Act" after it was revealed that Apple's iPhone had been logging GPS data in their phones (possibly inadvertently). No word yet on if the company has responded.

Monday, November 14, 2011

Computer Fraud and Abuse Act (CCFA)

If I was an attorney (I am) and if I worked for an ISP (I kinda do), and I was feeling a little punchy...what if I decided to write into my terms of service for my organization that any user going to Google was a violation of their terms of service and their Internet access would be shut off.

The Federal government says that if a user violates the terms of service of their ISP, then they've committed hacking under the Computer Fraud and Abuse Act and could face jail time. This is what happened to Lori Drew. She had a role in a cyberbullying incident that led a teenage girl to commit suicide. She was found guilty but the verdict was thrown out because the CCFA was "constitutionally vague."

What the CCFA has done, then, is to give a group of unelected lawyers the power to create law out of thin air. Go to Google, you're a hacker. Send an email with the word, llama, in it you're a hacker. Lie about your age in an online dating ad, you're a hacker. Wait, that last one is already in most terms of service. So that makes what percentage of Internet enabled Americans hackers?

This is what George Washington University Law provessor Orin Kerr who will be testifying before the House Judiciary Committee's Subcommittee on Crime, Terrorism, and Homeland Security, according to an article in Wired. He will argue that the CCFA should be amended. The problem is, essentially, is that "Hacking" is hard to define. This is only made more difficult because there are lots of things that you can do with a computer that aren't necessarily intended, but the user really has no way of knowing what was intended or authorized.

Should people really be worried about facing jail time for not reading the software license or terms of service on their computers?

I'm thinking not.

Friday, November 4, 2011

Economic Espionage vs. Innovation

For the first time, the United States has publicly announced that it believes China is the world's leading source of economic espionage. Robert Bryant, U.S. National Counterintelligence Executive, released the report Wednesday, essentially confirming what many government officials have been saying privately for years.

The silver medal goes to Russia, who, in the words of President Vladimir Putin, must "more actively protect the economic interests of our companies abroad."

For a lesson on how to deal with the issue, the United States needs look no further than its own history. Just after the United States won its independence, it initiated a policy of ignoring the intellectual property law of the United Kingdom. For a fledgling democracy who had just survived a costly war on its own soil, this was vital to survival as a nation.

China is in a vastly different position. There has been no war on its own soil. It is not a fledgling nation in any sense of the word. In fact, it has maintained most favored trade nation status for years with the United States.

The world is also a different place than the one that saw the US ignoring the laws of the country that had oppressed it. It is a global economy. Actions that hurt one country can cripple countries all over the world. It is also an information economy. The world pays for the gigabits flowing through its optical fibers as though they were made of gold.

Should the US create firewalls around China? Stop allowing Chinese students to study at US Universities? Revoke it's favored trade status? Refuse to let corporations have offices in China? I don't think any of these things are likely to happen precisely for the reasons mentioned above.

What should China do? It complains about its own technical inferiority while relying on US educators to train its best and brightest. Even if one day they have all of the intellectual property of the United States (and they may already have most of it), they still won't have the culture of innovation that the US does. Are they willing to change their culture? Should they be concerned about creating a culture that is dependent on others for innovation?

Intellectual Property laws around the world need to change in order to recognize how the world economy has changed. Unfortunately, the pace at which the law changes seems to always lag behind the pace at which technology and Globalization have moved. What we need to do is to picture a world where information moves even faster than it does today. Where ideas are shared even more freely than they are today. Where there is a "Creative Commons" style license for all intellectual property. Where there is incentive for companies to take risk and form new relationships rather than destroy competition and reduce innovation. China has an opportunity to take a leadership role in innovating here and now rather than creating an economic standoff.

Wednesday, October 19, 2011

Why don’t Americans care about Privacy?

In my post from earlier this year, I commented on how Senator Leahy re-introduced his Personal Data Privacy Act…the same bill he has been submitted every year for the last 5 years. 5 months after the re-introduction of the bill this year, there is still no GOP support for Leahy’s Privacy bill.

By my count so far this year, there were 9 data privacy bills introduced into both houses of Congress. This may not sound like a ton, but is half the number of the bills introduced during the Health Care Reform debate of 2008. So it looks like 2011 won’t be the year we get a national data privacy law.

Why not? Do Americans not care about Privacy? Of course they do. Every state in America now has their own data privacy law. How often are their respective Attorney’s General enforcing those laws? Most of them don’t have private rights of action, so there isn’t any one else to enforce them. States probably wont enforce the laws unless they can collect some fines out of it, which means smaller infractions will get overlooked anyway. So Americans have some privacy, but not very much.

Facebook is at war with Privacy. In January of 2010, Facebook’s founder, Mark Zuckerberg pronounced that Privacy is dead. The EU Obviously cares. They’ve spent the last 30 years putting steroids into their Privacy laws. Max Screms, a European law student, is taking Facebook to task over their numerous violations of Irish Privacy laws. Although European members data privacy laws still differ, their push for privacy started with the OECD in 1980 and more recently the EU Data Protection Directive.

So why aren’t Americans more up in arms? Max Screms worries, “The KGB or the CIA never had 1200 pages [of information] on the average citizen.” But Facebook does.

Some theories about why American’s don’t care about Privacy:

  • We’re more worried about the economy – nope, the unemployment rate in Europe has been much worse for longer.

  • Most people haven’t read 1984 – that’s probably true…it’s never been made into an American movie with Brad Pitt.

  • We’re more worried about the stock market, the housing market, health care reform??? This is interesting…the Occupy Wall Street movement, along with the Tea Party, and the Iraq War Activists have been some of the few examples where Americans have been willing to take to the streets for a cause en mass in recent memory.

  • We’re more worried about Terrorism than the EU – I don’t think so. The Facebook case is going on in Ireland, and I think they’re slightly more sensitive to terrorism than we are.

  • What about Corporate Interests – some might say our politicians are bought and sold by corporations. While that may be a valid point, politicians everywhere suffer from the same temptations, and by all evidence, American politicians get in trouble a lot less than their European, Russian, or Asian counterparts.

  • Maybe we’re naturally voyeuristic? We are willing to trade our own privacy in order to invade other people’s privacy. This sounds pretty accurate to me.

  • Maybe we assume if it’s really a problem, then we can just sue somebody. Oh wait, all the so called ‘privacy’ legislation being thrown around doesn’t give individuals a private right of action against privacy infringers. Fines just go to state coffers and probably aren’t enough to deter bad behavior anyway. Remember CAN-SPAM? Of course you don’t.

  • Maybe Americans are just behind the curve? After all, Myspace fell apart, and that could have been an unconscious choice by the faceless public because Myspace felt less secure…from the viruses, to the unsolicited connections from weirdos, to how the apps felt like they gave away your information in a more overt way. Do we vote with our feet? Voting with one’s feet presumes that you have a meaningful choice…if you’re just voting between the lesser of two evils, then you end up voting for the more clean cut of two gangsters who doesn’t curse and swear while they rifle through your life.

  • Or maybe Americans do care about privacy. Maybe the ones that really care, haven’t bothered to join Facebook or have left. So why aren’t they up in arms? If they were, then they’d be in the spotlight, and that’s not really something they’re interested in. Why should they take a stand to protect you when you’re obviously okay with giving up your personal details? Also, this group of people tends to wear tin-foil hats.

Monday, October 17, 2011


Imagine a world where criminals used sophisticated networks of middlemen. Transactions between pawns were untraceable. All using the power of something called, the Internet. And people wonder why I say that the law is having a hard time keeping up with technology.

The article gives a great overview of the developments in cybercrime over the last 3 or 4 years:

Daubert's Fingerprint

Everybody knows that every snowflake is one of a kind. Unique. Just like a fingerprint. Wait, how do we know a fingerprint is unique?

In a legal proceeding in the United States, the process the court uses to determine whether an expert witness is qualified to give testimony in their field is commonly referred to as the Daubert test. If a court were going to let an expert witness in to testify whether a certain fingerprint found at the scene of a crime or on a critical piece of evidence was a match for a defendant…the court would use the Daubert test to determine whether the expert had knowledge derived from sound scientific methodology.

Except they don’t.

What do you mean, they don’t?

They don’t. No court has ever challenged the expert-ness of an expert witness who purported to be an expert on fingerprints.

Why not?

To be an expert in something, there has to be a body of knowledge for you to know about. Where is the body of knowledge about fingerprints? They swirl around, we know that much right? There’s a database of them, right?

The FBI does have a database of fingerprints. But they’ve never let researchers look at it.

The question researchers want to know the answer to is: how unique is a fingerprint? The lines of a fingerprint are about a millimeter wide. A fingertip might be a square inch. So there obviously can only be so many variations in a fingerprint. We know that fingerprints don’t come in stripes or plaid, so the universe of possible variations is limited. So just how limited? How can you compare the relative uniqueness of other markers, like a retna scan, DNA, voice patterns, etc. to a fingerprint when there isn’t any scholarship on how unique a fingerprint is?

This is really interesting because it subjects the validity of fingerprint evidence to a birthday attack. This is a basic type of security problem where you can calculate the probability of two people in the same room having the same birthday. Assuming that there are 30 people in a room, the likelihood that there is one person in the room with a specific birthday is only about 8%. 1-(364/365)30. The likelihood that two people in the room with the same birthday is nearly 70%. The two variables here are the number of people in the room and the number of possible days. If there are 10 million possible variations of fingerprint and 5,000 were at a conference on IT security, what is the likelihood of finding two with the same fingerprint? I’ll keep this idea around for my next detective novel.

A Daubert test would look at the following 5 factors to determine whether a fingerprint expert would be able to testify:

  1. Empirical testing: the theory or technique must be falsifiable, refutable, and testable.
  2. Subjected to peer review and publication.
  3. Known or potential error rate.
  4. The existence and maintenance of standards and controls concerning its operation.
  5. Degree to which the theory and technique is generally accepted by a relevant scientific community.

The list is nondispositive and nonexclusive. The 4th and 5th factors are the only ones that have bearing on a fingerprint. Would these two factors alone be enough for courts to let a fingerprint expert testify? Maybe, but we would have to see a Judge to make that decision.

Friday, October 7, 2011

Cyberattack on Predator Drones?

Wired's Danger Room points out that US Predator and Reaper drones have been under attack by a computer virus:

To date, the virus has only apparently been logging the keystrokes of the operators. From the article, I get the impression that it is the operators workstations and not the drones themselves that are the subject of the attack. Wasn't this how computers took over the world in Terminator 3? Or was that Terminator 4? I can never remember.

Monday, September 26, 2011

Netflix Hates Privacy?

There’s been a lot of news about how Netflix wants to fight an arcane video law, passed almost 25 years ago, to enable the future of movie streaming. Hulu wants to do the same thing, with their new video campaign, “This is my favorite part…” I like the Hulu commercials, but I’m not convinced that I want people to automatically know I’m watching reruns of Cashmere Mafia. It’s my wife, I swear.

Facebook has already been sued for sharing Blockbuster rental information, according to Wired.

Intro to the Video Privacy Protection Act

I think all the best consumer protection laws come from when politician’s private lives are exposed to us. This is what happened to get the VPPA enacted. A supreme court nominee’s local video store gave up his viewing history to a reporter. The reporter published the videos in an attempt to embarrass the nominee and derail his nomination, but instead, members of congress all realized that they’d be in deep trouble if clever reporters could all do the same thing to them. Interestingly, the bill was written by Senator Leahy, whose committee is now being asked to amend the bill in favor of Netflix sharing your movie tastes with everyone.

Some have called the VPPA the strongest protection of consumer privacy against data collection. Even stronger than HIPAA? Yes, it is. The reason is that it creates a private right of action for consumers to sue the offending offender directly. HIPAA and all of the new privacy legislation proposed so far in 2011 do not create a private right of action, instead putting the burden on the states Attorneys General.

Draw your own conclusions here, but I’m liking the VPPA a lot more than the new legislation currently being drafted. Giving the power to the consumers is a better solution than assuming an Attorney General will go after infringers. They already have the power to do this under HIPAA, and they haven’t exercised that power very often. Class Actions for privacy issues are also problematic, since courts are more and more reluctant to let them move forward.

Privacy is dead. Long live privacy.