There is a great discussion over on Slate about how the FBI sees it's ability to listen in via tapping phones as "going dark". Why use a landline or a cell phone when you can use your webcam to orchestrate your criminal enterprises?
http://www.slate.com/blogs/future_tense/2013/03/26/andrew_weissmann_fbi_wants_real_time_gmail_dropbox_spying_power.html
The blog suggests that the FBI is interested in extending CALEA, the Communications Assistance for Law Enforcement Act, to cover Gmail, Google Voice, and other cloud services. This isn't a new thing exactly. Law enforcement has been working for some time now to figure out how to apply CALEA to VoIP, for example. It was only a matter of time before Instant Messaging fell under that same category.
Kids today prefer texting to talking anyway.
HackLaw is a blog dedicated to discussing the legal issues in information security and developments that may have an impack on information security law.
Thursday, March 28, 2013
Monday, March 18, 2013
Judicial Revolt Against Invasions of Privacy
Last week saw two major Judicial decisions related to privacy come out of the 9th Circuit, perhaps signaling a new offensive against warrantless wiretapping.
First, a Federal Appeals court ruled that customs agents no longer have carte blanche to search electronic devices coming into the country. The 9th Circuit decision has an impact on border crossings into California and Arizona. That doesn't mean that Texas or New Mexico will follow the same rules. The case comes from a California man who was flagged by agents because of prior convictions for child molestation. Agents found no incriminating evidence on his two laptops or three digital cameras, so they seized them and sent them away to a forensic lab. Pictures of pornographic pictures of children were allegedly found by the forensic team, but the judge threw the evidence out because the devices were removed from the border area. The 3 judge appeals panel upheld the ruling.
On Friday, another Federal judge ruled that National Security Letters are an unconstitutional ban on companies First Amendment rights in the case of a telecommunications company that sought to fight the gag order. The court refused to conform the order, as the 2nd Circuit did in a prior case.
The battle in the courts over the balance between law enforcement and privacy continues. The Supreme Court last year rejected the case against warrantless wiretapping, but did so on the grounds that the individuals being tapped couldn't prove that their communications had been monitored. If the gag order on NSLs is removed, then it's possible that a new case could go before the Supreme Court for them do decide whether the Executive Branch has the authority to issue NSLs without judicial review.
First, a Federal Appeals court ruled that customs agents no longer have carte blanche to search electronic devices coming into the country. The 9th Circuit decision has an impact on border crossings into California and Arizona. That doesn't mean that Texas or New Mexico will follow the same rules. The case comes from a California man who was flagged by agents because of prior convictions for child molestation. Agents found no incriminating evidence on his two laptops or three digital cameras, so they seized them and sent them away to a forensic lab. Pictures of pornographic pictures of children were allegedly found by the forensic team, but the judge threw the evidence out because the devices were removed from the border area. The 3 judge appeals panel upheld the ruling.
On Friday, another Federal judge ruled that National Security Letters are an unconstitutional ban on companies First Amendment rights in the case of a telecommunications company that sought to fight the gag order. The court refused to conform the order, as the 2nd Circuit did in a prior case.
The battle in the courts over the balance between law enforcement and privacy continues. The Supreme Court last year rejected the case against warrantless wiretapping, but did so on the grounds that the individuals being tapped couldn't prove that their communications had been monitored. If the gag order on NSLs is removed, then it's possible that a new case could go before the Supreme Court for them do decide whether the Executive Branch has the authority to issue NSLs without judicial review.
Thursday, March 14, 2013
Privacy, Customs, and You
If you are travelling to Mexico and you are a technophile, good news! The 9th Circuit now says that Customs agents no longer have carte blanche to search your devices.
See more from the Wired article:
http://www.wired.com/threatlevel/2013/03/gadget-border-searches/
The 9th Circuit decision has an impact on border crossings into California and Arizona. That doesn't mean that Texas or New Mexico will follow the same rules.
See more from the Wired article:
http://www.wired.com/threatlevel/2013/03/gadget-border-searches/
The 9th Circuit decision has an impact on border crossings into California and Arizona. That doesn't mean that Texas or New Mexico will follow the same rules.
Monday, March 11, 2013
Was Aaron Swartz the victim of Prosecutorial Overreach?
After Aaron Swartz's tragic death in 2012, a lot of bloggers have started throwing around the term, Prosecutorial Overreach when talking about Federal prosecutors Carmen Ortiz or Stephen Heymann. The problem is that this is a new term, invented seemingly out of nowhere in 2012. It sounds like legalese, but it isn't a Legal term. It sounds like one. It sounds very similar to Prosecutorial Misconduct, which is a Legal term…this is what the prosecutor of the Duke Lacross case was found guilty of when he withheld evidence from the defense.
Unfortunately, since Prosecutorial Overreach isn't a Legal term, people can use it in ways that they can't use Legal terms. People can say that the Prosecutor in this case is guilty of Prosecutorial Overreach. Usually, when we have a legal charge against someone, you say they are accused of, not guilty of, until they are tried in court.
So what does Prosecutorial Overreach really mean? Here are some possible definitions:
The danger of this term, Prosecutorial Overreach, is that it is a distraction from the battle that Swartz was fighting: The fight against copyright that didn't serve the interests of the public or the academic community.
Unfortunately, since Prosecutorial Overreach isn't a Legal term, people can use it in ways that they can't use Legal terms. People can say that the Prosecutor in this case is guilty of Prosecutorial Overreach. Usually, when we have a legal charge against someone, you say they are accused of, not guilty of, until they are tried in court.
So what does Prosecutorial Overreach really mean? Here are some possible definitions:
- When a prosecutor should have better things to do, but spends their time going after small fish.
- When a prosecutor throws a bunch of charges at a person that are frivolous.
- When a prosecutor goes after a case for purely political or career motivated reasons.
The danger of this term, Prosecutorial Overreach, is that it is a distraction from the battle that Swartz was fighting: The fight against copyright that didn't serve the interests of the public or the academic community.
Thursday, March 7, 2013
Pentagon to use Nukes against Hackers?
What's the latest weapon in the Cyber Arms race? Nuclear bombs, apparently.
http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
Okay, let's not over react. The report says that the U.S. would only use nukes under extreme circumstances. Hopefully that doesn't mean viagra related SPAM.
Seems like, if anything, maybe an EMP would be a better alternative?
http://www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf
Okay, let's not over react. The report says that the U.S. would only use nukes under extreme circumstances. Hopefully that doesn't mean viagra related SPAM.
Seems like, if anything, maybe an EMP would be a better alternative?
Tuesday, March 5, 2013
Privacy is Dead: Now Where's My Inheritance - Part 3
As
an American, when I picture the beginnings of civilization, I don't picture
Neanderthals huddling together in caves. I picture the pilgrims landing
on foreign soil, building log cabins to sustain themselves against the
winter. With the hope of a new frontier to explore.
It
strikes me that we are in the same position when it comes to the
Internet. It's a wild and dangerous frontier that can hold vast wealth or
the dangers of identity theft. In Part 1 of Privacy is Dead: Now Where's MyInheritance, I
postulated that an individual's privacy is worth up to $10,000 per year. In Part 2, I broke down each category of privacy related data and discussed how each
area is important to the individual's privacy as a whole.
Individuals,
however, aren't the only ones venturing out into this new frontier. The
question is, how can companies benefit from the same benefits to sharing
private information as individuals?
Some
companies have built sharing the personal data of their customers into their
business plan. Google does this through advertising. Facebook
benefits through the network effect: the more people and the more content, the
more valuable they are. In fact, any of the 10 domains of "Privacy
Property" I identified in Part 1 could be integrated into a company's
business plan.
What's
interesting is that companies can reap similar benefits when they are willing
to share information about themselves. This is a little
counter-intuitive, but most organizations are already doing this without
knowing it. For example, when a Microsoft or Apple program crashes, the
first thing it does is ask you if you want to share information about the crash
with Microsoft or Apple in order to fix the program. The benefit is that
the individual gets a better, more stable version of software.
Security Through Obscurity vs. Security Through
Community
Security
Through Obscurity is an old concept. The idea is that you can protect the
security of your software by keeping the source code secret. The idea is
a tried and tested human concept. Think of buried treasure. A more
contemporary example would be a company's trade secrets, the secret formula to
Coca Cola or the Colonel's 11 herbs and spices. It makes sense to
businesses to keep their code secret because that what every other part of the
business already does.
The
problem with this concept is that every day, thousands of evil hackers are
looking for vulnerabilities. Code sometimes gets leaked. Code can
be reverse engineered. Sometimes vulnerabilities can be found without
knowing the code at all. If security through obscurity worked, then
zero-day vulnerabilities wouldn't be worth hundreds of thousands of dollars on the black market. Worse for businesses that use the software, no one
knows when zero-days are found until high enough profile breaches occur because
of them.
Another
model is Open Source software, where thousands of good programmers have the ability
to look at the code and clean the vulnerabilities more quickly. And there
are a lot more good programmers out there than ones willing to commit
crimes. To borrow a phrase from the U.S. Supreme Court Justice Brandeis,
"Sunlight is the best disinfectant." (Brandeis, coincidentally,
is also the father of U.S. privacy law.)
Companies
like BrightCloud and FireEye are creating a market by collecting data about
customer’s security related information. BrightCloud and FireEye both
gather user data in order to provide a reputation score for IP addresses, web
sites, or even specific files. FireEye, for example, will take a file and
load it into their cloud based sandbox to observe whether the file contains
malware. Subscribers to the service will all then share the benefits of
having shared that information with the community through fewer malware
infections. These services have the potential to save businesses hundreds
of hours of time to clean infected machines and lost productivity time from
employees.
Similarly,
telecommunications providers like AT&T or Verizon, and to some extent
managed security providers have the ability to correlate attacks against all of
their customers. These providers have the visibility to see attacks in
real time against thousands of their customers. Managed Security
Providers can then prevent attacks from even entering their customer's
networks. This can help reduce the costs of bandwidth and loss of
reputation with customers.
Organizations
can also partner with other organizations in their industry in order to
directly share their information about security. Most large organizations
have an Information Security Advisory Council internally that will help report
security threats, help refine policies, etc. Many industries have adopted
Councils of trusted practitioners who can share information across companies,
even competitors, because sharing information about threats protects the
industry as a whole. The Payment
Card Industry Security Standards Council is an example of this. The Department of
Homeland Security has a CISO Council for Federal security
leaders.
The Banking industry has the Financial Services Information
Sharing and Analysis Center.
The Power, Communications, Nuclear, Water, State, Public Transportation sectors
all have their own ISACs as well. There's even an ISAC of ISACs.
Security
through Community is still immature, however, but the next big thing in
security may come from this concept. Just like with Anti-Virus, which
many companies now offer for free when they used to be expensive add-ons, these
services should also be free. Today, all of the communities mentioned
above require some cost to join, and most are very expensive. It is
precisely the network effect of having huge numbers of customers that makes
these communities have value. Cost is a barrier to entry, especially for
a service that requires your private information to exist. Imagine if
Facebook asked people to pay for their service?
In
part 1, I postulated that to an individual, sharing private information could
be worth $10,000 per year. It is more difficult to measure, but sharing
some private data could be worth a lot more.
Friday, February 22, 2013
Diplomatic Immunity
The White House this week released a plan to stop state sponsored hacking, like the one uncovered by Mandiant this week, through the use of diplomatic pressure. The 72 page report details the measures that the White House is willing to use as leverage. The strategy stops short of threatening economic or other types of sanctions.
No word yet from the hackers on whether they will lay down their compilers. A more likely response will be that they install malware into the PDF of the report. Sorry if you already clicked the link. I can picture the hackers learning to say "Diplomatic Immunity" a la Lethal Weapon 2.
No word yet from the hackers on whether they will lay down their compilers. A more likely response will be that they install malware into the PDF of the report. Sorry if you already clicked the link. I can picture the hackers learning to say "Diplomatic Immunity" a la Lethal Weapon 2.
Wednesday, February 20, 2013
Privacy is Dead: Now Where's My Inheritance - Part 2
In Part 1 of my Post, Privacy is Dead, I estimated that giving up Privacy in exchange for a number of benefits could be worth as much as $10,000 per year to an individual. While this isn't pocket change for most of us, for someone making minimum wage, this might represent 6 months of work. Let's take a deeper dive in where that $10,000 number is coming from.
Privacy Property
Why should a company, either your phone company or a bank, be able to share information about you? Because it creates a new type of property…Privacy Property is the new Intellectual Property. Google and Facebook have both been very successful at leveraging this Privacy Property to create a new source of wealth. And we welcome it for the same reasons that we wanted credit scores. There are scores of new types of Privacy Property that have been created in the last 10 years, and some that have been made even more valuable.
Facebook’s Chief of Privacy was quoted as saying that they are working to get rid of surprises. That seems to address privacy issues…so long as people aren’t surprised by what they are sharing, then it’s okay. As long as we’re getting our Inheritance, we’re happy. Hopefully we don’t find ourselves cut out of the will.
Privacy Property
Why should a company, either your phone company or a bank, be able to share information about you? Because it creates a new type of property…Privacy Property is the new Intellectual Property. Google and Facebook have both been very successful at leveraging this Privacy Property to create a new source of wealth. And we welcome it for the same reasons that we wanted credit scores. There are scores of new types of Privacy Property that have been created in the last 10 years, and some that have been made even more valuable.
- Credit – $2,000/yr to $4,000/yr – Today, the average American has approximately $200,000 in debt between mortgages, cars, student loans, and credit cards. Just one percentage point of difference on a loan could mean thousands of dollars per year in value that this sharing of private information creates.
- Book Reading – $100/yr – Librarians have a long tradition of protecting what books their patrons are reading. They’ve fought and won to protect the FBI or other groups from being able to find out who checked out books like “Mein Kampf”. As it turns out, perhaps that fight was all for nothing. With eBooks, retailers like Amazon and Barnes and Noble have the ability to not just track what books you have read, but they can provide detailed demographics back to the publishers, who in turn can use this information to tailor books at their audiences. In addition, they can figure out things that were impossible before, like what pages or passages were most bookmarked, what chapter caused people to lose interest and stop reading.
- TV Viewing habits – $500/yr – Arthur C. Nielsen created a company starting in the 1950s that tracked what television programs their subscribers watched. Subscribers were paid for this information. Today, this information can be gained without special tracking equipment. TiVo has the ability to not only track what we watch, but how we watch it…which became especially clear when they reported that Janet Jackson’s wardrobe malfunction during the 2008 Super Bowl was the most replayed video ever.
- Driving History – $100/yr to $1,000/yr – For years, Insurance companies have used driving history to help underwrite their insurance practices. Today, they have begun using “black boxes” to track how their customers are driving, whether they stop or speed, where they drive and when they drive. Their customers love this, because they can save hundreds or thousands of dollars per year. Loss of privacy creates value.
- Shopping Habits – $1,000/yr – For years, advertisers have tried to figure out what makes a shopper tick. Now they don’t have to. Companies like Amazon can figure out what you will like before you know it.
- Video Rental – $500/yr – Your movie watching history is critical to figuring out what you’ll want to watch next. Netflix has come up with their own algorithms that can predict better than their competitors what movies you want to watch. If they know what you want, the more likely you are to buy it, and buy it from them. The next Step for Netflix and Hulu, Blockbuster, Amazon, and others is to let you tell your friends about the great movie you just watched…but to do that in an automated fashion, they need to get Congress to change the VPPA. Oh, wait, Congress just passed that in January of 2013! Welcome to the future!
- Location Information – $1,000/yr – Today, Google will customize your search results based on where you are, so you get results in your city, not just anywhere in the US. Your location information can be used to better target advertising to you. This was naturally the case when television advertisers bought airtime based on the region you lived in. Google already knows where you are generally based on your IP address, mobile technologies take this a step further.
- Change of Life Predictors – $500/yr – Today, Credit Card companies know enough about your daily habits that they can predict, for example, when you are going to get divorced or have children. Not that those two things are related. These major life events can have a large impact on your risk profile, perhaps reducing or increasing your credit rating profile.
- Health Records – $1,000/yr HIPAA was originally enacted, not because of Privacy concerns, but because there was a need to move from paper health records to electronic ones. Just like any other business, this was cost driven. Electronic insurance claims processing has helped reduce health care costs. Just imagine how much more expensive health care would be with only paper records. The future is complicated. Should individuals who smoke or drink have to pay more for health care? Your employer says yes!
- Free Stuff – $1,000/yr – Remember in the early 2000’s when you could get free Internet Access or even a free computer if you signed up for a service that would display a constant stream of advertising to you? It’s possible in the future that a clever company could provide you a cellular smart phone for free with no monthly fees. All you have to do is let it track your every move, pop up location based advertising wherever you go. Let it show you ads based on what you say in text messages just like how Google advertises in their mail. Sell your driving habits to insurance companies without the need for a black box.
Facebook’s Chief of Privacy was quoted as saying that they are working to get rid of surprises. That seems to address privacy issues…so long as people aren’t surprised by what they are sharing, then it’s okay. As long as we’re getting our Inheritance, we’re happy. Hopefully we don’t find ourselves cut out of the will.
Monday, February 18, 2013
Privacy is Dead: Now where's my Inheritance - Part 1
Privacy is Dead.
It’s not the first time you’ve heard this, surely. A private investigator, Sam Rambam was quoted as saying “Privacy is Dead – Get Over it” in 2006. In 2012, Huffing Post contributor Miles Feldman posed the question “Is Privacy Dead?”
If it is, then we’ve been collecting our inheritance without knowing it for years.
When did it die? It seemed to have contracted some terminal illness sometime around the same time that the computer was invented. It slipped away in the night somehow without anyone noticing. People worry about privacy related to the Internet, but this was only the first time we noticed that our attitudes about privacy were changing. There were two major events that most likely started this – the first was the Phone Book and the second was your credit rating.
When the telephone was first invented, people needed a way of reaching each other…in order to make the device useful, operators would connect two people to each other. This was a costly way of doing business, so phone companies published subscriber information in a “Book” so that subscribers could directly connect with one another without human intervention. In this way, we willingly gave up some of our privacy in order for the value that connection gave us. Phonebooks became a business model for phone companies – they began selling advertising space in their phone books and now make billions. You could get your privacy back by requesting an unlisted number, but this too had its price.
Before the early 1900s, when you needed credit to make a purchase, a man from the bank would go around and ask your friends, relatives, and neighbors what kind of person you were. Credit translated into character. It was the best we could do at the time. After WWII, people started needing more and more credit after coming back from a costly war. In 1970, the Fair Credit Reporting Act was enacted to offer some rules to govern this new model of collecting and distributing personal information. Now, banks could share your information with each other, which allowed them to know when someone had defaulted on or had excessive amounts of loans with other organizations. This reduced the risk of issuing a loan, which allowed banks to give loans at better rates. Again, giving up privacy created real value for an individual.
When you add it all up, my estimate is that the loss of Privacy, i.e. all the private information that we give up every day to do business actually has a significant tangible value. My estimate is that our Privacy Inheritance is worth as much as $10,000 or more per year. For most Americans, that’s like having a second part time job.
Click here to read Part 2 of this post.
It’s not the first time you’ve heard this, surely. A private investigator, Sam Rambam was quoted as saying “Privacy is Dead – Get Over it” in 2006. In 2012, Huffing Post contributor Miles Feldman posed the question “Is Privacy Dead?”
If it is, then we’ve been collecting our inheritance without knowing it for years.
When did it die? It seemed to have contracted some terminal illness sometime around the same time that the computer was invented. It slipped away in the night somehow without anyone noticing. People worry about privacy related to the Internet, but this was only the first time we noticed that our attitudes about privacy were changing. There were two major events that most likely started this – the first was the Phone Book and the second was your credit rating.
When the telephone was first invented, people needed a way of reaching each other…in order to make the device useful, operators would connect two people to each other. This was a costly way of doing business, so phone companies published subscriber information in a “Book” so that subscribers could directly connect with one another without human intervention. In this way, we willingly gave up some of our privacy in order for the value that connection gave us. Phonebooks became a business model for phone companies – they began selling advertising space in their phone books and now make billions. You could get your privacy back by requesting an unlisted number, but this too had its price.
Before the early 1900s, when you needed credit to make a purchase, a man from the bank would go around and ask your friends, relatives, and neighbors what kind of person you were. Credit translated into character. It was the best we could do at the time. After WWII, people started needing more and more credit after coming back from a costly war. In 1970, the Fair Credit Reporting Act was enacted to offer some rules to govern this new model of collecting and distributing personal information. Now, banks could share your information with each other, which allowed them to know when someone had defaulted on or had excessive amounts of loans with other organizations. This reduced the risk of issuing a loan, which allowed banks to give loans at better rates. Again, giving up privacy created real value for an individual.
When you add it all up, my estimate is that the loss of Privacy, i.e. all the private information that we give up every day to do business actually has a significant tangible value. My estimate is that our Privacy Inheritance is worth as much as $10,000 or more per year. For most Americans, that’s like having a second part time job.
Click here to read Part 2 of this post.
Subscribe to:
Posts (Atom)