Thursday, March 28, 2013

Extending CALEA to Cover the Cloud?

There is a great discussion over on Slate about how the FBI sees it's ability to listen in via tapping phones as "going dark".  Why use a landline or a cell phone when you can use your webcam to orchestrate your criminal enterprises?

The blog suggests that the FBI is interested in extending CALEA, the Communications Assistance for Law Enforcement Act, to cover Gmail, Google Voice, and other cloud services.  This isn't a new thing exactly.  Law enforcement has been working for some time now to figure out how to apply CALEA to VoIP, for example.  It was only a matter of time before Instant Messaging fell under that same category.

Kids today prefer texting to talking anyway.

Monday, March 18, 2013

Judicial Revolt Against Invasions of Privacy

Last week saw two major Judicial decisions related to privacy come out of the 9th Circuit, perhaps signaling a new offensive against warrantless wiretapping.

First, a Federal Appeals court ruled that customs agents no longer have carte blanche to search electronic devices coming into the country.  The 9th Circuit decision has an impact on border crossings into California and Arizona.  That doesn't mean that Texas or New Mexico will follow the same rules. The case comes from a California man who was flagged by agents because of prior convictions for child molestation.  Agents found no incriminating evidence on his two laptops or three digital cameras, so they seized them and sent them away to a forensic lab.  Pictures of pornographic pictures of children were allegedly found by the forensic team, but the judge threw the evidence out because the devices were removed from the border area.  The 3 judge appeals panel upheld the ruling.

On Friday,  another Federal judge ruled that National Security Letters are an unconstitutional ban on companies First Amendment rights in the case of a telecommunications company that sought to fight the gag order.  The court refused to conform the order, as the 2nd Circuit did in a prior case.

The battle in the courts over the balance between law enforcement and privacy continues.  The Supreme Court last year rejected the case against warrantless wiretapping, but did so on the grounds that the individuals being tapped couldn't prove that their communications had been monitored.  If the gag order on NSLs is removed, then it's possible that a new case could go before the Supreme Court for them do decide whether the Executive Branch has the authority to issue NSLs without judicial review.

Thursday, March 14, 2013

Privacy, Customs, and You

If you are travelling to Mexico and you are a technophile, good news!  The 9th Circuit now says that Customs agents no longer have carte blanche to search your devices.

See more from the Wired article:

The 9th Circuit decision has an impact on border crossings into California and Arizona.  That doesn't mean that Texas or New Mexico will follow the same rules. 

Monday, March 11, 2013

Was Aaron Swartz the victim of Prosecutorial Overreach?

After Aaron Swartz's tragic death in 2012, a lot of bloggers have started throwing around the term, Prosecutorial Overreach when talking about Federal prosecutors Carmen Ortiz or Stephen Heymann.  The problem is that this is a new term, invented seemingly out of nowhere in 2012.  It sounds like legalese, but it isn't a Legal term.  It sounds like one.  It sounds very similar to Prosecutorial Misconduct, which is a Legal term…this is what the prosecutor of the Duke Lacross case was found guilty of when he withheld evidence from the defense.

Unfortunately, since Prosecutorial Overreach isn't a Legal term, people can use it in ways that they can't use Legal terms.  People can say that the Prosecutor in this case is guilty of Prosecutorial Overreach.  Usually, when we have a legal charge against someone, you say they are accused of, not guilty of, until they are tried in court. 

So what does Prosecutorial Overreach really mean?  Here are some possible definitions:
  • When a prosecutor should have better things to do, but spends their time going after small fish.
  • When a prosecutor throws a bunch of charges at a person that are frivolous.
  • When a prosecutor goes after a case for purely political or career motivated reasons.
Unfortunately, it's not clear what people are actually saying when they use this new term.  There are protections built into the legal system from an overzealous prosecutor bringing frivolous charges against someone…in the Swartz case, this was the Grand Jury.  In this case, the grand jury indictment was unsealed, and it showed that a jury of 24 of Swartz's peers found that there was enough evidence to proceed with further legal action against him.

The danger of this term, Prosecutorial Overreach, is that it is a distraction from the battle that Swartz was fighting: The fight against copyright that didn't serve the interests of the public or the academic community.

Thursday, March 7, 2013

Pentagon to use Nukes against Hackers?

What's the latest weapon in the Cyber Arms race?  Nuclear bombs, apparently.

Okay, let's not over react.  The report says that the U.S. would only use nukes under extreme circumstances.  Hopefully that doesn't mean viagra related SPAM.

Seems like, if anything, maybe an EMP would be a better alternative?

Tuesday, March 5, 2013

Privacy is Dead: Now Where's My Inheritance - Part 3

As an American, when I picture the beginnings of civilization, I don't picture Neanderthals huddling together in caves.  I picture the pilgrims landing on foreign soil, building log cabins to sustain themselves against the winter.  With the hope of a new frontier to explore.

It strikes me that we are in the same position when it comes to the Internet.  It's a wild and dangerous frontier that can hold vast wealth or the dangers of identity theft.  In Part 1 of Privacy is Dead: Now Where's MyInheritance, I postulated that an individual's privacy is worth up to $10,000 per year.  In Part 2, I broke down each category of privacy related data and discussed how each area is important to the individual's privacy as a whole.

Individuals, however, aren't the only ones venturing out into this new frontier.  The question is, how can companies benefit from the same benefits to sharing private information as individuals?

Some companies have built sharing the personal data of their customers into their business plan.  Google does this through advertising.  Facebook benefits through the network effect: the more people and the more content, the more valuable they are.  In fact, any of the 10 domains of "Privacy Property" I identified in Part 1 could be integrated into a company's business plan.

What's interesting is that companies can reap similar benefits when they are willing to share information about themselves.  This is a little counter-intuitive, but most organizations are already doing this without knowing it.  For example, when a Microsoft or Apple program crashes, the first thing it does is ask you if you want to share information about the crash with Microsoft or Apple in order to fix the program.  The benefit is that the individual gets a better, more stable version of software.

Security Through Obscurity vs. Security Through Community

Security Through Obscurity is an old concept.  The idea is that you can protect the security of your software by keeping the source code secret.  The idea is a tried and tested human concept.  Think of buried treasure.  A more contemporary example would be a company's trade secrets, the secret formula to Coca Cola or the Colonel's 11 herbs and spices.  It makes sense to businesses to keep their code secret because that what every other part of the business already does.

The problem with this concept is that every day, thousands of evil hackers are looking for vulnerabilities.  Code sometimes gets leaked.  Code can be reverse engineered.  Sometimes vulnerabilities can be found without knowing the code at all.  If security through obscurity worked, then zero-day vulnerabilities wouldn't be worth hundreds of thousands of dollars on the black market.  Worse for businesses that use the software, no one knows when zero-days are found until high enough profile breaches occur because of them.

Another model is Open Source software, where thousands of good programmers have the ability to look at the code and clean the vulnerabilities more quickly.  And there are a lot more good programmers out there than ones willing to commit crimes.  To borrow a phrase from the U.S. Supreme Court Justice Brandeis, "Sunlight is the best disinfectant."  (Brandeis, coincidentally, is also the father of U.S. privacy law.) 

Companies like BrightCloud and FireEye are creating a market by collecting data about customer’s security related information.  BrightCloud and FireEye both gather user data in order to provide a reputation score for IP addresses, web sites, or even specific files.  FireEye, for example, will take a file and load it into their cloud based sandbox to observe whether the file contains malware.  Subscribers to the service will all then share the benefits of having shared that information with the community through fewer malware infections.  These services have the potential to save businesses hundreds of hours of time to clean infected machines and lost productivity time from employees.

Similarly, telecommunications providers like AT&T or Verizon, and to some extent managed security providers have the ability to correlate attacks against all of their customers.  These providers have the visibility to see attacks in real time against thousands of their customers.  Managed Security Providers can then prevent attacks from even entering their customer's networks.  This can help reduce the costs of bandwidth and loss of reputation with customers.

Organizations can also partner with other organizations in their industry in order to directly share their information about security.  Most large organizations have an Information Security Advisory Council internally that will help report security threats, help refine policies, etc.  Many industries have adopted Councils of trusted practitioners who can share information across companies, even competitors, because sharing information about threats protects the industry as a whole.  The Payment Card Industry Security Standards Council is an example of this.   The Department of Homeland Security has a CISO Council for Federal security leaders.  The Banking industry has the Financial Services Information Sharing and Analysis Center.  The Power, Communications, Nuclear, Water, State, Public Transportation sectors all have their own ISACs as well.  There's even an ISAC of ISACs.

Security through Community is still immature, however, but the next big thing in security may come from this concept.  Just like with Anti-Virus, which many companies now offer for free when they used to be expensive add-ons, these services should also be free.  Today, all of the communities mentioned above require some cost to join, and most are very expensive.  It is precisely the network effect of having huge numbers of customers that makes these communities have value.  Cost is a barrier to entry, especially for a service that requires your private information to exist.  Imagine if Facebook asked people to pay for their service?

In part 1, I postulated that to an individual, sharing private information could be worth $10,000 per year.  It is more difficult to measure, but sharing some private data could be worth a lot more.