Author: Christopher Parsons
Policy wonk. Torontonian. Photographer. Not necessarily in that order.
Categories
Why Privacy Matters
Axel Arnbak and Nico van Ejik have a thought provoking paper about regulating systematic vulnerabilities in the HTTPS value chain. They focus on constitutional values to establish a baseline to measure regulation against; it’s a clever move that offers a good lens to critique legislative efforts mean to regulate SSL. The paper is here, and the full abstract is below:
Hypertext Transfer Protocol Secure (‘HTTPS’) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and business. In only one decade, it has facilitated trust in a thriving global E-Commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.
Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a collapse of trust in these central mediators of HTTPS communications as they revealed ‘fundamental weaknesses in the design of HTTPS’ (ENISA 2011). In particular, the breach at Dutch CA Diginotar shows how a successful attack on one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL-certificates for any given website or service. Moreover, Diginotar kept the breach silent. So for 90 days, web browsers continued to trust Diginotar certificates, enabling attackers to intercept the communications of 300.000 Iranians. In its aftermath, Dutch public authorities overtook operations at Diginotar and convinced Microsoft to delay updates to its market-leading web browser to ensure ‘the continuity of the internet’. These bold interventions lacked a legitimate basis.
While serving as the de facto standard for secure web browsing, in many ways the security of HTTPS is broken. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem.
To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper then explores the rationales for regulatory intervention, discusses the EU eSignatures Regulation and abstracts from the EU proposal to develop general insights for HTTPS governance. Our findings should thus be relevant for anyone interested in HTTPS, cybersecurity and internet governance – both in Europe and abroad.
HTTPS governance apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of communication.
In the long term, a robust technical and policy overhaul must address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem. On the short term, specific regulatory measures to be considered throughout the value chain may include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions.
The research finds that the EU eSignatures proposal lacks an integral vision on the HTTPS value chain and a coherent normative assessment of the underlying values of HTTPS governance. These omissions lead to sub-optimal provisions on liability, security requirements, security breach notifications and supervision in terms of legitimacy and addressing the systemic security vulnerabilities of the HTTPS ecosystem.
In his most recent op-ed, Morozov offers a good, if common, argument. Specifically, he argues that:
Quaint prudishness, excessive enforcement of copyright, unneeded damage to our reputations: algorithmic gatekeeping is exacting a high toll on our public life. Instead of treating algorithms as a natural, objective reflection of reality, we must take them apart and closely examine each line of code.
While I tend to agree with him, it’s important to recognize the actual value of what he’s written: he’s made rapidly accessible (though, with less subtly) what ethicists and scholars of contemporary digital technology have been writing about for over a decade. Read what he’s written – it’s good – but rather than stopping there go on to read Winner’s The Whale and the Reactor, sections from DeNardis’ excellent Opening Standards, and Lessig’s Code. In essence, it’s not that Morozov’s written anything badly, but what he’s written just touches the tip of the iceberg.
Tumblr user nugnug provides an excellent list of the core “what’s missing” in Windows Phone right now and that will continue being absent after the 7.8 update:
- rotation lock – I surf the net when I’m lying down. Everyone does. This is such an important feature and yet, where the hell is it?
- screen capture – I can’t take screenshots on my phone! What is this!? How can I blackmail people and post the stupid things they say on Facebook?
- customized sounds for messaging, etc. – We can customize our ringtones, so why not the rest?
- notification center – This ain’t happening. I already know this cause they didn’t have time to make it. Lame.
- separate volume controls for phone sounds and media – I want to listen to music at a really low volume but that means I won’t be able to hear my phone ring. A dilemma that can be easily rectified.
- the forward button and “find on page” function in IE – there’s a java fix someone else kindly made, but there shouldn’t be a need. It’s a basic function that should be included in all internet browsers.
- Wifi turns off when in sleep mode – the biggest reason why my whatsapp messages arrive hours later is because my phone, which relies on only Wifi when I’m at home, turns off Wifi when it goes to sleep. Ugh.
- Blutooth file transfers – I WANNA GIVE MY FRIENDS STUFF WITHOUT USING MY NET DATA BUT I CAN’T.
- multi selection – let me delete multiple photos on my phone at a time. PLZZ.
- editing the dictionary – there are some words I made up, I would like to delete please.
- improvements in the calendar – by far the most used section of my phone, it holds all my schedules and Facebook events and works seamlessly. So why not build on it? Include a weekly view, allow me to change colours on some of my personal entries.
- automatic sleep mode – not too fussy, but this would be really cool. If I set a time e.g. from 11pm to 8am, my phone will sleep between those hours and I won’t get any notifications between those times.
- closing apps from the multitasking view – not too important
I have to admit that some of the items aren’t top of mind for me: I don’t really care about the sleep mode, don’t see the point of closing apps from the multitasking view, and am not interested in bluetooth sharing. That said, every other suggestion is much, much needed.
I would also add to the list that scrolling in the 7.8 update needs to change; in the older version 1 Windows Phones scrolling would accelerate the more your scrolled up or down, whereas the current generation of 7.5 phones feature a static scrolling rate. This speed simply feels slower than earlier – and less capable – hardware and software iterations of Windows Phone.
Categories
2012.11.15
Iranian officials have been assuring the public that the establishment of the [National Information Network] NIN will not cut them off from the Internet. The NIN, according to the government, will provide a “faster, safer, and more reliable” network for domestic purposes, in addition to the global Internet for daily usage.
What the officials have been less vocal about is that the NIN will make it easier for them to monitor user activities and carry out surveillance. Moreover, the establishment of the NIN as an independent network from the Internet will provide officials with the option of cutting off access without affecting the country’s administration. Shutting down the Internet in the aftermath of the contested 2009 elections, for example, was problematic since it interrupted banking and government operations. With the establishment of the NIN, a similar outage will not interrupt internal network traffic.
asl19, “Iran’s National Information Network”
Categories
2012.11.14
But first and foremost, Canada must get its own house in order. Thailand wasn’t the only country requesting that Google remove content; Ottawa did as well. What is most notable, and troubling, about Canada’s takedown requests is that an increasing number were not accompanied by a court order, but rather fell into Google’s category of “other” requests from the “executive, police, etc”.
This demonstrates that the government increasingly is bypassing formal and lawful processes in their attempts to get the compliance of private sector companies in their Internet censorship activities. Meanwhile, the government continues to resurrect Bill C30, despite widespread condemnation. The proposed electronic surveillance law would give the government unprecedented access to Canadians’ private online information without the requirement of a warrant.
If the Canadian government fails to respect freedom of expression, the right to privacy, and the rule of law in our own country, how can it expect other countries to do so in theirs?
Kieran Bergmann, “Throttling free speech, at home and abroad”
Categories
On Publicness and the Academy
Alex Reid has written a short piece about his position concerning the question: if and academic speaks in public, is it right for members of the audience to record/write/talk about what was said?
While I can’t say that I agree with one of the positions he assumes – that as an academic you should exclusively be publishing close-to-complete work (i.e. drafts or early works in progress you don’t want talked about need not apply!) – it’s worth the read, especially in the context that many academics are loathe to have ‘early’ work broadcast beyond tightly controlled confines and populations.
Alex has a great punchline, emphasizing how academics are for the first time really, widely, seeing their work being public and thus critiqued/engaged with. It’s scary for a lot of people but it’s definitely the new reality of academe. The post is well worth the few minutes it’ll take you to read!
While it comes as no surprise that police monitored Facebook during last year’s Occupy protests, in the case of Occupy Miami an advocate/journalist was specifically targeted after his Facebook profile was subjected to police surveillance. An email produced in the court case revealed:
the police had been monitoring Miller’s Facebook page and had sent out a notice warning officers in charge of evicting the Occupy Miami protestors that Miller was planning to cover the process.
Significantly, the police tried to destroy evidence showing that they had unlawfully targeted the advocate, footage that (after having been forensically recovered) revealed that the charges laid against the advocate were blatantly false. That authorities conduct such surveillance – often without the targets of surveillance knowing that they have been targeted or, when targeted, why – matters for the general population because lawfully exercising one’s rights increasingly leads to citizens being punished for doing so. Moreover, when the surveillance is accompanied by deliberate attempts to undermine citizens’ capacities to respond to unlawful detentions and false charges, we have a very, very real problem that can affect any citizen.
We know from academic research conducted by scholars such as Jeffrey Monaghan and Kevin Walby that Canadian authorities use broad catch-all caricatures during major events to identify ‘problem populations.’ We also know that many of the suspects that are identified during such events are identically labeled regardless of actually belonging in the caricature population. The capacity to ‘effectively’ sort in a way resembling fact or reality is marginal at best. Consequently, we can’t just say that the case of Occupy surveillance is an ‘American thing’: Canadian authorities do the same thing to Canadian citizens of all ages, be they high school or university students, employed middle-aged citizens, or the elderly. These are surveillance and sorting processes that are widely adopted with relatively poor regulation or oversight. These processes speak to the significant expansion of what constitutes general policing as well as speaking to the state-born risks of citizens even in ‘safe’ countries using social media in an unreflective manner.
Excited Pixels 