Alec Muffett has a terrific piece that clearly articulates why, exactly, passwords are beneficial elements of a broader security apparatus. He also notes core ‘risks’ associated with passwords, and how many of these risks can be defrayed (spoiler alert: just use a strong password management system).
Author: Christopher Parsons
Policy wonk. Torontonian. Photographer. Not necessarily in that order.
On Masons, Cryptography, and History
Wired has a terrific piece that details how a secret order in the 18th century used a combination of cryptography, obfuscation, and operational secrecy to either spy on the Masons, or keep the Masonic traditions and rituals alive during a time of persecution. It’s a longer read, but worth your time. Wired’s article also demonstrates the value of academic freedom: it gives scholars the ability to explore and solve intriguing problems. Their work may never provide a monetary ‘return on investment’ but it will likely enrich society and culture nevertheless.
2012.11.24
The issue here is not whether Anonymous activists can be rightfully prosecuted: acts of civil disobedience, by definition, are violations of the law designed to protest or create a cost for injustices. The issue is how selectively these cyber-attack laws are enforced: massive cyber-attacks aimed at a group critical of US policy (WikiLeaks) were either perpetrated by the US government or retroactively sanctioned by it, while relatively trivial, largely symbolic attacks in defense of the group were punished with the harshest possible application of law enforcement resources and threats of criminal punishment.
That the US government largely succeeded in using extra-legal and extra-judicial means to cripple an adverse journalistic outlet is a truly consequential episode: nobody, regardless of one’s views on WikiLeaks, should want any government to have that power. But the manifestly overzealous prosecutions of Anonymous activists, in stark contrast to the (at best) indifference to the attacks on WikiLeaks, makes all of that even worse. In line with its unprecedented persecution of whistleblowers generally, this is yet another case of the US government exploiting the force of law to entrench its own power and shield its actions from scrutiny.
Glenn Greenwald, “Prosecution of Anonymous activists highlights war for Internet control”
The Times Colonist has a particularly good opinion piece concerning authorities’ use of automatic license plate recognition. This technology was recently the subject of an investigation in British Columbia, with the provincial information and privacy commissioner asserting that many of the current uses of the technology must stop. For more information, you can read the decision (.pdf) or some press coverage about the decision.
When speaking about authorities’ interests in retaining locational information about people who aren’t immediately of interest to police, the author of the opinion piece writes:
And the concept [of collecting such information] goes against the golden thread that winds its way throughout our justice system – the presumption of innocence unless proven otherwise. A person shouldn’t become the focus of an investigation just because he or she happened to drive along a certain street at a certain time.
But a person who hasn’t done anything wrong shouldn’t worry, right? Ask that to people whose lives have been ruined when they have been investigated or charged for a crime and later exonerated. That stigma of being the target of a police investigation is not easily erased, even when a person is cleared of all wrongdoing.
This latter paragraph – that the stigma of a false investigation can significantly alter a person’s life possibilities for an extensive period of time – is often forgotten about or glossed over when reporting on new policing surveillance practices. In an era where information is in abundance, and the attention span to monitor stories and issues is at a premium, a false charge may be legally overturned without the population more generally ever correcting their false impressions. This can create a long-standing disadvantage for falsely accused persons as they try to carry on with their lives.
Moreover, the very potential that information could be used against you turns the (popular) understanding of guilt on its head: instead of authorities clearly linking a person’s presence at a location with a crime, it becomes the responsibility of each individual to demonstrate the innocence of being in place X at time Y. Given that these license plate scanners can capture where people are, at any time of the day, there isn’t a necessary reason that a person will know why they were at X at Y. While such oversights ought to be understood as the reasonable failings of a reasonable human’s mind, the danger is that an inability to justify one’s presence at a particular place could be taken as an indication of potential guilt. As a result of such ‘suspicious’ behaviour an individual who was just driving at the ‘wrong place’ at the ‘wrong time’ could be subjected to more intrusive police surveillance, simply because a scanner identified a person at a particular place at a particular time.
Fortunately, the privacy commissioner has significantly come out against this ubiquitous form of surveillance. Her stance should limit these dystopian risks of license plate scanners in her jurisdiction. Now it’s up to the authorities to respect the decision and mediate how and why they use the technology.
Why Privacy Matters
Axel Arnbak and Nico van Eijk have a thought-provoking paper about regulating systemic vulnerabilities in the HTTPS value chain. They focus on constitutional values to establish a baseline to measure regulation against; it’s a clever move that offers a good lens to critique legislative efforts meant to regulate SSL. The paper is here, and the full abstract is below:
Hypertext Transfer Protocol Secure (‘HTTPS’) has evolved into the de facto standard for secure web browsing. Through the certificate-based authentication protocol, web services and internet users protect valuable communications and transactions against interception and alteration by cybercriminals, governments and business. In only one decade, it has facilitated trust in a thriving global E-Commerce economy, while every internet user has come to depend on HTTPS for social, political and economic activities on the internet.
Recent breaches and malpractices at several Certificate Authorities (CA’s) have led to a collapse of trust in these central mediators of HTTPS communications as they revealed ‘fundamental weaknesses in the design of HTTPS’ (ENISA 2011). In particular, the breach at Dutch CA Diginotar shows how a successful attack on one of the 650 Certificate Authorities across 54 jurisdictions enables attackers to create false SSL-certificates for any given website or service. Moreover, Diginotar kept the breach silent. So for 90 days, web browsers continued to trust Diginotar certificates, enabling attackers to intercept the communications of 300.000 Iranians. In its aftermath, Dutch public authorities overtook operations at Diginotar and convinced Microsoft to delay updates to its market-leading web browser to ensure ‘the continuity of the internet’. These bold interventions lacked a legitimate basis.
While serving as the de facto standard for secure web browsing, in many ways the security of HTTPS is broken. Given our dependence on secure web browsing, the security of HTTPS has become a top priority in telecommunications policy. In June 2012, the European Commission proposed a new Regulation on eSignatures. As the HTTPS ecosystem is by and large unregulated across the world, the proposal presents a paradigm shift in the governance of HTTPS. This paper examines if, and if so, how the European regulatory framework should legitimately address the systemic vulnerabilities of the HTTPS ecosystem.
To this end, the HTTPS authentication model is conceptualised using actor-based value chain analysis and the systemic vulnerabilities of the HTTPS ecosystem are described through the lens of several landmark breaches. The paper then explores the rationales for regulatory intervention, discusses the EU eSignatures Regulation and abstracts from the EU proposal to develop general insights for HTTPS governance. Our findings should thus be relevant for anyone interested in HTTPS, cybersecurity and internet governance – both in Europe and abroad.
HTTPS governance apprises the incentive structure of the entire HTTPS authentication value chain, untangles the concept of information security and connects its balancing of public and private interests to underlying values, in particular constitutional rights such as privacy, communications secrecy and freedom of communication.
In the long term, a robust technical and policy overhaul must address the systemic weaknesses of HTTPS, as each CA is a single point of failure for the security of the entire ecosystem. On the short term, specific regulatory measures to be considered throughout the value chain may include proportional liability provisions, meaningful security breach notifications and internal security requirements, but both legitimacy and effectiveness will depend on the exact wording of the regulatory provisions.
The research finds that the EU eSignatures proposal lacks an integral vision on the HTTPS value chain and a coherent normative assessment of the underlying values of HTTPS governance. These omissions lead to sub-optimal provisions on liability, security requirements, security breach notifications and supervision in terms of legitimacy and addressing the systemic security vulnerabilities of the HTTPS ecosystem.
In his most recent op-ed, Morozov offers a good, if common, argument. Specifically, he argues that:
Quaint prudishness, excessive enforcement of copyright, unneeded damage to our reputations: algorithmic gatekeeping is exacting a high toll on our public life. Instead of treating algorithms as a natural, objective reflection of reality, we must take them apart and closely examine each line of code.
While I tend to agree with him, it’s important to recognize the actual value of what he’s written: he’s made rapidly accessible (though, with less subtlety) what ethicists and scholars of contemporary digital technology have been writing about for over a decade. Read what he’s written – it’s good – but rather than stopping there go on to read Winner’s The Whale and the Reactor, sections from DeNardis’ excellent Opening Standards, and Lessig’s Code. In essence, it’s not that Morozov’s written anything badly, but what he’s written just touches the tip of the iceberg.
Tumblr user nugnug provides an excellent list of the core “what’s missing” in Windows Phone right now and that will continue being absent after the 7.8 update:
- rotation lock – I surf the net when I’m lying down. Everyone does. This is such an important feature and yet, where the hell is it?
- screen capture – I can’t take screenshots on my phone! What is this!? How can I blackmail people and post the stupid things they say on Facebook?
- customized sounds for messaging, etc. – We can customize our ringtones, so why not the rest?
- notification center – This ain’t happening. I already know this cause they didn’t have time to make it. Lame.
- separate volume controls for phone sounds and media – I want to listen to music at a really low volume but that means I won’t be able to hear my phone ring. A dilemma that can be easily rectified.
- the forward button and “find on page” function in IE – there’s a java fix someone else kindly made, but there shouldn’t be a need. It’s a basic function that should be included in all internet browsers.
- Wifi turns off when in sleep mode – the biggest reason why my whatsapp messages arrive hours later is because my phone, which relies on only Wifi when I’m at home, turns off Wifi when it goes to sleep. Ugh.
- Bluetooth file transfers – I WANNA GIVE MY FRIENDS STUFF WITHOUT USING MY NET DATA BUT I CAN’T.
- multi selection – let me delete multiple photos on my phone at a time. PLZZ.
- editing the dictionary – there are some words I made up, I would like to delete please.
- improvements in the calendar – by far the most used section of my phone, it holds all my schedules and Facebook events and works seamlessly. So why not build on it? Include a weekly view, allow me to change colours on some of my personal entries.
- automatic sleep mode – not too fussy, but this would be really cool. If I set a time e.g. from 11pm to 8am, my phone will sleep between those hours and I won’t get any notifications between those times.
- closing apps from the multitasking view – not too important
I have to admit that some of the items aren’t top of mind for me: I don’t really care about the sleep mode, don’t see the point of closing apps from the multitasking view, and am not interested in bluetooth sharing. That said, every other suggestion is much, much needed.
I would also add to the list that scrolling in the 7.8 update needs to change; in the older version 1 Windows Phones scrolling would accelerate the more you scrolled up or down, whereas the current generation of 7.5 phones feature a static scrolling rate. This speed simply feels slower than earlier – and less capable – hardware and software iterations of Windows Phone.
2012.11.15
Iranian officials have been assuring the public that the establishment of the [National Information Network] NIN will not cut them off from the Internet. The NIN, according to the government, will provide a “faster, safer, and more reliable” network for domestic purposes, in addition to the global Internet for daily usage.
What the officials have been less vocal about is that the NIN will make it easier for them to monitor user activities and carry out surveillance. Moreover, the establishment of the NIN as an independent network from the Internet will provide officials with the option of cutting off access without affecting the country’s administration. Shutting down the Internet in the aftermath of the contested 2009 elections, for example, was problematic since it interrupted banking and government operations. With the establishment of the NIN, a similar outage will not interrupt internal network traffic.
asl19, “Iran’s National Information Network”