Categories
Links

Iran clamps down on internet use

From the Guardian a while back, we learn:

 Iran is clamping down heavily on web users before parliamentary elections in March with draconian rules on cybercafes and preparations to launch a national internet.

Tests for a countrywide network aimed at substituting services run through the world wide web have been carried out by Iran’s ministry of information and communication technology, according to a newspaper report. The move has prompted fears among its online community that Iran intends to withdraw from the global internet.

The police this week imposed tighter regulations on internet cafes. Cafe owners have been given a two-week ultimatum to adopt rules requiring them to check the identity cards of their customers before providing services.

Since the Green Revolution, the Iranian government has massively committed resources to identifying and undermining Iranian citizens’ ability to communicate with one another using electronic systems. From integrating deep packet inspection into their main ISP networks – and configuring it to identify and stop some kinds of encrypted traffic – to creating cyber-police, and now attempting to physically identify those who use public computers, it is getting harder and more dangerous for Iranians to communicate with one another over the Internet.

 


Categories
Links

An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government

You should go read Chris’ paper, available at SSRN. Abstract below:

Today, when consumers evaluate potential telecommunications, Internet service or application providers – they are likely to consider several differentiating factors: The cost of service, the features offered as well as the providers’ reputation for network quality and customer service. The firms’ divergent approaches to privacy, and in particular, their policies regarding law enforcement and intelligence agencies’ access to their customers’ private data are not considered by consumers during the purchasing process – perhaps because it is practically impossible for anyone to discover this information.

A naïve reader might simply assume that the law gives companies very little wiggle room – when they are required to provide data, they must do so. This is true. However, companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the exigent circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests. As such, there are substantial differences in the privacy practices of the major players in the telecommunications and Internet applications market: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide government agencies access to user data – one carrier even argued in court that its 1st amendment free speech rights guarantee it the right to do so, while other companies refuse to voluntarily disclose data without a court order; some companies charge government agencies when they request user data, while others disclose it for free. As such, a consumer’s decision to use a particular carrier or provider can significantly impact their privacy, and in some cases, their freedom.

Many companies profess their commitment to protecting their customers’ privacy, with some even arguing that they compete on their respective privacy practices. However, none seem to be willing to disclose, let alone compete on the extent to which they assist or resist government agencies’ surveillance activities. Because information about each firm’s practices is not publicly known, consumers cannot vote with their dollars, and pick service providers that best protect their privacy.

In this article, I focus on this lack of information and on the policy changes necessary to create market pressure for companies to put their customers’ privacy first. I outline the numerous ways in which companies currently assist the government, often going out of their way to provide easy access to their customers’ private communications and documents. I also highlight several ways in which some companies have opted to protect user privacy, and the specific product design decisions that firms can make that either protect their customers’ private data by default, or make it trivial for the government to engage in large scale surveillance. Finally, I make specific policy recommendations that, if implemented, will lead to the public disclosure of these privacy differences between companies, and hopefully, create further market incentives for firms to embrace privacy by design.

Categories
Links Writing

How the US pressured Spain to adopt unpopular Web blocking law

Nate Anderson writes, in reference to Spain’s new web blocking law:

 Resistance from locals was fierce. The US embassy, which enthusiastically supported the Sinde law, noted that “serious challenges” lay ahead, that the law was opposed by Internet groups and lawyers, and that “the outcome is uncertain.”

Still, the government didn’t think much of the opposition. Carlos Guervos, Deputy Director for Intellectual Property at the Ministry of Culture, told the US ambassador that “the dogs bark but the caravan moves on” and that the law would be passed.

The dogs put up a good fight, though. As the BBC noted, “Last year hacktivist group Anonymous organised a protest at the Goya Awards—Spain’s equivalent of the Oscars—which saw several hundred people in Guy Fawkes masks booing the minister of culture while applauding Alex de la Iglesia, then-president of the Spanish Film Academy. The movie director had previously voiced opposition to the Sinde law on Twitter and later resigned over the issue.”

Then in late 2010, opposition parties managed to halt the bill in parliament. On December 21, the Electronic Frontier Foundation declared victory and said that a committee had “just stripped the website shut-down provision from the Sustainable Economy Bill”—in part due to the revelations about US pressure.

But the government found a way to bypass the barking mutts, leaving the law for the incoming administration to handle after November 2011. (The law was so unpopular that the former administration elected not to approve it after huge levels of animosity surfaced on social networking sites.) The new government did so quickly, passing a modified version of the Sinde law—judges will now have to issue the actual blacklist order, for instance.

Whatever you think of the resulting legislation, the process was grotesque: the Spanish film industry got one of its officials into power, then promoted a tough new law backed by the threats (and even active lobbying) of the US government—though the US didn’t take the same measures itself.

This is yet another demonstration of American content industries’ ability (and willingness) to exert political pressure through the State Department to effect legislative changes around the world. It’s absolutely absurd that such a small segment of the American economy can wield such incredible power. The Web, and Internet, is larger in economic, political, and cultural importance than any particular group of rights holders; copyright should not trump the laws governing the next generation of content generation and dissemination. As a content producer – with items in print – I find it absolutely reprehensible that any rights holder would actively attempt to undermine the principles of open and free exchange of knowledge that the Web is based upon.

Categories
Links

The credit card that may stop, or at least hinder, on- and offline fraud

From the article:

If someone steals your card, they won’t be able to use it without your code unlocking the number and coding the strip. Since the credit card number is generated fresh for each transaction, there is no data to be stolen in the case of a hack. Citibank is now using the cards in small pilot programs, and the company is hoping to see more banks and cities using the technology.

The dynamic nature of the magnetic strip opens up a number of other applications. I saw a card that had two numbers, so you can keep your business and personal accounts on the same card. You hit a flat button next to each number to select it; a light shines showing you which account is active, and the magnetic strip is coded with that number. Change accounts, and the magnetic strip is instantly reprogrammed. Each card comes with a battery that should last three years.

Of course, this technology is being developed because the US has been so bloody slow adopting the Chip + PIN system that most other nations are adopting. While there are certainly problems with Chip + PIN, it makes a lot more sense to work on, and try to resolve, those problems instead of inventing convoluted new technologies to address known-bad systems. Curious about the payment card fiascos? Check out the comments on the Ars article; you might learn a lot.

Categories
Humour

dalal30336:

liberty+justice+equality+freedom = SECURITY !

This is what ‘balancing’ security with civil liberties often looks like in practice.

Categories
Links

NSA Releases (More) Secure Version of Android

Its code is available to third parties, so we can check for intentional flaws in the enhancements that the NSA has integrated into the Android OS. Still not sure how comfortable I’d be using an OS designed by the folks that do a considerable amount of US SIGINT and COMINT.

Categories
Links Writing

iOS and Android OS Fragmentation

Jon Evans, over at TechCrunch:

More than two-thirds of iOS users had upgraded to iOS 5 a mere three months after its release. Anyone out there think that Ice Cream Sandwich will crack the 20% mark on Google’s platform pie chart by March? How about 10%? Anyone? Anyone? Bueller?

OS fragmentation is the single greatest problem Android faces, and it’s only going to get worse. Android’s massive success over the last year means that there are now tens if not hundreds of millions of users whose handset manufacturers and carriers may or may not allow them to upgrade their OS someday; and the larger that number grows, the more loath app developers will become to turn their back on them. That unwillingness to use new features means Android apps will fall further and further behind their iOS equivalents, unless Google manages – via carrot, stick, or both – to coerce Android carriers and manufacturers to prioritize OS upgrades.

Android fragmentation is a pain for developers and, perhaps even more worryingly, a danger for users who may not receive timely security updates. To be sure, Apple rules the roost when it comes to having better-updated devices, insofar as users tend to get their updates when they become available. Whether those updates contain needed security upgrades is another matter, of course, but Apple at least has the opportunity to improve security across their ecosystem.

Unfortunately, where Apple sees their customers as the people using the devices, Google and RIM both have mixed understandings of who their customers are. Google is trapped between handset manufacturers and carriers, whereas RIM is largely paired with the carriers alone. Neither of these companies has a timely, direct relationship with their end-users (save for RIM and their PlayBook, which has routine updates that bypass their mobile devices’ carrier-restrictions), and this ultimately ends up hurting those who own either company’s mobile devices.

Categories
Videos

Data Collection, Visualized

Want to see a (small) element of how your personal information is collated by major companies around the world? Watch the video and find out.

Categories
Writing

Search Neutrality

Google’s recent decision to integrate its social services into its search product has led to (another) round of outrage. There’s some speculation that the FTC and European Commissioners could launch anti-trust investigations, on grounds that Google is leveraging their search monopoly to unfairly muscle into other markets. Many of the popular tech news and gadget blogs are in an uproar (perhaps knowing it will lead to page views), with Gizmodo proclaiming that Google’s recent action “wiped out all those years of loyalty and goodwill it had built up” because while the new Google search service is

…ostensibly meant to deliver more personalized results … it pulls those personalized results largely from Google services—Google+, Picasa, YouTube. Search for a restaurant, and instead of its Yelp page, the top result might be someone you know discussing it on Google Plus. Over at SearchEngineland, Danny Sullivan has compiled a series of damning examples of the ways Google’s new interface promotes Plus over relevancy. Long story short: It’s a huge step backwards.

I actually use Bing a lot – it’s the default (and sole option) for native search on my phone – and I hate it. HATE IT. It’s really an incompetent search tool at this point. Google, even after integrating social results, works far, far better. Nevertheless, I get the complaints surrounding the anti-trust issues and even agree with them, to a point.

What is that point, you might ask? Well, there has been a long-standing discussion of whether we need ‘search neutrality’ along the lines of ‘network neutrality’, on the basis that people increasingly find sites via search rather than directly plugging in URLs. Thus, Google’s new approach could be seen as constituting a violation of so-called ‘search neutrality’. So, where does the question or issue arise? It’s when we ask this: do search algorithms, or sets of search algorithms, function as networks do – are they ‘dumb’ algorithms meant to get us and data from point A to point B – or do they constitute a form of creative expression, of speech? If you see the algorithms as speech then the notion of ‘speech neutrality’ seems awkward: such neutrality would insist that individuals/corporations moderate their algorithmically-derived ‘speech’ once they reach a certain size.

Whether there are anti-trust violations from Google’s integration of their social services into search will remain to be seen. The more pressing question, however, is whether we see algorithms along the lines of speech or raw data transmission from A to B. I suspect that this question will be addressed or discussed in anti-trust cases and that is where the real action will likely take place.

Categories
Writing

Another Playbook UI Fail

Over the past years, one of the things I’ve spent an inordinate amount of time researching and writing about has been security certificates and data transport security. This is just to say: I spend time in security and know more than a lot of non-technical people.

I have no clue what the fuck this message in the Kobo application for the BlackBerry PlayBook is doing here.

To be specific: I opened the app in a wifi-dead area that was dead in the middle of nowhere. There was no cell service. I checked with packet sniffing applications on my computer; there were no ad hoc or other wireless networks. This kind of a warning indicates that some third-party was trying to intercept encrypted messaging traffic that was destined to Kobo’s servers but gives no indication of how or why this certificate problem was raised. In effect, it’s a warning “shit’s gone bad, son!” without saying “because X just happened!”

Security – on all devices – should be transparent to the user. The warning above (which I’ve seen in other PlayBook apps) is useless to the end-user because it gives no guidance as to what just happened, how to address it, or even how to learn more about the issue. While I commend RIM for making certificate errors so front and centre, presenting highly technical security information to the end-user is garbage unless you also inform them what the hell just happened.