Category: Links

Categories
Links

An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government

You should go read Chris’ paper, available at SSRN. Abstract below:

Today, when consumers evaluate potential telecommunications, Internet service or application providers – they are likely to consider several differentiating factors: The cost of service, the features offered as well as the providers’ reputation for network quality and customer service. The firms’ divergent approaches to privacy, and in particular, their policies regarding law enforcement and intelligence agencies’ access to their customers’ private data are not considered by consumers during the purchasing process – perhaps because it is practically impossible for anyone to discover this information.

A naïve reader might simply assume that the law gives companies very little wiggle room – when they are required to provide data, they must do so. This is true. However, companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the exigent circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests. As such, there are substantial differences in the privacy practices of the major players in the telecommunications and Internet applications market: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide government agencies access to user data – one carrier even argued in court that its 1st amendment free speech rights guarantee it the right to do so, while other companies refuse to voluntarily disclose data without a court order; some companies charge government agencies when they request user data, while others disclose it for free. As such, a consumer’s decision to use a particular carrier or provider can significantly impact their privacy, and in some cases, their freedom.

Many companies profess their commitment to protecting their customers’ privacy, with some even arguing that they compete on their respective privacy practices. However, none seem to be willing to disclose, let alone compete on the extent to which they assist or resist government agencies’ surveillance activities. Because information about each firm’s practices is not publicly known, consumers cannot vote with their dollars, and pick service providers that best protect their privacy.

In this article, I focus on this lack of information and on the policy changes necessary to create market pressure for companies to put their customers’ privacy first. I outline the numerous ways in which companies currently assist the government, often going out of their way to provide easy access to their customers’ private communications and documents. I also highlight several ways in which some companies have opted to protect user privacy, and the specific product design decisions that firms can make that either protect their customers’ private data by default, or make it trivial for the government to engage in large scale surveillance. Finally, I make specific policy recommendations that, if implemented, will lead to the public disclosure of these privacy differences between companies, and hopefully, create further market incentives for firms to embrace privacy by design.

Categories
Links Writing

How the US pressured Spain to adopt unpopular Web blocking law

Nate Anderson writes, in reference to Spain’s new web blocking law:

 Resistance from locals was fierce. The US embassy, which enthusiastically supported the Sinde law, noted that “serious challenges” lay ahead, that the law was opposed by Internet groups and lawyers, and that “the outcome is uncertain.”

Still, the government didn’t think much of the opposition. Carlos Guervos, Deputy Director for Intellectual Property at the Ministry of Culture, told the US ambassador that “the dogs bark but the caravan moves on” and that the law would be passed.

The dogs put up a good fight, though. As the BBC noted, “Last year hacktivist group Anonymous organised a protest at the Goya Awards—Spain’s equivalent of the Oscars—which saw several hundred people in Guy Fawkes masks booing the minister of culture while applauding Alex de la Iglesia, then-president of the Spanish Film Academy. The movie director had previously voiced opposition to the Sinde law on Twitter and later resigned over the issue.”

Then in late 2010, opposition parties managed to halt the bill in parliament. On December 21, the Electronic Frontier Foundation declared victory and said that a committee had “just stripped the website shut-down provision from the Sustainable Economy Bill”—in part due to the revelations about US pressure.

But the government found a way to bypass the barking mutts, leaving the law for the incoming administration to handle after November 2011. (The law was so unpopular that the former administration elected not approve it after huge levels of animosity surfaced on social networking sites.) The new government did so quickly, passing a modified version of the Sinde law—judges will now have to issue the actual blacklist order, for instance.

Whatever you think of the resulting legislation, the process was grotesque: the Spanish film industry got one of its officials into power, then promoted a tough new law backed by the threats (and even active lobbying) of the US government—though the US didn’t take the same measures itself.

This is yet another demonstration of American content industries’ ability (and willingness) to exert political pressure through the State Department to affect legislative changes around the world. It’s absolutely absurd that such a small segment of the American economy can wield such incredible power. The Web, and Internet, is larger in economic, political, and cultural importance than any particular group of rights holders; copyright should not trump the laws governing the next generation of content generation and dissemination. As a content producer – with items in print – it’s absolutely reprehensible that any rights holder would actively attempt to undermine the principles of open and free exchange of knowledge that the Web is based upon.

Categories
Links

The credit card that may stop, or at least hinder, on- and offline fraud

From the article:

If someone steals your card, they won’t be able to use it without your code unlocking the number and coding the strip. Since the credit card number is generated fresh for each transaction, there is no data to be stolen in the case of a hack. Citibank is now using the cards in small pilot programs, and the company is hoping to see more banks and cities using the technology.

The dynamic nature of the magnetic strip opens up a number of other applications. I saw a card that had two numbers, so you can keep your business and personal accounts on the same card. You hit a flat button next to each number to select it; a light shines showing you which account is active, and the magnetic strip is coded with that number. Change accounts, and the magnetic strip is instantly reprogrammed. Each card comes with a battery that should last three years.

Of course, this technology is being developed because the US has been so bloody slow adopting the Chip + PIN system that most other nations are adopting. While there are certainly problems with Chip + PIN it makes a lot more sense to work on, and try to resolve, those problems instead of inventing convoluted new technologies to address known-bad systems. Curious about the payment card fiascos? Check out the comments of the Ars article, you might learn a lot.

Categories
Links

NSA Releases (More) Secure Version of Android

It’s code is available to third-parties, so we can check for intentional flaws in the enhancements that the NSA has integrated into the Android OS. Still not sure how comfortable I’d be using an OS designed by the folks that do a considerable amount of US SIGINT and COMINT.

Categories
Links Writing

iOS and Android OS Fragmentation

Jon Evans, over at TechCrunch:

More than two-thirds of iOS users had upgraded to iOS 5 a mere three months after its release. Anyone out there think that Ice Cream Sandwich will crack the 20% mark on Google’s platform pie chart by March? How about 10%? Anyone? Anyone? Bueller?

OS fragmentation is the single greatest problem Android faces, and it’s only going to get worse. Android’s massive success over the last year mean that there are now tens if not hundreds of millions of users whose handset manufacturers and carriers may or may not allow them to upgrade their OS someday; and the larger that number grows, the more loath app developers will become to turn their back on them. That unwillingness to use new features means Android apps will fall further and further behind their iOS equivalents, unless Google manages – via carrot stick, or both – to coerce Android carriers and manufacturers to prioritize OS upgrades.

Android fragmentation is a pain for developers and, perhaps even more worryingly, a danger for users who may not receive timely security updates. To be sure, Apple rules-the-roost when it comes to having better updated device, insofar as users tend to get their updates when they become available. Whether those updates contain needed security upgrades is another matter, of course, but Apple at least has the opportunity to improve security across their ecosystem.

Unfortunately, where Apple sees their customers as the people using the devices, Google (and RIM) both have mixed understandings of who are their customers. Google is trapped between handset manufacturers and carriers whereas RIM is largely paired with the carriers alone. Neither of these companies has a timely, direct, relationship with their end-users (save for RIM and their PlayBook, which has routine updates that bypass their mobile devices’ carrier-restrictions) and this ultimately ends up hurting those who own either companies’ mobile devices.

Categories
Links

Comcast’s Catch-22 Position on SOPA

As noted by the folks over at Techdirt:

Just as NBC Universal and other SOPA supporters continue to insist that DNS redirect is completely compatible with DNSSEC… Comcast (and official SOPA/PIPA supporter) has rolled out DNSSEC, urged others to roll out DNSSEC and turned off its own DNS redirect system, stating clearly that DNS redirect is incompatible with DNSSEC, if you want to keep people secure. In the end, this certainly appears to suggest thatComcast is admitting that it cannot comply with SOPA/PIPA, even as the very same company is advocating for those laws. 

 

Categories
Links

(Un)Lawful Access: Canadian Government Wants to Spy on You

A snippet:

Without presenting a single shred of evidence that Canadian police need any more power than they already have (arguable too much as it is, if Toronto’s disastrous G20 summit is any indication), you are being asked to believe that handing law enforcement agencies a blank cheque to snoop through your life is actually for your own good.

This is, of course, nonsense. Passing legislation whose only benefit is police convenience comes nowhere close to justifying the dismantling of Canadians’ privacy rights.

 

Categories
Links

Top German cop uses spyware on daughter, gets hacked in retaliation

Surveillance technologies are a double-edged sword, one that often lack a hilt guard.

According to the report, a top German security official installed a trojan on his own daughter’s computer to monitor her Internet usage. What could possibly go wrong?

Nothing—well, at least until one of the daughter’s friends found the installed spyware. The friend then went after the dad’s personal computer as a payback and managed to get in, where he found a cache of security-related e-mails from work. The e-mails, in turn, provided the information necessary for hackers to infiltrate Germany’s federal police.

That was bad, but it got worse. The hackers got into the servers for the “Patras” program, which logs location data on suspected criminals through cell phone and car GPS systems. Concerned about security breaches, the government eventually had to take the entire set of Patras servers offline.

 

Categories
Links

‘Going Dark’ Versus a ‘Golden Age for Surveillance’

A critical read about the contemporary aims of intelligence and policing communities to expand their technical surveillance capabilities whilst reducing legal oversight of their activities. A snippet:

This post casts new light on government agency claims that we are “going dark.” Due to changing technology, there are indeed specific ways that law enforcement and national security agencies lose specific previous capabilities. These specific losses, however, are more than offset by massive gains. Public debates should recognize that we are truly in a golden age of surveillance. By understanding that, we can reject calls for bad encryption policy. More generally, we should critically assess a wide range of proposals, and build a more secure computing and communications infrastructure.

Go read the whole piece. It’ll take a few minutes, but it’ll be some of the best minutes you’ve spent today.

Categories
Links

Verizon and Rogers skirt rules on network neutrality versus Free’s innovative network

St. Arnand says:

They tried and failed with UBB. Now they are at it again with “speed boost” technologies.  The two technologies at question are Verizon’s “Turbo” service  and Roger’s “SpeedBoost”.  There are very few technical details, but it appears in the former case that users will be able to purchase additional instantaneous bandwidth to the detriment of other users on the same shared service.  Whether this will make a difference to actual throughput is another matter because the slow video may be due to server problems and not network congestion. And if you are in elevator with very poor connectivity, you will unlikely get any faster download speed, no matter how many times you press the turbo button. But will Verizon give you a credit if you don’t get the advertised speed boost?  I doubt it. Similarly the Rogers’ service, while still free, seems to imply faster speeds if they detect you are streaming a video, particularly from their own on-line service.  Will users who are not streaming video, but using other real time applications get the same benefit such as VoIP or Telepresence?  I doubt it.

I agree with his thrust that this kind of practice creates undue preference for certain kinds of content distribution over others. I would just note that (based on some people I’ve spoken to about Rogers’ practices) it seems like Rogers’ system temporarily ‘upgrades’ a person’s throughput capacity to try and get ‘bursty’ traffic to the end-user quickly, and to create a buffer for streaming media. Thus, if you subscribe to a 10 mbps service then you would temporarily go to a 15 mbps connection, and after those few seconds pass by you revert back to your 10 mbps speeds.