Quotulatiousness

April 7, 2014

US government data security failures

Filed under: Bureaucracy, Government, Technology — Nicholas @ 09:02

David Gewirtz says that the press has totally mis-reported the scale of government security breaches:

Summary: This is one of those articles that spoils your faith in mankind. Not only are government security incidents fully into holy-cow territory, the press is reporting numbers three magnitudes too low because someone misread a chart and everyone else copied that report.

You might think this was an April Fool’s gag, except it was published on April 2nd, not April 1st.

According to testimony given by Gregory C. Wilshusen [PDF], Director of Information Security Issues for the Government Accountability Office, to the United States Senate Committee on Homeland Security and Governmental Affairs, and I quote, “most major federal agencies had weaknesses in major categories of information security controls.”

In other words, some government agency data security functions more like a sieve than a lockbox.

Some of the data the GAO presented was deeply disturbing. For example, the number of successful breaches doubled since 2009. Doubled. There’s also a story inside this story, which I’ll discuss later in the article. Almost all of the press reporting on this testimony got the magnitude of the breach wrong. Most reported that government security incidents numbered in the thousands, when, in fact, they numbered in the millions.

Emphasis mine. Here are the actual numbers:

Incidents involving personal identifying information grew from about 10.5 million in 2009 to over 25 million last year. By the way, some press reports on this misread the GAO’s charts. For example, the Washington Free Beacon wrote about this, claiming “25,566 incidents of lost taxpayer data, Social Security numbers, patient health information.” What they missed was the little notation on the chart that says “in thousands,” so when they reported 25,566 incidents, what that really reads as is 25,566 x 1000 incidents.

[Image: 2014 GAO analysis of security breaches]

This is an example of how the Internet echo chamber can get information very, very wrong. The Chicago Tribune, via Reuters reported the same incorrect statistic. So did InformationWeek. So did FierceHealthIT. Business Insider picked up the Reuters report and happily repeated the same statistic — which was three orders of magnitude incorrect.

This is why I always try to go to the original source material [PDF] and not just repeat the crap other writers are parroting. It’s more work, but it means the difference between reporting 25 thousand government breaches and 25 million government breaches. 25 thousand is disturbing. 25 million is horrifying.

April 2, 2014

People are less inclined to shop or bank online after NSA surveillance reports

Filed under: Business, Government, Technology — Nicholas @ 08:46

Among the side-effects of government surveillance revelations, ordinary people are deciding to be a bit less involved in online activities, according to a new Harris Poll:

Online banking and shopping in America are being negatively impacted by ongoing revelations about the National Security Agency’s digital surveillance activities. That is the clear implication of a recent ESET-commissioned Harris poll which asked more than 2,000 U.S. adults ages 18 and older whether or not, given the news about the NSA’s activities, they have changed their approach to online activity.

Almost half of respondents (47%) said that they have changed their online behavior and think more carefully about where they go, what they say, and what they do online.

When it comes to specific Internet activities, such as email or online banking, this change in behavior translates into a worrying trend for the online economy: over one quarter of respondents (26%) said that, based on what they have learned about secret government surveillance, they are now doing less banking online and less online shopping. This shift in behavior is not good news for companies that rely on sustained or increased use of the Internet for their business model.

[…]

Whether or not we have seen the full extent of the public’s reaction to state-sponsored mass surveillance is hard to predict, but based on this survey and the one we did last year, I would say that, if the NSA revelations continue – and I am sure they will – and if government reassurances fail to impress the public, then it is possible that the trends in behavior we are seeing right now will continue. For example, I do not see many people finding reassurance in President Obama’s recently announced plan to transfer the storage of millions of telephone records from the government to private phone companies. As we will document in our next installment of survey findings, data gathering by companies is even more of a privacy concern for some Americans than government surveillance.

And in case anyone is tempted to think that this is a narrow issue of concern only to news junkies and security geeks, let me be clear: according to this latest survey, 85% of adult Americans are now at least somewhat familiar with the news about secret government surveillance of private citizens’ phone calls, emails, online activity, and so on.

March 13, 2014

It’s amazing how much data can be derived from “mere” metadata

Filed under: Liberty, Media, Technology — Nicholas @ 08:25

Two Stanford grad students conducted a research project to find out what kind of actual data can be derived from mobile phone metadata:

Two Stanford computer science students were able to acquire detailed information about people’s lives just from telephone metadata — the phone number of the caller and recipient, the particular serial number of the phones involved, the time and duration of calls and possibly the location of each person when the call occurred.

The researchers did not do any illegal snooping — they worked with the phone records of 546 volunteers, matching phone numbers against the public Yelp and Google Places directories to see who was being called.

From the phone numbers, it was possible to determine that 57 percent of the volunteers made at least one medical call. Forty percent made a call related to financial services.

The volunteers called 33,688 unique numbers; 6,107 of those numbers, or 18 percent, were isolated to a particular identity.

[…]

They crowdsourced the data using an Android application and conducted an analysis of individual calls made by the volunteers to sensitive numbers, connecting the patterns of calls to emphasize the detail available in telephone metadata, Mayer said.

“A pattern of calls will, of course, reveal more than individual call records,” he said. “In our analysis, we identified a number of patterns that were highly indicative of sensitive activities or traits.”

For example, one participant called several local neurology groups, a specialty pharmacy, a rare-condition management service, and a pharmaceutical hotline used for multiple sclerosis.

Another contacted a home improvement store, locksmiths, a hydroponics dealer and a head shop.

The researchers initially shared the same hypothesis as their computer science colleagues, Mayer said. They did not anticipate finding much evidence one way or the other.

“We were wrong. Phone metadata is unambiguously sensitive, even over a small sample and short time window. We were able to infer medical conditions, firearm ownership and more, using solely phone metadata,” he said.

February 11, 2014

Rand Paul on the Fourth Amendment

Filed under: Government, Liberty, USA — Nicholas @ 12:06

QotD: The NSA voicemail greeting

Filed under: Government, Humour, Quotations — Nicholas @ 10:41

Thanks for calling the National Security Agency. Press 1 for a blanket denial. Whatever you heard, it’s not true. Press 2 to hear a transcript of every call you’ve ever made. Press 3 to confess. If you haven’t done anything, that’s OK, the NSA treats everyone like a criminal. Press 4 to have your tax money used to violate your privacy. Press 5 to hear these options again.

Gregg Easterbrook, “Are the Chiefs real or opportunistic?”, ESPN Tuesday Morning Quarterback, 2013-10-29

January 26, 2014

The New York Times profiles Rand Paul

Filed under: Liberty, Politics, USA — Nicholas @ 11:19

An interesting view of Rand Paul by Sam Tanenhaus and Jim Rutenberg:

As Rand Paul test-markets a presidential candidacy and tries to broaden his appeal, he is also trying to take libertarianism, an ideology long on the fringes of American politics, into the mainstream. Midway through his freshman term, he has become a prominent voice in Washington’s biggest debates — on government surveillance, spending and Middle East policy.

In the months since he commanded national attention and bipartisan praise for his 13-hour filibuster against the Obama administration’s drone strike program, Mr. Paul has impressed Republican leaders with his staying power, in part because of the stumbles of potential rivals and despite some of his own.

“Senator Paul is a credible national candidate,” said Mitt Romney, who ran for president as the consummate insider in 2012. “He has tapped into the growing sentiment that government has become too large and too intrusive.” In an email, Mr. Romney added that the votes and dollars Mr. Paul would attract from his father’s supporters could help make him “a serious contender for the Republican nomination.”

But if Mr. Paul reaps the benefits of his father’s name and history, he also must contend with the burdens of that patrimony. And as he has become a politician in his own right and now tours the circuit of early primary states, Mr. Paul has been calibrating how fully he embraces some libertarian precepts.

[…]

Since becoming a national figure, Mr. Paul has generally stayed on safer ground. His denunciations of government intrusion on Americans’ privacy have been joined by lawmakers in both parties and have resonated with the public — though no other member of Congress as yet has joined him in his planned class-action suit against the National Security Agency.

He has renounced many of the isolationist tenets central to libertarianism, backed away from his longstanding objections to parts of the 1964 Civil Rights Act and teamed with members of the Congressional Black Caucus in calling for an easing of drug-sentencing laws. He recently unveiled a plan for investment in distressed inner cities.

Much of that is in keeping with the left-right alliance Mr. Paul promotes, an alternative to what he dismisses as a “mushy middle.” Such partnerships, he says, “include people who firmly do believe in the same things, that happen to serve in different parties.”

Of course, no profile of Rand Paul is complete without including his early influences, including his musical tastes:

Rand was engrossed in his own course of libertarian study: He received a set of Ayn Rand novels for his 17th birthday. And he followed the rock band Rush, some of whose lyrics had libertarian themes.

Gary L. Gardner Jr., a high school friend, said: “I remember even back then being on a swim team bus and a Rush song comes on. I think it was the song ‘Trees’ — and he said, ‘Man, listen to the words of this, you know those guys have got to be conservative.’ ”

“The Trees” tells the story of maples, overshadowed by tall oaks, that form a union to bring equality to the woods “by hatchet, ax and saw.”

[Image: Rand Paul influences]

The pantheon of libertarianism includes economists like Mises and Friedman and the novelist Rand; Mr. Hess, a former speechwriter for Senator Barry M. Goldwater; Mr. Rothbard, an economic historian and social thinker; Ron Paul, congressman, presidential aspirant, father and “hero”; and Rush, whose lyrics were infused with libertarian themes.

January 15, 2014

President Obama’s speech shows his fear of “a backlash from national security agencies”

Filed under: Government, Liberty, USA — Nicholas @ 09:38

Is the national security “tail” wagging the national “dog”?

President Obama will issue new guidelines on Friday to curtail government surveillance, but will not embrace the most far-reaching proposals of his own advisers and will ask Congress to help decide some of the toughest issues, according to people briefed on his thinking.

Mr. Obama plans to increase limits on access to bulk telephone data, call for privacy safeguards for foreigners and propose the creation of a public advocate to represent privacy concerns at a secret intelligence court. But he will not endorse leaving bulk data in the custody of telecommunications firms, nor will he require court permission for all so-called national security letters seeking business records.

The emerging approach, described by current and former government officials who insisted on anonymity in advance of Mr. Obama’s widely anticipated speech, suggested a president trying to straddle a difficult line in hopes of placating foreign leaders and advocates of civil liberties without a backlash from national security agencies. The result seems to be a speech that leaves in place many current programs, but embraces the spirit of reform and keeps the door open to changes later.

Emphasis mine.

January 11, 2014

February 11th 2014 is The Day We Fight Back Against Mass Surveillance

Filed under: Government, Liberty, Media — Nicholas @ 10:49

It may be only a token gesture, but mark 11 February on your calendar:

DEAR USERS OF THE INTERNET,

In January 2012 we defeated the SOPA and PIPA censorship legislation with the largest Internet protest in history. A year ago this month one of that movement’s leaders, Aaron Swartz, tragically passed away.

Today we face a different threat, one that undermines the Internet, and the notion that any of us live in a genuinely free society: mass surveillance.

If Aaron were alive, he’d be on the front lines, fighting against a world in which governments observe, collect, and analyze our every digital action.

Now, on the eve of the anniversary of Aaron’s passing, and in celebration of the win against SOPA and PIPA that he helped make possible, we are announcing a day of protest against mass surveillance, to take place this February 11th.

[…]

[Image: Anti-surveillance banner preview]

We’re creating embeddable banners and widgets that you’ll be able to add to your site to encourage visitors to participate in the day of action. The photo above is just a draft — the final design is yet to come.

January 9, 2014

Oh, that’s okay then – Congress has the same constitutional protections as other Americans (i.e., none whatsoever)

Filed under: Government, Law, Liberty, USA — Nicholas @ 10:59

Like Andrew Napolitano, I’m sure all members of Congress heaved a sigh of relief when the NSA said that they have exactly the same constitutional right to privacy from surveillance as every other American does. Wait, what?

Last week, Sen. Bernie Sanders, I-Vt., wrote to Gen. Keith Alexander, director of the National Security Administration (NSA), and asked plainly whether the NSA has been or is now spying on members of Congress or other public officials. The senator’s letter was no doubt prompted by the revelations of Edward Snowden to the effect that the federal government’s lust for personal private data about all Americans and many foreigners knows no bounds, and its respect for the constitutionally protected and statutorily enforced right to privacy is nonexistent.

[…]

All of this is background to the timing of Sanders’ letter. That Clapper perjured himself before, and Alexander misled, Congress is nothing new. And the punishments for lying to Congress and for misleading Congress are identical: five years per lie or per misleading statement. Hence, the silence from the NSA to Sanders.

Well, it wasn’t exactly silence, but rather a refusal to answer a simple question. The NSA did reply to Sanders by stating — in an absurd oxymoron — that members of Congress receive the same constitutional protections as other Americans: that is to say, none from the NSA.

The NSA’s refusal to answer Sanders’ question directly is a tacit admission, because we are all well aware that the NSA collects identifying data on and the content of virtually every email, text message and phone call sent or received in the U.S. In fact, just last week, the secret FISA court renewed the order authorizing massive records collection for the 36th time. If members of Congress are treated no differently than the American public, then the NSA is keeping tabs on every email, text and phone call members of Congress send and receive, too.

That raises a host of constitutional questions. Under the Constitution, Congress and the executive branch are equals. The president — for whom the NSA works — can no more legally spy on members of Congress without a search warrant about the members to be spied upon than Congress can legally spy on the president. Surely the president, a former lecturer in constitutional law at the University of Chicago Law School, knows this.

There was a time when the NSA’s failure to answer such a straightforward question as Sanders has asked would have led to hearings and bipartisan investigations. However, Democrats are largely silent, choosing party and personality over principle, and Republicans know all of this started under President George W. Bush and are afraid to open a can of worms — except for King, who apparently likes to be spied upon.

January 8, 2014

“Silicon Valley was … collateral damage in the war on terror”

Filed under: Government, Liberty, Media, Technology, USA — Nicholas @ 08:40

In Wired, Steven Levy explains how the NSA nearly killed the internet:

On June 6, 2013, Washington Post reporters called the communications departments of Apple, Facebook, Google, Yahoo, and other Internet companies. The day before, a report in the British newspaper The Guardian had shocked Americans with evidence that the telecommunications giant Verizon had voluntarily handed a database of every call made on its network to the National Security Agency. The piece was by reporter Glenn Greenwald, and the information came from Edward Snowden, a 29-year-old IT consultant who had left the US with hundreds of thousands of documents detailing the NSA’s secret procedures.

Greenwald was the first but not the only journalist that Snowden reached out to. The Post’s Barton Gellman had also connected with him. Now, collaborating with documentary filmmaker and Snowden confidante Laura Poitras, he was going to extend the story to Silicon Valley. Gellman wanted to be the first to expose a top-secret NSA program called Prism. Snowden’s files indicated that some of the biggest companies on the web had granted the NSA and FBI direct access to their servers, giving the agencies the ability to grab a person’s audio, video, photos, emails, and documents. The government urged Gellman not to identify the firms involved, but Gellman thought it was important. “Naming those companies is what would make it real to Americans,” he says. Now a team of Post reporters was reaching out to those companies for comment.

It would be the start of a chain reaction that threatened the foundations of the industry. The subject would dominate headlines for months and become the prime topic of conversation in tech circles. For years, the tech companies’ key policy issue had been negotiating the delicate balance between maintaining customers’ privacy and providing them benefits based on their personal data. It was new and controversial territory, sometimes eclipsing the substance of current law, but over time the companies had achieved a rough equilibrium that allowed them to push forward. The instant those phone calls from reporters came in, that balance was destabilized, as the tech world found itself ensnared in a fight far bigger than the ones involving oversharing on Facebook or ads on Gmail. Over the coming months, they would find themselves at war with their own government, in a fight for the very future of the Internet.

December 22, 2013

Does the US Constitution actually provide any protection against surveillance?

Filed under: Government, Law, Liberty, Technology, USA — Nicholas @ 11:16

Julian Sanchez talks about dismantling the surveillance state:

On Tuesday, Judge Richard Leon held that the National Security Agency’s controversial phone records program likely violates the Fourth Amendment’s guarantee against “unreasonable searches and seizures.” But when the inevitable appeal comes, far more than a single surveillance program will be at stake. Whether far higher courts are prepared to embrace Leon’s logic could determine if Americans enjoy any meaningful constitutional protection against government monitoring in the information age.

The NSA program — a massive database that logs, and stores for five years, the time, date, duration, and number dialed for nearly every call placed in the United States — is based on Section 215 of the Patriot Act, which authorizes the government to obtain any records it reasonably believes are “relevant” to a foreign intelligence investigation. But that authority itself depends on the so-called “third party doctrine,” which says that business records held by a “third party” like a phone company aren’t protected by the Fourth Amendment.

If not for the third party doctrine, “relevance” would not be enough: The government would have to satisfy the Fourth Amendment’s far stricter demand to show “probable cause” that records it had “particularly described” would yield evidence of wrongdoing. Under Fourth Amendment standards, a program that involved vacuuming up billions of records in order to fish through them later for suspicious calls would be out of the question — the kind of unlimited “general warrant” the framers of the Constitution were especially concerned to prohibit.

The roots of this cramped reading stretch back to 1979, when the Supreme Court unwittingly dealt a profound blow to American privacy in the case of Smith v. Maryland. With the cooperation of the phone company, police had traced a series of obscene phone calls from Michael Lee Smith to a woman he had earlier robbed. Because they had not first obtained a warrant from a judge, Smith argued that the police had conducted an illegal search, akin to a wiretap.

The Court disagreed: Because Smith should have known, based on the itemized list of calls on his monthly bill, that the phone company kept business records of the numbers he dialed, he had voluntarily abandoned his “reasonable expectation of privacy” in that information — and with it, the protection of the Constitution.

November 30, 2013

“I have nothing to hide from the government, so why should I worry?”

Filed under: Government, Liberty, Media — Nicholas @ 11:39

The Electronic Frontier Foundation explains why you should worry about omnipresent government surveillance:

There are a few ways to respond to this, depending on what you think will work best for the person raising the question.

  • Point out how mass surveillance leaves you at the mercy of not only the NSA, but also to the DEA, the FBI and even the IRS. We know that the government claims that any evidence of a “crime” can be sent to the appropriate law enforcement agencies.
  • Tell them that, even if you don’t think you have something to hide, it’s possible the government thinks you do, or can create some concern about you (or your friends or loved ones). There are so many laws and regulations on the books, Rep. Jim Sensenbrenner said the Congressional Research Service did not have the resources to count them all. One legal expert has argued that the average person likely commits three felonies a day without ever realizing. So, you may be technically breaking a law you have no idea about.
  • We all benefit from a system that allows privacy. For example, when journalists can speak to sources without the specter of surveillance, helping fuel investigative journalism and the free flow of information. And this is not just a hypothetical — the Department of Justice subpoenaed the phone records of Associated Press journalists in an effort to track down government whistleblowers. And it’s not just journalists. Activists, political organizers, lawyers, individuals conducting sensitive research, businesses that want to keep their strategies confidential, and many others rely on secure, private, surveillance-free communication.

November 25, 2013

When your product is “users” your product improvement is “more surveillance”

Filed under: Business, Liberty, Media, Technology — Nicholas @ 10:36

Bruce Schneier on the rising tide of non-governmental surveillance:

Google recently announced that it would start including individual users’ names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached — without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on its website.

These changes come on the heels of Google’s move to explore replacing tracking cookies with something that users have even less control over. Microsoft is doing something similar by developing its own tracking technology.

More generally, lots of companies are evading the “Do Not Track” rules, meant to give users a say in whether companies track them. Turns out the whole “Do Not Track” legislation has been a sham.

It shouldn’t come as a surprise that big technology companies are tracking us on the Internet even more aggressively than before.

If these features don’t sound particularly beneficial to you, it’s because you’re not the customer of any of these companies. You’re the product, and you’re being improved for their actual customers: their advertisers.

November 21, 2013

A panopticon society, but only in one direction

Filed under: Government, Liberty, Technology, USA — Nicholas @ 11:37

For some reason, despite the recent revelations that Americans have almost literally no privacy thanks to government surveillance, some government employees think that they have a right to privacy that they actively push to deny to others:

From the ACLU of Massachusetts:

    Boston Police Department bosses want to install GPS monitoring devices in every patrol car, to enable dispatch to more efficiently process 911 calls. But police officers and their union are outraged, saying that the ubiquitous tracking is too invasive of their personal privacy. Tracking the location of officers as they go about their days would reveal incredibly detailed information about their lives, the officers say.

It must be just awful to go about your daily life looking over your shoulder, conscious that your every movement and activity is being recorded and could be used against you. Oh, wait. That’s what the entire American public is already dealing with, in this age of mass electronic surveillance. But the way the police union is hissing’n’flapping about it, it’s almost as if there was something wrong with that. Don’t they know that you have nothing to fear, if you have nothing to hide?

The ACLU’s tack is that if the police don’t like the feeling of being followed, they shouldn’t be pushing for technologies like mass tracking of license plates or cellphone locations. That’s fair enough, but there’s a larger point here also.

November 18, 2013

Lifelogging in 30-second intervals

Filed under: Media, Technology — Nicholas @ 15:38

Jerry Brito is a sousveillance fan and he thinks you should be too:

The Narrative Clip is a digital camera about the size of a postage stamp that clips to one’s breast pocket or shirt collar and takes a photo every thirty seconds of whatever one’s seeing. The photos are uploaded to the cloud and can be accessed on demand with a smartphone app, making it easy to look up any moment in one’s life. When the project to mass-produce these cameras first hit Kickstarter, I knew I had to have one, and with any luck mine will be arriving in a couple of weeks.

The prospect of having a complete photographic record of my life is compelling for many reasons. I have a terrible memory, especially for faces, so it will be interesting to see if this device can help. There are also moments in life that would be great to relive, but that one can’t – or one doesn’t know one should – be photographing. Narrative’s Instagram feed has some good examples of these. But most importantly, I want to help hasten our inevitable sousveillance future.

[…]

Being monitored in everyday life has become inescapable. So, as David Brin points out in The Transparent Society, the question is not whether there should be pervasive monitoring, but who will have access to the data. Will it only be the powerful, who will use the information to control? Or will the rest of us also be able to watch back?

Ideally, perhaps, we would all be left alone to live private lives under no one’s gaze. Short of halting all technological progress, however, that ship has sailed. Mass surveillance is the inevitable result of smaller cameras and microphones, faster processors, and incredibly cheap storage. So if I can’t change that reality, I want to be able to watch back as well.
