Quotulatiousness

September 28, 2013

Google is “fighting stupid with stupid”

Filed under: Business, Law, Technology — Tags: , , , — Nicholas @ 11:54

In Maclean’s, Jesse Brown looks at the rather dangerous interpretation of how email works in a recent court decision:

Newsflash: Google scans your email! Whether you have a Gmail account or just send email to people who do, Gmail’s bots automatically read your messages, mostly for the purpose of creating targeted advertising. And if you were reading this in 2005, that might seem shocking.

Today, I think most Internet users understand how free webmail works and are okay with it. But a U.S. federal judge has ruled otherwise. Yesterday, U.S. District Judge Lucy H. Koh ruled that Google’s terms of service and privacy policies do not explicitly spell out that Google will “intercept” users’ email (here’s the ruling).

The word “intercept” is crucial here, because it may put Google in the crosshairs of State and Federal anti-wiretapping laws. After Judge Koh’s ruling, a class-action lawsuit against Google can proceed, whose plaintiffs seek remedies for themselves and for class groups including “all U.S. citizen non-Gmail users who have sent a message to a Gmail user and received a reply…”. Like they say in Vegas, go big or go home.

[…]

An algorithm that scans my messages for keywords like “vacation” in order to offer me cheap flights is not by any stretch of the imagination a wiretap.

But Google has taken a different tack in their defence. If, they’ve argued, what Gmail does qualifies as interception, than so does all email, since automated processing is needed just to send the stuff, whether or not advertising algorithms or anti-spam filters are in use. This logic can be extended, I suppose, to all data that passes through the Internet.

You might call it fighting stupid with stupid, but I think it’s a bold bluff: rule us illegal, Google warns the court, and be prepared to deem the Internet itself a wiretap violation.

September 21, 2013

Justin Amash on congressional classified briefings

Filed under: Bureaucracy, Government, USA — Tags: , , , , — Nicholas @ 10:01

In The Atlantic, Garance Franke-Ruta has transcribed some of Representative Justin Amash’s comments on the ins-and-outs of confidential briefings offered to congressmen:

Amash, who has previously butted heads with Intelligence Committee Chairman Mike Rogers and ranking member Dutch Ruppersberger over access to classified documents, recounted what happened during remarks before libertarian activists attending the Liberty Political Action Conference in Chantilly, Virginia, Thursday night. I quote his anecdote in full here, because it’s interesting to hear what it feels like to be one of the activist congressmen trying to rein in National Security Agency surveillance:

    What you hear from the intelligence committees, from the chairmen of the intelligence committees, is that members can come to classified briefings and they can ask whatever questions they want. But if you’ve actually been to one of these classified briefings — which none of you have, but I have — what you discover is that it’s just a game of 20 questions.

    You ask a question and if you don’t ask it exactly the right way you don’t get the right answer. So if you use the wrong pronoun, or if you talk about one agency but actually another agency is doing it, they won’t tell you. They’ll just tell you, no that’s not happening. They don’t correct you and say here’s what is happening.

    So you actually have to go from meeting to meeting, to hearing to hearing, asking asking questions — sometimes ridiculous questions — just to get an answer. So this idea that you can just ask, just come into a classified briefing and ask questions and get answers is ridiculous.

    If the government — in an extreme hypothetical, let’s say they had a base on the moon. If I don’t know that there’s a base on the moon, I’m not going to go into the briefing and say you have a moonbase. Right? [Audience laughs.] If they have a talking bear or something, I’m not going to say, ‘You guys, you didn’t engineer the talking bear.’

    You’re not going to ask questions about things you don’t know about. The point of the Intelligence Committee is to provide oversight to Congress and every single member of Congress needs information. Each person in Congress represents about 700,000 people. It’s not acceptable to say, ‘Well, the Intelligence Committees get the information, we don’t need to share with the rest of Congress.’ The Intelligence Committee is not one of the branches of government, but that’s how it’s being treated over and over again.

September 18, 2013

The NSA scandal is not about mere privacy

Filed under: Government, Liberty, USA — Tags: , , , , — Nicholas @ 08:19

Last week, Yochai Benkler posted this in the Guardian:

The spate of new NSA disclosures substantially raises the stakes of this debate. We now know that the intelligence establishment systematically undermines oversight by lying to both Congress and the courts. We know that the NSA infiltrates internet standard-setting processes to security protocols that make surveillance harder. We know that the NSA uses persuasion, subterfuge, and legal coercion to distort software and hardware product design by commercial companies.

We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations. The American body politic is suffering a severe case of auto-immune disease: our defense system is attacking other critical systems of our body.

First, the lying. The National Intelligence University, based in Washington, DC, offers a certificate program called the denial and deception advanced studies program. That’s not a farcical sci-fi dystopia; it’s a real program about countering denial and deception by other countries. The repeated misrepresentations suggest that the intelligence establishment has come to see its civilian bosses as adversaries to be managed through denial and deception.

[…]

Second, the subversion. Last week, we learned that the NSA’s strategy to enhance its surveillance capabilities was to weaken internet security in general. The NSA infiltrated the social-professional standard-setting organizations on which the whole internet relies, from National Institute of Standards and Technology to the Internet Engineering Task Force itself, the very institutional foundation of the internet, to weaken the security standards. Moreover, the NSA combined persuasion and legal coercion to compromise the commercial systems and standards that offer the most basic security systems on which the entire internet runs. The NSA undermined the security of the SSL standard critical to online banking and shopping, VPN products central to secure corporate, research, and healthcare provider networks, and basic email utilities.

Serious people with grave expressions will argue that if we do not ruthlessly expand our intelligence capabilities, we will suffer terrorism and defeat. Whatever minor tweaks may be necessary, the argument goes, the core of the operation is absolutely necessary and people will die if we falter. But the question remains: how much of what we have is really necessary and effective, and how much is bureaucratic bloat resulting in the all-too-familiar dynamics of organizational self-aggrandizement and expansionism?

The “serious people” are appealing to our faith that national security is critical, in order to demand that we accept the particular organization of the Intelligence Church. Demand for blind faith adherence is unacceptable.

September 15, 2013

Bruce Schneier on what you can do to stay out of the NSA’s view

Filed under: Liberty, Technology — Tags: , , , , , — Nicholas @ 10:44

Other than going completely off the grid, you don’t have the ability to stay completely hidden, but there are some things you can do to decrease your visibility to the NSA:

With all this in mind, I have five pieces of advice:

  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.
  2. Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you’re much better protected than if you communicate in the clear.
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the Internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my Internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about. There’s an undocumented encryption feature in my Password Safe program from the command line; I’ve been using that as well.

I understand that most of this is impossible for the typical Internet user. Even I don’t use all these tools for most everything I am working on. And I’m still primarily on Windows, unfortunately. Linux would be safer.

The NSA has turned the fabric of the Internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

Reining-in the NSA … while it’s still even theoretically possible

Filed under: Government, Liberty, Technology, USA — Tags: , , — Nicholas @ 10:25

In TechDirt, Glyn Moody on the fleeting opportunity to rein-in the NSA:

In the wake of the continuing leaks about the NSA’s activities, most commentators are understandably still trying to get to grips with the enormity of what has been happening. But John Naughton, professor of the public understanding of technology at the UK’s Open University, tackles a very different question on his blog: what is likely to happen in the future, if things carry on as they are?

Naughton notes that the NSA’s mission statement includes the following phrase: “to gain a decision advantage for the Nation and our allies under all circumstances.” “Under all circumstances” means that as the Internet grows — and as we know, it is currently growing rapidly — so the NSA will naturally ask for resources to allow it to do tomorrow what it is doing today: monitoring more or less everything that happens online. Naughton then asks where that might lead if the political climate in the US remains sufficiently favorable to the NSA that it does, indeed, get those resources:

    The obvious conclusion therefore, is that unless some constraints on its growth materialise, the NSA will continue to expand. It currently has 35,000 employees. How many will it have in ten years’ time? Who can say: 50,000, maybe? Maybe even more? So we’re confronted with the likelihood of the growth of a bureaucratic monster.

    How will such a body be subjected to democratic oversight and control? Let me rephrase that: can such a monster be subjected to democratic control?

September 7, 2013

Maybe the conspiracy theorists just aren’t paranoid enough

Filed under: Government, Media, Technology, USA — Tags: , , , , — Nicholas @ 09:49

Bruce Schneier on the destruction of public trust in government agencies:

I’ve recently seen two articles speculating on the NSA’s capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking — and I have no idea whether any of it is true or not — but it’s a good illustration of what happens when trust in a public institution fails.

The NSA has repeatedly lied about the extent of its spying program. James R. Clapper, the director of national intelligence, has lied about it to Congress. Top-secret documents provided by Edward Snowden, and reported on by the Guardian and other newspapers, repeatedly show that the NSA’s surveillance systems are monitoring the communications of American citizens. The DEA has used this information to apprehend drug smugglers, then lied about it in court. The IRS has used this information to find tax cheats, then lied about it. It’s even been used to arrest a copyright violator. It seems that every time there is an allegation against the NSA, no matter how outlandish, it turns out to be true.

Guardian reporter Glenn Greenwald has been playing this well, dribbling the information out one scandal at a time. It’s looking more and more as if the NSA doesn’t know what Snowden took. It’s hard for someone to lie convincingly if he doesn’t know what the opposition actually knows.

All of this denying and lying results in us not trusting anything the NSA says, anything the president says about the NSA, or anything companies say about their involvement with the NSA. We know secrecy corrupts, and we see that corruption. There’s simply no credibility, and — the real problem — no way for us to verify anything these people might say.

September 6, 2013

Bruce Schneier on taking back the internet

Filed under: Liberty, Technology, USA — Tags: , , , , — Nicholas @ 08:51

From his article in yesterday’s Guardian:

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.

And by we, I mean the engineering community.

Yes, this is primarily a political problem, a policy matter that requires political intervention.

But this is also an engineering problem, and there are several things engineers can — and should — do.

One, we should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by a federal confidentially requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don’t cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

We need to know how exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I’ve just started collecting. I want 50. There’s safety in numbers, and this form of civil disobedience is the moral thing to do.

Two, we can design. We need to figure out how to re-engineer the internet to prevent this kind of wholesale spying. We need new techniques to prevent communications intermediaries from leaking private information.

We can make surveillance expensive again. In particular, we need open protocols, open implementations, open systems — these will be harder for the NSA to subvert.

The Internet Engineering Task Force, the group that defines the standards that make the internet run, has a meeting planned for early November in Vancouver. This group needs to dedicate its next meeting to this task. This is an emergency, and demands an emergency response.

Update: Glenn Greenwald retweeted this, saying it was “not really hard for a rational person to understand why this is newsworthy”.

September 1, 2013

India moves government email away from US-based email services

Filed under: Government, India, Technology, USA — Tags: , , , , — Nicholas @ 09:13

Vinay Mandalia discusses the quite rational response of the Indian government to the recent discovery that the US intelligence services have had full access to all email communications hosted on US email services:

The Government of India is planning to ban the use of US based email services like Gmail for official communications and is soon going to send out a formal notification to its half a million officials across the country asking them to use official email addresses and services provided by National Informatics Centre.

The move is intended to increase the security of confidential government data and information after it was revealed earlier that NSA may be involved in widespread spying and surveillance activities across the globe.

In a statement to reporters here J. Satyanarayana, secretary in the department of electronics and information technology, said that data of Indian citizens using US based email services like Gmail is residing on servers which are located outside India and for now the government is concerned about the large amount of official and critical data that may be resident on those servers.

Expect a lot of other US “allies” to suddenly discover that their internal communications have been an open book to their “friends” for the last 10-20 years and decide to take similar measures.

H/T to Techdirt for the link.

August 18, 2013

Rounding up the “government is spying on everyone” news

Filed under: Government, Liberty, Technology — Tags: , , , , — Nicholas @ 10:48

A linkapalooza of information at Zero Hedge:

That’s just the first few items of a long list. Read the whole thing.

August 12, 2013

Schneier to internet company executives – it’s time to fight back

Filed under: Business, Government, Liberty, USA — Tags: , , , , — Nicholas @ 11:02

In The Atlantic, Bruce Schneier has some advice for the executives of major internet companies:

It turns out that the NSA’s domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we’ve learned, fight and lose. Others cooperate, either out of patriotism or because they believe it’s easier that way.

I have one message to the executives of those companies: fight.

Do you remember those old spy movies, when the higher ups in government decide that the mission is more important than the spy’s life? It’s going to be the same way with you. You might think that your friendly relationship with the government means that they’re going to protect you, but they won’t. The NSA doesn’t care about you or your customers, and will burn you the moment it’s convenient to do so.

We’re already starting to see that. Google, Yahoo, Microsoft and others are pleading with the government to allow them to explain details of what information they provided in response to National Security Letters and other government demands. They’ve lost the trust of their customers, and explaining what they do — and don’t do — is how to get it back. The government has refused; they don’t care.

It will be the same with you. There are lots more high-tech companies who have cooperated with the government. Most of those company names are somewhere in the thousands of documents that Edward Snowden took with him, and sooner or later they’ll be released to the public. The NSA probably told you that your cooperation would forever remain secret, but they’re sloppy. They’ll put your company name on presentations delivered to thousands of people: government employees, contractors, probably even foreign nationals. If Snowden doesn’t have a copy, the next whistleblower will.

Online privacy and habitual oversharing

Filed under: Liberty, Media, Technology — Tags: , , , , — Nicholas @ 09:47

Cory Doctorow explains why so many of us have gotten into the habit of oversharing personal details in our social media activities:

Whenever government surveillance is debated, someone inevitably points out that it is no cause for alarm, since people already overshare sensitive personal information on Facebook. This means there’s hardly anything to be gleaned from state surveillance that isn’t already there for the taking on social media.

It’s true people overshare on social networks, providing information in ways that they later come to regret. The consequences of oversharing range widely, from losing a job to being outed for your sexual orientation. If you live in a dictatorship, intercepted social media sessions can be used by those in charge to compile enemies lists, determining whom to arrest, whom to torture, and – potentially – whom to murder.

The key reason for oversharing is that cause and effect are separated by volumes of time and space, so understanding the consequences can be difficult. Imagine practising penalty kicks by kicking the ball and then turning around before it lands; two years later, someone visits you and tells you where your kicks ended up. This is the kind of feedback loop we contend with when it comes to our privacy disclosures.

In other words, you may make a million small and large disclosures on different services, with different limits on your sharing preferences, and many years later, you lose your job. Or your marriage. Or maybe your life, if you’re unlucky enough to have your Facebook scraped by a despot who has you in his dominion.

August 11, 2013

Speculations on why Lavabit went dark

Filed under: Business, Law, Liberty, USA — Tags: , , , — Nicholas @ 11:40

In The New Yorker, Michael Phillips tries to outline the legal picture around the Lavabit shutdown:

In mid-July, Tanya Lokshina, the deputy director for Human Rights Watch’s Moscow office, wrote on her Facebook wall that she had received an e-mail from edsnowden@lavabit.com. It requested that she attend a press conference at Moscow’s Sheremetyevo International Airport to discuss the N.S.A. leaker’s “situation.” This was the wider public’s introduction to Lavabit, an e-mail service prized for its security. Lavabit promised, for instance, that messages stored on the service using asymmetric encryption, which encrypts incoming e-mails before they’re saved on Lavabit’s servers, could not even be read by Lavabit itself.

Yesterday, Lavabit went dark. In a cryptic statement posted on the Web site, the service’s owner and operator, Ladar Levison, wrote, “I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.” Those experiences led him to shut down the service rather than, as he put it, “become complicit in crimes against the American people.” Lavabit users reacted with consumer vitriol on the company’s Facebook page (“What about our emails?”), but the tide quickly turned toward government critique. By the end of the night, a similar service, Silent Circle, also shut down its encrypted e-mail product, calling the Lavabit affair the “writing [on] the wall.”

Which secret surveillance scheme is involved in the Lavabit case? The company may have received a national-security letter, which is a demand issued by a federal agency (typically the F.B.I.) that the recipient turn over data about other individuals. These letters often forbid recipients from discussing it with anyone. Another possibility is that the Foreign Intelligence Surveillance Court may have issued a warrant ordering Lavabit to participate in ongoing e-mail surveillance. We can’t be completely sure: as Judge Reggie Walton, the presiding judge of the FISA court, explained to Senator Patrick Leahy in a letter dated July 29th, FISA proceedings, decisions, and legal rationales are typically secret. America’s surveillance programs are secret, as are the court proceedings that enable them and the legal rationales that justify them; informed dissents, like those by Levison or Senator Ron Wyden, must be kept secret. The reasons for all this secrecy are also secret. That some of the secrets are out has not deterred the Obama Administration from prosecuting leakers under the Espionage Act for disclosure of classified information. Call it meta-secrecy.

NSA wiretapping PSA

Filed under: Humour, Liberty — Tags: , , , , — Nicholas @ 10:03

Trevor Moore (Whitest Kids U’ Know) tells us what we can do about the NSA wiretapping our phones.

August 7, 2013

Bruce Schneier – “it’s becoming clear that we can’t trust anything anyone official says about these programs”

Filed under: Government, Media, USA — Tags: , , , , , , — Nicholas @ 08:39

Bruce Schneier talks about the need to restore trust in government and the internet after all the proof we’ve had lately that “they” are lying to us pretty much all the time:

In July 2012, responding to allegations that the video-chat service Skype — owned by Microsoft — was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company’s blog to deny it.

Turns out that wasn’t quite true.

Or at least he — or the company’s lawyers — carefully crafted a statement that could be defended as true while completely deceiving the reader. You see, Skype wasn’t changing its protocols to make it possible for the government to eavesdrop on users, because the government was already able to eavesdrop on users.

At a Senate hearing in March, Director of National Intelligence James Clapper assured the committee that his agency didn’t collect data on hundreds of millions of Americans. He was lying, too. He later defended his lie by inventing a new definition of the word “collect,” an excuse that didn’t even pass the laugh test.

As Edward Snowden’s documents reveal more about the NSA’s activities, it’s becoming clear that we can’t trust anything anyone official says about these programs.

Google and Facebook insist that the NSA has no “direct access” to their servers. Of course not; the smart way for the NSA to get all the data is through sniffers.

Apple says it’s never heard of PRISM. Of course not; that’s the internal name of the NSA database. Companies are publishing reports purporting to show how few requests for customer-data access they’ve received, a meaningless number when a single Verizon request can cover all of their customers. The Guardian reported that Microsoft secretly worked with the NSA to subvert the security of Outlook, something it carefully denies. Even President Obama’s justifications and denials are phrased with the intent that the listener will take his words very literally and not wonder what they really mean.

[…]

Ronald Reagan once said “trust but verify.” That works only if we can verify. In a world where everyone lies to us all the time, we have no choice but to trust blindly, and we have no reason to believe that anyone is worthy of blind trust. It’s no wonder that most people are ignoring the story; it’s just too much cognitive dissonance to try to cope with it.

This sort of thing can destroy our country. Trust is essential in our society. And if we can’t trust either our government or the corporations that have intimate access into so much of our lives, society suffers. Study after study demonstrates the value of living in a high-trust society and the costs of living in a low-trust one.

August 6, 2013

The Electronic Frontier Foundation on reforming the NSA

Filed under: Government, Law, Liberty, USA — Tags: , , , , — Nicholas @ 11:36

The EFF has a few suggestions on how to go about reining-in the NSA:

While we still believe that the best first step is a modern Church Committee, an independent, public investigation and accounting of the government’s surveillance programs that affect Americans, members of Congress seem determined to try to enact fixes now. Almost a dozen bills have already been introduced or will be introduced in the coming weeks.

While we’re also waiting to see what the various bills will look like before endorsing anything, here’s — in broad strokes — what we’d like to see, and what should be avoided or opposed as a false response. We know full well that the devil is in the details when it comes to legislation, so these are not set in stone and they aren’t exhaustive. But as the debate continues in Congress, here are some key guideposts.

This first post focuses on surveillance law reform. In later posts we’ll discuss transparency, secret law and the FISA Court as well as other topics raised by the ongoing disclosures. In short, there’s much Congress can and should do here, but we also need to be on the lookout for phony measures dressed as reform that either don’t fix things or take us backwards.

« Newer PostsOlder Posts »

Powered by WordPress