Archive for September, 2010


Web snooping is a dangerous move

September 30, 2010

On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren’t as easy to monitor as traditional telephones.

The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and to provide law enforcement with back doors that enable them to bypass any security measures.

The proposal may seem extreme, but — unfortunately — it’s not unique. Just a few months ago, the governments of the United Arab Emirates, Saudi Arabia and India threatened to ban BlackBerry devices unless the company made eavesdropping easier. China has already built a massive internet surveillance system to better control its citizens.

Formerly reserved for totalitarian countries, this wholesale surveillance of citizens has moved into the democratic world as well. Governments like Sweden, Canada and the United Kingdom are debating or passing laws giving their police new powers of internet surveillance, in many cases requiring communications system providers to redesign products and services they sell. More are passing data retention laws, forcing companies to retain customer data in case they might need to be investigated later.

Obama isn’t the first U.S. president to seek expanded digital eavesdropping. The 1994 CALEA law required phone companies to build ways to better facilitate FBI eavesdropping into their digital phone switches. Since 2001, the National Security Agency has built substantial eavesdropping systems within the United States.

These laws are dangerous, both for citizens of countries like China and citizens of Western democracies. Forcing companies to redesign their communications products and services to facilitate government eavesdropping reduces privacy and liberty; that’s obvious. But the laws also make us less safe. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.


Ready for a Private and Secure Online Workspace –


India Launches Project to ID 1.2 Billion People

September 29, 2010

India’s vaunted tech savvy is being put to the test this week as the country embarks on a daunting mission: assigning a unique 12-digit number to each of its 1.2 billion people.

The project, which seeks to collect fingerprint and iris scans from all residents and store them in a massive central database of unique IDs, is considered by many specialists the most technologically and logistically complex national identification effort ever attempted. To pull it off, India has recruited tech gurus of Indian origin from around the world, including the co-founder of online photo service Snapfish and employees from Google Inc., Yahoo Inc. and Intel Corp.

The country’s leaders are pinning their hopes on the program to solve development problems that have persisted despite fast economic growth. They say unique ID numbers will help ensure that government welfare spending reaches the right people, and will allow hundreds of millions of poor Indians to access services like banking for the first time.



Top Court to Decide Corporate Privacy Rights

September 29, 2010

The U.S. Supreme Court said on Tuesday that it would decide whether corporations like AT&T Inc can claim personal privacy to prevent the disclosure of government records about them under the freedom of information law.

The justices agreed to hear an Obama administration appeal arguing that the law’s personal privacy protections apply only to individuals, not to corporations like the telecommunications giant.

A U.S. appeals court in Philadelphia handed AT&T a victory by ruling that corporations may invoke personal privacy as a legal basis for claiming that government records about them should be exempt from disclosure.

The administration said it marked the first time in the 35-year history of the law that it has been extended to corporations.

Six public interest groups supported the administration’s appeal.

Unless the Supreme Court overturns the ruling, government records could be withheld about coal mine safety violations, offshore oil rig problems, dirty conditions at a food manufacturing plant and questionable investment bank financial dealings, the groups said.

AT&T said it has the right to make use of the Freedom of Information Act’s personal privacy exception.




Designing an Insecure Internet

September 28, 2010

If there were any doubt that the 90s are back in style, witness the Obama administration’s attempt to reignite the Crypto Wars by seeking legislation that would force Internet services to redesign their networks and products to provide a centralized mechanism for decrypting user communications.

First, while the Communications Assistance for Law Enforcement Act (CALEA) already requires phone and broadband providers to build in interception capacity at their network hubs, this proposed requirement—at least going on the basis of the press description, since there’s no legislative text yet—is both broader and more drastic. It appears that it would apply to the whole panoply of online firms offering secure communication services, not just big carriers, imposing a greater relative burden. More importantly, it’s not just mandating that already-centralized systems install a government backdoor. Rather, if I understand it correctly, the proposal would insist on a centralized (and therefore less secure) architecture for secure communications, as opposed to an end-to-end model where encryption is handled client-side. In effect, the government is insisting on the right to make a macro-design choice between competing network models for thousands of companies.

Second, they are basically demanding that providers design their systems for breach. This is massively stupid from a security perspective. In the summer of 2004, still-unknown hackers exploited surveillance software built into one of Greece’s major cell networks to eavesdrop on high government officials, including the prime ministers. The recent hack of Google believed to originate in China may have used a law-enforcement portal to acquire information about dissidents. More recently, we learned of a Google engineer abusing his access to the system to spy on minors.

Third, this demand has implications beyond the United States. Networks designed for interception by U.S. authorities will also be more easily tapped by authoritarian governments looking to keep tabs on dissidents. And indeed, this proposal echoes demands from the likes of Saudi Arabia and the United Arab Emirates that their BlackBerry system be redesigned for easier interception. By joining that chorus, the U.S. makes it more difficult for firms to resist similar demands from unlovely regimes.

Finally, this demand highlights how American law enforcement and intel agencies have been circumventing reporting requirements designed to provide information on this very problem. As the Crypto Wars of the 90s drew to a close, Congress amended the Wiretap Act, which creates strong procedural protections when the government wants to use intrusive electronic surveillance, to add a requirement that agencies report each instance in which they’d encountered encryption. The idea was to get an objective measure of how serious a problem this posed. The most recent report, however, cited only one instance in which encryption was encountered, out of 2,376 wiretap orders. Why, then, are we now being told encryption is a huge problem? Almost certainly because law enforcement and intelligence agencies aren’t using the Wiretap Act to intercept electronic communications—preferring, instead, to avail themselves of the far more lax standards—and spare reporting requirements—provided by the Stored Communications Act. It’s always easier to claim you need sweeping new powers from Congress when you’ve managed to do an end-run around the provisions Congress put in place to keep itself informed about how you’re using your existing powers, after all.




Feds’ Requests for Google Data Rise 20 Percent

September 22, 2010

The number of U.S. government requests for Google data rose 20 percent in the last six months, according to data released by the search giant Monday.

U.S. government agencies sent Google 4,287 requests for data on Google users and services from Jan. 1 to June 30, 2010, an average of 23.5 a day. That’s compared to 3,287 for July 1 to Dec. 31, 2009, the company reported Tuesday in an update to its unique transparency tool.

That rise is just a small part of the newest statistics on worldwide government data requests to Google, which are now paired with a comprehensive tool for viewing government blockages of Google services. The new tool lets you check timelines of traffic to 17 Google services from some 200 countries to see blockages and traffic patterns.

The new tool builds upon (and replaces) the up-time monitor that Google custom-built so the public could monitor censorship of its services in China in this spring’s showdown over censorship. However, that tool inadvertently reported a China-wide blockage in July when none existed, leading to press reports that had to be quickly retracted.

Perhaps as a way to prevent spurring false-alarm news stories, the new tool will have a “tape-delay” of about 30 hours to allow Google engineers to verify and annotate outages. So for instance, if the company suspects a cable outage, not censorship (or vice versa), they can note it and prevent crying “wolf”.

As for why the company would develop such a comprehensive tool?

“Transparency can be a deterrent to censorship,” Google spokeswoman Niki Fenwick told “Free expression is core to Google’s business, and it is a core value.”

For instance, with the tool you can see the effects of Pakistan’s 10-day block of YouTube in response to a “Draw Muhammed” campaign started on Facebook that infuriated the Islamic government. Likewise, you can see the effect of China’s blockage of YouTube in March 2009.

The tool does not record blocking of specific URLs or search terms, as is sometimes used in some governments’ censorship campaigns. Instead the reporting service monitors for widespread outages, though partial blocks and service degradation can be seen in the data visualizations.

As for government data requests, Google added slightly more detail to its reporting on takedown requests, which now indicate how many URLs the government asked to be taken down in total, in addition to the number of requests (because a request could entail multiple URLs).

In the first half of 2010, U.S. government agencies requested removals 128 times, covering 678 items. Google complied with those requests, in full or part, about 83 percent of the time. For instance (as visible in the graphic above), two courts ordered Google to remove location information from its mapping services, 45 items were requested to be removed from Blogger, and a court ordered Google to remove material from search results 30 times.

Brazil remains in first place for data requests, though those numbers might be a bit unfair, because Brazilians remain heavy users of Google’s social networking service Orkut.

Google debuted the government transparency tool in April, and remains the only large tech company in the United States to reveal this kind of data.

Yahoo, Microsoft, Facebook, Twitter, AOL, Comcast, AT&T, Verizon and Time Warner, among others, do not publish this data, nor do they make it available when the media asks for it, even though there’s no law requiring them to keep such requests quiet.

Google cannot reveal some government data requests, however, and they are not included in this tally.

According to Google, the numbers do not include National Security Letters, a sort of self-issued subpoena used by the FBI in drug and terrorism cases. At their post–Patriot Act peak, the FBI issued more than 50,000 such letters a year, nearly all with gag orders attached to them. The use of such letters dipped for a time after the Justice Department’s internal watchdog unveiled widespread abuses and sloppy procedures, but is on the rise again.

Also not included are national security wiretap and data requests, known as FISA warrants, that are approved by a secret court in D.C. to combat spies and threats to national security.

Nor is there any information on how much data, if any, the government forces Google to turn over en masse on individuals outside the United States, using broad powers handed to the government in 2008 by Congress. That legislation, initially opposed but later supported by Sen. Barack Obama, lets the government turn online service providers into intelligence collection arms of the U.S. government, so long as the “targets” aren’t known to be U.S. citizens.

When he was a candidate, President Obama pledged to revisit that law, passed as a way to legalize much of the Bush administration’s secret, warrantless wiretapping program, but the law remains in place.

Also not included are civil lawsuit requests (such as those filed in a business dispute or divorce) or copyright takedown requests, although these are types of requests generally filed by private parties, because in the United States, copyright does not apply to government-produced documents.



Cloud Computing Hits Snag in Europe

September 20, 2010

In the world of ideas, cloud computing has the potential to revolutionize the way people work.

Such cloud-based breakthroughs face a formidable obstacle in Europe, however: strict privacy laws that place rigid limits on the movement of information beyond the borders of the 27-country European Union.

European governments fear that personal information could fall prey to aggressive marketers and cybercriminals once it leaves the jurisdictions of individual members, a concern that may protect consumers but one that hinders the free flow of data essential to cloud computing.

“There are restrictions on cloud computing in Europe,” said Bob Lindsay, privacy director in Europe for Hewlett-Packard, which makes servers and other equipment for cloud data centers. “This isn’t killing the business, but it is slowing its evolution, compared with what is taking place in the United States.”



How do we measure privacy protections?

September 17, 2010

What data is collected?
Who has access to this data?
How is this data used?
Is this data transferred to third-parties?
Can the data subject see and control this data?
Is this data protected by adequate security safeguards?
How long is this data retained before it is either destroyed or anonymized?

The last one is the least important in terms of measuring meaningful privacy protections for data. But curiously, it’s precisely this one that I hear the most as I move around Continental Europe listening to privacy media and regulatory concerns in the online debates in recent years. Why is that?

European privacy law has clear provisions that personal data should not be retained “longer than necessary”. Naturally, this time period is left vague in the laws, since it would be impossible to prescribe precise time periods for myriads of different contexts, especially since retention is always justified by “legitimate purposes”. I think there’s a temptation to try to boil privacy down into something simple and numerical, and what could be simpler and more measurable than a time period? In practice, there’s a vast spectrum of legitimate retention periods, even for similar services, if the retention periods were designed to respect the very different legitimate purposes for which they were retaining data. To take some Google services as examples: Search logs (9 months), Instant Search logs (2 weeks), Suggest logs (24 hours), etc.
