Otherwise Occupied - privacy

The twisted logic of border searches of electronics

gregh — Thu, 07 Aug 2008 21:03:50 -0500

Jayson Ahern, Deputy Commissioner, U.S. Customs and Border Protection, recently posted a blog entry at the Department of Homeland Security's site. In it, Mr. Ahern takes issue with the criticism that has been level against Customs and Border Protection ("CBP") in light of the news that they've been routinely nabbing laptops and other electronic devices, imaging the full contents, and sharing those contents with other agencies. It's a tired refrain of the typical DHS line: 1) we're at risk; 2) we've always been doing it, anyway, and you just didn't know about it; and 3) the courts say it's okay, so that makes it okay.

Leadership Journal: Answering Questions on Border Laptop Searches:

First, it’s important to note that for more than 200 years, the federal government has been granted the authority to prevent dangerous people and things from entering the United States. Our security measures at the border are rooted in this fundamental fact, and our ability to achieve our border mission would be hampered if we did not apply the same search authorities to electronic media that we have long-applied to physical objects--including documents, photographs, film and other graphic material.

Who knew that documents, photographs, film, and other material constituted "dangerous things?" Those things aren't dangerous, of course, and to characterize them as such is the way of the simple, who have no reasoned explanations for their mindless actions. Might those items contain information that might be used to commit harm? Probably. However, it is people acting, not the things in their possession, that cause harm and create dangers. That's true whether the items contain child pornography, bomb making plans, or obscene comic books.

In the 21st century, terrorists and criminals increasingly use laptops and other electronic media to transport illicit materials that were traditionally concealed in bags, containers, notebooks and paper documents. Making full use of our search authorities with respect to items like notebooks and backpacks, while failing to do so with respect to laptops and other devices, would ensure that terrorists and criminals receive less scrutiny at our borders just as their use of technology is becoming more sophisticated.

So, to, do many law abiding Americans and aliens, who might like "to be secure in their persons, houses, papers, and effects." The difference is one of need. In this modern era of electronic media, there's little reason to feel threatened by the transport of a laptop. There are countless smarter, more efficient ways that a devious criminal would find to migrate that data across the border. In fact, a laptop with a spinning hard drive is perhaps one of the worst. It's the clear electronic devices that are the least threatening.

The agency would be better off not lying to the American people and fully explaining what this is: a fishing expedition. Grab laptops and these other electronic devices, create images, and then use them either in the coming copyright enforcement battles or to simply watch and hope for the appearance of incriminating data.

This brings me to my third point, which is that travelers whose laptops are searched represent a very small number of people. As Secretary Chertoff noted in a recent op-ed,

"Of the approximately 400 million travelers who entered the country last year, only a tiny percentage were referred to secondary baggage inspection…[and] of those, only a fraction had electronic devices that may have been checked.”

This number is less than one percent of people entering the United States. Contrary to some media accounts, we’re not rolling out a new strategy and screening an exorbitant number of travelers. We’re simply following a common sense border policy that has been in place for years, and has been reaffirmed by the courts.

Unless they're horribly misstating their case, there is a "common sense" policy that permitted the CBP to search the electronic devices of up to 4 million people entering the United States last year. One percent may, indeed, be a small percentage. However, 4 million people is not a small number of people.

I hope this has helped answer some of your questions. One of the lessons 9/11 taught us was that we must adapt to 21st century risks and anticipate rather than react to new threats. Our CBP officers are on the front lines every day ensuring that these lessons are heeded. We trust that travelers understand the need for these sensible security measures.

"One of the lessons 9/11 [has] taught" the rest of us is that those in power will use 9/11 as a ready justification for any unwarranted intrusion into the privacy of Americans and the expansion of governmental power and knowledge. Can Mr. Ahern look at the mirror after trotting out this 9/11 crap to support his points? More importantly, if this has been long-standing policy, backed by more than 200 years of authority, as he asserts in the posting, shouldn't we have better lessons than 9/11? What laptops with plans slipped through prior to 9/11 that permitted it to occur?

None, would be my guess.

NCSL calls on Congress to repeal REAL ID

gregh — Wed, 23 Apr 2008 11:44:24 -0500

NCSL Supports The Identification Security Enhancement Act of 2007:

However, lacking the full policy and financial commitment of the federal government to ensure the success of the state-federal partnership needed to make REAL ID possible, NCSL now calls upon Congress to repeal REAL ID and reinstate the negotiated rule-making process. This approach will achieve our shared goals for security in a manner that respects states’ rights, privacy protections, and fiscal responsibility.

S.717, which I previously covered in its 2006 form, would bring back the negotiated rulemaking and return to the states the authority to preserve their own privacy regimes.

Keep your fingers crossed.

(Via Jim Harper.)

Facebook Beacon Dissection

gregh — Tue, 27 Nov 2007 09:31:24 -0600

Jay Goldman has written an excellent description of Facebook Beacon.

The long-and-short of it?

When you're done using Facebook, log out of Facebook. If you're not logged into Facebook, Facebook effectively rejects Beacon info. (Note that because you've probably got lingering Facebook cookies even after logging out, Facebook still knows who you are and where you're coming from. At this point, it appears that they terminate the rest of the Beacon setup.)
If you are logged in to Facebook, don't ever go anywhere else unless you want Facebook to know about it and potentially publish it. Facebook knows about every transaction sent by a cooperating site, even if you've chosen not to publish it.
Consider AdBlockPlus on Firefox; other suggestions for IE are in the post.

The Beacon functionality is really pretty elegant, but it's useful to note that "Beacon" is an excellent name. Like other web beacons or web bugs, it uses embedded JavaScript, effectively tracking your movements around the web in very much the same way that modern web tracking applications do so. In essence, Facebook is making itself a web analytics service for advertisers.

The irony here is that the information collected by Facebook is likely far more valuable than the publication of that information and whatever ad revenue they may get from it. However, to get advertisers to buy in, they needed the Beacon profile entries. But just imagine being able to track the flow of collaborative purchasing information. Imagine I buy a Diet Coke, and that gets published to my profile. Suddenly, members in one of my Facebook groups starts buying Diet Coke shortly after my purchase is published. Not only can Facebook tout its ability to spread the word about the Diet Coke thing, but it also can tell Coca Cola the characteristics (including n-orders of social graph characteristics) of those who buy Diet Coke.

Powerful stuff. Scary. But Powerful.

Who's running this show?

gregh — Sun, 11 Nov 2007 18:23:41 -0600

Definition Changing for People's Privacy:

Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information.

How lovely for Kerr to think that way. You silly Americans; let me tell you what you can have. What should happen is that our intelligence and law enforcement agencies need to work within the confines of our Constitution and laws. If they can't work within those confines, they need to show why they can't, so we can consider going about the business of amending the Constitution.

One problem with the land grab like the one Kerr describes is that there's been no evidence presented that it's either necessary or useful. Instead, what evidence exists shows that it's a crutch, violating our traditional notions of privacy with little benefit.

The other -- huge! -- problem is that the government cannot be trusted to properly safeguard private communications and financial information. That has been made clear in recent years. Business is even worse, unless it's strategically competitive information, of course.

Perhaps the definition that needs to be changed defines suitable government employees. Rather than the Kerrs and Chertoffs, who feel it is their position to determine what we can demand, we need people who will recognize that a Constitution and body of privacy protection laws exists, and that their inability to do their jobs without dreaming up ways around those things suggests their incompetence, not a need for the American people to change how they live their lives.

We now have case law on email interceptions

gregh — Sat, 07 Jul 2007 21:17:05 -0500

Until yesterday, my paper on Fourth Amendment and statutory protections against interception of Internet communications had little directly related case law. Now I have the Ninth Circuit's decision in U.S. v. Forrester, in the matter of the second defendant, Alba. When I first read the headline, I was a bit concerned. After reading the rest of Prof. Solove's commentary, as well as the opinion itself, I am no longer.

That is to say, I am no longer concerned about the state of my paper. I am concerned about where the courts are going to take constitutional protections on the Internet. Many of my complaints continue to come down to many of the overly simplistic analyses of email transport on the Internet. Prof. Solove trumpets Prof. Kerr's work in the above post:

Orin Kerr has usefully analogized the distinction between the non-content / content information to that between an envelope and the contents of a letter. The envelope contains addressing information that is exposed to others; the contents of the letter are concealed. Envelope information falls outside Fourth Amendment protection, but content information is fully protected by the Fourth Amendment.

Kerr's work does often make this distinction, but it often does so with an apparent misunderstanding of how email transportation works. Judge Fisher, in the Forrester decision, follows a path of similar technical missteps.

First, e-mail and Internet users, like the telephone users in Smith, rely on third-party equipment in order to engage in communication. Smith based its holding that telephone users have no expectation of privacy in the numbers they dial on the users’ imputed knowledge that their calls are completed through telephone company switching equipment. 442 U.S. at 742. Analogously, e-mail and Internet users have no expectation of privacy in the to/from addresses of their messages or the IP addresses of the websites they visit because they should know that these messages are sent and these IP addresses are accessed through the equipment of their Internet service provider and other third parties.

In fact, all telephone users rely on third-party equipment. However, there are decided differences between telephone numbers opening a circuit and the routers that route traffic to destination IP addresses. But the problem runs deeper, and this is a significant complaint of mine in the literature. This peering of email and Internet use, as if sending an email is somehow different, is what allows for this butchery. For instance, the next paragraph begins:

Second, e-mail to/from addresses and IP addresses constitute addressing information and reveal no more about the underlying contents of communication than do phone numbers.

An Internet email address without an IP network attached goes nowhere.

There is a useful (to me) diversion into an email/snail mail comparison:

The government’s surveillance of e-mail addresses also may be technologically sophisticated, but it is conceptually indistinguishable from government surveillance of physical mail. In a line of cases dating back to the nineteenth century, the Supreme Court has held that the government cannot engage in a warrantless search of the contents of sealed mail, but can observe whatever information people put on the outside of mail, because that information is voluntarily transmitted to third parties.
. . .
E-mail, like physical mail, has an outside address “visible” to the third-party carriers that transmit it to its intended location, and also a package of content that the sender presumes will be read only by the intended recipient. The privacy interests in these two forms of communication are identical. The contents may deserve Fourth Amendment protection, but the address and size of the package do not.

Oh, it does, indeed. Email has an outside address called an IP address. But beyond that, it has outside addresses called envelope addresses, as specified by the RFCs. These, the technical envelope specifications, are ignored in the literature, but they are key to using Prof. Kerr's envelope terminology. For something to be an envelope, it must surely have an impact on the delivery of a message. The RFC content of a message has no bearing on delivery, yet Prof. Kerr (and now the Ninth Circuit) appear to be perfectly willing to allow it to be intercepted.

And so, this is just another lousy decision, crafted not with an understanding of Internet communications, but with the more typical understanding, that seems to reflect the belief that a "send button" magically whisks an email message to some remote spot on the globe. In the case of the Ninth Circuit, that spot appears to be someplace that need not have even heard of IP addresses.

Speaking in SMTP

gregh — Mon, 02 Jul 2007 23:26:24 -0500

As I've previously written, what I consider a key flaw in current analysis of Fourth Amendment (and Electronic Communications Privacy Act) protections against interception of Internet communication is that it takes a narrow view of what constitutes communication on the Internet. The standard is "any information" that concerns the substance, meaning, or purport of a communication.

We should look to other forms of communication to arrive at a reasonable definition of Internet communication. I've suggested voice as the most pervasive. We don't permit the recording of waveforms of speech and only exclude transcripts. Without a warrant, the government may not record a telephone conversation.

When a person sends an email message, that form of communication is chosen, for whatever reason, over a telephone call. While the propagation of sound is required for meaningful oral communication by telephone, the propagation of properly formatted SMTP commands and RFC 822 message bodies are required for comprehension of the stream of bytes comprising an email message. Without that formatting, there is no substance, purport, or meaning of an email. In many cases, it won't be delivered at all.

The SMTP commands that transport a message across the Internet are, therefore, comparable to the use of voice to communicate across a telephone line. The courts and the Congress don't allow the recording of the electrical underpinnings that make up that voice communication. It makes little sense to allow recording of the commands and formatting that make up an email message.

If I can get to a point where I can substantively establish this, it becomes clear that what follows is protection of the application layer.

Foolish consistency... How the little minds behind Real ID killed the possibility of meaningful immigration reform

gregh — Thu, 28 Jun 2007 21:25:16 -0500

Did Real ID bring down immigration reform? That's probably not the right way to put it.

Are the forces of evil (Sensenbrenner, et al) so incredibly gung ho to track the details of every American who chooses to work that they'll scuttle immigration reform rather than see Real ID go down the tubes? The answer appears to be yes. However, the problem is deeper than immigration; it may extend to your ability to find work, change jobs, and in turn, move freely about the country.

Declan describes how attempted to kill Real ID in the current immigration reform efforts brought a halt to the process in his article, National ID plan may have killed immigration bill:

Privacy advocates were quick to claim that a vote against Real ID cards the previous evening doomed the bill.

Wednesday's vote showed that senators were willing to delete the portion of the labyrinthine immigration bill that would require employers to demand the Real ID cards from new hires. Because some of the bill's backers had insisted that the ID requirement remain in place--as a way to identify illegal immigrants--they were no longer as willing to support the overall bill.

Commentary in that article also comes from the Cato Institute's Jim Harper:

"The proponents of national ID in the Senate weren't getting what they wanted, so they backed away," said Jim Harper, a policy analyst at the free-market Cato Institute who opposes Real ID. "It was a landmine that blew up in their faces."

(By the way, if you're looking for an easy-to-read book with broad coverage of identity issues, I recommend Harper's Identity Crisis: How Identification is Overused and Misunderstood.)

However, it's important to note that another key facet of this immigration reform bill came in the form of pre-employment verification. A database of huge importance that would be run by, of all agencies, the Department of Homeland Security, employers would be forced to query the database preferably before, but certainly shortly after you went to work. In this Huffington Post entry, the ACLU's Caroline Fredrickson explains the system:

For instance, Title III of the bill expands the error-plagued Employment Eligibility Verification System (EEVS), creating a vast federal database to verify the eligibility to work of all job applicants in America -- including U.S. citizens. This expansive system would contain extraordinary amounts of personal information on everyone who seeks or holds a job, all of it keyed to a person's Social Security number. If the immigration bill passes as written, all Americans will need to have their eligibility to work approved by the Department of Homeland Security. Invariably, DHS will confuse the files of people with similar names or use outdated or erroneous information to deny people the right to work, creating a 'No Work List' similar to the government's 'No Fly List.' They have testified that they will need to "manually reverify" the work-eligibility of eight percent of all workers.

So, we can't get passports out to people to travel, but we'll certainly be able to manually verify 80% of the legally working population in no time. No doubt.

John Gilmore paints a much scarier picture of the growing "In DHS We Trust" phenomenon:

The attempt to force a process of "get federal permission to hire FIRST" on the country is eerily parallel to the DHS proposal to require airlines to "get federal permission to transport FIRST". Today, airlines can bring you to the US without permission, but they are liable for the cost of carrying you elsewhere if the US won't admit you. This naturally limits their willingness to bring random people -- but allows people to come and apply for asylum, for example. The Gestapo announced months ago that they plan to change this to require each passenger's info to be submitted long before the plane takes off, getting an affirmative "OK", or else the passenger would not be allowed on board at all. As with other federal watchlist checks, this would come with zero due process protection for the passenger, and zero accountability for the government. If they mysteriously keep saying "No", there's nothing that you as a citizen could do to get back into your own country. They wouldn't even have to jail or detain you, such that a lawyer could go to court with some urgency to spring you. No, YOU would have to sue THEM, and it would take years in the courts.

In our fervor to regulate and control immigration, we've got to be very wary of those in our legislature who would like to use this opportunity to regulate and control the rest of us. As Senators Max Baucus and Jon Tester said after the immigration bill was eventually put out of its misery:

"We scored a major victory today in our efforts to protect privacy and defeat a bad immigration bill at the same time," said Baucus, Montana’s senior U.S. Senator. "If Jon and I just brought down the entire bill, that’s good for Montana and the country."
...
"If by fighting to keep government out of people’s private lives, Max Baucus and I stopped the senate from passing this flawed immigration bill, then this was a real victory for Montana and the American people," Tester said.

Indeed.

Dialing, routing, addressing, and signaling

gregh — Sun, 17 Jun 2007 23:43:03 -0500

Dialing, routing, addressing, and signaling. Pen registers and trap-and-trace devices are devices that may be used to collect the non-content portions of a communication. As I've previously written, contents refers to "any information concerning the substance, purport, or meaning" of a communication. Therefore, non-content dialing, routing, addressing, and signaling information is necessarily such information that does not concern any such information about a communication. Simple enough, right?

Well, it seemed simple enough to Congress. They proceeded with the intention to call an "email address" a communications "facility," moving it into the definitions of pen registers and trap-and-trace devices. This involves a convoluted notion that one communicates from email address to email address, much as one communicates from phone to phone. Obviously, this is nonsense, but that hasn't stopped law enforcement from seizing upon this expansion.

However, let's assume for a minute that an email address actually is a communications facility unto itself, and that when we communicate via email, the endpoints are actually email addresses. If we focus solely on the real-time interception of non-content information of an email communication, what is "dialing, routing, addressing, and signaling" information, and what is "any content concerning the substance, purport, or meaning" of that communication? Remember, this is still a message in transit across the Internet.

Here's what we know. Before the email message can be sent, there is already going to be a TCP connection established between the sending computer and the receiving computer. Only after the TCP connection is established may the actual communication take place. When that message gets to the remote computer, that remote computer is going to have to receive it, most likely via the SMTP. In this day and age of heavy spam and other deviousness online, it is very likely that the message is going to have to be formatted somewhat well in order to be delivered.

In order for a message to be properly formatted for receipt by the remote computer, the sending computer will send SMTP commands, continuing to send others, followed by the actual content of the message being sent, in response to replies from the remote computer. The sending computer will give, at a minimum, its name, the email address that is sending the message, the email address that is the destination of the message, and finally, the message. If these steps aren't followed, the message will not be delivered.

But there's more. Once a message is delivered, for a communication to be complete, the message must be read. There are many things that may be carried in a message to allow it to be understood. Obviously, the body of the message allows it to be understood. But we're concerned, also, with any information that concerns the substance, purport, or meaning of the message.

In a telephone call, a great deal of substance, purport, or meaning may be derived from the voice of the communicator. In email, there is no such voice. However, the sending address certainly gives a message voice. The personalizable "From:" header my also lend such a voice. Bayesian spam filters assign scores to a message based on tokens in the headers, and these can also lend a voice, as can such headers as message priorities and the "Received:" headers, which allow a message to be traced and in many mail programs, is used to sort messages by date (and not the "Date:" header.)

In short, the proper use of SMTP commands, the email addresses and addressing, as well as received headers and the nature of the contents of the headers all lend substance, purport, and meaning to a message. However, under the most common interpretations of the current laws, all of those pieces of content may be readily obtained by law enforcement agents under the Pen Register Act.

Internet anonymity ain't dead yet.

gregh — Wed, 21 Mar 2007 13:09:51 -0600

[The following was largely spawned by a Cyberspace Law class last night, and the repeated suggestions that we must authenticate users before we allow them to "use the Internet" so that we may track down evildoers.]

Are we really heading toward the end of a (relatively) anonymous Internet? I don't think so.

To properly answer this, it's important to consider how the Internet is constructed. Sure, you'll often read accounts of your data traveling across the Internet's "backbone." The problem is, there isn't a single backbone. The internetwork that is the Internet is comprised of numerous independent network backbones that interconnect. For any one node on any one of those backbones to identify with any certainty the sender of a packet would require a vast identity infrastructure that simply is nowhere near existence. However, it's possible that this extreme example of the impossibility of defeating anonymity is more than what some consider necessary. In fact, I know it is, based on class discussion.

Let's take another popular example that has been used: all users must authenticate their identities before they are allowed to "connect to the Internet." The obvious first question I have to ask is "To whom must they authenticate?" This is not an easy question to answer.

Is the answer the user's Internet Service Provider? If so, who's going to mandate that? If it's the ISP who mandates this, what other limitations of service will the ISP then have to place on the user to enforce this authentication? A user who wishes to remain anonymous will simply tunnel traffic through an anonymizing conduit, whether this is an application like TOR, or wilder approaches like tunneling one application layer protocol through another.

This raises another problem: who authenticates the conduit? Not all Internet "users" are discrete individuals. Many are servers providing services, remote access devices providing connectivity, or bots gathering and processing data. Who authenticates every process that connects to the Internet? Who do these processes authenticate to?

Finally, are users going to be expected to authenticate to every peer process? This suggests that every process and every user on the Internet will use a single authentication mechanism, or sufficient federation will have to exist for these authentications to take place. Who's going to write the software that allows the millions of autonomous servers, routers, switches, and other devices connected to the Internet to be able to carry out these authentications so that anonymous actors may eventually be identified?

My point is this: until everything authenticates, there is no forced, universal authentication to "connect" to the Internet. As long as unauthenticated systems exist, and as long as owners of some of those systems prize anonymity, a step as limited as forcing users to properly authenticate to an ISP before using the Internet (a concept that has still more questions) will not kill one's ability to act anonymously, nor will it lead to discoverable identification of anonymous sources.

Schneier on Real-ID: Costs and Benefits

gregh — Tue, 30 Jan 2007 12:28:49 -0600

Real-ID: Costs and Benefits:

All of these problems demonstrate that identification checks based on Real ID won’t be nearly as secure as we might hope. But the main problem with any strong identification system is that it requires the existence of a database. In this case, it would have to be 50 linked databases of private and sensitive information on every American -- one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks of this database are enormous. It would be a kludge of existing databases that are incompatible, full of erroneous data, and unreliable. Computer scientists don’t know how to keep a database of this magnitude secure, whether from outside hackers or the thousands of insiders authorized to access it.

And yet, there's a group that will carry on insisting that this is something we must have. We open ourselves up to theft of identity information on a grand scale, and for what? As Schneier continues:

Even worse, as soon as you divide people into two categories -- more trusted and less trusted people -- you create a third, and very dangerous, category: untrustworthy people whom we have no reason to mistrust. Oklahoma City bomber Timothy McVeigh; the Washington, DC, snipers; the London subway bombers; and many of the 9/11 terrorists had no previous links to terrorism. Evildoers can also steal the identity -- and profile -- of an honest person. Profiling can result in less security by giving certain people an easy way to skirt security.

So, we do all of this Real ID nonsense, and what do we get? Oh, right. Less security. Along with the false sense of security, we also receive diminished privacy, heightened risks to privacy, greater government aggregation of data that is is unlikely to be able to manage, and just generally a worse situation than we had before.