Designing an Insecure Internet
If there were any doubt that the 90s are back in style, witness the Obama administration’s attempt to reignite the Crypto Wars by seeking legislation that would force Internet services to redesign their networks and products to provide a centralized mechanism for decrypting user communications. It cannot be stressed enough what a radical—and terrible—idea this is. I’ll be writing on this at greater length this week, but a few quick points.
First, while the Communications Assistance for Law Enforcement Act (CALEA) already requires phone and broadband providers to build in interception capacity at their network hubs, this proposed requirement—at least going on the basis of the press description, since there’s no legislative text yet—is both broader and more drastic. It appears that it would apply to the whole panoply of online firms offering secure communication services, not just big carriers, imposing a greater relative burden. More importantly, it’s not just mandating that already-centralized systems install a government backdoor. Rather, if I understand it correctly, the proposal would insist on a centralized (and therefore less secure) architecture for secure communications, as opposed to an end-to-end model where encryption is handled client-side. In effect, the government is insisting on the right to make a macro-design choice between competing network models for thousands of companies.
Second, they are basically demanding that providers design their systems for breach. This is massively stupid from a security perspective. In the summer of 2004, still unknown hackers exploited surveillance software built into one of Greece’s major cell networks to eavesdrop on high government officials, including the prime minister. The recent hack of Google believed to originate in China may have used a law-enforcement portal to acquire information about dissidents. More recently, we learned of a Google engineer abusing his access to the system to spy on minors.
Third, this demand has implications beyond the United States. Networks designed for interception by U.S. authorities will also be more easily tapped by authoritarian governments looking to keep tabs on dissidents. And indeed, this proposal echoes demands from the likes of Saudi Arabia and the United Arab Emirates that their Blackberry system be redesigned for easier interception. By joining that chorus, the U.S. makes it more difficult for firms to resist similar demands from unlovely regimes.
Finally, this demand highlights how American law enforcement and intel agencies have been circumventing reporting requirements designed to provide information on this very problem. As the Crypto Wars of the 90s drew to a close, Congress amended the Wiretap Act, which creates strong procedural protections when the government wants to use intrusive electronic surveillance, to add a requirement that agencies report each instance in which they’d encountered encryption. The idea was to get an objective measure of how serious a problem this posed. The most recent report, however, cited only one instance in which encryption was encountered, out of 2,376 wiretap orders. Why, then, are we now being told encryption is a huge problem? Almost certainly because law enforcement and intelligence agencies aren’t using the Wiretap Act to intercept electronic communications—preferring, instead, to avail themselves of the far more lax standards—and spare reporting requirements—provided by the Stored Communications Act. It’s always easier to claim you need sweeping new powers from Congress when you’ve managed to do an end-run around the provisions Congress put in place to keep itself informed about how you’re using your existing powers, after all.
Accountability for ‘Exigent Letter’ Abuse At Last?
It is more than three years since the Office of the Inspector General first brought public attention to the FBI’s systematic misuse of the National Security Letter statutes to issue fictitious “exigent letters” and obtain telecommunications records without due process. Nobody at the Bureau has been fined, or even disciplined, for this systematic lawbreaking and the efforts to conceal it. But the bipartisan outrage expressed at a subcommittee hearing of the House Judiciary Committee this morning hints that Congress may be running out of patience—and looking for some highly-placed heads to roll. Just to refresh, Committee Chairman John Conyers summarized the main abuses in an opening statement:
The IG found that more than 700 times, such information was obtained about more than 2,000 phone numbers by so-called “exigent letters” from FBI personnel. In some cases, the IG concluded, FBI agents sent the letters even though they believed that factual information in the letters was false. For more than 3,500 phone numbers, the call information was extracted without even a letter, but instead by e-mail, requests on a post-it note, or “sneak peeks” of telephone company computer screens or other records…. In one case, the FBI actually obtained phone records of Washington Post and New York Times reporters and kept them in a database, leading to an IG conclusion of “serious abuse” of FBI authority and an FBI public apology.
It’s probably actually worse than that: Since these letters often requested a “community of interest” analysis for targeted numbers, the privacy of many people beyond the nominal targets may have been implicated—though it’s hard to be sure, since the IG report redacts almost all details about this CoI mapping.
Surveillance, Security, and the Google Breach
Yesterday’s bombshell announcement that Google is prepared to pull out of China rather than continuing to cooperate with government Web censorship was precipitated by a series of attacks on Google servers seeking information about the accounts of Chinese dissidents. One thing that leaped out at me from the announcement was the claim that the breach “was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” That piqued my interest because it’s precisely the kind of information that law enforcement is able to obtain via court order, and I was hard-pressed to think of other reasons they’d have segregated access to user account and header information. And as Macworld reports, that’s precisely where the attackers got in:
That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.
This is hardly the first time telecom surveillance architecture designed for law enforcement use has been exploited by hackers. In 2005, it was discovered that Greece’s largest cellular network had been compromised by an outside adversary. Software intended to facilitate legal wiretaps had been switched on and hijacked by an unknown attacker, who used it to spy on the conversations of over 100 Greek VIPs, including the prime minister.
As an eminent group of security experts argued in 2008, the trend toward building surveillance capability into telecommunications architecture amounts to a breach-by-design, and a serious security risk. As the volume of requests from law enforcement at all levels grows, the compliance burdens on telecoms grow also—making it increasingly tempting to create automated portals to permit access to user information with minimal human intervention.
The problem of volume is front and center in a leaked recording released last month, in which Sprint’s head of legal compliance revealed that their automated system had processed 8 million requests for GPS location data in the span of a year, noting that it would have been impossible to manually serve that level of law enforcement traffic. Less remarked on, though, was Taylor’s speculation that someone who downloaded a phony warrant form and submitted it to a random telecom would have a good chance of getting a response—and one assumes he’d know if anyone would.
The irony here is that, while we’re accustomed to talking about the tension between privacy and security—to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security—one of the most serious and least discussed problems with built-in surveillance is the security risk it creates.
Three Keys to Surveillance Success: Location, Location, Location
The invaluable Chris Soghoian has posted some illuminating—and sobering—information on the scope of surveillance being carried out with the assistance of telecommunications providers. The entire panel discussion from this year’s ISS World surveillance conference is well worth listening to in full, but surely the most striking item is a direct quotation from Sprint’s head of electronic surveillance:
[M]y major concern is the volume of requests. We have a lot of things that are automated but that’s just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.
Who Reads the Readers?
This is a reminder, citizen: Only cranks worry about vastly increased governmental power to gather transactional data about Americans’ online behavior. Why, just last week, Rep. Lamar Smith (R-TX) informed us that there has not been any “demonstrated or recent abuse” of such authority by means of National Security Letters, which permit the FBI to obtain many telecommunications records without court order. I mean, the last Inspector General report finding widespread and systemic abuse of those came out, like, over a year ago! And as defenders of expanded NSL powers often remind us, similar records can often be obtained by grand jury subpoena.
Subpoenas like, for instance, the one issued last year seeking the complete traffic logs of the left-wing site Indymedia for a particular day. According to tech journo Declan McCullagh:
It instructed [System administrator Kristina] Clair to “include IP addresses, times, and any other identifying information,” including e-mail addresses, physical addresses, registered accounts, and Indymedia readers’ Social Security Numbers, bank account numbers, credit card numbers, and so on.
The sweeping request came with a gag order prohibiting Clair from talking about it. (As a constitutional matter, courts have found that recipients of such orders must at least be allowed to discuss them with attorneys in order to seek advice about their legality, but the subpoena contained no notice of that fact.) Justice Department officials tell McCullagh that the request was never reviewed directly by the Attorney General, as is normally required when information is sought from a press organization. Clair did tell attorneys at the Electronic Frontier Foundation, and when they wrote to U.S. Attorney Timothy Morrison questioning the propriety of the request, it was promptly withdrawn. EFF’s Kevin Bankston explains the legal problems with the subpoena at length.
Perhaps ironically, the targeting of Indymedia, which is about as far left as news sites get, may finally hep the populist right to the perils of the burgeoning surveillance state. It seems to have piqued Glenn Beck’s interest, and McCullagh went on Lou Dobbs’ show to talk about the story. Thus far, the approved conservative position appears to have been that Barack Obama is some kind of ruthless Stalinist with a secret plan to turn the United States into a massive gulag—but under no circumstances should there be any additional checks on his administration’s domestic spying powers. This always struck me as both incoherent and a tragic waste of paranoia. Now that we’ve had a rather public reminder that such powers can be used to compile databases of people with politically unorthodox browsing habits, perhaps Beck—who seems to be something of an amateur historian—will take some time to delve into the story of COINTELPRO and other related projects our intelligence community busied itself with before we established an architecture of surveillance oversight in the late ’70s.
You know, the one we’ve spent the past eight years dismantling.
Understanding the Consequences of Internet Regulation
In an effort to achieve “network neutrality” online, the FCC is starting to write new regulations for Internet providers. Reuters reports:
U.S. communications regulators voted unanimously Thursday to support an open Internet rule that would prevent telecom network operators from barring or blocking content based on the revenue it generates.
The proposed rule now goes to the public for comment until Jan. 14, after which the Federal Communications Commission will review the feedback and possibly seek more comment. A final rule is not expected until the spring of next year.
Cato Director of Information Policy Studies Jim Harper appeared on Fox News this week to discuss the FCC decision. “This is governmental tinkering with a market place that is working really well and growing right now,” said Harper. “The last thing we need is to cut that off.”
There are ways to achieve net neutrality without regulation, says Timothy B. Lee:
An important reason for the Internet’s remarkable growth over the last quarter century is the “end-to-end” principle that networks should confine themselves to transmitting generic packets without worrying about their contents. Not only has this made deployment of internet infrastructure cheap and efficient, but it has created fertile ground for entrepreneurship. On a network that respects the end-to-end principle, prior approval from network owners is not needed to launch new applications, services, or content.
…Like these older regulatory regimes, network neutrality regulations are likely not to achieve their intended aims. Given the need for more competition in the broadband marketplace, policymakers should be especially wary of enacting regulations that could become a barrier to entry for new broadband firms.
What You Don’t Know Won’t Hurt You (Surveillance State Edition)
While there are many choice tidbits to relate from Tuesday’s hearings on PATRIOT Act reform at the House Judiciary Committee’s Subcommittee on the Constitution—not least the fellow who had to be wrestled from the room, literally kicking and screaming, after he tried to stand and interrupt with a complaint about alleged FBI violations of his civil rights—I’ll just relate a novel theory of the Fourth Amendment advanced by Rep. Steve King (R-Iowa).
The ACLU’s Mike German, a former FBI agent turned surveillance policy expert, was explaining that it’s hard to know whether expansive surveillance powers are being abused, since they’re mostly used in secret and deployed via third parties like financial institutions and telecoms, who have little incentive to raise much fuss or draw attention to their cooperation. King interrupted to suggest that if we weren’t hearing about constitutional challenges, then it was probably safe to assume there was no Fourth Amendment harm. German tried to reiterate that the people whose privacy interests were directly harmed typically would not know they had ever been targeted.
That, King declared, was precisely the point. Surveillance of which the subject never became aware, he said, could be compared to a “tree falling in the forest” when nobody’s around. In other words, if you aren’t ultimately prosecuted, and don’t even feel subjective distress as a result of the knowledge that your private records or communications have been pored over, then it’s presumably no harm, no foul. If we take this line of thinking literally, sufficiently secret surveillance can never be unconstitutional, which would seem to make King a spiritual cousin of Richard “if the president does it, that means it’s not illegal” Nixon.
Eye of Neutrality, Toe of Frog
I won’t go on at too much length about FCC Chairman Julius Genachowski’s speech at Brookings announcing his intention to codify the principle of “net neutrality” in agency rules—not because I don’t have thoughts, but because I expect it would be hard to improve on my colleague Tim Lee’s definitive paper, and because there’s actually not a whole lot of novel substance in the speech.
The digest version is that the open Internet is awesome (true!) and so the FCC is going to impose a “nondiscrimination” obligation on telecom providers—though Genachowski makes sure to stress this won’t be an obstacle to letting the copyright cops sniff through your packets for potentially “unauthorized” music, or otherwise interfere with “reasonable” network management practices.
And what exactly does that mean?
Well, they’ll do their best to flesh out the definition of “reasonable,” but in general they’ll “evaluate alleged violations…on a case-by-case basis.” Insofar as any more rigid rule would probably be obsolete before the ink dried, I guess that’s somewhat reassuring, but it absolutely reeks of the sort of ad hoc “I know it when I see it” standard that leaves telecoms wondering whether some innovative practice will bring down the Wrath of Comms only after resources have been sunk into rolling it out. Apropos of which, this is the line from the talk that really jumped out at me:
This is not about protecting the Internet against imaginary dangers. We’re seeing the breaks and cracks emerge, and they threaten to change the Internet’s fundamental architecture of openness. [....] This is about preserving and maintaining something profoundly successful and ensuring that it’s not distorted or undermined. If we wait too long to preserve a free and open Internet, it will be too late.
To which I respond: Whaaaa? What we’ve actually seen are some scattered and mostly misguided attempts by certain ISPs to choke off certain kinds of traffic, thus far largely nipped in the bud by a combination of consumer backlash and FCC brandishing of existing powers. To the extent that packet “discrimination” involves digging into the content of user communications, it may well run up against existing privacy regulations that require explicit, affirmative user consent for such monitoring. In any event, I’m prepared to believe the situation could worsen. But pace Genachowski, it’s really pretty mysterious to me why you couldn’t start talking about the wisdom—and precise character—of some further regulatory response if and when it began to look like a free and open Internet were in serious danger.
Picture Don Draper Stamping on a Human Face, Forever
Last week, a coalition of 10 privacy and consumer groups sent letters to Congress advocating legislation to regulate behavioral tracking and advertising, a phrase that actually describes a broad range of practices used by online marketers to monitor and profile Web users for the purpose of delivering targeted ads. While several friends at the Tech Liberation Front have already weighed in on the proposal in broad terms — in a nutshell: they don’t like it — I think it’s worth taking a look at some of the specific concerns raised and remedies proposed. Some of the former strike me as being more serious than the TLF folks allow, but many of the latter seem conspicuously ill-tailored to their ends.
First, while it’s certainly true that there are privacy advocates who seem incapable of grasping that not all rational people place an equally high premium on anonymity, it strikes me as unduly dismissive to suggest, as Berin Szoka does, that it’s inherently elitist or condescending to question whether most users are making informed choices about their privacy. If you’re a reasonably tech-savvy reader, you probably know something about conventional browser cookies, how they can be used by advertisers to create a trail of your travels across the Internet, and how you can limit this. But how much do you know about Flash cookies? Did you know about the old CSS hack I can use to infer the contents of your browser history even without tracking cookies? And that’s without getting really tricksy. If you knew all those things, congratulations, you’re an enormous geek too — but normal people don’t. And indeed, polls suggest that people generally hold a variety of false beliefs about common online commercial privacy practices. Proof, you might say, that people just don’t care that much about privacy or they’d be attending more scrupulously to Web privacy policies — except this turns out to impose a significant economic cost in itself.
The truth is, if we were dealing with a frictionless Coasean market of fully-informed users, regulation would not be necessary, but it would not be especially harmful either, because users who currently allow themselves to be tracked would all gladly opt in. In the real world, though, behavioral economics suggests that defaults matter quite a lot: Making informed privacy choices can be costly, and while an opt-out regime will probably yield tracking of some who would prefer not to be under conditions of full information and frictionless choice, an opt-in regime will likely prevent tracking of folks who don’t object to tracking. And preventing that tracking also has real social costs, as Berin and Adam Thierer have taken pains to point out. In particular, it merits emphasis that behavioral advertising is regarded by many as providing a viable business model for online journalism, where contextual advertising tends not to work very well: There aren’t a lot of obvious products to tie in to an important investigative story about municipal corruption. Either way, though, the outcome is shaped by the default rule about the level of monitoring users are presumed to consent to. So which set of defaults ought we to prefer?
Exciting! But Not True . . .
The Center for a New American Security is hosting an event on cybersecurity next week. Some fear-mongering in the text of the invite caught my eye:
[A] cyberattack on the United States’ telecommunications, electrical grid, or banking system could pose as serious a threat to U.S. security as an attack carried out by conventional forces.
As a statement of theoretical extremes, it’s true: The inconvenience and modest harms posed by a successful crack of our communications or data infrastructure would be more serious than an invasion by the Duchy of Grand Fenwick. But as a serious assertion about real threats, an attack by conventional forces (however unlikely) would be entirely more serious than any “cyberattack.”
This is not meant to knock the Center for a New American Security specifically, or their event, but breathless overstatement has become boilerplate in the “cybersecurity” area, and it’s driving the United States toward imbalanced responses that are likely to sacrifice our wealth, progress, and privacy.