<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.dubfire.net/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-16750015</atom:id><lastBuildDate>Thu, 09 Feb 2012 03:22:14 +0000</lastBuildDate><category>images</category><category>safecount</category><category>ecpa</category><category>hotmail</category><category>access point</category><category>do not track</category><category>pirate bay</category><category>browser exploits</category><category>lawyers</category><category>vulnerability</category><category>tsa</category><category>privacy</category><category>adobe</category><category>glenn greenwald</category><category>surveillance</category><category>investigation</category><category>sprint</category><category>astroglide</category><category>deep crack</category><category>white house</category><category>rss</category><category>myspace</category><category>mashup</category><category>fraud</category><category>child porn</category><category>facebook</category><category>cipav</category><category>nsa</category><category>mistruths</category><category>farce</category><category>airport security</category><category>FBI</category><category>astroturfing</category><category>laziness</category><category>BOA</category><category>G-Men</category><category>legalese</category><category>liars</category><category>patents</category><category>interview</category><category>ATT</category><category>us attorney</category><category>drm</category><category>pet workshop</category><category>net 
neutrality</category><category>TRIP</category><category>blogging</category><category>google</category><category>ruby</category><category>iran</category><category>section 215</category><category>podcast</category><category>DCA</category><category>red hat</category><category>sony</category><category>opendns</category><category>advertising</category><category>this american life</category><category>censorship</category><category>berkman</category><category>tor</category><category>police</category><category>airport</category><category>akamai</category><category>pgp</category><category>Terrorist Surveillance Program</category><category>flying without ID</category><category>booya</category><category>mccain</category><category>customizegoogle</category><category>boarding pass</category><category>hiibel</category><category>data protection</category><category>spyware</category><category>trespass to chattel</category><category>code</category><category>MiTM</category><category>location info</category><category>extensions</category><category>p2p</category><category>cloud computing</category><category>cookies</category><category>RIAA</category><category>hotwatch</category><category>fun projects</category><category>pen registers</category><category>opt-out</category><category>cover up</category><category>copyright</category><category>phishing</category><category>open government</category><category>diginotar</category><category>paypal</category><category>amber alert</category><category>server logs</category><category>takedown</category><category>disclosure</category><category>jennifer granick</category><category>EFF</category><category>data retention</category><category>freeloaders</category><category>more government stupidity</category><category>schumer</category><category>gmail</category><category>ottawa</category><category>SiteKey</category><category>mpaa</category><category>patriot act</category><category>privacy by 
design</category><category>HTTPS</category><category>IE9</category><category>Won't someone think of the children</category><category>babylon</category><category>behavioral advertising</category><category>mobile phones</category><category>FOIA</category><category>freenet</category><category>freedom</category><category>travel blog</category><category>united</category><category>firefox</category><category>encryption</category><category>location</category><category>leakage</category><category>credit</category><category>t-mobile</category><category>responsible disclosure</category><category>FCRA</category><category>taco</category><category>physical security</category><category>sniffing</category><category>subpoenas</category><category>financial privacy</category><category>google toolbar</category><category>big brother</category><category>contest</category><category>xml</category><category>continental</category><category>security</category><category>tracking</category><category>credit union</category><category>customs</category><category>imaginary laws</category><category>flying</category><category>henry waxman</category><category>wiretapping</category><category>opt out header</category><category>intercepts</category><category>transparency</category><category>crypto wars</category><category>gogo wireless</category><category>EU</category><category>ssl</category><category>surveilance</category><category>broken glass</category><category>dissertation</category><category>yahoo</category><category>what a mess</category><category>lessons</category><category>ignorance</category><category>apple</category><category>congress</category><category>trademark</category><category>chilling effect</category><category>skype</category><category>police state</category><category>youtube</category><category>internship</category><category>browsers</category><category>ibm</category><category>T</category><category>DMCA</category><category>"lies damn 
lies"</category><category>lawsuit</category><category>DoJ</category><category>IIPI</category><category>CALEA</category><category>loophole</category><category>4th amendment</category><category>linux</category><category>surveillance state</category><category>DHS</category><category>cnet</category><category>man in the middle</category><category>law</category><category>docomo</category><category>usms</category><category>website</category><category>kiddie porn</category><category>puffer</category><category>big news</category><category>ID</category><category>targeted advertising</category><category>certificate authorities</category><category>wiretaps</category><category>no-fly list</category><category>anonymity</category><category>Bank Of America</category><category>no-id</category><category>web server logs</category><category>referrer</category><category>microsoft</category><category>google reader</category><category>mozilla</category><category>FISA</category><category>deep pocket inspection</category><category>common carrier</category><title>slight paranoia</title><description>Analysis and opinion by Christopher Soghoian, security and privacy researcher.</description><link>http://paranoia.dubfire.net/</link><managingEditor>noreply@blogger.com (Christopher Soghoian)</managingEditor><generator>Blogger</generator><openSearch:totalResults>374</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.dubfire.net/SlightParanoia" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="slightparanoia" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-1636026957434649834</guid><pubDate>Wed, 08 Feb 2012 18:45:00 
+0000</pubDate><atom:updated>2012-02-08T13:45:54.304-05:00</atom:updated><title>How long does it take for the FTC to investigate a company?</title><description>&lt;p&gt;The Federal Trade Commission is the nation's premier privacy enforcer. In the last few years, it has gone after Facebook, Google, Twitter and several other firms for violating consumers' privacy or deceiving them about the degree to which they protect that privacy. To outsiders, the FTC can seem highly secretive - it doesn't announce when it opens an investigation, only when an investigation ends in a settlement, a lawsuit, or a &lt;a href="http://www.ftc.gov/os/closings/staffclosing.shtm"&gt;public closing letter&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;As a result, although the newspapers and blogs may be filled with stories about a particular privacy firestorm, there is no way to know if the FTC is investigating a company. A year or two later, the FTC might announce a settlement, or it may quietly close an investigation without ever tipping the public off to the fact that agency staff spent months investigating the company.&lt;/p&gt;

&lt;p&gt;I spent a year working in the FTC's Division of Privacy and Identity Protection between 2009-2010, where I got to assist with several important privacy investigations. I saw firsthand how frustrating it is for staff when advocates, the media and Members of Congress demand that the FTC investigate a company or, worse, criticize the FTC for doing nothing, when FTC staff are already several months into a complex investigation.&lt;/p&gt;

&lt;p&gt;To help the general public better understand this topic, I recently sought and obtained (via FOIA) the official &lt;a href="http://files.cloudprivacy.net/ftc-privacy-matter-initiations-2012.pdf"&gt;Matter Initiation Notices&lt;/a&gt; (pdf) filed by FTC staff when they formally opened investigations into all of the major privacy-related cases settled during the past few years.&lt;/p&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-2DRH4F0nLNc/TzLCubw2bNI/AAAAAAAAAB0/jsXRUSDuvtE/s1600/chart_1%2B%25283%2529.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="247" width="400" src="http://4.bp.blogspot.com/-2DRH4F0nLNc/TzLCubw2bNI/AAAAAAAAAB0/jsXRUSDuvtE/s400/chart_1%2B%25283%2529.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;As these documents show, even the fastest privacy case (Google Buzz) took a year from start to finish, while others, such as Facebook (2.3 years) and ControlScan (2.7 years) took far longer.&lt;/p&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-R_r5R8kJlHk/TzLCuceX_HI/AAAAAAAAACA/UjeNM0Pztxs/s1600/ftc-spreadsheet-big.PNG" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="82" width="400" src="http://1.bp.blogspot.com/-R_r5R8kJlHk/TzLCuceX_HI/AAAAAAAAACA/UjeNM0Pztxs/s400/ftc-spreadsheet-big.PNG" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;The take-home lesson from this data? The FTC's investigations are not quick. Given that there are just a couple dozen attorneys in the Division, this isn't surprising. If we want better (and faster) privacy enforcement, giving the FTC more money to hire additional staff would be a great first step.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-1636026957434649834?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2012/02/how-long-does-it-take-for-ftc-to.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/-2DRH4F0nLNc/TzLCubw2bNI/AAAAAAAAAB0/jsXRUSDuvtE/s72-c/chart_1%2B%25283%2529.png" height="72" width="72" /><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-1455379173241409358</guid><pubDate>Mon, 19 Dec 2011 07:00:00 +0000</pubDate><atom:updated>2011-12-19T02:26:15.573-05:00</atom:updated><title>Sprint recklessly exposed Carrier IQ logged URL data to easy government access</title><description>In recent weeks, there has been considerable controversy around Carrier IQ and the data collected by it and the wireless phone companies who have partnered with the firm. 
Now that class action lawsuits have been filed, and the FTC is reportedly &lt;a href="http://www.washingtonpost.com/business/economy/feds-probing-carrier-iq/2011/12/14/gIQA9nCEuO_story.html?tid=pm_business_pop"&gt;probing the company&lt;/a&gt;, one of the most important questions will be: What is the harm?&lt;br /&gt;&lt;br /&gt;As I will attempt to argue in this blog post, by allowing Carrier IQ to collect and retain private user data (such as URLs of pages viewed), Sprint recklessly exposed this sensitive information, which would normally require a court order for the government to obtain, to access with a mere subpoena.&lt;br /&gt;&lt;br /&gt;Last week, technical experts &lt;a href="http://ashkansoltani.org/docs/carrier_IQ.html"&gt;Ashkan Soltani&lt;/a&gt; and &lt;a href="https://www.eff.org/deeplinks/2011/12/carrier-iq-architecture"&gt;Peter Eckersley&lt;/a&gt; reported that Carrier IQ's software was, in some cases, collecting keystrokes and the contents of (SMS) text messages. A 19-page &lt;a href="http://www.carrieriq.com/PR.20111212.pdf"&gt;report&lt;/a&gt; (pdf) released by Carrier IQ confirmed the researchers' claims, putting the blame on a technical bug and accidental overlogging by Sprint or HTC.&lt;br /&gt;&lt;br /&gt;For the purpose of this blog post, let's give Carrier IQ the benefit of the doubt. Instead, it is sufficient to focus our attention on one form of intentional data collection that Carrier IQ and its partner Sprint have acknowledged: the URLs of websites visited by handset owners. 
[There are other kinds of data that the company has intentionally logged too, for example, location data, but we don't know as much about this right now, so I'm focusing my analysis on URLs]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Carrier IQ and Sprint: Yeah, we log URLs&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In a &lt;a href="http://franken.senate.gov/files/letter/111214_CarrierIQ_Response_to_Sen_Franken.pdf"&gt;letter to Senator Franken&lt;/a&gt; (pdf) last week, Carrier IQ acknowledged that its software has been used by one wireless carrier to collect the URLs of webpages viewed by subscribers:&lt;blockquote&gt;Embedded versions of IQ Agent &lt;b&gt;allow for the collection of URLs if requested by a Network Operator&lt;/b&gt; in a profile. These can be collected together with performance metrics so that Network Operators can determine how devices on its network perform for specific web sites... The profile specified by the Network Operator and loaded on the device dictates if this information is actually gathered. The IQ Agent cannot read or copy the content of a website. &lt;b&gt;Only one of Carrier IQ's customers has requested a profile to collect URLs of websites visited on devices on its network.&lt;/b&gt;&lt;/blockquote&gt;&lt;br /&gt;In its &lt;a href="http://franken.senate.gov/files/letter/111214_Sprint_Response_to_Sen_Franken_CarrierIQ.pdf"&gt;letter to Senator Franken&lt;/a&gt; (pdf), Sprint acknowledged that it was the wireless carrier that collected URLs:&lt;br /&gt;&lt;blockquote&gt;Sprint already knows the website of a URL of a website that a user is trying to reach from routing the request on its network. 
This information may be collected through the Carrier IQ software as part of a profile established to troubleshoot website loading latencies or errors experienced by a population of subscribers.&lt;/blockquote&gt;&lt;br /&gt;Let us ignore the fact that in the same letter, Sprint falsely denies collecting users' search query information (the search terms are in the Google/Bing URL), that it failed to disclose that Sprint collects through Carrier IQ the URLs of webpages viewed over encrypted HTTPS connections, which it would never learn by watching the network, or that it probably also gets through Carrier IQ the URLs accessed by handset owners when they are using WiFi and not Sprint's network. While these are interesting points (and show that Sprint is either lying to a Senator, or their legal team is embarrassingly ignorant about technology), they are unnecessary for our analysis.&lt;br /&gt;&lt;br /&gt;It is also worth mentioning, although similarly unnecessary for our analysis, that Sprint's Electronic Surveillance Manager &lt;a href="http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html"&gt;revealed in comments&lt;/a&gt; at the ISS World surveillance conference in 2009 that Sprint allows its marketing department to look through the logs of URLs viewed by its subscribers:&lt;br /&gt;&lt;blockquote&gt;On the Sprint 3G network, we have IP data back 24 months, and we have, depending on the device, we can actually tell you what URL they went to ... If [the handset uses] the [WAP] Media Access Gateway, we have the URL history for 24 months ... We don't store it because law enforcement asks us to store it, we store it because when we launched 3G in 2001 or so, we thought we were going to bill by the megabyte ... but ultimately, that's why we store the data ... 
It's because marketing wants to rifle through the data.&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;Legal protections for URL data under US privacy law&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;It is beyond a cliche at this point to complain that our primary electronic privacy law dates from 1986, and hasn't been substantially updated since. This law differs in the legal protections it offers to data not only based on whether it is &lt;i&gt;content&lt;/i&gt; or &lt;i&gt;non-content&lt;/i&gt;, but also based on what kind of company is holding the data.&lt;br /&gt;&lt;br /&gt;As a Sprint customer, I am obviously unhappy about the fact that the company voluntarily logs and retains the URLs that subscribers visit - which are subsequently available to the government. However, I can get at least a tiny bit of comfort from the fact that the Electronic Communications Privacy Act requires a court order issued under &lt;a href="http://www.law.cornell.edu/uscode/usc_sec_18_00002703----000-.html"&gt;18 USC 2703(d)&lt;/a&gt; before Sprint can be forced to disclose these records to law enforcement agencies.&lt;br /&gt;&lt;br /&gt;Furthermore, if Sprint wished to do so, it could probably argue that URLs contain communications content, and thus should only be disclosed pursuant to a probable cause warrant. [DOJ has acknowledged in its &lt;a href="http://www.cybercrime.gov/ssmanual/ssmanual2009.pdf"&gt;Search and Seizure manual&lt;/a&gt; that URLs can contain content, at least in the context of real-time intercepts via a pen register]. However, given Sprint's general pro-government approach to privacy, I wouldn't expect them to lift a finger to protect their customers.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Carrier IQ and ECPA&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;What about Carrier IQ? 
Does the government need a court order to get URLs when held by the company?&lt;br /&gt;&lt;br /&gt;To be considered a "remote computing service" (RCS) or an "electronic communication service" (ECS) provider under the Electronic Communications Privacy Act (ECPA), you need to actually provide services to the public. Carrier IQ does not do this -- its customers are wireless carriers. On this point alone, user data held by Carrier IQ is simply not subject to the limited protections of ECPA.&lt;br /&gt;&lt;br /&gt;Furthermore, even if we ignore the important requirement relating to providing services to the public, a service provider also has to actually provide the ability to send or receive a user's communications for it to be considered an ECS under the law. See Sega Enterprises Ltd. v. MAPHIA, 948 F. Supp. 923, 930-31 (N.D. Cal. 1996) (video game manufacturer that accessed private email of users of another company's bulletin board service was not a provider of electronic communication service); State Wide Photocopy, Corp. v. Tokai Fin. Servs., Inc., 909 F. Supp. 137, 145 (S.D.N.Y. 
1995) (financing company that used fax machines and computers but did not provide the ability to send or receive communications was not provider of electronic communication service).&lt;br /&gt;&lt;br /&gt;Since Carrier IQ is merely covertly logging the URLs that consumers are viewing, rather than actually delivering web pages to the end user, they also aren't covered under ECPA.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;So what?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As Carrier IQ is neither an RCS nor an ECS under ECPA, any data held by the company can be obtained by the government with a mere subpoena (and potentially, but I'm not as sure of this, by a civil litigant too, such as a divorce lawyer).&lt;br /&gt;&lt;br /&gt;As Sprint opted to have user data sent to Carrier IQ, where it was held for 30-45 days, rather than having the Carrier IQ software send the data directly to Sprint's servers, I believe that Sprint recklessly exposed this private information to easy access by the government without a court order. There are plenty of ways that the company could have guaranteed that this data would always remain protected under ECPA -- but it didn't do so.&lt;br /&gt;&lt;br /&gt;Likewise, while Sprint claims in its letter to Senator Franken that it tells its customers in its privacy policy that it collects information about the sites that they visit, it never discloses to subscribers that this private data is collected and stored by a third party, or the important way this will enable government access to that data. Sprint needlessly kept its customers in the dark about the ways in which the firm was exposing their data to government access.&lt;br /&gt;&lt;br /&gt;In its letter to Senator Franken, Carrier IQ denied getting any requests from law enforcement agencies for user data. 
Sprint had to issue a much more delicately worded statement: it has not disclosed Carrier IQ data to law enforcement (the reason for this careful wording, I suspect, is the presence of 110 employees in Sprint's Electronic Surveillance team who do nothing but supply user data to law enforcement and intelligence agencies).&lt;br /&gt;&lt;br /&gt;Although the recent &lt;a href="http://www.muckrock.com/news/archives/2011/dec/12/fbi-carrier-iq-files-used-law-enforcement-purposes/"&gt;FOIA response&lt;/a&gt; that Muckrock received suggests that the FBI has at least some interest in Carrier IQ data, if we rely on the statements of Carrier IQ and Sprint, then, at least as it relates to URL data, the risks I have described in this blog post are largely theoretical. Even so, it doesn't change the fact that Sprint has demonstrated an extremely cavalier attitude towards user privacy.&lt;br /&gt;&lt;br /&gt;In a best case scenario, Sprint's legal team simply didn't consider the ECPA/law enforcement related implications of using Carrier IQ's technology. In a worst case scenario, they knew what they were doing, and didn't care. 
In either case, the company should be held responsible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-1455379173241409358?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/12/sprint-recklessly-exposed-carrier-iq.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-7211381346265530241</guid><pubDate>Fri, 16 Dec 2011 23:00:00 +0000</pubDate><atom:updated>2011-12-16T18:01:07.401-05:00</atom:updated><title>Commerce Dept: export licenses for intercept tech have "exploded" over last 2,3 years</title><description>Earlier this year, the Commerce Department's Bureau of Industry and Security held a two-day &lt;a href="http://www.bis.doc.gov/seminarsandtraining/update2011/index.htm"&gt;Conference on Export Controls and Policy&lt;/a&gt;. It included a workshop specifically focused on the rules governing the export of encryption technologies (which include intercept equipment). The full transcript can be found here: &lt;a href="http://htc-01.media.globix.net/COMP008760MOD1/BIS_Web/Transcripts/072111_Encryption_Workshop_2011_part1.pdf"&gt;part 1 (pdf)&lt;/a&gt;, &lt;a href="http://htc-01.media.globix.net/COMP008760MOD1/BIS_Web/Transcripts/072111_Encryption_Workshop_2011_part2.pdf"&gt;part 2 (pdf)&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;As a non-lawyer, and non-expert in export control regulations, I was pretty surprised to learn that the government already strictly regulates the export of covert communications surveillance technology. What this means, of course, is that the Commerce Department already has a list of every foreign buyer of US made covert surveillance technology. 
Unfortunately, they won't provide this information to the public, and as far as I know, they won't provide it in response to FOIA requests.&lt;br /&gt;&lt;br /&gt;In any case, reading through the transcript of the event, the following section caught my eye, as it specifically addressed the regulations that apply to surreptitious listening technology:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;&lt;a href="http://www.linkedin.com/pub/michael-pender/8/1aa/910"&gt;Michael Pender&lt;/a&gt;: Licenses [for "surreptitious listening" technology] are required for export to all end users, all destinations, and there's a general policy of denial.&lt;br /&gt;&lt;br /&gt;The exceptions are for U.S. government agencies or communication-service providers there in the normal course of their business.  So, if you're representing a U.S. law-enforcement agency and you're partnering with some other organization in another country and you need to send something out of the county, you know, contact us.  Licenses are authorized for that situation.&lt;br /&gt;&lt;br /&gt;If you represent a telecommunications company and you receive court orders for wiretaps from the local law enforcement and you have to comply with those court orders, you know, that's one of the few circumstances in which we can grant a license.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;And you wouldn't think there would be that many licenses for these products in general in a year, but the rate at which they're coming in has just exploded over the course of the  last 2, 3 years.  
I mean, I think I went from getting one a year to like five times as many, and then again, it's at least doubled or tripled in just the last year.&lt;/b&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-7211381346265530241?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/12/commerce-dept-export-licenses-for.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-7870463626291367180</guid><pubDate>Sat, 12 Nov 2011 01:12:00 +0000</pubDate><atom:updated>2011-11-11T23:40:56.615-05:00</atom:updated><title>Twitter's privacy policy and the Wikileaks case</title><description>&lt;p&gt;&lt;b&gt;Summary:&lt;/b&gt; The federal judge in the Wikileaks case cited in his order a version of Twitter's privacy policy from 2010, rather than the very different policy that existed when Appelbaum, Gonggrijp and Jonsdottir created their Twitter accounts back in 2008. That older policy actually promised users that Twitter would keep their data private unless they violated the company's terms of service. It is unclear how the judge managed to miss this important detail.&lt;/p&gt;

&lt;hr&gt;

&lt;p&gt;Earlier this week, a federal judge in Virginia handed down an order in the high-profile Twitter/Wikileaks case. That order has already been &lt;a href="http://www.wired.com/threatlevel/2011/11/wikileaks-twitter-ruling/"&gt;widely&lt;/a&gt; covered by the &lt;a href="http://www.nytimes.com/2011/11/11/technology/twitter-ordered-to-yield-data-in-wikileaks-case.html"&gt;media&lt;/a&gt;, so I won't summarize it here.&lt;/p&gt;

&lt;p&gt;In ruling that Appelbaum, Gonggrijp and Jonsdottir did not have a reasonable expectation of privacy in the IP addresses that Twitter had collected, the judge specifically highlighted the existence of statements about IP address collection in Twitter's privacy policy.&lt;/p&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-PjkQ6D1K708/Tr3KNKYRjoI/AAAAAAAAABQ/RT5nazZ6lHg/s1600/twitter-order-privacy-policy-1.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="174" width="400" src="http://1.bp.blogspot.com/-PjkQ6D1K708/Tr3KNKYRjoI/AAAAAAAAABQ/RT5nazZ6lHg/s400/twitter-order-privacy-policy-1.png" /&gt;&lt;/a&gt;&lt;br&gt;(from page 3 of the order)&lt;/div&gt;

&lt;p&gt;The judge noted that Twitter reveals in its privacy policy that it collects "many types of usage information, including physical location, IP address, browser type, the &lt;b&gt;referring domain&lt;/b&gt; ..." To support this claim, the judge cited the &lt;a href="http://www.archive.org/download/gov.uscourts.vaed.262289/gov.uscourts.vaed.262289.45.1.pdf"&gt;"Bringola declaration"&lt;/a&gt; (pdf), which is a collection of screenshots from Twitter's website produced by a paralegal working for Appelbaum's lawyer.&lt;/p&gt;

&lt;p&gt;The privacy policy reproduced in the Bringola declaration and cited by the judge was effective as of November 16, 2010, and appears to have been the current privacy policy in March of 2011 when the paralegal made the screenshots. That privacy policy included the following "Log Data" section:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, your mobile carrier, device and application IDs, and search terms. Other actions, such as interactions with our website, applications and advertisements, may also be included in Log Data. If we haven’t already deleted the Log Data earlier, we will either delete it or remove any common account identifiers, such as your username, full IP address, or email address, after 18 months.&lt;/blockquote&gt;&lt;/p&gt;

&lt;P&gt;There is a slight problem with relying on a privacy policy created on November 16, 2010 to decide the reasonable expectation of privacy of these three individuals: They created their Twitter accounts several years before the document was written.&lt;/P&gt;

&lt;p&gt;According to the useful website &lt;a href="http://howlonghaveyoubeentweeting.com/"&gt;howlonghaveyoubeentweeting.com&lt;/a&gt;, Appelbaum's Twitter account was created on February 23, 2008, Gonggrijp created his on September 26, 2008, and Jonsdottir created hers on November 14, 2008.&lt;/p&gt;

&lt;p&gt;Thankfully, Twitter seems to archive all the old versions of their privacy policy. It would appear that all three individuals would have "agreed to" (ignoring the fact that none of them likely read the thing in the first place) &lt;a href="https://twitter.com/privacy/previous/version_1"&gt;Version 1&lt;/a&gt; of the privacy policy, dated May 14, 2007. The "Log data" section of that policy reads as follows:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;When you visit the Site, our servers automatically record information that your browser sends whenever you visit a website ("Log Data" ). This Log Data may include information such as your IP address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click. For most users accessing the Internet from an Internet service provider the IP address will be different every time you log on. We use Log Data to monitor the use of the Site and of our Service, and for the Site's technical administration. &lt;b&gt;We do not associate your IP address with any other personally identifiable information to identify you personally, except in case of violation of the Terms of Service.&lt;/b&gt;&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;There are a few things worth noting here:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The term "referring domain" appears in the privacy policy cited by the judge in his court order, but not in Version 1 of the Twitter privacy policy. This strongly suggests that the judge is citing a newer version of the Twitter policy. The term appears to have been added in &lt;a href="https://twitter.com/privacy/previous/version_2"&gt;Version 2&lt;/a&gt; of the privacy policy, dated November 18, 2009.&lt;/li&gt;
&lt;li&gt;In Version 1 of its policy, Twitter promised its users that it would &lt;b&gt;not&lt;/b&gt; associate their IP addresses with any other personally identifiable information sufficient to identify them personally, unless they violated the Twitter terms of service. This pro-user sentence was removed in Version 2 of Twitter's privacy policy, one year later.&lt;/li&gt;
&lt;li&gt;The government has not alleged that any of the three individuals violated Twitter's terms of service. As such, it would appear that they could reasonably rely on Twitter's claim that it wouldn't associate their retained IP address information with their existing account records or any other personally identifiable information.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This is very interesting.&lt;/p&gt;

&lt;p&gt;The old version of Twitter's policy that the three individuals "agreed" to also includes the following paragraph about updates to the document:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;This Privacy Policy may be updated from time to time for any reason; each version will apply to information collected while it was in place. We will notify you of any material changes to our Privacy Policy by posting the new Privacy Policy on our Site. You are advised to consult this Privacy Policy regularly for any changes.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Note that Twitter didn't say it would email users when it updated its privacy policy; instead, it advised users to revisit the site regularly to see whether the policy had changed. How this sentence passed the laugh test at Twitter's HQ, I do not know.&lt;/p&gt;

&lt;p&gt;In subsequent edits to the policy, Twitter reworded this section, so that it now reads:&lt;/p&gt;

&lt;p&gt;&lt;blockquote&gt;We may revise this Privacy Policy from time to time. The most current version of the policy will govern our use of your information and will always be at https://twitter.com/privacy. If we make a change to this policy that, in our sole discretion, is material, we will notify you via an @Twitter update or e-mail to the email associated with your account. By continuing to access or use the Services after those changes become effective, you agree to be bound by the revised Privacy Policy.&lt;/blockquote&gt;&lt;/p&gt;

&lt;p&gt;Got that? As of Version 2 of Twitter's privacy policy, merely by continuing to use Twitter, you agree to be bound by whatever the company adds to the policy. Oh, and it is up to the company to decide if the changes to the policy are important enough to justify telling users.&lt;/p&gt;

&lt;p&gt;I know that I am not the first researcher to point out how stupid privacy policies are, or that no one reads them. Many others &lt;a href="http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf"&gt;have done&lt;/a&gt; it, and done so far more eloquently than me. My goal in writing this blog post is simple: Not only is a federal judge ruling that 3 individuals have no reasonable expectation of privacy with regard to the government getting some of their Internet transaction data, but the judge isn't even citing the right version of a widely ignored privacy policy to do so. If the judge were to examine the privacy policy that existed when these three targets signed up for a Twitter account, he might decide that they do in fact have a reasonable expectation of privacy and that the government needs a warrant to get the data.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-7870463626291367180?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/11/twitters-privacy-policy-and-wikileaks.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-PjkQ6D1K708/Tr3KNKYRjoI/AAAAAAAAABQ/RT5nazZ6lHg/s72-c/twitter-order-privacy-policy-1.png" height="72" width="72" /><thr:total>13</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-3701198224177719505</guid><pubDate>Wed, 02 Nov 2011 21:26:00 +0000</pubDate><atom:updated>2011-11-03T00:38:02.414-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">security</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><title>Two honest Google employees: our products don't protect your privacy</title><description>&lt;p&gt;Two senior Google employees recently acknowledged that the company's products do not 
protect user privacy. This is quite a departure from the norm at Google, where statements about privacy are usually thick with &lt;a href="http://news.cnet.com/8301-13739_3-10038963-46.html"&gt;propaganda&lt;/a&gt;, &lt;a href="http://paranoia.dubfire.net/2009/07/more-mistruths-from-google-on-privacy.html"&gt;mistruths&lt;/a&gt; and &lt;a href="http://blogs.wsj.com/digits/2010/10/07/former-ftc-employee-files-complaint-over-google-privacy/"&gt;often&lt;/a&gt; outright &lt;a href="http://www.ftc.gov/opa/2011/03/google.shtm"&gt;deception&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Google's products do not meet the privacy needs of journalists, bloggers, small businesses (or anyone else concerned about government surveillance).&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Last week, I &lt;a href="http://www.nytimes.com/2011/10/27/opinion/without-computer-security-sources-secrets-arent-safe-with-journalists.html"&gt;published an op-ed&lt;/a&gt; in the New York Times that focused on the widespread ignorance of computer security among journalists and news organizations. Governments often have no need to compel a journalist to reveal the identity of a source when they can simply obtain stored communications records from phone, email and social networking companies.&lt;/p&gt;

&lt;p&gt;Will DeVries, Google's top DC privacy lobbyist, soon &lt;a href="https://plus.google.com/114398554253715786472/posts/Dpc7jxkVw7s"&gt;posted a link to the article&lt;/a&gt; on his (personal) Google+ page, and added the following comment:
&lt;blockquote&gt;I often disagree with Chris, but when he's right, he's dead right. Journalists (and bloggers, and small businesses) need to take a couple hours and learn to use free, widely available security measures to store data and communicate.&lt;/blockquote&gt;&lt;/p&gt;

&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-Nd-bf0p62Fo/TrGCr4ffLoI/AAAAAAAAABE/_xra6bfustM/s1600/will%2Bcropped.png" imageanchor="1" style="margin-left:1em; margin-right:1em"&gt;&lt;img border="0" height="127" width="600" src="http://2.bp.blogspot.com/-Nd-bf0p62Fo/TrGCr4ffLoI/AAAAAAAAABE/_xra6bfustM/s400/will%2Bcropped.png" /&gt;&lt;/a&gt;&lt;/div&gt;

&lt;p&gt;Let me first say that I really respect Will. Many of the people in Google's policy team default to propaganda mode when questioned. Will does not do this - he either speaks truthfully, or declines to comment. I wish companies would hire more people like him, as they significantly boost the credibility of the firm among privacy advocates.&lt;/p&gt;

&lt;p&gt;Regarding Will's comment: If Google's products were secure out of the box, journalists would not need to "take a couple hours" to learn to protect their data and communications. Will does not tell journalists to ditch their insecure Hotmail accounts and switch to Gmail, or to ditch their easily trackable iPhones and get an Android device. Likewise, he does not advise people to stop using Skype for voice and video chat, and instead use Google's &lt;a href="http://www.google.com/chat/video"&gt;competing services&lt;/a&gt;. He doesn't do that, because if he described these services as more secure and resistant to government access than the competition, he'd be lying.&lt;/p&gt;

&lt;p&gt;Google's services are not secure by default, and, because the company's business model depends upon the monetization of user data, the company keeps as much data as possible about the activities of its users. These detailed records are not just useful to Google's engineers and advertising teams, but are also a juicy target for law enforcement agencies.&lt;/p&gt;

&lt;p&gt;It would be great if Google's products were suitable for journalists, bloggers, activists and other groups that are routinely the target of surveillance by governments around the world. For now, though, as Will notes, these persons will need to investigate the (non-Google) tools and methods with which they can protect their data.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Google's business model is in conflict with privacy by design&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;At a recent conference in Kenya, &lt;a href="http://en.wikipedia.org/wiki/Vint_Cerf"&gt;Vint Cerf&lt;/a&gt;, one of the fathers of the Internet and Google's Chief Internet Evangelist, spoke on the same panel as I did. We had the following exchange over Google's lack of encryption for user data stored on the company's servers (I've edited it to show the important bits about this particular topic; the &lt;a href="http://www.intgovforum.org/cms/component/content/article/71-transcripts-/894-sop-workshop-160-global-trends-to-watch-the-erosion-of-privacy-and-anonymity-and-the-need-of-transparency-of-government-access-requests-"&gt;full transcript is online here&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Me:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;[I]t's very difficult to monetize data when you cannot see it.  And so if the files that I store in Google docs are encrypted or if the files I store on Amazon's drives are encrypted then they are not able to monetize it....And unfortunately, these companies are putting their desire to monetize your data over their desire to protect your communications.&lt;/p&gt;

&lt;p&gt;Now, this doesn't mean that Google and Microsoft and Yahoo! are evil.  They are not going out of their way to help law enforcement.  It's just that their business model is in conflict with your privacy. And given two choices, one of which is protecting you from the government and the other which is making money, they are going to go with making money because, of course, they are public corporations.  They are required to make money and return it to their shareholders.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Vint Cerf:&lt;/p&gt;

&lt;blockquote&gt;I think you're quite right, however that, we couldn't run our system if everything in it were encrypted because then we wouldn't know which ads to show you.  So this is a system that was designed around a particular business model.&lt;/blockquote&gt;

&lt;p&gt;Google could encrypt user data in storage with a key not known to the company, as several &lt;a href="https://spideroak.com/"&gt;other cloud storage companies&lt;/a&gt; already do. Unfortunately, Google's ad supported business model simply does not permit the company to protect user data in this way.&lt;/p&gt;
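&lt;p&gt;What a "key not known to the company" design looks like in practice, as an added example written for this edit (it is not Google's, SpiderOak's or the post author's code): the client derives an AES-256 key from a passphrase and uploads only ciphertext, so the provider holds nothing it can index for advertising or hand over in readable form. PBKDF2 is written out so the program needs only the Go standard library; the iteration count, sample passphrase and sample document are assumptions.&lt;/p&gt;

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// StoredObject is all the provider holds: ciphertext plus the public KDF salt
// and AES-GCM nonce. None of it yields the plaintext without the passphrase,
// which never leaves the client.
type StoredObject struct {
	Salt, Nonce, Ciphertext []byte
}

// kdfIterations is an assumed work factor for the passphrase KDF.
const kdfIterations = 100000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil) // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U1 xor U2 xor ... xor Uc
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aead derives the AES-256 key from the passphrase and salt on the client.
func aead(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs before upload. The salt is bound as additional authenticated
// data, so a provider (or anyone else) altering it is detected on download.
func Encrypt(passphrase, plaintext []byte) (StoredObject, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return StoredObject{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	gcm, err := aead(passphrase, salt)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{salt, nonce, gcm.Seal(nil, nonce, plaintext, salt)}, nil
}

// Decrypt runs after download; a wrong passphrase or any modification of the
// stored bytes fails GCM authentication instead of yielding garbage.
func Decrypt(passphrase []byte, obj StoredObject) ([]byte, error) {
	gcm, err := aead(passphrase, obj.Salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, obj.Salt)
}

// ProviderCanIndex models the server-side content scan an ad system or a
// subpoena response would run: with only the stored object it finds nothing.
func ProviderCanIndex(obj StoredObject, keyword []byte) bool {
	return bytes.Contains(obj.Ciphertext, keyword)
}

func main() {
	pass := []byte("correct horse battery staple")                                 // constructed
	doc := []byte("Interview notes: the source will meet us Tuesday at the cafe.") // constructed
	obj, err := Encrypt(pass, doc)
	if err != nil {
		panic(err)
	}
	back, err := Decrypt(pass, obj)
	fmt.Println("provider can index 'source':", ProviderCanIndex(obj, []byte("source")))
	fmt.Println("client round trip ok:", err == nil && bytes.Equal(back, doc))
	_, err = Decrypt([]byte("wrong passphrase"), obj)
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

&lt;p&gt;The design choice that matters is where the key lives: because it is derived on the client and never uploaded, a legal request to the provider can yield the salt, nonce and ciphertext, but not the document. The cost, which is exactly the conflict Cerf describes, is that the provider cannot search the content either, for ads or for anything else.&lt;/p&gt;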

&lt;p&gt;The end result is that law enforcement agencies can, and regularly do, request user data from the company: requests that would lead to nothing if the company put user security and privacy first.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-3701198224177719505?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/11/two-honest-google-employees-our.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-Nd-bf0p62Fo/TrGCr4ffLoI/AAAAAAAAABE/_xra6bfustM/s72-c/will%2Bcropped.png" height="72" width="72" /><thr:total>18</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-1006094608162028311</guid><pubDate>Mon, 19 Sep 2011 12:45:00 +0000</pubDate><atom:updated>2011-09-19T08:45:08.961-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">certificate authorities</category><category domain="http://www.blogger.com/atom/ns#">diginotar</category><category domain="http://www.blogger.com/atom/ns#">HTTPS</category><title>The forces that led to the DigiNotar hack</title><description>&lt;p&gt;Last week, the &lt;a href="http://www.nytimes.com/2011/09/12/technology/hacker-rattles-internet-security-circles.html"&gt;New York Times&lt;/a&gt; finally covered the DigiNotar hacks, more than two weeks after security experts and the tech media first broke the story. Unfortunately, the top 2-3 newspapers in the US (which is what legislative staff, regulators and policy makers read) have missed most of the important details. The purpose of this blog post is to fill in those gaps, providing key context to understand this incident as part of the larger Internet trust (and surveillance) debate.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Lawful access&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;As consumers around the world have embraced cloud computing, large Internet firms like Google, Facebook, Twitter and Yahoo, all of them based in the United States, increasingly hold users' most private documents and other data. This has been a boon for law enforcement agencies, which can often obtain these files without a court-issued search warrant and without having to give the person under investigation the kind of prompt notice that would be required had their home been searched.&lt;/p&gt;

&lt;p&gt;Law enforcement and intelligence agencies in the US, EU, Canada, Brazil, India, Japan, Israel and several other countries all regularly obtain private user data from Google. The company will insist on a court order for some kinds of user data, but will disclose many other types of data and subscriber records without first insisting on an order issued by an independent judge. This isn't because Google is evil, but because privacy laws in these countries, the US included, are so weak.&lt;/p&gt;

&lt;p&gt;Google does not treat all governments equally though. For example, the company will not honor requests from the governments of Iran, Libya, Zimbabwe, Vietnam and several other countries. You might be inclined to believe that Google has taken this position because of the poor human rights record in these countries. That is part of the reason, but not the whole one; otherwise, Google would refuse requests from the US government, which has a documented track record of assassination, rendition/kidnapping and torture. Google's policy of refusing these requests, I believe, largely comes down to the fact that Google does not have an office or staff in those countries. Without a local presence, employees to threaten with arrest or equipment to seize, these governments lack leverage over Google.&lt;/p&gt;


&lt;p&gt;This situation is not specific to Google: Facebook, Yahoo, Microsoft and other large US firms all disclose user data to governments that have leverage over them, and ignore requests from others. Thus, lacking any "legitimate" way to engage in what they believe is lawful surveillance of their citizens, the governments that lack leverage have turned to other methods, specifically network surveillance.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;An unintended consequence of HTTPS by default&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;When users connect to Facebook, Twitter, Hotmail and many other popular websites, they are vulnerable to passive network surveillance and to active attacks such as account hijacking. These services are vulnerable because they do not use HTTPS encryption to protect all data as it is transmitted over the Internet; in particular, a session cookie sent over plain HTTP can be captured and replayed by anyone on the same network path, who then is that user as far as the site is concerned.&lt;/p&gt;

&lt;p&gt;Such attacks are trivially easy for hackers to perform against users of an open WiFi network using tools like &lt;a href="http://codebutler.com/firesheep"&gt;Firesheep&lt;/a&gt;. They are also relatively easy for government agencies to perform on a larger scale, when they can compel the assistance of upstream ISPs.&lt;/p&gt;

&lt;p&gt;As I described above, because Google will not respond to formal requests for user data from certain governments, it is likely that the state security agencies in these countries have come to depend on network interception, performed with the assistance of domestic ISPs.&lt;/p&gt;

&lt;p&gt;Unfortunately for these governments, in January 2010, Google &lt;a href="http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html"&gt;enabled HTTPS by default&lt;/a&gt; for Gmail and a few other services. Once the firm flipped the default setting, passive network surveillance of the content of those sessions became impossible (an eavesdropper can still see that a user connected to Google, but not what was said). Thus, in January 2010, the governments of Iran and a few other countries lost their ability to watch the communications of domestic Google users.&lt;/p&gt;

&lt;p&gt;For now, these governments can still spy on Facebook, Twitter and Hotmail, as these services do not use HTTPS by default. That is changing though. Following the release of Firesheep in October 2010, (as well as &lt;a href="http://news.cnet.com/8301-1009_3-20037253-83.html"&gt;two senior&lt;/a&gt; US government officials calling for &lt;a href="https://www.eff.org/deeplinks/2010/03/ftc-internet-companies-start-using-ssl"&gt;encryption by default&lt;/a&gt;) all three &lt;a href="http://www.facebook.com/blog.php?post=486790652130"&gt;services&lt;/a&gt; now &lt;a href="http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx"&gt;offer&lt;/a&gt; configuration options &lt;a href="http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html"&gt;to force&lt;/a&gt; the use of HTTPS. These firms are all moving towards HTTPS by default - for some firms, it will likely be a matter of weeks until it happens, for others, months.&lt;/p&gt;

&lt;p&gt;Governments can see the writing on the wall: HTTPS by default will become the norm. Passive network surveillance will lose its potency as a tool of government monitoring, and once that happens, the state intelligence agencies will "go dark", losing the ability to keep tabs on their citizens' use of foreign, mostly US-based Internet communications services.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;HTTPS Certificate Authorities and surveillance&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;As these large providers switch to HTTPS by default, government agencies will no longer be able to rely on passive network interception. By switching to &lt;i&gt;active&lt;/i&gt; interception attacks, these governments can, in many cases, easily neutralize the HTTPS encryption, thus restoring their ability to spy on their citizens. One active attack, known as a "man in the middle attack", requires that the government first obtain an HTTPS certificate for the target site, issued by a Certificate Authority (CA) trusted by the major web browsers.&lt;/p&gt;

&lt;p&gt;In March of 2010, Sid Stamm and I published a paper on what we called &lt;a href="http://files.cloudprivacy.net/ssl-mitm.pdf"&gt;compelled certificate creation attacks&lt;/a&gt;, in which a government simply requires a domestic Certificate Authority to issue it one or more certificates for surveillance purposes. When we released a draft of our paper, we also published a product brochure I had obtained in the fall of 2009 at the ISS surveillance conference, for a &lt;a href="http://www.wired.com/threatlevel/2010/03/packet-forensics/"&gt;Packet Forensics interception device&lt;/a&gt; that described how it could be used to intercept communications using these kinds of certificates.&lt;/p&gt;

&lt;p&gt;The browsers trust a lot of Certificate Authorities, probably too many. These include companies located in countries around the world. They also include Certificate Authorities that are operated by government agencies. For example, Microsoft &lt;a href="http://social.technet.microsoft.com/wiki/contents/articles/3581.aspx"&gt;trusts&lt;/a&gt; a couple of dozen government-run CAs, including those of Tunisia and Venezuela. It is perhaps worth noting that Microsoft &lt;a href="http://social.technet.microsoft.com/wiki/contents/articles/3581.aspx"&gt;continues to&lt;/a&gt; trust the Tunisian government even after it was &lt;a href="http://www.theatlantic.com/technology/archive/2011/01/the-inside-story-of-how-facebook-responded-to-tunisian-hacks/70044/"&gt;caught in December 2010 actively hijacking&lt;/a&gt; the accounts of Facebook users (an act that led to Facebook enabling HTTPS by default for all users in the country).&lt;/p&gt;

&lt;p&gt;In any case, as Sid and I described, governments can compel domestic Certificate Authorities to provide them with the certificates necessary to intercept their own citizens' communications. However, not all governments around the world are as lucky as Tunisia to be trusted by the browsers, nor do all of them have a domestic certificate authority that they can bully around. Some countries, like Iran, have no way to obtain a certificate that will let them spy on Google users (yes, I know that you can buy intermediate CA issuing powers, but I am assuming that no one will sell this to the Iranian government).&lt;/p&gt;
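&lt;p&gt;Why any trusted CA can sign for any name, and what a client can do about it, as an added example written for this edit (it is not code from the post, from the paper it cites or from any browser vendor): two root CAs are generated in memory and both are placed in the trust store, the "compromised" one issues a certificate for mail.google.com, and ordinary chain validation accepts both certificates, while a public-key pin for the genuine key rejects the rogue one. The host name, the CA names and the idea that the client already knows the genuine key are assumptions; the whole PKI is constructed for illustration and is not real DigiNotar or Google material.&lt;/p&gt;

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// targetHost is the site to be impersonated (assumed for illustration).
const targetHost = "mail.google.com"

// mkCert generates a key pair and a certificate for name. A nil parent makes a
// self-signed root; otherwise parent signs a server certificate for the host.
// Nothing stops any trusted root from signing for any name: that is the flaw.
func mkCert(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)), the form HPKP used.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainOK is ordinary browser validation: any chain to any trusted root passes.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: targetHost})
	return err == nil
}

// pinnedOK additionally requires the leaf key to be one the client expects.
func pinnedOK(leaf *x509.Certificate, roots *x509.CertPool, pins map[string]bool) bool {
	return chainOK(leaf, roots) && pins[spkiPin(leaf)]
}

// Outcome records each policy's verdict on the genuine and the rogue cert.
type Outcome struct{ ChainReal, ChainRogue, PinReal, PinRogue bool }

// Scenario: two roots the browser trusts, the compromised one issues a
// certificate for targetHost, and both certs are checked with and without a pin.
func Scenario() (Outcome, error) {
	legit, legitKey, err := mkCert("Legitimate Root CA", 1, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	rogue, rogueKey, err := mkCert("Compromised Root CA", 2, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	real, _, err := mkCert(targetHost, 10, legit, legitKey)
	if err != nil {
		return Outcome{}, err
	}
	fake, _, err := mkCert(targetHost, 11, rogue, rogueKey)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool() // both roots trusted, as DigiNotar was
	roots.AddCert(legit)
	roots.AddCert(rogue)
	pins := map[string]bool{spkiPin(real): true} // the genuine key, known in advance
	return Outcome{chainOK(real, roots), chainOK(fake, roots), pinnedOK(real, roots, pins), pinnedOK(fake, roots, pins)}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("chain validation accepts real=%v rogue=%v\n", o.ChainReal, o.ChainRogue)
	fmt.Printf("key pinning accepts     real=%v rogue=%v\n", o.PinReal, o.PinRogue)
}
```

&lt;p&gt;Run with &lt;code&gt;go run&lt;/code&gt; and the first line shows the problem (both certificates validate), the second the mitigation. Pinning only helps for sites whose keys the client already knows, which is why it was deployed first by a browser vendor for its own domains rather than as a general fix; a compelled or stolen certificate for a site without a pin still validates.&lt;/p&gt;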

&lt;p&gt;In recent weeks, we have learned that the encrypted communications of 300,000 people in Iran were monitored by an entity using a certificate that DigiNotar issued. While the Iranian government has not admitted to conducting this man in the middle surveillance against its citizens, it seems reasonable to assume they were behind it. The reason for this certificate theft seems pretty clear, when you consider the other details described in this blog post:&lt;/p&gt;

&lt;p&gt;Iran wants to spy on its citizens. It wants the same interception and spying capabilities that the US and other western governments have. Unfortunately for the Iranian government, it has no domestic CA, and Google doesn't have an office in Tehran. So, it used a certificate obtained by hacking into a CA already trusted by the browsers - a CA that had weak default passwords, and that covered up the attack for weeks after it learned about it, giving the Iranian government plenty of time to use the stolen certificate to spy on its citizens.&lt;/p&gt;

&lt;p&gt;As Facebook, Twitter and other big sites embrace HTTPS by default, the temptation will grow for governments without other ways to spy on their citizens to hack into certificate authorities with weak security. Can you blame them?&lt;/p&gt;

&lt;p&gt;&lt;b&gt;NSA and other US government agencies have gambled with our security&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;In December 2009, after I had obtained Packet Forensics' product marketing materials, I met with a former senior US intelligence official. I told him that I believed that governments around the world were abusing this flaw to spy on their own citizens, as well as foreigners. When I told him I would be going public in a few months, motivated by my concerns about China and other governments spying on Americans, he said I would be aiding "terrorists in Peshawar" by helping to secure their communications. Needless to say, our meeting wasn't particularly productive.&lt;/p&gt;

&lt;p&gt;US intelligence agencies have long known about the flaws associated with the current certificate authority web of trust. For example, in 1998, James Hayes, an air force captain working for the National Security Agency, published &lt;a href="http://www.ise.gmu.edu/~duminda/classes/spring08/isa562/Slides/00725710.pdf"&gt;an academic paper&lt;/a&gt; in which he described the ease with which certificates could be used to intercept traffic:&lt;/p&gt;
&lt;blockquote&gt;Certificate masquerading allows a masquerader to substitute an unsuspecting server’s valid certificate with the masquerader’s valid certificate. The masquerader could monitor Web traffic, picking up unsuspecting victims’ surfing habits, such as the various net shopping malls and stores a victim may visit. The masquerader could change messages at will without detection, or collect the necessary information and go shopping on his or her own time.&lt;/blockquote&gt;

&lt;p&gt;Of course, it isn't too surprising that NSA has known about these vulnerabilities. If the agency hadn't known about these risks, it would have been grossly incompetent.&lt;/p&gt;

&lt;p&gt;The question to consider then, is what has and hasn't the NSA done with this knowledge. In addition to attacking the computers of foreign governments, NSA is supposed to protect US government electronic assets. In the 10 years since NSA first acknowledged it knew about the problems with certificate authorities, what steps has the agency taken to protect US government computers from these attacks? Likewise, what has it done to protect US businesses and individuals?&lt;/p&gt;

&lt;p&gt;The answer, I believe, is "nothing". The reason for this, I suspect, is that NSA wanted to exploit the flaws itself and didn't want to do anything that would lead to the elimination of what is likely a valuable source of intelligence information -- even though this meant that the governments of China, Turkey, Israel, Tunisia and Venezuela would have access to this surveillance method too.&lt;/p&gt;

&lt;p&gt;Perhaps this was a reasonable choice to make, when the intelligence agencies abusing the flaw could be trusted to do so discreetly (&lt;i&gt;The &lt;a href="http://news.ycombinator.com/item?id=3011286"&gt;first rule&lt;/a&gt; of State-run CA Club is...&lt;/i&gt;). The Iranians have upset that delicate understanding. They have acquired and used certificates in a manner that is anything but discreet, thus forcing the issue to the front page of newspapers around the world.&lt;/p&gt;

&lt;p&gt;Now, any state actor or criminal enterprise with a budget to hire hackers can likely get its hands on fraudulent certificates sufficient to intercept users' communications, as Comodo and DigiNotar will not be the last certificate authorities with weak security to be hacked. Hundreds of millions of computers around the world remain vulnerable to this attack, and will likely stay this way, until the web browser vendors decide upon and deploy effective defenses.&lt;/p&gt;

&lt;p&gt;Had the US defense and intelligence community acted 10 years ago to protect the Internet, instead of exploiting this flaw, we would not be in the dire situation that we are currently in, waiting for the next hacked certificate authority, or the next man in the middle attack.&lt;/p&gt; 



&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-1006094608162028311?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/09/forces-that-led-to-diginotar-hack.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>3</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-824905338955511204</guid><pubDate>Thu, 04 Aug 2011 17:20:00 +0000</pubDate><atom:updated>2011-08-04T13:31:00.143-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">ecpa</category><title>Warrantless "emergency" surveillance of Internet communications by DOJ up 400%</title><description>According to an official DOJ report, the use of "emergency", warrantless requests to ISPs for customer communications content has skyrocketed over 400% in a single year.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://files.spyingstats.com/exigent-requests/doj-2702-report-2010.pdf"&gt;The 2009 report&lt;/a&gt; (pdf), which I recently obtained via a Freedom of Information Act request (it took DOJ &lt;a href="http://files.spyingstats.com/exigent-requests/FOIA-reply-2010-2702-report.pdf"&gt;11 months&lt;/a&gt; (pdf) to give me the two-page report), reveals that law enforcement agencies within the Department of Justice sought and obtained communications content for 91 accounts. 
This number is a significant increase over previous years: 17 accounts &lt;A href="http://files.spyingstats.com/exigent-requests/doj-2702-report-2009.pdf"&gt;in 2008&lt;/a&gt; (pdf), 9 accounts &lt;a href="http://files.spyingstats.com/exigent-requests/doj-2702-report-2008.pdf"&gt;in 2007&lt;/a&gt; (pdf), and 17 accounts &lt;a href="http://files.spyingstats.com/exigent-requests/doj-2702-report-2007.pdf"&gt;in 2006&lt;/a&gt; (pdf).&lt;br /&gt; &lt;br /&gt;&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When Congress passed the Electronic Communications Privacy Act in 1986, it permitted law enforcement agencies to obtain stored communications and customer records in emergencies without the need for a court order. &lt;br /&gt;&lt;br /&gt;In such scenarios, a carrier can (but is not required to) disclose the requested information if it, "in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency."  Typically, belief means that a police officer states that an emergency exists. &lt;br /&gt;&lt;br /&gt;With the passage of the USA PATRIOT Improvement and Reauthorization Act of 2005, Congress created specific statistical reporting requirements for the voluntary disclosure of the contents of subscriber communications in emergency situations. In describing his motivation for introducing the requirement, Senator Lungren stated that:&lt;blockquote&gt;&lt;br /&gt;"I felt that some accountability is necessary to ensure that this authority is not being abused… This information [contained in the reports] I believe should be highly beneficial to the Committee, fulfilling our oversight responsibility in the future … this is the best way for us to have a ready manner of looking at this particular section. In the hearings that we had, I found no basis for claiming that there has been abuse of this section. 
I don't believe on its face it is an abusive section. But I do believe that it could be subject to abuse in the future and, therefore, this allows us as Members of Congress to have an ability to track this on a regular basis."&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;The current reports are deeply flawed&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The emergency request reports are compiled and submitted by the Attorney General, and only apply to disclosures made to law enforcement agencies within the Department of Justice. As such, there are no statistics for emergency disclosures made to other federal law enforcement agencies, such as the Secret Service, as well as those made to state and local law enforcement agencies.&lt;br /&gt;&lt;br /&gt;Furthermore, although 18 USC 2702 permits both the disclosure of the content of communications, as well as non-content records associated with subscribers and their communications (such as geo-location data), Congress only required that statistics be compiled for the disclosure of communications content. It is not clear why Congress limited the reports in this way.&lt;br /&gt;&lt;br /&gt;Because the reporting requirements do not apply to disclosures made to law enforcement agencies outside the Department of Justice, and do not include the disclosure of non-content communications data and other subscriber records, the reports reveal a very limited portion of the scale of voluntary disclosures to law enforcement agencies.&lt;br /&gt;&lt;br /&gt;Likewise, although Congress intended for these reports to assist with public oversight of the emergency disclosure authority, the Department of Justice has not proactively made these reports available to the general public. The reports for 2006 and 2007 were leaked to me by a friend with contacts on the Hill. 
I obtained the 2008 and 2009 reports via FOIA requests -- and disgracefully, it took DOJ 11 months to provide me with a copy of the 2-page report for 2009.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The emergency requests documented in these reports only scratch the surface&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://markey.house.gov/docs/telecomm/Verizon_wiretaping_response_101207.pdf"&gt;A letter&lt;/a&gt; (pdf) submitted by Verizon to Congressional committees in 2007 revealed that the company had received 25,000 emergency requests during the previous year.  Of these 25,000 emergency requests, just 300 requests were from federal law enforcement agencies. In contrast, the reports submitted to Congress by the Attorney General reveal less than 20 disclosures for that year.  Even though no other service provider has disclosed similar numbers regarding emergency disclosures, it is quite clear that the Department of Justice statistics are not adequately reporting the scale of this form of surveillance. In fact, they underreport these disclosures by several orders of magnitude.&lt;br /&gt;&lt;br /&gt;The current reporting law is largely useless. It does not apply to state and local law enforcement agencies, who make tens of thousands of warrantless requests to ISPs each year. It does not apply to federal law enforcement agencies outside DOJ, such as the Secret Service. Finally, it does not apply to emergency disclosures of non-content information, such as geo-location data, subscriber information (such as name and address), or IP addresses used.&lt;br /&gt;&lt;br /&gt;As such, Congress currently has no idea how many warrantless requests are made to ISPs each year. 
How can it hope to make sane policy in this area, when it has no useful data?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-824905338955511204?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/08/warrantless-emergency-surveillance-of.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>8</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-4646468413682510782</guid><pubDate>Fri, 24 Jun 2011 09:45:00 +0000</pubDate><atom:updated>2011-06-24T05:51:20.797-04:00</atom:updated><title>Privacy preserving FOIA lawsuits</title><description>Several weeks ago, after an extremely successful &lt;a href="http://www.indiegogo.com/Help-Chris-sue-DOJ-to-turn-over-600-surveillance-docs"&gt;online fundraising effort&lt;/a&gt; to cover the costs, I filed a FOIA complaint in Washington, DC Federal District Court.&lt;br /&gt;&lt;br /&gt;Before filing the complaint, I looked through the court website and paid particular attention to a document posted there, titled &lt;a href="http://www.dcd.uscourts.gov/dcd/sites/dcd/files/PaidCaseInstructions.pdf"&gt;Information for Parties Who Wish to File a Civil Complaint&lt;/a&gt; (pdf), which states:&lt;br /&gt;&lt;blockquote&gt;The name of this Court must be written at the top of the first page [of the complaint]. The complete name and address for each plaintiff must be included in the caption of the complaint. A Post Office Box is insufficient as an address, unless you file a separate motion asking the Court to permit such an address.&lt;/blockquote&gt;Since moving to Washington DC, I've tried to keep my residential address out of databases, primarily by using a PO Box for everything possible. As such, I wasn't too keen on my home address showing up in a public court docket. 
Following the guidance given by the court, I put my PO box address on my FOIA complaint and filed an accompanying Motion To Include PO Box Address on Complaint.&lt;br /&gt;&lt;br /&gt;Two weeks later, I called the court clerk to find out the status of the case, and I was told that my motion had been rejected and that my complaint and all the accompanying documents had been sent back to me.&lt;br /&gt;&lt;br /&gt;The clerk didn't actually tell me the reason why the motion had been rejected, and so as soon as I returned to DC, I &lt;a href="http://dockets.justia.com/docket/district-of-columbia/dcdce/1:2011cv01080/148626/"&gt;refiled the complaint&lt;/a&gt; with my home address, which was promptly docketed by the clerk.&lt;br /&gt;&lt;br /&gt;Several days later, an envelope from the clerk arrived in the mail, which included a copy of the motion that I had filed. Written on it was a note by &lt;a href="http://en.wikipedia.org/wiki/Royce_C._Lamberth"&gt;Judge Royce Lamberth&lt;/a&gt;, informing me that my motion was denied, but that the court would reconsider it if I provided my residence address to be filed under seal for the court and defendants.&lt;br /&gt;&lt;br /&gt;This news came too late for me -- my home address is now in the DC court docket (something I am still rather upset about), but perhaps this information will be useful to others.&lt;br /&gt;&lt;br /&gt;&lt;a title="View Motion for Po Box Denied on Scribd" href="http://www.scribd.com/doc/58615812/Motion-for-Po-Box-Denied"&gt;Motion for Po Box Denied&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-4646468413682510782?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/06/privacy-preserving-foia-lawsuits.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>4</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-5960375053990270090</guid><pubDate>Wed, 25 May 2011 03:23:00 +0000</pubDate><atom:updated>2011-05-24T23:37:00.420-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">patriot act</category><category domain="http://www.blogger.com/atom/ns#">section 215</category><title>Senators hint at DOJ's secret reinterpretation and use of Section 215 of the Patriot Act</title><description>&lt;b&gt;Summary&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;According to two Democratic Senators, the Department of Justice has secretly reinterpreted a controversial provision contained in the USA Patriot Act to give the government surveillance powers that are "inconsistent with the public’s understanding of these laws." 
The senators also accuse DOJ of misleading the American public when describing the use of this legal authority.&lt;br /&gt;&lt;br /&gt;This disclosure builds on previous cryptic statements from DOJ officials regarding the use of "Section 215" powers for a "sensitive collection program," and from Senator Russ Feingold regarding repeated abuses of Section 215 that he was not permitted to publicly describe.&lt;br /&gt;&lt;br /&gt;Although FBI Director Robert Mueller &lt;a href="http://emptywheel.firedoglake.com/2011/02/17/confirmed-our-government-has-criminalized-beauty-products/"&gt;revealed earlier this year&lt;/a&gt; that the FBI has used Section 215 powers to monitor the sale of hydrogen peroxide, such data collection is unlikely to be the "sensitive collection program" about which several senators have tried to alert the public.&lt;br /&gt;&lt;br /&gt;If I had to make a wild guess, I suspect it is likely related to warrantless, massive scale collection of geo-location information from cellular phones.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Secret reinterpretations of the law&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Marcy Wheeler &lt;a href="http://emptywheel.firedoglake.com/2011/05/24/wyden-and-udall-want-obama-to-admit-to-secret-collection-program/"&gt;reported this evening&lt;/a&gt; that Senators Wyden and Udall, both of whom are on the Intelligence Committee, have submitted an &lt;a href="http://static1.firedoglake.com/28/files/2011/05/Wyden-Udall-Amendment.pdf"&gt;amendment&lt;/a&gt; (pdf) as part of the rushed, bipartisan effort to reauthorize the Patriot Act. 
The amendment is noteworthy not because of the changes to the law it proposes, but the information it reveals:&lt;blockquote&gt;&lt;br /&gt;(6) United States Government officials should not secretly reinterpret public laws and statutes in a manner that is inconsistent with the public’s understanding of these laws, and should not describe the execution of these laws in a way that misinforms or misleads the public;&lt;br /&gt;&lt;br /&gt;(7) On February 2, 2011, the congressional intelligence committees received a secret report from the Attorney General and the Director of National Intelligence that has been publicly described as pertaining to intelligence collection authorities that are subject to expiration under section 224 of the USA PATRIOT Act (Public Law 107–56; 115 Stat. 295); and&lt;br /&gt;&lt;br /&gt;(8) while it is entirely appropriate for particular intelligence collection techniques to be kept secret, the laws that authorize such techniques, and the United States Government’s official interpretation of these laws, should not be kept secret but should instead be transparent to the public, so that these laws can be the subject of informed public debate and consideration.&lt;/blockquote&gt;&lt;br /&gt;For those of you who don't read legalese, this means that the Department of Justice has secretly reinterpreted a controversial provision in the Patriot Act, likely Section 215, and is using it in a way that is inconsistent with the public's understanding of the law.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;DOJ has already admitted that Section 215 is being used for a "sensitive collection program"&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On September 22, 2009, Todd Hinnen, then the Deputy Assistant Attorney General for law and policy in DOJ’s National Security Division testified before the House Judiciary Subcommittee on the Constitution, Civil Rights, and Civil Liberties in support of the reauthorization of key provisions of the USA PATRIOT Act.&lt;br /&gt;&lt;br /&gt;During 
his oral testimony, Mr. Hinnen stated that:&lt;br /&gt;&lt;blockquote&gt;"The business records provision [Section 215] allows the government to obtain any tangible thing it demonstrates to the FISA court is relevant to a counterterrorism or counterintelligence investigation.&lt;br /&gt;&lt;br /&gt;This provision is used to obtain critical information from the businesses unwittingly used by terrorists in their travel, plotting, preparation for, communication regarding, and execution of attacks.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;It also supports an important, sensitive collection program&lt;/b&gt; about which many members of the subcommittee or their staffs have been briefed."&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;Section 215 has been repeatedly abused&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On October 1, 2009, Senator Feingold made several statements regarding abuses of Section 215 during a Senate Judiciary Committee markup hearing:&lt;blockquote&gt;&lt;br /&gt;"I remain concerned that critical information about the implementation of the Patriot Act remains classified. Information that I believe, would have a significant impact on the debate..... &lt;span style="font-weight: bold;"&gt;There is also information about the use of Section 215 orders that I believe Congress and the American People deserve to know&lt;/span&gt;. It is unfortunate that we cannot discuss this information today.&lt;br /&gt;&lt;br /&gt;…&lt;br /&gt;&lt;br /&gt;Mr Chairman, I am also a member of the intelligence Committee. I recall during the debate in 2005 that proponents of Section 215 argued that these authorities had never been misused. &lt;span style="font-weight: bold;"&gt;They cannot make that statement now. They have been misused&lt;/span&gt;. I cannot elaborate here. 
But I recommend that my colleagues seek more information in a classified setting.&lt;br /&gt;&lt;br /&gt;…&lt;br /&gt;&lt;br /&gt;I want to specifically disagree with Senator Kyl's statement that just the fact that there haven't been abuses of the other provisions which are sunsetted. That is not my view of Section 215. &lt;span style="font-weight: bold;"&gt;I believe section 215 has been misused as well&lt;/span&gt;."&lt;/blockquote&gt;&lt;br /&gt;Likewise, after the Senate rejected several reforms of Section 215 powers in 2009, Senator Durbin told his colleagues that:&lt;br /&gt;&lt;blockquote&gt;"[T]he real reason for resisting this obvious, common-sense modification of Section 215 is unfortunately cloaked in secrecy. Some day that cloak will be lifted, and future generations will ask whether our actions today meet the test of a democratic society: transparency, accountability, and fidelity to the rule of law and our Constitution."&lt;/blockquote&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Clearly, there are many unanswered questions - we do not know what kind of data collection is occurring, and why it is problematic enough to cause four senators to speak up publicly. 
However, given that four senators have now spoken up, this strongly suggests that there is something seriously rotten going on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5960375053990270090?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/05/senators-hint-at-dojs-secret.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>3</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-5285395854948544215</guid><pubDate>Tue, 03 May 2011 15:55:00 +0000</pubDate><atom:updated>2011-05-04T08:55:17.575-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">do not track</category><title>Industry-created "privacy enhancing" abandonware</title><description>Industry loves self regulation, and why shouldn't it? Given the choice between strong enforcement by a federal agency and scout's honor promises, industry would be foolish to support a strong FTC.&lt;br /&gt;&lt;br /&gt;Unfortunately, the self-regulatory groups and organizations that are created in response to the threat of regulation are often extremely short lived. &lt;br /&gt;&lt;br /&gt;Pam Dixon noted this in &lt;a href="http://www.ftc.gov/os/comments/privacyreportframework/00369-57987.pdf"&gt;her comment&lt;/a&gt; (pdf) submitted in response to the FTC's recent privacy report:&lt;blockquote&gt;[I]ndustry knows that the Commission’s attention span is limited.  When the Commission showed interest in online privacy in the years before 2000, industry responded by developing and loudly trumpeting a host of privacy self-regulatory activities.  Most of these activities were strictly for the purpose of convincing policy makers at the Commission and elsewhere that regulation or legislation was a bad idea.  
All of these activities actually or effectively disappeared  as soon as new appointees to the Commission demonstrated a lack of interest in regulatory or legislative approaches to privacy.&lt;br /&gt;&lt;br /&gt;[These include:]&lt;br /&gt;&lt;br /&gt;The &lt;b&gt;Individual Reference Services Group&lt;/b&gt; (IRSG) was announced in 1997 as a self-regulatory organization for companies that provide information that identifies or locates individuals.  The group terminated in 2001.&lt;br /&gt;&lt;br /&gt;The &lt;b&gt;Privacy Leadership Initiative&lt;/b&gt; began in 2000 to promote self regulation and to support privacy educational activities for business and for consumers.  The  organization lasted about two years.&lt;br /&gt;&lt;br /&gt;The &lt;b&gt;Online Privacy Alliance&lt;/b&gt; began in 1998 with an interest in promoting industry self regulation for privacy.  OPA’s last reported activity appears to have taken place in 2001, although its website continues to exist and shows signs of an  update in 2011.&lt;br /&gt;&lt;br /&gt;The &lt;b&gt;Network Advertising Initiative&lt;/b&gt; had its origins in 1999, when the Federal Trade Commission showed interest in the privacy effects of online behavioral targeting.  By 2003, when FTC interest in privacy regulation had evaporated, the NAI had only two members.  Enforcement and audit activity lapsed as well.  NAI did nothing to fulfill its promises or keep its standards up to date with current technology until 2008, when FTC interest increased&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;Industry created privacy enhancing software is made for regulators, not consumers&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;A few weeks ago, Ryan Singel at Wired &lt;a href="http://www.wired.com/epicenter/2011/04/chrome-do-not-track/2/"&gt;wrote about&lt;/a&gt; Google's curious lack of support for Do Not Track (DNT). 
Rather than embracing the DNT header supported by the three other major browser vendors, Google is instead pushing the 3rd party browser plugins it has released that make it possible for consumers to retain their opt out cookies.&lt;br /&gt;&lt;br /&gt;As I told Ryan then:&lt;blockquote&gt;"[Google's] opt-out cookies and their plug-in are not aimed at consumers," Soghoian says. "They are aimed at policy makers. Their purpose is to give them something to talk about when they get called in front of Congress. No one is using this plug-in and they don’t expect anyone to use it."&lt;/blockquote&gt;Soon after this piece was published, I received a bit of pushback from several friends in Washington, who felt I was unfairly slamming the company.&lt;br /&gt;&lt;br /&gt;However, when you actually examine the history of the industry's privacy enhancing technologies, they seem awfully similar to the short-lived self regulatory organizations that Pam Dixon highlighted.&lt;br /&gt;&lt;br /&gt;&lt;B&gt;Privacy enhancing abandonware&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On March 11, 2009, Google &lt;a href="http://searchengineland.com/google-introduces-interest-based-advertising-beta-16855"&gt;entered the behavioral advertising&lt;/a&gt; market. On the same day, Google released its &lt;a href="http://www.google.com/ads/preferences/plugin/"&gt;Advertising Cookie Opt-out Plugin&lt;/a&gt; for Firefox and Internet Explorer. The browser plugin permanently saves the DoubleClick opt-out cookie, enabling users to retain their opt-out status even after clearing all cookies.&lt;br /&gt;&lt;br /&gt;Google's tool was a genuine innovation in privacy enhancing technologies. 
Furthermore, as the tool was released under an open source license, I was able to take the source code, expand it, and turn it into &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/targeted-advertising-cookie-op/"&gt;TACO&lt;/a&gt;, which opted consumers out of dozens of different ad networks.&lt;br /&gt;&lt;br /&gt;The &lt;a href="https://code.google.com/p/google-opt-out-plugin/source/detail?r=5"&gt;initial release&lt;/a&gt; of Google's plugin worked with Firefox 1.5 through 3.0.&lt;br /&gt;&lt;br /&gt;In June 2009, &lt;a href="https://www.mozilla.com/en-US/firefox/3.5/releasenotes/"&gt;Mozilla released&lt;/a&gt; Firefox 3.5. It took Google nearly two weeks to &lt;a href="https://code.google.com/p/google-opt-out-plugin/source/detail?r=6"&gt;release&lt;/a&gt; an update to its plugin that was compatible with the new version of the browser.&lt;br /&gt;&lt;br /&gt;One year later, Mozilla released Firefox 3.6 in January 2010. This time, it took more than a month for Google &lt;a href="https://code.google.com/p/google-opt-out-plugin/issues/detail?id=4#c5"&gt;to release&lt;/a&gt; an updated version of the add-on.&lt;br /&gt;&lt;br /&gt;Most recently, on March 22, 2011, Mozilla released Firefox 4.0. 
More than 5 weeks later, Google still has not released an updated version of its opt out add-on.&lt;br /&gt;&lt;br /&gt;Google can perhaps be forgiven for ignoring the users of its Firefox privacy add-on -- the company's attention seems to have shifted to its new plugin: &lt;a href="https://chrome.google.com/webstore/detail/hhnjdplhmcnkiecampfdgfjilccfpfoe"&gt;Keep My Opt Outs&lt;/a&gt;, which only supports the company's Chrome Browser (the tool was &lt;strike&gt;quickly rushed out&lt;/strike&gt; &lt;a href="http://blogs.wsj.com/digits/2011/01/24/google-announces-new-privacy-tool-for-chrome/"&gt;announced&lt;/a&gt; on the same day that &lt;a href="http://online.wsj.com/article/SB10001424052748704213404576100441609997236.html"&gt;Mozilla announced&lt;/a&gt; its support for Do Not Track).&lt;br /&gt;&lt;br /&gt;Similarly, in November 2009, the Network Advertising Initiative (an organization representing many of the major ad networks) &lt;a href="http://www.clickz.com/clickz/news/1699318/new-nai-opt-out-tool-protects-against-cookie-deletion"&gt;released&lt;/a&gt; its own Firefox plugin that makes opt out cookies permanent. NAI Executive Director Charles Curran &lt;a href="http://www.clickz.com/clickz/news/1699318/new-nai-opt-out-tool-protects-against-cookie-deletion"&gt;told&lt;/a&gt; one journalist that "this [tool] has been a recognition of criticism of opt-outs that are recorded in cookies. It's essentially designed to prevent the standard sweep of cookies that you get from a cookie cache dump...It's designed to work with the browser functionality." &lt;br /&gt;&lt;br /&gt;As with Google's plugin, although it has been more than 5 weeks since the release of Firefox 4.0, the NAI plugin still has &lt;a href="http://code.google.com/p/ahi/source/list"&gt;not been updated&lt;/a&gt; to support it. 
&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Why updates are important&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When a user upgrades to a new version of Firefox, the browser will check for available updates to all installed browser plugins. Any plugins that have not been updated to support the new browser release &lt;b&gt;will be disabled&lt;/b&gt;. This is obviously a pretty big problem, which is why Mozilla actively encourages developers to make sure that their add-ons support upcoming versions of the browser. For the 4.0 version of Firefox, which was released in March, Mozilla &lt;a href="https://blog.mozilla.com/addons/2010/11/11/making-add-on-compatible-firefox-4/"&gt;started harassing&lt;/a&gt; add-on developers as far back as November, 2010.&lt;br /&gt;&lt;br /&gt;As such, there are likely tens of thousands (if not more) of users of Firefox 4.0 whose Advertising Cookie Opt-out Plugin is currently disabled due to incompatibility. The moment these users clear their cookies (something many have configured to happen automatically when they restart their browser), they will lose their doubleclick.net behavioral advertising opt out cookie. Likewise, the thousands of Firefox 4.0 users who had previously installed the NAI opt out plugin have now lost the opt out cookie persistence that they were promised.&lt;br /&gt;&lt;br /&gt;These firms have created privacy enhancing technologies and then loudly advertised them to consumers and regulators. Unfortunately, now that the attention of regulators has shifted to Do Not Track, both Google and the NAI appear to have abandoned the users of their respective plugins. 
Neither firm has provided their users with sufficient notice to let them know the impact, or let them know what other options they have to continue to maintain their opt out choices.&lt;br /&gt;&lt;br /&gt;Perhaps the FTC will take notice?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5285395854948544215?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/05/industry-created-privacy-enhancing.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>3</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-2922670118797674766</guid><pubDate>Fri, 22 Apr 2011 08:30:00 +0000</pubDate><atom:updated>2011-04-22T05:10:15.562-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">ecpa</category><category domain="http://www.blogger.com/atom/ns#">location</category><category domain="http://www.blogger.com/atom/ns#">google</category><category domain="http://www.blogger.com/atom/ns#">apple</category><title>How can US law enforcement agencies access location data stored by Google and Apple?</title><description>&lt;b&gt;Note: I am not a lawyer. US privacy law is exceedingly complex. If I am wrong, I hope that someone who knows this better will chime in.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Over the past day, the iPhone location scandal has expanded beyond location data retained on the phone to data sent by iPhones and Android devices back to Apple and Google. This raises some really interesting issues, particularly regarding the degree to which these companies can be compelled to disclose that data to law enforcement agencies. 
In this blog post, I am going to try and examine the limited legal protections afforded to this data.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Introduction&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Today, the Wall Street Journal &lt;a href="http://online.wsj.com/article/SB10001424052748703983704576277101723453610.html"&gt;reported&lt;/a&gt; that Apple's iPhones and iPads and Google's Android mobile phones all collect and transmit back to the companies data about a device's nearby WiFi access points, geo-location data, and in Google's case, a unique identifier.&lt;br /&gt;&lt;br /&gt;According to the Journal, Android phones collect the data every few seconds and transmit it to the company at least several times an hour. Apple, meanwhile, "intermittently" collects data and transmits that data to itself every 12 hours.&lt;br /&gt;&lt;br /&gt;The motivation for this data collection appears to be in order to create a large database of WiFi access points and their associated location, which can then be used by mobile devices to determine the user's approximate location information (doing so via WiFi uses far less battery power than using the GPS chip).&lt;br /&gt;&lt;br /&gt;While such collection is likely entirely commercial in nature, this also raises serious privacy concerns regarding the ease with which law enforcement agencies can access this sensitive data.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A quick primer in location privacy law&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The primary law in the US that governs the privacy of information kept by Internet and communications companies is the Electronic Communications Privacy Act (ECPA). This law dates back to 1986, long before cloud computing, email inboxes larger than 5 megabytes, or GPS enabled smartphones. 
To be quite blunt, the law is hopelessly out of date, and it is for this reason that the House and Senate held multiple hearings over the last two years focused on ECPA reform.&lt;br /&gt;&lt;br /&gt;For user data to be protected by ECPA, it needs to fall into one of two categories:&lt;br /&gt;&lt;br /&gt;An "electronic communication service" ("ECS") is "any service which provides to users thereof the ability to send or receive wire or electronic communications." Examples of this include telephone and email services.&lt;br /&gt;&lt;br /&gt;A "remote computing service" ("RCS") is a "provision to the public of computer storage or processing services by means of an electronic communications system." Roughly speaking, a remote computing service is provided by an off-site computer that stores or processes data for a user. Examples of this likely include data stored in the cloud, such as online backup services.&lt;br /&gt;&lt;br /&gt;ECPA provides varying degrees of protection for communications content and non-content data stored by an ECS or RCS (without going too far into the details, communications content generally requires a warrant, and most non-content data can be obtained with a lesser court order). However, if the service is neither an ECS nor an RCS, law enforcement agencies can obtain the information with a mere subpoena, without getting a judge to sign off on the order.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Location data under ECPA&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Law enforcement agencies &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1806628"&gt;routinely obtain&lt;/a&gt; location data from wireless telephone companies. 
Depending on the kind of data sought (historical or real time, fine-grained or approximate tower data), the kind of court order varies between a probable cause warrant, or an order based upon facts showing that the information will be relevant and material to an ongoing investigation.&lt;br /&gt;&lt;br /&gt;It is important to note that the wireless carriers are providing their customers with a communications service, and that the location data is usually generated in the process of the users' phone transmitting voice or other data to a tower. While most consumers probably do not realize that the phone companies know where they are whenever they make a call or check their email, consumers are at least knowingly making a call or checking their email. As such, the location data obtained by the government quite clearly falls into the ECS category under ECPA.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Internet companies, location data and ECPA&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In 2009, Google launched Latitude, its mobile location check-in competitor to Loopt and Foursquare. 
Shortly after the launch, the EFF reported that both Loopt and Google had pledged to require that user location data would only be delivered to law enforcement agencies in response to a warrant.&lt;br /&gt;&lt;br /&gt;As EFF &lt;a href="https://www.eff.org/deeplinks/2009/03/exclusive-google-takes-stand-location-privacy-alon"&gt;explained at the time&lt;/a&gt;:&lt;blockquote&gt;When it comes to friend-finding services, we think it’s clear that your location information is the content of a private communication between you and your friends, and that it deserves the same legal protections against wiretapping as the content of your phone calls or your emails.&lt;/blockquote&gt;&lt;br /&gt;Because the text of ECPA doesn't actually include the word "location", Loopt and Google tried to get the best protections they could for users' check-in data by arguing that it is in fact a communication transmitted through their service to users' friends. That is, these firms argued that check-in location data is an ECS.&lt;br /&gt;&lt;br /&gt;(Note to legal experts: I am simplifying this a little bit, since these companies actually insisted on a wiretap order.  The companies don't keep any historical location data by default, other than the most recent data-point, so they insisted on an intercept order before they would start retaining future location data).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;iPhone/Android location data: ECS, RCS or neither?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Now, with this in mind, let's consider the location data transmitted covertly by iPhones and Android devices. 
Given that the existence of this information collection and transmission wasn't widely disclosed to users (other than in privacy policies that no one reads), that it didn't hit the press until this week, and that users are not knowingly transmitting the information to their friends or anyone else, I think it is going to be pretty tough for these two firms to be able to claim that this location data falls into the ECS protections of ECPA. This location data is simply not a communication by the user.&lt;br /&gt;&lt;br /&gt;Similarly, I don't think that these companies can reasonably claim that this location data falls into the category of an RCS, since it isn't a storage or processing service provided to the user. Quite simply, the companies are collecting this data for their &lt;i&gt;own&lt;/i&gt; benefit, not the user's, who probably has no idea that it is being collected and transmitted to a server somewhere.&lt;br /&gt;&lt;br /&gt;What this means, I think, is that this location data likely does not fall under the protections of ECPA, which means that law enforcement agencies can likely obtain it with just a subpoena.&lt;br /&gt;&lt;br /&gt;Now, it is quite possible that if and when these firms receive a request for this data, they could refuse to comply with the subpoena, and argue that it should be subject to the protections of the 4th Amendment. Certainly, some judges around the country have decided that mobile phone location data is sensitive enough to require a probable cause warrant issued by a judge. However, many other judges do not agree with that theory. Without the protections of ECPA, if the courts do not think this data deserves 4th amendment protections, there is nothing to stop law enforcement agencies from getting it with a subpoena.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;What should be clear after reading this post is that privacy law in this country is hopelessly out of date. 
The collection of location information by Apple and Google raises some really troubling questions regarding the degree to which existing law restricts law enforcement access to the data when it is not associated with a communication by the user, but rather is collected without their knowledge or consent.&lt;br /&gt;&lt;br /&gt;As I noted at the beginning of this post, I am not a legal expert (but a computer scientist by training). There are several fantastic privacy law experts out there, and I really hope that they look into this issue, and write their own, far more extensive analysis.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2922670118797674766?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/04/how-can-us-law-enforcement-agencies.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>4</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-6554341800567311269</guid><pubDate>Tue, 12 Apr 2011 17:00:00 +0000</pubDate><atom:updated>2011-04-13T01:39:51.031-04:00</atom:updated><title>How Dropbox sacrifices user privacy for cost savings</title><description>&lt;b&gt;Note: This flaw is different from the authentication flaw in Dropbox that Derek Newton &lt;a href="http://dereknewton.com/2011/04/dropbox-authentication-static-host-ids/"&gt;recently published&lt;/a&gt;.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Summary&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dropbox.com"&gt;Dropbox&lt;/a&gt;, the popular cloud-based backup service, &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Data_deduplication"&gt;deduplicates&lt;/a&gt; the files that its users have stored online.
This means that if two different users store the same file in their respective accounts, Dropbox will only actually store a single copy of the file on its servers.&lt;br /&gt;&lt;br /&gt;The service &lt;a href="https://www.dropbox.com/help/27"&gt;tells users&lt;/a&gt; that it "uses the same secure methods as banks and the military to send and store your data" and that "[a]ll files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password." However, the company does in fact have access to the unencrypted data, or at the very least to the encryption keys and to a content hash of every file (if it didn't, it wouldn't be able to detect duplicate data across different accounts).&lt;br /&gt;&lt;br /&gt;This bandwidth and disk storage design tweak creates an easily observable &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Side_channel_attack"&gt;side channel&lt;/a&gt; through which a single bit of information (whether a given file is already stored by one or more users) leaks to anyone who can measure their own upload traffic.&lt;br /&gt;&lt;br /&gt;If you value your privacy or are worried about what might happen if Dropbox were compelled by a court order to disclose which of its users have stored a particular file, you should encrypt your data yourself with a tool like &lt;a href="http://www.truecrypt.org/"&gt;TrueCrypt&lt;/a&gt; or switch to one of &lt;a href="http://www.tarsnap.com/"&gt;several&lt;/a&gt; cloud-based &lt;a href="https://spideroak.com/"&gt;backup services&lt;/a&gt; that encrypt data with a key known only to the user.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Introduction&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;For those of you who haven't heard of it, Dropbox is a popular cloud-based backup service that automatically synchronizes user data. It is really easy to use and the company even offers users 2GB of storage for free, with the option to pay for more space.&lt;br /&gt;&lt;br /&gt;The problem is, offering free storage space to users can be quite expensive, at least once you gain millions of users.
In what I suspect was a price-motivated design decision, Dropbox deduplicates the data uploaded by its users. What this means is that if two users back up the same file, Dropbox only stores a single copy of it. The file still appears in both users' accounts, but the company doesn't consume storage space or upload bandwidth on a second copy of the file.&lt;br /&gt;&lt;br /&gt;The company's CTO &lt;a href="http://forums.dropbox.com/topic.php?id=13313#post-83928"&gt;described the deduplication&lt;/a&gt; in a note posted in the "Bugs &amp; Troubleshooting" section on the company's web forum last year:&lt;blockquote&gt;Woah! How did that 750MB file upload so quickly?&lt;br /&gt;&lt;br /&gt;Dropbox tries to be very smart about minimizing the amount of bandwidth used. If we detect that a file you're trying to upload has already been uploaded to Dropbox, we don't make you upload it again. Similarly, if you make a change to a file that's already on Dropbox, you'll only have to upload the pieces of the file that changed.&lt;br /&gt;&lt;br /&gt;This works across all data on Dropbox, not just your own account. &lt;b&gt;There are no security implications&lt;/b&gt; [emphasis added] - your data is still kept logically separated and not affected by changes that other users make to their data.&lt;/blockquote&gt;&lt;a href="http://www.ashkansoltani.org/"&gt;Ashkan Soltani&lt;/a&gt; was able to verify the deduplication for himself a couple of weeks ago. It took just a few minutes with a packet sniffer.
A new, randomly generated 6.8MB file uploaded to Dropbox led to 7.4MB of network traffic, while a 6.4MB file that had previously been uploaded to a different Dropbox account led to just 16KB of network traffic.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Claims of security and privacy&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;There are &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1421553"&gt;long-standing&lt;/a&gt; privacy and security concerns with storing data in the cloud, and so Dropbox has a &lt;a href="https://www.dropbox.com/help/27"&gt;helpful page&lt;/a&gt; on their website which attempts to address these:&lt;blockquote&gt;Your files are actually safer while stored in your Dropbox than on your computer in some cases. We use the same secure methods as banks and the military to send and store your data.&lt;br /&gt;&lt;br /&gt;Dropbox takes the security of your files and of our software very seriously. We use the best tools and engineering practices available to build our software, and we have smart people making sure that Dropbox remains secure. Your files are backed-up, stored securely, and password-protected.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;Dropbox uses modern encryption methods to both transfer and store your data...&lt;br /&gt;&lt;br /&gt;All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password&lt;/blockquote&gt;&lt;br /&gt;Reading through this document, it would be easy for anyone but a crypto expert to get the false impression that Dropbox does in fact protect the security and privacy of users' data.
Many users and even the &lt;a href="http://www.pcworld.com/businesscenter/article/221104/protect_your_online_privacy_without_reading_all_the_fine_print.html"&gt;technology press&lt;/a&gt; will not realize that AES-256 offers no protection at all against whoever holds the key: encryption that the provider can reverse at will protects the data from a stolen disk, not from the provider, its employees, or anyone who can compel it.&lt;br /&gt;&lt;br /&gt;What is missing from the firm's website is a statement regarding &lt;b&gt;how&lt;/b&gt; the company is using encryption, and in particular, what kinds of keys are used and who has access to them.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Encryption and deduplication&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Encryption and deduplication are two technologies that generally don't mix well. If the encryption is done correctly, it should not be possible to detect what files a user has stored (or even if they have stored the same file as someone else), and so deduplication will not be possible. (The one way to have both, deriving each file's key from the file's own contents so that identical plaintexts encrypt to identical ciphertexts, brings the same leak straight back: anyone who can guess a file can still test whether someone else has stored it.)&lt;br /&gt;&lt;br /&gt;Dropbox is likely calculating &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/Hash_function"&gt;hashes&lt;/a&gt; of users' files before they are transmitted to the company's servers. While it is not clear if the company is using a single encryption key for all of the files users have stored with the service, or multiple encryption keys, it doesn't really matter (from a privacy and security standpoint), because Dropbox knows the keys. If the company didn't have access to the encryption keys, it wouldn't be able to detect duplicate files.&lt;br /&gt;&lt;br /&gt;While the decision to deduplicate data has probably saved the company quite a bit of storage space and bandwidth, it has significant flaws which are particularly troubling given the statements made by the company on its security and privacy page.&lt;br /&gt;&lt;br /&gt;Cloud backup providers do not need to design their products this way.
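&lt;br /&gt;&lt;br /&gt;To make the hash-then-upload behaviour and its side effect concrete, here is an added example; it is a toy model written for this edit, not code from this post or from Dropbox. It assumes a client that sends a SHA-256 digest first and uploads the file only if the server does not already hold that digest; the byte counts, the server API, the user names and the toy stream cipher are all constructed for illustration. The same probe is run in three client modes: hashing the plaintext as described above, "convergent" encryption where the key is derived from the file itself, and encryption under a key held only by the user with a fresh nonce per upload. In the first two, a second account can confirm that a file is already stored merely by counting the bytes it sent; in the third it cannot, at the cost of the server holding one copy per user.

```python
"""Toy model of cross-user deduplication and the bandwidth side channel it creates.

Added example, not Dropbox's code. The hash-then-upload protocol, the byte counts,
the server API and the toy cipher are constructed assumptions; the only behaviour
taken from the post is that a server that already holds a file skips the upload.
"""
import hashlib
import operator
import secrets

HASH_LEN = 64     # hex SHA-256 digest sent as the "do you already have this?" probe
NONCE_LEN = 16
BLOCK = 32        # bytes of keystream per SHA-256 call in the toy cipher


class DedupServer:
    """Stores every distinct blob once and remembers which users claimed it
    (the mapping a court order could compel the provider to disclose)."""

    def __init__(self):
        self.blobs = {}    # maps hex digest of the received blob to its bytes
        self.owners = {}   # maps hex digest to the set of user names holding it

    def has(self, digest):
        return digest in self.blobs

    def store(self, user, digest, blob):
        self.blobs[digest] = blob
        self.owners[digest] = {user}

    def claim(self, user, digest):
        self.owners[digest].add(user)


def keystream_xor(key, nonce, data):
    """Toy XOR stream cipher with keystream SHA-256(key || nonce || counter).
    Illustration only: a real client would use AES-GCM or similar."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


class Client:
    """mode 'plaintext':    upload as-is; any server-side encryption happens
                            after hashing, so the digest is of the plaintext
       mode 'convergent':   encrypt with key = SHA-256(plaintext) and no nonce,
                            so identical files still yield identical blobs
       mode 'per_user_key': encrypt with a key only this user holds and a
                            fresh random nonce, so no two uploads ever match"""

    def __init__(self, name, server, mode):
        self.name, self.server, self.mode = name, server, mode
        self.key = secrets.token_bytes(32)   # never leaves this client

    def _blob(self, data):
        if self.mode == "plaintext":
            return data
        if self.mode == "convergent":
            return keystream_xor(hashlib.sha256(data).digest(), bytes(NONCE_LEN), data)
        if self.mode == "per_user_key":
            nonce = secrets.token_bytes(NONCE_LEN)
            return nonce + keystream_xor(self.key, nonce, data)
        raise ValueError(self.mode)

    def upload(self, data):
        """Run the hash-then-upload protocol and return the bytes sent on the wire."""
        blob = self._blob(data)
        digest = hashlib.sha256(blob).hexdigest()
        sent = HASH_LEN
        if self.server.has(digest):
            self.server.claim(self.name, digest)   # upload skipped: the observable event
        else:
            self.server.store(self.name, digest, blob)
            sent += len(blob)
        return sent


def already_stored(client, data):
    """The probe from the post: upload the file and compare bytes sent with its size.
    Only meaningful for files larger than HASH_LEN bytes."""
    return operator.lt(client.upload(data), len(data))


def run_scenario(mode, size=100_000):
    """Alice backs up a file; Mallory, a different account, probes for it."""
    server = DedupServer()
    alice = Client("alice", server, mode)
    mallory = Client("mallory", server, mode)
    contraband = secrets.token_bytes(size)   # constructed sample file
    unrelated = secrets.token_bytes(size)    # control: nobody has uploaded this
    alice.upload(contraband)
    detected = already_stored(mallory, contraband)
    copies = len(server.blobs)               # 1 if Mallory's probe was deduplicated
    linked = None
    if mode == "plaintext":                  # the server can name every holder
        linked = sorted(server.owners[hashlib.sha256(contraband).hexdigest()])
    return {
        "contraband_detected": detected,
        "copies_of_contraband": copies,
        "unrelated_detected": already_stored(mallory, unrelated),
        "accounts_linked_to_contraband": linked,
    }


if __name__ == "__main__":
    for mode in ("plaintext", "convergent", "per_user_key"):
        print(mode, run_scenario(mode))
```

Run as a script, the plaintext and convergent scenarios report the contraband as detected with a single stored copy (and, in plaintext mode, both account names attached to it), while the per-user-key scenario reports it undetected with two copies. The probe only works on files larger than the digest exchange itself, which is why a 16KB versus 7.4MB measurement is so unambiguous.&lt;br /&gt;&lt;br /&gt;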
&lt;a href="https://spideroak.com/"&gt;Spideroak&lt;/a&gt; and &lt;a href="http://www.tarsnap.com/"&gt;Tarsnap&lt;/a&gt; are two competing services that encrypt their users' data with a key only known to that user. These companies have opted to put their users' privacy first, but the side effect is that they require more back-end storage space. If 20 users upload the same file, both companies upload and store 20 copies of that file (and in fact, they have no way of knowing if a user is uploading something that another user has backed up).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Why is this a problem?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As Ashkan Soltani was able to test in just a few minutes, it is possible to determine if any given file is already stored by one or more Dropbox users, simply by observing the amount of data transferred between your own computer and Dropbox's servers. If the file isn't already stored by Dropbox, the entire file will be uploaded. If Dropbox has the file already, just a few kb of communication will occur.&lt;br /&gt;&lt;br /&gt;While this doesn't tell you which other users have uploaded this file, presumably Dropbox can figure it out. I doubt they'd do it if asked by a random user, but when presented with a court order, they could be forced to.&lt;br /&gt;&lt;br /&gt;What this means, is that from the comfort of their desks, law enforcement agencies or copyright trolls can upload contraband files to Dropbox, watch the amount of bandwidth consumed, and then obtain a court order if the amount of data transferred is smaller than the size of the file.&lt;br /&gt;&lt;br /&gt;Last year, the New York Attorney General &lt;a href="http://www.ag.ny.gov/media_center/2010/june/june21a_10.html"&gt;announced that&lt;/a&gt; Facebook, MySpace and IsoHunt had agreed to start comparing every image uploaded by a user to an AG supplied database of more than 8000 hashes of child pornography. 
It is easy to imagine a similar database of hashes for pirated movies and songs, ebooks stripped of DRM, or &lt;a href="https://secure.wikimedia.org/wikipedia/en/wiki/WikiLeaks"&gt;leaked US government diplomatic cables&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Responsible Disclosure&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On April 1, 2011, Marcia Hofmann at the &lt;a href="http://www.eff.org"&gt;Electronic Frontier Foundation&lt;/a&gt; contacted Dropbox to let them know about the flaw, and that a researcher would be publishing the information on April 12th. There are plenty of horror stories of security researchers getting threatened by companies, and so I hoped that by keeping my identity a secret, and having an EFF attorney notify the company about the flaw, I would reduce my risk of trouble.&lt;br /&gt;&lt;br /&gt;At 6:15 PM west coast time on April 11th, &lt;a href="http://www.fenwick.com/attorneys/4.2.1.asp?aid=894"&gt;an attorney&lt;/a&gt; from Fenwick &amp; West retained by Dropbox left Marcia a voicemail message, in which he revealed that: "the company is updating their privacy policy and security overview that is on the website to add further detail."&lt;br /&gt;&lt;br /&gt;Marcia spoke with the company's attorney this morning, and was told that the company will be updating its privacy policy and security overview to clarify that if Dropbox receives a warrant, it has the ability to remove its own encryption to provide data to law enforcement.&lt;br /&gt;&lt;br /&gt;While I want to praise the company for being willing to clarify the security statements made on its website, I hope this will be a first step on this issue, and not the last.&lt;br /&gt;&lt;br /&gt;It is unlikely that the millions of existing Dropbox users will stumble across the new privacy policy in their regular web browsing.
As such, the company should send out an email to its users to let them know about this flaw, and advise them of the steps they can take if they are concerned about the privacy of their data.&lt;br /&gt;&lt;br /&gt;I also urge the company to abandon its deduplication system design, and embrace strong encryption with a key only known to each user. Other online backup services have done it for some time. This is the only real way that data can be secure in the cloud.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-6554341800567311269?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/04/how-dropbox-sacrifices-user-privacy-for.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>91</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-145571092155930883</guid><pubDate>Wed, 23 Mar 2011 11:59:00 +0000</pubDate><atom:updated>2011-03-23T08:21:55.771-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">FOIA</category><category domain="http://www.blogger.com/atom/ns#">sprint</category><title>DEA rejects FOIA for 38 pages of docs related to Sprint's digital surveilance API</title><description>As some of my regular readers know, in October 2009, I attended an invitation-only surveillance industry conference in Washington DC. It was at that event where I recorded an executive from Sprint bragging about the &lt;a href="http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html"&gt;8 million GPS queries&lt;/a&gt; his company delivered via a special website to law enforcement agencies in a 13 month period.&lt;br /&gt;&lt;br /&gt;At that same event, Paul W. 
Taylor, the manager of Sprint/Nextel’s Electronic Surveillance team revealed that the wireless carrier also provides a next-generation surveillance API to law enforcement agencies, allowing them to automate and digitally submit their requests for user data:&lt;blockquote&gt;"We have actually our LSite [Application Programming Interface (API)] is, there is no agreement that you have to sign. We give it to every single law enforcement manufacturer, the vendors, the law enforcement collection system vendors, we also give it to our CALEA vendors, and we've given it to the FBI, we've given it to NYPD, to the Drug Enforcement Agency. We have a pilot program with them, where they have a subpoena generation system in-house where their agents actually sit down and enter case data, it gets approved by the head guy at the office, and then from there, it gets electronically sent to Sprint, and we get it ... So, the DEA is using this, they're sending a lot and the turn-around time is 12-24 hours. So we see a lot of uses there."&lt;/blockquote&gt;My PhD research is focused on the relationship between communications and applications service providers and the government, and the way that these companies voluntarily facilitate (or occasionally, resist) surveillance of their customers. 
As such, this sounded pretty interesting, and so on December 3, 2009, I filed a FOIA request with the DEA to get documents associated with the Sprint LSite API and the DEA's use of the system.&lt;br /&gt;&lt;br /&gt;On March 8, 2011, I received &lt;a href="http://files.spyingstats.com/lsite/sprint-lsite-dea-rejection.pdf"&gt;a letter&lt;/a&gt; (pdf) from the DEA, telling me that although they found 38 pages of relevant material, they are withholding every single page.&lt;br /&gt;&lt;br /&gt;I will of course be appealing this rejection, either by myself, or with any luck, someone experienced with FOIA appeals and litigation will contact me and offer to help.&lt;br /&gt;&lt;br /&gt;It is bad enough that Sprint is bending over backwards to assist the government in its surveillance of Sprint customers, but what is even worse, is that the DEA is refusing to allow the public to learn anything about this program. If, as Mr Taylor suggested, there is a computer in every DEA office connected directly to Sprint's computer systems, the public has a right to know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-145571092155930883?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/03/dea-rejects-foia-for-38-pages-of-docs.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-4241023304196636434</guid><pubDate>Mon, 21 Mar 2011 15:25:00 +0000</pubDate><atom:updated>2011-03-21T11:28:14.431-04:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">t-mobile</category><category domain="http://www.blogger.com/atom/ns#">ATT</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><title>The negative impact of AT&amp;T's purchase of T-Mobile on the market for privacy</title><description>Yesterday, AT&amp;T 
announced that it will be purchasing T-Mobile, the fourth-largest wireless carrier in the US. While there are many who have raised antitrust concerns about this deal due to the impact it will have on the price of wireless services and mobile device/application choice, I want to raise a slightly different concern: the impact this will have on privacy.&lt;br /&gt;&lt;br /&gt;While it is little known to most consumers, T-Mobile is actually the most privacy-preserving of the major wireless carriers. As I &lt;a href="http://paranoia.dubfire.net/2011/01/dojs-push-for-data-retention-competing.html"&gt;described in a blog post&lt;/a&gt; earlier this year, T-Mobile does not have or keep IP address logs for its mobile users. What this means is that if the FBI, police or a civil litigant wish to later learn which user was using a particular IP address at a given date and time, T-Mobile is unable to provide the information.&lt;br /&gt;&lt;br /&gt;In comparison, Verizon, AT&amp;T and Sprint all keep logs regarding the IP addresses they issue to their customers, and in some cases, even the individual URLs of the pages viewed from handsets.&lt;br /&gt;&lt;br /&gt;While privacy advocates &lt;a href="https://www.eff.org/wp/osp"&gt;encourage companies&lt;/a&gt; to retain as little data about their customers as possible, the Department of Justice wants them to retain identifying IP data for long periods of time. So much so that T-Mobile was &lt;a href="http://paranoia.dubfire.net/2011/01/dojs-push-for-data-retention-competing.html"&gt;called out&lt;/a&gt; (albeit not by name) by a senior DOJ official at a data retention hearing at the House Judiciary Committee back in January:&lt;blockquote&gt;"One mid-size cell phone company does not retain any records, and others are moving in that direction."&lt;/blockquote&gt;If and when the Federal government approves this deal, T-Mobile's customers and infrastructure will likely be folded into the AT&amp;T mothership.
As a result, T-Mobile's customers will lose their privacy-preserving ISP, and instead have their online activities tracked by AT&amp;T.&lt;br /&gt;&lt;br /&gt;After this deal goes through, there will be three major wireless carriers, all of whom have solid track records of being hostile to privacy:&lt;blockquote&gt;AT&amp;T, a company that voluntarily participated in the Bush-era warrantless wiretapping program in which it illegally disclosed its customers' communications to the National Security Agency. &lt;br /&gt;&lt;br /&gt;Verizon, a company that similarly voluntarily participated in the warrantless wiretapping program, and then, when sued by the Electronic Frontier Foundation, argued in court that it had a &lt;a href="http://consumerist.com/2007/05/verizon-claims-disclosing-customer-records-to-the-nsa-is-free-speech.html"&gt;free speech right&lt;/a&gt; protected by the 1st Amendment to disclose that data to the NSA.&lt;br /&gt;&lt;br /&gt;Sprint, a company that established a website so that law enforcement agencies would no longer have to go through the trouble of seeking the assistance of Sprint employees in order to locate individual Sprint customers. This website was then used to ping Sprint users &lt;a href="http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html"&gt;more than 8 million times&lt;/a&gt; in a 13-month period.&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;The market for privacy&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Today, privacy is largely a risk-mitigation issue for firms. Chief Privacy Officers are tasked with protecting against data breaches, and class action lawsuits related to the third-party cookies that litter companies' homepages. The privacy organizations within companies do not bring in new customers, or improve the bottom line, but protect the firm from regulators and class action lawyers.&lt;br /&gt;&lt;br /&gt;Recently, there have been signs that this may be changing.
Microsoft and Mozilla are now visibly competing on privacy features such as "Do Not Track" built into their web browsers. Several venture capital firms have invested cash into firms like Reputation.com and Abine, which sell privacy-enhancing products to consumers.&lt;br /&gt;&lt;br /&gt;To be clear, the market for privacy is in its infancy. As such, the government should be doing everything possible to nurture and encourage such growth. It is for that reason that the FTC should not permit the one and only privacy-protecting major wireless carrier to be swallowed up by AT&amp;T, a company that has repeatedly violated the privacy of its customers. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;The FTC should lead the government's investigation into this deal, and should reject it on privacy grounds&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When the FTC approved Google's merger with DoubleClick in 2007, then-Commissioner Pamela Jones Harbour raised the issue of privacy &lt;a href="http://www.ftc.gov/os/caselist/0710170/071220harbour.pdf"&gt;in her dissent&lt;/a&gt; (pages 9-12). As I think history now confirms, the FTC erred in ignoring Commissioner Harbour and not considering the issue of privacy in the Google deal. However, many of her comments similarly apply to the AT&amp;T/T-Mobile deal.&lt;br /&gt;&lt;br /&gt;While the FTC cannot turn back the clock on Google/DoubleClick, it can and should protect the privacy of the millions of T-Mobile subscribers. The FTC should block this merger. However, even if the deal is permitted to go through, the FTC should at least extract strict privacy guarantees from AT&amp;T that include a policy of not retaining IP address allocation or other Internet browsing logs.&lt;br /&gt;&lt;br /&gt;If the FTC, Commerce Department and Congress want the market to provide privacy to consumers, then they need to make sure that consumers have options in this area. Without options, informed consumers cannot vote with their wallets.
Companies that choose to go the extra mile to protect privacy should be rewarded for doing so, and not, when the market for privacy is so young, be swallowed up by those that steamroll over their customers' desire to keep their data safe.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-4241023304196636434?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/03/negative-impact-of-at-purchase-of-t.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-3972236429341986179</guid><pubDate>Sat, 12 Mar 2011 01:13:00 +0000</pubDate><atom:updated>2011-03-11T20:20:27.106-05:00</atom:updated><title>Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies</title><description>Earlier this afternoon, a federal magistrate judge issued an order in the much-hyped Twitter/Wikileaks case. While I will leave it to &lt;a href="http://arstechnica.com/tech-policy/news/2011/03/judge-denies-request-to-throw-out-order-seeking-wikileaks-twitter-records.ars"&gt;others in the media&lt;/a&gt; to analyze the order and its impact, I do want to focus on one specific issue.&lt;br /&gt;&lt;br /&gt;The three individuals who objected to having their Twitter account records obtained by the government (referred to in the order as the petitioners) raised an interesting 4th amendment claim regarding their IP address information. 
Building on recent developments in the area of location privacy (where the &lt;a href="https://www.eff.org/deeplinks/2010/09/breaking-news-eff-location-privacy-win-courts-may"&gt;3rd Circuit ruled&lt;/a&gt; that consumers do not knowingly transmit their location information to phone companies, because they generally don't understand the technical details of how phones work), the individuals here claimed that they didn't realize that they were conveying their IP addresses to Twitter, and thus maintained a privacy interest in this information.&lt;br /&gt;&lt;br /&gt;The judge didn't buy this argument at all -- but rather than focusing on the fact that two of the individuals are skilled security experts who obviously understand how IP addresses work, she instead based her decision on Twitter's privacy policy. From page 13 of &lt;a href="http://www.wired.com/images_blogs/threatlevel/2011/03/Twitter-WikiLeaks-Opinion.pdf"&gt;her order&lt;/a&gt;:&lt;blockquote&gt;In an attempt to distinguish the reasoning of &lt;i&gt;Smith v. Maryland&lt;/i&gt; and &lt;i&gt;Bynum&lt;/i&gt;, petitioners contend that Twitter users do not directly, visibly, or knowingly convey their IP addresses to the website, and thus maintain a legitimate privacy interest. This is inaccurate. Before creating a Twitter account, readers are notified that IP addresses are among the kinds of "Log Data" that Twitter collects, transfers and manipulates. See &lt;i&gt;Warshak,&lt;/i&gt; 2010 (recognizing that internet service provider's notice of intent to monitor subscribers' emails diminishes expectation of privacy).
Thus, because petitioners voluntarily conveyed their IP addresses to Twitter as a condition of use, they have no legitimate Fourth Amendment privacy interest.&lt;/blockquote&gt;A footnote below the paragraph states further that:&lt;blockquote&gt;At the hearing, petitioners suggested that they did not read or understand Twitter's Privacy Policy, such that any conveyance of IP addresses to Twitter was involuntary. This is unpersuasive. Internet users are bound by the terms of click-through agreements made online. &lt;i&gt;A.V.&lt;/i&gt; &lt;i&gt;ex rel. Vanderhye v. iParadigms, LLC,&lt;/i&gt; 544 F.Supp.2d 473,480 (E.D. Va. 2008) (finding a valid "clickwrap" contract where users clicked "I Agree" to acknowledge their acceptance of the terms) (&lt;i&gt;aff'd A.V. ex rel v. iParadigms, LLC,&lt;/i&gt; F.3d 630,645 n.8 (4th Cir. 2009). By clicking on "create my account", petitioners consented to Twitter's terms of use in a binding "clickwrap" agreement to turn over to Twitter their IP addresses and more.&lt;/blockquote&gt;&lt;b&gt;Twitter's privacy policy&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The facts here are quite a bit different from the Vanderhye v. iParadigms case that the judge cites. I will leave it to legal scholars to pick apart and analyze those differences.
Instead, I want to highlight the Twitter sign up process, and then a few other facts which make it clear that it is absolutely insane to assume that consumers have read privacy policies, when all available evidence (and statements by several senior government officials) suggests the opposite.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-MXCHqkPo0QE/TXrBhzjvxgI/AAAAAAAAAAM/RGB0vI9psDI/s1600/twitter-sign-up.PNG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 293px;" src="http://3.bp.blogspot.com/-MXCHqkPo0QE/TXrBhzjvxgI/AAAAAAAAAAM/RGB0vI9psDI/s400/twitter-sign-up.PNG" border="0" alt=""id="BLOGGER_PHOTO_ID_5582987474599134722" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When you sign up for a Twitter account, you are shown a copy of the 200-line &lt;a href="https://twitter.com/tos"&gt;Terms of Service&lt;/a&gt;, in a text-box which displays 5 lines of text at a time. Users are not required to scroll to the bottom, or click a checkbox acknowledging that they have read the terms. Instead, right above the clickable "Create My Account" button, there is the following line of text:&lt;blockquote&gt;By clicking on "Create my account" below, you are agreeing to the Terms of Service above and the Privacy Policy.&lt;/blockquote&gt;The Twitter terms of service do not actually include any mention of IP addresses. Instead, it is Twitter's &lt;a href="https://twitter.com/privacy"&gt;privacy policy&lt;/a&gt; that includes the following section of text in its sixth paragraph:&lt;blockquote&gt;Log Data: Our servers automatically record information ("Log Data") created by your use of the Services. Log Data may include information such as your IP address, browser type, the referring domain, pages visited, and search terms. 
Other actions, such as interactions with advertisements, may also be included in Log Data.&lt;/blockquote&gt;Although the judge states in her order that "[b]efore creating a Twitter account, readers are notified that IP addresses are among the kinds of 'Log Data' that Twitter collects, transfers and manipulates," that isn't entirely true.&lt;br /&gt;&lt;br /&gt;It would be far more accurate to say that before creating a Twitter account, users are presented a link to a privacy policy, which includes a statement six paragraphs down about IP address collection. Users are further told that by clicking on a button to create the account, that they acknowledge that they read the linked privacy policy, although Twitter does not actually take any steps to make sure that users clicked on the link or scrolled through the content on that page.&lt;br /&gt;&lt;br /&gt;Of course, it wouldn't really matter if Twitter forced people to click on the privacy policy, or scroll through the page, because everyone knows that consumers won't actually read through the text.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The FTC and Supreme Court discuss privacy policies&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In &lt;a href="http://www.ftc.gov/speeches/leibowitz/091207privacyremarks.pdf"&gt;introductory remarks&lt;/a&gt; at a privacy roundtable in December 2009, Federal Trade Commission Chairman Leibowitz told those assembled in the room that:&lt;br /&gt;&lt;blockquote&gt;We all agree that consumers don’t read privacy policies – or EULAs, for that matter.&lt;/blockquote&gt;Similarly, in a August 2009 &lt;a href="http://mediadecoder.blogs.nytimes.com/2009/08/05/an-interview-with-david-vladeck-of-the-ftc/"&gt;interview&lt;/a&gt;, David Vladeck, the head of the FTC's Bureau of Consumer Protection told the New York Times that:&lt;br /&gt;&lt;blockquote&gt;Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. 
I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. &lt;b&gt;And I don’t believe that most consumers either read them, or, if they read them, really understand it&lt;/b&gt;. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act.&lt;/blockquote&gt;Even the Chief Justice of the US Supreme Court has weighed in on the issue, albeit only in a speech before students in Buffalo, NY last year. Answering a student question, Roberts admitted he doesn’t usually read the terms of service or privacy policies, &lt;a href="http://www.abajournal.com/weekly/article/chief_justice_roberts_admits_he_doesnt_read_the_computer_fine_print?utm_source=maestro&amp;utm_medium=email&amp;utm_campaign=weekly_email"&gt;according to&lt;/a&gt; the Associated Press:&lt;blockquote&gt;It has "the smallest type you can imagine and you unfold it like a map," he said. "It is a problem," he added, "because the legal system obviously is to blame for that." Providing too much information defeats the purpose of disclosure, since no one reads it, he said.
"What the answer is," he said, "I don’t know."&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;Academic research on privacy policies&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Among 222 study participants of the 2007 Golden Bear Omnibus Survey, the Samuelson Clinic &lt;a href="http://www.ntia.doc.gov/comments/100402174-0175-01/attachments/FTC_and_privacy.pdf"&gt;found that&lt;/a&gt; only 1.4% reported reading EULAs often and thoroughly, 66.2% admit to rarely reading or browsing the contents of EULAs, and 7.7% indicated that they have not noticed these agreements in the past or have never read them.&lt;br /&gt;&lt;br /&gt;Similarly, a &lt;a href="http://www.ftc.gov/bcp/workshops/glb/supporting/harris%20results.pdf"&gt;survey&lt;/a&gt; of more than 2000 people by Harris Interactive in 2001 found that more than 60 percent of consumers said they had either "spent little or no time looking at websites' privacy policies" or "glanced through websites' privacy policies, but . . . rarely read them in depth." Of those individuals surveyed, only 3 percent said that "most of the time, I carefully read the privacy policies of the websites I visit."&lt;br /&gt;&lt;br /&gt;However, while the vast majority of consumers don't read privacy policies, some do seem to notice the presence of a privacy policy on a company's website. Unfortunately, most Americans incorrectly believe that the phrase privacy policy signifies that their information will be kept private. A &lt;a href="http://groups.ischool.berkeley.edu/samuelsonclinic/files/annenberg_samuelson_advertising.pdf"&gt;2003 survey&lt;/a&gt; by Annenberg found that 57% of 1,200 adults who were using the internet at home agreed or agreed strongly with the statement "When a web site has a privacy policy, I know that the site will not share my information with other websites or companies." In the 2005 survey, questioners asked 1,200 people whether that same statement is true or false. 
59% answered that it is true.&lt;br /&gt;&lt;br /&gt;Even if consumers were interested in reading privacy policies, doing so would likely consume a significant amount of their time. A research team at Carnegie Mellon University calculated the time needed to read the privacy policies of the sites used by the average consumer, and &lt;a href="http://lorrie.cranor.org/pubs/readingPolicyCost-authorDraft.pdf"&gt;determined that&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;[R]eading privacy policies carry costs in time of approximately 201 hours a year, worth about $2,949 annually per American Internet user. Nationally, if Americans were to read online privacy policies word–for–word, we estimate the value of time lost as about $652 billion annually.&lt;/blockquote&gt;Finally, even if consumers took the time to try to read privacy policies, it is quite likely that many would not be capable of understanding them. In 2004, a team of researchers analyzed the content of 64 popular websites' privacy policies, and calculated the reading comprehension skills that a reader would need to understand them. &lt;a href="http://lib.zstu.edu.cn/res_base/lib_com_www/upload/article/file/2010_3/7_12/f4ywgbiwtpjn.pdf"&gt;Their research&lt;/a&gt; revealed that:&lt;blockquote&gt;Of the 64 policies examined, only four (6%) were accessible to the 28.3% of the Internet population with less than or equal to a high school education. Thirty-five policies (54%) were beyond the grasp of 56.6% of the Internet population, requiring the equivalent of more than fourteen years of education. Eight policies (13%) were beyond the grasp of 85.4% of the Internet population, requiring the equivalent of a postgraduate education. 
Overall, a large segment of the population can only reasonably be expected to understand a small fragment of the policies posted.&lt;br /&gt;&lt;/blockquote&gt;&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I don't know the caselaw well enough to say if the judge was correct in stating that clickwraps that link to privacy policies are binding. However, even if there is caselaw supporting this decision, it is in no way supported by evidence of actual consumer behavior, or common sense. If the Chief Justice of the Supreme Court doesn't read privacy policies, how can we expect this of regular consumers?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-3972236429341986179?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/03/federal-judge-in-twitterwikileaks-case.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-MXCHqkPo0QE/TXrBhzjvxgI/AAAAAAAAAAM/RGB0vI9psDI/s72-c/twitter-sign-up.PNG" height="72" width="72" /><thr:total>5</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-5998285481184747733</guid><pubDate>Tue, 22 Feb 2011 05:45:00 +0000</pubDate><atom:updated>2011-02-22T09:47:46.745-05:00</atom:updated><title>Deconstructing the CALEA hearing</title><description>Last Thursday, the House Judiciary Committee &lt;a href="http://paranoia.dubfire.net/2011/02/calea-it-is-about-money.html"&gt;held a hearing&lt;/a&gt; focused on law enforcement surveillance of modern Internet services.&lt;br /&gt;&lt;br /&gt;Although both &lt;a href="http://www.nytimes.com/2011/02/18/us/18wiretap.html"&gt;the New York Times&lt;/a&gt; and &lt;a href="http://www.cbsnews.com/8301-501465_162-20032969-501465.html"&gt;CNET&lt;/a&gt; have stories on the hearing, I don't think either publication covered the important 
details (nor did they take the time to extract and post video clips). &lt;br /&gt;&lt;br /&gt;&lt;b&gt;The FBI is no longer calling for encryption backdoors&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When Charlie Savage at the New York Times first broke the news last year that law enforcement officials were seeking more surveillance capabilities, it seemed quite clear that the FBI wanted to be able to access encrypted communications. Consider, for example, &lt;a href="http://www.nytimes.com/2010/09/27/us/27wiretap.html?pagewanted=2"&gt;this statement&lt;/a&gt; by the General Counsel of the FBI:&lt;blockquote&gt;"No one should be promising their customers that they will thumb their nose at a U.S. court order," Ms. Caproni said. "They can promise strong encryption. They just need to figure out how they can provide us plain text."&lt;/blockquote&gt;That threat spooked the hell out of a lot of people in the privacy community and at technology companies. However, in the months that followed, rumors started to circulate that, as a result of negotiations within the administration, encryption was now "off the table."&lt;br /&gt;&lt;br /&gt;Thus, many of us in Washington were not entirely surprised to see Ms. Caproni walk back her previous statements on encryption when she testified last Thursday:&lt;blockquote&gt;Law enforcement (or at least, the FBI) has not suggested that CALEA should be expanded to cover all of the Internet...&lt;br /&gt;&lt;br /&gt;But let's turn directly to encryption. Encryption is a problem. It is a problem we see for certain providers. It's not the only problem.&lt;br /&gt;&lt;br /&gt;If I don't communicate anything else today, I want to make sure that everyone understands. This is a multifaceted problem. And encryption is one element of it, but it is not the entire element. There are services that are not encrypted, that do not have an intercept solution. So it's not a problem of them being encrypted. 
It's a problem of the provider being able to isolate the communications and deliver them to us in a reasonable way so that they are usable in response to a court order...&lt;br /&gt;&lt;br /&gt;There are individual encryption problems that have to be dealt with on an individual basis. The solution to encryption is the one that is part of CALEA, which says that if the provider is encrypting the communications, and so if they have the ability to decrypt and give them in the clear, then they're obligated to do that. That basic premise. That provider imposed encryption, that the provider can give us communications in the clear, they should do that. We think that is the right model. No one's suggesting that Congress should re-enter the encryption battles that were fought in the late '90s, and talk about sequestered keys or escrowed keys and the like. That is not what this is about.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="390"&gt;&lt;param name="movie" value="http://www.youtube.com/v/AERdkCWQOVU?fs=1&amp;amp;hl=en_US&amp;start=193"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/AERdkCWQOVU?fs=1&amp;amp;hl=en_US&amp;start=193" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="390"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Why the FBI doesn't really need encryption back doors&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The bit of CALEA that she is talking about is 47 USC 1002(b)(3), which &lt;a href="http://paranoia.dubfire.net/2010/09/calea-and-encryption.html"&gt;states that&lt;/a&gt;:&lt;blockquote&gt;A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier 
and the carrier possesses the information necessary to decrypt the communication.&lt;/blockquote&gt;US law is surprisingly clear on the topic of encryption: companies are free to build it into their products, and if they don't have the decryption key, they can't be forced to deliver their customers' unencrypted communications or data to law enforcement agencies.&lt;br /&gt;&lt;br /&gt;While Skype uses some form of proprietary end-to-end encryption (although it should be noted that the security experts I've spoken to don't trust it), and RIM uses encryption for its Enterprise Blackberry messaging suite, the vast majority of services that consumers use today are not encrypted. Those few services that do use encryption, such as Google's Gmail, only use it to protect the data in transit from the user's browser to Google's servers. Once Google receives it, the data is stored in the clear.&lt;br /&gt;&lt;br /&gt;There is one simple reason for this, which I described in a &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1421553"&gt;law journal article&lt;/a&gt; last year:&lt;blockquote&gt;It is exceedingly difficult to monetize a data set that you cannot look at. Google’s popular Gmail service scans the text of individual emails, and algorithmically displays relevant advertisements next to the email. When a user receives an email from a friend relating to vacation plans, Google can display an advertisement for hotels near to the destination, rental cars or travel insurance. If those emails are encrypted with a key not known to Google, the company is unable to scan the contents and display related advertising. Sure, the company can display generic advertisements unrelated to the user’s communications contents, but these will be far less profitable.&lt;br /&gt;&lt;br /&gt;Google’s Docs service, Microsoft’s Hotmail, Adobe’s Photoshop Express, Facebook, and MySpace are all made available for free. 
Google provides its users with gigabytes of storage space, yet doesn’t charge a penny for the service. These companies are not charities, and the data centers filled with millions of servers required to provide these services cost real money. The companies must be able to pay for their development and operating costs, and then return a profit to their shareholders. Rather than charge their users a fee, the firms have opted to monetize their users’ private data. As a result, any move to protect this data will directly impact the companies’ ability to monetize it and thus turn a profit. Barring some revolutionary developments from the cryptographic research community, advertising based business models are fundamentally incompatible with private key encrypted online data storage services.&lt;/blockquote&gt;Robert Scoble also addressed this very same issue last year, &lt;a href="http://scobleizer.com/2010/10/25/failcon-privacy-panel-topic-why-is-industry-ignoring-stanford-university/"&gt;writing about&lt;/a&gt; the reasons why major location based services have not adopted privacy preserving technologies:&lt;blockquote&gt;Well, there’s huge commercial value in knowing where you’re located and [service providers] just aren't willing to build really private systems that they won’t be able to get at the location info. Think about a Foursquare where only your friends would be able to see where you were, but that Foursquare couldn’t aggregate your location together with other people, or where it wouldn’t be able to know where you are itself. They wouldn't be able to offer you deals near you when you check in, the way it does today.&lt;/blockquote&gt;The FBI knows that most services are not going to be using full end-to-end encryption, and as such, there is not much to be gained by fighting a public battle over encryption backdoors. In her testimony on Thursday, Ms. 
Caproni drove this point home:&lt;blockquote&gt;We're suggesting that if the provider has the communications in the clear and we have a wiretap order, that the provider should give us those communications in the clear.&lt;br /&gt;&lt;br /&gt;For example, Google for the last 9 months has been encrypting all GMail. As it travels over the internet, it's encrypted. We think that's great. We also know that Google has those communications, and in response to a wiretap order, they should give them to us, in the clear.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="390"&gt;&lt;param name="movie" value="http://www.youtube.com/v/inXWJRx1Wog?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/inXWJRx1Wog?fs=1&amp;amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="390"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Privacy by design vs. insecurity by design&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In the &lt;a href="http://www.ftc.gov/opa/2010/12/privacyreport.shtm"&gt;report it&lt;/a&gt; issued in December, the Federal Trade Commission called on companies to embrace "privacy by design":&lt;blockquote&gt;[C]ompanies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices. Such protections include providing reasonable security for consumer data, collecting only the data needed for a specific business purpose, retaining data only as long as necessary to fulfill that purpose, safely disposing of data no longer being used, and implementing reasonable procedures to promote data accuracy.&lt;/blockquote&gt;Building encryption into products, turning it on by default, and using it to protect all data is the ultimate form of privacy by design. 
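&lt;br /&gt;&lt;br /&gt;To make the 1002(b)(3) distinction and the monetization argument above concrete, here is an added example in Python. It is my own illustration, not code from Google, the FBI or anything quoted in this post. It models two mail services: one that, like Gmail as described above, encrypts only the hop from the user to the provider and then stores messages in the clear, and one where the user encrypts under a key that never leaves the user's device before the message crosses that same hop. The names (MailProvider, scan_for_ads, answer_wiretap_order, compare_models), the sample message and the cipher are all constructed for the example; the cipher is a toy HMAC-SHA256 keystream standing in for TLS and for a real client-side cipher, not something to deploy.&lt;br /&gt;&lt;br /&gt;

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. The cipher below is a toy
# HMAC-SHA256 keystream (no authentication, simplified nonce handling) used
# only to show who can read what; it stands in for TLS and for a real
# client-side cipher and must not be used in production.


def keystream(key, nonce, length):
    """Derive `length` bytes of keystream from HMAC(key, nonce || counter)."""
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def encrypt(key, plaintext):
    """Return nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + body


def decrypt(key, blob):
    """Inverse of encrypt(); only works for whoever holds `key`."""
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


class MailProvider:
    """A hosted mail service. It terminates transport encryption (it holds
    the transport key, like a TLS server), stores what it receives, scans
    stored messages for advertising keywords, and answers wiretap orders
    with whatever it has on disk."""

    def __init__(self):
        self.transport_key = os.urandom(32)   # provider-imposed encryption
        self.mailbox = []                     # messages exactly as stored

    def receive(self, wire_blob):
        # Transport encryption ends here: the provider can decrypt this hop
        # because it supplied the key, which is the 47 USC 1002(b)(3) case.
        self.mailbox.append(decrypt(self.transport_key, wire_blob))

    def scan_for_ads(self, keyword):
        """The business model: count stored messages mentioning `keyword`."""
        return sum(1 for message in self.mailbox if keyword in message)

    def answer_wiretap_order(self):
        """The provider can only hand over what it actually possesses."""
        return list(self.mailbox)


def send_transport_only(provider, message):
    """Model 1: encrypted on the wire, stored in the clear (the Gmail model)."""
    provider.receive(encrypt(provider.transport_key, message))


def send_end_to_end(provider, user_key, message):
    """Model 2: encrypt under a key the provider never sees, then send it
    over the same transport layer as before."""
    provider.receive(encrypt(provider.transport_key, encrypt(user_key, message)))


def compare_models(message, keyword):
    """Run the same message through both designs and report what the
    provider can do with it in each case."""
    user_key = os.urandom(32)   # lives only on the user's device

    transit_only = MailProvider()
    send_transport_only(transit_only, message)

    end_to_end = MailProvider()
    send_end_to_end(end_to_end, user_key, message)
    e2e_handover = end_to_end.answer_wiretap_order()

    return {
        "transit_only_ad_hits": transit_only.scan_for_ads(keyword),
        "transit_only_handover_is_plaintext": transit_only.answer_wiretap_order() == [message],
        "e2e_ad_hits": end_to_end.scan_for_ads(keyword),
        "e2e_handover_is_plaintext": e2e_handover == [message],
        "e2e_user_can_still_read": decrypt(user_key, e2e_handover[0]) == message,
    }


if __name__ == "__main__":
    # Constructed sample message, in the spirit of the vacation e-mail above.
    sample = b"Booked the hotel for our Lisbon trip, flying out next Friday."
    for name, value in compare_models(sample, b"hotel").items():
        print(f"{name}: {value}")
```

Run it and the first provider can both count keyword hits for advertising and hand over plaintext under a wiretap order, because it imposed the encryption and holds the key. The second provider can do neither: it only possesses ciphertext, so that is all it can produce, while the user can still read the message. That is the trade-off between advertising revenue and privacy by design that the law journal passage describes.&lt;br /&gt;&lt;br /&gt;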
While the FTC is encouraging firms to embrace this philosophy, the FBI is betting that poor security will remain the default. Sure, a few individuals will know how to encrypt their data, but the vast majority will not. It is because of this that the FBI can avoid a fight over encryption. Why bother, when so little data is encrypted?&lt;br /&gt;&lt;br /&gt;Consider Ms. Caproni's argument:&lt;blockquote&gt;There will always be criminals, terrorists and spies who use very sophisticated means of communications that create very specific problems for law enforcement. We understand that there are times when you need to design an individual solution for an individual target. That's what those targets present. We're looking for a better solution for most of our targets, and the reality is I think sometimes we want to think that criminals are a lot smarter than they really are. Criminals tend to be somewhat lazy, and a lot of times, they will resort to what is easy.&lt;br /&gt;&lt;br /&gt;So long as we have a solution that will get us the bulk of our targets, the bulk of criminals, the bulk of terrorists, the bulk of spies, we will be ahead of the game. We can't have to design individualized solutions, as though they were sophisticated targets who were self-encrypting, putting a very difficult encryption algorithm on, for every target we find, because not every target is using such sophisticated communications.&lt;/blockquote&gt;While I understand her perspective, the problem I have is that her description of criminals as "lazy" people who use technology that is "easy" similarly describes the vast majority of the general public. 
As such, for the FBI's plan to work, encryption technology needs to be kept out of the hands of the general public in order to similarly keep it out of the hands of lazy criminals.&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="390"&gt;&lt;param name="movie" value="http://www.youtube.com/v/56jP8YdqGAs?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/56jP8YdqGAs?fs=1&amp;amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="390"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;If encryption is off the table, what is the FBI after?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;During the hearing Ms. Caproni noted that both RIM and Skype were foreign companies, and not subject to CALEA. She had ample opportunities to call out these companies, and instead opted not to do so. As such, at least right now, it looks like the two firms may be safe.&lt;br /&gt;&lt;br /&gt;So, with Skype, RIM, and the general encryption issue off the table, you must be wondering, what exactly &lt;b&gt;does&lt;/b&gt; the FBI want? From what I can gather, quite a few things, many of which impact privacy in a big way, but which will lead to far less press than those other high profile issues.&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="390"&gt;&lt;param name="movie" value="http://www.youtube.com/v/asWuKHU5y30?fs=1&amp;amp;hl=en_US"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/asWuKHU5y30?fs=1&amp;amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="390"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Ms. 
Caproni didn't name names at the hearing, but it is pretty easy to identify the companies and services that she and her colleagues are interested in.&lt;ul&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Real-time interception of cloud services&lt;/b&gt;. Google, Microsoft, Facebook and Twitter are all legally required to provide after-the-fact access to their customers' stored data, in response to valid legal process. The law does not require them to provide real-time interception capabilities. What this means is that while the government can go to Google and ask for all searches conducted by a particular user, it can't ask for all future searches or Google Chat instant message communications. These companies are under intense pressure to provide such real-time, prospective access to user data.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Voice services that do not connect to the public telephone network.&lt;/b&gt; Google and Facebook both offer in-network audio chat to their users (Google also offers video). Microsoft's XBox 360 service, Blizzard and several other online video game platforms allow users to &lt;strike&gt;insult each other&lt;/strike&gt; chat while they play against other users online. At least from published information, I'm not aware of any one of these companies offering interception capabilities, and so law enforcement agencies almost certainly want access to this.&lt;/li&gt;&lt;br /&gt;&lt;li&gt;&lt;b&gt;Virtual Private Network (VPN) services.&lt;/b&gt; These services, many of them paid, are increasing in popularity among users who want a bit of privacy when they surf. 
They enable users to browse the web when using unsecured public WiFi networks without having to worry about hackers stealing their data; browse the web at home without having to worry about their broadband Internet Service Provider using Deep Packet Inspection technology to spy on them; access streaming content that is restricted by country (for example, allowing foreigners to watch Hulu, or US residents to watch the BBC); and download files from P2P networks without having to worry about Hollywood studios, record labels and porn companies suing them. &lt;br /&gt;&lt;br /&gt;Many users turn to these commercial VPN services in order to obtain privacy online, and it is because of this that many services have strict no-logging policies. They do not know what their users are doing online, and don't want to know. However, many of these services are based in the US (or at least, have many servers in US datacenters), and could very easily keep logs if they were forced to do so.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;b&gt;What happens next?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Last week's hearing was just the first step in what will likely be a long battle. There will be more hearings, and eventually, the FBI will return with draft legislation. 
In the meantime, all the major tech companies in Silicon Valley will no doubt continue to engage in private, high-pressure negotiations with senior FBI officials who will tell them they can avoid new legislation by voluntarily building new surveillance capabilities into their products.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5998285481184747733?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/02/deconstructing-calea-hearing.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>4</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-8964348565204526222</guid><pubDate>Fri, 18 Feb 2011 20:45:00 +0000</pubDate><atom:updated>2011-02-18T16:00:02.388-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">surveillance</category><category domain="http://www.blogger.com/atom/ns#">CALEA</category><category domain="http://www.blogger.com/atom/ns#">data retention</category><title>No New Surveillance Powers For The War On Drugs</title><description>At two &lt;a href="http://judiciary.house.gov/hearings/hear_01252011.html"&gt;hearings&lt;/a&gt; over the past month, including &lt;a href="http://judiciary.house.gov/hearings/hear_02172011.html"&gt;one yesterday&lt;/a&gt;, senior officials from the Department of Justice asked Congress to significantly expand its ability to monitor and investigate the online communications of Americans.&lt;br /&gt;&lt;br /&gt;Law enforcement officials claim that it is &lt;a href="http://www.nytimes.com/2010/09/27/us/27wiretap.html"&gt;too difficult&lt;/a&gt; to snoop on users of &lt;a href="http://www.nytimes.com/2010/10/19/us/19wiretap.html"&gt;modern services&lt;/a&gt; like Skype, Blackberry, Facebook and Google, as the companies have not built wiretap capabilities into their services. 
The Department of Justice would also like wireless and residential Internet Service Providers to &lt;a href="http://news.cnet.com/8301-31921_3-20029423-281.html"&gt;keep records&lt;/a&gt; that would make it easier to determine after-the-fact which particular customer visited specific websites.&lt;br /&gt;&lt;br /&gt;These officials argue that technology companies should be required to build new surveillance capabilities in order to more effectively investigate child pornographers and terrorists. This is a politically savvy argument, as no member of Congress will want to risk appearing weak on terrorism or child pornography.&lt;br /&gt;&lt;br /&gt;The reality is that most law enforcement surveillance powers are used in support of the war on drugs, not to investigate terrorists or pedophiles. As such, Congress should first demand reliable statistics on law enforcement’s existing Internet surveillance activities before even considering the FBI’s request for more powers.&lt;br /&gt;&lt;br /&gt;The American public may be willing to give up their privacy and civil liberties in order to actually prevent terrorism and the sexual exploitation of children. This deal is far less attractive if the new surveillance powers will instead be used to continue a failed prohibition opposed by millions of Americans.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Statistics are useful&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Each year, federal and state law enforcement agencies obtain thousands of court orders that allow them to secretly wiretap the telephones of American citizens. 
We know this because Congress requires &lt;a href="http://www.uscourts.gov/Statistics/WiretapReports/WiretapReport2009.aspx"&gt;annual reports&lt;/a&gt; regarding the use of these surveillance powers.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://en.wikipedia.org/wiki/Olmstead_v._United_States"&gt;first documented instances&lt;/a&gt; of law enforcement wiretaps were used to investigate bootleggers during Prohibition. Decades later, as the wiretap reports confirm, the vast majority of intercepts are used to enforce our modern day prohibition: the war on drugs. For example, of the 2,376 wiretap orders issued in 2009, 86% (2,046) &lt;a href="http://www.uscourts.gov/uscourts/Statistics/WiretapReports/2009/Table3.pdf"&gt;were obtained&lt;/a&gt; as part of narcotics investigations.&lt;br /&gt;&lt;p style="text-align: center;"&gt;&lt;a href="http://biggovernment.com/files/2011/02/drugs-wiretap1.png"&gt;&lt;img class="aligncenter size-full wp-image-230672" title="Narcotics Wiretaps" src="http://biggovernment.com/files/2011/02/drugs-wiretap1.png" alt="" width="415" height="297" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;Similarly, of the 763 “sneak and peek” search warrants obtained in 2009, 474 were obtained in investigations of drugs, and only 3 were used in investigations of terrorism. These surveillance orders allow government agents to search a home without telling the owner or resident until weeks or months later. 
Law enforcement agencies were given this authority as part of the Patriot Act, after the Department of Justice &lt;a href="http://www.justice.gov/archive/ll/what_is_the_patriot_act.pdf"&gt;claimed that&lt;/a&gt; the powers were necessary to allow “law enforcement to conduct investigations without tipping off terrorists.” However, a &lt;a href="http://big.assets.huffingtonpost.com/SneakAndPeakReport.pdf"&gt;report published&lt;/a&gt; by the Administrative Office of the Courts in 2009 revealed that the powers are primarily used to investigate drugs, not terrorism.&lt;br /&gt;&lt;br /&gt;Unfortunately, while accurate statistics exist for wiretaps, and for the sneak and peek authority granted as part of the Patriot Act, we are largely in the dark regarding most of the &lt;a href="http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html"&gt;tens of thousands of requests&lt;/a&gt; made each year to phone companies and Internet service providers. There are no statistics that document law enforcement requests for email, instant messaging, social network profiles, search engine history, or geographic location information from mobile phones.&lt;br /&gt;&lt;br /&gt;Not only do we have no way of knowing the total number of requests made by law enforcement officers each year, but we also do not know what kinds of crimes they are investigating. Instead, all we have are unverifiable anecdotes from law enforcement officials, who selectively reveal them in order to justify their push for increased surveillance powers.&lt;br /&gt;&lt;br /&gt;If the &lt;a href="http://blogs.forbes.com/kashmirhill/2010/09/29/the-gop-vs-google-and-microsoft-in-a-leaked-memo-on-privacy-law-reform/"&gt;statements of law enforcement officials&lt;/a&gt; are to be believed, most of their online investigations involve child pornography. However, the published statistics for other forms of surveillance suggest that they are likely in support of the war on drugs. 
The only way to be sure would be for Congress to require the collection and publication of statistics covering law enforcement agencies’ surveillance of Internet applications and communications. As Senator Leahy &lt;a href="http://paranoia.dubfire.net/2010/09/on-surveillance-transparency.html"&gt;noted&lt;/a&gt; more than 10 years ago, surveillance statistics serve as a “more reliable basis than anecdotal evidence on which to assess law enforcement needs and make sensible policy in this area.”&lt;br /&gt;&lt;br /&gt;Rather than granting the Department of Justice the sweeping new surveillance powers it seeks, Congress should first seek and obtain detailed reports on the use of modern surveillance techniques. There is no need to rush the passage of new authority, especially since, as the debate over the renewal of the Patriot Act has clearly demonstrated, rolling back powers is much tougher than granting new ones.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-8964348565204526222?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/02/no-new-surveillance-powers-for-war-on.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-2160238042816597587</guid><pubDate>Thu, 17 Feb 2011 03:50:00 +0000</pubDate><atom:updated>2011-02-17T01:11:20.436-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">CALEA</category><title>CALEA: It is about the money</title><description>&lt;blockquote&gt;Cash Rules Everything Around Me&lt;br /&gt;C.R.E.A.M.&lt;br /&gt;Get the money&lt;br /&gt;Dollar, dollar bill y'all&lt;br /&gt;-- &lt;a href="http://www.youtube.com/watch?v=bjZRAvsZf1g"&gt;Wu Tang Clan&lt;/a&gt;&lt;br /&gt;&lt;/blockquote&gt;Tomorrow, the House Judiciary Committee will &lt;a 
href="http://judiciary.house.gov/hearings/hear_02172011.html"&gt;hold a hearing&lt;/a&gt; on the topic of &lt;a href="http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act"&gt;CALEA&lt;/a&gt;, and the FBI's desire to get backdoors in modern services like Skype, Google, Facebook and RIM's Blackberry. The mass adoption of these services, the FBI claims, is leading to a situation where law enforcement agencies have "gone dark," and lost the ability to intercept the communications of suspects in real time.&lt;br /&gt;&lt;br /&gt;This is not the first time that the FBI has come to Congress to ask for increased surveillance powers -- The FBI &lt;a href="http://cryptome.org/jya/fbi-dvstate.htm"&gt;spent a good part&lt;/a&gt; of the 90s sending people to Capitol Hill, asking for backdoors in encryption.&lt;br /&gt;&lt;br /&gt;What does surprise me is that the tech companies are nowhere to be seen, and have not deployed anyone publicly to fight this proposal. Compare this, for a moment, to the &lt;a href="http://judiciary.house.gov/hearings/hear_100923.html"&gt;cloud computing&lt;/a&gt; privacy hearing held by the same House Committee last September, where Google, Microsoft, Amazon, Rackspace and Salesforce all sent executives to argue for stronger privacy laws.&lt;br /&gt;&lt;br /&gt;Last year, those companies were vocally asking for stronger privacy laws that would make it more difficult for law enforcement agencies to access their customers' data. Now, these same firms are being asked to put backdoors in their services, and make it easier for the government to snoop on their customers. Are they fighting this? 
No.&lt;br /&gt;&lt;br /&gt;Instead, they are hiding behind industry-funded advocacy groups, like the Center for Democracy and Technology, which has written a softly-worded &lt;a href="http://cdt.org/pr_statement/statement-concern-about-expansion-calea"&gt;statement of concern&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Google, Microsoft and Facebook have excellent, well-funded teams of lobbyists. The fact that they are not appearing at the hearing tomorrow and have not issued any public statements about the topic is a clear sign that these companies are doing everything possible to keep a low profile on this issue.&lt;br /&gt;&lt;br /&gt;If I had to guess why, I suspect that they don't want to do anything to upset Congress, particularly now that the topic of commercial privacy is very much on the legislative agenda. If they put their foot down on CALEA, they may find themselves with few friends when members start considering bills to limit behavioral advertising.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Priority #1: Gotta get paid&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;When Congress passed CALEA in 1994, it set aside $500 million to help with the cost of designing and deploying wiretap capable networking equipment. 
Unfortunately, as a 2008 DOJ Inspector General &lt;a href="http://www.usdoj.gov/oig/reports/FBI/a0820/final.pdf"&gt;report&lt;/a&gt; (pdf) revealed, it was not possible to tell if the money was well-spent, since neither the telecoms nor the switch makers were &lt;a href="http://www.wired.com/threatlevel/2008/03/fbis-500-millio/"&gt;willing to share&lt;/a&gt; the necessary information.&lt;br /&gt;&lt;br /&gt;With that in mind, this bullet point from CDT's &lt;a href="http://cdt.org/pr_statement/statement-concern-about-expansion-calea"&gt;statement of concern&lt;/a&gt; caught my eye:&lt;br /&gt;&lt;blockquote&gt;"Avoid unfunded mandates:  The costs of implementing any new proposals should be borne by the government."&lt;/blockquote&gt;While tech companies aren't particularly crazy about adding new snooping capabilities into their services, they are even less excited about having to eat the financial cost of developing and deploying those backdoors.&lt;br /&gt;&lt;br /&gt;Even though CDT seems to think otherwise, there are strong policy advantages to sticking companies with these costs. The most important is that Google and Facebook are far more likely to take a strong position against CALEA II if they are going to get stuck with the check. If these firms know they are going to get millions of dollars for upfront surveillance development, they are far less likely to fight, and will instead spend more of their time haggling over the details, and in particular, lobbying for a larger payout with less oversight.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Charging the government for individual requests is good&lt;/b&gt;&lt;blockquote&gt;"When I can follow the money, I know how much of something is being consumed - how many wiretaps, how many pen registers, how many customer records. 
Couple that with reporting, and at least you have the opportunity to look at and know about what is going on.&lt;br /&gt;-- Albert Gidari Jr., Keynote Address: Companies Caught in the Middle, 41 U.S.F. L. Rev. 535, Spring 2007.&lt;/blockquote&gt;This is not to say that I am opposed to companies making the government pay for the assistance they are legally required to provide. I just think that the payment should be associated with specific investigations and requests, rather than a huge cash payment for developing and deploying surveillance capabilities.&lt;br /&gt;&lt;br /&gt;The reason for this is that invoices for surveillance serve as a fantastic paper trail documenting the scope and scale of government snooping. Through Freedom of Information Act requests, I have &lt;a href="http://paranoia.dubfire.net/2010/01/foia-returns-91-invoices-for-yahoo.html"&gt;obtained invoices&lt;/a&gt; from both Google and Yahoo, which detailed the kinds of requests they were getting, and &lt;a href="http://paranoia.dubfire.net/2010/11/doj-has-granted-itself-new-surveillance.html"&gt;helped me to discover&lt;/a&gt; that the US Marshals have essentially granted themselves a new surveillance power that is not in the law.&lt;br /&gt;&lt;br /&gt;Charging for law enforcement assistance also tends to limit requests to only those records that are actually necessary. As Al Gidari told the House Judiciary Committee in &lt;a href="http://www.blogger.com/judiciary.house.gov/hearings/pdf/Gidari100505.pdf"&gt;testimony last year&lt;/a&gt;:&lt;blockquote&gt;When records are "free," such as with phone records, law enforcement over consumes with abandon. Pen register print outs, for example, are served daily on carriers without regard to whether the prior day's output sought the same records. Phone record subpoenas often cover years rather than shorter, more relevant time periods. 
But when service providers charge for extracting data, such as log file searches, law enforcement requests are more tailored.&lt;/blockquote&gt;&lt;br /&gt;It is for these reasons that I have pleaded with attorneys at Microsoft and Facebook to start charging the government. Even though the law permits them to do so, both firms currently deliver user data to law enforcement agencies for free.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Recoup the high costs of surveillance technology through high per-request fees&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;A 2006 &lt;a href="http://www.justice.gov/oig/reports/FBI/a0613/findings.htm#IVa"&gt;report from the DOJ Inspector General&lt;/a&gt; revealed that:&lt;blockquote&gt;One carrier informed us that most of the costs it billed to law enforcement are for overtime and recovery of capitalized hardware and software costs. These representatives stated that capital costs are the major costs incurred by a carrier, and that these costs are entirely proper for carriers to recover.&lt;/blockquote&gt;For once, I actually agree with the carriers. If they had to spend millions of dollars deploying CALEA compliant intercept equipment, then it is only reasonable that they recoup it by charging $3500 for a 30 day wiretap (as Cox Communications &lt;a href="http://ww2.cox.com/aboutus/policies/lea-information."&gt;does&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;The problem with charging $3500 for a wiretap is that the police will complain, as this money comes out of their budget. The same 2006 Inspector General report confirmed this:&lt;blockquote&gt;Law enforcement's biggest complaint regarding CALEA is the relatively high fees charged by carriers to conduct electronic surveillance. A traditional wiretap costs law enforcement approximately $250. However, a wiretap with CALEA features costs law enforcement approximately $2,200 according to law enforcement officials and carrier representatives we interviewed. 
A law enforcement official noted that, "[w]ith CALEA, the carriers do less work but it costs approximately 10 times as much to do a CALEA-compliant tap versus a traditional tap."&lt;/blockquote&gt;&lt;br /&gt;&lt;b&gt;If&lt;/b&gt; Congress is considering spending another $500 million on CALEA II (and I hope it doesn't), it should give it out in grants to state and local law enforcement agencies. Give them each a pool of money, and let them decide how they want to spend it. If they want to use it to hire more officers, or buy body armor, that is their choice. If they want to pay for CALEA II wiretaps provided by Google, Facebook and Skype, well, that is their choice too. In the real world, there are opportunity costs associated with every purchase, and the police should have to experience these too. Surveillance &lt;b&gt;should&lt;/b&gt; be expensive -- that is the best way to make sure these powers are not overused, or abused. Unfortunately, at just &lt;a href="http://www.theregister.co.uk/2010/11/18/microsoft_does_not_charge_for_government_surveillance/"&gt;$25 for an individual user's account&lt;/a&gt;, Google and Yahoo are not charging nearly enough.</description><link>http://paranoia.dubfire.net/2011/02/calea-it-is-about-money.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-990464180125150100</guid><pubDate>Wed, 09 Feb 2011 18:03:00 +0000</pubDate><atom:updated>2011-02-09T13:39:43.465-05:00</atom:updated><title>Web 2.0 FBI backdoors are bad for national security</title><description>Charlie Savage &lt;a href="http://twitter.com/charlie_savage/status/35021066443309056"&gt;broke the news&lt;/a&gt; yesterday that the House will be holding a hearing 
in two weeks on the subject of &lt;a href="http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act"&gt;CALEA&lt;/a&gt; – the 1994 law that forced telecommunications companies to purchase and deploy intercept capable network hardware. As Savage described in a &lt;a href="http://www.nytimes.com/2010/09/27/us/27wiretap.html"&gt;series&lt;/a&gt; of &lt;a href="http://www.nytimes.com/2010/11/17/technology/17wiretap.html"&gt;articles&lt;/a&gt; last fall, the FBI is no longer happy with these intercept capabilities – it now wants modern technology firms like Skype, RIM, Google and Facebook to provide similar backdoors in their own services.&lt;br /&gt;&lt;br /&gt;Public interest groups like EFF, the ACLU and CDT will of course do their best to argue that such backdoors would totally violate the privacy of millions of Americans. Unfortunately, this criticism will largely fall on deaf ears.&lt;br /&gt;&lt;br /&gt;Those members of Congress who are strong believers in privacy will not need convincing. However, those members who are willing to grant any and all additional powers requested by those investigating pedophiles and terrorists have already made up their mind – in their eyes, individual privacy is a small price to pay.&lt;br /&gt;&lt;br /&gt;As such, I am not going to waste my time explaining why CALEA II is a horrible idea on privacy grounds. Instead, I will now explain why, for non-privacy reasons, it is a bad idea to give the FBI what it wants -- and why doing so threatens national security.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Surveillance backdoors, like all other software, will have security flaws&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Abusable flaws are routinely found in commercial software products (which is not too surprising, since software engineers are rarely trained in software security or the appropriate use of cryptography). 
To make a product 100% secure, engineers have to get everything right – protecting against all known attacks, as well as attack techniques not yet invented.&lt;br /&gt;&lt;br /&gt;Now, consider this question – if the government is going to force Google, Facebook, Skype and RIM to create surveillance backdoors in their own products, how are these companies going to protect the backdoors to make sure they are not accessed by evildoers? If Google knew how to develop software that is 100% secure, surely it would already be applying these software engineering techniques to its products.&lt;br /&gt;&lt;br /&gt;Of course, this is an impossible task, which is why the software products we all regularly use seem to constantly bug us to install security updates.&lt;br /&gt;&lt;br /&gt;As such, we need to accept the fact that any surveillance backdoors that these firms are required to build will have security flaws, and that they will be abused by people who care even less about privacy than the FBI.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Governments around the world acquire and exploit security flaws in commercial software&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;More often than not, commercial software vendors do not discover their own flaws. They learn about them because “white hat” security researchers discover them and notify the company, or because “black hat” hackers discover the flaws, and either exploit them directly, or sell them to others who use them to steal users’ data, or use infected computers to deliver spam.&lt;br /&gt;&lt;br /&gt;There is now a thriving economy for those wishing to sell “zero day” security flaws and exploits (that is, those not known to the community). 
While criminal gangs certainly seem to be interested in buying these exploits, they are not the only customers – governments around the world are on the market for this information.&lt;br /&gt;&lt;br /&gt;Charlie Miller, a security researcher famous for discovering exploitable software flaws in Apple’s iPhone, also has a bit of experience selling security flaws. In an &lt;a href="http://weis2007.econinfosec.org/papers/29.pdf"&gt;academic research paper&lt;/a&gt; a few years ago, he described how after discovering a flaw in the Linux operating system, he sold the information to a US government agency (presumably, the NSA, his former employer) for a cool $50,000.&lt;br /&gt;&lt;br /&gt;Mr Miller’s experience is not unique – security researchers that have spoken with me confirm that US defense contractors (such as SAIC and Booz Allen Hamilton) purchase exploitable security flaws on behalf of their government clients. One researcher told me that bonuses are built into the contracts – that is, the longer the flaw remains useful and unpatched by the operating system or application provider, the higher the payment.&lt;br /&gt;&lt;br /&gt;It would be foolish to assume that the US government is the only one doing this – foreign governments are probably buying any exploits they can get their hands on, as well as spending significant resources to discover these through in-house R&amp;D.&lt;br /&gt;&lt;br /&gt;Consider the following example - the recent &lt;a href="http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html"&gt;Stuxnet worm&lt;/a&gt; that was used to penetrate Iran’s nuclear facilities used &lt;a href="http://www.symantec.com/connect/blogs/stuxnet-using-three-additional-zero-day-vulnerabilities"&gt;a number of zero day exploits&lt;/a&gt; in Microsoft Windows.&lt;br /&gt;&lt;br /&gt;While no government has claimed credit for the worm, what is clear is that whoever did it has quite a bit of security expertise. 
What this also means, at least as long as the US government claims that it had no role in Stuxnet, is that there are other governments out there with the ability to discover (or purchase) and exploit flaws in US made software.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;By requiring law enforcement backdoors, we open ourselves to surveillance by hackers and foreign intelligence agencies&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;In 2004, a still unknown entity somehow gained access to the CALEA-compliant intercept system of Vodafone Greece, the country's largest cellular service provider.&lt;br /&gt;&lt;br /&gt;Those customers whose calls were intercepted included the prime minister of Greece, the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy.&lt;br /&gt;&lt;br /&gt;The story of the "Athens Affair", as it is commonly known in security circles, is perhaps the best example of the privacy risks associated with lawful interception capabilities in communications infrastructure. I'm not going to go into all the details here, but there is an absolutely fantastic, &lt;a href="http://spectrum.ieee.org/telecom/security/the-athens-affair/0"&gt;multi-page writeup&lt;/a&gt; of the incident in IEEE's Spectrum magazine. 
&lt;br /&gt;&lt;br /&gt;While Greek investigators still have not been able to conclusively determine who penetrated their network, all signs (including the mysterious "suicide" of a Vodafone employee in 2005) indicate that it was the work of a foreign intelligence service.&lt;br /&gt;&lt;br /&gt;Similarly, in 2010, soon after Google disclosed that Chinese hackers had broken into the company's network, &lt;a href="http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=28293"&gt;news reports&lt;/a&gt; surfaced indicating that the hackers had gained access to Google's lawful surveillance systems.&lt;blockquote&gt;[Google's Chief Legal Officer David] Drummond said that the hackers never got into Gmail accounts via the Google hack, but they did manage to get some "account information (such as the date the account was created) and subject line."&lt;br /&gt;&lt;br /&gt;That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.&lt;br /&gt;&lt;br /&gt;"Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.&lt;/blockquote&gt;&lt;br /&gt;In April 2010, at a public event at Google's Washington DC office, I asked Pablo Chavez, the company's director of public policy, if the reports were true. His response, while evasive, still seemed to suggest that there was more to this story:&lt;br /&gt;&lt;blockquote&gt;I'm not familiar with the details. But I do know that there is this continuing, ongoing investigation of the matter. Hopefully, over the course of time, we can talk a little bit more about precisely what happened. 
I am familiar with the report, I am just not in a position to answer any details.&lt;/blockquote&gt;It has now been a year since the company first disclosed that the hack occurred, yet it still has not revealed if its intercept systems were in fact breached.&lt;br /&gt;&lt;br /&gt;It is time for Google to fess up - its customers have a right to know, and members of Congress similarly need to be aware of the risks of adding further backdoors to our communications networks.&lt;br /&gt;&lt;br /&gt;&lt;object width="640" height="385"&gt;&lt;param name="movie" value="http://www.youtube.com/v/slwhI5m4lOs?fs=1&amp;amp;hl=en_US&amp;start=73"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/slwhI5m4lOs?fs=1&amp;amp;hl=en_US&amp;start=73" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"&gt;&lt;/embed&gt;&lt;/object&gt;</description><link>http://paranoia.dubfire.net/2011/02/web-20-fbi-backdoors-are-bad-for.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-1745180408106342909</guid><pubDate>Wed, 02 Feb 2011 01:00:00 +0000</pubDate><atom:updated>2011-02-02T11:49:49.562-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">adobe</category><category domain="http://www.blogger.com/atom/ns#">privacy</category><title>An open letter to Adobe</title><description>MeMe Rasmussen&lt;br /&gt;Chief Privacy Officer&lt;br /&gt;Adobe Systems Inc.&lt;br /&gt;&lt;br /&gt;Dear MeMe,&lt;br /&gt;&lt;br /&gt;Yesterday, as you know, two researchers from Carnegie Mellon 
University &lt;a href="http://www.cylab.cmu.edu/research/techreports/2011/tr_cylab11001.html"&gt;released a study&lt;/a&gt; on the extent to which Flash Local Stored Objects ("Flash cookies") are used on popular websites, and in particular, how often sites engage in cookie "respawning".&lt;br /&gt;&lt;br /&gt;Before discussing the report, I want to begin by stating that I have great respect for the two researchers, Dr &lt;a href="http://www.aleecia.com/"&gt;Aleecia McDonald&lt;/a&gt; and Professor &lt;a href="http://lorrie.cranor.org/"&gt;Lorrie Cranor&lt;/a&gt;. They both have truly stellar track records in their area of academic expertise: the study of usable security and privacy.&lt;br /&gt;&lt;br /&gt;However, I have serious misgivings about the motivation of this study, the role that several non-academic entities played in shaping it, its methodology, and the way that it may be used by your company and others in industry to &lt;a href="http://twitter.com/JulesPolonetsky/status/32119079032594432"&gt;whitewash&lt;/a&gt; a significant privacy issue.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The motivation of the study, and the role played by Adobe, CDT and Reed Freeman&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;strike&gt;It is not entirely clear, at least from publicly available sources, who first came up with the idea for the study. 
That is, did the researchers decide to conduct the study, and seek funding from Adobe and CDT in order to help pay their costs, or did Adobe seek to repair its own reputation, write a large check to the Center for Democracy and Technology (CDT), which then passed on some of the money to these researchers in order to produce the report?&lt;/strike&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Update Feb 2&lt;/b&gt;: A &lt;a href="http://blogs.adobe.com/conversations/2011/01/carnegie-mellon-university-study-suggests-browser-cookie-respawning-may-be-waning.html"&gt;post by&lt;/a&gt; MeMe on Adobe's official blog confirms that:&lt;blockquote&gt;Adobe commissioned the Carnegie Mellon University research study ... with assistance provided by the Center for Democracy and Technology (CDT)&lt;/blockquote&gt;What is clear, from the acknowledgements at the end of the report, is that the researchers received financial support from Adobe. Looking at CDT's funding charts for &lt;a href="http://cdt.org/files/chart.png"&gt;2009&lt;/a&gt; and &lt;a href="http://cdt.org/files/cdtfundingchart2010.png"&gt;2010&lt;/a&gt;, it looks like 2010 is the first year that Adobe has given any money to CDT. Was this funding tied to the creation and publication of this report?&lt;br /&gt;&lt;br /&gt;Both Adobe and CDT are thanked by the researchers for assistance in developing the experimental protocol, and several CDT staff members are thanked for providing the researchers with assistance and feedback on their report. One other person who is thanked for his assistance is &lt;a href="http://www.mofo.com/d-reed-freeman/"&gt;Reed Freeman&lt;/a&gt;, a partner at the law firm Morrison &amp; Foerster.&lt;br /&gt;&lt;br /&gt;Given the trigger-happy nature with which some firms fire off DMCA cease and desist letters, or call in the Department of Justice, it is unfortunately quite common for privacy and security researchers to have to solicit the advice and assistance of attorneys before publishing research. 
I myself have several attorneys on speed-dial, and have turned to the absolutely amazing attorneys at the Electronic Frontier Foundation (EFF) on several occasions.&lt;br /&gt;&lt;br /&gt;What puzzles me, though, is why Professor Cranor did not go to the EFF for her legal questions, particularly given that she serves on EFF's &lt;a href="https://www.eff.org/about/board"&gt;board of directors&lt;/a&gt;. Instead, she sought and received feedback from Reed Freeman.&lt;br /&gt;&lt;br /&gt;As far as I know, Reed has no experience or special expertise in helping academic researchers avoid lawsuits from pissed off companies. However, he does have quite a bit of experience in helping companies engulfed in privacy scandals escape the wrath of the Federal Trade Commission. For example, he represented Netflix a year ago, after the FTC &lt;a href="http://www.ftc.gov/os/closings/100312netflixletter.pdf"&gt;took an interest&lt;/a&gt; (pdf) in the company's plan to share a second dataset of its customers' movie reviews.&lt;br /&gt;&lt;br /&gt;I would love to find out the role that he played in shaping this study and the final report. 
Did he provide advice to these researchers on a pro-bono basis, or did Adobe pick up the likely very expensive tab for his assistance?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Research methodology&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This study was a response to a &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862"&gt;2009 study&lt;/a&gt; by Soltani et al, which coined the term "respawning Flash cookies" and exposed several major web properties and advertising networks engaging in the practice.&lt;br /&gt;&lt;br /&gt;Leaving aside the &lt;a href="http://twitter.com/joebeone/status/32186426908999681"&gt;potential&lt;/a&gt; &lt;a href="http://twitter.com/joebeone/status/32200089216749568"&gt;issues&lt;/a&gt; that Joe Hall has raised of how the researchers chose the 500 random sites, I want to focus on one key area which suggests serious limits (and perhaps even flaws) in this study.&lt;br /&gt;&lt;br /&gt;Consider the data collection method followed by Soltani:&lt;blockquote&gt;Each session consisted of starting on a Firefox about:blank page with clean data directories. We then navigated directly to the site in question (by entering the domain name into the browser’s navigation bar) and mimicked a ‘typical’ users session on that site for approximately 10 pages. For example, on a video site, we would search for content and browse videos. On a shopping site, we would add items to our shopping cart. We did not create accounts or login for any of the sites tested. As a result, we had to ‘deep link’ directly into specific user pages for sites such as Facebook.com or Myspace.com since typically these sites do not easily allow unauthenticated browsing.&lt;/blockquote&gt;&lt;br /&gt;In the CMU study, the researchers visited the &lt;b&gt;front page only&lt;/b&gt; of the top 100 sites, plus an additional random 500 sites. The researchers did not navigate beyond paywalls, conduct searches, click on items to add them to shopping carts, or otherwise interact with the sites. 
As such, any Flash cookies present on these other pages have gone undiscovered.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Naming names&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;One important norm in the academic privacy community is that when researchers discover companies engaged in privacy invasive (or even just problematic) practices, they are named. Soltani et al named the companies they discovered respawning Flash cookies, &lt;a href="http://www2.research.att.com/~bala/papers/wosn09.pdf"&gt;Krishnamurthy and Wills&lt;/a&gt; (pdf) named Facebook, MySpace and a few other social networks that were leaking user identifiers via referrer headers, and &lt;a href="http://cseweb.ucsd.edu/~d1jang/papers/ccs10.pdf"&gt;Jang et al&lt;/a&gt; (pdf) named YouPorn, Morningstar, Charter and the dozens of other firms they discovered abusing CSS flaws to determine users' browsing history.&lt;br /&gt;&lt;br /&gt;Similarly, when Professor Cranor, Dr McDonald and several other CMU researchers &lt;a href="http://www.cylab.cmu.edu/research/techreports/2010/tr_cylab10014.html"&gt;published a paper&lt;/a&gt; last year examining the extent to which major websites misrepresent their privacy policies via machine-readable P3P headers, the researchers identified the offending websites.&lt;br /&gt;&lt;br /&gt;It seems curious, then, that this time around, these same researchers would decide to not identify the two companies that they discovered were engaged in Flash cookie respawning.&lt;br /&gt;&lt;br /&gt;It is just a wild guess, but I suspect that the decision not to identify the offending firms was not a decision left up to the researchers. What I do not know though, is if this was a decision made by CDT, or Adobe.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Adobe's commitment to privacy&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;One year ago, you submitted &lt;a href="http://www.ftc.gov/os/comments/privacyroundtable/544506-00085.pdf"&gt;written comments&lt;/a&gt; (pdf) to the FTC as part of its series of privacy roundtables. 
In your submission, you wrote that:&lt;blockquote&gt;Adobe condemns the practice of using Local Storage to back up browser cookies for the purpose of restoring them later without user knowledge and express consent.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;Adobe is committed to supporting research to determine the various types and extent of the misuse of Local Storage. We are eager to participate in the discussion of which uses are and are not privacy friendly. &lt;b&gt;We will support appropriate action&lt;/b&gt;, in consultation with the development, advocacy, &lt;b&gt;regulatory&lt;/b&gt;, and legislative communities, &lt;b&gt;to eradicate&lt;/b&gt; bad, unintended uses of Local Storage.&lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;Adobe Supports the Commissions’ Use of its Authority to Police Unfair and Deceptive Acts and Practices in Commerce.&lt;br /&gt;&lt;br /&gt;Adobe believes that existing legislation and regulation provide the Commission with robust enforcement authority against deceptive or unfair trade practices, including the use of Local Storage to re-spawn cookies users have deleted.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Adobe should identify the offending websites, or at least rat them out to the FTC&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The studies published by Soltani et al, Krishnamurthy and Wills and Jang et al have all led to class action lawsuits against the companies engaged in the various privacy violating activities exposed by these researchers. As such, it is quite reasonable to assume that had the CMU Flash cookie study identified the two firms that were caught engaging in Flash cookie respawning, class action lawsuits would have soon followed.&lt;br /&gt;&lt;br /&gt;Given the strong tone you took in your FTC comments, and the fact that Adobe "condemns" the misuse of your technology to violate consumers' privacy, it is surprising that you have not pushed for the identification of these two companies. 
Surely the millions of users of Flash who have had their privacy violated by these firms should have an opportunity to seek their day in court?&lt;br /&gt;&lt;br /&gt;Even if you do not wish to expose these firms to the threat of class action litigation, at the very least, you should turn them in to the FTC, which would then be able to investigate the firms, and prohibit them from engaging in similar privacy violations in the future.&lt;br /&gt;&lt;br /&gt;As such, I hope you will confirm if you know the identity of the two firms discovered by the CMU researchers, and further confirm what plans you have, if any, to provide FTC staff with the evidence that was uncovered.&lt;br /&gt;&lt;br /&gt;It is time for Adobe to be a leader on privacy. Turning these two firms in to the FTC would be a good first step.&lt;br /&gt;&lt;br /&gt;With regards,&lt;br /&gt;&lt;br /&gt;Christopher</description><link>http://paranoia.dubfire.net/2011/02/open-letter-to-adobe.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-2318445044110076343</guid><pubDate>Tue, 01 Feb 2011 15:03:00 +0000</pubDate><atom:updated>2011-02-01T10:51:43.844-05:00</atom:updated><title>A lesson on saying no to governments from Google, Twitter and Vodafone</title><description>I've been thinking a lot recently about the role that technology companies play in facilitating or frustrating the efforts of governments to spy on or censor their citizens.&lt;br /&gt;&lt;br /&gt;As such, I think it is interesting to compare the actions by a few large firms in response to the recent events in Egypt.&lt;br /&gt;&lt;br /&gt;First, from &lt;a 
href="http://googleblog.blogspot.com/2011/01/some-weekend-work-that-will-hopefully.html"&gt;Google and Twitter&lt;/a&gt; yesterday:&lt;blockquote&gt;Like many people we’ve been glued to the news unfolding in Egypt and thinking of what we could do to help people on the ground. Over the weekend we came up with the idea of a speak-to-tweet service—the ability for anyone to tweet using just a voice connection.&lt;br /&gt;&lt;br /&gt;We worked with a small team of engineers from Twitter, Google and SayNow, a company we acquired last week, to make this idea a reality. It’s already live and anyone can tweet by simply leaving a voicemail on one of these international phone numbers ...&lt;br /&gt;&lt;br /&gt;We hope that this will go some way to helping people in Egypt stay connected at this very difficult time. Our thoughts are with everyone there.&lt;/blockquote&gt;And Vodafone, on Friday:&lt;blockquote&gt;All mobile operators in Egypt were instructed on Friday to suspend services in some areas amid widespread protests against President Hosni Mubarak's rule, Vodafone Group PLC (VOD) said in a statement.&lt;br /&gt;&lt;br /&gt;"All mobile operators in Egypt have been instructed to suspend services in selected areas," the U.K. company said, adding that under Egyptian law it was "obliged" to comply with the order.&lt;br /&gt;&lt;/blockquote&gt;The following day, Vodafone &lt;a href="http://www.vodafone.com/content/index/press.html"&gt;issued an updated statement&lt;/a&gt;:&lt;blockquote&gt;Vodafone restored voice services to our customers in Egypt this morning, as soon as we were able.&lt;br /&gt;&lt;br /&gt;We would like to make it clear that the authorities in Egypt have the technical capability to close our network, and if they had done so it would have taken much longer to restore services to our customers. 
&lt;br /&gt;&lt;br /&gt;It has been clear to us that there were no legal or practical options open to Vodafone, or any of the mobile operators in Egypt, but to comply with the demands of the authorities. &lt;br /&gt;&lt;br /&gt;Moreover, our other priority is the safety of our employees and any actions we take in Egypt will be judged in light of their continuing wellbeing.&lt;/blockquote&gt;These statements reveal significantly different positions by large, multi-national corporations. Google and Twitter opted to thumb their noses at the Egyptian government's attempt to silence its citizens, while Vodafone meekly complied, shutting down one of the largest wireless phone networks in the country.&lt;br /&gt;&lt;br /&gt;Does this mean that Twitter and Google value human rights more than Vodafone? Does it mean that Vodafone hates freedom? Not really.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The government has guns, and we don't&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;For a bit of insight on this, let's turn to Google's CEO, Eric Schmidt, in what is perhaps his most truthful interview ever on the topic of privacy, and the reason why consumers should not trust their data to Google:&lt;blockquote&gt;There is a problem with the government which is that they have guns and we don't. And so the term "resistance", you want to be careful ... We are required to follow US law, and we do so, even if we don't like it. 
As the CEO of a public company (or a private company) there can be no other answer.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.youtube.com/watch?v=xwq7le9zSv0"&gt;Video of the interview&lt;/a&gt; (the quoted remarks start about 71 seconds in).&lt;br /&gt;&lt;br /&gt;The key difference between these firms is that neither Google nor Twitter has any infrastructure located in Egypt, while Vodafone likely has hundreds of millions of dollars worth of equipment located in the country. While the Egyptian government could raid Google's Cairo office and arrest its local marketing staff, the government cannot take Google's servers (which are located in other countries) offline. 
Twitter is in an even safer position, as it doesn't even have a local office in Egypt -- there is nothing that the government can do to hurt the company.&lt;br /&gt;&lt;br /&gt;As such, while Google and Twitter certainly deserve praise for going out of their way to frustrate the censorship efforts of the Egyptian government, we should remember that these firms are sacrificing very little in order to do so.&lt;br /&gt;&lt;br /&gt;Had Vodafone dared to ignore the government's order and kept its network running, the authorities would likely have seized or destroyed the firm's hugely valuable equipment.&lt;br /&gt;&lt;br /&gt;In order to accurately gauge a company's willingness to tell a particular government to go and fuck itself, you have to examine the actions of that company in countries where it actually has significant assets, and where the government can actually shut down its services.&lt;br /&gt;&lt;br /&gt;Rather than comparing Vodafone's actions to Google's Tweet-via-voicemail effort, it might be more useful to compare it to Google's recent, &lt;a href="http://torrentfreak.com/google-starts-censoring-bittorrent-rapidshare-and-more-110126/"&gt;voluntary move&lt;/a&gt; to scrub the auto-suggest results in its search engine, censoring a few high-profile keywords associated with filesharing and piracy. Google didn't even wait for the government to pass laws requiring it to censor search results; merely the &lt;a href="https://www.eff.org/coica"&gt;threat of such legislation&lt;/a&gt; on the horizon was enough to get the company to act.&lt;br /&gt;&lt;br /&gt;This is not to say that Google is evil, merely that it is a rational actor, and is going out of its way to avoid upsetting governments that can actually harm the company. 
Keep this in mind the next time that Google (or any other firm) thumbs its nose at the censorship activities of some government in a faraway country -- such actions are easy, but much tougher at home.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2318445044110076343?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/02/lesson-on-saying-no-to-governments-from.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>0</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-1299669665417532094</guid><pubDate>Mon, 31 Jan 2011 16:14:00 +0000</pubDate><atom:updated>2011-01-31T11:40:17.568-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">financial privacy</category><category domain="http://www.blogger.com/atom/ns#">data retention</category><title>Which US cable providers have privacy preserving data retention policies?</title><description>The decision to not retain logs of its customers' IP addresses is one of the best ways that a company can proactively take a stand in defense of user privacy. Two of Sweden's largest residential ISPs &lt;a href="http://news.cnet.com/8301-1023_3-10229618-93.html"&gt;have adopted&lt;/a&gt; such policies, with one &lt;A href="http://torrentfreak.com/wikileaks-isp-anonymizes-all-customer-traffic-to-beat-spying-110127/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed:%20Torrentfreak%20(Torrentfreak)"&gt;even taking&lt;/a&gt; the additional step of routing all its customers' data through an encrypted VPN service in order to anonymize the source of the traffic.&lt;br /&gt;&lt;br /&gt;Here in the US, it is unfortunate that Internet Service Providers seem unwilling to embrace such aggressive, pro-user data deletion policies. 
Instead, firms like Google make full use of Doublespeak in order to &lt;A href="http://googlepublicpolicy.blogspot.com/2008/02/are-ip-addresses-personal.html"&gt;justify their&lt;/a&gt; retention of user data (Those IP addresses we keep? Yeah, they're not really private information. Quick, look over there! We've created &lt;a href="http://www.nytimes.com/2010/10/10/science/10google.html"&gt;self-driving cars&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;However, even if US service providers have not embraced privacy, it appears that one or two firms have enacted policies that, as a perhaps unintentional side-effect, do significantly enhance their users' privacy.&lt;br /&gt;&lt;br /&gt;At a &lt;a href="http://judiciary.house.gov/hearings/hear_01252011.html"&gt;data retention hearing&lt;/a&gt; in the House of Representatives last week, Jason Weinstein, a deputy assistant attorney general in the Department of Justice, testified. Half-way through his &lt;a href="http://www.justice.gov/criminal/pr/testimony/2011/crm-testimony-110125.html"&gt;written remarks&lt;/a&gt; is this interesting fact:&lt;blockquote&gt;"One mid-size cell phone company does not retain any records, and others are moving in that direction. A cable Internet provider does not keep track of the Internet protocol addresses it assigns to customers, at all. Another keeps them for only seven days."&lt;/blockquote&gt;As I described in &lt;a href="http://paranoia.dubfire.net/2011/01/dojs-push-for-data-retention-competing.html"&gt;a blog post&lt;/a&gt; last week, the mid-size cell phone company he mentioned is most likely T-Mobile.&lt;br /&gt;&lt;br /&gt;Unfortunately, I have no idea about the identity of the two cable companies he mentioned.&lt;br /&gt;&lt;br /&gt;Since one of these firms keeps no logs at all, it cannot map an IP address back to a subscriber: none of its customers can have been targeted in filesharing lawsuits, and it will not have passed on a single DMCA complaint. 
Depending on how fast the media companies send out their complaints and lawsuit shakedown letters, it is quite possible that the customers of the second cable company may have escaped such harassment too.&lt;br /&gt;&lt;br /&gt;My question to those of you who follow the copyright infringement space is this: Do you know of any cable company whose customers have escaped filesharing lawsuits? If so, it might be because the firm has embraced a zero IP data retention policy.&lt;br /&gt;&lt;br /&gt;I'd love to know who this is -- and if I live in their service area, I'd love to give them my business.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-1299669665417532094?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/01/which-us-cable-providers-have-privacy.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-2785968885970695829</guid><pubDate>Sat, 29 Jan 2011 12:00:00 +0000</pubDate><atom:updated>2011-01-29T07:45:12.661-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">privacy</category><category domain="http://www.blogger.com/atom/ns#">data retention</category><title>Data retention push confirms DOJ hypocrisy</title><description>As I described in a &lt;a href="http://paranoia.dubfire.net/2011/01/dojs-push-for-data-retention-competing.html"&gt;lengthy blog post&lt;/a&gt; a couple days ago, the US law enforcement community is yet again pushing for mandatory data retention laws, which would require internet service providers to keep records detailing the IP addresses issued to their customers.&lt;br /&gt;&lt;br /&gt;At the hearing last Tuesday, Jason Weinstein of the Department of Justice &lt;a href="http://www.justice.gov/criminal/pr/testimony/2011/crm-testimony-110125.html"&gt;argued that&lt;/a&gt; the 
government needed this data to be able to effectively investigate serious crimes, such as terrorism and child exploitation.&lt;br /&gt;&lt;br /&gt;In what truly is a bit of Orwellian doublespeak, Mr. Weinstein told the Congressional committee that retaining this data would actually protect privacy:&lt;blockquote&gt;Unlike the Department of Justice – which must comply with the Constitution and laws of the United States and is accountable to Congress and other oversight bodies – malicious cyber actors do not respect our laws or our privacy. The government has an obligation to prevent, disrupt, deter, and defeat such intrusions. The protection of privacy requires that we keep information from those who do not respect it — from criminals and others who would abuse that information and cause harm.&lt;br /&gt;&lt;br /&gt;Investigating and stopping this type of criminal activity is a high priority for the Department, and investigations of this type require that law enforcement be able to utilize lawful process to obtain data about the activities of identity thieves and other online criminals. Privacy interests can be undercut when data is not retained for a reasonable period of time, thereby preventing law enforcement officers from obtaining the information they need to catch and prosecute those criminals. Short or non-existent data retention periods harm those efforts.&lt;/blockquote&gt;My absolute favorite bit of Mr. Weinstein's testimony is the first sentence above:&lt;blockquote&gt;Unlike the Department of Justice – which &lt;b&gt;must comply with the Constitution and laws of the United States&lt;/b&gt; and is accountable to Congress and other oversight bodies&lt;/blockquote&gt;What I love is the fact that Mr. 
Weinstein was able to repeat this complete and total lie, under oath, without ever once cracking a sheepish smile, or showing any sign of embarrassment.&lt;br /&gt;&lt;br /&gt;From The Washington Post, &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/18/AR2010011803982_pf.html"&gt;January 19, 2010&lt;/a&gt;:&lt;blockquote&gt;The FBI &lt;b&gt;illegally collected&lt;/b&gt; more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews... A Justice Department inspector general's report due out this month is expected to conclude that &lt;b&gt;the FBI frequently violated the law&lt;/b&gt; with its emergency requests, bureau officials confirmed.... FBI general counsel Valerie Caproni said in an interview Monday that the FBI technically violated the Electronic Communications Privacy Act when agents invoked nonexistent emergencies to collect records.&lt;/blockquote&gt;&lt;br /&gt;The Washington Post, &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/01/20/AR2010012002070.html?hpid=topnews"&gt;January 21, 2010&lt;/a&gt;:&lt;blockquote&gt;FBI agents for years sought sensitive records from telephone companies through e-mails, sticky notes, sneak peeks and other "startling" methods that violated electronic privacy law and federal policy, according to a Justice Department inspector general report released Wednesday.&lt;br /&gt;&lt;br /&gt;The study details how the FBI between 2002 and 2006 sent more than 700 demands for telephone toll information by citing often nonexistent emergencies and using sometimes misleading language. 
The practice of sending faulty "exigent" letters to three telecommunications providers became so commonplace that one FBI agent described it to investigators as "like having an ATM in your living room."&lt;/blockquote&gt;&lt;br /&gt;The New York Times, &lt;a href="http://www.nytimes.com/2007/03/10/washington/10fbi.html"&gt;March 10, 2007&lt;/a&gt;:&lt;blockquote&gt;Bipartisan outrage erupted on Friday on Capitol Hill as Robert S. Mueller III, the F.B.I. director, conceded that the bureau had improperly used the USA Patriot Act to obtain information about people and businesses...&lt;br /&gt;&lt;br /&gt;The report found many instances when national security letters, which allow the bureau to obtain records from telephone companies, Internet service providers, banks, credit companies and other businesses without a judge’s approval, were improperly, and sometimes illegally, used.&lt;br /&gt;&lt;br /&gt;Moreover, record keeping was so slipshod, the report found, that the actual number of national security letters exercised was often understated when the bureau reported on them to Congress, as required.&lt;/blockquote&gt;&lt;br /&gt;The Washington Post, &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/10/23/AR2005102301352.html"&gt;October 24, 2005&lt;/a&gt;:&lt;blockquote&gt;The FBI has conducted clandestine surveillance on some U.S. residents for as long as 18 months at a time without proper paperwork or oversight, according to previously classified documents to be released today.&lt;/blockquote&gt;These reports only detail violations of the law during the last few years. 
Such abuses are not a new phenomenon, though: the Department of Justice &lt;a href="http://articles.latimes.com/2008/mar/16/opinion/op-sanchez16"&gt;has abused its powers&lt;/a&gt; to illegally spy on Americans as long as the agency has existed.&lt;br /&gt;&lt;br /&gt;Furthermore, in spite of the numerous instances in which it was confirmed that FBI agents and DOJ officials violated the law and engaged in illegal surveillance, I can't think of a single instance where they (or the telecommunications carriers that collude in their crimes) have been arrested or prosecuted for doing so. Instead, they get a slap on the wrist, and then it is back to business as usual.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;One rule for us, one rule for them&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The push for data retention seems to be currently limited to IP address allocation records, but, if successful, it will almost certainly extend to non-content information associated with email, chat and instant messaging communications.&lt;br /&gt;&lt;br /&gt;The hypocrisy of the government's push for such data retention is clear when compared to the extreme efforts that government agencies go to in order to shield their own communications, documents and other records from the American people.&lt;br /&gt;&lt;br /&gt;Consider for a moment that this president, like Bush and Clinton before him, &lt;a href="http://www.nytimes.com/2008/11/16/us/politics/16blackberry.html"&gt;does not send any emails&lt;/a&gt;. The reason for this? Because such emails would have to be retained under the Presidential Records Act. Rather than let the American people later see a record of his official communications, he simply avoids email, and instead does everything by phone or in person.&lt;br /&gt;&lt;br /&gt;Of course, in this day and age, most people do not have the luxury of going without email. Private citizens, corporations and government employees alike rely on email to go about their daily business. 
However, while the email accounts that consumers rely on increasingly keep their communications forever (due to essentially unlimited storage), companies and government agencies are &lt;a href="http://www.insidecounsel.com/Exclusives/2010/12/Pages/How-Companies-Can-Protect-Themselves-from-Wikileaking-Part-2.aspx"&gt;increasingly embracing&lt;/a&gt; data deletion policies in order to limit the risk that their emails will later see the light of day, due to lawsuits or FOIA requests.&lt;br /&gt;&lt;br /&gt;For example, starting in the spring of 2010, the Federal Trade Commission (where I worked until August of 2010) adopted a 90-day email deletion policy. Any email messages that employees did not specifically mark to be saved would be automatically deleted after 90 days. This policy creates a significant barrier for public interest groups wishing to learn about the activities of the agency.&lt;br /&gt;&lt;br /&gt;At the FTC, all records about particular investigations are shielded from disclosure as long as the investigation is active. However, since most investigations take 6 months or more, by the time the investigation is eventually made public, many email messages will have already been deleted.&lt;br /&gt;&lt;br /&gt;Quite simply, government email deletion policies are specifically designed to circumvent and neutralize open government laws, such as the Freedom of Information Act.&lt;br /&gt;&lt;br /&gt;I am sure that the FTC is not the only government agency to embrace an aggressive data deletion policy, and at least right now, there is nothing that legally prohibits agencies from adopting such policies.&lt;br /&gt;&lt;br /&gt;This would be a great issue for pro-transparency, pro-oversight House Republicans to tackle. 
Perhaps once the administration is forced to reveal its own official communications to the whole world, it will be a bit more sympathetic to the efforts of privacy groups and corporations that wish to protect the privacy of regular users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2785968885970695829?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/01/data-retention-push-confirms-doj.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>1</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-5880197925328298021</guid><pubDate>Sat, 29 Jan 2011 10:40:00 +0000</pubDate><atom:updated>2011-01-29T05:59:04.141-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">financial privacy</category><title>US Treasury fudges truth on financial privacy</title><description>From the &lt;a href="http://www.nytimes.com/2011/01/29/business/29checkless.html?hp"&gt;New York Times today&lt;/a&gt;:&lt;blockquote&gt;In May, the government will no longer pay someone eligible for benefits with a mailed check. Instead, the money will be electronically deposited directly into a bank account or made accessible by a debit card. And by March 2013, the 10 million people who receive checks, out of 70 million people in all, must switch over to direct deposit or use a card. &lt;br /&gt;&lt;br /&gt;...&lt;br /&gt;&lt;br /&gt;Some see the decision as government meddling and say they fear their spending habits may be traced. But [David A. 
Lebryk, commissioner of the Treasury department’s Financial Management Service] said that &lt;b&gt;information could be obtained only with a court order in a "rare exception."&lt;/b&gt;&lt;/blockquote&gt;That quote caught my eye, because I don't think it is correct.&lt;br /&gt;&lt;br /&gt;In 1976, the Supreme Court ruled in &lt;i&gt;&lt;a href="http://en.wikipedia.org/wiki/United_States_v._Miller"&gt;United States v. Miller&lt;/a&gt;&lt;/i&gt; that bank customers have no legal right to privacy in financial information held by financial institutions. Responding to this ruling, Congress passed the &lt;a href="http://epic.org/privacy/rfpa/"&gt;Right to Financial Privacy Act&lt;/a&gt; (RFPA).&lt;br /&gt;&lt;br /&gt;The RFPA requires that "no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution &lt;b&gt;unless&lt;/b&gt; the financial records are reasonably described" &lt;b&gt;and&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;1. the customer authorizes access; &lt;br /&gt;2. &lt;b&gt;there is an appropriate administrative subpoena or summons;&lt;/b&gt;&lt;br /&gt;3. there is a qualified search warrant; &lt;br /&gt;4. there is an appropriate judicial subpoena; or&lt;br /&gt;5. there is an appropriate written request from an authorized government authority.&lt;/blockquote&gt;&lt;br /&gt;Administrative subpoenas are not court orders, and are not reviewed by a judge.&lt;br /&gt;&lt;br /&gt;As for the government's claim that such requests will be infrequent, occurring in "a rare exception", as I described at length in a &lt;a href="http://paranoia.dubfire.net/2010/12/dojs-hotwatch-real-time-surveillance-of.html"&gt;blog post&lt;/a&gt; just a couple months ago, the Department of Justice has argued in court that its prospective real-time surveillance of financial transactions is "routine". 
How exactly can something be both routine and a rare exception?&lt;br /&gt;&lt;br /&gt;The truth is that warrantless financial surveillance likely occurs on a massive scale. The American people (and Congress) have no idea that this happens, because the courts are largely not in the loop, and the government is not required to compile or publish any aggregate statistics on the use of such surveillance methods. That is, although there are &lt;a href="http://www.uscourts.gov/Statistics/WiretapReports.aspx"&gt;detailed annual reports&lt;/a&gt; on the use of wiretaps and other electronic intercepts by law enforcement agencies, we have no similar reports on the surveillance of our financial transactions.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5880197925328298021?l=paranoia.dubfire.net' alt='' /&gt;&lt;/div&gt;</description><link>http://paranoia.dubfire.net/2011/01/us-treasury-fudges-truth-on-financial.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><thr:total>2</thr:total></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-16750015.post-4205293761488933527</guid><pubDate>Thu, 27 Jan 2011 14:00:00 +0000</pubDate><atom:updated>2011-01-27T13:38:36.881-05:00</atom:updated><category domain="http://www.blogger.com/atom/ns#">opt out header</category><title>What the US government can do to encourage Do Not Track</title><description>Over the past few months, there has been a lot of discussion about Do Not Track. Although both the FTC and Commerce Department have recently issued privacy reports that mentioned Do Not Track, neither agency has the authority under existing law to make Do Not Track a reality. 
Either the industry can voluntarily agree to respect such a mechanism, or Congress is going to have to give the FTC the authority to make it happen.&lt;br /&gt;&lt;br /&gt;But wait, you might ask, Microsoft &lt;a href="http://paranoia.dubfire.net/2010/12/initial-thoughts-on-microsofts-ie9.html"&gt;has introduced&lt;/a&gt; a tracker blocking feature in the upcoming release of IE9 (similar to the massively popular AdBlock Plus add-ons for Firefox and Chrome), and this mechanism doesn't require that the online advertising industry embrace or respect it. &lt;br /&gt;&lt;br /&gt;That is certainly true. However, as the industry has demonstrated time and time again with its use of &lt;a href="http://www.mediapost.com/publications/?fa=Articles.showArticle&amp;art_aid=113594"&gt;Flash cookies&lt;/a&gt;, &lt;a href="http://blogs.forbes.com/kashmirhill/2010/11/30/history-sniffing-how-youporn-checks-what-other-porn-sites-youve-visited-and-ad-networks-test-the-quality-of-their-data/"&gt;CSS history sniffing&lt;/a&gt;, &lt;a href="http://blog.privacychoice.org/2010/09/11/transparency-works-specific-media-kills-the-cache/"&gt;cache cookies&lt;/a&gt;, and &lt;A href="http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html"&gt;browser fingerprinting&lt;/a&gt;, unless they are prohibited from doing so by law, companies will simply "innovate" and engineer around privacy enhancing features in the browser. 
&lt;br /&gt;&lt;br /&gt;What this means is that unless the FTC is given the authority to prevent it, ad networks will either switch domains frequently (so that the blacklists get stale), or host compelling content from the same servers and domains that they use for their ads (for example, if youtube.com is used to deliver videos and track users, consumers won't be able to effectively block it).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The do not track header&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As I described in a &lt;a href="http://paranoia.dubfire.net/2009/03/benefits-of-using-opt-outs.html"&gt;2009 blog post&lt;/a&gt;, opt out mechanisms that enable a user to affirmatively express her desire to not be tracked finally free us from this cycle of arms races, in which advertising networks innovate around the latest browser privacy control. At the time that I wrote that blog post, opt out cookies were the only way to express such a preference, which was unfortunate, because opt out cookies have a number of other problems that prevent them from scaling effectively.&lt;br /&gt;&lt;br /&gt;However, since then, the &lt;A href="http://paranoia.dubfire.net/2011/01/history-of-do-not-track-header.html"&gt;Do Not Track header&lt;/a&gt; has emerged as a vehicle for users to express their desire to be left alone: a single preference in the browser, which the browser then delivers, as an HTTP request header, to every website the user interacts with.&lt;br /&gt;&lt;br /&gt;On Monday of this week, Mozilla &lt;A href="http://firstpersoncookie.wordpress.com/2011/01/23/more-choice-and-control-over-online-tracking/"&gt;announced that&lt;/a&gt; it will be including support for the header in a future release of the Firefox browser, which should provide a fix for the current chicken/egg problem, in which no browser sends the header, and so no advertising network looks for and respects the header.&lt;br /&gt;&lt;br /&gt;Even though 300 million users will soon be able to send the Do Not Track header, the advertising industry 
doesn't seem too keen to support it. The Interactive Advertising Bureau's general counsel Mike Zaneis &lt;a href="http://www.mediapost.com/publications/?fa=Articles.showArticle&amp;art_aid=143512"&gt;told MediaPost&lt;/a&gt; that:&lt;blockquote&gt;"It's very simplistic to think that you just put something in a header and people will honor it." He adds that it isn't clear whether Mozilla's definition of online tracking for ad purposes aligns with that of self-regulatory groups. "It's an interesting idea that they can offer this header, but if nobody's reading it, and nobody knows what it means, why should we care as an industry?"&lt;br /&gt;&lt;br /&gt;Zaneis adds that the IAB is focusing on building out a self-regulatory system that requires companies to honor do-not-track cookies, but not other mechanisms like browser headers.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Why is the IAB focusing on opt-out cookies? Because they are difficult to discover, obtain and use, and easy to delete. Advertisers want to be able to tell Congress that they are doing &lt;b&gt;something&lt;/b&gt; to let consumers opt out, but don't actually want that mechanism to be easy to use. The Do Not Track header is so easy to enable that the ad industry is deeply worried that large numbers of consumers just might enable it. 
As such, the industry will likely do anything it can to derail the header, which almost certainly means that it won't support it until it is absolutely forced to.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;How can the Federal government help, without waiting for Congress to pass new laws&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The FTC seems to like the idea of the Do Not Track header -- certainly, the tweet that it issued on Monday praising Mozilla suggests as much.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;We’re pleased entities like Mozilla recognize that consumers want a choice in online tracking &amp; are taking steps 2 give it 2 them. &lt;a href="http://twitter.com/search?q=%23dntrack"&gt;#dntrack&lt;/a&gt;&lt;br /&gt;&lt;a href="http://twitter.com/FTCgov/status/29588107758145536"&gt;@FTCgov, Mon Jan 24 17:15:29 +0000 2011&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Unfortunately, as I described above, neither the FTC nor Commerce can currently force the advertising networks to support the header. What they can do, though, is to publicly embrace the header as the best way for users to achieve Do Not Track. The best way to do this, even more so than tweeting about it, would be for government sites to support the Do Not Track header.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Federal cookie rules and opt outs&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;For more than a decade, Federal agencies were prohibited from using long term tracking cookies on their websites. In 2010, these rules were changed (after a lengthy public comment period, in which the government mostly ignored the suggestions of privacy advocates).&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf"&gt;new rules&lt;/a&gt; (pdf) permit tracking technologies, but require opt outs:&lt;blockquote&gt;&lt;b&gt;Clear Notice and Personal Choice&lt;/b&gt;. Agencies must not use web measurement and customization technologies from which it is not easy for the public to opt-out. 
Agencies  should explain in their Privacy Policy the decision to enable web measurement and customization technologies by default or not, thus requiring users to make an opt-out or  opt-in decision.  Agencies must provide users who decline to opt in or decide to opt-out  with access to information that is comparable to the information available to users who  opt-in or decline to opt-out. &lt;br /&gt;  &lt;br /&gt;a. &lt;b&gt;Agency side opt-out&lt;/b&gt;.  Agencies are encouraged and authorized, where  appropriate, to use web tracking and measurement technologies in order to remember that a user has opted out of all other uses of such technologies on the relevant domain or application.  Such uses are considered Tier 2. &lt;br /&gt;&lt;br /&gt;b. &lt;b&gt;Client side opt-out&lt;/b&gt;. If agency side opt-out mechanisms are not appropriate or available, instructions on how to enable client side opt-out mechanisms may be used.  Client side opt-out mechanisms allow the user to opt out of web measurement and customization technologies by changing the settings of a specific application or program on the user’s local computer.  For example, users may be able to disable persistent cookies by changing the settings on commonly used web browsers.  Agencies should refer to &lt;a href="http://www.usa.gov/optout_instructions.shtml"&gt;http://www.usa.gov/optout_instructions.shtml&lt;/a&gt;, which contains general instructions on how the public can opt out of some of the most commonly used web measurement and customization technologies.&lt;/blockquote&gt;Unfortunately, the "recommended" opt out procedures on the usa.gov website merely tell consumers how they can disable cookies on various popular browsers. 
Those consumers who neglect to disable cookies in their browsers will be tracked whether they like it or not.&lt;br /&gt;&lt;br /&gt;This form of "opt out" (take our long-term tracking cookies, or disable them in your browser) was exactly the method that the online behavioral advertising industry long offered, until, bowing to pressure from privacy advocates and regulators, it started to offer the cookie-based opt outs now featured on the &lt;a href="http://www.networkadvertising.org"&gt;Network Advertising Initiative&lt;/a&gt; website.&lt;br /&gt;&lt;br /&gt;Thankfully, not all government agencies have followed the sample opt out features on usa.gov. The Office of Scientific &amp; Technical Information (OSTI), for example, has its &lt;a href="http://www.osti.gov/optout"&gt;own opt out cookie&lt;/a&gt;, which disables the collection of web measurement and tracking data on the OSTI website.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_Jo3bGS8EYL8/TUF546amZ6I/AAAAAAAAAvw/pP8Zok7Ryks/s1600/osti-opt-out.PNG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center; width: 400px; height: 169px;" src="http://1.bp.blogspot.com/_Jo3bGS8EYL8/TUF546amZ6I/AAAAAAAAAvw/pP8Zok7Ryks/s400/osti-opt-out.PNG" border="0" alt="OSTI opt out cookie page" id="BLOGGER_PHOTO_ID_5566864633067104162" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is far better than the approach taken by usa.gov, and actually gives visitors to the site a usable mechanism with which to protect their privacy. 
Unfortunately, if each federal agency develops and deploys its own opt out cookie, we will find ourselves in the same problematic situation that currently exists in the behavioral advertising industry (where there are more than 100 different opt out cookies available from various firms).&lt;br /&gt;&lt;br /&gt;In &lt;a href="http://www.scribd.com/doc/17861000/Chris-Soghoians-comments-on-federal-cookie-policies"&gt;my written comments&lt;/a&gt; to the White House back in 2009, I highlighted this problem:&lt;blockquote&gt;The federal government should learn from the mistakes of the behavioral advertising industry. In your blog post, you also propose that federal government web sites be required to "[p]rovide a clear and understandable means for a user to opt-out of being tracked." As you consider a policy that will require federal websites to offer opt-outs to consumers, it would be useful to look to the situation in the behavioral advertising industry (where opt-out capabilities are widespread, yet difficult to use and discover by consumers), in order to avoid some of the many mistakes and pitfalls that have been made there.&lt;/blockquote&gt;In order to avoid these problems, I suggested that the White House:&lt;blockquote&gt;Require that Federal web sites support a single, browser based universal opt-out header in addition to the opt-out cookie. This header approach has been repeatedly proposed in the behavioral advertising arena, and would solve many of the problems that plague the current cookie-based opt-out model.&lt;/blockquote&gt;&lt;br /&gt;Now that Mozilla has actually embraced the Do Not Track header (a proposal that had been implemented only as a prototype add-on when I submitted my comments in 2009), the Federal Government could realistically embrace the header as an improved mechanism for tracking opt outs on government sites. This would solve two problems at once: 1. avoiding the chaos of 100+ different federal agency opt out cookies, and 2. 
providing early support for the Do Not Track header at a time when the technology proposal could very much use a boost.</description><link>http://paranoia.dubfire.net/2011/01/what-us-government-can-do-to-encourage.html</link><author>noreply@blogger.com (Christopher Soghoian)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Jo3bGS8EYL8/TUF546amZ6I/AAAAAAAAAvw/pP8Zok7Ryks/s72-c/osti-opt-out.PNG" height="72" width="72" /><thr:total>0</thr:total></item></channel></rss>

