<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.dubfire.net/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.dubfire.net/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:media="http://search.yahoo.com/mrss/" xmlns:yt="http://gdata.youtube.com/schemas/2007" version="2.0">
   <channel>
      <title>Slight Paranoia (Chris Soghoian)</title>
      <description>Pipes Output</description>
      <link>http://pipes.yahoo.com/pipes/pipe.info?_id=MrFodkBb3BGd62zPJhOy0Q</link>
      <pubDate>Tue, 08 Jul 2008 18:51:21 PDT</pubDate>
      <generator>http://pipes.yahoo.com/pipes/</generator>
      <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.dubfire.net/SlightParanoia" type="application/rss+xml" /><item>
         <title>Your papers please: TSA bans ID-less flight</title>
         <link>http://www.cnet.com/8301-13739_1-9962760-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;In a major change of policy, the Transportation Security Administration &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.tsa.gov/press/happenings/enhance_id_requirements.shtm"&gt;has announced&lt;/a&gt; that passengers refusing to show ID will no longer be able to fly. The policy change, announced on Thursday afternoon, will go into force on June 21, and will only affect passengers who refuse to produce ID. Passengers who claim to have lost or forgotten their proof of identity will still be able to fly.&lt;/p&gt; &lt;p&gt;As long as TSA has existed, passengers have been able to fly without showing ID to government agents. Doing so would result in a secondary search (a pat down and hand search of your carry-on bag), but passengers were still permitted to board their flights. In some cases, taking advantage of this right to refuse ID came with fringe benefits--&lt;a rel="nofollow" class="external-link" target="_blank" href="http://news.cnet.com/8301-13739_3-9769089-46.html"&gt;being bumped to the front of the checkpoint queue&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;For a few years after September 11, 2001, TSA's policies when it came to flying without ID were somewhat fuzzy. The agency, like many other parts of the Bush Administration, has hidden behind the shroud of classification--in TSA's case, labeling everything &lt;a rel="nofollow" class="external-link" target="_blank" href="http://rf-web.tamu.edu/security/Security%20Guide/S2unclas/Ssi.htm"&gt;Sensitive Security Information&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Seeking to clarify the rules, activist John Gilmore took the U.S. government to court in 2004. Gilmore chose to take a particularly hard line, by refusing to show ID to TSA and also by refusing to undergo the more thorough "secondary screening" search. He eventually lost his case before the 9th Circuit of the U.S. 
Court of Appeals.&lt;/p&gt; &lt;p&gt;While the judges were not willing to let Gilmore avoid the secondary screening search, they did at least &lt;a rel="nofollow" class="external-link" target="_blank" href="http://papersplease.org/gilmore/_dl/GilmoreDecision.pdf"&gt;recognize the right to travel without showing ID&lt;/a&gt;--providing that passengers are willing to be subject to a pat down and a bit of probing:&lt;/p&gt; &lt;blockquote&gt;"The identification policy requires that airline passengers either present
identification or be subjected to a more extensive search. The more extensive
search is similar to searches that we have determined were reasonable
and consistent with a full recognition of appellants' constitutional right to
travel."&lt;/blockquote&gt; &lt;p&gt;Since then, in at &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.dubfire.net/warner-tsa.pdf"&gt;least two letters&lt;/a&gt; to citizens, TSA has &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.azstarnet.com/news/235184"&gt;re-affirmed this right&lt;/a&gt;. In March 2008, a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://papersplease.org/wp/wp-content/uploads/2008/03/tsa-080226-070-mocek.pdf"&gt;TSA official wrote that&lt;/a&gt;: &lt;blockquote&gt;"If a traveler is unwilling or unable to produce a valid form of ID, the traveler is required to undergo additional screening at the checkpoint to gain access to the secured area of the airport."&lt;/blockquote&gt; &lt;p&gt;&lt;b&gt;A change in policy&lt;/b&gt;&lt;/p&gt; &lt;p&gt;In a press release issued on Thursday with little fanfare, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.tsa.gov/press/happenings/enhance_id_requirements.shtm"&gt;TSA announced&lt;/a&gt; a major change in its rules.&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity."&lt;/p&gt; &lt;p&gt;This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. 
Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures."&lt;/p&gt;&lt;/blockquote&gt; &lt;p&gt;To clarify: Passengers who refuse to show ID, citing a constitutional right to fly without ID, will be refused passage beyond the checkpoints. Passengers who say they have left their ID at home will be searched, and then permitted to board their flights.&lt;/p&gt; &lt;p&gt;While TSA's announcement stated that the goal of the change was to "increase safety," this blogger disagrees. The change of rules seems to be a pretty obvious case of security theater. Real terrorists do not refuse to show ID. They claim to have lost their ID, or they use a fake.&lt;/p&gt; &lt;p&gt;TSA's new rules only protect us from a non-existent breed of terrorists who are unable to lie.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Fixing flaws vs. security theater&lt;/b&gt;&lt;/p&gt; &lt;p&gt;In a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1001675"&gt;research paper&lt;/a&gt; published in 2007, I outlined a number of glaring loopholes allowing the total circumvention of the much-criticized &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.aclu.org/safefree/general/21164res20051026.html"&gt;no-fly lists&lt;/a&gt;. The two main flaws were that passengers can modify boarding passes, and that they can refuse to show ID.&lt;/p&gt; &lt;p&gt;In December 2007, TSA &lt;a rel="nofollow" class="external-link" target="_blank" href="http://news.cnet.com/8301-13739_3-9918813-46.html"&gt;began testing&lt;/a&gt; out a secure, authenticated, tamper-proof boarding pass scheme. 
It has since been rolled out to &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/cars/2008/05/tsa-and-contine.html"&gt;a number of major airports&lt;/a&gt; around the country.&lt;/p&gt; &lt;p&gt;With hundreds of millions of dollars having already been spent on the various no-fly lists, it is at least interesting to see that &lt;i&gt;someone&lt;/i&gt; at TSA is now spending time on fixing the loopholes in the system. The most glaring of these has long been the fact that passengers can refuse to show (or claim to have forgotten) their ID. Simply put, without being able to know who is walking through a checkpoint, there is no way to know that the "bad guys" have been caught by the no-fly list.&lt;/p&gt; &lt;p&gt;TSA's new rule, while perhaps motivated by a desire to beef up security, is significantly flawed. Terrorists will lie, and claim to have lost their ID--while law-abiding citizens wishing to assert their rights will be hassled, and refused flight.&lt;/p&gt; &lt;p&gt;Of course, all of this is premised on the idea that the no-fly list is actually a useful safety tool--something that I, and a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://techliberation.com/2008/06/09/id-checks-are-about-control-not-security/"&gt;number of other&lt;/a&gt; prominent security experts, strongly disagree with. 
Simply put, terrorists do not pre-register their intent.&lt;/p&gt; &lt;p&gt;As Bruce Schneier has noted before, the no-fly list is a collection of hundreds of thousands of people who are too dangerous to fly, but not guilty enough to be charged with a crime.&lt;/p&gt; &lt;p&gt;These are interesting times, indeed.&lt;/p&gt; &lt;p&gt;Thanks to &lt;a rel="nofollow" class="external-link" target="_blank" href="http://boardingarea.com/blogs/viewfromthewing/2008/06/08/the-tsa-will-decide-if-you-can-fly-without-id-based-on-your-attitude/"&gt;Gary @ View from the Wing&lt;/a&gt; for spotting TSA's announcement.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Disclosure&lt;/b&gt;: I am supposed to be on a hiatus, but this topic was too important to leave alone. I am currently an intern at the American Civil Liberties Union of Northern California. These opinions are my own, and do not reflect anyone that pays me.&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9962760-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Mon, 09 Jun 2008 11:23:00 PDT</pubDate>
      </item>
      <item>
         <title>Hiatus</title>
         <link>http://www.cnet.com/8301-13739_1-9938264-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
<description>&lt;p&gt;Dear Readers,&lt;/p&gt; &lt;p&gt;I'll be taking the summer off from blogging here at Surveillance State.&lt;/p&gt; &lt;p&gt;On May 5, I started a summer internship at the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.aclunc.org/issues/technology/index.shtml"&gt;American Civil Liberties Union of Northern California&lt;/a&gt;. I want to avoid any possible conflict of interest regarding my blog posts, and so the simplest solution is to not blog.&lt;/p&gt; &lt;p&gt;In early September, I move to Boston to begin a one-year student fellow position at the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://cyber.law.harvard.edu/"&gt;Berkman Center for Internet and Society&lt;/a&gt; at Harvard Law School. I fully expect to begin blogging again as soon as I get to Boston.&lt;/p&gt; &lt;p&gt;See you in a few months.&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9938264-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Wed, 14 May 2008 10:25:00 PDT</pubDate>
      </item>
      <item>
         <title>Legal liability for YouTube viewers</title>
         <link>http://www.cnet.com/8301-13739_1-9936833-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
<description>&lt;p&gt;&lt;b&gt;Updated on 5/19/08 with comment from RealPlayer (see below)&lt;/b&gt;&lt;/p&gt; &lt;p&gt;Users of YouTube and other video-sharing sites could face $750 per clip penalties if they have watched a video that was uploaded without the copyright holder's permission.&lt;/p&gt; &lt;p&gt;Copyright infringement in the United States is a strict liability offense. What this means is that users are liable when they illegally copy works, even if they're not aware that this is wrong, or that the work is protected by copyright.&lt;/p&gt; &lt;p&gt;As an example, let us consider the popular video sharing website YouTube.&lt;/p&gt; &lt;p&gt;Every week, 6 days after the show airs, HBO uploads the most recent episode of "Real Time with Bill Maher." However, within a few hours of the show's TV broadcast, a number of other users upload copies that they have recorded with their computers.&lt;/p&gt; &lt;p&gt;When a user visits YouTube, and searches for "Bill Maher", he will see a large number of results - some of which will be for official content uploaded by HBO, and the vast majority of which are for copyrighted content illegally uploaded by other users.&lt;/p&gt; &lt;p&gt;According to a strict reading of the copyright laws, and discussions with legal scholars, users could unknowingly be liable if they click on the wrong YouTube link. The fact that they're not aware that a video was illegally uploaded is irrelevant. All that matters is that they clicked on a link, and watched the video.&lt;/p&gt; &lt;p&gt;For BitTorrent websites like The Pirate Bay, where the vast majority of the files are illegal, it is at least semi-reasonable to expect most users to know that they are engaged in an illegal act. However, for sites like YouTube, where both legal and illegal content are available on the same platform, it is significantly trickier. 
How exactly are the less tech-savvy amongst us supposed to determine if a file is legal to watch?&lt;/p&gt; &lt;p&gt;&lt;b&gt;Copytraps&lt;/b&gt;&lt;/p&gt; &lt;p&gt;The issue of unintentional home user liability is the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1019577"&gt;subject of a recent paper&lt;/a&gt; by Ned Snow, a law professor at the University of Arkansas. In "Copytraps", Professor Snow argues that copyright law unfairly exposes end users to significant liability, for actions which they have no reason to believe are illegal.&lt;/p&gt; &lt;p&gt;Professor Snow puts forth the following example: A user visits Google, and searches for the name of a band they like. One of the first results takes them to a website, named "legal-music-downloads.com". Once there, the user hands over her credit card, and pays $.99 per song to this unknown website. Now, imagine that "legal-music-downloads.com" is in fact a fraudulent website run by a couple of guys in Eastern Europe. They download files from BitTorrent, and then illegally re-sell them to American consumers.&lt;/p&gt; &lt;p&gt;As Prof. Snow describes, the fact that the end user thought she was participating in a legal purchase is irrelevant. All that matters is that she has copied (downloaded) a copyrighted work, which was not sold through legitimate means. This user could be liable for up to $750 per song.&lt;/p&gt; &lt;p&gt;This may sound crazy, but it's completely possible under the existing system. Yes, the RIAA and MPAA have, for now, gone after people who were sharing files. However, there is nothing in the law forcing them to stick to just those users. They are legally permitted to go after downloaders too.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Experts respond&lt;/b&gt;&lt;/p&gt; &lt;p&gt;To make sense of this, I turned to a few other experts in copyright law. 
First, I spoke with Corynne McSherry, a staff attorney at the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.eff.org"&gt;Electronic Frontier Foundation&lt;/a&gt;. McSherry told me that the scenarios I outlined were not beyond imagination, and quite possible under existing copyright law.&lt;/p&gt; &lt;p&gt;As an example of copyright holders going after &lt;i&gt;downloaders&lt;/i&gt;, she pointed to a 2006 attempt by the Embroidery Software Protection Coalition to get the identities of all the participants of an online embroidery discussion forum. In support of their claims, the Coalition &lt;a rel="nofollow" class="external-link" target="_blank" href="http://online.wsj.com/article/SB115820000287462686-search.html?KEYWORDS=embroidery&amp;COLLECTION=wsjie/6month"&gt;compared the stitchers' online screeds&lt;/a&gt; to "terrorist activities" and accused them of posting slanderous statements "that marched across the Internet bulletin boards and chat groups similar to Hitler's march across Europe."&lt;/p&gt; &lt;p&gt;The Embroidery Coalition, following tactics similar to the RIAA and MPAA, threatened grandmothers with lawsuits for downloading copyrighted embroidery patterns from the Internet. These little old ladies were given the choice of either paying a few hundred dollars, or facing a lawsuit.&lt;/p&gt; &lt;p&gt;Luckily, the lawyers at the EFF were able to get the Coalition to back down, but this does at least prove that left unchecked, copyright law can be used to go after the end users.&lt;/p&gt; &lt;p&gt;The EFF's McSherry told me that the penalties in copyright law were "not like many other areas of the law where you have to show harm." Thus, illegally copying a song that is sold for $.99 at the iTunes store can still lead to a $750 per song fine. 
McSherry labeled this as "completely disproportionate" and said that because of this, "for regular people, who don't have thousands of dollars, the inclination is to settle (the cases), rather than to fight."&lt;/p&gt; &lt;p&gt;&lt;b&gt;YouTube users at risk&lt;/b&gt;&lt;/p&gt; &lt;p&gt;While Professor Snow focuses on the example of lying websites, I am personally far more interested in liability for users of major sites like YouTube.&lt;/p&gt; &lt;p&gt;Sherwin Siy, an attorney with &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.publicknowledge.org"&gt;Public Knowledge&lt;/a&gt;, told me that my YouTube fears might be overblown. Siy points to a difference between downloading a video, and streaming it. He told me that "arguing that a buffer copy (for a streaming view) is a duplication, that's even more of an uphill (battle), and the potential awards might not be worth the attorneys' fees." He added that "merely watching a video on your screen, authorized or not, isn't going to be an infringement if you're not publicly performing or copying it."&lt;/p&gt; &lt;p&gt;Siy also noted that copyright law does allow for a reduced $200 per work penalty for infringement, if the pirate can prove that they had no reason to believe that they were infringing.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Updated:&lt;/b&gt;&lt;/p&gt; &lt;p&gt;Siy clarified his point in a follow-up email: "For instance, if my local network TV affiliate were to broadcast an infringing copy of a TV show, and I were to watch it at home, I would definitely not be liable. The copytraps idea might come into play had I (however innocently) taped or DVR'd the broadcast."&lt;/p&gt; &lt;p&gt;While Siy makes some good points, I will have to disagree with him on the issue of viewing vs. downloading. There are many off-the-shelf tools that allow users to download YouTube videos. 
The most widely deployed of these is RealPlayer, which &lt;strike&gt;automatically makes&lt;/strike&gt; &lt;i&gt;allows the user to make&lt;/i&gt; a local copy of every YouTube video that a user watches. YouTube has no way of knowing if someone is streaming or downloading a video - as it's simply a case of transferring bits over a wire. If the RIAA or MPAA ever subpoenaed YouTube's logs, they wouldn't be able to differentiate these users either.&lt;/p&gt; &lt;p&gt;&lt;b&gt;YouTube's Position&lt;/b&gt;&lt;/p&gt; &lt;p&gt;A few years ago, a number of major firms started threatening Linux end-users with patent lawsuits. In response, one or two Linux companies offered to shield their customers from such lawsuits. That is, buy Linux from us, and we'll cover any potential legal bills.&lt;/p&gt; &lt;p&gt;Thinking along these lines, I reached out to YouTube to get their perspective. I wanted to know if they would offer to foot the bills of users who were sued after watching a video on their site. I also wanted to find out if YouTube has ever disclosed a list of infringing viewer IP addresses to a copyright holder.&lt;/p&gt; &lt;p&gt;YouTube's spokesperson ignored my actual questions, and instead told me that:&lt;/p&gt; &lt;blockquote&gt;&lt;p&gt;We prohibit users from uploading infringing material, and we cooperate with all copyright holders to identify and promptly remove infringing content as soon as we are officially notified.&lt;/p&gt; &lt;p&gt;As a company that respects the rights of copyright holders, we expect to continue to take the lead in providing state of the art DMCA tools and processes for all copyright holders.&lt;/p&gt;
&lt;/blockquote&gt; &lt;p&gt;While the liability for end users remains unclear, there is certainly the potential for some nasty lawsuits, should the copyright owners decide to go down that path. In a conversation with me, Prof. Snow described a scary future with Copyright Trolls who delay sending takedown letters to websites, so that the number of infringing users (who the company can later go after) will increase.&lt;/p&gt; &lt;p&gt;A scary future indeed.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Update&lt;/b&gt;: Jeff Chasen, a VP at RealPlayer, contacted me to let me know that I had erred in my original blog post. He told me that:&lt;/p&gt; &lt;blockquote&gt;RealPlayer does not automatically download or make local copies of videos from YouTube. RealPlayer 11 gives users the option of downloading the video they are watching, but it requires that the user click a button to initiate the download. No copies or downloads occur until a user explicitly takes an action.&lt;/blockquote&gt; &lt;p&gt;I do stand by my original point though, which is that YouTube (and any copyright holder who gets a list of the views/downloads via a subpoena) has no way to tell when a user is watching a video, and when a user is downloading them via a single-click RealPlayer tool.&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9936833-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Wed, 14 May 2008 10:20:00 PDT</pubDate>
      </item>
      <item>
         <title>For Hezbollah, it's fiber warfare</title>
         <link>http://www.cnet.com/8301-13739_1-9942250-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;Over the past few weeks, things have heated up again in Lebanon, with the U.S.-backed government on one side and the Syrian-backed Hezbollah on the other. &lt;/p&gt;&lt;p&gt;
To many U.S. observers, this might be just another case of tensions flaring up in the Middle East. Do not be fooled. This is all about telecommunications policy--and the design of secure, attack-resistant data networks.&lt;/p&gt; &lt;p&gt;But first, a bit of background. Hezbollah and Israel have been at war for some time. In an effort to stop Hezbollah's guerrilla fighters from communicating, Israel has in the past jammed the cell phone towers in the Hezbollah-controlled areas in southern Lebanon. Eager to make sure that didn't happen again, Hezbollah has covertly built out a fiber-optic network throughout the areas it controls.&lt;/p&gt; &lt;p&gt;Jamming cell phones is relatively easy, as it is simply a matter of sending out radio waves. Disrupting a fiber-optic network, on the other hand, is extremely difficult. The Israelis would need to &lt;i&gt;locate&lt;/i&gt; the individual fiber-optic lines, and then cut them. To do that, they'd need boots on the ground, in control. This is not something that Israel, or even the central Lebanese government, can currently do.&lt;/p&gt; &lt;p&gt;It seems that recently, the U.S.-backed central government of Lebanon tried to put an end to Hezbollah's private network. Hezbollah responded with force, eventually taking over West Beirut. As the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/05/10/flames_lick_at_lebanon/"&gt;&lt;i&gt;Boston Globe&lt;/i&gt; recently reported&lt;/a&gt;: &lt;/p&gt; &lt;blockquote&gt;
&lt;p&gt;
(Hezbollah's leader, Hassan Nasrallah) said the government's decision to shut down Hezbollah's fiber-optic communications network was tantamount to a declaration of war. For the (central) government, the network represented an intolerable example of Hezbollah's efforts to set up an Iranian- and Syrian-backed state within Lebanon. Hezbollah justifies the network, which carried its communications during a 2006 war with Israel, as a vital security asset.
&lt;/p&gt;
&lt;/blockquote&gt; &lt;p&gt;This sort of thing, as interesting as it is, is way out of my league. To get a better grasp of the situation, I spoke with &lt;a rel="nofollow" class="external-link" target="_blank" href="http://globalguerrillas.typepad.com"&gt;John Robb, an expert in modern asymmetrical warfare, an author, and blogger.&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Robb said Hezbollah is not alone in building out its own communications infrastructure. He said that it is fairly common for such groups and that a similar situation exists in the Sadr City area of Baghdad.&lt;/p&gt; &lt;p&gt;Yahoo, Cisco Systems, and other U.S. companies have been heavily criticized for their assistance of China and its so-called Great Firewall. Thinking along these lines, I asked Robb which U.S. companies might be manufacturing Hezbollah's equipment. &lt;/p&gt;&lt;p&gt;
He responded that there is no reason to suspect that U.S. equipment was being used. He added that Chinese-made, no-name optical-networking gear is available in most of these markets and certainly available to Hezbollah. Even equipment five to seven years old, Robb said, would work for Hezbollah's needs.&lt;/p&gt; &lt;p&gt;As a technologist, and someone interested in tech policy, this is fascinating. We typically hear that developing countries are leapfrogging over the traditional wire-based network infrastructure, due to the costs involved, and going straight to mobile or Wi-Fi technologies. It's interesting to see that fiber-optic networks can play a vital role in these countries. It seems that when there is a real threat of network interruption and jamming, the cost and difficulty of laying the cable is worth it.
&lt;/p&gt;
&lt;p&gt;At the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://freedom-to-connect.net"&gt;Freedom To Connect&lt;/a&gt; conference a few weeks back, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blogs.law.harvard.edu/doc/about/"&gt;Doc Searls&lt;/a&gt; coined the term "&lt;a rel="nofollow" class="external-link" target="_blank" href="http://ideas.4brad.com/glass-roots-movement"&gt;glass roots&lt;/a&gt;" to describe community-built fiber networks. That term doesn't quite apply here, so I'm going to quickly stake my claim to "fiber warfare" (fiber vs. cyber, get it?). Remember, you heard it here first.&lt;/p&gt; &lt;p&gt;With that out of the way, I thought it'd be fun to end on a snarky note. For the last six months, I suffered with an AT&amp;#38;T 3Mbps DSL line. So how would Hezbollah act as an ISP? Consider these questions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;What, exactly, does Hezbollah consider to be "reasonable network management," and are its views on this area the same as Comcast's?&lt;/li&gt;
&lt;li&gt;Does Hezbollah block BitTorrent? Does it use Linux?&lt;/li&gt;
&lt;li&gt;Does Hezbollah offer so-called "naked" DSL?&lt;/li&gt;
&lt;li&gt;If I do not get satisfactory customer service from the Hezbollah ISP, what happens if I resort to a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://consumerist.com/consumer/complaint-letters/how-to-launch-an-executive-email-carpet-bomb-259713.php"&gt;Consumerist.com-style executive e-mail carpet bomb&lt;/a&gt;? Will its executives bomb me back?&lt;/li&gt;
&lt;li&gt;How does Hezbollah respond to Digital Millennium Copyright Act cease-and-desist threats? If the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/music/2008/01/is-the-riaa-afr.html"&gt;RIAA and MPAA are too scared to send DMCA threats&lt;/a&gt; to Harvard, will they risk sending them to Hezbollah?&lt;/li&gt;
&lt;li&gt;If I pay my fiber network bill late, will Hezbollah terminate my connection, or me?&lt;/li&gt;
&lt;li&gt;We do not have competition in most U.S. markets, but instead have a duopoly of crappy DSL and evil cable. How many Americans would switch to Hezbollah's fiber network if it meant that they could use BitTorrent without Comcast "temporarily delaying" their data transfers? Could Hezbollah force the Federal Communications Commission to open up the market to real competition?&lt;/li&gt;
&lt;/ul&gt; &lt;p&gt;&lt;b&gt;Update:&lt;/b&gt; For more info on Hezbollah's network infrastructure, check out &lt;a rel="nofollow" class="external-link" target="_blank" href="http://intellibriefs.blogspot.com/2008/05/lebanon-hezbollahs-communication.html"&gt;this detailed report&lt;/a&gt;.&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9942250-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Tue, 13 May 2008 08:45:00 PDT</pubDate>
      </item>
      <item>
         <title>U.K. turns CCTV, terrorism laws on pooping dogs</title>
         <link>http://www.cnet.com/8301-13739_1-9939635-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;The United Kingdom has the most surveillance &lt;a rel="nofollow" class="external-link" target="_blank" href="http://news.bbc.co.uk/2/hi/uk_news/334853.stm"&gt;cameras per capita&lt;/a&gt; in the world. With the recent news &lt;a rel="nofollow" class="external-link" target="_blank" href="http://arstechnica.com/news.ars/post/20080507-problems-with-the-panopticon-uks-cctv-doesnt-cut-crime.html"&gt;that CCTV cameras do not actually deter crime&lt;/a&gt;, how can the local town councils justify the massive surveillance program? By going after pooping dogs.&lt;/p&gt; &lt;p&gt;In a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.guardian.co.uk/uk/2008/may/06/ukcrime1"&gt;recent interview with &lt;i&gt;The Guardian&lt;/i&gt;&lt;/a&gt;, the head of the Metropolitan Police's Visual Images Office explained the failings of CCTV:&lt;/p&gt; &lt;blockquote&gt;
&lt;p&gt;"Billions of pounds has been spent on it, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3 percent of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? (They think) the cameras are not working."&lt;/p&gt;
&lt;/blockquote&gt; &lt;p&gt;Conjuring up the bogeymen of terrorists, online pedophiles and cybercriminals, the U.K. passed a comprehensive surveillance law, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act"&gt;The Regulation of Investigatory Powers Act&lt;/a&gt;, in 2000. The law allows "the interception of communications, carrying out of surveillance, and the use of covert human intelligence sources" to help prevent crime, including terrorism.&lt;/p&gt; &lt;p&gt;Recent &lt;a rel="nofollow" class="external-link" target="_blank" href="http://news.bbc.co.uk/2/hi/uk_news/7369543.stm"&gt;reports in the U.K. media&lt;/a&gt; indicate that the laws are being used for everything &lt;i&gt;but&lt;/i&gt; terrorism investigations: &lt;ul&gt;
&lt;li&gt;Derby City Council, Bolton, Gateshead, and Hartlepool used surveillance to investigate dog fouling.&lt;/li&gt;
&lt;li&gt;Bolton Council also used the act to investigate littering.&lt;/li&gt;
&lt;li&gt;The London borough of Kensington and Chelsea conducted surveillance on the misuse of a disabled parking pass.&lt;/li&gt;
&lt;li&gt;Liverpool City Council used Ripa to identify a false claim for damages.&lt;/li&gt;
&lt;li&gt;Conwy Council used the law to spy on a person who was working while off sick.&lt;/li&gt;
&lt;/ul&gt; &lt;p&gt;Privacy activists were, unsurprisingly, up in arms. Shami Chakrabarti, director of human rights group Liberty, told the BBC that "you don't use a sledgehammer to crack a nut, nor targeted surveillance to stop a litter bug." Liberty and other groups have called for a complete review of the law and its unplanned uses.&lt;/p&gt; &lt;p&gt;Is this surprising? Not really. Just as we've seen in the U.S., once law enforcement and intelligence agencies are given new unchecked powers, abuse tends to happen. The more secretive and unchecked the powers, the more widespread the abuse. (See: Warrantless wiretapping, detainee torture, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://en.wikipedia.org/wiki/COINTELPRO"&gt;COINTELPRO&lt;/a&gt;, The CIA's &lt;a rel="nofollow" class="external-link" target="_blank" href="http://en.wikipedia.org/wiki/Operation_CHAOS"&gt;Operation Chaos&lt;/a&gt;.)&lt;/p&gt; &lt;p&gt;&lt;b&gt;Thanks to &lt;a rel="nofollow" class="external-link" target="_blank" href="http://dizzythinks.net/"&gt;Dizzy Thinks&lt;/a&gt; for the tip.&lt;/b&gt;&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9939635-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Fri, 09 May 2008 09:41:00 PDT</pubDate>
      </item>
      <item>
         <title>IRS Web site opens door to phishers</title>
         <link>http://www.cnet.com/8301-13739_1-9938919-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.&lt;/p&gt; &lt;p&gt;The new "&lt;a rel="nofollow" class="external-link" target="_blank" href="http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC"&gt;Where's my stimulus payment?&lt;/a&gt;" site asks taxpayers to enter in their Social Security number, and a few other trivial bits of information before informing the user of the amount of their refund, and the date it will be sent out.&lt;/p&gt; &lt;p&gt;While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer's Social Security number, it could be used as an &lt;a rel="nofollow" class="external-link" target="_blank" href="http://en.wikipedia.org/wiki/Oracle_machine"&gt;oracle&lt;/a&gt; (by submitting multiple requests) to determine the full SSN of a taxpayer.&lt;/p&gt; &lt;p&gt;&lt;div class="cnet-image-div float-right" style="width:540px;"&gt;&lt;img class="cnet-image" src="http://i.i.com.com/cnwk.1d/i/bto/20080507/irs_540x222.png" alt="" width="540" height="222"/&gt;&lt;p class="image-caption"&gt;Screenshot of the IRS Stimulus Website&lt;/p&gt;&lt;span class="image-credit"&gt;(Credit: Christopher Soghoian)&lt;/span&gt;&lt;/div&gt; &lt;p&gt;The IRS is frequently mimicked by phishers. The agency even goes so far as to offer advice on its site, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.irs.gov/newsroom/article/0,,id=154861,00.html"&gt;debunking many common phishing attacks&lt;/a&gt;. 
Furthermore, the agency has &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.securityfocus.com/brief/684"&gt;shut down more than 1,600 phishing sites&lt;/a&gt; claiming to be the IRS in the past few years.&lt;/p&gt; &lt;p&gt;From a security education perspective, it is a really bad idea to have such a form on the official IRS Web site. The IRS should not be training users (via positive reinforcement) to enter their full Social Security numbers into Web sites. It is bad enough that credit card companies and banks require us to do so when signing up. The IRS has an existing relationship with every tax-paying citizen. It does not need to use our SSN to authenticate us, and could use one of many other bits of information.&lt;/p&gt; &lt;p&gt;Secondly, the URL, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC"&gt;http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC&lt;/a&gt;, is simply horrible. The vast majority of users will have no idea if this is a legitimate Web site or not. Why could they not select something a bit more readable, such as "www.irs.gov/stimulus"?&lt;/p&gt; &lt;p&gt;At the very least, the IRS should authenticate users with additional information (such as the amount of federal taxes paid in 2008). It already does this for users who wish to e-file. This would at least stop the site from being used as an oracle to confirm/guess someone else's SSN.&lt;/p&gt; &lt;p&gt;To see why this is such a bad idea--look at the image below of a phishing scam claiming to be an IRS refund Web site. Now look at the image above, the IRS's new refund status site. 
Can we really expect most users to tell the difference?&lt;/p&gt; &lt;div class="cnet-image-div float-none" style="width:540px;"&gt;&lt;a rel="nofollow" target="_blank" href="http://www.flickr.com/photos/laughingsquid/2181063904/sizes/o/"&gt;&lt;img class="cnet-image" src="http://i.i.com.com/cnwk.1d/i/bto/20080507/2181063904_a0f1856d07_o_540x463.jpg" alt="" width="540" height="463"/&gt;&lt;/a&gt;&lt;p class="image-caption"&gt;Phishing site targeting the IRS&lt;/p&gt;&lt;span class="image-credit"&gt;(Credit: Laughing Squid / Flickr)&lt;/span&gt;&lt;/div&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9938919-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Thu, 08 May 2008 08:00:00 PDT</pubDate>
      </item>
      <item>
         <title>Keep your data safe at the border</title>
         <link>http://www.cnet.com/8301-13739_1-9935170-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;&lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html"&gt;There is no right to privacy at international borders&lt;/a&gt;. For those of us with laptops, this presents a pretty major problem: How do we get through U.S. Customs with our beloved portable devices, without having Uncle Sam peeking at every e-mail we've sent, every MP3 we've listened to, and every "home movie" we've made?&lt;/p&gt; &lt;p&gt;The obvious solution, encryption, is not enough. Non-Americans have no right to enter the U.S. Don't want to hand over your encryption keys? No problem--but you will be put on the next airplane back to your home country (if you're lucky...If the government really doesn't like you, you &lt;a rel="nofollow" class="external-link" target="_blank" href="http://en.wikipedia.org/wiki/Maher_Arar"&gt;may end up getting sent to Syria&lt;/a&gt;).&lt;/p&gt; &lt;p&gt;Those of us "lucky" enough to have a U.S. passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned.&lt;/p&gt; &lt;p&gt;For travelers heading to countries other than the U.S., it can be even worse. Refusing to hand over your encryption key to a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://arstechnica.com/news.ars/post/20071001-uk-can-now-demand-data-decryption-on-penalty-of-jail-time.html"&gt;lawful request by British Police can result in jail time&lt;/a&gt;. Ouch.&lt;/p&gt; &lt;p&gt;CNET News.com's Declan McCullagh &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.news.com/8301-13578_3-9892897-38.html"&gt;posted a guide&lt;/a&gt; to securing laptops for border searches back in March. 
The Electronic Frontier Foundation's Jennifer Granick &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.eff.org/deeplinks/2008/05/protecting-yourself-suspicionless-searches-while-t"&gt;wrote a blog post on the subject recently&lt;/a&gt;, in which she broke down the case law and offered a bit of advice. While both of these are interesting reads, neither includes the practical solution which I use.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Chris' Guide to Safe International Data Transport&lt;/b&gt;&lt;/p&gt; &lt;ol&gt; &lt;li&gt;Before going on any international trip, back up all of your important and potentially embarrassing, incriminating, or troubling data. This includes any copyrighted content which you may not be able to prove you own. &lt;li&gt;Create an encrypted disk image/encrypted folder of that data. This can be done with Pretty Good Privacy, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.truecrypt.org/"&gt;Truecrypt&lt;/a&gt;, or software built into many operating systems. &lt;li&gt;Remember the password. This is &lt;i&gt;very&lt;/i&gt; important, as if you forget it, you lose all your data. &lt;li&gt;Upload the encrypted data to a reliable place on the Internet (or two). &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.amazon.com/gp/browse.html?node=16427261"&gt;Personally, I use Amazon S3&lt;/a&gt;, which charges 15 cents per GB-month of storage plus 17 cents per GB of data transfer.&lt;/li&gt; &lt;li&gt;Wipe your laptop clean (do this properly, or the data may be accessible after the fact with forensics software), and install a fresh copy of your OS onto it.&lt;/li&gt; &lt;li&gt;Travel. You should have no problem at U.S. Customs (or in any other country) as you won't have anything problematic on your computer. &lt;li&gt;At your hotel/office, fire up your Web browser and download the encrypted data file from Amazon's servers. &lt;li&gt;Decrypt the data. 
&lt;/ol&gt; &lt;p&gt;Once you are done with your trip, you can simply re-encrypt the data, upload it to Amazon again, and wipe the disk clean.&lt;/p&gt; &lt;p&gt;For those of you traveling to countries (or places in the U.S.) with slow Internet connections, you may wish to burn your encrypted data to a DVD and FedEx it to your destination. Do it a few days before you leave, and you should know before you get on the airplane if the disk made it to your destination safely by checking the delivery status online.&lt;/p&gt; &lt;p&gt;I realize that I take paranoia to a more extreme level than most, but I find that this technique works really, really well for me. For those of you who are even more paranoid, and are worried about customs agents being able to recover the deleted data from your laptop disk, you may wish to avoid keeping the decrypted data on your laptop at all (while on the trip). Portable flash drives are quite cheap these days, and can be easily destroyed (a microwave, a hammer, driving over them in a rental car, etc.) once your trip is done.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Disclosure: Jennifer Granick represented me, pro-bono, in my civil troubles with TSA back in 2006 and 2007.&lt;/b&gt;&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9935170-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Mon, 05 May 2008 09:00:00 PDT</pubDate>
      </item>
      <item>
         <title>Can TSA be trusted not to data discriminate?</title>
         <link>http://www.cnet.com/8301-13739_1-9918813-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;The Transportation Security Administration is joining the 21st century. Just &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.schneier.com/crypto-gram-0308.html#6"&gt;5 years after security experts&lt;/a&gt; first outlined methods for faking boarding passes (and 2 years after the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2006/10/31/AR2006103101313.html"&gt;FBI raided my home&lt;/a&gt; for &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.dubfire.net/boarding_pass/"&gt;automating the process&lt;/a&gt;), TSA is finally testing out technology to neutralize this security threat. The only problem? The new authenticated boarding passes lay the groundwork for a surveillance state, enforceable all-points-bulletins, and most scary of all, data discrimination.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Can TSA be trusted to do the right thing?&lt;/b&gt;&lt;/p&gt; &lt;div class="cnet-image-div float-right" style="width:150px;"&gt;&lt;img class="cnet-image" src="http://i.i.com.com/cnwk.1d/i/bto/20080414/mobilecheckin.jpg" alt="" width="150" height="200"/&gt;&lt;p class="image-caption"&gt;A sample secure boarding pass&lt;/p&gt;&lt;span class="image-credit"&gt;(Credit: Continental Airlines)&lt;/span&gt;&lt;/div&gt; &lt;p&gt;For the last 4 months, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.continental.com/web/en-us/apps/onepass/promotions/registrationDetails.aspx?promoCode=A4802"&gt;Continental Airlines&lt;/a&gt; and TSA have been running a pilot project, which &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.nytimes.com/2008/03/18/technology/18check.html?_r=1&amp;oref=slogin"&gt;permits passengers to pass through security&lt;/a&gt; using mobile-phone based boarding passes. 
After the user checks in online 24 hours before travel, the airline will send a dense 2D bar code to the passenger's mobile phone. The program is open to anyone flying on a non-stop Continental Airlines flight out of Houston.&lt;/p&gt; &lt;p&gt;The bar codes contain all of the information that would ordinarily appear on a boarding pass, plus one other important thing: a digital signature.&lt;/p&gt; &lt;p&gt;The system doesn't seem too bad, security-wise. The airlines each create a &lt;a rel="nofollow" class="external-link" target="_blank" href="http://en.wikipedia.org/wiki/Public_key_cryptography"&gt;PGP cryptographic key pair&lt;/a&gt;: a private key which they use to sign each boarding pass, and a public key which they give to TSA.&lt;/p&gt; &lt;p&gt;When a passenger shows up at a TSA checkpoint, the boarding pass is scanned by TSA agents with a handheld device. The device verifies the cryptographic signature, and if the boarding pass hasn't been modified, it'll display the passenger's information, which the agent can then compare to the passenger's ID. (Click &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.nytimes.com/imagepages/2008/03/18/business/18check_CA0.ready.html"&gt;here to see a picture&lt;/a&gt; of the boarding pass being read by the handheld device.)&lt;/p&gt; &lt;p&gt;&lt;b&gt;Privacy safeguards&lt;/b&gt;&lt;/p&gt; The Department of Homeland Security released a detailed Privacy Impact Report on the boarding pass system in late 2007. The report reveals a number of interesting details, and surprisingly, that the system was designed with passenger privacy in mind. The &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_tsa_bpss.pdf"&gt;report (pdf) notes that&lt;/a&gt;: &lt;blockquote&gt;
&lt;p&gt;The [Boarding Pass Scanning System (BPSS)] equipment is a handheld 2-D Bar Code scanning device and should be considered standalone as it will &lt;b&gt;not&lt;/b&gt; be connected to any network - via wireless or ethernet connection..... &lt;p&gt;When [the passenger's] information is collected, it is immediately displayed on the device screen, in order for TSA screeners to screen the passengers against their photo identification. Once this is completed, the information is immediately and permanently deleted from the system....&lt;/p&gt; &lt;p&gt;The BPSS device application does not maintain a transaction log with bar code scan content; the application does not save or store the bar code scan data to a file, database, etc.&lt;/p&gt; &lt;/blockquote&gt; &lt;p&gt;As many of my readers may know, I &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.nytimes.com/2006/12/17/business/yourmoney/17digi.html?ei=5090&amp;en=db7ab439c0c47253&amp;ex=1324011600&amp;adxnnl=1&amp;partner=rssuserland&amp;emc=rss&amp;adxnnlx=1168635646-/DlVHx6pj/zkvIIWw4tNOA"&gt;caused a bit of a panic&lt;/a&gt; at TSA in 2006, when I created a website that made fake boarding passes. Once the FBI dropped their investigation, and TSA decided not to come after me, the Feds became a lot nicer to me. I've flown out to Washington DC a couple times since to meet with TSA officials, and I know for a fact that a number of people inside DHS have &lt;a rel="nofollow" class="external-link" target="_blank" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1001675"&gt;read my research paper&lt;/a&gt;. 
Thus, it's not terribly surprising that the system in trial at Houston airport closely follows the design I outlined.&lt;/p&gt; &lt;p&gt;The authors of the privacy report were even nice enough to give me props, and mention my &lt;a rel="nofollow" class="external-link" target="_blank" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1001675"&gt;boarding pass security research&lt;/a&gt; as a motivation for the technology in the second paragraph of the document.&lt;/p&gt; &lt;p&gt;&lt;b&gt;The makings of a surveillance state&lt;/b&gt;&lt;/p&gt; &lt;p&gt;TSA has clearly done a good job in designing this system, and making sure to include privacy analysis at the early design stages. The main problem, though, is that it creates the foundations of a surveillance state: a world where TSA agents will be able to read through your digital dossier in detail as they decide how strictly to prod and probe you. This system, essentially, sets the stage for data discrimination at checkpoints.&lt;/p&gt; &lt;p&gt;When a passenger goes through a TSA checkpoint right now, the agent only has a few bits of information in front of him or her: the passenger's reported name, ID documents and the physical features of the passenger (race, gender, dress, accent). Yes, it is possible for an airline to flag a passenger (&lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.cnet.com/8301-13739_1-9796425-46.html"&gt;the dreaded SSSS on a boarding pass&lt;/a&gt;), if the passenger's name appears on one of the watchlists. However, this is still very little information.&lt;/p&gt; &lt;p&gt;Imagine if, when going through a TSA checkpoint, the agents had a full dossier on each passenger - detailing everywhere you'd ever flown, any past criminal records, credit history, parking tickets and heck, even which books you've been seen reading in the airport. 
It's not such a wild fantasy, as US Customs Officers &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.wired.com/politics/onlinerights/news/2007/09/flight_tracking"&gt;already have this information, and look at it&lt;/a&gt; when you enter the country.&lt;/p&gt; &lt;p&gt;&lt;b&gt;What if ....&lt;/b&gt;&lt;/p&gt; &lt;p&gt;While the pilot program that TSA is using in Houston is privacy preserving, passengers will have no way of knowing if a future administration decides to update the software or hardware of the handheld devices. It would be very easy to add a wireless card to the devices, and no passenger would ever be the wiser. Suddenly, TSA agents would have a wealth of information at their fingertips, information that could help agents "fight the war on terror."&lt;/p&gt; &lt;p&gt;Such a change, if it did happen, would probably not require that TSA notify the public. Moreover, I doubt if it'd even have to tell the entire Congress. It would simply hold a closed briefing for the Intelligence Committees -- including the same gutless "gang of 8" who knew about the &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/27bstroke6/2008/03/harman-its-not.html"&gt;NSA's Warrantless Spying program for years&lt;/a&gt;, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://tpmmuckraker.talkingpointsmemo.com/2008/03/key_dem_urged_nyt_reporter_aga.php"&gt;and didn't do anything about it&lt;/a&gt;. &lt;p&gt;To be clear, I'm not accusing TSA of doing anything wrong. All I'm saying is that once agents start scanning in bar codes with hand held devices, we the public will have no way of knowing what happens to the data. 
TSA is, after all, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.slate.com/id/2109922/"&gt;rather trigger-happy when it comes to pseudo-classifying&lt;/a&gt; data as &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.schneier.com/blog/archives/2005/03/sensitive_secur.html"&gt;Sensitive Security Information&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Remember the National Security Letter powers that the FBI was given by the Patriot Act? Congress and the public were assured that there would be safeguards, and that they would be used correctly. Fast forward &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/27bstroke6/2008/03/fbi-tried-to-co.html"&gt;a few years&lt;/a&gt;, and we find out that &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/27bstroke6/2007/03/fbi_misuses_und.html"&gt;National Security Letters have been widely abused&lt;/a&gt;, time &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/27bstroke6/2007/07/gonzales-knew-a.html"&gt;and again&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;I don't have an easy solution to recommend here. The current boarding pass system is easy to evade, and digitally signed bar codes do solve this problem. However, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.cnet.com/8301-13739_1-9769089-46.html"&gt;given that passengers can still refuse to show ID when they fly&lt;/a&gt; (and thus totally avoid the watchlists), I'm not really sure what the main goal of this pilot is. Why spend millions to beef up boarding passes, when passengers can still slip through the system with no ID?&lt;/p&gt; &lt;p&gt;Perhaps the real solution, as crazy as it may sound, is for TSA to do their job - and screen passengers. As experts have noted over and over, a valid ID and boarding pass &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.schneier.com/essay-034.html"&gt;are not proof that someone is not a terrorist&lt;/a&gt;. Instead of wasting money and time trying to verify documents and ID cards, why not reallocate these resources to searching bags and patting down old ladies?&lt;/p&gt; &lt;p&gt;&lt;b&gt;Thanks to Adam Shostack for tipping me off to the NYT article on the TSA pilot.&lt;/b&gt;&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9918813-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Tue, 15 Apr 2008 08:00:00 PDT</pubDate>
      </item>
      <item>
         <title>Finding the line between activism and reporting</title>
         <link>http://www.cnet.com/8301-13739_1-9903421-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
<description>&lt;p&gt;A few weeks ago, &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.cnet.com/8301-13739_1-9902569-46.html"&gt;I brought you news&lt;/a&gt; that Indiana's Governor had signed into law HB 1197, a data breach and encryption bill that I worked on.&lt;/p&gt; &lt;p&gt;What I have not revealed, up until now, is the coercion and arm-twisting that accompanied the passage of this bill. While the details may not surprise jaded readers, it certainly gave me a reason to dislike the entire process, as well as one particular power-tripping legislator. Now that the bill, albeit a significantly slimmer version, has become law, I'm free to tell the story.&lt;/p&gt; &lt;p&gt;As regular readers of this blog know, I spent a significant amount of time this spring working on an update to Indiana's data breach laws. Along with my local State Representative, I co-wrote a bill that would fix loopholes in the existing rules, as well as designate the State Attorney General as a central reporting body, which would then post a copy of each report to its website.&lt;/p&gt; &lt;p&gt;The bill passed through House Committee without any problems, and was then passed unanimously by the State House of Representatives. Once the bill came up before the relevant Senate Committee, it drew the attention of lobbyists representing AT&amp;T, Microsoft and Lexis Nexis, who flew in from Washington to try and kill the bill.&lt;/p&gt; &lt;p&gt;Eventually, the lobbyists got their way, and the bill was stripped of some of the most pro-consumer provisions. 
Shortly after this happened, I &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.cnet.com/8301-13739_1-9870992-46.html"&gt;wrote a blog post on the subject&lt;/a&gt;, explaining what had happened, who had voted for the amendment, and which firms lobbied against the bill.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Coercion&lt;/b&gt;&lt;/p&gt; &lt;p&gt;After the bill passed through committee, the next step was for it to receive a second reading on the Senate floor. This was scheduled to happen on February 18th. At the end of that day, I went online, and saw that every single bill scheduled to receive its second reading that day had been read, except my bill. Curious as to what had happened, I made a few calls.&lt;/p&gt; &lt;p&gt;And this is where it gets interesting. A well placed &lt;i&gt;source&lt;/i&gt; told me that a powerful Republican Senator had taken offense to something I had written on my blog the week before, in which I mentioned that each member of the Senate Committee voting to shred the bill had previously received campaign donations from AT&amp;T. My source relayed a threat from the Senator: &lt;b&gt;Either I had to remove the offending paragraph from my blog, or he would hold up the bill, and it would die in the Senate.&lt;/b&gt;&lt;/p&gt; &lt;p&gt;The offending text &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.cnet.com/8301-13739_1-9870992-46.html"&gt;from the blog post&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote&gt; &lt;p&gt;AT&amp;#38;T &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/contributor.phtml?si=200615&amp;d=9412895"&gt;donated
over $170,000&lt;/a&gt; to Indiana state legislators in the 2006
election cycle while &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/contributor.phtml?si=200615&amp;d=9413261"&gt;Verizon
donated $48,000&lt;/a&gt;. Furthermore, while I'm sure that all 11
of the senators on the committee are all upstanding and honest
legislators, I think it's worth mentioning that only one senator
(Arnold) has not received thousands of dollars from AT&amp;#38;T in the
past. The rest have all taken Ma Bell's money: &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200415&amp;c=412113"&gt;Steele&lt;/a&gt;
(R), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200415&amp;c=400298"&gt;Bray&lt;/a&gt;
(R), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200415&amp;c=407169"&gt;Drozda&lt;/a&gt;
(R), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200415&amp;c=407190"&gt;Zakas&lt;/a&gt;
(R), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200415&amp;c=400484"&gt;Waltz&lt;/a&gt;
(R),
&lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200615&amp;c=419476"&gt;Waterman&lt;/a&gt;
(R), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200615&amp;c=424075"&gt;Howard&lt;/a&gt;
(D), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200615&amp;c=419486"&gt;Young&lt;/a&gt;
(D), &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200615&amp;c=419461"&gt;Tallian&lt;/a&gt;
(D),
&lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.followthemoney.org/database/StateGlance/candidate.phtml?si=200215&amp;c=33618"&gt;Lanane&lt;/a&gt;
(D).
&lt;/p&gt;&lt;p&gt;
I'm sure this in no way influenced their votes on Tuesday, but it sure
does give you food for thought.
&lt;/p&gt;
&lt;/blockquote&gt; &lt;p&gt;This put me in a very difficult position. I had worked very hard on this bill, and this was my chance to close what I believed was a serious loophole in Indiana's existing breach laws. If I didn't cave to the Senator's demands, my bill would die, and with it, the chances of getting the law changed.&lt;/p&gt; &lt;p&gt;On the flip side, I hate the idea of censorship. I don't like being told what to write, or being told that I have to take something down. I think this is a feeling that I share with most of the Internet community -- be it cease and desist letters, or lawsuit threats, such attempts at stifling free speech are universally denounced (and usually evaded). &lt;p&gt;In addition to my own feelings, censorship is something that is not tolerated at CNET. Any edits I make to my own posts after publication must be &lt;strike&gt;struck out&lt;/strike&gt;. Thus, removing an entire paragraph, let alone doing it silently without saying why, totally violated CNET policies, as well as basic journalistic standards.&lt;/p&gt; &lt;p&gt;To make matters worse, my source would only deliver the Senator's threat on the condition that it remain off the record. In later conversations, once I explained the trouble I'd get into with CNET over the silent deletion, he agreed to let me write about what had happened, as long as his name, and the Senator's name, were not revealed.&lt;/p&gt; &lt;p&gt;In the end, I decided to take down the text temporarily. I planned to post the &lt;i&gt;offending&lt;/i&gt; text back online as soon as the Governor signed the bill into law. It was not a decision I was completely comfortable with, but I decided that passage of the bill was more important.&lt;/p&gt; &lt;p&gt;In hindsight, I'm not so sure that this was the right move. At the very least, I acknowledge that I let down both CNET, and the trust of my readers. 
This is something that I sincerely regret.&lt;/p&gt; &lt;p&gt;The day after I removed the paragraph, the bill had its second reading, and then a few days later, was passed unanimously by the State Senate. While he was unethical, the Senator did at least keep his word.&lt;/p&gt; &lt;p&gt;After the dust settled, I received some great advice from one of my mentors:&lt;/p&gt; &lt;blockquote&gt;&lt;i&gt;As a general rule it's difficult to wear two hats simultaneously in the legislative process. Fine to be a good citizen and propose necessary legislation. Fine also to be a whistleblower and call attention to legislative abuse. But very difficult to do both at the same time.&lt;/i&gt;&lt;/blockquote&gt; &lt;p&gt;I'm not sure which hat I'll end up wearing for good. The entire process has left me with a fairly unpleasant taste in my mouth, made significantly worse by the fact that I still cannot name the Senator who abused his power.&lt;/p&gt;</description>
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9903421-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Fri, 11 Apr 2008 08:15:00 PDT</pubDate>
      </item>
      <item>
         <title>Why Google puts privacy second</title>
         <link>http://www.cnet.com/8301-13739_1-9915029-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</link>
         <description>&lt;p&gt;European regulators &lt;a rel="nofollow" class="external-link" target="_blank" href="http://blog.wired.com/27bstroke6/2008/04/eu-tells-search.html"&gt;sent shock-waves through the search engine industry&lt;/a&gt; earlier this week, when they proposed significantly tighter rules for logging data. If the EU adopts the proposed rules, Google, Yahoo and Microsoft will have to significantly reduce the amount of time they keep identifying search logs, and will have to start treating IP addresses as personally identifiable data -- &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/04/european-commissions-data-protection.html"&gt;something that Google has been particularly vocal against&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Google has recently engaged in a major public relations effort to try and make a credible argument for keeping log data. The company has trotted out respected employee researchers to try and make the case that deleting such data will hurt search results. When all of their claims are analyzed, however, one thing becomes clear: It's all about the money (and the clicks).&lt;/p&gt; &lt;p&gt;Google has a genuine need to retain detailed log information on one kind of user: Those who click on ads. However, in order to avoid creating a situation where only clickers lose their privacy, the company logs data on all searchers instead. That is, the privacy of millions is threatened, to protect the incentive for users to click on ads.&lt;/p&gt; &lt;b&gt;&lt;p&gt;The excuses&lt;/p&gt;&lt;/b&gt; &lt;p&gt;Over the last few months, a number of Google's engineers have issued public statements on the company's &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com"&gt;public policy blog&lt;/a&gt; to defend its much criticized log data retention policies. 
The company claims that the data can be used to &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/03/using-log-data-to-help-keep-you-safe.html"&gt;hunt down malware&lt;/a&gt;, to &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/03/using-data-to-help-prevent-fraud.html"&gt;catch people defrauding its advertising system&lt;/a&gt;, and &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/03/why-data-matters.html"&gt;to improve search results&lt;/a&gt;, especially &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/03/making-search-better-in-catalonia.html"&gt;for localized results&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;Take the localization claim: Google says that accurate logging data &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/03/making-search-better-in-catalonia.html"&gt;can improve localized searches&lt;/a&gt;. This data is then used to intelligently respond to searches, such that a search for "GM" will return General Motors-related information for an American user, while someone in France will be presented with information on "Guerre Mondiale" (World War).&lt;/p&gt; &lt;p&gt;What Google has done here is attempt to muddy the waters of the debate. Yes, accurate logging data improves localized searches. However, the company does not need to retain the exact network address (known as an IP address) of each and every search. Instead of tracking my searches by my network address, 129.53.136.23, the company could instead log that I came from San Francisco, California. 
That, in itself, would be more than enough information to help it localize and improve search results.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Avoiding disincentives&lt;/b&gt;&lt;/p&gt; &lt;p&gt;Of all the excuses that Google's puppets have presented for retaining search logs, there is only one case where Google actually has a legitimate need to store information that identifies the individual user and their network address: advertising clicks.&lt;/p&gt; &lt;p&gt;Google is an advertising company first, and a search engine second. Sometimes we forget this, but Google has a lot of bills to pay. After all, those free meals and massages for employees have to be paid for somehow.&lt;/p&gt; &lt;p&gt;Google displays text advertisements on all of its web search results pages. Advertisers, for the most part, pay per click. That is, every time a user clicks on one of the ads, Google charges an advertiser a few cents (or dollars, depending on the search term). Because of the amount of money at play, this tends to attract criminals wishing to defraud the system. Thus, it is not terribly surprising that Google wishes to retain information on the user who clicked.&lt;/p&gt; &lt;p&gt;What is most interesting to note, though, is that if a user does not click on one of Google's web advertisements, the only credible reason for retaining detailed search information becomes moot. 
If a user doesn't click, they can't possibly be engaged in click fraud, and thus there is no reason to retain identifying information on the user's search.&lt;/p&gt; &lt;p&gt;Were Google to institute a needs-based logging policy, it would find itself in a curious position: users who clicked on advertisements would have detailed logs retained for months, if not years, while users who didn't click on ads would quickly have any identifying information scrubbed from the logs and replaced with more generalized information.&lt;/p&gt; &lt;p&gt;The obvious problem with such a scenario would be one of incentives, especially once the policy was made public. Users would lose their privacy each time they clicked on an advertisement. Unfortunately for the company, this is exactly the wrong kind of message to send. It wants to encourage users to click on its text ads, not to give customers a reason to skip them.&lt;/p&gt; &lt;p&gt;Thus, to avoid creating that disincentive, Google logs data on every search, by every user. And because of this, we all suffer -- even those users who never even see ads, because they use technologies like &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.adblockplus.org"&gt;AdBlockPlus&lt;/a&gt; and &lt;a rel="nofollow" class="external-link" target="_blank" href="http://www.customizegoogle.com"&gt;CustomizeGoogle&lt;/a&gt;.&lt;/p&gt; &lt;hr&gt; &lt;p&gt;&lt;b&gt;Disclaimer:&lt;/b&gt; In 2006, I worked as a summer intern in Google's click fraud team. 
Shuman Ghosemajumder, Google's "Business Product Manager for Trust &amp; Safety" and the person claiming that &lt;a rel="nofollow" class="external-link" target="_blank" href="http://googlepublicpolicy.blogspot.com/2008/03/using-data-to-help-prevent-fraud.html"&gt;search logs prevent fraud&lt;/a&gt;, worked in the same team.&lt;/p&gt; &lt;p&gt;None of the information in this blog post involves confidential company information.&lt;/p&gt; &lt;p&gt;I was awarded a Google fellowship in both 2006 and 2007, for $5000 each time. Finally, I just returned from a Scholar Retreat in San Francisco, which the company paid for.&lt;/p&gt;</description>
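The two mechanisms the post above describes, logging a coarse location in place of the exact IP address and retaining identifying fields only for records that carry an ad click, as an added illustration that is not part of the original post and is not Google's code. The prefix-to-city table, the record layout and the sample log lines are constructed for the demo; a real deployment would consult a geolocation database, and it would have to apply the scrubbing before the record reaches durable storage, since an IP that has already been written is not removed by any later retention policy.

```python
"""Needs-based search-log scrubbing (added illustration, not Google's code).

Policy sketched in the post: keep the full client IP only for records
that carry an ad click (the one case with a click-fraud investigation
need); for every other record replace the IP with a coarse location
and drop the per-user identifier before the log is written.
"""
import ipaddress

# Constructed lookup table: network prefix to coarse location. A real
# deployment would query a geolocation database instead; the prefixes
# and cities here are made up for the demo.
GEO_TABLE = {
    ipaddress.ip_network("129.53.0.0/16"): "San Francisco, California",
    ipaddress.ip_network("203.0.113.0/24"): "Paris, France",
}

UNKNOWN_LOCATION = "unknown"


def coarse_location(ip_text):
    """Map an address to a city-level label, or 'unknown' if not in the table."""
    addr = ipaddress.ip_address(ip_text)
    for net, city in GEO_TABLE.items():
        if addr in net:
            return city
    return UNKNOWN_LOCATION


def scrub_record(record):
    """Return a scrubbed copy of one log record according to the policy.

    record: dict with keys 'ip', 'query', 'ad_click' (bool), 'cookie_id'.
    Records with an ad click are kept intact and marked for full retention.
    All others lose the exact IP (replaced by a coarse location) and the
    cookie identifier, keeping only what localization needs.
    """
    kept = dict(record)  # never mutate the caller's record
    if record.get("ad_click", False):
        kept["retention"] = "full"
        return kept
    kept["location"] = coarse_location(record["ip"])
    kept["ip"] = None
    kept["cookie_id"] = None
    kept["retention"] = "generalized"
    return kept


def scrub_log(records):
    """Apply the policy to a whole batch of records at ingestion time."""
    return [scrub_record(r) for r in records]


# Constructed sample log lines for the demo. The first IP is the one the
# post uses as its example; the mapping to San Francisco is assumed.
SAMPLE_LOG = [
    {"ip": "129.53.136.23", "query": "GM", "ad_click": False, "cookie_id": "c-1"},
    {"ip": "203.0.113.7", "query": "GM", "ad_click": True, "cookie_id": "c-2"},
    {"ip": "198.51.100.9", "query": "weather", "ad_click": False, "cookie_id": "c-3"},
]

if __name__ == "__main__":
    for row in scrub_log(SAMPLE_LOG):
        print(row)
```

Running it prints the three scrubbed rows: the first and third records lose their IP and cookie identifier and keep only a city-level location (still enough to localize a query like "GM"), while the second record, which carried an ad click, is retained in full.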
         <guid isPermaLink="false">http://www.cnet.com/8301-13739_1-9915029-46.html?part=rss&amp;tag=feed&amp;subj=SurveillanceState</guid>
         <pubDate>Wed, 09 Apr 2008 08:46:00 PDT</pubDate>
      </item>
      <item>
         <title>My Blog Has Moved!</title>
         <link>http://paranoiaupdates.blogspot.com/2007/09/my-blog-has-moved.html</link>
         <description>I'm happy to announce that my blog has moved to CNET, where I've joined their Blog Network.&lt;br /&gt;&lt;br /&gt;Due to the terms of my contract, I've had to change the name of my blog (so that they can own the new name) - and so the new blog is named Surveillance State. The new blog is located at: &lt;a rel="nofollow" target="_blank" href="http://www.cnet.com/surveillance-state/"&gt;http://www.cnet.com/surveillance-state/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For the most part, the blog will remain the same - still a focus on security and privacy, with a bit of amateur legal analysis thrown in for fun - although expect slightly more frequent posting (3x per week or so).&lt;br /&gt;&lt;br /&gt;For those ~400 of you who subscribe to my blog via an RSS feed - fear not, you should seamlessly transition to getting data from CNET's servers without having to change anything within your RSS reader. CNET has also graciously agreed to provide full text RSS feeds, which makes life much easier for those of us who vacuum information via an RSS client.</description>
         <author>Christopher Soghoian</author>
         <guid isPermaLink="false">tag:blogger.com,1999:blog-9043615302348035235.post-3176284320018730714</guid>
         <pubDate>Mon, 03 Sep 2007 09:33:00 PDT</pubDate>
      </item>
   </channel>
</rss>
