Privacy

Dept. of Justice files subpoena against NSA to get Google search records

April 1, 2006, San Francisco, CA: In a surprise move, Department of Justice (DoJ) attorneys filed a subpoena yesterday in federal court against the National Security Agency, requesting one million sample Google searches. They plan to use the searches as evidence in their defence of the constitutionality of the Child Online Protection Act.

Wiretaps beget wiretaps -- I don't hate that much to say I told you so.

For some time in my talks on CALEA and VoIP I've pointed out that because the U.S. government is mandating a wiretap backdoor into all telephony equipment, the vendors are putting in these backdoors to sell to the U.S. market, and then selling the same backdoors all over the world. Even if you trust the USGov not to run around randomly wiretapping people without warrants, since that would never happen, there are a lot of governments and phone companies in other countries who can't be trusted but whom we're enabling.

Encrypted text that looks like plaintext, thanks to spammers.

You may be familiar with steganography, the technique for hiding messages in other messages so that not only can the black-hat not read the message, they aren't even aware it's there at all. It's arguably the most secure way to send secret data over an open channel. A classic form of "stego" involves encrypting a message and then hiding it in the low order "noise" bits of a digital photograph. An observer can't tell the noise from real noise. Only somebody with the key can extract the actual message.

4th Amendment Shipping Tape

Looking at printed wedding gift ribbon some time ago, Kathryn thought it would be amusing to put the 4th amendment on the ribbon, and tie it around our suitcases.

That turned out to be hard to make, but I did make a design for shipping tape which you can see below. The printed shipping tape has the text slant so that as the pattern repeats, the 4th amendment appears as a long continuous string, as well as a block.

Commercial I would like to see

Tom Selleck narrates:

Have you ever arranged a wiretap in Las Vegas without leaving your office in Fort Meade?

Or listened in on a mother tucking in her baby from a phone booth, all without the bother of a warrant?

Or data mined the call records of millions of Americans with no oversight?

You will.

And the company that will bring it to you... AT&T

EFF sues AT&T for giving access to your data without warrants

A big announcement today from those of us at the EFF regarding the NSA illegal wiretap scandal. We have filed a class-action lawsuit against AT&T because we have reason to believe they have provided the NSA and possibly other agencies with access to not only their lines but also their "Daytona" database, which contains the call and internet records of AT&T customers, and probably the customers of other carriers who outsource database services to Daytona.

MP3 Podcast of my talk at Emerging Telephony on how to love CALEA

Last week I spoke at O'Reilly's Emerging Telephony (ETEL) conference about CALEA and other telecom regulations that are coming to VoIP. CALEA is a law requiring telecom equipment to have digital wiretap hooks, so police (with a warrant, in theory) can come and request a user's audio streams. It's their attempt to bring alligator clips into the digital world.

Panoptopia and the Pushbutton Panopticon

With too many people defending the new levels of surveillance, I thought I would introduce a new word: Panoptopia -- a world made wonderful by having so much surveillance that we can catch all the bad guys.

David Brin introduced the concept to many in The Transparent Society, though he doesn't claim it's a utopia, just better than the alternative as he sees it.

It used to be that "If you are innocent you have nothing to hide" was supposed to be a statement whose irony was obvious to all. Today, I see people saying it seriously.

What's the default on 4th amendment questions?

We're always coming up with new technologies that affect privacy and surveillance. We've seen court cases over infrared heat detectors seeing people move inside a house. We've seen parabolic microphones and lasers that can measure the vibration of the windows from the sound in a room. We've seen massive computers that can scan a billion emails in a short time, and estimates of speech recognition tools that can listen to millions of phone calls.

Google Subpoena is the tip of the iceberg

Google is currently fighting a subpoena from the DoJ for their search logs. The DoJ experts in the COPA online porn case want to mine Google's logs, not for anybody's data in particular, but because they are such a great repository of statistics on internet activity. Google is fighting hard as they should. Apparently several Google competitors caved in.

Wanted -- a system to anonymously test the support of radical ideas

How often does it happen? There's an important idea or action which is controversial. The bravest come out in support of it early, but others are wary. Will support for this idea hurt them in other circles? Is the idea against the "party line" of some group they belong to, even though a sizeable number of the group actually support it? How can you tell?

How much must we keep the obvious from stupid criminals

One particularly interesting argument seen in the Underwatergate scandal is the one that the NYT, by revealing the existence of warrantless wiretaps on international communications lines, compromised national security.

Reporters asked how that can be. After all, surely the bad guys knew the U.S. had the ability to perform surveillance on them, and has a secret intelligence court, and was presumably getting lots of secret warrants to watch them, and was furthermore watching them overseas without being subject to the 4th amendment.

Underwatergate: How many E-mails tapped?

A lot of new developments in the warrantless wiretap scandal. A FISA judge has resigned in disgust. A Reagan-appointed former DoJ official calls the President a clear and present danger. And the NSA admits they have on rare occasions tapped entirely domestic phone calls, because sometimes people calling to or from international cell phones while those phones are in the USA would see the traffic go overseas and come back again. I have made such calls to Europeans and Australians visiting the USA.

Scandal name: Underwatergate

Seeing as this scandal seems to be revolving around the tapping, without warrants, of signals over the undersea telecom cables, I propose we call it Underwatergate.

What the NSA is doing with warrantless searches

It's long, but I can strongly recommend the transcript of today's press briefing on the NSA warrantless wiretaps. It's rare to see the NSA speak about this topic.

One can read a fair bit between the lines. The reporters were really on the ball here, far more than one usually sees.

Particularly interesting notes include:

Addrescrow -- privacy for physical address and much more

This is an idea from several years ago I've never written up fully, but it's one of my favourites.

We've seen lots of pushes for online identity management -- Microsoft Passport, Liberty Alliance and more. But what I want is for the online world to help me manage my physical identity. That's much more valuable.

I propose a service I call "addrescrow" which holds and protects your physical address. It will give that address to any delivery company you specify when they have something to deliver, but has limits on how else it will give away info from you. It can also play a role in billing and online identity.

You would get one or more special ID names you could use in place of your address (and perhaps your name and everything else) when ordering stuff or otherwise giving an address. If my ID was "Brad Ideas" then somebody would be able to send a letter, fedex or UPS to me addressed simply to "Brad Ideas" and it would get to me, wherever I was.

Stop the extension of the Patriot ACT

I don't post most EFF news here, since the EFF has a news page and 2 blogs for that, but today I'm doing it twice because Congress is voting tomorrow on renewal of the PATRIOT Act. There was a lot of effort to reduce the bad stuff in the bill, efforts that seemed to be getting somewhere but were ignored.

Is strong crypto worse than weaker crypto? Lessons from Skype

A mantra in the security community, at least among some, has been that crypto that isn't really strong is worse than having no crypto at all. The feeling is that a false sense of security can be worse than having no security as long as you know you have none. The bad examples include of course truly weak systems (like 40 bit SSL and even DES), systems that appear strong but have not been independently verified, and perhaps the greatest villain, "security through obscurity" where the details of the security are kept secret -- and thus unverified by 3rd parties -- in a hope that might make them safer from attack.

On the surface, all of these arguments are valid. From a cryptographer's standpoint, since we know how to design good cryptography, why would we use anything less?

However, the problem is more complex than that, for it is not simply a problem of cryptography, but of business models, user interface and deployment. I fear that the attitude of "do it perfectly or not at all" has left the public with "not at all" far more than it should have.

An interesting illustration of the conflict is Skype. Skype encrypts all its calls as a matter of course. The user is unaware it's even happening, and does nothing to turn it on. It just works. However, Skype is proprietary. They have not allowed independent parties to study the quality of their encryption. They advertise they use AES-256, which is a well trusted cypher, but they haven't let people see if they've made mistakes in how they set it up.

This has caused criticism from the security community. And again, there is nothing wrong with the criticism in an academic sense. It certainly would be better if Skype laid bare their protocol and let people verify it. You could trust it more.

Identity systems change the client/server decision

There have been many efforts at internet "identity" systems, such as Microsoft Passport, Liberty Alliance, and a variety of others. A recent conference was held in SF, though I didn't go, but I thought it was time to put forward one important idea.

Some fault for Phishing on the people who stopped encryption

During the 1990s, the US Government made a major effort to block the deployment of encryption by banning its export. We won that fight, but during the formative years of most internet protocols, they made it hard to add good authentication and privacy to internet tools. They forced vendors to jump through hoops, made users download special "encryption packs" and made encryption the exception rather than the norm in online work.
