Privacy

Data hosting instead of data portability

I’ve been ranting of late about the dangers inherent in “Data Portability” which I would like to rename as BEPSI to avoid the motherhood word “portability” for something that really has a strong dark side as well as its light side.

But it’s also important to come up with an alternative. I think the best alternative may lie in what I would call “data hosting.” It’s a layered system, with a data layer and an application layer on top.

A data hosting approach has your personal data stored on a server chosen by you. (You might have that server right in your own house, or pay for hosting services.) If you pay, that server’s duty is not to exploit your data, but rather to protect it. That’s what you’re paying for. You can have more than one (with different personas, if you like) but for now let’s imagine having just one.

Your data host’s job is to perform actions on your data. Rather than giving copies of your data out to a thousand companies (the Facebook and Data Portability approach) you host the data and perform actions on it, programmed by those companies who are developing useful social applications.

As such, you don’t join a site like Facebook or LinkedIn. Rather, companies like those build applications which can run on your data. They don’t get the data, rather they write code to do things with it that runs in a protected sandbox on your data host.

Rename "Data Portability" to BEPSI

I’ve spoken about the Web 2.0 movement that is now calling itself “data portability.” Now there are web sites, and format specifications and plans are underway to make it possible to quickly export the personal data you put on one social networking site to another. While that sounds like a good thing — we like interoperability, and cooperation, and low barriers to entry on new players — I sometimes seem like a lone voice warning about some of the negative consequences of this.

I know I’m not going to actually stop the data portability movement, and nor is that really my goal. But I do have a challenge for it: Switch to a slightly negative name. Data portability sounds like motherhood, and this is definitely not a motherhood issue. Deliberately choosing a name that includes the negative connotations would make people stop and think as they implement such systems. It would remind them, every step of the way, to consider the privacy implications. It would cause people asking about the systems to query what they have done about the downsides.

And that’s good, because otherwise it’s easy to put on a pure engineering mindset and say, “what’s the easiest way we can build the tools to make this happen?” rather than “what’s a slightly harder way that mitigates some of the downsides?”

A name I dreamed up is BEPSI, standing for Bulk Export of Personal and Sensitive Information. This is just as descriptive, but reminds you that you’re playing with information that has consequences. Other possible names include EBEPSI (Easy Bulk Export…) or OBEPSI (One-click Bulk Export…) which sounds even scarier.

It’s rare for people to do something so balanced, though. Nobody likes to be reminded there could be problems with what they’re doing. They want a name that sounds happy and good, so they can feel happy and good. And I know the creator of dataportability.org thinks he’s got a perfectly good name already so there will be opposition. But a name like this, or another similar one, would be the right thing to do. Remind people of the paradoxes with every step they take.

Portable identity as vaseline

Earlier I wrote an essay on the paradox of identity management describing some counter-intuitive perils that arise from modern efforts at federated identity. Now it’s time to expand these ideas to efforts for portable personal data, especially portable social networks.

Partly as a reaction to Facebook’s popular applications platform, other social networking players are seeking a way to work together to stop Facebook from taking the entire pie. The Google-led OpenSocial effort is the leading contender, but there are a variety of related technologies, including OpenID, hCard and other microformats. The primary goal is to make it easy, as users move from one system to another or run sub-applications on one platform, to provide all sorts of data, including the map of their social network, to the other systems.

Some are also working on a better version of this goal, which is to allow platforms to interoperate. As I wrote a year ago, interoperation seems the right long term goal, but a giant privacy challenge emerges. We may not get very many chances to get this right. We may only get one.

The paradox I identified goes against how most developers think. When it comes to greasing the skids of data flow, “features” such as portability, ease of use and user control, may not be entirely positive, and may in fact be on the whole negative. The easier it is for data to flow around, the more it will flow around, and the more that sites will ask, and then demand that it flow. There is a big difference between portability between applications — such as OpenOffice and MS Word reading and writing the same files — and portability between sites. Many are very worried about the risks of our handing so much personal data to single 3rd party sites like Facebook. And then Facebook made it super easy — in fact mandatory with the “install” of any application — to hand over all that data to hundreds of thousands of independent application developers. Now work is underway to make it super easy to hand over this data to every site that dares to ask or demand it.

Whose call is it to say what's legal?

As many of you will know, it’s been a tumultuous week in President Bush’s battle to get congress to retroactively nullify our lawsuit against AT&T over the illegal wiretaps our witnesses have testified to. The President convinced the Senate to pass a bill with retroactive immunity for the phone companies — an immunity against not just this but all sorts of other illegal activities that have been confirmed but not explained by administration officials. But the House stood firm, and for now has refused. A battle is looming as the two bills must be reconciled. I encourage you to contact your members of congress soon to tell them you don’t want immunity.

And here, I’m going to outline in a slightly different way, why.

I’ve talked about the rule of law, and the problems with retroactive get out of jail free cards that “make it legal.” But let’s go back to when these programs started, and ask some important questions about the nature of democracy and its checks and balances.

The White House decided it wanted a new type of wiretap, and that it wouldn’t, or most probably couldn’t get a warrant from the special court convened just to deal with foreign intelligence wiretaps. They have their reasoning as to why this is legal, which we don’t agree with, but even assuming they believe it themselves, there is no denying by anybody — phone company employees, administration officials, members of congress or FISA judges — that these wiretaps were treading on new, untested ground. Wiretaps of course are an automatic red flag, because they involve the 4th amendment, and in just about every circumstance, everybody agrees they need a warrant as governed by the 4th amendment. Any wiretap without a warrant is enough to start some fine legal argument.

In the USA, the government is designed with a system of checks and balances. This is most important when the bill of rights is being affected, as it is here. The system is designed so that no one branch is allowed to interfere with rights on its own. The other branches get some oversight, they have a say.

So when the NSA came to the phone companies, asking for a new type of wiretap with no warrant, the phone companies had to decide what to do about it. The law tells them to say no, and exacts financial penalties if they don’t say no to an illegal request. The law is supposed to be simple and to not ask for too much judgment on the part of the private sector. In this situation, with a new type of wiretap being requested, the important question is who makes the call? Who should decide if the debatable orders are really legal or not?

There are two main choices. Phone company executives or federal judges. If, as the law requires, the phone company says “come back with a warrant” this puts the question of whether the program is legal in the hands of a judge. The phone company is saying, “this is not our call to make — let’s ask the right judge.”

If the administration says, “No, we say it’s legal, we will not be asking a judge, are you going to do this anyway?” then we’re putting the call in the hands of phone company executives.

That’s what happened. The phone companies made the decision. The law told them to kick it back to the judge, but the White House, it says, assured them the program was legal. And now that lawsuits like ours are trying to ask a different federal judge if the program was legal, the Senate has passed this retroactive immunity. This immunity does a lot of bad things, but among them it says that “it was right for the phone companies to be making the call.” That the pledges of the administration that the program was legal were enough. We’ve even been told we should thank the phone companies for being patriots.

But it must be understood. Even if you feel this program was necessary for the security of the nation, and was undertaken by patriots, this was not the only decision the phone company made. We’re not suing them because they felt they had a patriotic duty to help wiretap al Qaeda. We’re suing them because they took the decidedly non-patriotic step of abandoning the checks and balances that keep us free by not insisting on going to either a judge or congress or both.

Officials in the three branches take a solemn oath to defend the constitution. Phone company executives, as high minded or patriotic as they might be, don’t. So the law was written to tell them it is not their call whether a wiretap is legal, and to tell them there are heavy penalties if they try to make that decision. Those who desire immunity may think they are trying to rescue patriots, but instead they will be rewarding the destruction of proper checks and balances. And that’s not patriotic at all.

Some have argued that there was a tremendous urgency to this program, and this required the phone companies to act quickly and arrange the warrantless wiretaps. While I disagree, I can imagine how people might think that for the first week or two after the requests come in. But this wasn’t a week or two. This has gone on since 2001. There was over half a decade of time in which to consult with judges, congress or both about the legitimacy of the wiretaps. It’s not that they didn’t know — one company, Qwest, refused them at their own peril. If you argued for immunity for the actions of that first week or two, I could understand the nature of your argument. But beyond that, it’s very hard to see. For this is immunity not just for illegal wiretapping. This is immunity for not standing by the law and saying “let’s ask a judge.” For years, and years. Why we would want to grant immunity for that I just can’t understand, no matter how patriotic the goals. This system of freedom, with checks and balances, is the very core of what patriots are supposed to be defending.

A new social networking villain -- NotchUp

A couple of weeks ago many wrote about the mistakes of Spock, which made us call them the “evil Spock” for the way they had you mass mail your friends by fooling you into thinking they were already users of Spock.

The newest company to make a similar mistake is called NotchUp. I am loathe to discuss their business, because this means they get publicity for being bad actors, but it involves companies paying candidates for the chance to interview them rather than just giving all the fees to the headhunters. (Something that could only work in a boom market, I expect.) But in this case, some of the fees go to the headhunters, of course, and in a particularly nasty turn, 10% of them go to the “friend” who “invited” you to sign up.

When I get a bunch of invites for something brand new in a short period, it’s either something really hot, or something fishy. In this case it’s the latter. And one person suggests they didn’t authorize NotchUp to email their entire LinkedIn contact list, so there may be something really fishy.

Here are some of the mistakes:

  • The offering of affiliate fees to spam your friends, effectively an Amway style marketing system, has been pernicious for some time. While this should be strongly discouraged, I am not calling for its total prohibition, but it should never be secret. Every such message should contain a note explaining the financial incentive.
  • The ad comes with your friend’s name on it, but the reply address is a dummy “invite@notchup” which I presume doesn’t work. Any site that does this sort of mailing should put in the friend’s real e-mail, so I can complain to them.
  • The ad comes as a combined HTML and plain text message. Which would be good except the plain text part is just “Go read the HTML part.” Seriously. Boy is that evil.
  • The site contains no “contact us” information for users who have issues. Their FAQ is all about signing up.
  • The site has no “opt out” to stop my friends from doing these mass mailings to me. These are not particularly useful, because I have many email addresses and in fact whole domains that come to me, but they are better than nothing.
  • It may have some of these things if I sign up. Of course as somebody who wants to opt-out, I hardly want to create an account just to do that. A few other sites have had this flaw. (I have no idea if you can opt out by signing up, I presume it does give you the ability to at least not get mailings because you have already been fished by your friend.)

Whether their headhunting model sounds interesting or not, the company’s practices seem slimy enough that I would wait for a nicer competitor to come along if you want to get headhunted this way.

Securing home computer networks

Bruce Schneier has made a fuss by writing about how he leaves his wireless internet open. As a well regarded security expert, how can he do this? You’ll see many arguments for and against in his posting. I’ll expand on one of mine.

Part of Bruce’s argument is one I express differently. I sometimes say “Firewalls are a hoax.” They are the wrong choice for security, but we sell them as a good choice. Oddly, however, this very fact does make them a valid choice. I will explain the contradiction.

Firewalls, I should say, are a form of network security — creating an internal network which is “trusted” and protected from the outside world. In an obscure way, encrypting your wireless net is in this class of security. Note that the “firewall” programs that run on PCs are not network firewalls so they are generally not in this class of security, though they are called Firewalls.

The right way to do things, in the ideal world, is to secure each PC, and to have that PC encrypt its traffic end-to-end with all the sites it communicates with. If you do this, you have almost no need for firewalls or encryption on the network. This is important because in many cases, the idea that your internal network is trustable is a dangerous one. That’s because many networks are populated with insecure consumer computers which frequently get infected with malware (viruses, trojans etc.) They can get infected because they are laptops that visit exposed networks they are not secured well enough for — because you thought you could get away with less on the home net — or because their owner is tricked into downloading malware, or going to a web site that exploits a browser bug, etc.

Once a local computer is infected, your trusted local net betrays you, as the malware now gets to take advantage of all that trust.

We don’t live in that ideal world. The same insecurity these consumer computers (and yes, I mean Windows but other OSs are not immune) have makes them unsuitable for general exposure. The firewall industry gets to sell firewalls because the workstations are so insecure.

In the real world, virus/trojan attacks are the most common. Up to 30% of PCs are “botted” — taken over by malware and acting as zombies under the control of some distant master. A significant number are just plain compromised in other ways, though botting seems the most popular motive today for taking control of systems. The volume of attacks coming in via outsiders sniffing or connecting to your wireless network is insignificant in comparison, I think research would show.

And sadly, while we would like all web traffic to be HTTPS and all E-mail to be secured over TLS, this is just not an option. Most web servers don’t offer encrypted versions, and even the ones that do rarely get used because the UI was not set up correctly for it. (Ideally, http should have been designed so that you don’t have to put your encryption desires into the URL — https vs. http — so that it could be negotiated for each connection. Even then, it would be hard to do this, though identity certificates could make it happen.)

So we must surf the web in the open, or at best through an encrypted tunnel to a proxy that surfs in the open. So this does call for encrypting one’s wifi. However, again, the number of people sniffing private home wifi is tiny in comparison to the other threats.

One of the factors supporting Bruce’s choice is that most security continues to have bad UI. The computer and security industries regularly vastly underestimate the importance of good UI. The hard truth is that good security with bad (hard to use) UI simply doesn’t get deployed very much unless you force it and force it hard. This suggests that lesser security with good UI can actually deliver more real world results than better security with bad UI.

For encrypting networks, the UI is poor. Different vendors use different passphrase algorithms to input keys. For many devices (phones, digital picture frames etc.) even entering a passphrase is difficult. We’re starting to see some better UI but it’s slow to deploy and for now it is no surprise that people want to leave their nets open, both for their own devices, and to give access to guests in their home or office.

To my mind the ideal UI is a device tries to connect to the network, and the AP or a computer flashes a light that says that one, and exactly one device is asking to join the net. You then push a button to confirm that device. Also good is the ability to allow arbitrary devices to connect in a secured channel but with no special ability to route packets to one another or into general devices. A full configuration has an internal net (with routing), guest devices that can’t route to the internal net or to other guests, and host devices which can be seen by guests but not the outside world.

Oddly, as I said at the start, the choices we make affect the value of the choices. Because NATs and firewalls provide some security, people (and vendors) allow the computers behind these NATs and firewalls to be insecure in a way they never would or could if the NATs and firewalls weren’t there. This in turn makes the NATs and firewalls worthwhile. And yes, random attacks from outside will always be more probable than attacks from the inside from compromised machines, and they will be more probable than attacks from neighbours. So it’s not as simple as we like. However, computers are going to roam more and more. My PDA has wifi and roams. It also has EVDO and some day those networks will open and need more endpoint security.

So is Bruce right or wrong? Both. The real world risk of what he’s doing isn’t great. It’s not zero, either. The real question is whether the UI penalties of an encrypted network are worse than the risk. And that decision varies from person to person. Better UI and protocol design could mostly eliminate the tradeoff, which is the real lesson.

The logical outcome of Spock

This week, like many, I have gotten a bunch of invites to join people’s trust networks on the people-search/social networking site called “Spock.” Normally I now mostly ignore new invites from social networking services. There are far too many, and I can’t possibly maintain accounts on them all, so a new site will have to get very, very, very compelling before I will join it.

I’m waiting for the social networking sites to figure out how to interoperate in a meaningful way, so that I can join just one, and befriend people on others, and use apps that work over both. The new Google offering is a step in that direction but is mostly about making apps portable over networks.

However, the volume of mail from Spock was much higher than a typical new network. One blogger identified the reason, suggesting the site was designed by the evil spock from Mirror, Mirror (Star Trek). The trick is the site has already spidered other social networking sites and web sites to build profiles on people, and thus declares that almost everybody in your addressbook “already has a profile” according to Benson. This is convincing friends to authorize the semi-spam. And Wired News has discovered something even nastier about this spidering.

However, I see a deeper problem, even without these flaws in Spock’s system. We have to consider just how much we want to allow applications to “mail everybody in your address book.” This started with Plaxo and Goodcontacts, which wanted to be address book managers, and now has moved into social networking tools.

The problem is I have 1,000 or more people in my address book. If the average person engages in “mail everybody in my address book” once a year, I will get on average 3 such mails a day, and so will most others.

Facebook actually clued into that and forbids applications from mailing solicitations to everybody in your facebook profile. You are limited to a modest number per day. Even with this, it didn’t stop Zombie invitations from getting pretty annoying to people.

E-mail viruses, of course, also spread by mailing everybody in your address book, to the extent that email programs had to move to make that a more guarded operation, and antivirus programs had to detect it.

Now mailing most of your address book isn’t spam (even when commercial) because you know the people. Many of us mail a subset of it to announce parties or major events in our lives, or to send end of year letters. But we do need to generate a different ethic over mail to your whole list that is triggered by a 3rd party web site or application. With so many apps wanting to “market like a virus” this just doesn’t scale, and our boxes will become full of this spam-from-friends. (A bit like the way pyramid schemes also encourage friend spam.) It needs to be clear that this is not something apps should do, and not something our friends should let apps do without a lot of consideration.

Note: If you are on Spock, and you agree they went too far, you should delete your profile. Only by seeing people flee will they figure out they did wrong. Or, at the very least, change your profile to a stub that says you find Spock’s privacy practices unacceptable and you ask people not to network with you on it.

They're trying an act of congress to stop us suing AT&T

Update: Harry Reid has delayed the bill until 2008. Let’s hope we can keep the immunity out when it returns again next year. Let your senators know.

Usually, when you start a legal action, you consider the merits and go ahead when you have a good case. If your case is just, you should win.

You don’t usually expect your case to cause the President to personally lobby congress to grant a retroactive immunity to the parties who broke the law. You don’t usually expect to have them try to toss out your case by having an act of congress grant amnesty to those you are suing.

But this could happen tomorrow, in our battle against AT&T for letting the NSA wiretap without warrants. The house passed a bill without the amnesty the President wanted, and the Senate had two bills, but right now they’ve picked the bad one, with the amnesty, and powerful forces are pushing to make it go through quickly, and then add the amnesty to the house bill.

Senator Chris Dodd is going to show some great spine tomorrow and try to filibuster the bill and trigger debate. However, pro-amnesty forces are gathering the 60 senate votes needed to shut down the bill and grant amnesty. Your senator is probably among them. One of my senators, Dianne Feinstein, is among the worst. But it’s not too late to call your own senator and tell them not to engage in this travesty of justice.

In Star Wars: The Phantom Menace, Darth Sidious, a.k.a. Emperor Palpatine, tells his puppet trade federation to invade Naboo.

“But my lord, is that legal?” asks the trader.

“I will make it legal” says Lord Sidious.

That’s the precedent they are setting, as I’ve written before. Do what the President says, ignore checks and balances because he can make it legal, retroactively. It’s a sad day for the rule of law.

Do me a favour and call your senator and let them know what you think about this issue. Let them know their constituents will remember this action, and see if you can turn the tide.

Don't E-mail me my password

All over the net, a huge number of sites offer you the option of E-mailing you your password if you have forgotten it. While this seems to make sense, it is actually a dreadful security policy, and if you see it, you should complain and point them to this article or others to get them to stop. As an alternative, they should at most offer to E-mail you a new, randomly chosen temporary password, which you can use to log in and set a more memorable password.

If a site can mail you your password, it means they are keeping a copy of it. They should not be doing that. First of all, almost everybody re-uses passwords at different sites. That means if one site has a security breach — as Convio did this week for a wide variety of sites that are its clients — your password will be stolen, and it can then be used on all the other sites you use it at. (This is a good reason to always use more protected, less duplicated passwords on sites where actual damage can be done or money can be spent, like banks, eBay, paypal etc.)

Instead, they should keep a “hash” of your password. A hash is a one way function. Given the plain password, they can hash it, and store the result, but you can’t get the plain password back from the hash. So you can check to see if a password that was typed matches the password without storing what the password is. This is actually a very easy thing to do in most systems, and its main downside is the fact that they can no longer e-mail you your password. They can, however, set it to something random and mail you that. That’s a touch more work in the rare event of a lost password, but worth the trouble.

There is, oddly, one minor downside to hashed passwords. With hashed passwords, you must provide the site your real password, and they can then test it and forget it. You must trust them to forget it. The real password, however, is sent over the internet and if you don’t use an encrypted channel, like SSL/TLS/https, it could be intercepted by people tapping the line. Some password systems (including the less commonly used HTTP password system) have the browser hash the password (in a special way that is different every time) and send the hash to log in. In this case, the real password is not sent, and can’t be sniffed, but must be in storage at the remote site. However, if you use an encrypted channel (https), there is no worry about the password going over the internet, and so there’s no reason not to do it that way.
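To make the storage argument concrete, here is an added example (not code from the original post) of a site-side password store that keeps only a salted hash, so “mail me my password” is impossible by construction, while the reset path hands out a random temporary password that must be replaced at next login. The in-memory user table and the PBKDF2 work factor are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "user table" standing in for a site's database.
# Each record holds a salt, a hash and a flag; the password itself is never kept.
USERS = {}

PBKDF2_ROUNDS = 200_000  # work factor: slows offline guessing if the table leaks
SALT_BYTES = 16


def _hash(password: str, salt: bytes) -> bytes:
    """One-way function: plain password -> fixed-size digest, keyed by a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(username: str, password: str, must_change: bool = False) -> None:
    """Store a fresh salt and the hash of `password`; the plaintext is discarded here."""
    salt = secrets.token_bytes(SALT_BYTES)
    USERS[username] = {
        "salt": salt,
        "hash": _hash(password, salt),
        "must_change": must_change,
    }


def check_password(username: str, password: str) -> bool:
    """Hash what was typed with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _hash(password, b"\0" * SALT_BYTES)
        return False
    return hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def recover_password(username: str) -> str:
    """What a 'mail me my password' feature would need. With a hash-only
    store there is nothing to return, so the only honest answer is an error."""
    raise LookupError("plaintext password is not stored; issue a reset instead")


def reset_password(username: str) -> str:
    """Lost-password path: pick a random temporary password, store only its
    hash, and return it once so the site can mail it. The old password stops
    working immediately and the user must choose a new one after logging in."""
    if username not in USERS:
        raise KeyError(username)
    temp = secrets.token_urlsafe(12)
    set_password(username, temp, must_change=True)
    return temp


def login(username: str, password: str) -> str:
    """Return 'denied', 'change-password' (temporary password in use) or 'ok'."""
    if not check_password(username, password):
        return "denied"
    return "change-password" if USERS[username]["must_change"] else "ok"


if __name__ == "__main__":
    set_password("alice", "correct horse")
    print(login("alice", "correct horse"))      # ok
    temp = reset_password("alice")
    print(login("alice", "correct horse"))      # denied
    print(login("alice", temp))                 # change-password
    set_password("alice", "battery staple")
    print(login("alice", "battery staple"))     # ok
```

Note that `check_password` still needs the plaintext from the user for that one moment, which is exactly why the login form must travel over https.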

There is a better way to do all of this. With digital signatures, you can prove that you’re you using a secret private key only you know. Nobody else ever gets this key, and nobody can figure it out by watching the communications you send. While this technology has been around for some time, and is in fact implemented in most browsers (though far from perfectly) it is not a common way to authenticate to web sites at all.

However, next time a site offers to E-mail your password, point them to the Convio data theft and to this page and ask them to get their act together.

How did facebook apps reverse the install dynamic?

The hot new thing of the web of late has been facebook apps. I must admit Facebook itself has been great for me at finding old friends because for unknown reasons, almost 20% of Canada is on Facebook compared to 5% of the USA. Facebook lets 3rd parties write apps, which users can “install” and after installing them, the apps get access to the user’s data (friend list) and can insert items into the user’s “feed” (which all their friends see) and sometimes send E-mails to friends.

I haven’t examined the API enough to understand the reason, but there are many Facebook apps that are very, very annoying in how they operate. Most won’t let you get anything from them unless you “install” them and give them access to a lot of your data. (There are a few that let you have more limited temporary use through a login.)

This is annoying because you constantly get data in feeds (or emails) which is just a teaser. “Fred Smith wrote something on your pixie wall.” You have to follow the link, and find you must install the application before it will show you what the other person wrote. It could easily have shown you the text in the feed or email, but it doesn’t want to do that, it wants to spread virally.

But this is far beyond viral. Viral apps usually work because friends recommend them. These apps push to install just because a friend used the app in reference to you.

Outside of facebook there was a different dynamic. Usually if you used a social app which emailed your friends, your friends could do their part just on the web site, without creating an account, or providing personal data, or “installing” something. (The install on facebook isn’t like a PC software install, but given the data it gets access to, it is pretty insidious, a form of super-spyware.)

There were a few apps which required your contacts to create accounts and enter data. They got a lot of pushback, and this largely stopped. Most of the apps certainly encouraged your friends to create accounts, but few forced it or sent a message that was useless unless they did create one. (Not counting deliberate invitations to join a system which obviously work this way, and which you tend to send one-by-one, or so most companies learned.) As much as I hate evite they still let the people you invite RSVP without doing any account creation.

In facebook it’s the reverse. One app I tried and hated asked questions. It ended up putting text into the feed and emails of the form, “Joe has asked a question, click here to see what it is” and “Mary has answered Joe’s question, click here to read the answer” instead of putting these short text questions and answers right into the email. And answering a question required installing the app.

I see a few things that have driven it this way. First of all, when you install a Facebook app, it informs all your friends in the feed. That’s publicity for the app. And they get to increase their total number of installed users, which gives them more visibility when people look to see what’s popular. If the app let your friends get data without making them join, it would not have so many users.

Apps are not forced to do this. A number of good apps will let people see the data, even put it in feeds, without you having to “install” and thus give up all your privacy to the app. What I wish is that more of us had pushed back against the bad ones. Frankly, even if you don’t care about privacy, this approach results in lots of spam which is trying to get you to install apps. Everybody thinks having an app with lots of users is going to mean bucks down the road, with Facebook valued as highly as it is.

A lot of it is plain old spam, but we’re tolerating it because it’s on Facebook. (Which itself is no champion. They have an extremely annoying email system which sends you an e-mail saying, “You got a message on facebook, click to read it” rather than just including the text of the message. To counter this, there is an “E-mail me instead” application which tries to make it easier for people to use real E-mail. And I recently saw one friend add the text “Use E-mail not facebook message” in her profile picture.)

No "get out of jail free" card for the phone companies

I only post a modest number of EFF news items here, because I know that if you want to see them all, you should be reading some of the EFF blogs such as deeplinks or action alerts or EFFector or others.

However, something remarkable is happening. As you may know, we filed suit against AT&T because we have evidence they allowed the government to engage in a massive spying program within the US without warrants or other proper legal authority. Special secret rooms were installed in San Francisco and other locations, rooms under the control of the NSA, and massive data pipes with all internet traffic and more were forked and fed into these NSA rooms. We want to get to the bottom of this, and punish the phone companies if they violated the very explicit laws which were set up after Watergate to stop the President from doing this exact sort of thing. Congress told the phone companies that Nixon showed us we can’t trust the President all the time, and so they have a duty to protect their customers as well, even if the President tells them not to.

But as our lawsuit has progressed, forces are pushing Congress to not just enable this spying, but to grant a retroactive amnesty on the phone companies that violated the law. In one sense I am glad our lawsuit has scared them so much — you know you are on to something when they try to get congress to pass retroactive laws to stop your lawsuits — but the enormity of such action boggles my mind.

The phone companies and White House are pushing for a “get out of jail free” card for their past activity. Whatever you think about the need for such massive surveillance, retroactive immunities are something else entirely. Allowing such immunities will let the President tell people, “Don’t worry whether this is illegal or not. As you can see, I can make it legal.” Congress might give him the proof he needs to back up such claims. It doesn’t matter that he won’t be able to “make it legal” every time he promises it. The fact that he did it this time is still going to get more people to feel at less risk in joining illegal conspiracies. It undermines the rule of law.

The American people need to convince their Senators and House members not to do this. If your rep has already decided they like the surveillance program — even if you have decided you like it — they must realize this get out of jail free card is a horrible idea.

You can use our action alert system to find your rep and their phone numbers, and give them a call. Calls matter the most. See if your reps are on the right committees and talk to them about it.

The House was ready to pass a bill without immunity, but pro-immunity forces scuttled it and are pushing to get it added. Call House Members

The Senate Intelligence Committee passed a bill with telco immunity in it. The Judiciary Committee is now looking at it. Call Senate Members

Should we allow relatives' DNA matching to prove innocence?

Earlier I wrote about the ability to find you from a DNA sample by noting it’s a near match with one of your relatives. This is a concern because it means that if relatives of yours enter the DNA databases, voluntarily or otherwise, it effectively means you’re in them too.

On a recent 60 Minutes on the topic, they told the story of Darryl Hunt, who had been jailed for rape and murder. It wasn’t clear to me why, but this was done even though his blood type did not match the rapist’s DNA. Even after DNA testing improved and the non-match was better confirmed, he was still kept in jail, because he was believed to be the murderer, if not the rapist, i.e. an accomplice.

Later, they did a DNA search on the rapist’s DNA and found his brother in the database, who had been entered due to a minor parole violation. So they interviewed the brothers of the near-match and found Willard Brown, who turned out to be the rapist. Once they could see he was not an associate of the rapist, Hunt was freed after 19 years of false imprisonment.

The piece also told the story of another rapist, who had raped scores of women and stolen their shoes as souvenirs, but had become a cold case. He was caught because his sister was in a DNA database due to a DUI.

Now much of our privacy law is based on having your own private data not seized and used against you without probable cause. It’s easy to answer the case of the shoe rapist. There are a wide variety of superior surveillance tools we could allow the police to use, and they would help them catch criminals, and in many cases thus prevent those criminals from committing future crimes. But we don’t give the police those tools, deliberately, because we don’t want a world where the government has such immense surveillance power. And a large part of that goal is protecting the innocent. Our rules that allow criminals to walk free when police do improper evidence gathering and surveillance to catch them are there in part to keep the police from using those powers on the innocent.

But the innocent man who was freed presents a more interesting challenge. Can we help him, without enabling 1984? In considering this question, I asked, “What if we allowed DNA near matches to be used only when they would prove innocence?” Of course, in Hunt’s case, and many others, the innocence is proven by finding the real guilty party.

So what if, in such cases, it was ruled that while they might find the guilty party, they could not prosecute him or her? And further, that any other evidence learned as a result was considered Fruit of the poisonous tree? That’s a pretty tough rule to follow, since once the police know who the real perpetrator is, this will inspire them to find other sorts of evidence that they would not have thought to look for before, and they will find ways to argue that these were discovered independently. It might be necessary to put on a stronger standard, and just give immunity to the real perpetrator if sufficient time has passed since the crime to declare the case to be cold.

Setting out the right doctrine would be difficult. But if it frees innocents, might it be worth it?

Giant victory for E-mail privacy

For some time I’ve been warning about a growing danger to the 4th amendment. The 4th amendment protects our “persons, houses, papers and effects” but police and some courts have been interpreting this to mean that our private records kept in the hands of 3rd parties — such as E-mail on an ISP or webmail server — are not protected because they are not papers and not in our houses. Or more to the point, that we do not have a “reasonable expectation of privacy” when we leave our private data in the hands of 3rd parties. They have been seizing E-mail without getting a warrant, using the lower standards of the Stored Communications Act.

Recently, we at the EFF got involved in a case challenging that, and argued in our amicus brief that this mail deserved full protection. We won a lower court round and are thrilled that today, the 6th circuit court of appeals has issued a ruling affirming the logic in our amicus and protecting E-mail. We hope and expect this to become the full law of the land, though for now, I might advise all E-mail service providers to move their servers to the 6th circuit (MI, OH, TN, KY) for full protection. It will save you money as you will be able to more simply deal with requests for customer E-mails.

You can read more details on the EFF page on Warshak v USA. Congrats to Kevin Bankston who did the work on the brief. (Amusingly, Google owes him a big debt today, and last week they were hassling him to provide a notarized driver’s license photo in order to get removed from their Street View!)

Orwell could answer the cell phone driving question

From time to time I come up with ideas that are interesting but I can't advocate because they have overly negative consequences in other areas, like privacy. Nonetheless, they are worth talking about because we might find better ways to do them.

There is some controversy today over whether driving while talking on a cell phone is dangerous, and should be banned, or restricted to handsfree mode. It occurs to me that the data to answer that question is out there. Most cars today have a computer, and it records things like the time that airbags deploy, or even in some cases when you suddenly dropped in speed. (If not, it certainly could.) Your cell phone, and your cell company know when you're on the phone. Your phone knows if you are using the handsfree, though the company doesn't. Your phone and cell company also know (but usually don't record) when you're driving and suddenly stop moving for an extended period.

In other words, something with access to all that data (and a time delta for the car's clock) could quickly answer the question of what cell phone behaviours are more likely to cause accidents. It would get a few errors (such as if the driver borrows their passenger's phone) but would be remarkably comprehensive in providing an answer.

But to gather this data involves way too many scary things. We don't really want our cars or phone companies recording data which can be used against us. They could record things like if we speed, and where we go that we don't want others to know about, and who we're talking to at the time, and much more.

In our quest for learning from private data, we have often sought anonymization technologies that can somehow collect the data and disassociate it from the source. That turns out to be very hard to do, often near impossible, and the infrastructure built for this sort of collection can almost always be trivially repurposed for non-anonymous use; now all that is needed is to flick a switch.

Now I do expect that soon we will see, after a serious car accident, attempts to get at this data on a case by case basis. The insurance companies will ask for cell phone records at the time of the accident, or data from the phone itself. We’re already going to lose that privacy once there is an accident, though at least case by case invasions don’t scale. Messy problem.

Unique Pseudonyms: QID

I wrote recently about the paradox of identity management and how the easier it is to offer information, the more often it will be exchanged.

To address some of these issues, let me propose something different: The creation of an infrastructure that allows people to generate secure (effectively anonymous) pseudonyms in a manner that each person can have at most one such ID. (There would be various classes of these IDs, so people could have many IDs, but only one of each class.) I’ll call this a QID (the Q “standing” for “unique.”)

The value of a unique ID is strong — it allows one to associate a reputation with the ID. Because you can only get one QID, you are motivated to carefully protect the reputation associated with it, just as you are motivated to protect the reputation on your “real” identity. With most anonymous systems, if you develop a negative reputation, you can simply discard the bad ID and get a new one which has no reputation. That’s annoying but better than using a negative ID. (Nobody on eBay keeps an account that gets a truly negative reputation. An account is abandoned as soon as the reputation seems worse than an empty reputation.) In effect, anonymous IDs let you demonstrate a good reputation. Unique IDs let you demonstrate you don’t have a negative reputation. In some cases systems try to stop this by making it cost money or effort to generate a new ID, but it’s a hard problem. Anti-spam efforts don’t really care about who you are, they just want to know that if they ban you for being a spammer, you stay banned. (For this reason many anti-spam crusaders currently desire identification of all mailers, often with an identity tied to a real world ID.)

I propose this because many web sites and services which demand accounts really don’t care who you are or what your E-mail address is. In many cases they care about much simpler things — such as whether you are creating a raft of different accounts to appear as more than one person, or whether you will suffer negative consequences for negative actions. To solve these problems there is no need to provide personal information to use such systems.

The paradox of identity management

Since the dawn of the web, there has been a call for a “single sign-on” facility. The web consists of millions of independently operated web sites, many of which ask users to create “accounts” and sign-on to use the site. This is frustrating to users.

Today the general single sign-on concept has morphed into what is now called “digital identity management” and is considerably more complex. The most recent project of excitement is OpenID which is a standard which allows users to log on using an identifier which can be the URL of an identity service, possibly even one they run themselves.

Many people view OpenID as positive for privacy because of what came before it. The first major single sign-on project was Microsoft Passport which came under criticism both because all your data was managed by a single company and that single company was a fairly notorious monopoly. To counter that, the Liberty Alliance project was brewed by Sun, AOL and many other companies, offering a system not run by any single company. OpenID is simpler and even more distributed.

However, I feel many of the actors in this space are not considering an inherent paradox that surrounds the entire field of identity management. On the surface, privacy-conscious identity management puts control over who gets identity information in the hands of the user. You decide who to give identity info to, and when. Ideally, you can even revoke access, and push for minimal disclosure. Kim Cameron summarized a set of laws of identity outlining many of these principles.

In spite of these laws one of the goals of most identity management systems has been ease of use. And who, on the surface, can argue with ease of use? Managing individual accounts at a thousand web sites is hard. Creating new accounts for every new web site is hard. We want something easier.

The paradox

However, here is the contradiction. If you make something easy to do, it will be done more often. It’s hard to see how this can’t be true. The easier it is to give somebody ID information, the more often it will be done. And the easier it is to give ID information, the more palatable it is to ask for, or demand it.

Interview with me on Web 2.0 and privacy (and a French/German documentary)

While I was at Tim O’Reilly’s Web 2.0 Expo, I did an interview with an online publication called Web Pro News. I personally prefer written text to video blogging, but for those who like to see video, you can check out:

Video Interview on Privacy and Web 2.0

The video quality is pretty good, if not the lighting.

The main focus was to remind people that as we return to timesharing, which is to say, move our data from desktop applications to web based applications, we must be aware that putting our private data in the hands of 3rd parties gives it less constitutional protection. We’re effectively erasing the 4th Amendment.

I also hint at an essay I am preparing on the evils of user-controlled identity management software, and give my usual rant about thinking about how you would design software if you were living in China or Saudi Arabia.

I also was interviewed some time ago about Google and other issues by a French/German channel. That’s a 90 minute long program entitled Faut-il avoir peur de Google ? (Should we fear Google). It’s also available in German. It was up for free when I watched it, but it may now require payment. (I only appear for a few minutes, my voice dubbed over.)

When I was interviewed for this I offered to, with some help, speak in French. I am told I have a pretty decent accent, though I no longer have the vocabulary to speak conversationally in French. I thought it would be interesting if they helped me translate and then I spoke my words in French (perhaps even dubbing myself later if need be.) They were not interested since they also had to do German.

Another video interview by a young French documentarian producing a show called Mix-Age Beta can be found here. The lighting isn’t good, but this time it’s in English. It’s done under the palm tree in my back yard.

Without knowing it, we're all in the gene databases already

I have written before how future technology affects our privacy decisions today. DNA collection is definitely one of these areas. As you may know, law enforcement in the USA is now collecting DNA from people convicted of crimes, and even those arrested in a number of jurisdictions — with no ability to expunge the data if not found guilty. You may feel this doesn’t affect you, as you have not been arrested.

As DNA technology grows, bioinformatics software is becoming able to determine that a sample of DNA is a “near match” for somebody in a database. For example, they might determine that a person in the database is not the source of the DNA being studied, but is a relative of that person.

In a recent case, a DNA search turned up not the perpetrator, but his brother. They investigated the male relatives of the brother and found and convicted the man in question.

Zphone and the "rich little attack"

I was discussing his Zphone encrypting telephone system with Phil Zimmermann today. In his system, phone calls are encrypted with opportunistic, certificateless cryptography, which I applaud because it requires no user interface and no centralization. It is vulnerable to “man in the middle” attacks if the MITM can be present in all communications.

His defence against MITM is to allow the users of the system to do a spoken authentication protocol at any time in their series of conversations. While it’s good to do it on the first call, his system works even when done later. In their conversation, they can, using spoken voice, read off a signature of the crypto secrets that are securing their conversation. The signatures must match — if they don’t, a man-in-the-middle is possibly interfering.

I brought up an attack he had thought of and called the Rich Little attack, involving impersonation with a combination of a good voice impersonation actor and hypothetical computerized speech modification that turns a good impersonator into a near perfect one. Phil believes that trying to substitute voice in a challenge that can come at any time, in any form, in any conversation is woefully impractical.

A small amount of thought made me produce this attack: Two impersonators. Early on in a series of conversations, the spy agency trying to break in brings in two impersonators who have listened to Alice and Bob respectively (we are hearing their calls) and learned their mannerisms. A digital audio processor helps convert the tones of their voice. That’s even easier on an 8 kHz channel.
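The spoken check described above, as an added example that is not the post's or Zfone's own code: an unauthenticated Diffie-Hellman call setup, a short authentication string (SAS) derived from the resulting secret, and what each party would read aloud with and without a man in the middle. The group parameters are an assumption (the 1024-bit MODP prime of RFC 2409 group 2, transcribed from memory); the demonstration only needs a large modulus and behaves the same with any safe prime.

```python
import base64
import hashlib
import secrets

# Assumed group: RFC 2409 group 2 prime (from memory), generator 2. Any large
# safe prime serves the demonstration; the exact value is not the point.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair():
    """Fresh ephemeral exponent and public value for one call (no certificates)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def sas(secret):
    """Short authentication string: 4 base32 characters (20 bits) of a hash of
    the call's shared secret. Each party reads theirs aloud; if the two ends
    do not hold the same secret, the strings differ (except with probability
    about 2**-20)."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(b"SAS" + raw).digest()
    return base64.b32encode(digest)[:4].decode()


def direct_call():
    """No interference: Alice and Bob receive each other's real public values,
    so both derive the same secret and the same SAS."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    return sas(shared_secret(a, pub_b)), sas(shared_secret(b, pub_a))


def mitm_call():
    """Mallory sits on the path and swaps in her own public values, ending up
    with a different secret on each leg. The spoken SAS values then disagree,
    which is what the voice comparison is designed to catch."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    m1, pub_m1 = dh_keypair()  # Mallory's exponent on the Alice leg
    m2, pub_m2 = dh_keypair()  # Mallory's exponent on the Bob leg
    alice_secret = shared_secret(a, pub_m1)  # Alice was handed pub_m1, not pub_b
    bob_secret = shared_secret(b, pub_m2)    # Bob was handed pub_m2, not pub_a
    mallory_holds_both = (shared_secret(m1, pub_a) == alice_secret
                          and shared_secret(m2, pub_b) == bob_secret)
    return sas(alice_secret), sas(bob_secret), mallory_holds_both


if __name__ == "__main__":
    print("direct call, SAS on each end:", direct_call())
    print("intercepted call, SAS on each end, Mallory can read both legs:", mitm_call())
```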

When should a password be strong

If you’re like me, you select special unique passwords for the sites that count, such as banks, and you use a fairly simple password for things like accounts on blogs and message boards where you’re not particularly scared if somebody learns the password. (You had better not be scared, since most of these sites store your password in the clear so they can mail it to you, which means they learn your standard account/password and could pretend to be you on all the sites you duplicate the password on.) There are tools that will generate a different password for every site you visit, and of course most browsers will remember a complete suite of passwords for you, but neither of these work well when roaming to an internet cafe or friend’s house.

However, every so often you’ll get a site that demands you use a “strong” password, requiring it to be a certain length, to have digits or punctuation, spaces and mixed case, or subsets of rules like these. This of course screws you up if the site is an unimportant one where you want to use your easy-to-remember password: you must generate a variant of it that meets their rules and remember it. These are usually sites where you can’t imagine why you want to create an account in the first place, such as stores you will shop at once, or blogs you will comment on once and so on.

Strong passwords make a lot of sense in certain situations, but it seems some people don’t understand why. You need a strong password in case it is possible or desirable for an attacker to do a “dictionary” attack on your account. This means they have to try thousands, or even millions of passwords until they hit the one that works. If you use a dictionary word, they can try the most common words in the dictionary and learn your password.
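An added example, not from the post, of the two points above: a site that stores passwords in the clear hands over your reused password with zero guesses, while against a salted slow hash the attacker must run a dictionary, and a common word still falls within a handful of guesses. The storage functions, the six-word list and the guess budget are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Deliberately slow: every guess against a hashed record costs this much work.
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for the "most common words" an attacker tries first.
COMMON_WORDS = ["123456", "password", "letmein", "dragon", "monkey", "qwerty"]


def store_cleartext(password):
    """How the post describes many small sites storing passwords (so they can
    mail them back): the record simply contains the password."""
    return {"scheme": "clear", "secret": password}


def store_hashed(password):
    """Per-user random salt plus a slow key derivation, so a stolen record
    cannot be reversed and must be guessed at one expensive candidate a time."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2", "salt": salt, "secret": digest}


def verify(record, candidate):
    """Constant-time check of a candidate against a stored record."""
    if record["scheme"] == "clear":
        return hmac.compare_digest(record["secret"].encode(), candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["secret"], digest)


def recover_offline(record, wordlist, guess_limit):
    """What a stolen record yields. Returns (password or None, guesses spent).
    A cleartext record needs no guessing at all. A hashed record forces a
    dictionary run, bounded by guess_limit (the attacker's CPU budget offline,
    or lockouts and rate limits if the guesses must go through the site)."""
    if record["scheme"] == "clear":
        return record["secret"], 0
    for n, word in enumerate(wordlist, start=1):
        if n > guess_limit:
            return None, n - 1
        if verify(record, word):
            return word, n
    return None, len(wordlist)


if __name__ == "__main__":
    print(recover_offline(store_cleartext("dragon"), COMMON_WORDS, 0))
    print(recover_offline(store_hashed("dragon"), COMMON_WORDS, 1000))
    print(recover_offline(store_hashed("vK9#pl-Qz2wE"), COMMON_WORDS, 1000))
```

The last call shows the point of a strong password: it is not in any list the attacker can afford to run, so the record is exhausted without a hit, and each failed guess cost a full PBKDF2 evaluation.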
