You are here


They're trying an act of congress to stop us suing AT&T

Update: Harry Reid has delayed the bill until 2008. Let's hope we can keep the immunity out when it returns again next year. Let your senators know.

Usually, when you start a legal action, you consider the merits and go ahead when you have a good case. If your case is just, you should win.


Don't E-mail me my password

All over the net, a huge number of sites offer you the option of E-mailing you your password if you have forgotten it. While this seems to make sense, it is actually a dreadful security policy, and if you see it, you should complain and point them to this article or others to get them to stop. As an alternate, they should at most offer to E-mail you a new, randomly chosen temporary password, which you can use to log in and set a more memorable password.


How did facebook apps reverse the install dynamic?

The hot new thing of the web of late has been facebook apps. I must admit Facebook itself has been great for me at finding old friends because for unknown reasons, almost 20% of Canada is on Facebook compared to 5% of the USA. Facebook lets 3rd parties write apps, which users can "install" and after installing them, the apps get access to the user's data (friend list) and can insert items into the user's "feed" (which all their friends see) and sometimes send E-mails to friends.


No "get out of jail free" card for the phone companies

I only post a modest number of EFF news items here, because I know that if you want to see them all, you should be reading some of the EFF blogs such as deeplinks or or action alerts or EFFector or others.

Should we allow relative's DNA matching to prove innocence?

Earlier I wrote about the ability to find you from a DNA sample by noting it's a near match with one of your relatives. This is a concern because it means that if relatives of yours enter the DNA databases, voluntarily or otherwise, it effectively means you're in them too.

Giant victory for E-mail privacy

For some time I've been warning about a growing danger to the 4th amendment. The 4th amendment protects our "persons, houses, papers and effects" but police and some courts have been interpreting this to mean that our private records kept in the hands of 3rd parties -- such as E-mail on an ISP or webmail server -- are not protected because they are not papers and not in our houses. Or more to the point, that we do not have a "reasonable expectation of privacy" when we leave our private data in the hands of 3rd parties.


Orwell could answer the cell phone driving question

From time to time I come up with ideas that are interesting but I can't advocate because they have overly negative consequences in other areas, like privacy. Nonetheless, they are worth talking about because we might find better ways to do them.

Unique Pseudonyms: QID

I wrote recently about the paradox of identity management and how the easier it is to offer information, the more often it will be exchanged.

To address some of these issues, let me propose something different: The creation of an infrastructure that allows people to generate secure (effectively anonymous) pseudonyms in a manner that each person can have at most one such ID. (There would be various classes of these IDs, so people could have many IDs, but only one of each class.) I'll call this a QID (the Q "standing" for "unique.")

The value of a unique ID is strong -- it allows one to associate a reputation with the ID. Because you can only get one QID, you are motivated to carefully protect the reputation associated with it, just as you are motivated to protect the reputation on your "real" identity. With most anonymous systems, if you develop a negative reputation, you can simply discard the bad ID and get a new one which has no reputation. That's annoying but better than using a negative ID. (Nobody on eBay keeps an account that gets a truly negative reputation. An account is abandoned as soon as the reputation seems worse than an empty reputation.) In effect, anonymous IDs let you demonstrate a good reputation. Unique IDs let you demonstrate you don't have a negative reputation. In some cases systems try to stop this by making it cost money or effort to generate a new ID, but it's a hard problem. Anti-spam efforts don't really care about who you are, they just want to know that if they ban you for being a spammer, you stay banned. (For this reason many anti-spam crusaders currently desire identification of all mailers, often with an identity tied to a real world ID.)

I propose this because many web sites and services which demand accounts really don't care who you are or what your E-mail address is. In many cases they care about much simpler things -- such as whether you are creating a raft of different accounts to appear as more than one person, or whether you will suffer negative consequences for negative actions. To solve these problems there is no need to provide personal information to use such systems.


The paradox of identity management

Since the dawn of the web, there has been a call for a "single sign-on" facility. The web consists of millions of independently operated web sites, many of which ask users to create "accounts" and sign-on to use the site. This is frustrating to users.

Today the general single sign-on concept has morphed into what is now called "digital identity management" and is considerably more complex. The most recent project of excitement is OpenID which is a standard which allows users to log on using an identifier which can be the URL of an identity service, possibly even one they run themselves.

Many people view OpenID as positive for privacy because of what came before it. The first major single sign-on project was Microsoft Passport which came under criticism both because all your data was managed by a single company and that single company was a fairly notorious monopoly. To counter that, the Liberty Alliance project was brewed by Sun, AOL and many other companies, offering a system not run by any single company. OpenID is simpler and even more distributed.

However, I feel many of the actors in this space are not considering an inherent paradox that surrounds the entire field of identity management. On the surface, privacy-conscious identity management puts control over who gets identity information in the hands of the user. You decide who to give identity info to, and when. Ideally, you can even revoke access, and push for minimal disclosure. Kim Cameron summarized a set of laws of identity outlining many of these principles.

In spite of these laws one of the goals of most identity management systems has been ease of use. And who, on the surface, can argue with ease of use? Managing individual accounts at a thousand web sites is hard. Creating new accounts for every new web site is hard. We want something easier.

The paradox

However, here is the contradiction. If you make something easy to do, it will be done more often. It's hard to see how this can't be true. The easier it is to give somebody ID information, the more often it will be done. And the easier it is to give ID information, the more palatable it is to ask for, or demand it.


Interview with me on Web 2.0 and privacy (and a French/German documentary)

While I was at Tim O'Reilly's Web 2.0 Expo, I did an interview with an online publication called Web Pro News. I personally prefer written text to video blogging, but for those who like to see video, you can check out:

Video Interview on Privacy and Web 2.0

The video quality is pretty good, if not the lighting.

Without knowing it, we're all in the gene databases already

I have written before how future technology affects our privacy decisions today. DNA collection is definitely one of these areas. As you may know, law enforcement in the USA is now collecting DNA from people convicted of crimes, and even those arrested in a number of jurisdictions -- with no ability to expunge the data if not found guilty. You may feel this doesn't affect you, as you have not been arrested.

As DNA technology grows, bioinformatics software is becoming able to determine that a sample of DNA is a "near match" for somebody in a database. For example, they might determine that a person in the database is not the source of the DNA being studied, but is a relative of that person.

In a recent case, a DNA search turned up not the perpetrator, but his brother. They investigated the male relatives of the brother and found and convicted the man in question.


Zphone and the "rich little attack"

I was discussing his Zphone encrypting telephone system with Phil Zimmermann today. In his system, phone calls are encrypted with opportunistic, certificateless cryptography, which I applaud because it allows zero user interface and not centralization. It is vulnerable to "man in the middle" attacks if the MITM can be present in all communications.

His defence against MITM is to allow the users of the system to do a spoken authentication protocol at any time in their series of conversations. While it's good to do it on the first call, his system works even when done later. In their conversation, they can, using spoken voice, read off a signature of the crypto secrets that are securing their conversation. The signatures must match -- if they don't, a man-in-the-middle is possibly interfering.

I brought up an attack he had thought of and called the Rich Little attack, involving impersonation with a combination of a good voice impersonation actor and hypothetical computerized speech modification that turns a good impersonator into a near perfect one. Phil believes that trying to substitute voice in a challenge that can come at any time, in any form, in any conversation is woefully impractical.

A small amount of thought made me produce this attack: Two impersonators. Early on in a series of conversations, the spy agency trying to break in brings in two impersonators who have listened to Alice and Bob respectively (we are hearing their calls) and learned their mannerisms. A digital audio processor helps convert the tones of their voice. That's even easier on an 8khz channel.


When should a password be strong

If you're like me, you select special unique passwords for the sites that count, such as banks, and you use a fairly simple password for things like accounts on blogs and message boards where you're not particularly scared if somebody learns the password. (You had better not be scared, since most of these sites store your password in the clear so they can mail it to you, which means they learn your standard account/password and could pretend to be you on all the sites you duplicate the password on.) There are tools that will generate a different password for every site you visit, and of course most browsers will remember a complete suite of passwords for you, but neither of these work well when roaming to an internet cafe or friend's house.

However, every so often you'll get a site that demands you use a "strong" password, requiring it to be a certain length, to have digits or punctuation, spaces and mixed case, or subsets of rules like these. This of course screws you up if the site is an unimportant site and you want to use your easy to remember password, you must generate a variant of it that meets their rules and remember it. These are usually sites where you can't imagine why you want to create an account in the first place, such as stores you will shop at once, or blogs you will comment on once and so on.

Strong passwords make a lot of sense in certain situations, but it seems some people don't understand why. You need a strong password in case it is possible or desireable for an attacker to do a "dictionary" attack on your account. This means they have to try thousands, or even millions of passwords until they hit the one that works. If you use a dictionary word, they can try the most common words in the dictionary and learn your password.

Understand the importance of a key in crypto design

I've written before about ZUI (Zero user interface) in crypto, and the need for opportunistic encryption based upon it. Today I want to further enforce the concept by pointing to mistakes we've seen in the past.


Something isn't CLEAR about airport line-jumping program

A new program has appeared at San Jose Airport, and a few other airports like Orlando. It's called "Clear" and is largely the product of the private company Clear at But something smells very wrong.

To get the Clear card, you hand over $99/year. The private company keeps 90% and the TSA gets the small remainder. You then have to provide a fingerprint, an iris scan and your SSN, among other things.


Anonymizing is hard to do

One of the few positive things over the recent giant AOL data spill (which we have asked the FTC to look into) is it has hopefully taught a few lessons about just how hard it is to truly anonymize data. With luck, the lesson will be "don't be fooled into thinking you can do it" and not "Just avoid what AOL did."


So tell me again why you need a stay on the order stopping the wiretapping?

You probably heard yesterday's good news that the ACLU prevailed in their petition for an injunction against the NSA warrentless wiretapping. (Our case against AT&T to hold them accountable for allegedly participating in this now-ruled-unlawful program continues in the courts.)

However, the ruling was appealed (no surprise) and the government also asked for, and was granted a stay of the injunction. So the wiretaps won't stop unless the appeal is won.

But this begs the question, "Why do you need a stay?"


The peril of anonymized data

The blogosphere is justifiably abuzz with the release by AOL of "anonymized" search query histories for over 500,000 AOL users, trying to be nice to the research community. After the fury, they pulled it and issued a decently strong apology, but the damage is done.

Many people have pointed out obvious risks, such as the fact that searches often contain text that reveal who you are. Who hasn't searched on their own name? (Alas, I'm now the #7 "brad" on Google, a shadow of my long stint at #1.)


Judge allows EFF's AT&T lawsuit to go forward

Big news today. Judge Walker has denied the motions -- particularly the one by the federal government -- to dismiss our case against AT&T for cooperative with the NSA on warrantless surveillance of phone traffic and records.

The federal government, including the heads of the major spy agencies, had filed a brief demanding the case be dismissed on "state secrets" grounds. This common law doctrine, which is often frighteningly successful, allows cases to be dismissed, even if they are of great merit, if following through would reveal state secrets.

Credit card companies, give us a fake "verifiable" address

When you buy stuff with a credit card online these days, they always want your address, because they will plug it into their credit card verification system, even if they are not shipping you a physical product.

I'm trying to give my physical address out less and less these days, and would in the long term love something like the addresscrow system I proposed.



Subscribe to RSS - Privacy