Blown To Bits

Archive for August, 2008

Tracking Terrorists, The Right and Wrong Ways

Sunday, August 31st, 2008 by Harry Lewis

Terrorists use the Internet just like the rest of us. Probably moreso. They email each other. They post stuff on web sites. They have discussions about what they are planning. All the big things we know about the Internet — that it can spread information quickly and cheaply, that it is an effective tool for cooperative action by widely dispersed participants — are value-neutral. The Internet’s capabilities can be exploited for either good or evil.

The U.S. government understands this, and watches what happens on the Internet as part of its war on terror. Two recent news items show different ways this can be done.

The online edition of the German magazine Spiegel has a fascinating profile of SITE and IntelCenter, two companies run by young Americans. Essentially all they do is sit in front of computer screens at their offices and watch what the terrorists are saying and doing. Sometimes they have to create fraudulent identities and obtain passwords to do so. They often need translators. But in essence, these companies are just bit processors. Though they don’t disclose all their tricks in the article, it seems that their staff just shows up at their offices in the morning (at undisclosed locations), pulls bits in and pushes a few out, all day long. They use no shoe leather or even cell phones. They pass along what they have learned to parties who pay them for the information.

They are an important source of information to the CIA, FBI, and other American security and defense agencies. Their discoveries are used by news agencies as well. The Federal government has developed some similar capabilities internally, but got into the business later and is still catching up.

A success story for private enterprise and small-business entrepreneurship, and for sensible cooperation between the federal government and the private sector.

Another part of the federal government’s anti-terror intelligence operations is the use of so-called National Security Letters (NSLs). These orders require (among other things) Internet Service Providers to turn over electronic communications, usually without disclosing that they have done so to the communicating parties or to anyone else. NSLs are provided for in the PATRIOT Act, and have long been resented by civil libertarians. Hundreds of thousands of NSLs have been issued, almost all accompanied by gag orders.

A small ISP (which one is itself being kept secret) took the government to court on First Amendment grounds. The ISP claimed that the requirement that it keep quiet even about the fact that it had received a NSL was an infringement of its constitutional right to free speech, as the gag order made it impossible to protest the government’s action. A lower federal court agreed with its claim that this provision of the PATRIOT Act was unconstitutional. The matter is now before a federal appeals court, as Reuters reports. It appears that the court is skeptical of the government’s arguments, to judge from this passage from the Reuters story:

The government argues [gag orders] are in place for national security concerns, such as keeping terrorists from learning what they are investigating.

“You can’t tell me that any terrorist is going to make anything out of the fact you issued NSLs to AT&T and Verizon,” said Circuit Judge Sonia Sotomayor, using a hypothetical example.

The technology is neither good nor bad. It’s all about what you do with it, and we should all be thinking about the choices the government makes.

The PATRIOT Act Drives Internet Traffic Offshore

Saturday, August 30th, 2008 by Harry Lewis

We explain in Blown to Bits that bits entering the U.S. are, under U.S. law, subject to inspection by federal authorities. No matter whether they are in a laptop (see earlier post about new border procedures) or in a fiber optic cable. So the U.S. government claims the right to read the email your daughter sends you while she is in Toronto and you are in Detroit.

According to John Markoff of the New York Times, this law is one of the reasons that Internet traffic is increasingly bypassing the U.S. entirely. Since this is where the Internet started, the U.S. network used to be a kind of hub for the rest of the world; no longer.

It’s not the only reason — there are more Chinese Internet users than American now, so of course it makes sense for other countries to build up their communications infrastructure for purely economic reasons. But this may be an early example of the U.S. driving business away by its incursions into what we used to think of as private information.

I expect that sooner or later some business executive from a friendly foreign country will have his laptop seized and searched at the U.S. border, along with documents of great sensitive value to the business and of no significance to the war on terror. The incident will cause a stink that will lead international executives to suggest that their American counterparts come visit them abroad next time, rather than expecting foreigners to subject themselves to data disclosure by visiting U.S. soil.

The MBTA Goes High-Tech

Friday, August 29th, 2008 by Harry Lewis

The Boston area public transportation system, known as the MBTA or the “T,” got some bad publicity recently for hauling several MIT students into court because they were planning to explain publicly the security deficiencies of the T’s fare card system. (See my previous blog posts here, here, and here.) Last week, the T finally admitted that the students were right: the security of the fare card system was poor.

In a gesture to use the latest in communication technologies to improve riders’ experience, the T announced that it is working on a new system that will announce the arrival time of the next train on video screens, and maybe even text-message that information to riders’ cell phones. The WCVB report explains, “The MBTA is currently seeking bids for the multimillion-dollar project, which is still several years away from implementation.”

Running any public transportation system is hard work. The systems are antiques, funding is variable, unions can retard progress. So any modernization should be celebrated.

BUT: When I heard this story it reminded me of something. I checked my old email and found this exchange from October 1998 — ten years ago — with David Malan, who was at the time a senior in Harvard College:

David to me:

I thought I’d show you something I finished writing this weekend. … it’s a shuttle-schedule-type program … it’s been used by 150+ students already! :)

That is, it enabled Harvard students to track the shuttle buses that run around campus so they could decide whether it was faster to walk than to wait. Me to David:

It is neat! Congratulations for your enlightened application of technology in the service of the citizenry.

David went on to get his PhD at Harvard and is now on our faculty, teaching our very popular introductory computer science course. If the T wants to hire someone who is reliable and skilled, and a decade ago did something on a smaller scale that is very much like what they are planning, I’d highly recommend him! And I’ll bet he’d charge fewer multis of millions than the T will wind up paying.

Here is a 1998 Crimson story about Shuttleboy. To be fair, it wasn’t really the same thing as what the T wants now; couldn’t have been, in those days before ubiquitous cell phones and global positioning systems. But text messaging was added to the Harvard system a year ago, and as you can see by looking here, it also now has GPS and shows you where the shuttles are on a Google map.

This problem just isn’t hard enough for the big play the T is giving it.

A Victory for “Free” Copyright Licenses

Thursday, August 28th, 2008 by Harry Lewis

A major point of Chapter 6 of Blown to Bits is that copyright protections were so strengthened by rewrites of copyright law over the past decade that it became difficult even to facilitate the re-use of your creations (literary, software, or artistic), unless you gave up all claims on your work and released them into the public domain. As we discuss, Creative Commons was an effort (Hal was among the founders) to allow creators easily to specify conditions under which their creations could be re-used by others (for example, that the new creation include proper attribution to the original, and that such “borrowers” must make similar requirements on those who borrow in turn).

But there has always been a bit of discomfort about the legal infrastructure underlying Creative Commons licenses. Suppose I put a CC license on my work and you just use it, ignoring the conditions I stipulated. Have you actually done anything unlawful? The theory has been that in attaching a CC license, I never gave up my copyright, and I could always go after you for infringing that copyright. But it’s a delicate matter of law and, until recently, it had never been tested in court.

Indeed, a Federal District Court in California came to the opposite conclusion about an “Open Source” license — that the creator couldn’t impose a legal requirement on the re-user by attaching the open source license. On August 13, that decision was reversed on appeal to the US Court of Appeals for the Federal Circuit, which is the venue where appeals on intellectual property issues like this get adjudicated. Though it applies exclusively to software, an “open source” license is enough like a Creative Commons license in its intent and in what it requires that there is now much more confidence that CC licenses are legally binding.

The case is that of Robert Jacobsen v. Matthew Katzer and Kamind Associates, and the decision of the Appeals Court is here. The decision is 15 pages, and while you would need legal training to understand the subtleties, the gist of what the parties did and the court’s reasoning about its conclusion are comprehensible to an interested layperson.

Life, Liberty, and Happiness: The Course

Wednesday, August 27th, 2008 by Harry Lewis

A reminder that Ken and I will be teaching “Life, Liberty, and Happiness After the Digital Explosion” (with a guest appearance by Hal) in the Harvard Extension School this fall. You can take it in person or as a distance course, and by distance either live or on tape delay. Class meets once a week, 5:30-7:30 Mondays, starting September 15. Here is the catalog information and here is the preliminary course syllabus. Open enrollment — all are welcome!

Border Searches and Email Privacy

Wednesday, August 27th, 2008 by Harry Lewis

Mark Rasch is a security expert and lawyer practicing in Washington, DC. He has written two good pieces about important issues blogged here: The government’s new policy about searching and seizing laptops at the border (which I blogged here), and the case of Mr. Steven Warshak, where the feds have successfully asserted their right to snoop email without a warrant (which I blogged here).

One Web Day, and Armchair Science Redefined

Tuesday, August 26th, 2008 by Harry Lewis

September 22 is One Web Day. I’ll quote from the web site to explain it:

OneWebDay is an Earth Day for the internet. The idea behind OneWebDay is to focus attention on a key internet value (this year, online participation in democracy), focus attention on local internet concerns (connectivity, censorship, individual skills), and create a global constituency that cares about protecting and defending the internet.  So, think of OneWebDay as an environmental movement for the Internet ecosystem. It’s a platform for people to educate and activate others about issues that are important for the Internet’s future.

Lots more information on the site, and suggestions of things to think about and to do.

Now here’s a curious example of web-enabled science that would have been impossible a decade ago. A group of German scientists has discovered that cows tend to orient themselves toward the North or South pole. So do other animals. They figured this out by looking at hundreds of herds in Google Earth images. No explanation offered of how or why they do it.

Nor is there any mention in the summary of whether the cows opted in to this study or even were given a chance to opt out.

Senator Biden on Encryption

Monday, August 25th, 2008 by Harry Lewis

On page 190 of Blown to Bits, we tell the story of how government control of encryption became largely a moot issue. In 1991, Joe Biden, as chair of the Judiciary Committee, introduced two bills, the Comprehensive Counter-Terrorism Act and the Violent Crime Control Act. Both included language stating that the government should have the right to get the keys to all your encrypted communications:

It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.

It was this language, as we explain, that caused Phil Zimmermann’s PGP encryption software to appear on several publicly accessible servers. The encryption genie has yet to be put back into the bottle.

Obama is generally presumed to be more sensitive to civil liberties than McCain. Not sure it really matters, but Biden has been among the staunchest friends of the FBI’s investigatory powers. It’s anything but clear that the two of them would agree on, say, the most important characteristics of Supreme Court nominees.

Declan McCullagh has a thorough analysis of Biden’s technology record here.

Connected but Hermetically Sealed

Monday, August 25th, 2008 by Harry Lewis

Ben Stein, writing in the Sunday New York Times, bemoans the loss of contact with the “real world” that accompanies our greatly expanded capacity for digital communication.

What he is really saying is that too many bits are reaching us. In the old days (that is, five years ago or so), the paucity of sensors and the weakness of communications technologies meant that we had to think harder about the limited data we received. And sometimes even process non-digital data, such as the sunlight reaching our eyes.

Now we have digital sensors galore and the technology to funnel megabytes per second to us from all over the world. Our processing capability is now consumed with just keeping up with the inputs and outputs. Not enough time is left over to think deeply about what is going on, the way we used to do when we read books.

The line of reasoning is not wholly original, but it’s not wholly wrong either. Look back at my August 18 post about the paradoxes of improved communications technologies.

Another British Data “Oops!”

Saturday, August 23rd, 2008 by Harry Lewis

Personal data on all 84,000 prisoners serving time in England and Wales has gone missing. New York Times story here.

On a memory stick. A flash drive. A thumb drive. Those little things that you can put on a keychain to carry your documents when you don’t want to lug your computer.

The government is embarrassed, because this sort of thing has happened before in the U.K. We discuss at some length the case of some disks that went missing and still haven’t been accounted for, disks containing data on virtually every child in the country. That rocked Tony Blair’s government, and this breach may be rocking Gordon Brown’s.

The details are interesting. The government knows about encryption. When it engaged the services of a private consultant, it delivered the data to the consultant in encrypted form. The consultant apparently decrypted it to work on it, and put it on a flash drive. Don’t know what happened next; maybe someone took the stick with him and it fell out of his pocket.

According to the New York Times, “officials said that appeared to be a breach of government rules.”

This reminds me of what General Turgidson tells the president in Dr. Strangelove. “That’s right, sir, you are the only person authorized to do so. And although I, uh, hate to judge before all the facts are in, it’s beginning to look like, uh, General Ripper exceeded his authority.”

This case (and the others listed in the NYT story) illustrates how hard it is to control bits when they are handed around. Strict protocols are especially hard to enforce across organizational boundaries.