Blown To Bits

Archive for the ‘Surveillance’ Category

Watching your recycling habits

Friday, September 10th, 2010 by Harry Lewis

In what is surely another example of people thinking something is a bright idea just because it is possible, cities are putting RFIDs in recycle bins. The trash collection process weighs the bins and logs who is being naughty in their recycling habits. I had a lot to say about this when the Fox News journalist contacted me. Credit where credit is due — I learned about the process of chipping dairy cows and weighing their milk production from the course project of an undergraduate from Wisconsin several years ago.

The Forces Align Against Anonymity

Saturday, April 17th, 2010 by Harry Lewis

Stories on successive days in the New York Times make me wonder if there is any hope of preserving anonymity on the Internet. The forces of security and commerce are lining up to end it, and I am not feeling a lot of pushback.

On Friday, there was some apparently happy news: At Internet Conference, Signs of Agreement Appear Between U.S. and Russia. It takes awhile to learn the nature of the common ground between American and Russian cybersecurity experts.

“Anonymity is an invitation to criminals,” General Miroshnikov said.

Mr. Baker agreed, saying, “Anonymity is the fundamental problem we face in cyberspace.”

And then today, there is a stunning report on refinements in the business of discount coupons. The coupons you print off the Internet look generic, but the bar code may have everything but your social security number in it — even including your IP# and the search terms you used to get to the site where you printed the coupon. This information enables aggregation of extremely fine-grained information about your shopping habits — and adjustment of what offers get extended to which customers.

“When someone joins a fan club, the user’s Facebook ID becomes visible to the merchandiser,” Jonathan Treiber, RevTrax’s co-founder, said. “We take that and embed it in a bar code or promotion code.”

“When the consumer redeems the offer in store, we can track it back, in this case, not to the Google search term but to the actual Facebook user ID that was signing up,” he said. Although Facebook does not signal that Amy Smith responded to a given ad, Filene’s could look up the user ID connected to the coupon and “do some more manual-type research — you could easily see your sex, your location and what you’re interested in,” Mr. Treiber said. (Mr. O’Neil said Filene’s did not do this at the moment.) …

“Over time,” Mr. Treiber said, “we’ll be able to do much better profiling around certain I.P. addresses, to say, hey, this I.P. address is showing a proclivity for printing clothing apparel coupons and is really only responding to coupons greater than 20 percent off.”

Is this the Internet we want?

Is Your Bank’s Site Really Connected to Your Bank?

Wednesday, March 24th, 2010 by Harry Lewis

The intrepid Chris Soghoian, about whom I have blogged previously, has just released another potential blockbuster.

At a trade show he found an equipment manufacturer making these claims about a box it was offering for sale to government investigators:

“Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity. … IP communication dictates the need to examine encrypted traffic at will. … Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”

To back up a step, SSL encryption — which lies underneath the secure browsing you take for granted when you see “https” preceding a URL such as bankofamerica.com — does not by itself guarantee that the site to whom you are connected is in fact the site of the Bank of America. Your browser relies on the site presenting a certificate, and a certificate authority certifying that the certificate really does belong to Bank of America. There are hundreds of these third party certificate authorities — Verisign is the one you are most likely to have heard of — and there is a protocol for those authorities themselves to be certified as reliable. If a certificate authority is issuing bogus certificates — “certifying” that the FBI is really Gmail, for example — then the impostor could read your email or banking transactions, and no one would be the wiser.

What else could the company, Packet Forensics, mean by promising to provide a “false sense of security”? Its answers to Wired, which called the company, certainly are not reassuring.

Company spokesman Ray Saulino initially denied the product performed as advertised, or that anyone used it. But in a follow-up call the next day, Saulino changed his stance.

“The technology we are using in our products has been generally discussed in internet forums and there is nothing special or unique about it,” Saulino said. “Our target community is the law enforcement community.”

Good for Chris. It will be interesting to see how many worms come out of this can. For good summaries, read the Wired or EFF news items. But the paper itself is well written and does not require an advanced education to read.

Is It Illegal to Record an Arrest?

Tuesday, January 12th, 2010 by Harry Lewis

Depends on who you talk to.

In Blown to Bits, we talk about citizen vigilantism—people taking vengeance on people they see doing bad things, or just snapping pictures of crimes being committed, pictures that may help identify the culprits. The digital explosion has engendered a lot more of this, for both better and worse—we once did not all have cameras on us all the time.

Of course, a technology generation later, we all have not just still cameras, but audio recorders and video cameras too—in cell phones and even iPods. And people are whipping them out when they observe arrests being made, and are using the recordings to embarrass the the police, or to help in the defense of the party being arrested.

Except now, as the Boston Globe reports,  the police are increasingly fighting back, accusing those making the recordings of illegal surveillance, under wiretapping statutes. It’s a fascinating story. Some of the convictions are standing up in Massachusetts—the Supreme Judicial Court ruled in a split decision that the wiretapping statutes apply, unless the recording was made in a public manner. So people hiding the microphone in their sleeve or the camera in their coat may well be in trouble. Chief Justice Margaret Marshall was in the minority, opining

Citizens have a particularly important role to play when the official conduct at issue is that of the police. Their role cannot be performed if citizens must fear criminal reprisals when they seek to hold government officials responsible by recording, secretly recording on occasion, an interaction between a citizen and a police officer.

I don’t envy the police their job. Hell, I wouldn’t be happy if people were video-recording my  every movement while I was doing my job. But what the police are doing while making an arrest seems to me a public act by definition. In other situations (all those traffic-stop videos we see) the police themselves make sure everything is recorded these days. Can’t see why recording the police arresting someone in the public square wouldn’t fall within citizens’ rights.

How Much Did We Pay for These Drones?

Thursday, December 17th, 2009 by Harry Lewis

Incredibly, the signals between the unmanned drones being used in Iraq and Afghanistan and their base stations are transmitted in the clear — unencrypted. The insurgents have figured that out and are watching the same scenes that our military is watching. The Wall Street Journal says the system has been “hacked,.” Not really — no more, as a colleague put it to me, than someone who buys a police scanner is “hacking” the police radio system.

Encrypting signals is easy, obvious, and taken for granted. How could the system have been designed and deployed without it?

What Google has on you

Friday, November 6th, 2009 by Harry Lewis

Google has released a dashboard tool that makes it easy for you to review all the settings and preferences you’ve provided for the various Google products you use (Docs, YouTube, Gmail, etc.). The short video here shows you how to access it. (Basically, pull down the Settings menu in the top right of the Google home page, select Google Account Settings, and then select Dashboard and log in a second time.) It’s a bit sobering to see what you’ve told Google about yourself, and what documents of yours Google has, all in one place.

Of course, Google actually knows a lot more about you, or may, than what you’ve said in response to the various invitations it has given you to fill in forms. The Dashboard doesn’t reveal what Google may have concluded about you by retaining and analyzing your searches, for example. You can observe a lot by watching, as the great Yogi Berra said and Google knows better than anyone. The Dashboard gives you no information or control about the privacy threat from inferred data rather than explicit question answering.

For more, see the ComputerWorld article.

DHS Limits Laptop Border Searches (a little)

Thursday, August 27th, 2009 by Harry Lewis

A year ago we blogged about the guidelines issued by Department of Homeland Security Director Michael Chertoff about laptop searches at the border. As I wrote at the time,

The Department of Homeland Security may take your laptop at the U.S. border and remove it to an off-site location for as long as it wants. Doesn’t matter if you are a U.S. citizen. There it may examine its contents and have any text it contains translated.

WITHOUT HAVING ANY REASON TO THINK YOU HAVE DONE ANYTHING WRONG.

I was far from the only person perturbed by this policy. It was rational in its way — they can search your suitcase, so why not your laptop? — and yet it was disturbing. Only in recent years have people routinely walked around with their entire life histories in readable format. Why should the government not be required to show probable cause before reading your love letters and personal photos from a decade ago? And then there was the fact that laptops of doctors and lawyers have lots of information about other people on them. Aren’t they entitled to some protection from the curiosity of border guards?

Now Janet Napolitano has issued new guidelines that tighten things up a bit. Here is the CNN story; here is the DHS press release, and here are the rules themselves (pdf, 10 pages).

In essence, DHS has put limits on how long the laptops can be held (5 days) and has guaranteed the person whose laptop is being inspected the right to be in the room at the time agents are inspecting the laptop (though not necessarily the privilege of watching what they are doing).  But left in place is the basic right of DHS to look at any laptop it wishes without having to provide any reason for doing so.

The release says only a tiny fraction of laptops have been inspected while the earlier policy was in place, which is nice, but no guarantee that an individual agent may not adopt a different standard.

Whole disk encryption, which is increasingly standard for business laptops, should be standard for private citizens taking their laptops on international trips. The policy document addresses this possibility too:

Officers may sometimes have technical difficulties in conducting the search of electronic devices such that technical assistance is needed to continue the border search. Also, in some cases Offtcers may encounter information in electronic devices that requires technical assistance to determine the meaning of such information, such as, for example, information that is in a foreign language andlor encrypted (including information that is password protected or otherwise not readily reviewable). In such situations, Officers may transmit electronic devices or copies of information contained therein to seek technical assistance from other federal agencies. Officers may seek such assistance with or without individualized suspicion.

So make your encryption key long enough so it can’t be cracked in five days. (My understanding of US court precedents is that the government can’t compel you to disclose your encryption key — though it may be able to obtain a warrant to search your home and your leather appointment book for the place you wrote it down.)

Altogether this new policy seems to me to leave too much to the discretion of the border officials. I recognize that we’d love to catch terrorists carrying blueprints of their targets, but I suspect that some of those searches are for bad pictures. If the number of laptops they want to search is so small, it should not be a big problem for them to get judicial approval before searching them.

The Orwellian Kindle

Friday, July 17th, 2009 by Harry Lewis

I love my Kindle. I love being able to go to China for a week and not having to judge which books to bring by their weight. I love that I can make the type the size I want, not the size the publisher decided to use to keep the page count down.  I love being able to buy on impulse (at least where there is Whispernet coverage, which is most definitely not everywhere). I love that I can dump 50 student papers on the damn thing and not have to carry a ream of paper around with me. I love that I can read immaterial bits, rather than heavy atoms.

I’ve never loved the fact that I can’t lend a book to my wife after I’ve gotten through reading it, though. And while I know that I’m kind of renting the books rather than buying them, so far that’s been OK. In fact it’s been great — when I accidentally deleted a book from my Kindle, I could get it back for free. Can’t do that with my copy of The Greening of America that is lost somewhere in my basement. Owning it does me no good.

Comes now an amazing ironic demonstration that the bits on my Kindle really aren’t mine. They are just on loan to me, with a big tether attached. Amazon accidentally sold some books to Kindle users that it didn’t actually have rights to. When if figured out its boo-boo, it took the books back, without asking. The buyers had their accounts credited, and whoosh, the books were gone. So much for the appearance of buying and owning.

The irony is that¬†the books were Orwell’s 1984 and Animal Farm. If Orwell had thought of it, I am confident he would have done something with that image of tethered books always in jeopardy of being yanked from your hands without your knowledge or consent, and its reminder that if all your reading material is on your Kindle, then the complete profile of what you read is in the hands of Big Brother Amazon.

Added 7/18:

Randal Picker blogs this item as well (which is also featured in the NY Times). Picker concentrates on the fact that ultimately Amazon was simply withdrawing an illegally provided document, and his moral is about how copyright should be enforced.¬†Fair ’nuff. He notes the irony, and I note the illegality, so we’re not disagreeing, except perhaps about what the most important take-away lesson is. For me it’s not about copyright; it’s about making the public aware of the control possibilities when creative works are transformed from physical to digital objects. ¬†A born-again Jeff Bezos unhappy about the portrayal of Jesus in some novel, or a federal executive backed up by a judicial decision that some book is obscene, could, technically, easily take it away from everyone who thought they had bought it. A PATRIOT-Act inspired investigator wondering who is reading terrorist literature could get the answer from Amazon; in the digital world there is no walking into Revolution Books and paying cash. Which of these technical possibilities would actually be legal is another question, of course — and which, legal or not, might happen without anyone checking first is another question still.

As If To Prove My Point …

Wednesday, July 15th, 2009 by Harry Lewis

‚Ķ the US State Department reports that US Immigration checks the Facebook pages of people seeking to enter the US, looking for signs of fraud. I’d love to know what other parts of the government look at Facebook for what other purposes.

That article has some other remarkable passages, about State Dept web browsers and the Sec’y of State on peanut butter.

Facebook in Iran

Tuesday, July 14th, 2009 by Harry Lewis

Evgeny Morozov has a scary report at the NPR web site that should serve as a reminder of how hard it now is to keep our various personae separate when our social life is conducted online. I’ll quote, rather than paraphrase, what happened to an Iranian-American woman.

On passing through the immigration control at the airport in Tehran, she was asked by the officers if she has a Facebook account. When she said “no”, the officers pulled up a laptop and searched for her name on Facebook. They found her account and noted down the names of her Facebook friends.

Scary and creepy. But why, exactly? It’s not like the information was rummaged out of her personal papers or extracted by torture. Anyone who uses Facebook much knows that the list of your friends is usually public information. Hundreds of millions of people could have gotten the same information without the woman even being aware that it was happening. This poor woman probably felt that her Iranian identity was separate from her American identity. And the Iranian authorities, who surely have been frustrated by the Internet’s connecting capabilities, have figured out that there is another side to that coin.

Think about it. There is absolutely no reason to think that ANY government would not do the same thing. Nobody needs a search warrant to find out who your “friends” are — they just need your name. Any police officer or boarder guard anywhere in the world could do the same thing. So could any employer or prospective employer, college admissions officer, etc.

Unless, that is, you change Facebook’s default privacy settings. Go to Settings, and select Privacy Settings. On the page that comes up, look under Search Result Content. Uncheck “My Friend List.” There may be a few other boxes you’ll want to uncheck too. Don’t forget to click Save Changes.