" /> net.wars: February 2017 Archives

« January 2017 | Main | March 2017 »

February 24, 2017

After the search

harpo2017.JPGProbably most Americans living in foreign countries, whether "migrants" or "expatriates", have spent the last month listening to people panic about traveling to the US. They seem unconsoled by the reflection that travelers have long had very few rights at the border of any country. The latest Department of Homeland Security proposal - to require incoming visitors to disclose their social media passwords - has really amped up these conversations.

The Independent advises leaving smart phones at home. This isn't an option for creative people, business folk, programmers, academics or many others who need to work wherever they are and whose job description is not "terrorist".

Others suggest maintaining a stripped-down travel phone, a more viable option now that you can keep data in the cloud and download it after reaching your destination. That approach requires avoiding services that sync automatically, like Dropbox or iCloud.

At Freedom to Tinker Dan Wallach makes techie suggestions: encrypt your data; set up a sanitized fake profile; arrange a temporary lockout from your account. Wallach also suggests that companies like Facebook could assist by enabling people to temporarily drop friends or delete postings and by providing for dual passwords; the second, "duress", password would delete, selectively display, or encrypt your data. I think these are risky: fake profiles will stick out as new accounts. A different approach might be to advise your social graph that you are planning a trip to the US, so people can withdraw from your friends list if they want.

It's disappointing that Facebook and other social media companies have not stepped up to point out that disclosing your password is contrary to their terms of service. Here's Facebook's ToS, section 4, item 8: "You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account."

gizmos2017-rotated.jpgTop-level resistance is forming. EFF is collecting border search stories and reports that Senator Ron Wyden (D-OR) will introduce legislation that would require a warrant for such searches. Meanwhile, let's assume you've passed the border and resistance was futile. Your devices have been, however briefly, rummaged. Now what?

I'm writing here for average innocent travelers. Members of more vulnerable groups - human rights workers in hostile situations, journalists, activists, and bad people - need better-tailored advice.

You should behave exactly as if you found that you've been hacked. However warm your feelings may be toward the country conducting such a search, good security practice requires you to equate the search with a cyber attack. The longer the device has been held, the more you should assume that back doors and keyloggers may have been left behind and that all data may have been copied and may be read or searched at any time. That includes obvious things like friends lists, search histories, photographs, other media, and old email, but also less-obvious things like deleted files.

So the first thing: before you leave home back up all your data and leave the backups behind. It's good practice anyway, because traveling devices may get lost, stolen, or broken (more likely events than border inspections).

As soon as you can, use a trusted device - not one that has been searched - to change all passwords, beginning with your email account and including the answers to secondary security questions that protect your bank and other accounts. If you use a password manager, change that master password, too. Because you must assume you have now disclosed the email address associated with your various accounts, turn on two-factor authentication (if you haven't); you may even be wise to set up a new email address for that purpose. If you have trusted access to anyone else's network via the searched device, notify them.

If you are the rare innocent average traveler who uses encryption and you have opted for convenience over security so your private keys are stored on your device, assume they may have been copied and revoke your keys and generate new ones. If you've opted for convenience, your private keys may now be in the hands of the people who searched your device, as Stef Marsiske explains, though presumably your passphrase is not. Similarly, if you use WhatsApp or Signal because they build in encryption, if you do not password-protect your phone or turn on encryption for your stored messages, the stored messages can be read by third parties.

Many sites - Tech Radar, for example - offer advice on recovering from hacking attacks. If your oddly-behaving device was held for an exceptionally long time, EFF Citizen Lab may want to perform a forensic examination. Moving on, rebuild your device from as far down the stack as you can, proportionate to the length of time you lost control over it. Start by looking for updated firmware before restoring your operating system, applications, and so on. If you're under deadline you may need instead to buy or borrow something to work on, copying across only your data.

Above all remember. This is not about having things to hide. It's about having things to *protect* - for everyone in your circle, not just for you.

Illustrations:: well-traveled gadets.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 11, 2017

Unfit for private purpose

wizard-of-oz.jpgBe careful what you put in your privacy policy: someone might read it. This week, Shane Harris at The Daily Beast discovered this in the privacy policy for Samsung's smart TVs:

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party..."

Well, that's honest enough. On Twitter, Parker Higgins helpfully showed the manual page alongside a passage delineating exactly how surveilled Winston was in George Orwell's 1949 novel Nineteen Eighty-Four.

It's hard to know what to do with this other than to marvel and laugh in disbelief at the disconnect between corporate lawyers and...I don't know, *people*. Someone wrote that, someone reviewed it, someone third approved it, and on it went, probably through committees and departments. And yet no one in that whole giant company - not even in marketing - stopped and said, "Uh, guys? People don't like feeling they can't be alone in their own living rooms. Remember the fuss they made last time?"
new-22portobelloroad.jpgOf course, *now* they have. The policy has been changed. But the key thing to remember is that the TVs have not. The win here is that the company has now identified the third party that processes the voice data and the types of data the TVs collect, and it's clearer what you have to do to disable voice commands and what you gain and lose by doing so. So: if you want to have the privacy of your own living room *in* your own living room, you disable voice recognition and unplug the TV from the wifi network. At which point...it's a dumb old TV just like you used to buy back in 2014.

The Great Oz has spoken. The market has failed.

One of the unfortunate things about the mismatch between the speed of technology and the speed of legislation is that by the time a law gets passed the technology it covers is last-generation stuff. This is the situation with the General Data Protection Regulation, which MEP Jan Philipp Albrecht heroically oversaw into law last year. Privacy policies and subject access rights are the wrong approach for large appliances, not least because the consumer never sees the policy until after the box has been delivered and opened. In other situations where a consumer buys one thing (a television) and gets another (a spy in their living room) we have a name for it: bait and switch.

I don't think it's enough to take the same approach we did with software, where the presumption has become that when you open the clickwrap you have some idea of what standard terms the license is likely to contain. Instead, we are probably already overdue for a system of transparent labelling right there on the box that has something like the following list, with tickboxes for the ones that apply:

- Collects usage data;
- Shares data with third parties;
- Listens via audio microphone(s);
- Watches via camera(s);
- Other data collection sensors.

And then an overall privacy score based on how well the company is known to comply with the law, the terms of its privacy policy, the number of third parties that get the data it collects; and how many data breaches it and its sub-contractors have had in the past. We are going to need this for the myriad "smart" devices people are going to try to sell us over the next few years, beginning with smart meters. The internet became, as Bruce Schneier says, a giant surveillance platform because we weren't fully paying attention; making hidden data collection visible will be essential if the physical world is not going to become an even bigger, more intimate one.

Now, someone out there is going to say, "But people don't care about privacy." This would be a way to find out. Are voice commands for a television just a novelty that people will find they can do without, or is it an invaluable improvement that's worth trading for the sovereignty of your living room? As Charles Arthur has frequently noted at The Overspill, despite the electrons being excitedly splattered over the Alexa Echo, it's hard to find anyone who, after a running-in period of experimentation, uses it as anything much more than a glorified clock radio.

I continue to believe that people do care about their privacy, but they do not have good enough tools; the harm is very difficult to quantify or predict; their threat models are often not those of privacy advocates (PDF); and many are so overwhelmed with the pressures of everyday life that even modest amounts of convenience or savings seem worth the trade.

And where do we go next? Will the third-party processing companies that parse the sounds smart TVs collect be next on the list of targets for copyright holders? As in: we give you a database of fingerprints of sounds from copyrighted works, and your system finds a match you run an automated check for a valid license? If someone inside one of those companies for some reason overhears suggestive sounds collected by a bedroom TV, will they sue for sexual harassment? These things seem absurd now - but so many realities of 2017 would have seemed absurd only a year ago.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 10, 2017

The anonymous hand

BergmannMeredith-Anonymouse.jpgOn Wednesday, I participated in a wide-ranging discussion of anonymity at Loughborough University, featuring big data, privacy, and illegal drugs. For my bit, I focused on threat models, more commonly talked about in connection with security.

Timandra Harkness, the presenter of BBC Radio 4's FutureProofing focused on big data and the way size and multiplicity of databases makes protecting our privacy hard; this stuff is hard to anonymize. The situation will soon get much worse. People move to large cities from small towns in part to find relative anonymity, but smart cities will turn everyday infrastructure into data hogs. Soon, we may be migrating ruralwards to get away from park benches that greet us by name and offer to call a vendor selling our favorite beverage.

Tim Jordan, from the University of Sussex, discussed how identification has changed by comparing a cache of 1890s letters to and from Australia with modern gaming chats. Perversely, game worlds' addition of voice chats has made it harder for women to mask their gender, and he stressed the need for better tools to enable people to take the privacy and security they want. A clear gap in the market here, for entrepreneurs: voice-obfuscating home microphones!

JudithAldridge-cropped2.JPGMost unfamiliar to me was Judith Aldridge's work studying digital drug dealers. How do online hidden markets (her preferred term) change things? Is there more or less risk of being caught? Or of violence? Are the drugs better quality? Are there more or fewer scams? Are they cheaper? Tor and bitcoin make it harder to tie user IDs to real-world individuals, but physical goods have to be delivered to an address: the location of that risk has nothing to do with online. Since the takedowns adoption of PGP for communications has risen from 21% to 90%: a worked example of reassessing risk in the light of new information. Even so, buyers in these markets are less likely to report being caught by law enforcement, and violence is less than in physical-world markets, even compared to buying from friends.

Anonymity features in all these cases as a tool for a larger purpose, not an end in itself. In the digital rights world, most of us to stress anonymity's valuable protection for whistleblowers, activists in hostile situations, and vulnerable people - LGBTQ teens exploring their sexuality, people with various illnesses seeking support, victims of domestic violence and stalking, and so on. Each of these groups has a different threat model. The last category may need not only to hide from specific abusers but uncomprehending friends and family members who might out their whereabouts. Those seeking support need freedom from consequences while they explore to understand themselves. Activists may be primarily concerned to protect their contacts, who may be in greater danger. Those of us wishing to escape online marketing may care less about links to our real-world identities than we do about stopping ads from interfering with our ability to read the page we've landed on. Many of the most famous whistleblowers - Edward Snowden, Daniel Ellsberg - actually aren't anonymous, or not for very long. The notable exception is Mark Felt, "Deep Throat" in the Watergate investigation, whose identity was known only to journalists Carl Bernstein and Bob Woodward for more than 30 years.

invisibleman.jpgThe image today's governments seem to want us to have is of the shady, dangerous criminal; the closest I can come mentally is the form the invisible man takes in the movie of H.G. Wells's novel: every inch of skin covered. The parts his long coat, trousers, and shoes couldn't reach - his face, mainly - are wrapped in gauze to make them visible, and giant sunglasses hide his eyes. Met in real life he'd definitely be creepy and unnerving. Does that make him a terrorist?

My personal preference is the image at the top: Meredith Bergmann's homage to Anonymous, the author of so many songs and stories.

Threat modeling is not conceptually complex, though the exercise may be painful. Essentially, anyone seeking to protect themselves should ask themselves a series of questions that ought to be familiar in broad outline if not intimate detail to anyone who's ever worked as a journalist. Who wants to attack you? What do you have that they want? When are they likely to want it? Where are the vulnerabilities that will help them? Why do they want it?

It's the answers to these questions that may be imponderable. Journalist Matt Honan would never have guessed - until it happened - that someone would leverage his online accounts and wipe all his personal data just to get...his Twitter ID. However, the answers to those questions determine what self-protective moves you need to take. Each situation requires a different response and a different set of protective behaviors, though obviously there's some overlap.

Similarly, if you want to be anonymous, your approach will be different depending on whether you are trying to foment revolution (Thomas Paine, an online troll, or one of a flash ad-hoc collective of hacktivists.

If you are a government - or an intelligence agency tasked to protect one - all of those may seem hugely dangerous and essential to stop. The fundamental question we all have to answer is: does a society require perfect identification in order to be secure? I don't believe it does.


Illustrations: "Anonymous", by Meredith Bergmann; the invisible man; Judith Aldridge.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

February 3, 2017

Privacy practice

CPDP-Bowdenpanel-2017.pngLate on the first day of this year's Computers, Privacy, and Data Protection conference, US President Donald Trump had issued Executive Order 13768, "Enhancing Public Safety in the Interior of the United States". The cause for conference uproar was Section 14:

Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

MEP Jan Philipp Albrecht, who shepherded the EU's new General Data Protection Regulation into law immediately tweeted that the European Commission must suspend the EU-US Privacy Shield agreement and sanction the US. To CPDP's many experts, the situation was less clear-cut. Much of the conference's closing discussion, the Caspar Bowden panel on Privacy Shield and Mass Surveillance, focused on whether Albrecht was correct.

Left out of the discussion were three pending court cases which will have a lot to say about how this will develop. First, the next stage in Austrian privacy advocate Max Schrems' second case against Facebook, covering its use of "standard contractual clauses", is due in the Irish High Court next week, and the US government has successfully petitioned to join the case. Schrems' first case precipitated the nullification of the Safe Harbor agremeent, which in turn led to the creation of Privacy Shield as a replacement. Also pending is Digital Rights Ireland's legal action is challenging the independence of Ireland's Data Protection Authority.

peterswire.jpegThe Umbrella Agreement is a framework for transferring law enforcement data from the EU to the US, and was created under the Judicial Redress Act (2015), which was passed specifically to enable Privacy Shield and which gives EU citizens limited rights under the US Privacy Act (1974). The Umbrella Agreement and the list of covered countries were published in the Federal Register on January 23, 2017, and, said Georgia Tech professor Peter Swire during the panel, would enter into force on February 1, 2017.

Swire therefore suggested that while the executive order has its policy implications, there is no operational legal effect on Privacy Shield; the ombudsperson is still in place. At Lawfare, Adam Klein and Carrie Cordero agree with him, as does Hunton and Williams; Chris Pounder, at HawTalk, generally agrees, but believes the result is nonetheless to show that the US's privacy protection is not adequate as per the requirements of GDPR.

Swire went on to list three positive and three negative thoughts.

The positive. First, Trump's campaign platform did not include hurting American business, and disrupting Privacy Shield makes no business sense. Second, there is no important US constituency opposing Privacy Shield. Third, Safe Harbor was signed under Bill Clinton and became routine under George W. Bush, and with 1,700 companies now signed up for Privacy Shield and more applications pending there seems no reason why the agreement negotiated by Barack Obama should not become routine under Trump. Immigration, on the other hand, was a big campaign issue, and accordingly Swire believes the executive order is focused on the immigration authorities' mixed records. However, the incoming Attorney General could change or revoke the list of covered countries, forcing the EU to decide how to act.

The negative. It is hard to be optimistic about the future of privacy protection under the Trump administration. Consistent with the many statements he's made on the subject, Trump is fundamentally shifting the US away from the free-trade policies that have held sway in the US since the end of World War II. Swire added that the relative peace and prosperity of recent times provided a fortunate opportunity to work on data protection; he believes in the coming years privacy will be forced to take a back seat to more fundamental issues - nuclear arms, for example.

marcywheeler-pngThe indefatigable policy blogger Marcy Wheeler was more pessimistic. Presidents modify or wave older EOs rather than issue new ones. On January 3, Obama approved procedures to allow the US's 17 intelligence agencies to share signals intelligence data collected under EO 12333, which was originally issued by Ronald Reagan in 1981. Together with statements by new CIA director Mike Pompeo, that leads Wheeler to believe that Trump will demand that the EU participate in sharing data. She also noted that a key element of Privacy Shield is assuming that the US will adhere to Presidential Policy Directive 28 (PPD-28), "Signals Intelligence Activities", which specifies how the US will use the data it collects. Meanwhile, the US immigration service is already asking arriving international travellers for their social media identifiers, and Immigration and Customs Enforcement (ICE) and the Department of Homeland Security can share this data via the Intelligence Cloud the US government began setting up in 2013.

But don't get too relieved. Edward Hasbrouck argues that Trump's action does kill the EU-US PNR Agreement, which depends on administration action. This agreement, which covers sharing passenger name records, specifies that individuals should be entitled to request their PNR data, correct or delete it, and seek effective redress if it's been misused. However, neither the US Privacy Act nor the JRA requires giving foreigners these rights; instead, they depend on administrative action that Trump's EO has now eliminated for foreigners.

Illustrations: Caspar Bowden panel; Peter Swire; Marcy Wheeler.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.