" /> net.wars: July 2016 Archives

« June 2016 | Main | August 2016 »

July 29, 2016

Legislating the sea of holes


This is a sort-of summary of my Tuesday evening talk at DC4420

seaofholes-bluemeanie.pngLoopholes within loopholes, the EFF called the draft Investigatory Powers bill last November. The bill enshrines a long-held wishlist of policies; in his 2012 submission to the Joint Committee on the draft Communications Data Bill, the late Caspar Bowden said, "The kernel of the CDB was already fully formed in 2000, before the Olympics, national scale rioting, 7/7, Iraq, Afghanistan, and 9/11." Bowden's evidence was a leaked National Criminal Intelligence Service submission to the Home Office in 2000, which suggested retaining all "internet-related" data for five years in either a giant national "data warehouse" or in smaller warehouses kept by communications service providers. Then, the estimated cost was £3 million; today it's £170 million over ten years, as per oral testimony to the Joint Committee in December (PDF), double the present retention regime (Q121).

We'll summarize ten problem areas:

- Secrecy. As George Danezis writes, the bill is liberally sprinkled with gagging orders. It will be impossible to ensure either confidentiality or security.

ncaslide800_thumb800.jpg- Internet Connection Records. The bill's S59(6) definition is claimed to mean "only" metadata, but as Susan Landau, Matt Blaze, Steve Bellovin, and Stephanie Pell explain in It's Too Complicated (PDF), distinctions between metadata and content are no longer possible. In oral testimony, small ISP owner Adrian Kennard said after a Home Office briefing, "It is so vague that, no, we do not know what it is" (Q120). Paul Bernal suggests ICRs answer the wrong question ("How do we recreate those useful telephone bills?") and advises asking a better one: "How do we catch terrorists and serious criminals when they're using all this high-tech stuff?" Bernal also calls the resulting databases "perfect for identity theft", a point underlined by Big Brother Watch's recent FOIA request-based report (PDF) showing that police forces were responsible for at least 2,315 data breaches between June 2011 and December 2015. At MIS-Asia, Scott Carey posted the National Crime Agency's imagining of an ICR data format; perhaps someone believed the Open Rights Group's 2009 Statebook mock-up is actually possible. In that 2000 leaked NCIS document, Roger Gaspar wrote, "Agreement will be needed to ensure that the provisions of Clause 20, Part 1, Chapter II, Regulation of Investigatory Powers Act can be interpreted as widely as possible to include all Internet related data."

statebook.png- Request filter (S63ff). The claim is that the filter will protect privacy by limiting the data investigators see. It's possible that implementing it require direct access to third-party databases, a serious security issue. The bill's Schedule 4 list of the agencies that will have access to communications data can be modified by subsequent regulations (Notes, paragraph 191).

- Bulk, as in "equipment interference" (hacking) and "personal datasets". In the June 7 Commons debate on the IPB, it was explained thusly: "Bulk equipment interference is not targeted against particular person(s), organisation(s) or location(s) or against equipment that is being used for particular activities." So bulk is..."all the phones in the world"? Seeing the note "additional safeguards for health records" next to bulk personal datasets is not reassuring. A couple of days ago, Privacy International published documents shedding new light on the government's prior use of bulk datasets.

- Technical capability notices (S226). The clearest problem is the power to require "relevant operators" to remove the electronic protection they've applied, taking into account likely cost and technical feasibility. Like the FBI wanted Apple to provide.

- Double lock. It sounds OK: warrants are issued by a Secretary of State but must also be signed by a Judicial Commissioner; a refusal can be appealed to the Investigatory Powers Commissioner. The problem it that it's so easy to appoint rubber stampers. It's worth noting former Intelligence Services Commissioner Mark Waller's oral testimony; admittedly lacking technical expertise, he saw no reason why he needed any (Q4).

- Extraterritorial jurisdiction. A technology company's nightmare, though future employment prospects look bright for anyone studying international law. Days after last week's Microsoft vs DoJ ruling, US President Barack Obama proposed a US-UK deal enabling law enforcement to access data stored on each other's servers. The better solution is likely to reform the cumbersome multi-lateral access treaty (MLAT) procedures that direct arrangements are aimed at bypassing.

- Future scope. In oral testimony, then Home Office minister Theresa May indicated that data retention may extend to coffeeshops offering wifi and private networks (universities, libraries, businesses) (Q269); in Parliament on January 3, she said no communications service provider will ever be too small to be served a notice. The present choice of twelve months' retention period derives from the statistic that 49% of requests in child exploitation cases ask for data between ten and 12 months old.

- Legal compatibility. In the bill's notes, May calls the IPB "compatible with the Convention rights". The Advocate-General of the European Court of Justice disagreed last week with regard to the less-invasive DRIPA. OIf course, Britain may not have to care about conventions in future.

Much of this legislation is "Be the envy of other major governments" precedent-setting powers. Former GCHQ director David Omand underlined this in oral testimony: "This Bill contains the basis of the gold standard for Europe." (Q79)

IPB isn't law yet. Those opposing might write your MP, join ORG or Liberty, sign the Don't Spy on Us petition, or donate to Privacy International.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


July 22, 2016

Judgment days

US-Supreme_Court.jpgAs if the last few weeks weren't sufficiently full of surprises, this week several more showed up like rare Pokemon characters in the form of remarkably sensible judgments in court cases that form part of several chains of long-running disputes.

The first is the Microsoft case concerning international jurisdiction, significant because it will doubtless prove to be one of the first salvos in a lengthy process of deciding who gets access to what and where in a connected world.. The case began in December 2013, when a New York district judge issued a warrant ordering Microsoft to turn over to US authorities the contents of emails stored on its servers in Ireland. The US government argued that since Microsoft could access this data from within the US, it had the right to compel the company to do so. Microsoft argued that EU fundamental rights - that is, data protection law - applied, and that the US should make a formal request to the Irish government using the Mutual Legal Assistance Treaty (MLAT). The government argued in return that since Microsoft is an American company, MLAT was not necessary. The Second Circuit Court of Appeals has now ruled in favor of Microsoft.

As I understand it from various discussions, law enforcement tends not to like MLATs much. The process involved in making such requests is slow; last year, the Information Technology Industry Council asked Congress to provide more funding to eliminate the apparently growing backlog; like Microsoft, they wanted governments to follow legal procedures instead of bypassing them by making direct requests to the companies themselves.

As crime - and therefore investigation - becomes increasingly international, this is clearly an important issue for all concerned. Even given the difficulties, it seems clear that granting governments direct access to whatever data they want via direct arrangements is a bad idea, as it allows little transparency and no documented trail of accountability. It seems to be in all our interests to improve the MLAT process to eliminate the temptation to bypass them. The Center for Democracy and Technology, while welcoming the ruling on the basis that it avoids "a parade of horribles", warns that the government will likely appeal.

Tom_watson_communia2009_cropped.jpgThe second case, which dates to 2014, was the case brought against the UK government by the MPs Tom Watson (Labour - West Bromwich East) and David Davis (Conservative - Haltemprice and Howden) over the passage of the Data Retention and Investigatory Powers Act (2014) Last year, the High Court ruled in their favor, finding that the Act is incompatible with the right to private life and the protection of personal data enshrined in the EU Charter of Fundamental Rights. The government appealed, that this week the European Court of Justice has indicated it, too, will rule in Watson's favor. Last week, Davis was forced to withdraw when new Prime Minister Theresa May appointed him to the cabinet. Apparently you can't sue the British government while being part of it. Philip K. Dick would be so disappointed.

There are of course caveats: the ECJ's advocate general said that the fight against serious crime might justify bulk data retention - but that ordinary offenses and civil matters would not. This has ramifications for the Investigatory Powers bill, currently under consideration in the House of Lords and which reflects much the same approach as DRIPA. What the government will do now is an interesting question. Groups such as Privacy International, Liberty, and the Open Rights Group have argued all along for better safeguards, and that targeted, rather than bulk, surveillance is both more compatible with human rights and a better, more effective method of investigation. But will the UK government listen? Or will Theresa May - who has made her name advocating the policies the court has just indicated it will rule against - simply shrug and take the view that the ECJ's opinion is irrelevant since the UK's departure from the EU will remove it from the court's jurisdiction?

Finally, over in the torrent wars, the High Court of Paris has ruled that search engines do not have to censor torrent links (or in French, at NextImpact).This in the same week that the world's largest torrent site, Kickass Torrents, was seized and its owner arrested after investigators used historical data to match IP address, Facebook account, and real-world identity sourced from an iTunes transaction, a rare worked example of the power of data matching. As Charles Arthur noted in this morning's Overspill, it's nicely ironic that the alleged owner of a torrent site got caught in part because he made a purchase on iTunes (PDF).

In the French case, the French music industry association SNEP wanted the court to require Google and Bing to block search results featuring the word "torrent" and any of the names of the artists Kendji Girac, Shy'm, and Christophe Willem. Microsoft argued that such filtering would be "imprecise, disproportionate, and inefficient". So, the court made a sensible response to the old problem of blunt-force blocking. I assume SNEP can try again with a more precise, more proportionate, and more efficient version of the same request. Maybe one that wouldn't block a search to this piece, for example, which also features those artists' names and the word "torrent".

I feel sure this is just a brief summer outbreak of sanity.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 15, 2016

New tricks

bristolcable.jpg
Investigative journalism has long been a hard sell: it's time-intensive and expensive to produce, and even more expensive to defend if you really rile someone. Time magazine spent ten years and $7 million defending its 1991 story on the Church of Scientology. What mainstream outlet can afford that now?

Some of it has long since moved to NGOs, which (unlike politicians) require facts in order to campaign successfully. One of the best examples is Big Brother Incorporated, a project for Privacy International in which Eric King did all the things that investigative journalists do: he went to trade shows, listened to what the companies were telling their customers, and read their financial reports. The resulting stories were blasted across the world by mainstream newspapers - but they weren't the ones who did the work.

Now, it turns out that the risky, hard-hitting stuff is finding another home, in small, independent cooperatives that are beginning to reinvent local journalism, one of the most significant market failures in recent times. In the US, many formerly local newspapers got bought up by chains and turned into wire service clones. In the UK, news, like government, seems to flow more naturally from the center.

Yet every neighborhood has issues that residents are passionate about. So my theory has lonng been that for sufficiently motivated people it ought to be possible to restart journalism from the ground up by canvassing neighborhoods for people who were willing to pay a modest stipend to get good reporting on all those local issues: council and school board meetings, planning applications, local corruption, and so on. In the UK, your best shot about finding out about the last of those is the satirical weekly Private Eye - its "Rotten Boroughs" section makes excruciatingly depressing reading.

This week, the annual summer school run by the annual summer school run by the Centre for Investigative Journalism, there were two examples of the kind of local-based independent projects that point the way to at least one piece of a possible future: the Bristol Cable, founded in 2013, and Scotland's year-old The Ferret.

bristolcable-cover.jpgFor the Bristol Cable, Alec Saelens and Lorna Stephenson explained that the risk-averse Bristol media, compromised by their dependence on advertising and local relationships, left the need for something different that genuinely served the public interest. Wanting something different, the group formed a cooperative, held workshops and meetings, and after about a year and a half had pulled together sufficient support to launch the paper. A year and a half after its launch, the Cable is supported by four revenue streams: membership subscriptions, which they hope will consistently be the leading stream; grants; carefully selected advertising; and external engagements. In the last year, both membership (now around 1,200) and the size of their print run have tripled (now 30,000).

Print? You betcha. "It's a way to make sure it's shared across the city," Saelens explained.

The group plans to build partnerships with like-minded organizations across the city and provide journlaism training for people who wouldn't normally have access to it. Most interesting, they believe their model of cooperative production is replicable, and they are trying to develop guidelines to help other groups wanting to do the same thing for their cities.

ferret-folks.jpgMore or less during the same period,, freelance journalists Rachel Hamada and Peter Geoghegan, among others, were pondering how to create The Ferret to fill a similar gap. Like the Bristol group, they decided on coooperative ownership and benefited from an early £1,500 grant from Cooperatives UK. In the interests of keeping expenses low, however, they've so far avoided print, though it sounds like it's something they might consider for special occasions in future.

After some consideration, The Ferret's founders began by seeking crowdfounding for one project and consulting the funders to choose what it should be. In the end, they picked fracking, which led to a substantial package of stories such as mapping where companies wanted to frack first and discovering that anti-fracking campaigners had been branded terrorist threats in anti-terror training materials published by Glasgow City Council. Since then, they've investigated the House of Lords' expenses, Facebook censorship, and much more. Two of their most-recurring topics are surveillance and domestic violence, both of which they feel are underserved in the mainstream press. Stories they've published have been picked up by or published in tandem with mainstream outlets.

They have so far managed to keep the operation very cheap: it has no offices. They all work remotely, communicating via email and Slack. Editorial decisions are made by consensus, they're signed up to Impress, and they've put some effort into developing a complaints policy. They also find they need to put some effort into ensuring subscribers stay engaged and active through meetings and other events. Unlike the Cable's crew, they were all already experienced journalists, which may explain their almost quaint insistence on paying everyone for the stories they write. ("We're just chancers," Saelens cheerfully responded.)

They are finding that two things they were told at the beginning would never work are not so far proving true: 1) a paywall would never work; and 2) populist subjects are essential for success.

Yes, both these operations are extremely small. "These are very humble beginnings," Geoghegan said. But even the oldest, biggest newspapers - or The Skeptic - had to start somewhere.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 8, 2016

Respawn

vlcsnap-2016-07-08-18h23m39s849.pngAlmost unnoticeable among the noise and fury of this week in British politics (which required a thorough review of Yes, Minister to parse), several initiatives reopened old wounds.

First off, Ars Technica reports that Privacy Shield, the replacement for the late, not-so-much-lamented Safe Harbour, looks set for approval. Both European and American businesses have been operating in limbo while awaiting a new legal framework. The court's key complaints about Safe Harbor were that data transferred to the US could not be protected from NSA bulk surveillance and that EU citizens lacked access to redress within the US. To remedy the situation, the US passed the Judicial Redress Act, which some observers argue doesn't help much because of the practical difficulties of exercising the limited rights it grants. These two points were part of the basis of the Article 29 Working Party's criticism of the draft Privacy Shield. Now it seems set to pass, we'll have to wait and see what the courts think.
lokke_moerel_web.jpgMeanwhile, the model contracts that companies have been using to fill the gap have also been found inadequate in a draft decision by the Irish data protection authority. If this view is upheld by the courts, it could leave both European and American businesses in trouble. As a whole, the situation has led Dutch data protection expert Lokke Moerel to ask whether the EU is veering into protectionism. European companies, as much as US ones, need to perform data transfers. In the piece linked above, Moerel suggests that the EU is exercising a double standard - especially since the US and EU are apparently able to agree on data protection safeguards for the purposes of law enforcement, just not for commercial purposes.

18cert100by100.jpgMeanwhile, we had almost entirely forgotten about the Digital Economy bill, which was announced in May in the Queen's speech. The key controversial elements look set to be the provisions regarding copyright - the bill seeks to raise the maximum prison term for online copyright infringement from two years to ten - and access to pornography. The proposal is to require websites to implement controls barring minors from access; industry discussions about how to do this have been underway for some time. A new Age Verification Regulator will be able to fine sites up to £250,000 or 5 percent of turnover.

Next, in the process of announcing a new consultation on sharing medical data, the government also said it was closing down the care.data program that caused so much trouble back last year. The consultation asks for opinions about a bunch of proposed security standards and from the sounds of it the intention is to give patients more flexible options for consent. Nonetheless, perhaps in part because of the amount of political posturing that's gone on in the wake of the EU referendum vote, it seems logical to fear that "closing care.data" may wind up meaning "renaming and relaunching care.data". I hope not. I hope we wind up with a really good solution to sharing medical data so everyone's health benefits while genuinely protecting patient privacy and trust. In May, the Ponemon Institute's sixth annual study on the privacy and security of healthcare data found that nearly 90 percent of the organizations surveyed had at least one breach in the last two years - and 45 percent had more than five. The leading cause of breaches is criminal activity such as ransomware, DDoS attacks, and malicious insiders are a key problem.

Doubtless plenty of advisers will pop up to tell the government and NHS how to do security properly. The bigger worry is that, like the paper BoingBoing highlighted recently, the efforts to protect security will be devised in such a user-unfriendly way that healthcare workers on the ground will be forced to ignore them to avoid putting patients at risk. These are the kinds of issues that Angela Sasse and others have worked on for years: security has to work with and for people. Nowhere is it clearer than in healthcare that security has to be designed with the understanding that it has to support, rather than hinder, the non-security functions that are most people's primary jobs.

Finally, some months back, I said much the same about Hillary Clinton's email server, and got some pushback (on Facebook) by those who felt her complaint was specious. This week, the eminent computer science professor and security authority Eugene Spafford commented on the absence of discussion of whether the rules applied to Clinton were appropriate. That absence is still notable: instead, people are wrangling over James Comey's report and his discinclination to bring criminal charges against Clinton, the news that the hacker who claimed to have hacked her server actually didn't, and exactly how many of the emails she sent through her server were classified at the time when she sent them (three, Comey told Congress). And so, the BBC reports, the State Department will now reopen its investigation into the matter. The one good side of this is that for the rest of this year - and probably into next - email security is going to receive an unprecedented amount of national attention, even among politicians who don't use it. Maybe security will genuinely improve as a result.

Illustrations: Rebuilding from a DNA strand in The Fifth Element; Lokke Moerel; the UK's 18-rating logo.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

July 1, 2016

Copyright exception gymnastics

Julia Reda-wg-2016-06-24-cropped.jpg
"National sovereignty in a globalized world is an illusion, and a dangerous one at that," the MEP Julia Reda said last Friday morning, a few hours after the results of Britain's EU referendum had been announced.. She might have said this anyway in the interests of explaining why copyright reform is so difficult to achieve, but it had, as I'm sure she intended it to, special poignance for a shaken-up audience asking each other what had just happened.

Reda was speaking at the Create Festival, a day-long event intended to show off the work of the many researchers aiming to put an evidence base underneath copyright policy. In her talk, she stressed two things: first, the need to take a more coherent approach than the patchwork of exceptions that solve symptomatic problems one by one but never add up to a cure for the underlying problem; second, that no country can make copyright policy on its own. Probably everyone in the audience - and one speaker who had to dig out his handkerchief when he began to talk about Europe - knew that last point already.

The push toward harmonization has not in general been kind to copyright reformers. Because so much is subject to international treaties, governments have much less control over laws at the national level and what those laws say is far less democratically accountable. This is especially true as these treaties have changed in character. Earlier intellectual property agreements - beginning with the 1886 Berne Convention - focused specifically on intellectual property. Granted, the participants in the discussion tended to be limited to specialists working for either governments or large rights holders. Today's treaties, like the Trans Pacific Partnership are monster affairs of which intellectual property is just one piece.

Britain can't realistically break ranks with any of that. As Reda put it, "The future of copyright will not lie with those who will simply try to leave the international system of compromises that have been struck." The international collaboration the internet enables would be a bureaucratic nightmare in a world where every nation's individual laws had to be separately navigated.

Reda argued that the problems of lack of harmonization dwarf the other problem she highlighted, but the questions she raised around temporary copies are nonetheless much more interesting. Twenty years ago, at the beginning of the commercial web, the question of whether temporary copies should be legal was a big issue. In the analog world, all copies were permanent copies, and so all copies required payment. There was no such thing as a temporary copy; perhaps the closest to such a thing arrived with photocopiers, where you could make a copy at a modest enough cost that you might toss it when you were done with it.

It is impossible, however, to browse the web without making a temporary copy of the page you're looking at in your computer's memory. Therefore, incredible as it seems now, there was some debate about whether this should be allowed. In 2001, an exception to copyright law for transient or incidental copying as part of network transmission or legal use was included in the EU Copyright Directive. This exception makes all sorts of digital technologies possible that weren't conceived of at the time: for example, it makes it legal (in Reda's example) for people with cochlear implants to listen to music via the digital signal processor inside, and it also lies behind the EU court's ruling in 2014 that watching pirated broadcast streams is legal.

The point of this discussion of what Reda called "copyright exception gymnastics" was to highlight a proposal under discussion to create an exception for text and data mining. To Reda, this is the same basic problem mutatis mutandis; you're not extracting and copying the data for its own sake but as a transitional step to analyzing the data to learn from the results. So, Reda asked, rather than keep making exceptions for the same purpose, shouldn't we reform the exclusive reproduction right?

new-22portobelloroad.jpgWhat's so striking about Reda's point is the number of ways copyright can invade the physical world alongside the software and computer systems that are rapidly being embedded everywhere. We've talked about the Internet of Things and 3D printing, but Reda is the first person I've seen to see a connection between freedom of panorama and the images captured by CCTV cameras. Arguing that retaining such images violates the reproduction right would be an interesting way to campaign against surveillance - but, as Reda says, is copyright the tool you want to use for that purpose? Will new exceptions be needed for sensors, VR googles, and enhanced headphones, all of which create copies of inputs in order to process them?

"The mere perception of the world around us was never supposed to be covered by copyright. But this is exactly what the equation of digital copies with analogue copies achieves."

Reda is right to argue that change of the kind that's needed is not going to happen without wide collaboration and that it must incorporate the impact on developing nations. A global problem will require global solutions. Independence isn't what it used to be.


Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.