News Report: The Verge
Text of Bill: Text and legislative history at leginfo.legislature.ca.gov
Explainer: California’s Cellphone ‘Kill Switch’ Law: What You Need to Know at Mashable
Cautionary Note: How Cops and Hackers Could Abuse California’s New Phone Kill-Switch Law at WIRED.
Background: U.S. Senate Bill Proposes Sweeping Curbs on NSA surveillance – Reuters' news report.
Text: txt, pdf and html versions at Congress.gov.
Summary of the Bill: Senator Leahy’s NSA Reform Bill: A Quick and Dirty Summary — LawFare
Position of the Electronic Frontier Foundation: Understanding the New USA FREEDOM Act: Questions, Concerns, and EFF’s Decision to Support the Bill and The New Senate USA FREEDOM Act: A First Step Towards Reforming Mass Surveillance at EFF’s DeepLinks blog.
Other Commentary: Our Privacy and Liberty Still at Risk, Even if Leahy NSA Bill Passes – Elizabeth Goitein of the Brennan Center for Justice.
Debate (audio): Stewart Baker, former NSA general counsel, debating Harley Geiger, Deputy Director for the Freedom, Security and Surveillance Project at the Center for Democracy and Technology (Steptoe Cyberlaw Podcast; debate sponsored by the Federalist Society).
“Boards are almost exactly as they were a hundred years ago: a collection of grey eminences who meet for a few days a year to offer their wisdom. They may now include a few women and minorities. There may be a few outsiders. But the fundamentals remain the same. Board members are part-timers with neither the knowledge nor the incentives to monitor companies effectively. And they are beholden to the people they are supposed to monitor. Boards are thus showcases for capitalism’s most serious problems: they are run by insiders at a time when capitalism needs to be more inclusive and are dominated by part-timers at a time when it needs to be more vigilant about avoiding future crises. In the May edition of the Stanford Law Review Stephen Bainbridge of the University of California, Los Angeles, and Todd Henderson of the University of Chicago offer a proposal for fixing boards that goes beyond tinkering: replace individual directors with professional-services firms.” – The Economist
Professors Bainbridge and Henderson’s paper (pdf): Boards-R-Us: Reconceptualizing Corporate Boards
“It’s an imperfect analogy, but, given this extraordinary control over the means of global communication, Silicon Valley giants at this point are more akin to public utilities such as telephone companies than they are ordinary private companies when it comes to the dangers of suppressing ideas, groups and opinions. It’s not hard to understand the dangers of allowing, say, AT&T or Verizon to decree that its phone lines may not be used by certain groups or to transmit certain ideas, and the dangers of allowing tech companies to do so are similar. In the digital age, we are nearing the point where an idea banished by Twitter, Facebook and Google all but vanishes from public discourse entirely, and that is only going to become more true as those companies grow even further.” – Glenn Greenwald at The Intercept
“We need, as web inventor Tim Berners-Lee has urged, to re-decentralize the Internet, and restore its promise as a medium where the action takes place at the edges of networks—where we wouldn’t need permission to communicate and innovate. The first way we users of Internet services can re-decentralize is to create—and make use of—our own home base online. In practical terms, this means getting your own domain name and creating, at a minimum, a blog where you establish your own identity. The page you think is yours at LinkedIn, Tumblr, Instagram (Facebook), or any of the other centralized services is emphatically not truly your own; it’s theirs.” – Dan Gillmor at The Atlantic
“The path to a proper encrypted email system isn’t that far off. At minimum, any real solution needs:
‘A proper approach to key management. This could be anything from centralized key management as in Apple’s iMessage — which would still be better than nothing — to a decentralized (but still usable) approach like the one offered by Signal or OTR. Whatever the solution, in order to achieve mass deployment, keys need to be made much more manageable or else submerged from the user altogether.’
‘Forward secrecy baked into the protocol. This should be a pre-condition to any secure messaging system.’
‘Cryptography that post-dates the Fresh Prince. Enough said.’
‘Screw backwards compatibility. Securing both encrypted and unencrypted email is too hard. We need dedicated networks that handle this from the start.’”
– Professor Matthew Green, Johns Hopkins University, writing at his blog: A Few Thoughts on Cryptographic Engineering.
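The forward-secrecy item in the list above is the one most often hand-waved, so here is an added illustration of what it buys (this is example code written for this page, not Green's, Signal's or OTR's code). It contrasts PGP-style "encrypt to the recipient's long-term key" with a session protected by ephemeral Diffie-Hellman on both sides, records both on the wire, then leaks the recipient's long-term private key. The DH group (2^255 - 19 with generator 2) and the HMAC-based stream cipher are toy choices made here so the block runs on the Python standard library alone; a real system would use X25519 with an AEAD, and would authenticate the ephemeral keys with the long-term keys, which is omitted.

```python
"""Forward secrecy demo: a leaked long-term key exposes every past message that was
encrypted to that key, but not a session keyed by per-session ephemeral Diffie-Hellman.

Added example, stdlib only. Group parameters and the HMAC-based stream cipher are toy
choices for illustration (assumption: not vetted primitives); use X25519 and an AEAD
in practice, and sign the ephemeral keys with the long-term keys (not shown here).
"""
import hashlib
import hmac
import os
import secrets

# Toy Diffie-Hellman group, chosen for illustration only (assumption: not a vetted DH group).
P = 2**255 - 19
G = 2


def keygen():
    """Return (private, public) for DH in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def kdf(shared: int, label: bytes) -> bytes:
    """Derive a 32-byte key from a DH shared secret, domain-separated by label."""
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256 (no integrity; demo only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Scheme 1: encrypt to the recipient's long-term public key (PGP-style, no forward secrecy).
def encrypt_to_static(recipient_pub: int, plaintext: bytes):
    e, E = keygen()                       # sender side is ephemeral, recipient side is static
    key = kdf(pow(recipient_pub, e, P), b"static")
    nonce = os.urandom(16)
    return E, nonce, stream_xor(key, nonce, plaintext)


def decrypt_with_static(recipient_priv: int, ct):
    E, nonce, body = ct
    key = kdf(pow(E, recipient_priv, P), b"static")
    return stream_xor(key, nonce, body)


# Scheme 2: per-session ephemeral DH on both sides; the ephemeral secrets are erased after use.
def forward_secret_exchange(plaintext: bytes):
    """Simulate one session. Returns only what a wiretap records: (A, B, nonce, body)."""
    a, A = keygen()                       # Alice's ephemeral pair
    b, B = keygen()                       # Bob's ephemeral pair
    key = kdf(pow(B, a, P), b"session")
    assert key == kdf(pow(A, b, P), b"session")   # both sides derive the same key
    nonce = os.urandom(16)
    body = stream_xor(key, nonce, plaintext)
    del a, b, key                         # nothing long-lived can recompute this key
    return A, B, nonce, body


def demo():
    """Record traffic, then leak Bob's long-term private key and see what an attacker recovers."""
    bob_priv, bob_pub = keygen()          # Bob's long-term identity key
    secret_mail = b"meet at the usual place, bring the documents"   # constructed sample message

    static_ct = encrypt_to_static(bob_pub, secret_mail)
    A, B, nonce, body = forward_secret_exchange(secret_mail)

    # ... months later, Bob's long-term private key is compromised.
    leaked_priv = bob_priv

    # Scheme 1 traffic falls at once: the leaked key is exactly what decrypts it.
    static_recovered = decrypt_with_static(leaked_priv, static_ct) == secret_mail

    # Scheme 2 traffic: the recording holds only A and B. The session key needs a or b, both
    # erased; the long-term key never entered the computation. Misusing the leaked key against
    # the ephemeral publics, the attacker's only move, yields garbage.
    wrong_key = kdf(pow(A, leaked_priv, P), b"session")
    fs_recovered = stream_xor(wrong_key, nonce, body) == secret_mail

    return {"static_scheme_past_mail_recovered": static_recovered,
            "forward_secret_session_recovered": fs_recovered}


if __name__ == "__main__":
    print(demo())
```

The point of the `del a, b, key` line is the whole design: forward secrecy is a property of what is *not* kept, not of a stronger cipher. Key management (Green's first item) is what makes the ephemeral publics trustworthy, since without a signature from the long-term key an active attacker can substitute its own A or B; that binding is left out above to keep the block short.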
Cyber Law, Tech and Policy
On the 35th anniversary of the Supreme Court case that cemented the third-party doctrine (the rule that people have no reasonable expectation of privacy in information they voluntarily expose to third parties such as telcos and other businesses): Smith v. Maryland Turns 35, But Its Health Is Declining — Electronic Frontier Foundation.
At Medium, Rex Sorgatz’s four part series on art and authenticity: Part I: This is Not a Vermeer; Part II: Uber for Art Forgeries; Part III: Forgeries Gone Wild; and Part IV: The End of Authentication.
The Scope of Ai Weiwei’s Imagination – photo essay in Hyperallergic on the recent “Ai Weiwei: Evidence” exhibition at the Martin-Gropius-Bau Museum in Berlin. Also: The Long Game: On the Repression of Ai Weiwei and Jafar Panahi — Full Stop.
David Foster Wallace on Writing, Self-Improvement, and How We Become Who We Are – Maria Popova at Brain Pickings. Related: mp3 of WBUR/The Connection radio program featuring David Foster Wallace and “Modern American Usage” editor/author, Bryan Garner, discussing English language usage.
The Interview: The Most Wanted Man in the World — James Bamford in Wired
Two Companion Pieces in WIRED: Snowden: I Left the NSA Clues, But They Couldn’t Find Them and Call Me Ed: A Day With Edward Snowden
Dan Geer, CISO for In-Q-Tel, a not-for-profit investment firm that invests in technology supporting the missions of the CIA and the broader U.S. intelligence community (i.e., the CIA’s venture arm), garnered headlines this past week for his proposal that the U.S. government corner the market on security vulnerabilities and then disclose them. His presentation at Black Hat 2014, however, is well worth watching in its entirety, as he touches on policy proposals on a wide variety of topics, including:
Mandatory Vulnerability Reporting: 16:46
Net Neutrality: 22:20
Product Liability for Software: 25:31
Cyber Attack Counterstrikes: 32:12
Vulnerability Finding: 38:44
Right to be Forgotten: 40:15
Internet Voting: (only in Transcript)
Software Abandonment: 44:47
Convergence of Cyberspace and “Meatspace”: 47:04
“Tails, the operating system favoured by journalists, activists, and Edward Snowden for its high degree of privacy protection, has been shown to have critical vulnerabilities in its code. By exploiting these, attackers could peel away a Tails user’s cloak of anonymity. It’s just the latest reminder that tools touted as ‘anonymous’ are not infallible.” — Another Reminder That Anonymity Tools Aren’t Foolproof – Vice’s MotherBoard
Back Doors in Apple’s Mobile Platform for Law Enforcement, Bosses, Spies (Possibly) — Cory Doctorow at BoingBoing: “Jonathan Zdziarski’s HOPE X talk, ‘Identifying Backdoors, Attack Points, and Surveillance Mechanisms in iOS Devices’, suggests that hundreds of millions of iPhone and iPad devices ship from Apple with intentional back-doors that can be exploited by law enforcement, identity thieves, spies, and employers.”
Tor Break Talk Axed from Black Hat Conference — ZDNet: “A proposed talk by two Carnegie Mellon University researchers demonstrating how to de-anonymise Tor users on a budget of US$3,000 has been axed from the Black Hat USA 2014 conference in Las Vegas next month. The talk, ‘You don’t have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ by speakers, Alexander Volynkin and Michael McCord, from Carnegie Mellon University’s Computer Emergency Response Team, had reportedly been highly anticipated by punters.”
Visit the Wrong Website, and the FBI Could End Up in Your Computer — Wired: “Security experts call it a ‘drive-by download’: a hacker infiltrates a high-traffic website and then subverts it to deliver malware to every single visitor. It’s one of the most powerful tools in the black hat arsenal, capable of delivering thousands of fresh victims into a hacker’s clutches within minutes . . . For the last two years, the FBI has been quietly experimenting with drive-by hacks as a solution to one of law enforcement’s knottiest Internet problems: how to identify and prosecute users of criminal websites hiding behind the powerful Tor anonymity system.”
“Can you imagine how awesome it would have been to be an entrepreneur in 1985 when almost any dot com name you wanted was available? . . . The internet was a wide open frontier then . . . Looking back now it seems as if waves of settlers have since bulldozed and developed every possible venue, leaving only the most difficult and gnarly specks for today’s newcomers . . . But, but . . here is the thing. In terms of the internet, nothing has happened yet. The internet is still at the beginning of its beginning. If we could climb into a time machine and journey 30 years into the future, and from that vantage look back to today, we’d realize that most of the greatest products running the lives of citizens in 2044 were not invented until after 2014 . . . There has never been a better time [to start something on the internet] with more opportunities, more openings, lower barriers, higher benefit/risk ratios, better returns, greater upside, than now. Right now, this minute . . . It is the best time EVER in human history to begin. You are not late.”
“[T]he ‘Internet’ in ‘Internet.org’ is not a natural resource that looks and costs the same everywhere based on its inherent features. It is a result of complex, controversial policy decisions over the use and ownership of communication infrastructure. These decisions follow years of lobbying and clever manipulation of national and international bodies by telecom operators, and are a direct consequence of various privatization and liberalization reforms in those countries. Facebook, because of its own long-term interest in expanding its advertising reach in the developing world, can make that Internet more accessible. But to accept its bargain is to abandon the fight to create different institutional arrangements — say, to rein in the power of telecom operators and provide cheaper, more equitable services.” — from Evgeny Morozov's OpEd in The New York Times
Brad Smith, executive vice president and general counsel at Microsoft, speaking at the Brookings Institution on “The Future of Global Technology, Privacy and Regulation” in light of the Snowden revelations.
“We need to recognize that we do need, in my opinion, a broad based legal and regulatory model when it comes to company use of personal information . . . . Imagine a bank that doesn’t take good care of its customers’ money. Do you think it has a bright future? What do you think of a tech company that doesn’t take good care of its customers information. I believe that over the long term the world will expect and even insist that we pay as much attention to the personal information of consumers as banks do to their money. And the sooner we get started on that, and the faster we come together to have [a] kind of broad based conversation . . . . . the more successful we will be.”
Total time: 1 hour, 30 minutes.
Brad Smith’s main presentation: 03:50 to 48:35
Moderator questions: 49:47 to 1:05:11
Audience questions: beginning 1:05:50
Related: Personal Privacy Is Only One of the Costs of NSA Surveillance — Wired:
“American firms in the cloud computing sector are feeling the pressure as consumers and corporate clients reconsider using third-party storage companies in the U.S. for their data. Companies like Dropbox and Amazon Web Services reportedly have lost business to overseas competitors like Artmotion, a Swiss hosting provider. The CEO of the European firm reported that within a month after the first revelations of NSA spying went public, his company’s business jumped 45 percent. Similarly, 25 percent of respondents in a survey of 300 British and Canadian businesses earlier this year said they were moving their data outside the US as a result of NSA spying. The Information Technology and Innovation Foundation has estimated that repercussions from the spying could cost the U.S. cloud computing industry some $22 to $35 billion over the next few years in lost business.”
Cyber Law, Tech and Policy
Meet Executive Order 12333: The Reagan Rule that Lets the NSA Spy on Americans — John Napier Tye, former section chief for Internet freedom in the State Department’s Bureau of Democracy, Human Rights and Labor, in an OpEd at The Washington Post:
“A legal regime in which U.S. citizens’ data receives different levels of privacy and oversight, depending on whether it is collected inside or outside U.S. borders, may have made sense when most communications by U.S. persons stayed inside the United States. But today, U.S. communications increasingly travel across U.S. borders — or are stored beyond them. For example, the Google and Yahoo e-mail systems rely on networks of ‘mirror’ servers located throughout the world. An e-mail from New York to New Jersey is likely to wind up on servers in Brazil, Japan and Britain. The same is true for most purely domestic communications. Executive Order 12333 contains nothing to prevent the NSA from collecting and storing all such communications — content as well as metadata — provided that such collection occurs outside the United States in the course of a lawful foreign intelligence investigation. No warrant or court approval is required, and such collection never need be reported to Congress. None of the reforms that Obama announced earlier this year will affect such collection. Without any legal barriers to such collection, U.S. persons must increasingly rely on the affected companies to implement security measures to keep their communications private. The executive order does not require the NSA to notify or obtain consent of a company before collecting its users’ data.”
Network Neutrality and Quality of Service: What a Non-Discrimination Rule Should Look Like – a new paper (pdf) by Stanford Law Professor Barbara Van Schewick.
Why the Security of USB Is Fundamentally Broken — Wired:
“Computer users pass around USB sticks like silicon business cards. Although we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work. That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken.”
40 Years on, the Barcode Has Turned Everything Into Information — Wired:
“On June 26, 1974, at 8:01 a.m., Sharon Buchanan used a barcode to ring up a 10-pack of Juicy Fruit at the Marsh Supermarket in Troy, Ohio. A tectonic shift in the underlying economics of trade in tangible, physical goods of all kinds soon followed.”
Revolutionary new blood test ‘could detect ALL types of cancer’ – The Daily Mail
National security reporter, Barton Gellman, responding in a Washington Post Q&A to the question of why anyone should care about U.S. government surveillance if they have nothing to hide:
“Information is power. The US government (and US companies) now learn more about us than anyone has ever known about anyone, and secrecy prevents us from learning what they do. That puts us, in effect, behind a one way mirror. As a citizen who wants to hold my government to account, I find that troubling. I am not saying that the government is abusing the power it has accrued. Sometimes the scandal is what’s legal, especially if lawmakers and citizens had no reasonable opportunity to learn what the executive branch believed it was authorized to do. But abuse is not far behind us in our history. Spying on enemies was one of the Articles of Impeachment against Nixon, and the FBI’s Hoover died in the lifetime of many people still living. I don’t know whether I’ve ever met someone who truly has nothing to hide. If you think that’s you, post a link to everything on your phone, your computer, your email accounts and your web browsing and purchasing history. And even if you have no secrets, you’re probably in possession of the secrets of others — the friend who is going to leave her husband, or wants to find a new job, or just got diagnosed with something she does not want people to know about. Privacy is relational. We may tell things to our friends we don’t tell our parents or our kids, and so on. I want control of my own secrets, personal and professional. That’s the bottom line.”
Also worthwhile: Barton Gellman's 2003 lecture at Princeton on Secrecy, Security and Self-Government: An Argument for Unauthorized Disclosures (transcript: Part I and Part II), as well as Conor Friedersdorf's Why the Press Can Publish Any Classified Material It Likes in The Atlantic.
Blackest is the New Black: Scientists Develop a Material So Dark that You Can’t See It – The Independent: “A British company has produced a ‘strange, alien’ material so black that it absorbs all but 0.035 per cent of visual light, setting a new world record. To stare at the ‘super black’ coating made of carbon nanotubes – each 10,000 times thinner than a human hair – is an odd experience. It is so dark that the human eye cannot understand what it is seeing. Shapes and contours are lost, leaving nothing but an apparent abyss.”
NSA = J. Edgar Hoover On Steroids – The Big Picture:
“With a few hundred cable probes and computerized decryption, the NSA can now capture the kind of gritty details of private life that J. Edgar Hoover so treasured and provide the sort of comprehensive coverage of populations once epitomized by secret police like East Germany’s Stasi. And yet, such comparisons only go so far. After all . . . . J. Edgar Hoover still only knew about the inner-workings of the elite in one city: Washington, D.C. To gain the same intimate detail for an entire country, the Stasi had to employ one police informer for every six East Germans — an unsustainable allocation of human resources. By contrast, the marriage of the NSA’s technology to the Internet’s data hubs now allows the agency’s 37,000 employees a similarly close coverage of the entire globe with just one operative for every 200,000 people on the planet. In the Obama years, the first signs have appeared that NSA surveillance will use the information gathered to traffic in scandal, much as Hoover’s FBI once did.”
Read the whole thing. Domestic bulk data collected by the NSA confers immense power on those with access to it and will be prone to political (and financial) abuse. History demonstrates that the lure of such data for improper purposes is likely to be irresistible. Hoover stayed in office for decades, aided in large part by the information the FBI had collected on the politicians of the day. Imagine what could be done with the data collected by the NSA.