<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-16750015</id><updated>2009-07-12T23:24:58.902-04:00</updated><title type='text'>slight paranoia</title><subtitle type='html'>The analysis and rantings of Christopher Soghoian, a security and privacy researcher.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default?start-index=26&amp;max-results=25'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>311</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-16750015.post-7614561854957186290</id><published>2009-07-12T18:00:00.002-04:00</published><updated>2009-07-12T18:11:03.992-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='copyright'/><category scheme='http://www.blogger.com/atom/ns#' term='DMCA'/><title type='text'>Thoughts on the DMCA exemption process</title><content type='html'>On Friday, we sent off our &lt;a href="http://files.dubfire.net/Soghoian%20DMCA%201201%20Exemption%20Responses%20-%20final.pdf"&gt;11 page reply letter&lt;/a&gt; to the Copyright Office, in response to the &lt;a 
href="http://paranoia.dubfire.net/2009/06/dmca-questions-from-copyright-office.html"&gt;questions they sent us&lt;/a&gt; regarding our Digital Millennium Copyright Act &lt;a href="http://news.cnet.com/8301-13739_3-10112022-46.html"&gt;exemption requests&lt;/a&gt; for DRM abandon-ware.&lt;br /&gt;&lt;br /&gt;There is a semi-decent chance that I will be either employed or engaged in consulting work half-time starting in September, which could make it difficult for me to blog (particularly given the style and tone that I tend to use). Thus, I want to take this opportunity now, while I still have the freedom to fully express my thoughts, to reflect on this process, and thank the many who assisted me.&lt;br /&gt;&lt;br /&gt;First, I originally had the idea for the exemption request in May or so of last year. In the process of writing &lt;a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1032225"&gt;a law paper&lt;/a&gt; on the hacking of subsidized electronic goods by consumers, I spent a lot of time studying the cell-phone unlocking exemption that &lt;a href="http://www.eff.org/about/staff/jennifer-granick"&gt;Jennifer Granick&lt;/a&gt; had won back in 2006. I think it would be fair to say I was inspired by her actions.&lt;br /&gt;&lt;br /&gt;The DMCA process is one of the few ways through which an individual can actually make a difference to impact federal cyber law and copyright policy. It doesn't matter how many former Senate staffers you have working for your cause, nor are donations to PACs a necessary requirement for access. As someone with both a desire to make a difference, and a lack of money/access, the appeal was clear.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Writing up the request&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;My exemption submission simply wouldn't have been possible without the assistance of a skilled legal team, led by Phil Malone at the Harvard cyberlaw clinic. 
While lay-persons do submit requests every year, they are never taken seriously (and when you read some of them, you understand why). The process is fairly straight-forward, but still requires some knowledge of the specifics of the DMCA.&lt;br /&gt;&lt;br /&gt;I had the idea for both the consumer and researcher exemptions, and probably provided around 50-60% of the text in the original exemption request comment and in our reply letter.  After reading Slashdot every day for the past 14 years, it was easy for me to dig up citations to all the past instances of failed media stores, a task which would have taken a clinical intern significantly more time.&lt;br /&gt;&lt;br /&gt;I gather that most clinical clients do not participate as much, nor directly contribute as much to the final work product. However, since I know the DMCA fairly well, and knew the specifics of the situation which we were examining, I think my participation helped quite a bit. Plus, it is (for a copyright policy geek) quite a fun activity.&lt;br /&gt;&lt;br /&gt;However -- my participation alone was not enough. Phil Malone and Arjun Mehra turned my rantings of repeated industry abuse and a plea for relief into a compelling legal document. To be clear -- while I strongly encourage technologists and copyright activists to get involved with the DMCA exemption process, you really are wasting your time without the assistance of tech-savvy lawyers.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Arguing for the exemptions in DC&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Before going to DC in May to argue in-person for my exemption requests, I went to a Federal Trade Commission town-hall focused on DRM. 
This event was something of a trial run, with many of the same characters who would later show up in DC.&lt;br /&gt;&lt;br /&gt;The industry folks who argued on behalf of DRM at that event were, frankly, clueless shills masquerading as experts, and as such, they seemed to do a good enough job revealing their ignorance that I didn't need to do much to help.&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137635&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137635&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;As one copyright expert tried to warn me ahead of time, most of the people at the FTC town hall were on the "B-team", while the industry would make sure to send the "A-team" to the DMCA exemption hearing. &lt;br /&gt;&lt;br /&gt;Unfortunately, I didn't really listen to him, and so when I did go to Washington to argue for my exemptions before the Copyright Office, I was a tad bit over-confident.&lt;br /&gt;&lt;br /&gt;An important note for future copyright geeks: If you are considering asking for a DMCA exemption, and end up arguing for it in person, do &lt;b&gt;not&lt;/b&gt; under-estimate &lt;a href="http://www.msk.com/attorneys.asp?id=1583"&gt;Steve Metalitz&lt;/a&gt;, the industry's main attack dog on DMCA related issues. He is very good, and very quick on his feet. 
Unless you are a seasoned lawyer, do not allow him to drag you into the weeds in a discussion of the specifics of copyright law -- stick to issues of consumer harm and industry abuse.&lt;br /&gt;&lt;br /&gt;The hearing itself was thrilling, exciting, and sort of like a court room -- with a panel of judges (well, copyright office lawyers) on a podium at the front of the room, and with the "good guys" (me) and the "bad guys" (Metalitz and someone from Time Warner) at two tables, separated by an aisle. &lt;br /&gt;&lt;br /&gt;My only real regret from the hearing was not having a hot-shot lawyer sit next to me, who I could defer to on legal related questions. It wasn't until the hearing was over that I looked back, and saw that both &lt;a href="http://wendy.seltzer.org/"&gt;Wendy Seltzer&lt;/a&gt; and &lt;a href="http://www.eff.org/about/staff/fred-von-lohmann"&gt;Fred von Lohmann&lt;/a&gt; had snuck into the hearing after it started, and had thus been watching it from the back row.&lt;br /&gt;&lt;br /&gt;While I handled things pretty well, on questions relating to the specifics of section 1201, I wasn't as strong. Luckily, the Copyright Office attorneys didn't really hammer me with legal questions, and focused the questions on topics on which I could actually provide expert testimony.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A word on timing and legal clinics&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;A DMCA exemption is a perfect, small, self-contained project for Law School legal clinics. Exemption requests are due in the fall, optional reply comments are due in the spring, the hearings are in the late spring, and then question reply comments are due over the summer. The entire process, from start to finish, is over in less than 9 months. 
Furthermore, it is something that can be done by a single (supervised) clinical intern.&lt;br /&gt;&lt;br /&gt;As a result, it is not terribly surprising that university law clinics are now playing an increasingly prominent role in the DMCA exemption process.&lt;br /&gt;&lt;br /&gt;In 2009, 3 different groups of exemptions were sought by individuals represented by the Harvard cyberlaw clinic, the &lt;a href="http://www.copyright.gov/1201/2008/comments/halderman-reid.pdf"&gt;Samuelson-Glushko Technology Law &amp; Policy Clinic&lt;/a&gt; at the University of Colorado School of Law, and the &lt;a href="http://www.copyright.gov/1201/2008/comments/decherney-peter-university-penn.pdf"&gt;Glushko-Samuelson Intellectual Property Law Clinic&lt;/a&gt; at the Washington College of Law, American University. Clinics have played a similarly strong role in previous years.&lt;br /&gt;&lt;br /&gt;Unfortunately, it does not appear that the copyright office realizes the role that these clinics play (and the students who provide the manpower). As a result, the DMCA exemption hearings were scheduled for May 1 at Stanford, and May 6, 7, and 8 in Washington DC. For those of you not (or no longer) in academia -- this is right before, or during the middle of, final exams for many law students.&lt;br /&gt;&lt;br /&gt;Had the copyright office scheduled the hearings two or three weeks earlier, they would have made the lives of the clinical students much easier. I know from my own experience that it was very difficult to get much in the way of time as I tried to prepare for the hearings from Arjun Mehra (my clinical student) and Phil Malone (who teaches classes in addition to his role running the clinic, and thus had class projects and term papers to grade).&lt;br /&gt;&lt;br /&gt;Likewise, sending out questions during the middle of the summer, when the clinical students are off working internships, is not particularly helpful. 
Luckily, Berkman has a few fantastic students who are interning at our cyberlaw clinic for the summer. As a result, I was able to get the help of another fantastic clinical student, Rachel Gozhansky, who helped in drafting our reply to the Copyright Office's questions.&lt;br /&gt;&lt;br /&gt;I am not sure if the two other clinics were able to gather the student summer labor necessary in order to work on the responses to the copyright office's questions.&lt;br /&gt;&lt;br /&gt;Given the increasingly important role that law school clinics are playing in the DMCA process, I hope that the Copyright Office will consider the realities of the academic calendar for future DMCA exemption rulemakings.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-7614561854957186290?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/7614561854957186290/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=7614561854957186290' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/7614561854957186290'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/7614561854957186290'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/07/thoughts-on-dmca-exemption-process.html' title='Thoughts on the DMCA exemption process'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-2407939820590233004</id><published>2009-07-09T23:50:00.003-04:00</published><updated>2009-07-10T00:31:03.656-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='behavioral advertising'/><category scheme='http://www.blogger.com/atom/ns#' term='safecount'/><category scheme='http://www.blogger.com/atom/ns#' term='taco'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Safecount: Please opt us out of TACO</title><content type='html'>This afternoon, I received an interesting set of emails from Tom Kelly, the Chief Operating Officer at &lt;a href="http://www.safecount.net/"&gt;Safecount&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Hi Christopher -&lt;br /&gt;&lt;br /&gt;A colleague forwarded us a link to your Taco download page where we were surprised to see Safecount listed with the likes of many ad networks.&lt;br /&gt;&lt;br /&gt;While we, and I, find your development efforts to be interesting, and nicely in line with the entrepreneurial spirit of the web, some of the classifications on your page are quite misleading to consumers.&lt;br /&gt;&lt;br /&gt;Safecount is a research company and we occasionally invite certain website visitors randomly to volunteer their opinions.  We don't sell any products, we don't target anyone with advertising based on behavior or attitude, and we only work with publishers who give us permission to perform research on their sites.&lt;br /&gt;&lt;br /&gt;That's the danger of generic 4th party cookie blocking, it ends up blocking web efforts OTHER than ad revenue, behavioral targeting profiteers.  
Maybe you'll consider removing Safecount from your list.&lt;br /&gt;&lt;br /&gt;Respectfully,&lt;br /&gt;&lt;br /&gt;- tom&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;After asking him if I could post his email to my blog, he followed up with this:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;Sure thing, Chris.  My point is that, while Safecount does place cookies on users' browsers based on certain ads they've seen:&lt;br /&gt;&lt;br /&gt;A) we don't use that info to target any marketing or advertising to them - we're not a behavioral targeting group&lt;br /&gt;B) we're 100% transparent in the cookies we do place&lt;br /&gt;&lt;br /&gt;As a matter of fact, one can go to www.safcount.net and view ALL of the info we have for their computer (not personal info).  There they can also delete that data and tell us how often they'd agree to be invited to take a quick survey, including "never".  We're as much about control and transparency as I think you are.&lt;br /&gt;&lt;br /&gt;Thanks, Chris.&lt;br /&gt;&lt;br /&gt;- tom&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;It has been nearly four months since the first version of TACO was released. The &lt;a href="http://www.dubfire.net/opt-out"&gt;latest version&lt;/a&gt; supports 84 different behavioral advertising firms, has been downloaded nearly 250,000 times, and is in &lt;b&gt;daily&lt;/b&gt; use by &lt;a href="https://addons.mozilla.org/en-US/statistics/addon/11073"&gt;nearly 80,000 users&lt;/a&gt;. That means that my tool is responsible for 6.7 million opt-out cookies (actually, it's more, due to the fact that some networks require multiple cookies for different advertising domains). Holy cow!&lt;br /&gt;&lt;br /&gt;In those four months, this is the first time that an advertising industry executive has asked me to remove his company's opt-out cookie from TACO, and so I am honestly not quite sure how to react.&lt;br /&gt;&lt;br /&gt;My initial reaction is to say no, for the following reasons:&lt;br /&gt;&lt;br /&gt;1. 
I have created TACO for fun, as a side project. I don't charge for TACO, and I have a day job (well, actually, several). I really don't have time to evaluate each advertising company one by one to figure out if the company engages in a good or bad activity. If consumers want that level of analysis, they are free to use the "complete" or "selective" opt-out tools provided by &lt;a href="http://www.privacychoice.org/"&gt;PrivacyChoice&lt;/a&gt; -- which is run by a &lt;a href="http://www.linkedin.com/in/jimbrock"&gt;former Yahoo! advertising executive&lt;/a&gt; who has Seen the Light, Loves Privacy And Who You Should Totally Trust (TM).&lt;br /&gt;&lt;br /&gt;2. Picking individual advertising industry companies who should or should not be included in TACO is a slippery slope, which will open me up to criticism, and accusations of abuse of power. TACO currently includes every generic, non-identifiable opt-out http cookie of all the online advertising industry companies that I know about. This is an easy standard to adhere to, and should protect me from accusations of bias. &lt;br /&gt;&lt;br /&gt;3. Safecount, &lt;a href="http://en.wikipedia.org/wiki/WPP_Group"&gt;WPP&lt;/a&gt; (the mega advertising firm which owns it), the Network Advertising Initiative and others are free to make their own competitors to TACO which provide users with more choice, which provide users with less choice, which make it more or less difficult to opt out, or which make you dinner and do your laundry. TACO is open source, so they are even free to fork my code, and save themselves the weekend of coding it will take to create it from scratch.&lt;br /&gt;&lt;br /&gt;4. Safecount is an advertising industry firm, which uses long term cookies to track the browsing and other activities of end-users. The company might not be in the behavioral advertising business, but it is certainly in the collection of consumer data business, which is still creepy.&lt;br /&gt;&lt;br /&gt;5. 
Safecount has provided consumers with the ability to opt-out of its data collection/use, but then objects when tools like TACO actually make it easy for consumers to opt-out. 99% of consumers have never heard of the company, and so wouldn't even know to visit their opt-out page in the first place.&lt;br /&gt;&lt;br /&gt;6. If the company is really "as much about control and transparency" as I am, they could switch from an &lt;b&gt;opt out&lt;/b&gt; model to an &lt;b&gt;opt in&lt;/b&gt; model. Let consumers who value the survey taking experience choose to have data on their browsing across multiple websites collected and analyzed. If the company switched to this model, the opt-out mechanism provided by TACO would be moot.&lt;br /&gt;&lt;br /&gt;7. Likewise, while consumers can "go to www.safcount.net and view ALL of the info we have for their computer (not personal info)," this simply isn't good enough. It is totally unrealistic to expect consumers to visit the websites of 90-100 different advertising firms to "view the data collected on them", evaluate it, consider each company's 20+ page privacy policy, and then evaluate the kind of business and data relationship that they'd like to have with that firm.&lt;br /&gt;&lt;br /&gt;Consumers don't opt-out of telemarketing from individual advertising firms after evaluating each firm's policy on calling during dinner hours -- No. They sign up for a single do-not-call list, and are then free of the annoyance. We need the same for the online advertising industry: a single opt out for all data collection and usage.  
&lt;br /&gt;&lt;br /&gt;After writing this all down, I think I am even more convinced that leaving Safecount in the list of opt-outs provided by TACO is a good idea.&lt;br /&gt;&lt;br /&gt;However, I suppose a reasonable case can be made that the company is not a behavioral advertising firm -- and so I am open to at least changing the language on the TACO page to note that Safecount is merely an advertising firm that collects detailed information on the browsing and web viewing activity of Internet users.&lt;br /&gt;&lt;br /&gt;Blog readers -- do you have any thoughts on this? Please leave a comment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2407939820590233004?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/2407939820590233004/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=2407939820590233004' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2407939820590233004'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2407939820590233004'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/07/safecount-please-opt-us-out-of-taco.html' title='Safecount: Please opt us out of TACO'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-2488185178271822056</id><published>2009-07-09T12:37:00.002-04:00</published><updated>2009-07-09T12:43:38.349-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='berkman'/><category scheme='http://www.blogger.com/atom/ns#' term='DMCA'/><title type='text'>Copyright geeks: please provide feedback</title><content type='html'>Dear Copyright Experts of the Internets,&lt;br /&gt;&lt;br /&gt;Tomorrow (Friday) at 5PM EST, we must submit our reply to the Copyright Office's &lt;a href="http://paranoia.dubfire.net/2009/06/dmca-questions-from-copyright-office.html"&gt;questions&lt;/a&gt; regarding our &lt;a href="http://news.cnet.com/8301-13739_3-10112022-46.html"&gt;request for two exemptions&lt;/a&gt; to the Digital Millennium Copyright Act. &lt;br /&gt;&lt;br /&gt;Over the past week, we have worked feverishly to prepare the following draft, which I now feel is in pretty good shape.&lt;br /&gt;&lt;br /&gt;However, we would love comments and suggestions.&lt;br /&gt;&lt;br /&gt;&lt;a title="View Soghoian Response to DMCA Questions (draft) on Scribd" href="http://www.scribd.com/doc/17232966/Soghoian-Response-to-DMCA-Questions-draft" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;"&gt;Soghoian Response to DMCA Questions (draft)&lt;/a&gt; &lt;object codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" id="doc_144874486220399" name="doc_144874486220399" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" align="middle" height="500" width="100%" rel="media:document" 
resource="http://d.scribd.com/ScribdViewer.swf?document_id=17232966&amp;access_key=key-1v5hc9b8t1pyw61yht5t&amp;page=1&amp;version=1&amp;viewMode=" xmlns:media="http://search.yahoo.com/searchmonkey/media/" xmlns:dc="http://purl.org/dc/terms/" &gt;  &lt;param name="movie" value="http://d.scribd.com/ScribdViewer.swf?document_id=17232966&amp;access_key=key-1v5hc9b8t1pyw61yht5t&amp;page=1&amp;version=1&amp;viewMode="&gt;   &lt;param name="quality" value="high"&gt;   &lt;param name="play" value="true"&gt;  &lt;param name="loop" value="true"&gt;   &lt;param name="scale" value="showall"&gt;  &lt;param name="wmode" value="opaque"&gt;   &lt;param name="devicefont" value="false"&gt;  &lt;param name="bgcolor" value="#ffffff"&gt;   &lt;param name="menu" value="true"&gt;  &lt;param name="allowFullScreen" value="true"&gt;   &lt;param name="allowScriptAccess" value="always"&gt;   &lt;param name="salign" value=""&gt;        &lt;embed src="http://d.scribd.com/ScribdViewer.swf?document_id=17232966&amp;access_key=key-1v5hc9b8t1pyw61yht5t&amp;page=1&amp;version=1&amp;viewMode=" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" play="true" loop="true" scale="showall" wmode="opaque" devicefont="false" bgcolor="#ffffff" name="doc_144874486220399_object" menu="true" allowfullscreen="true" allowscriptaccess="always" salign="" type="application/x-shockwave-flash" align="middle"  height="500" width="100%"&gt;&lt;/embed&gt; &lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2488185178271822056?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/2488185178271822056/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=2488185178271822056' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/16750015/posts/default/2488185178271822056'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2488185178271822056'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/07/copyright-geeks-please-provide-feedback.html' title='Copyright geeks: please provide feedback'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-864784447083658865</id><published>2009-07-07T20:31:00.003-04:00</published><updated>2009-07-07T21:17:06.764-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='deep pocket inspection'/><category scheme='http://www.blogger.com/atom/ns#' term='congress'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Guess the party: Why privacy is different</title><content type='html'>By and large, the US political parties have fairly predictable positions on most issues. The GOP is pro life, pro torture, and pro gun. The Democrats are pro choice, mostly anti-torture, and usually anti-gun.&lt;br /&gt;&lt;br /&gt;However, privacy is one of those rare issues for which the parties don't seem to have official positions. 
As a result, you get extremely interesting statements from various members of Congress.&lt;br /&gt;&lt;br /&gt;Case in point, consider the following three short video clips from the &lt;a href="http://energycommerce.house.gov/index.php?option=com_content&amp;view=article&amp;id=1678:energy-and-commerce-subcommittee-hearing-on-behavioral-advertising-industry-practices-and-consumers-expectations&amp;catid=129:subcommittee-on-commerce-trade-and-consumer-protection&amp;Itemid=70"&gt;June 18th hearing&lt;/a&gt; on behavioral advertising in the House Energy And Commerce Committee. Watch the clips, and see if you can guess the parties of the three House members. I suspect that many of you will be quite surprised.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube-nocookie.com/v/AVeVXv4Sa_s&amp;hl=en&amp;fs=1&amp;rel=0"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube-nocookie.com/v/AVeVXv4Sa_s&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br&gt;&lt;a href="http://www.youtube.com/watch?v=AJ7RTEnf0A4"&gt;Click here for a video&lt;/a&gt; of Rep. 
Stearns' full opening remarks.&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube-nocookie.com/v/L0b08jWuiME&amp;hl=en&amp;fs=1&amp;rel=0"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube-nocookie.com/v/L0b08jWuiME&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br&gt;&lt;a href="http://www.youtube.com/watch?v=AEpdvA4rGpQ"&gt;Click here for a video&lt;/a&gt; of Rep. Boucher's full opening remarks.&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube-nocookie.com/v/fShyYmkcz4w&amp;hl=en&amp;fs=1&amp;rel=0"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube-nocookie.com/v/fShyYmkcz4w&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br&gt;&lt;a href="http://www.youtube.com/watch?v=LsXlRZvCQVI"&gt;Click here for a video&lt;/a&gt; of Rep. 
Barton's full opening remarks.&lt;br /&gt;&lt;br /&gt;(Thanks to &lt;a href="http://cyber.law.harvard.edu/people/djones"&gt;Dan Jones&lt;/a&gt; from the Berkman Center for helping me to turn the House video feed into something YouTube friendly.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-864784447083658865?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/864784447083658865/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=864784447083658865' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/864784447083658865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/864784447083658865'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/07/guess-party-why-privacy-is-different.html' title='Guess the party: Why privacy is different'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-2811813062375907984</id><published>2009-07-06T05:00:00.003-04:00</published><updated>2009-07-07T18:37:29.249-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='T'/><category scheme='http://www.blogger.com/atom/ns#' term='yahoo'/><category scheme='http://www.blogger.com/atom/ns#' term='ATT'/><category scheme='http://www.blogger.com/atom/ns#' term='subpoenas'/><category scheme='http://www.blogger.com/atom/ns#' 
term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='myspace'/><title type='text'>Praise for AT&amp;T's gutsy defense of customer privacy</title><content type='html'>I'm about to do something I never thought I would do: praise AT&amp;T for taking a strong stand on privacy by refusing to disclose a customer's communications records to the government without a subpoena.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Fresh from Wikileaks&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On April 30th, a &lt;a href="http://wikileaks.org/wiki/Email_from_Special_Agent_Mike_Duffey_on_warrantless_searches_of_MySpace%2C_Yahoo_and_ATT%2C_June_2009"&gt;fascinating email&lt;/a&gt; showed up on Wikileaks, purporting to be from a Special Agent in the Florida Computer Crime Center, writing to other law enforcement colleagues to complain about his experience in trying to obtain identifying information on AT&amp;T and Yahoo customers.&lt;br /&gt;&lt;br /&gt;There is no way to verify the authenticity of the email message. However, a quick Google search reveals that Mike Duffey &lt;a href="http://www.fdle.state.fl.us/Content/News/March-2009/Commissioner-Bailey-Recognizes-Florida-Computer-Cr.aspx"&gt;does indeed work&lt;/a&gt; for the &lt;a href="http://www.fdle.state.fl.us/content/getdoc/f3b576fc-83c8-45ac-bfe3-72f5c39900d7/Home.aspx"&gt;Florida Computer Crime Center&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;While the email is worth reading in full, I'll summarize it here.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Warning: the details of this case are not very nice -- if you don't think terrorists, drug dealers and pedophiles deserve the benefit of due process and 4th amendment rights, you may want to stop reading now -- or you'll just get angry and/or upset.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On June 24, Special Agent Mike Duffey and his team were investigating a tip-off regarding a gentleman who had reportedly bragged about molesting his six-year-old daughter in a Yahoo chat room and via Yahoo instant 
messenger.&lt;br /&gt;&lt;br /&gt;Duffey's colleagues were able to find a MySpace page which listed the same Yahoo account in its contact information, and soon began to try to locate identifying information on several suspects.&lt;br /&gt;&lt;br /&gt;First, Duffey's team contacted MySpace, claimed &lt;a href="http://en.wikipedia.org/wiki/Exigent"&gt;exigent circumstances&lt;/a&gt;, and were able to obtain the suspects' subscriber information and 30 days' worth of historical IP address information, revealing the Internet addresses the suspects had used to access their MySpace accounts. MySpace responded to Duffey's request within 20 minutes, and within 45 minutes had provided the agents with all the information they had requested, &lt;b&gt;all without requiring a subpoena or any other form of court order.&lt;/b&gt; The police simply claimed that this was a case of life or death, and MySpace handed over the information, no questions asked.&lt;br /&gt;&lt;br /&gt;Second, Duffey's team contacted Yahoo to learn which IP addresses were used during the alleged chat room confession. Yahoo took three hours to respond to Duffey's request, at which point the company rejected the "exigent circumstances" argument. In a follow-up conversation with Yahoo employees, Duffey was told that the company would be unable to provide any IP address information until 48 hours after the connections occurred. A further seven hours later, Yahoo provided 48-hour-old IP address information, which, like the MySpace logs, pointed to an AT&amp;T customer as the source.&lt;br /&gt;&lt;br /&gt;Third, Duffey's team contacted AT&amp;T, which, like Yahoo, refused his attempt to claim exigent circumstances. 
AT&amp;T told him that they would not provide any information without a subpoena, which in Florida must be issued by a court clerk.&lt;br /&gt;&lt;br /&gt;Seven hours after initially contacting AT&amp;T, Duffey obtained a subpoena, after which AT&amp;T immediately provided him with the name and address of the customer whose IP address had shown up in the most recent MySpace logs.&lt;br /&gt;&lt;br /&gt;Two hours later, the suspect was arrested at his home, and quickly confessed.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Analyzing the law&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act"&gt;The Electronic Communications Privacy Act&lt;/a&gt; strictly regulates service providers' sharing of customer information with the government.&lt;br /&gt;&lt;br /&gt;As Susan Brenner &lt;a href="http://cyb3rcrim3.blogspot.com/2009/06/exigent-circumstances-letters.html"&gt;has described in greater depth&lt;/a&gt;:&lt;blockquote&gt; 18 U.S. Code § 2703(c) says that a government entity can “require a provider of electronic communication service . . . to disclose a record or other information pertaining to a . . . customer . . . (not including the contents of communications) only when the government” does one of the following: gets a search warrant; uses a subpoena or court order; or “has the consent of the . . . customer to such disclosure”...&lt;br /&gt;&lt;br /&gt;18 U.S. Code § 2702(b)(8) says an ISP service provider can give information “to a governmental entity, if the provider . . . 
believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency”.&lt;br /&gt;&lt;br /&gt;The difference between § 2703 and § 2702 is that § 2703 deals with law enforcement’s ability to compel an ISP to provide subscriber information, while § 2702 sets out the conditions under which an ISP can voluntarily share such information.&lt;/blockquote&gt;&lt;br /&gt;So essentially, by claiming exigent circumstances, Special Agent Mike Duffey gave MySpace, Yahoo and AT&amp;T the legal protection to voluntarily disclose their customers' information to the police.&lt;br /&gt;&lt;br /&gt;MySpace jumped at the opportunity to share this data, Yahoo spun its wheels before eventually coughing up some data, while AT&amp;T ultimately refused, as it was legally permitted to do. That is, while a claim of exigent circumstances permits an ISP to voluntarily share data on its customers, § 2703 still prohibits the government from compelling the production of customer records without a subpoena or court order. Until the government produces one, the ISP can always lawfully say no.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Exigent Circumstances&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Why should AT&amp;T refuse to provide critical information to police in what is clearly a life-and-death situation involving a small child and a pedophile?&lt;br /&gt;&lt;br /&gt;Well, it turns out that law enforcement doesn't have the best track record when it comes to its use of exigent circumstances. As the EFF's Kurt Opsahl &lt;a href="http://www.eff.org/deeplinks/archives/005433.php#005433"&gt;described back in 2007&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;We already knew that the FBI’s use of “exigent circumstances” letters was illegal. 
DOJ’s Inspector General Fine already condemned them in a well-publicized IG report that outlined how hundreds of requests were made where there was no immediate danger of death or serious physical injury and, in any event, “the letters did not recite the factual predication necessary to invoke [the emergency] authority.”&lt;/blockquote&gt;Now, I am sure that in this case the Florida police were telling the truth. However, in the past, both local police and federal law enforcement officers have been repeatedly caught fudging the truth in order to invoke these so-called exigent circumstances. Furthermore, there is a fairly large body of case law in which police put people's lives at risk in order to &lt;a href="http://www3.fdle.state.fl.us/OGC/Case_Updates/cu9701_1-10.html"&gt;&lt;b&gt;create&lt;/b&gt; exigent circumstances&lt;/a&gt; -- in such cases, the courts have rightfully thrown out the searches. &lt;br /&gt;&lt;br /&gt;AT&amp;T is likely going to take a lot of heat for refusing the exigent request if and when it hits the news. Who knows, perhaps that is the reason this email was leaked in the first place.&lt;br /&gt;&lt;br /&gt;It is thus important that members of the privacy community rally around AT&amp;T and support the company for its legally justified insistence upon a subpoena in this case, no matter how much we all continue to detest AT&amp;T's completely illegal participation in the NSA warrantless wiretapping program.&lt;br /&gt;&lt;br /&gt;Perhaps subpoenas take an excessive amount of time to get. Certainly, it took the officers in this case more than seven hours to obtain theirs. I am sure there would be no objection to speeding up this process -- perhaps by allowing police officers to submit their requests to the clerk of the court via a special website, for example? 
There is no reason why inefficiencies and wasted time in the subpoena process cannot be eliminated -- rather than permitting police to simply ignore the process altogether and claim exigent circumstances.&lt;br /&gt;&lt;br /&gt;In this case, the police waited more than three hours for Yahoo to respond to their initial request -- which, if the system worked, should have been more than enough time to obtain a subpoena.&lt;br /&gt; &lt;br /&gt;&lt;b&gt;Shining the light on a shadowy practice&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Those of you who might be shocked by MySpace's total willingness to disclose customer records without a court order should not be -- it is quite possibly the norm in the industry.&lt;br /&gt;&lt;br /&gt;While it is not known to the general public, practically every Internet company gets requests, daily, from law enforcement agents wishing to dig up information on that company's customers. In order to deal with these requests, these firms all have "legal compliance" departments, some of which are open 24 hours a day, 7 days per week. A full list of these can be &lt;a href="http://www.search.org/programs/hightech/isp/"&gt;found here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Of course, these firms don't like to discuss the fact that they routinely disclose their customers' private information to law enforcement. See, for example:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"We &lt;a href="http://news.cnet.com/8301-13578_3-9962106-38.html"&gt;do not comment&lt;/a&gt; on specific requests from the government. &lt;b&gt;Microsoft&lt;/b&gt; is committed to protecting the privacy of our customers and complies with all applicable privacy laws. 
In particular, the Electronic Communications Privacy Act ("ECPA") protects customer records and the communications of customers of online services."&lt;br /&gt;&lt;br /&gt;“Given the sensitive nature of this area and the potential negative impact on the investigative capabilities of public safety agencies, &lt;b&gt;Yahoo&lt;/b&gt; &lt;a href="http://news.cnet.com/8301-13578_3-9962106-38.html"&gt;does not discuss&lt;/a&gt; the details of law enforcement compliance. Yahoo responds to law enforcement in compliance with all applicable laws.”&lt;br /&gt;&lt;br /&gt;Q: How many subpoenas for server log data does Google receive each year? &lt;br /&gt;A: As a matter of policy, &lt;a href="http://www.seroundtable.com/google_log_retention_policy_faq.pdf"&gt;we don’t provide specifics&lt;/a&gt; on law enforcement requests to &lt;b&gt;Google&lt;/b&gt;.&lt;/blockquote&gt;&lt;br /&gt;Facebook is the only company to even discuss the topic and provide ballpark numbers, &lt;a href="http://www.newsweek.com/id/195621"&gt;telling Newsweek&lt;/a&gt; just a few weeks ago that the company receives between 10 and 20 requests from police every day. That is, somewhere between 3,650 and 7,300 requests per year.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Wolves watching the sheep&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Who is responsible for judging the requests for customer information from law enforcement, in order to determine if they are appropriate, lawful and do not request excessive information?&lt;br /&gt;&lt;br /&gt;In many cases, it is former law enforcement agents and prosecutors.&lt;br /&gt;&lt;br /&gt;The Chief Security Officer at MySpace, &lt;a href="http://www.linkedin.com/pub/hemanshu-nigam/1/24a/610"&gt;Hemanshu Nigam&lt;/a&gt;, is a former deputy district attorney from Los Angeles County, where he specialized in child exploitation and rape prosecutions.&lt;br /&gt;&lt;br /&gt;Who is Google's new Senior Counsel in charge of Law Enforcement and Information Security? 
&lt;a href="http://www.linkedin.com/in/rsalgado"&gt;Richard Salgado&lt;/a&gt;, a former Senior Counsel in the Computer Crime and Intellectual Property Section of the United States Department of Justice.&lt;br /&gt;&lt;br /&gt;What about Google's Privacy Counsel? That would be &lt;a href="http://www.wired.com/threatlevel/2007/11/google-hires-go/"&gt;Jane Horvath&lt;/a&gt;, formerly the Chief Privacy Officer at the US Department of Justice under Alberto Gonzales,&lt;br /&gt;&lt;br /&gt;What about Microsoft? The company's Senior Director for Global Criminal Compliance, Online Services Security &amp; Compliance is &lt;a href="http://www.linkedin.com/pub/susan-koeppen/5/1ba/161"&gt;Susan Koeppen&lt;/a&gt; and like Google's Salgado, she was formerly a Senior Attorney at Computer Crime and Intellectual Property Section of the United States Department of Justice.&lt;br /&gt;&lt;br /&gt;This is not to say that these companies do not follow the law -- I am sure they follow it to the letter. Merely that when the police and FBI call up these companies to request customer information, the person on the other end of the phone is often very sympathetic to their point of view -- because often, they are former colleagues.&lt;br /&gt;&lt;br /&gt;While there are certainly former staffers from the Electronic Frontier Foundation and other public interest groups working for Google and some of the other firms, you can bet your bottom dollar they are not let anywhere near sensitive issues like subpoenas, search warrants and national security letters where the companies might not be as pro-privacy as it they like people to believe.&lt;br /&gt;&lt;br /&gt;Facebook is perhaps the only company to break from this norm -- by hiring a "&lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/06/18/AR2009061804043.html"&gt;privacy hawk"&lt;/a&gt; and former ACLU lawyer to be the company's point man on privacy issues.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A need for 
transparency&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;While it is clear that all Internet companies receive requests, what is unclear is the way they respond to them -- that is, do Google and Microsoft voluntarily disclose data whenever law enforcement officers claim exigent circumstances, or do they, like AT&amp;T, push back and demand a subpoena?&lt;br /&gt;&lt;br /&gt;The policy approach taken to these situations likely depends upon the people receiving and responding to the requests, and as I described above, they are often former colleagues of the agents who are attempting to circumvent the requirement for a subpoena in the first place.&lt;br /&gt;&lt;br /&gt;What we need, desperately, is transparency. All Internet companies should follow Facebook's lead, and provide at least aggregate numbers for the requests that they receive every year from law enforcement agents.&lt;br /&gt;&lt;br /&gt;Furthermore, they should disclose how many of those requests they fulfil without first requiring a subpoena or court order, voluntarily disclosing the information on the strength of an exigent circumstances letter instead.&lt;br /&gt;&lt;br /&gt;We need transparency, and we need it now.&lt;br /&gt;&lt;br /&gt;(H/T to Pogowasright for &lt;a href="http://www.pogowasright.org/?p=1086"&gt;first spotting&lt;/a&gt; the letter on Wikileaks.)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Disclosure: I haven't discussed this case with anyone from AT&amp;T nor have I ever received any funds from the company.&lt;/b&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2811813062375907984?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/2811813062375907984/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=2811813062375907984' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2811813062375907984'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2811813062375907984'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/07/praise-for-at-gutsy-defense-of-customer.html' title='Praise for AT&amp;T&apos;s gutsy defense of customer privacy'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-2560102098641408515</id><published>2009-06-24T15:57:00.004-04:00</published><updated>2009-06-24T16:22:12.841-04:00</updated><title type='text'>DMCA Questions from the Copyright Office</title><content type='html'>&lt;b&gt;Are you a copyright geek (preferably a lawyer) and interested in helping me (pro bono) with my reply to the Copyright Office? I can do the writing myself; I just need help with strategy/legal questions. If so, please &lt;a href="http://www.dubfire.net"&gt;get in touch&lt;/a&gt;.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As many of my regular readers know, late last year, I (and the fantastic Berkman cyberlaw clinic) submitted a request for an exemption to the Digital Millennium Copyright Act. One month ago, I testified in person to argue in support of my request.&lt;br /&gt;&lt;br /&gt;We originally requested two exemptions. 
The Copyright Office has now sent us some follow-up questions with regard to the second exemption.&lt;br /&gt;&lt;br /&gt;The second exemption text was for:&lt;br /&gt;&lt;blockquote&gt;Lawfully purchased sound recordings, audiovisual works, and software programs distributed commercially in digital format by online music and media stores and protected by technological measures that depend on the continued availability of authenticating servers, prior to the failure of the authenticating servers for technologists and researchers studying and documenting how the authenticating servers that effectuate the technological measures function.&lt;/blockquote&gt;&lt;br /&gt;The Copyright Office has asked us:&lt;br /&gt;&lt;blockquote&gt;Please provide your reaction to the following limitation:  "...when the information obtained by the technologists and researchers is used only to provide access to works protected by the technological measures that depend on the continued availability of an authenticating server when [1] access is provided only to persons to whom access had been provided by the authentication server prior to its failure, [2] the authentication server has permanently ceased functioning, and [3] the provider of the service has neither made alternative means of access to the works available nor provided a refund for the loss of access to the purchased copies of the works.&lt;br /&gt;&lt;br /&gt;Would it be appropriate to limit the persons who would be eligible to invoke the exemption? Why? If you believe it would be appropriate to limit the persons eligible for the exemption, what criteria could be used?&lt;br /&gt;&lt;br /&gt;Are there any other appropriate ways to properly tailor the scope of the exemption?&lt;/blockquote&gt;&lt;br /&gt;I still haven't had much time to think about this in depth. 
Our reply is due on July 10th.&lt;br /&gt;&lt;br /&gt;My plan is to try and come up with a rough draft in the next week or so, and then put it online in a wiki for people from the Internet to comment on and edit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2560102098641408515?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/2560102098641408515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=2560102098641408515' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2560102098641408515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2560102098641408515'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/06/dmca-questions-from-copyright-office.html' title='DMCA Questions from the Copyright Office'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-3658057549078620607</id><published>2009-06-23T16:11:00.003-04:00</published><updated>2009-06-23T16:14:27.059-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FOIA'/><title type='text'>FOIA: Following the money trail</title><content type='html'>Sent by fax today to the Computer Crime &amp; Intellectual Property Section (CCIPS) at the Department of Justice: &lt;br /&gt;&lt;br /&gt;This letter constitutes a request under the Freedom of Information 
Act (“FOIA”), 5 U.S.C. §552. I am seeking records, invoices and any other information detailing the amount of money paid by the Department of Justice to major providers of Internet-based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap &amp; trace requests and national security letters.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;At the recent Computers, Freedom and Privacy Conference in Washington DC, Alan Davidson, Google’s Director of Government Relations and Public Policy, revealed to the audience that Google routinely charges the government for the time and resources spent responding to requests by the Government for Google customers’ data.&lt;br /&gt;&lt;br /&gt;This practice is permitted by various statutes. For example, 18 U.S.C. § 2518(4) states that:&lt;br /&gt;&lt;blockquote&gt;Any provider of wire or electronic communication service, landlord, custodian or other person furnishing such facilities or technical assistance &lt;b&gt;shall be compensated therefor by the applicant for reasonable expenses&lt;/b&gt; incurred in providing such facilities or assistance.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Likewise, the Protect America Act of 2007 amended the Foreign Intelligence Surveillance Act to state:&lt;br /&gt;&lt;blockquote&gt;The Director of National Intelligence and Attorney General may direct a person to …. 
immediately provide the Government with all information, facilities, and assistance necessary to accomplish the acquisition  … The Government &lt;b&gt;shall compensate, at the prevailing rate, a person for providing information, facilities, or assistance&lt;/b&gt; pursuant to subsection (e).&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;While Google is one of the first Internet based service providers to admit to this practice, it is likely that the practice is widespread.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;My request&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I request all records, invoices, memos and any other information detailing the amount of money paid by the Department of Justice to major providers of Internet based services to compensate them for the time and resources used in responding to subpoenas, warrants, pen registers, trap &amp; trace requests and national security letters.&lt;br /&gt;&lt;br /&gt;At the very least, this request shall include documents relating to Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&amp;T, Verizon, Comcast, Sprint and T-Mobile.&lt;br /&gt;&lt;br /&gt;The scope for this request shall include all documents created between January 01, 2006 and January 01, 2009.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-3658057549078620607?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/3658057549078620607/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=3658057549078620607' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3658057549078620607'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3658057549078620607'/><link rel='alternate' 
type='text/html' href='http://paranoia.dubfire.net/2009/06/foia-following-money-trail.html' title='FOIA: Following the money trail'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-9068853527132050783</id><published>2009-06-22T12:00:00.001-04:00</published><updated>2009-06-22T14:03:07.362-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='gogo wireless'/><category scheme='http://www.blogger.com/atom/ns#' term='net neutrality'/><title type='text'>Do we need net neutrality at 35,000ft?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Jo3bGS8EYL8/SidByRy3vVI/AAAAAAAAAiI/AZp2oDtiALk/s1600-h/gogo-cropped.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 196px;" src="http://2.bp.blogspot.com/_Jo3bGS8EYL8/SidByRy3vVI/AAAAAAAAAiI/AZp2oDtiALk/s400/gogo-cropped.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5343311814924418386" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;b&gt;Just here for the step-by-step instructions? &lt;a href="#steps"&gt;Click here&lt;/a&gt; to skip the explanation&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.gogoinflight.com/"&gt;Gogo Inflight Internet Wireless&lt;/a&gt; is the sole provider of in-flight Wi-Fi in the United States -- and is already installed aboard planes in the domestic fleets of Delta, American and Virgin America.&lt;br /&gt;&lt;br /&gt;While their service is awesome -- their pricing plans currently involve some fairly horribly discriminatory pricing. 
"Mobile" devices including iPhones, Nokia handsets and various Windows Mobile devices pay &lt;a href="http://www.gogoinflight.com/jahia/Jahia/site/gogo/gogoPrice"&gt;$7.95 for flights of any length&lt;/a&gt;, whereas laptops pay $9.95 or $12.95 depending on the length of the flight.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nytimes.com/2008/06/15/technology/15cable.html"&gt;Metered pricing&lt;/a&gt; is currently a hot topic in telecom circles, primarily because the carriers want to be able to &lt;strike&gt;gouge&lt;/strike&gt; extract as much of a profit out of their customers as possible. &lt;br /&gt;&lt;br /&gt;Gogo does not implement metered pricing. iPhones and laptops are provided with the same amount of bandwidth, and as far as I can tell, neither receives priority over the other. There are no bandwidth caps, nor any additional charges for using too much data during a single flight. Gogo simply wants to be able to charge its customers more money for watching a YouTube video on a laptop screen than on an iPhone -- even though that laptop does not put any more of a burden on Gogo's network than the iPhone.&lt;br /&gt;&lt;br /&gt;This is unfair, unreasonable, and frankly, something that the FCC should look into and prohibit.&lt;br /&gt;&lt;br /&gt;Luckily, Gogo has no verifiable way to identify the kind of device a customer is using, and so it has opted to rely on the self-reported &lt;a href="http://en.wikipedia.org/wiki/User_agent"&gt;User Agent&lt;/a&gt; string transmitted by the device's web browser. A header the client chooses for itself is not evidence of anything about the client.&lt;br /&gt;&lt;br /&gt;This string is entirely under the user's control (at least for the slightly tech savvy), and by changing it, it is possible to connect a laptop to the Gogo Inflight Internet Wireless system for the cheaper $7.95 price normally restricted to mobile devices.&lt;br /&gt;&lt;br /&gt;Best of all, if combined with a discount coupon (easily found online), this price can be reduced 
further, to a quite reasonable $3.95 for a 5+ hour flight.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;&lt;a name="steps"&gt;Enabling fair, non-discriminatory pricing for Gogo Inflight Internet Wireless&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Gogo's &lt;a href="http://www.gogoinflight.com/jahia/Jahia/site/gogo/terms"&gt;acceptable use policy&lt;/a&gt; requires that consumers not use the service in order to "engage in any fraud or misrepresentation." As a result, the following information is provided for purely educational purposes as an act of communications policy related activism. Do not follow these steps without first consulting with a lawyer. &lt;br /&gt;&lt;br /&gt;Step 1. Download and install the &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/59"&gt;User Agent Switcher&lt;/a&gt; Firefox add-on (this needs to be done before your flight).&lt;br /&gt;&lt;br /&gt;Step 2. Restart Firefox.&lt;br /&gt;&lt;br /&gt;Step 3. Select the Tools -&gt; User Agent Switcher -&gt; Options -&gt; Options menu.&lt;br /&gt;&lt;br /&gt;Step 4. Select the User Agents tab, and then click on the "Add" button to create a new user agent.&lt;br /&gt;&lt;br /&gt;Step 5. In the "Description" field, type in "iPhone".&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Jo3bGS8EYL8/Sic8p-9J7MI/AAAAAAAAAh4/6A459iah8tQ/s1600-h/user-agent-cropped.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 238px;" src="http://2.bp.blogspot.com/_Jo3bGS8EYL8/Sic8p-9J7MI/AAAAAAAAAh4/6A459iah8tQ/s400/user-agent-cropped.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5343306174870187202" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Step 6. Now that you have added the new user agent, you have to tell the browser to start using it. 
Do so by going to Tools -&gt; User Agent Switcher, and then select the new iPhone option.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Jo3bGS8EYL8/SidE1ZqupwI/AAAAAAAAAiQ/EzsADI38Yd0/s1600-h/user-agent.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 109px;" src="http://1.bp.blogspot.com/_Jo3bGS8EYL8/SidE1ZqupwI/AAAAAAAAAiQ/EzsADI38Yd0/s400/user-agent.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5343315167112242946" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Step 7. Once you are on board a Gogo-enabled flight, wait until the plane is above 10,000 ft, and connect to the open gogoinflight wireless access point.&lt;br /&gt;&lt;br /&gt;Step 8. Type in any website address. You will be redirected to the Gogo portal, and will be prompted to pay for wireless access.&lt;br /&gt;&lt;br /&gt;Step 9. You should see a $7.95 option for mobile Internet access for your flight. &lt;br /&gt;&lt;br /&gt;Should you wish to save a few more bucks, Gogo seems to regularly &lt;a href="http://www.flyertalk.com/forum/american-aadvantage/932576-gogo-inflight-internet-discounts-2.html"&gt;offer discount codes&lt;/a&gt;, further bringing the price down.&lt;br /&gt;&lt;br /&gt;Step 10. 
After you have paid for the service, and are connected to the Internet, you can switch the user-agent string back to the default Firefox setting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-9068853527132050783?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/9068853527132050783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=9068853527132050783' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/9068853527132050783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/9068853527132050783'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/06/do-we-need-net-neutrality-at-35000ft.html' title='Do we need net neutrality at 35,000ft?'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_Jo3bGS8EYL8/SidByRy3vVI/AAAAAAAAAiI/AZp2oDtiALk/s72-c/gogo-cropped.png' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-5886462640949979709</id><published>2009-06-16T10:00:00.000-04:00</published><updated>2009-06-16T10:00:15.475-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ssl'/><category scheme='http://www.blogger.com/atom/ns#' term='cloud computing'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><category 
scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>An open letter to Google</title><content type='html'>&lt;p&gt;This &lt;a href="http://files.cloudprivacy.net/google-letter-final.pdf"&gt;six page letter&lt;/a&gt; (pdf) to Google's CEO, Eric Schmidt, is signed by &lt;a href="http://www.cloudprivacy.net/letter/#signers"&gt;38 researchers and academics&lt;/a&gt; in the fields of computer science, information security and privacy law. Together, they ask Google to honor the important privacy promises it has made to its customers and protect users' communications from theft and snooping by enabling industry-standard transport encryption technology (HTTPS) for Google Mail, Docs, and Calendar. &lt;/p&gt;  &lt;p&gt;Google already uses industry-standard &lt;a href="http://en.wikipedia.org/wiki/Https"&gt;Hypertext Transfer Protocol Secure&lt;/a&gt; (HTTPS) encryption technology to protect customers' login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are &lt;a href="http://fscked.org/projects/cookiemonster"&gt;widely available&lt;/a&gt; on the Internet. &lt;/p&gt;  &lt;p&gt;Google supports HTTPS encryption for the entire Gmail, Docs or Calendar session. However, this is disabled by default, and the &lt;a href="http://gmailblog.blogspot.com/2008/07/making-security-easier.html"&gt;configuration option&lt;/a&gt; controlling this security mechanism is not easy to discover. Few users know the risks they face when logging into Google's Web applications from an unsecured network, and Google's existing efforts are little help. 
&lt;/p&gt;  &lt;p&gt;Support for HTTPS is built into every Web browser and is widely used in the finance and health industries to protect consumers' sensitive information. Google even uses HTTPS encryption, enabled by default, to protect customers using Google Voice, Health, AdSense and Adwords. Google should now extend this degree of protection to users of Gmail, Docs and Calendar. &lt;/p&gt;  &lt;p&gt;Rather than forcing its customers to "opt-in" to adequate security, Google should make security and privacy the default. &lt;/p&gt;  &lt;hr /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cloudprivacy.net/letter"&gt;View the full letter at cloudprivacy.net&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5886462640949979709?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/5886462640949979709/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=5886462640949979709' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5886462640949979709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5886462640949979709'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/06/open-letter-to-google.html' title='An open letter to Google'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-3116657378170183706</id><published>2009-06-10T12:35:00.000-04:00</published><updated>2009-06-10T14:47:59.365-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DoJ'/><category scheme='http://www.blogger.com/atom/ns#' term='transparency'/><title type='text'>A shot across the bow</title><content type='html'>At Computers, Freedom and Privacy last week, Google's DC policy guru Alan Davidson revealed that the company has between 1-20 employees working full time to respond to requests for private customer information from law enforcement. He also revealed that Google asks for financial compensation from the Government for the time required to satisfy these requests -- he noted that this practice is permitted by law.&lt;br /&gt;&lt;br /&gt;Google is not alone in this. All major Internet companies receive thousands of requests per year, and as a "matter of policy", they all refuse to discuss this, or to give the public even a rough idea of how many requests they get.&lt;br /&gt;&lt;br /&gt;A recent Newsweek article &lt;a href="http://www.newsweek.com/id/195621"&gt;comes the closest&lt;/a&gt;, revealing that Facebook gets between 10-20 requests per day from law enforcement agencies.&lt;br /&gt;&lt;br /&gt;This silence needs to end. We need transparency, sunshine, and some accountability. If users realized how often their data is disclosed to police, and how often it occurs without a warrant or any judicial oversight, many would be shocked.&lt;br /&gt;&lt;br /&gt;So -- if you work in the privacy, legal or policy department of a major Internet provider (as I know a few of my readers do), consider this your warning.&lt;br /&gt;&lt;br /&gt;You either need to come clean voluntarily, or the information will be forced out. 
Your customers have a right to know.&lt;br /&gt;&lt;br /&gt;My first avenue of attack will be via a number of FOIA requests (see below) -- if that fails, I'll have to ramp things up a bit. The current level of secrecy is simply not acceptable. &lt;br /&gt;&lt;br /&gt;&lt;hr&gt;&lt;br /&gt;(Sent to Criminal Division, Department of Justice)&lt;br /&gt;&lt;br /&gt;Dear FOIA Officer:&lt;br /&gt;&lt;br /&gt;This letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning guidance, reference manuals and sample requests provided to law enforcement agencies by major internet companies, search engines, web mail providers, and social networks.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;A recent Newsweek article (http://www.newsweek.com/id/195621) revealed that:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"NEWSWEEK reviewed both Facebook and MySpace documents that let law-enforcement agencies know what information they track and how to obtain it; MySpace's guide is more robust, offering agencies templates with language geared specifically to be admissible in court. Both sites disclose that they cooperate with police in the terms that users agree to when they sign up."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Practically all Internet related businesses have a legal compliance department. Some, like MySpace, are open 24 hours per day, 7 days a week. A list containing contact information for over 100 of these offices can be found here: http://www.search.org/programs/hightech/isp/&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The same Newsweek article also revealed that:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"[Facebook] says it tends to cooperate fully and, for the most part, users aren't aware of the 10 to 20 police requests the site gets each day."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It is likely that other major Internet companies receive a similar number of requests. 
As a result, it is not surprising that the companies have created guides and sample requests for law enforcement agencies, in order to help to streamline requests, and reduce the amount of manpower required to handle each subpoena.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;My request&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I request any records, including memoranda, handbooks, emails, policies and procedures provided to the Department of Justice by Internet service providers, phone and cable providers, search engines, instant messaging companies, and social networking sites. Such documents likely contain guidance and frequently answered questions related to requests for subscriber information, and may also contain sample subpoenas and search warrant applications.&lt;br /&gt;&lt;br /&gt;At the very least, this request shall include documents provided by or relating to Apple, Google, Microsoft, Yahoo, Facebook, MySpace, America Online, AT&amp;T, Verizon, Comcast, Sprint and T-Mobile. &lt;br /&gt;&lt;br /&gt;The scope for this request shall include all documents created between January 01, 2005 and May 10, 2009. 
It is likely that the Computer Crime &amp; Intellectual Property Section (CCIPS) within the DOJ Criminal Division will have the most relevant documents.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-3116657378170183706?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/3116657378170183706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=3116657378170183706' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3116657378170183706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3116657378170183706'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/06/shot-across-bow.html' title='A shot across the bow'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-5242041714031029880</id><published>2009-05-11T12:18:00.004-04:00</published><updated>2009-05-11T12:24:14.676-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='surveillance'/><category scheme='http://www.blogger.com/atom/ns#' term='hotwatch'/><category scheme='http://www.blogger.com/atom/ns#' term='FOIA'/><category scheme='http://www.blogger.com/atom/ns#' term='FBI'/><title type='text'>My latest FOIA: DOJ's use of "hotwatch" orders for credit card transaction data</title><content type='html'>(sent by fax this morning)&lt;br /&gt;&lt;br /&gt;This 
letter constitutes a request under the Freedom of Information Act (“FOIA”), 5 U.S.C. §552. I am seeking records concerning the use of “hotwatch” orders directing credit card issuers to disclose prospective credit card transaction information.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;On October 11, 2005, the US Attorney from the Eastern District of New York submitted a court filing in the case of In re Application For Pen Register and Trap and Trace Device With Cell Site Location Authority (Magistrate's Docket No. 05-1093), which related to the use of pen register requests for mobile phone location records.&lt;br /&gt;&lt;br /&gt;In that case, the US Attorney’s office relied on authority they believed was contained in the All Writs Act to justify their request for customer location information.&lt;br /&gt;&lt;br /&gt;In support of its claim, the office &lt;a href="http://www.eff.org/files/filenode/USA_v_PenRegister/celltracking_govt_reply.pdf"&gt;revealed that&lt;/a&gt;:&lt;blockquote&gt;Currently, the government routinely applies for and upon a showing of relevance to an ongoing investigation receives “hotwatch” orders issued pursuant to the All Writs Act. Such orders direct a credit card issuer to disclose to law enforcement each subsequent credit card transaction effected by a subject of investigation immediately after the issuer records that transaction.&lt;/blockquote&gt;&lt;br /&gt;A Google search reveals no other mentions of “hotwatch” orders other than the government’s filing in this case. Likewise, a search of Federal and State cases via Lexis Nexis reveals no other information.&lt;br /&gt;&lt;br /&gt;I request any records, including memoranda, policies, procedures, legal opinions and statistics concerning the use of “hotwatch” orders or other requests for prospective credit card transaction information. 
The scope for this request shall include all documents created between January 01, 2000 and May 10, 2009.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5242041714031029880?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/5242041714031029880/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=5242041714031029880' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5242041714031029880'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5242041714031029880'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/05/my-latest-foia-dojs-use-of-hotwatch.html' title='My latest FOIA: DOJ&apos;s use of &quot;hotwatch&quot; orders for credit card transaction data'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-1025334219487356160</id><published>2009-05-10T17:15:00.004-04:00</published><updated>2009-05-11T10:25:11.158-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FBI'/><category scheme='http://www.blogger.com/atom/ns#' term='intercepts'/><category scheme='http://www.blogger.com/atom/ns#' term='wiretaps'/><title type='text'>FBI budget request raises questions</title><content type='html'>From &lt;a href="http://www.abcnews.go.com/TheLaw/story?id=7532199&amp;page=1"&gt;ABC 
News&lt;/a&gt;:&lt;blockquote&gt;The budget request shows that the FBI is currently developing a new &lt;b&gt;"Advanced Electronic Surveillance" program which is being funded at $233.9 million for 2010&lt;/b&gt;. The program has 133 employees, 15 of whom are agents.&lt;br /&gt;&lt;br /&gt;According to the budget documents released Thursday, the program, otherwise known as &lt;b&gt;"Going Dark," supports the FBI's electronic surveillance intelligence collection and evidence gathering capabilities&lt;/b&gt;, as well as those of the greater Intelligence Community. &lt;br /&gt;&lt;br /&gt;"The term 'Going Dark' does not refer to a specific capability, but is a &lt;b&gt;program name for the part of the FBI, Operational Technology Division's (OTD) lawful interception program&lt;/b&gt; which is shared with other law enforcement agencies," an FBI spokesman said.&lt;br /&gt;&lt;br /&gt;... the program is designed to help the agency deal with changing technology and ways to intercept phone calls such as those used by VOIP (Voice Over Internet Protocol) phones or technology &lt;b&gt;such as Skype&lt;/b&gt;.&lt;/blockquote&gt;&lt;br /&gt;That is rather interesting, considering that in 2008, there were &lt;a href="http://www.uscourts.gov/wiretap08/Table6.pdf"&gt;only 10 electronic communications intercept court orders&lt;/a&gt; requested nationwide (by both Federal and State law enforcement). As for Skype and other encrypted communications -- again in 2008, only two instances of encryption were encountered, and neither posed a barrier to investigators, who were still able to obtain the information they wanted.&lt;br /&gt;&lt;br /&gt;So. Either we're paying 23 million in development/staff costs per intercept (assuming the number has stayed the same since 2008), electronic intercepts have jumped in number by an order of magnitude, or.... 
the FBI and other agencies are engaging in electronic surveillance in a way that evades the traditional reporting requirements for wiretap and intercept orders. I wonder &lt;a href="http://epic.org/privacy/wiretap/ltr_pen_trap_leahy_final.pdf"&gt;which it is&lt;/a&gt;?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-1025334219487356160?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/1025334219487356160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=1025334219487356160' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/1025334219487356160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/1025334219487356160'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/05/fbi-budget-request-raises-questions.html' title='FBI budget request raises questions'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-2934943474239814504</id><published>2009-05-10T17:00:00.004-04:00</published><updated>2009-05-10T17:09:17.059-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='disclosure'/><category scheme='http://www.blogger.com/atom/ns#' term='yahoo'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Kudos to Yahoo</title><content type='html'>I've been in Europe for a couple 
days now. I've logged into my Gmail account every day, and not seen any form of notice. However, I saw this today when logging into my Yahoo! junk mail account.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Jo3bGS8EYL8/SgdBCHAynyI/AAAAAAAAAhs/_me7GDiH-6Q/s1600-h/yahoo-country-cropped.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 164px;" src="http://4.bp.blogspot.com/_Jo3bGS8EYL8/SgdBCHAynyI/AAAAAAAAAhs/_me7GDiH-6Q/s400/yahoo-country-cropped.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5334303788141551394" /&gt;&lt;/a&gt;&lt;center&gt;&lt;font size="-1"&gt;(click to see a larger image)&lt;/font&gt;&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;I've never seen anything like this before, from any Internet provider. Does this mean that if I log into my Gmail and Hotmail account from Europe or Asia, that the companies do not mirror my inbox on nearby servers? 
What about caching?&lt;br /&gt;&lt;br /&gt;Is Yahoo the only one that mirrors, or simply the only one to disclose it to customers?&lt;br /&gt;&lt;br /&gt;Whatever the case, good for Yahoo for being forthcoming, and for giving users the choice.&lt;br /&gt;&lt;br /&gt;Now, if only they'd offer their users SSL encryption for the full Webmail session (and not just the username/password), perhaps they might get a bit more regular praise from this blog.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-2934943474239814504?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/2934943474239814504/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=2934943474239814504' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2934943474239814504'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/2934943474239814504'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/05/kudos-to-yahoo.html' title='Kudos to Yahoo'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_Jo3bGS8EYL8/SgdBCHAynyI/AAAAAAAAAhs/_me7GDiH-6Q/s72-c/yahoo-country-cropped.png' height='72' width='72'/><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-388137199226805787</id><published>2009-05-05T01:26:00.005-04:00</published><updated>2009-05-09T03:50:43.493-04:00</updated><title type='text'>TACO: Admitting Defeat</title><content type='html'>My &lt;a href="http://www.dubfire.net/opt-out"&gt;Targeted Advertising Cookie Opt-Out&lt;/a&gt; tool is now comfortably over 10,000 active users. It has also now been added to Mozilla's list of recommended add-ons, and is thus prominently featured in parts of &lt;a href="http://addons.mozilla.org"&gt;addons.mozilla.org&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;This seemed like a good time to reevaluate my TACO strategy. In particular, I have decided to admit defeat in my rather futile attempt to bully Microsoft and Yahoo into better protecting the privacy of their users. I have come to realize that the benefits of protecting TACO users from Yahoo and Microsoft's behavioral advertising simply outweigh any potential pressure I might be applying to these companies.&lt;br /&gt;&lt;br /&gt;Over the past two months, 5 different online advertising companies have switched to a non-identifiable opt-out cookie. My original (and somewhat naive) plan was to refuse to add support in TACO for any company which did not provide opted-out users with complete anonymity. That is, once the user opted out, the company would cease installing &lt;b&gt;any other&lt;/b&gt; identifiable cookies into that user's browser.&lt;br /&gt;&lt;br /&gt;The fact is that users are really only given a single way of expressing their interest in having some privacy -- the behavioral advertising opt-out. 
While many companies interpret this as "We will still collect lots of data on you, but won't use it to customize advertisements", many users are likely to interpret it as a more comprehensive "stop tracking me, don't collect any identifiable data on me, and don't show me any targeted advertisements."&lt;br /&gt;&lt;br /&gt;While I still believe that advertisers should offer this latter form of opt-out to end users, they currently do not, and I now realize that I do not have the power to force Yahoo and Microsoft down this path. For such a change to be made, the US Federal Trade Commission or Congress would need to take more of an interest.&lt;br /&gt;&lt;br /&gt;For now, I continue to reject any support for advertisers whose opt-out mechanism itself is 100% identifiable. That is, while Yahoo and Microsoft offer a generic opt-out, they also force other identifiable cookies upon the end-user. Other advertising companies, such as Specific Media and Fetchback &lt;b&gt;only&lt;/b&gt; offer identifiable opt-out cookies, which I believe are an unreasonable invasion of end-user privacy.&lt;br /&gt;&lt;br /&gt;Version 1.7 of TACO is &lt;a href="https://addons.mozilla.org/en-US/firefox/addons/versions/11073"&gt;now available&lt;/a&gt; for experimental download, and it will be automatically rolled out to all TACO users in a few days, once the Mozilla team has reviewed the changes to make sure there is nothing malicious in the code.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-388137199226805787?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/388137199226805787/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=388137199226805787' title='2 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/16750015/posts/default/388137199226805787'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/388137199226805787'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/05/taco-admitting-defeat.html' title='TACO: Admitting Defeat'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-4538145018955533131</id><published>2009-04-27T02:10:00.002-04:00</published><updated>2009-04-27T02:47:20.400-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='surveillance'/><category scheme='http://www.blogger.com/atom/ns#' term='location info'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Governmental response to Swine Flu and the threat to privacy</title><content type='html'>While much of the media attention over the past day or two on the swine flu threat has focused on the very real public health issues, there are some rather troubling potential privacy issues that also deserve a bit of attention.&lt;br /&gt;&lt;br /&gt;According to media reports, American officials know of &lt;a href="http://www.nytimes.com/2009/04/27/world/27flu.html?hp"&gt;20 suspected cases&lt;/a&gt; of swine flu in the United States. 
At least 8 of those involve students at a &lt;a href="http://en.wikipedia.org/wiki/St._Francis_Preparatory_School"&gt;private high school in New York&lt;/a&gt;, some of whom had recently returned from a trip to Mexico.&lt;br /&gt;&lt;br /&gt;As government officials (in both the public health and national security fields) scramble to contain this outbreak, they are likely to turn to mobile phones and the records of customers' physical location history in order to identify other individuals who might have come into contact with the infected persons.&lt;br /&gt;&lt;br /&gt;I think it is probably fair to assume that any student with enough money to both attend a private high school in New York and go on a spring break trip to Mexico likely has enough money for a cell phone. &lt;br /&gt;&lt;br /&gt;Given how many people have already been infected in Mexico, it is unlikely that US government officials would feel the need to obtain physical location information from the roaming records of those teens while they were abroad. However, from the moment that they stepped foot in a US airport, the identities of the persons they came into contact with are likely going to be sought after.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The increasing use of location information&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Those in the privacy community have long sounded the alarm about the increasing use of location information by law enforcement agencies. 
For example, the Washington Post &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/11/22/AR2007112201444.html"&gt;wrote back in 2007&lt;/a&gt; that:&lt;blockquote&gt;Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.&lt;br /&gt;&lt;br /&gt;In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime.&lt;/blockquote&gt;&lt;br /&gt;At a recent Berkman Center event, telecom lawyer &lt;a href="http://www.digestiblelaw.com/agidari/"&gt;Al Gidari&lt;/a&gt; revealed that each of the major wireless phone companies receives 100 requests per week for location information (4 companies * 100 requests per week = &lt;a href="http://paranoia.dubfire.net/2009/03/feds-submit-20k-phone-location-requests.html"&gt;20,000 requests per year&lt;/a&gt;). Furthermore, one request doesn't necessarily mean one person, but can mean "tell us the names of everyone near the corner of 1st and Main St at midnight on Saturday."&lt;br /&gt;&lt;br /&gt;When phone records are sought in terrorism investigations, the FBI commonly asks for a "&lt;a href="http://blog.wired.com/27bstroke6/2007/09/rogue-fbi-lette.html"&gt;community of interest&lt;/a&gt;" -- that is, the names of everyone that a suspect has called, and then the names of the people that those persons have called. There is no reason to believe that similar techniques would not be used by public health officials looking to get information on the spread of the swine flu. For example, they could ask the wireless phone companies for the names and addresses of every person known to have been within 100 ft of someone known to have been infected. 
&lt;br /&gt;&lt;br /&gt;Given that most historical cellular location records lack street-level accuracy, such investigation methods would likely result in huge numbers of false positives -- that is, people who had been in the same neighborhood as infected persons, but who never came into close contact with them.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;No warrant, no problem&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Law enforcement agents routinely seek and gain location information without a warrant or any form of court order. In exigent circumstances such as kidnappings and terrorist threats, the information can usually be gained with a single phone call -- since telecom companies are loath to say no to an emergency. It is equally likely that now, with bodies piling up in Mexico and headlines across the world carrying news of the swine flu, telecom company lawyers will not wish to second-guess the requests of US government officials.&lt;br /&gt;&lt;br /&gt;However, in the process, huge swaths of detailed location records documenting the movements of millions of Americans could be turned over to public health, law enforcement and intelligence agencies without any assurances that the data will &lt;b&gt;only&lt;/b&gt; be used to prevent a swine flu epidemic. Once that data is given to the Government, there is little that can be done afterwards to stop it from being used for other purposes -- such as the war on drugs or investigations of "right wing extremists."&lt;br /&gt;&lt;br /&gt;I want to be clear -- I am not taking a moral position here on the sharing and use of this data. The goal of this blog post is merely to try to draw attention to the fact that this information &lt;b&gt;is&lt;/b&gt; going to be shared with government agencies, if it hasn't happened already. 
Furthermore, those of us in the privacy community need to make sure that if this information is handed over for public health purposes, this is the &lt;b&gt;only&lt;/b&gt; permitted use of the data -- and that it is not allowed to find its way into long-term storage on government servers in Quantico, Virginia or Ft. Meade, Maryland.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-4538145018955533131?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/4538145018955533131/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=4538145018955533131' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/4538145018955533131'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/4538145018955533131'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/governmental-response-to-swine-flu-and.html' title='Governmental response to Swine Flu and the threat to privacy'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-5089591039358734032</id><published>2009-04-26T16:39:00.002-04:00</published><updated>2009-04-26T16:47:01.150-04:00</updated><title type='text'>Hire Me</title><content type='html'>Apologies for this interruption to your regularly scheduled paranoid ramblings.....&lt;br /&gt;&lt;br /&gt;I need a new gig. 
My fellowship at the &lt;a href="http://cyber.law.harvard.edu"&gt;Berkman Center&lt;/a&gt; ends on August 31. I still have another year left in my PhD, and I am not willing to go back to Indiana and spend 20 hours a week grading homework in exchange for a graduate stipend.&lt;br /&gt;&lt;br /&gt;I'm looking for someone (a university, company, public interest group, government agency, or a rich individual) to support me for the 09/10 academic calendar year, while I write up my dissertation and wrap up my degree. In theory, I'd be able to give about 50% of my time to working on interesting non-degree related tasks.&lt;br /&gt;&lt;br /&gt;Ideally, I'd like to get paid to do what I do best -- fun and result-orientated activism and research in the tech/policy sphere.&lt;br /&gt;&lt;br /&gt;I have some very fun projects coming down the pipe in the next few months -- related to credit fraud, surveillance and wiretap reporting, log data anonymization, etc. I'd like to continue to do this kind of stuff, but need to be able to pay my rent at the same time.&lt;br /&gt;&lt;br /&gt;If you know of anyone who might be interested in supporting this work, do get in touch. 
csoghoian at gmail dot com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5089591039358734032?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/5089591039358734032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=5089591039358734032' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5089591039358734032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5089591039358734032'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/hire-me.html' title='Hire Me'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-6625883106212710706</id><published>2009-04-20T12:53:00.003-04:00</published><updated>2009-04-20T13:10:55.473-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wiretapping'/><category scheme='http://www.blogger.com/atom/ns#' term='surveilance'/><title type='text'>Even Congress has an 'unreasonable' expectation of privacy</title><content type='html'>Talking about the brewing Jane Harman/AIPAC wiretapping scandal, &lt;a href="http://yglesias.thinkprogress.org/archives/2009/04/surveillance-and-political-corruption.php"&gt;Matthew Yglesias writes&lt;/a&gt;:&lt;blockquote&gt;However, the substance of what was recorded really does look damning. 
Which reminds me of something I was thinking about during the Blago Era, namely how many politicians’ reputations could really stand up to serious surveillance? It seems very likely to me that if you picked a member of congress at random, decided you had probable cause to suspect him of corruption, and thus started wiretapping all his calls with donors and key political supporters that you would find a ton of dubious quid-pro-quos and backscratching arrangements.&lt;br /&gt;&lt;/blockquote&gt;Looking at this scandal, you could come to the view (as Yglesias does) that pretty much any politician has dirt that would come out if you wiretapped them.&lt;br /&gt;&lt;br /&gt;Or, if you don a tinfoil hat, you can look at it this way: Even members of Congress who serve on key intelligence committees and have &lt;b&gt;&lt;a href="http://tpmmuckraker.talkingpointsmemo.com/2008/03/key_dem_urged_nyt_reporter_aga.php"&gt;direct and detailed knowledge&lt;/a&gt;&lt;/b&gt; of the NSA's wiretapping capabilities still don't have a realistic idea of how little privacy they have when using telephones and email.&lt;br /&gt;&lt;br /&gt;Look -- either Jane Harman expected that the NSA would never tap her own calls, or she simply didn't understand how easy surveillance is. Given that this same Congresswoman with a Harvard Law degree took several years to realize that the NSA's "Terrorist Surveillance Program" was blatantly illegal, perhaps it is safer to assume ignorance rather than over-confidence.&lt;br /&gt;&lt;br /&gt;Nevertheless, how can we expect average Americans to make rational decisions about their own privacy (and their risk of being overheard discussing something problematic on the phone) when their elected officials, who are supposed to be providing oversight over these sorts of programs, clearly can't engage in a basic analysis of the risks of their own use of technology? 
&lt;br /&gt;&lt;br /&gt;Perhaps Harman should have watched a few episodes of The Wire before getting on the phone with that suspected Israeli agent. I'm sure &lt;a href="http://en.wikipedia.org/wiki/Stringer_Bell"&gt;Stringer Bell&lt;/a&gt; could have taught her a few lessons about &lt;a href="http://en.wikipedia.org/wiki/Opsec"&gt;operational security&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-6625883106212710706?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/6625883106212710706/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=6625883106212710706' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/6625883106212710706'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/6625883106212710706'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/even-congress-has-unreasonable.html' title='Even Congress has an &apos;unreasonable&apos; expectation of privacy'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-4113533415978488328</id><published>2009-04-19T21:27:00.004-04:00</published><updated>2009-04-19T21:50:08.282-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Won&apos;t someone think of the children'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title 
type='text'>Online worlds for kids lack basic privacy</title><content type='html'>Saturday's New York Times has an interesting article about the rise of automated moderation software used in the virtual worlds aimed at children and teenagers, such as Neopets and Club Penguin. However, buried halfway &lt;a href="http://www.nytimes.com/2009/04/19/business/19proto.html?hpw"&gt;in the article&lt;/a&gt; is this nugget of information:&lt;blockquote&gt;&lt;br /&gt;The software is integrated into a virtual world’s site. If the technology uncovers phrasing, syntax, slang or other patterns in a conversation that match known signs of bullying or sexual predation, it sends an alert to a moderator, &lt;b&gt;who can then “drill down” to look not only at the entirety of the specific conversation, but also at every posting from either participant.&lt;br /&gt;&lt;br /&gt;“We can capture a full picture of a user’s history on the game,&lt;/b&gt;” Mr. Lintell says.&lt;/blockquote&gt;&lt;br /&gt;Of course, the moderation software can't see into the future, and so the only way it can let moderators look through the previous postings of users who type problematic messages is if the virtual worlds &lt;b&gt;store every message that all users type&lt;/b&gt;, just in case a user later types a message that is prohibited.&lt;br /&gt;&lt;br /&gt;Just last year, FBI director Robert Mueller &lt;a href="http://news.cnet.com/8301-13578_3-9926803-38.html"&gt;went before Congress&lt;/a&gt; to ask that ISPs be forced to keep significant logs on the web histories of their customers, for the sake of the children:&lt;blockquote&gt;&lt;br /&gt;"Records retention by ISPs would be tremendously helpful in giving us a historic basis to make a case on a number of child pornographers who use the Internet to push their pornography" or lure children, &lt;a href="http://news.cnet.com/8301-13578_3-9926803-38.html"&gt;Mueller said.&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;It seems that at least for 
some Internet companies, especially those with products aimed at children, Congressional action wasn't even necessary.&lt;br /&gt;&lt;br /&gt;Sure, cyber-bullying is a big deal. However, that doesn't mean that children don't also deserve a bit of privacy online. If parents want to install spying software on their children's computers, I suppose that is up to them (although I still think that is wrong), but a service provider shouldn't be doing this at all.&lt;br /&gt;&lt;br /&gt;Furthermore, I highly doubt that these companies make it clear that they are logging all messages (which are just a subpoena away should a law enforcement agency ever take an interest) -- and even if they do mention something in their terms of service, we can't expect a 12-year-old to be able to understand those sorts of documents.&lt;br /&gt;&lt;br /&gt;The 1998 &lt;a href="http://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act"&gt;Children's Online Privacy Protection Act&lt;/a&gt; is supposed to prevent companies from collecting personally identifiable information about Internet users under the age of 13. 
I'm not an expert on this law, and so I'll need to go and re-read the statutes -- however, I'm slightly troubled as to how these companies can essentially wiretap their customers' conversations "for their own safety".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-4113533415978488328?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/4113533415978488328/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=4113533415978488328' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/4113533415978488328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/4113533415978488328'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/online-worlds-for-kids-lack-basic.html' title='Online worlds for kids lack basic privacy'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-5821586811020680095</id><published>2009-04-18T00:00:00.010-04:00</published><updated>2009-04-20T21:49:48.767-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='surveillance'/><category scheme='http://www.blogger.com/atom/ns#' term='cipav'/><category scheme='http://www.blogger.com/atom/ns#' term='FBI'/><category scheme='http://www.blogger.com/atom/ns#' term='red hat'/><title type='text'>Current Red Hat Linux employee &amp; Fedora project lead 
may have played key role in use of government spyware in former job at FBI</title><content type='html'>&lt;font size="-1"&gt;&lt;b&gt;Updated at 10PM on April 20&lt;/b&gt;: There has been a fantastic &lt;a href="http://lists2.ssc.com/pipermail/linux-list/2009-April/031005.html"&gt;discussion of this issue&lt;/a&gt; on a Fedora-related mailing list. The short version is that only three people have access to the secret key used to sign Fedora updates, and Mr. Frields is &lt;a href="http://lists2.ssc.com/pipermail/linux-list/2009-April/031013.html"&gt;not one of them&lt;/a&gt;.&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;&lt;font size="-1"&gt;&lt;b&gt;Updated at 11AM on Saturday&lt;/b&gt; to provide a bit of clarity, and to define CIPAV.&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;Did a current &lt;a href="http://www.redhat.com/"&gt;Red Hat&lt;/a&gt; employee and the project leader for Red Hat's &lt;a href="http://fedoraproject.org/"&gt;Fedora free Linux distribution&lt;/a&gt; previously install and support &lt;a href="http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html"&gt;government surveillance spyware&lt;/a&gt; onto the (Windows) computers of suspects while an FBI employee back in 2005? &lt;br /&gt;&lt;br /&gt;Based on publicly available documents, it appears so.&lt;br /&gt;&lt;br /&gt;Page 93 of the recent 153-page &lt;a href="http://blog.wired.com/27bstroke6/files/fbi_cipav_wired_foia_041609.pdf"&gt;FOIA document dump&lt;/a&gt; (Warning: huge pdf) obtained by Wired News appears to be a ticket report from a 2005 surveillance request to the FBI's Cryptographic and Electronic Analysis Unit.&lt;br /&gt;&lt;br /&gt;The document requests "CIPAV support as per discussion between EP [redacted]". 
The document also notes that the request is for a "Data/Voice Intercept with Encryption".&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_Jo3bGS8EYL8/Selk1eoF5XI/AAAAAAAAAhk/SDYF7Oo88YQ/s1600-h/fbi-cipav.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 81px;" src="http://2.bp.blogspot.com/_Jo3bGS8EYL8/Selk1eoF5XI/AAAAAAAAAhk/SDYF7Oo88YQ/s400/fbi-cipav.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5325898904259388786" /&gt;&lt;/a&gt; &lt;center&gt;(click on image to see a larger version)&lt;/center&gt;&lt;br /&gt;&lt;br /&gt;CIPAV ("computer and internet protocol address verifier") is, as &lt;a href="http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html"&gt;Wired reports&lt;/a&gt;, a software tool designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia.&lt;br /&gt;&lt;br /&gt;As Professor Paul Ohm &lt;a href="http://twitter.com/paulohm/status/1546416829"&gt;tweeted on Friday evening&lt;/a&gt;, it appears that the censors at the FBI forgot to remove the username of one of the engineers working on a case: 'pfrields'.&lt;br /&gt;&lt;br /&gt;A bit of Googling reveals that pfrields is the handle used by &lt;a href="http://marilyn.frields.org:8080/~paul/wordpress/"&gt;Paul W. Frields&lt;/a&gt;, now an employee of Red Hat Linux. His blog also notes that he is currently the Fedora Project Leader.&lt;br /&gt;&lt;br /&gt;Of course, there could be more than one pfrields on the Internet... 
which is where PGP keys come into play.&lt;br /&gt;&lt;br /&gt;A &lt;a href="http://pgp.mit.edu:11371/pks/lookup?search=fbi.gov&amp;op=index"&gt;quick query&lt;/a&gt; of the MIT Public PGP server reveals that the following email addresses are all using the same public key:&lt;blockquote&gt;pub  1024D/BD113717 1997/09/19&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Paul W. Frields &amp;lt;pfrields@fbi.gov&amp;gt;&lt;/b&gt;&lt;br /&gt;Paul W. Frields &amp;lt;paul@frields.com&amp;gt;&lt;br /&gt;&lt;b&gt;Paul W. Frields &amp;lt;paul@frields.org&amp;gt;&lt;/b&gt;&lt;br /&gt;Paul W. Frields &amp;lt;stickstr@cox.net&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;pfrields@redhat.com&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;stickster@gmail.com&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;stickstr5@hotmail.com&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;pwfrields.cart@fbi.gov&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;Paul.Frields@ic.fbi.gov&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;stickstr@cyberrealm.net&amp;gt;&lt;br /&gt;Paul W. Frields &amp;lt;stickstr@novacoxmail.com&amp;gt;&lt;br /&gt;&lt;b&gt;Paul W. Frields &amp;lt;pfrields@fedoraproject.org&amp;gt;&lt;/b&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Based on this information, it would appear that someone claiming to be Paul W. Frields with an email address at fbi.gov is now using the same public key as someone signing emails as Paul W. Frields with a redhat.com email address. 
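As an added illustration (not the author's code, and not tied to any real key), here is a small Python parser for the machine-readable form of the kind of keyserver index quoted above. It assumes the HKP index format that keyservers return for op=index with options=mr: one pub: record per key, followed by one uid: record per user ID, with the user ID percent-escaped. The key IDs and addresses in the sample are constructed placeholders; the function names and the domain-matching helper are this example's own assumptions. Grouping the user IDs under their key ID is the same inference the post draws by eye from the HTML index.

```python
"""Parse a keyserver's machine-readable index and group user IDs by key.

Added example; not the blog author's code.  Assumes the HKP machine-readable
index format (op=index with options=mr), in which each key is a line
    pub:KEYID:ALGO:BITS:CREATED:EXPIRES:FLAGS
followed by one line per user ID
    uid:PERCENT-ESCAPED-USER-ID:CREATED:EXPIRES:FLAGS
The key IDs and addresses in SAMPLE_INDEX are constructed placeholders.
"""
from collections import OrderedDict
from datetime import datetime, timezone
from urllib.parse import unquote
import re

# Constructed sample: one DSA key carrying three user IDs at different
# domains, and one revoked RSA key with a single user ID.
SAMPLE_INDEX = """info:1:2
pub:0123456789ABCDEF:17:1024:874627200::
uid:Alice%20Example%20%3Calice%40example.org%3E:874627200::
uid:Alice%20Example%20%3Calice%40employer.example%3E:1104537600::
uid:Alice%20Example%20%3Calice%40project.example%3E:1230768000::
pub:FEDCBA9876543210:1:2048:1230768000:1388534400:r
uid:Bob%20Example%20%3Cbob%40example.net%3E:1230768000::
"""

# OpenPGP public-key algorithm IDs (RFC 4880, section 9.1).
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA"}

# The mail domain inside a user ID: whatever follows the '@'.
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_hkp_index(text):
    """Return an ordered mapping of key ID to key details and its user IDs."""
    keys = OrderedDict()
    current = None
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0] == "pub":
            try:
                keyid, algo, bits, created, _expires, flags = fields[1:7]
            except ValueError:
                continue  # malformed record: skip it
            current = {
                "algo": ALGO_NAMES.get(int(algo), "algo-" + algo),
                "bits": int(bits),
                "created": datetime.fromtimestamp(
                    int(created), timezone.utc).date().isoformat(),
                "revoked": "r" in flags,
                "uids": [],
            }
            keys[keyid] = current
        elif fields[0] == "uid" and current is not None:
            # User IDs are percent-escaped so that ':' cannot break the record.
            current["uids"].append(unquote(fields[1]))
    return keys


def domains_for_key(keys, keyid):
    """Sorted list of distinct mail domains among one key's user IDs."""
    found = set()
    for uid in keys[keyid]["uids"]:
        match = DOMAIN_RE.search(uid)
        if match:
            found.add(match.group(1).lower())
    return sorted(found)


def keys_spanning(keys, *domains):
    """Key IDs whose user IDs cover every one of the given domains.

    A user ID is self-certified by whoever holds the key, so a hit here only
    shows that one key holder claims all of these addresses.  Third-party
    signatures, which the index format does not carry, are what turn that
    claim into a verified identity.
    """
    wanted = {d.lower() for d in domains}
    return [k for k in keys if wanted.issubset(domains_for_key(keys, k))]


if __name__ == "__main__":
    parsed = parse_hkp_index(SAMPLE_INDEX)
    for keyid, info in parsed.items():
        status = "revoked" if info["revoked"] else "not revoked"
        print(keyid, info["algo"], info["bits"], info["created"], status)
        for uid in info["uids"]:
            print("   ", uid)
    print("keys spanning example.org and employer.example:",
          keys_spanning(parsed, "example.org", "employer.example"))
```

One caveat the code makes explicit: the index tells you which addresses a key holder has attached to a key, not that anyone else has checked them. That is why the keysigning-party record in the next paragraph matters more than the index itself; to inspect those third-party signatures locally you would fetch the key and run gpg --list-sigs on it.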
Based on &lt;a href="http://domsch.com/linux/fedora/fudconf11/fudconf11-keysigning.txt.asc"&gt;documents from a PGP keysigning party&lt;/a&gt; in January of this year, this collection of email addresses appears to have been verified by other members of the Linux community.&lt;br /&gt;&lt;br /&gt;Finally, &lt;a href="http://www2.frields.org:8080/WebSVN/filedetails.php?repname=repo&amp;path=%2Fprofiles%2Fbin%2Fredhat-mirror&amp;rev=90"&gt;a configuration file&lt;/a&gt; in a web-accessible Subversion repository on Paul Frields' own webserver mentions the fbi.gov email address, which seems to be a pretty solid link confirming that the Linux developer is a former FBI employee.&lt;br /&gt;&lt;br /&gt;Of course, even if the pfrields who worked for the FBI is the same pfrields who now leads Red Hat's free Linux distribution, there isn't necessarily any cause for concern.&lt;br /&gt;&lt;br /&gt;After all, unlike the CIA agents who tortured prisoners, and the illegal wiretapping performed by NSA employees, the work of the FBI seems to be above board -- well, except for the FBI's &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/03/13/AR2008031302277.html"&gt;misuse of National Security Letters&lt;/a&gt;, oh and the likely illegal &lt;a href="http://blog.wired.com/27bstroke6/2008/03/whistleblower-f.html"&gt;backdoor the FBI&lt;/a&gt; has to Verizon Wireless's backbone network.&lt;br /&gt;&lt;br /&gt;No need to worry though, since all of the CIPAV spyware requests do seem to have been accompanied by a court-approved search warrant.&lt;br /&gt;&lt;br /&gt;Let us for the moment assume the best -- that Mr. Frields is a good patriotic American who has the deepest respect for civil liberties, and went to work for the FBI in order to help hunt down terrorists and evil-doers. 
&lt;br /&gt;&lt;br /&gt;Even so, I suspect that many users of the Fedora Linux distribution, particularly those outside of the United States, might be shocked to find out this news, just as many Americans might be shocked if they learned that a former KGB agent was now in charge of keeping their computers secure.&lt;br /&gt;&lt;br /&gt;Given that a select few members of the Fedora project likely have access to the private keys necessary to sign and release automatic updates to the operating system, the fact that one of these persons has in the past been involved with the insertion of spyware onto the computers of individuals without their knowledge or permission is something that many Fedora users may find concerning.&lt;br /&gt;&lt;br /&gt;It's not that former government employees -- even those in charge of installing spyware -- should be excommunicated from the rest of the development community (after all -- there are former NSA engineers who have done amazing work on the &lt;a href="http://www.nsa.gov/research/selinux/index.shtml"&gt;SE Linux project&lt;/a&gt;). It's just that we should think twice before placing them into the open source community's most sensitive positions -- just as the FBI would never grant the highest security clearances to a former hacker.&lt;br /&gt;&lt;br /&gt;As of press time (2AM on Saturday morning), Paul Frields had yet to respond to queries submitted via email or Twitter. If he does respond at a later date, this blog post will be updated to reflect his comment.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Disclosure: I've had my own &lt;a href="http://www.securityfocus.com/brief/342"&gt;fairly negative experience&lt;/a&gt; with armed FBI agents, who later raided my home at 2AM. 
Readers of this blog should consider that when evaluating this article w/regard to any bias I might have.&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Hat Tip&lt;/b&gt;: Wired's Kevin Poulsen &lt;a href="http://twitter.com/kpoulsen/status/1546491072"&gt;was the first&lt;/a&gt; to google pfrields and discover that he might be a Linux geek.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-5821586811020680095?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/5821586811020680095/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=5821586811020680095' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5821586811020680095'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5821586811020680095'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/current-red-hat-linux-employee-fedora.html' title='Current Red Hat Linux employee &amp;amp; Fedora project lead may have played key role in use of government spyware in former job at FBI'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_Jo3bGS8EYL8/Selk1eoF5XI/AAAAAAAAAhk/SDYF7Oo88YQ/s72-c/fbi-cipav.png' height='72' width='72'/><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-971662216500598146</id><published>2009-04-17T20:11:00.005-04:00</published><updated>2009-04-17T20:49:25.090-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cipav'/><category scheme='http://www.blogger.com/atom/ns#' term='FBI'/><category scheme='http://www.blogger.com/atom/ns#' term='browser exploits'/><category scheme='http://www.blogger.com/atom/ns#' term='spyware'/><title type='text'>Thoughts on the FBI spyware documents</title><content type='html'>Kevin Poulsen of Wired has now &lt;a href="http://blog.wired.com/27bstroke6/2009/04/get-your-fbi-sp.html"&gt;posted the documents&lt;/a&gt; he received from the FBI in response to his FOIA request.&lt;br /&gt;&lt;br /&gt;In short, the FBI has been using their own homebrewed spyware to collect information on suspects who are using proxy servers (such as &lt;a href="http://www.torproject.org"&gt;Tor&lt;/a&gt;) to hide their own IP addresses.&lt;br /&gt;&lt;br /&gt;The EFF, CNET and Wired all submitted similar FOIA requests, and likely received the same documents in response. I do hope that either Wired or EFF appeals the heavy redaction by the FBI's FOIA office. As Professor &lt;a href="http://www.freedom-to-tinker.com/blog/paul/fbis-spyware-program"&gt;Paul Ohm writes&lt;/a&gt;, "The 152 pages don't take long to read, because they have been so heavily redacted. 
The vast majority of the pages have no substantive content at all."&lt;br /&gt;&lt;br /&gt;While there are lots of issues raised by the FBI's spyware tool, I want to focus on one particular issue here: The FBI's method of infection.&lt;br /&gt;&lt;br /&gt;As Wired's &lt;a href="http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html"&gt;Kevin Poulsen notes&lt;/a&gt;:&lt;blockquote&gt;The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau &lt;b&gt;may be using one or more web browser vulnerabilities&lt;/b&gt;. In several of the cases outlined, the &lt;b&gt;FBI hosted the CIPAV on a website, and tricked the target into clicking on a link&lt;/b&gt;. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address &lt;b&gt;posted to the subject's private chat room&lt;/b&gt; on MySpace.com."&lt;/blockquote&gt;&lt;br /&gt;Remember now that this CIPAV spyware tool has been designed to locate hackers smart enough to use proxies to hide their IP address information.&lt;br /&gt;&lt;br /&gt;Is the FBI's spyware tool spread through the use of suggestive messages (such as this hypothetical example) left on a suspect's MySpace page?:&lt;blockquote&gt;"Hi, I am a sexy 18 year old cheerleader, and I'd like to meet you. 
Please click &lt;b&gt;here&lt;/b&gt; to find out how to contact me"&lt;/blockquote&gt;Such a message will contain a link to a page on an FBI-controlled web server which then uses an unpatched browser vulnerability to force a &lt;a href="http://www.theregister.co.uk/2005/03/23/symantec_threat_report/"&gt;drive-by spyware infection&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;While that might work for a few stupid teenagers, it is unlikely to work on really tech-savvy hackers.&lt;br /&gt;&lt;br /&gt;What is &lt;b&gt;far more&lt;/b&gt; likely is that the FBI has asked MySpace, Google or Yahoo to insert the drive-by malware infection code directly into their own websites, so that the next time the suspect signed into their account, their browser would automatically be infected without the need to trick them into visiting an FBI-controlled Web site.&lt;br /&gt;&lt;br /&gt;Such cooperation by Web 2.0 companies (if it indeed occurred) would be fascinating, troubling and would likely do significant damage to their reputations -- which would also explain the significant redaction in the FOIA documents.&lt;br /&gt;&lt;br /&gt;If there is a lesson to be learned from this document release, it is that if you want to protect yourself from the FBI's CIPAV spyware tool, you should make sure you're running the latest version of your Web browser (and should probably avoid IE). 
Those people stupid enough to transmit anonymous bomb threats using Internet Explorer 6.0 are likely to end up in jail very quickly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-971662216500598146?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/971662216500598146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=971662216500598146' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/971662216500598146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/971662216500598146'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/thoughts-on-fbi-spyware-documents.html' title='Thoughts on the FBI spyware documents'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-5032661072018242128</id><published>2009-04-13T18:10:00.000-04:00</published><updated>2009-04-13T20:11:37.557-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='drm'/><category scheme='http://www.blogger.com/atom/ns#' term='DMCA'/><category scheme='http://www.blogger.com/atom/ns#' term='contest'/><category scheme='http://www.blogger.com/atom/ns#' term='mashup'/><title type='text'>Contest: Mashup the FTC DRM Testimony</title><content type='html'>&lt;b&gt;Summary: Create a funny or interesting mashup of some of the FTC DRM town hall 
testimony. The creators of the best videos (judged by me) will have money ($100, $50 and $25) donated to the Electronic Frontier Foundation in their name. What are you waiting for?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Harvard Law Professor Charlie Nesson has been fighting to get the Tenenbaum v. RIAA trial streamed on the Internet. In its argument against this request, the RIAA &lt;a href="http://blog.wired.com/27bstroke6/2009/01/riaa-fears-mani.html"&gt;has claimed that&lt;/a&gt;:&lt;blockquote&gt;"[The video footage] will be readily subject to editing and manipulation by any reasonably tech-savvy individual. Even without improper modification, statements may be taken out of context, spliced together with other statements and broadcast (sic) rebroadcast as if it were an accurate transcript. Such an outcome can only do damage to Petitioner's case."&lt;/blockquote&gt;&lt;br /&gt;The idea of Internet users remixing the RIAA lawyers' words into subversive and biting political satire sounds like a great idea. So, why don't we see if we can do the same thing with some of the rather extreme positions expressed at the recent FTC DRM town hall meeting?&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Speakers&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;As some of you &lt;a href="http://arstechnica.com/tech-policy/news/2009/03/ftc-well-come-calling-about-deceptive-drm.ars"&gt;may have heard&lt;/a&gt;, the US Federal Trade Commission recently &lt;a href="http://www.ftc.gov/bcp/workshops/drm/index.shtml"&gt;held a town hall meeting&lt;/a&gt; to discuss issues related to Digital Rights Management technology. While the talks went on for an entire day, the most interesting (and heated) discussions happened at the "DRM in Action" panel, in which I participated. Also there were Prof. J. 
Alex Halderman of the University of Michigan, Rashmi Rangnath, a staff attorney at Public Knowledge, Debbie Rose, an intellectual property fellow for the Association for Competitive Technology (ACT), and Patrick Ross, co-founder and Executive Director of the Copyright Alliance.&lt;br /&gt;&lt;br /&gt;The FTC taped the entire session, and has made it available via &lt;a href="http://htc-01.media.globix.net/COMP008760MOD1/ftc_web/FTCindex.html#Mar25_09"&gt;online streaming video&lt;/a&gt;. To make things a little bit more viral-video-friendly, I've downloaded the entire session, cut it up into smaller videos for each speaker, and uploaded them to Vimeo. Since the videos were recorded and made available by the FTC, they are (I believe) in the public domain, and thus this re-distribution should be kosher.&lt;br /&gt;&lt;br /&gt;While all of the speakers were interesting, it was Debbie Rose whose testimony blew my mind. Before she went to work for ACT, Debbie &lt;a href="http://www.opensecrets.org/revolving/rev_summary.php?id=30202"&gt;worked as a Counsel&lt;/a&gt; for the House Subcommittee on Courts, the Internet &amp; Intellectual Property, and played a major role in drafting the &lt;a href="http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act"&gt;Digital Millennium Copyright Act&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The DMCA is of course the very same law that is a &lt;a href="http://www.eff.org/wp/unintended-consequences-seven-years-under-dmca"&gt;perpetual thorn in the side&lt;/a&gt; of many researchers and innovators.&lt;br /&gt;&lt;br /&gt;I've included a few of Debbie Rose's choice moments from the DRM panel here. 
They're less than a minute each, and will be sure to cause a strong reaction (laughter, tears, or perhaps a simple WTF???).&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137611&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137611&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137635&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137635&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Contest&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I have uploaded all of the videos to Vimeo for your viewing/viral embedding pleasure (see below). 
If you're interested in downloading the videos in a format that is more mashup-friendly, a 200Mb .zip can be &lt;a href="http://files.dubfire.net/ftc-drm.zip"&gt;downloaded here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The contest works as follows. People of the Internet are free to download these videos, edit the footage, and mash them up with anything else (remember your fair use rights). Upload the resulting videos/songs to the video/media/whatever sharing site of your choice, and then write a comment to this blog post with a link to your entry. To make things easier, if the content site offers tagging functionality, please tag your entry with "ftc drm mashup".&lt;br /&gt;&lt;br /&gt;On June 1, 2009, the contest will end. In the days that follow, I will judge the entries, and pick the three that I find to be the most awesome (factors include the level of humor, creativity and impact). I will donate $100 to the Electronic Frontier Foundation in the name of the 1st place winner, $50 in the name of the 2nd place winner, $25 in the name of the third place winner, and then $1 each in the names of the next 23 best entrants. If I don't get any/enough submissions, I will still donate $200 to the EFF.&lt;br /&gt;&lt;br /&gt;If you &lt;b&gt;really&lt;/b&gt; want your name to be associated with my $200 donation, but you don't want to make a mashup... leave a comment in this blog post, and I'll include it anyway.&lt;br /&gt;&lt;br /&gt;There are some absolute gems amongst the videos, and you are by no means restricted to using Debbie Rose's videos (I just happen to think they're the funniest, and so I've highlighted them). &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Small Print&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;This contest/activity is not affiliated with or sponsored by the Electronic Frontier Foundation. 
I just happen to think that they are awesome.&lt;br /&gt;&lt;br /&gt;Likewise, this is not something I am doing with the consent/approval of my employers at the Berkman Center -- this is being done in my own time, wearing my own hat. If for some reason someone dislikes what I've done and decides to lawyer-up, please send the cease and desist letter directly to me, and not to the Berkman folks.&lt;br /&gt;&lt;br /&gt;I am not making any money out of this contest and the $200 is coming out of my pocket. This is simply an activism-related activity. &lt;br /&gt;&lt;br /&gt;Finally, I am not a lawyer, and nothing in this blog post should be read as legal advice.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Videos&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137657&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137657&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137854&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed 
src="http://vimeo.com/moogaloop.swf?clip_id=4137854&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137696&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137696&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4139231&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4139231&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" 
value="http://vimeo.com/moogaloop.swf?clip_id=4137823&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137823&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137743&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed src="http://vimeo.com/moogaloop.swf?clip_id=4137743&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;font size="-1"&gt;This video contains just the footage of Debbie during the longer back-and-forth discussion which the next video shows in full.&lt;/font&gt; &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="400" height="300"&gt;&lt;param name="allowfullscreen" value="true" /&gt;&lt;param name="allowscriptaccess" value="always" /&gt;&lt;param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4137772&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" /&gt;&lt;embed 
src="http://vimeo.com/moogaloop.swf?clip_id=4137772&amp;amp;server=vimeo.com&amp;amp;show_title=1&amp;amp;show_byline=1&amp;amp;show_portrait=0&amp;amp;color=&amp;amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="300"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/5032661072018242128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=5032661072018242128' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5032661072018242128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/5032661072018242128'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/04/contest-mashup-ftc-drm-testimony.html' title='Contest: Mashup the FTC DRM Testimony'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-6562281737317154962</id><published>2009-03-27T14:41:00.004-04:00</published><updated>2009-03-27T14:58:59.149-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='FOIA'/><category scheme='http://www.blogger.com/atom/ns#' term='white house'/><category scheme='http://www.blogger.com/atom/ns#' term='web server logs'/><title 
type='text'>My latest White House FOIA</title><content type='html'>I sent &lt;a href="http://files.dubfire.net/WH_FOIA_Web_logs.pdf"&gt;this FOIA request&lt;/a&gt; (pdf) to the Office of Administration today.&lt;br /&gt;&lt;br /&gt;Essentially, I'm asking for a copy of all of the whitehouse.gov Web server logs, any analytics reports, data/log retention policies, as well as information on the amount of money paid by the White House for its use of Akamai and Amazon S3.&lt;br /&gt;&lt;br /&gt;It'll be interesting to see how the White House counsel responds.</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/6562281737317154962/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=6562281737317154962' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/6562281737317154962'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/6562281737317154962'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/03/my-latest-white-house-foia.html' title='My latest White House FOIA'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-3672643597772815965</id><published>2009-03-27T06:30:00.002-04:00</published><updated>2009-03-27T06:57:06.495-04:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='cookies'/><category scheme='http://www.blogger.com/atom/ns#' term='opt-out'/><category scheme='http://www.blogger.com/atom/ns#' term='taco'/><title type='text'>One Man's War on Advertising</title><content type='html'>I can happily report that two more companies, Blue Kai and Media Math, have in the last few days modified their advertising systems to now use non-identifiable opt-out cookies. Hurrah.&lt;br /&gt;&lt;br /&gt;I've received unofficial word that at least one other company is making a similar switch. One by one, most of the online advertising companies are realizing that identifiable opt-out cookies are bad for consumers, and more importantly, really bad PR for them.&lt;br /&gt;&lt;br /&gt;Expect a new version of &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/11073"&gt;TACO&lt;/a&gt; in the next few days, incorporating these new opt-out cookies.&lt;br /&gt;&lt;br /&gt;As the weeks go on, I wouldn't be surprised to see that initial list of 17 bad advertisers shrink... to just two: Microsoft and Yahoo. 
These firms are the largest of the offenders, are slow, unwieldy corporations which are unable to turn on a dime, and in some cases, simply don't see why they should be forced to stop tracking users.&lt;br /&gt;&lt;br /&gt;If we do get to a point where only these mega advertising titans are refusing to provide consumers with an anonymous way of opting out of tracking and targeting, progress may depend upon legislators showing a bit of interest in the topic.&lt;br /&gt;&lt;br /&gt;---------------&lt;br /&gt;&lt;br /&gt;In other news, Jim Harper @ CATO took &lt;a href="http://techliberation.com/2009/03/24/ends-means-and-one-mans-war-on-advertising/#disqus_thread"&gt;another good-natured whack&lt;/a&gt; at me this week.&lt;br /&gt;&lt;br /&gt;Writing at the Tech Liberation Front, he stated that:&lt;br /&gt;&lt;blockquote&gt;Chris is deeply focused on advertisers and his dislike of being tracked by advertisers. Though it is not absolute, I have a preference against tracking by anyone other than sites that I know, like, and trust. I’m no more worried about advertisers than any entity that would track my surfing - and there are many.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;To say that I am solely focused on advertisers is unfair and incorrect. I wish to avoid being tracked by all parties, be they Facebook, the RIAA, online advertisers, or the US Government (remember, after all, the name of this blog). However, while the advertising industry has collectively provided consumers with a mechanism to opt out of their more creepy practices (albeit one that is difficult to use), other would-be watchers have not.&lt;br /&gt;&lt;br /&gt;If Mr. Harper is aware of an opt-out cookie that I can load into my browser to opt myself out of the National Security Agency's illegal monitoring of domestic Internet traffic, I hope that he will let me know.&lt;br /&gt;&lt;br /&gt;I will be the first to admit that privacy on the Internet sucks. I wish it were better. 
I wish we didn't have evil telecom companies who believe that they can monetize their customers' web browsing habits. I wish our government, even with the new President, respected the Fourth Amendment.&lt;br /&gt;&lt;br /&gt;I am not claiming that my TACO add-on is perfect, or that it solves all of the privacy issues on the web. It is a specific technical solution for a particular policy problem. It is not a comprehensive solution to all the woes of web privacy -- it is just a way, I believe, for the little guy to reclaim a tiny little bit of that long forgotten right to be left alone.&lt;br /&gt;&lt;br /&gt;Later on, Mr. Harper asserts that I am calling for new legislation:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;With the right law in place, Chris appears to believe, “[t]he Federal Trade Commission and Congress would likely take an interest” when advertisers tried to skirt opt-out cookies, using other technologies to glean information about Web surfers’ interests.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Perhaps I was unclear in my previous post, but I do not believe that new legislation is required to go after advertisers who continue to engage in targeted advertising even after the user has opted out. The FTC has a clear legal mandate to go after those who engage in deceptive and unfair business practices. Advertisers who ignored their own opt-out cookies would seem to be acting in an unfair and deceptive way. 
I would argue that the FTC already has all the authority it needs to go after such firms.</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/3672643597772815965/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=3672643597772815965' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3672643597772815965'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3672643597772815965'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/03/one-mans-war-on-advertising.html' title='One Man&apos;s War on Advertising'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-3089665211051226202</id><published>2009-03-21T14:37:00.008-04:00</published><updated>2009-03-22T14:28:53.160-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cookies'/><category scheme='http://www.blogger.com/atom/ns#' term='firefox'/><category scheme='http://www.blogger.com/atom/ns#' term='targeted advertising'/><title type='text'>The benefits of using opt-outs</title><content type='html'>&lt;i&gt;This blog post provides a legal/policy argument in support of opt-out cookies. 
While the author knows a decent amount about Internet law, he is not a lawyer, and this is not legal advice.&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;While the response to my &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/11073"&gt;Targeted Advertising Cookie Opt-Out (TACO)&lt;/a&gt; Firefox add-on has been hugely positive, a number of users have questioned the utility of this tool, as compared to other pro-privacy and anti-advertising solutions.&lt;br /&gt;&lt;br /&gt;As just one example of this line of mild criticism, Jim Harper over at the Tech Liberation Front &lt;a href="http://techliberation.com/2009/03/19/chris-sogohians-cool-opt-out-plugin/#more-17529"&gt;suggests that&lt;/a&gt; users can simply make use of the "block third party cookies" feature available in most Web browsers.&lt;br /&gt;&lt;br /&gt;This is an approach that is similarly recommended by Google, which only provided an opt-out software extension to users of Internet Explorer and Firefox. Users of other browsers (such as Safari and Chrome) &lt;a href="http://www.google.com/ads/preferences/plugin/browsers.html#safari"&gt;are advised&lt;/a&gt; to just block all advertising cookies.&lt;br /&gt;&lt;br /&gt;The problem with blocking any form of unwanted behavior is that it just leads to an arms race.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Arms races, and the lessons from the pop-up war&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Consider, for example, the scourge that was pop-up advertisements. These were a huge problem on the web, and continue to be so for anyone unlucky enough to be using an ancient browser. Their over-use by Web sites can make browsing an unpleasant, and at times, unusable experience.&lt;br /&gt;&lt;br /&gt;So how did we do away with them? First, a number of browser add-ons began to offer pop-up blocking functionality. However, these were only used by technically savvy users. 
It wasn't until similar functionality was included in Firefox and Safari, often by default, that the tables really turned.&lt;br /&gt;&lt;br /&gt;Once anti-pop-up technology came baked into the browser, the advertising industry effectively lost one of its most powerful tools.&lt;br /&gt;&lt;br /&gt;These firms had a strong incentive to find a way around this blocking, and so, over the past few years, new, sneakier forms of advertising, some even using pop-up style effects, have become commonplace.&lt;br /&gt;&lt;br /&gt;Advertisers didn't observe the blocking of their previous techniques and think, "Oh, I guess we should respect people's preference to not see annoying ads", but instead took it as an invitation to innovate, and create newer, more aggressive and unblockable forms of advertising.&lt;br /&gt;&lt;br /&gt;That is, pop-up blocking technology, while providing users with some temporary relief, merely added fuel to the arms race.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Targeted advertisements use more than cookies&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Over the past ten years, cookies have gotten a lot of criticism from privacy circles. Browsers have evolved to include sophisticated cookie handling tools, particularly in Safari and IE8. As a result, cookies have become far less useful as a way to track users. After all, every Safari user automatically rejects third party cookies by default.&lt;br /&gt;&lt;br /&gt;Just as with the pop-up example mentioned above, this use of blocking technologies has merely encouraged an arms race, with advertisers turning to other methods for long term tracking. 
Technologies like Adobe's Flash, AIR, Microsoft's Silverlight, and the offline content in HTML5 can all be used to provide cookie-like tracking functionality.&lt;br /&gt;&lt;br /&gt;Better yet for the advertisers, most users don't know that these technologies can be used to invade their privacy.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Ending the arms race&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Should we follow the traditional approach, and just escalate the arms race? For example, the excellent &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/6623"&gt;BetterPrivacy Firefox add-on&lt;/a&gt; allows users to protect themselves against the tracking Flash cookies/LSO files used by YouTube, eBay and many other sites.&lt;br /&gt;&lt;br /&gt;In my opinion, this cat and mouse game is a huge waste of energy. What we need is a way to remove ourselves from this cycle, and I think that opt-out cookies are a way to do this.&lt;br /&gt;&lt;br /&gt;Unlike all of the previous anti-advertising technologies, the opt-out mechanism provides users with a way to positively affirm that they do not wish to be tracked and targeted. This opt-out cookie is something that advertisers cannot ignore.&lt;br /&gt;&lt;br /&gt;Now, consider the following hypothetical situation: In a year or two Google/Doubleclick sees that 50% of Web users have opted out of their targeted advertising. 
In an attempt to innovate around this, the company switches to the use of Flash-based cookies to target and track users.&lt;br /&gt;&lt;br /&gt;While the company's privacy policy specifically talks about the use of cookies, it would be tough to see how Google could argue that it had the right to use alternative tracking technologies to track users who had opted out of its older cookie-based system.&lt;br /&gt;&lt;br /&gt;The Federal Trade Commission and Congress would likely take an interest, and any attempt by Google's lawyers to argue that opt-outs only applied to HTML cookies, even if their privacy policy stated as much, would draw laughter and ridicule.&lt;br /&gt;&lt;br /&gt;Simply put, opt-out cookies are a game changer. Once consumers affirmatively state their desire to not be tracked, companies cannot continue the cycle of innovating around blocking technologies. For the advertisers, the game is over.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Best practices, defense in depth&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;The funny thing is, you don't need to actually accept third party cookies to get the benefits of opt-out cookies.&lt;br /&gt;&lt;br /&gt;On my own computer, I disable all third party cookies, I've set the browser to clear all cookies upon starting, and I use the awesome AdBlock Plus and NoScript. However, I still use my own opt-out cookie add-on.&lt;br /&gt;&lt;br /&gt;With the other technologies and policies that I've set, no advertising network can use the existing cookie based technologies in order to track and target me. Some might say that the opt-out cookies provide no added value.&lt;br /&gt;&lt;br /&gt;However, I see them as a form of defense-in-depth. 
If these advertising firms find a way around AdBlock Plus, and innovate around the third party cookie block, my positive declaration of my desire to not be targeted might provide me with some more protection.&lt;br /&gt;&lt;br /&gt;At the very least, if the advertisers are ever caught tracking opted-out users via some other technology, my own use of opt-outs will give me a far better position, should I wish to take legal action.&lt;br /&gt;&lt;br /&gt;So -- what are you waiting for? Download the &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/11073"&gt;Targeted Advertising Cookie Opt-Out (TACO)&lt;/a&gt; add-on today.</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/3089665211051226202/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=3089665211051226202' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3089665211051226202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3089665211051226202'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/03/benefits-of-using-opt-outs.html' title='The benefits of using opt-outs'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-16750015.post-3311595493073433688</id><published>2009-03-18T22:35:00.004-04:00</published><updated>2009-03-19T00:13:16.126-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cookies'/><category scheme='http://www.blogger.com/atom/ns#' term='akamai'/><category scheme='http://www.blogger.com/atom/ns#' term='advertising'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Some companies get it</title><content type='html'>This afternoon, I received a call from Aaron Ahola, the Chief Privacy Officer at Akamai. He had seen &lt;a href="http://paranoia.dubfire.net/2009/03/freedom-from-evil-cookies.html"&gt;my blog post from last week&lt;/a&gt; describing my &lt;a href="https://addons.mozilla.org/en-US/firefox/addon/11073"&gt;new opt-out cookie Firefox add-on&lt;/a&gt; (200 active users on Monday, 1000 users on Tuesday, 3000 on Wednesday), and the problems I had noted with the opt-out cookies used by several advertising networks (including his own).&lt;br /&gt;&lt;br /&gt;Aaron told me that he looked into the advertising opt-out cookie issue and confirmed that what I had reported was true -- that Akamai was giving users an identifiable opt-out cookie when they asked to not be tracked.&lt;br /&gt;&lt;br /&gt;Not only did he understand the privacy issues at play, but he immediately asked his engineers to look into the issue and fix it.&lt;br /&gt;&lt;br /&gt;As of 4PM today, Akamai's advertising system now uses generic, non-identifiable opt-out cookies.&lt;br /&gt;&lt;br /&gt;While this pleases me immensely, I am more shocked than anything. 
Just 5 days after I started to tinker with the code for Google's open-source &lt;a href="http://www.google.com/ads/preferences/plugin/"&gt;Advertising Cookie Opt Out Plugin&lt;/a&gt;, Akamai pushed through a change in policy across its entire advertising system.&lt;br /&gt;&lt;br /&gt;Not only was this the right decision, but it was damn fast.&lt;br /&gt;&lt;br /&gt;After working so much over the last few years to &lt;a href="http://news.cnet.com/8301-13739_3-10038963-46.html"&gt;debunk&lt;/a&gt; the &lt;a href="http://news.cnet.com/8301-13739_3-10075488-46.html"&gt;doublespeak&lt;/a&gt; echoed by the &lt;a href="http://news.cnet.com/8301-13739_3-9854409-46.html"&gt;privacy czars&lt;/a&gt; at companies like Google and Facebook, it is refreshing to find someone who speaks honestly, understands the concerns of the privacy community, and is willing to fix a flawed policy when it is pointed out.&lt;br /&gt;&lt;br /&gt;Bravo, Akamai. Now, let's see if the remaining advertising networks will show themselves to be as savvy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/16750015-3311595493073433688?l=paranoia.dubfire.net'/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://paranoia.dubfire.net/feeds/3311595493073433688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=16750015&amp;postID=3311595493073433688' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3311595493073433688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/16750015/posts/default/3311595493073433688'/><link rel='alternate' type='text/html' href='http://paranoia.dubfire.net/2009/03/some-companies-get-it.html' title='Some companies get it'/><author><name>Christopher Soghoian</name><uri>http://www.blogger.com/profile/08950937382104783909</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='07808218650003766729'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry></feed>
