Category Archives: Privacy

CISA is a terrible cybersecurity law

In what has become an annual tradition, Congress has renewed their efforts to pass some type of cybersecurity legislation. For the past four years, privacy advocates and security experts have consistently opposed these bills due to inadequate protections of American civil liberties, and this year’s offering, the Cybersecurity Information Sharing Act (CISA), is no exception.

CISA greatly expands the scope of government surveillance at the expense of American civil liberties. The bill would allow private companies to share any data they’ve created and collected with the government, who could then use it for their own purposes.

Data sharing can be useful, of course. To combat cyberthreats, private companies already share data with each other, and refer to this type of sharing as “threat intelligence.” Threat intelligence isn’t perfect, but helps companies identify dangers online in order to mitigate risks and secure their networks.

But this bill goes much further than that. CISA makes all information-sharing easier between the private sector and the government, not just for information relating to threats. For example, the federal government could use data collected from Google or Facebook during a criminal investigation. This violates the principle of due process, which suggests that courts should have oversight into how government agencies conduct investigations.

In this sense, CISA provides a clear way for the government to get around warrant requirements.

In exchange for providing this information, the bill grants legal immunity to private companies who break the law or who have poor network security. Thanks to this provision, it’s no surprise that industry groups like the Chamber of Commerce and the Financial Services Roundtable have been lobbying for this bill. CISA would also create a new exemption to Freedom of Information laws, preventing Americans from discovering what data about them is being shared with the government.

This immunity means that the government will be unable to prosecute companies who do not adequately protect their customers’ data. This is likely to lead to fewer resources being dedicated to cybersecurity threats, as the threat of a fine or lawsuit is reduced.

The growing volume of data that private companies gather on Americans makes this legislation more problematic. Google knows the contents of your email, as well as your search history, videos you’ve watched, and even where you’ve been. Facebook knows who your friends are, what type of articles you like, and whose profile you’re most likely to click on. To grant the government access to this information with no oversight on how it is used is not only unconstitutional, but also morally objectionable.

CISA advocates claim that there are adequate privacy protections to “scrub” personal data before it reaches the FBI or NSA. But included in the bill are loopholes which allow for unfettered access to this personal data at the discretion of these same government agencies.

If Congress is serious about addressing the evolving threats posed by criminals online, there are a number of proactive steps that should be taken. The Computer Fraud and Abuse Act of 1986 is in need of an overhaul. It’s ridiculous that our primary law written to stop computer crimes was written when the chief threat to the United States was the Soviet Union. As currently written, the law prevents security researchers from doing their jobs, such as building tools that help mitigate threats before the bad guys exploit them.

Second, Congress needs to get serious about the threat posed by the ‘Internet of Things’. We know that Volkswagen intentionally evaded emissions testing by writing a few extra lines of computer code. We need to know that our self-driving cars, voting machines, and medical devices are working properly and securely, and we cannot do so without being able to audit the code that powers them. We shouldn’t wait until a criminal takes control of these devices to begin properly securing our infrastructure.

We need legislation that addresses current and future threats. There are few, if any, cybersecurity experts that believe this bill will improve overall security. Nothing in the bill would have prevented major data breaches like what occurred at the Office of Personnel Management, which exposed the personal details of millions of innocent Americans, some at the highest levels of government. To the contrary, this bill would put even more data on the same insecure government servers that have already been exploited by criminals.

PostScript

I was hoping to have an edited version of the above published somewhere, but with the vote being likely to happen tomorrow, there isn’t enough time. That said, below are some accompanying notes for those who want to dig a bit deeper.

The first glaring hole with this bill is the lack of cybersecurity professionals who support it. I actually scoured the Internet to find someone respected within the industry who thought this was a good bill, and was unable to find a single one. On most other security-related issues, such as the potential regulation of 0day markets, there are a few different camps that security experts fall into. There is no such pro-CISA camp.

While I often side with the EFF on Internet-related issues, even experts that I usually disagree with politically are opposed to this. This letter in opposition to CISA features many respected information security experts (including Bruce Schneier), and Brian Krebs has also commented on why the bill is misguided:

So when experts are opposed to such a bill, who exactly is supporting it? As I mentioned above, the Chamber of Commerce and Financial Services Roundtable are two of the industry groups that support it, and the reasoning is obvious. Companies and banks that have poor information security practices become immune to cybersecurity-related lawsuits, provided they share their data with the government.

This incentive also makes data-sharing for companies less than the “voluntary” proposition that advocates claim. Instead of securing their networks, CISA creates a perverse incentive to reduce the impact of network security when doing a cost-benefit analysis. If this bill passes, there are two important ways to reduce the risk of a cybersecurity-related lawsuit: secure your network OR share your data with the government. While some companies like Facebook and Google will never share *all* their data with the government, they would be foolish to not share *just enough* data to keep themselves immune from lawsuits.

While often the backing of the financial industry is enough to pass legislation, they have a powerful ally in the intelligence community. Here’s some good reading on the intelligence community’s potentially changed role if CISA passes.

But to me, the key reason I dislike this bill is deception. I don’t like that this is called a “cybersecurity” bill. It’s a surveillance bill. Snowden’s revelations have shifted the political landscape to largely oppose state surveillance, which makes it amazing that a bill which hands over large amounts of data to the state is close to passage.

As I briefly mentioned at the outset of my initial piece, some of this has to do with issue fatigue. After witnessing the eventual passage of this bill (I consider it the successor of CISPA, first introduced in 2011), I am much more pessimistic about the future of American politics. The voice of industry professionals and civil liberties groups will never be as loud and sustained as those of industry groups who represent clients who all stand to benefit.

But the other reason I hate this bill is that it confuses real security with a false sense of security. The classic misdirectional dialogue applies:

“The situation is bleak, something must be done.”

“This is something, therefore this must be done!”

The Internet of Things presents an entirely new, and more immediate problem. We’re living in a world where new devices are not only running more code than ever, but are also reliant upon internet connections in new ways. Why does my thermostat need to be connected to the internet in order to keep my house’s temperature steady? Dick Cheney’s doctor disabled the WiFi on his patient’s pacemaker due to the threat posed by hackers, so why do the rest of American citizens accept such a risk?

They don’t, they’re just unaware of the reality of the threat. These threats will only increase as we push towards “modernization” without any thought for the consequences. I’ll write a bit more on the problems with the security of the Internet of Things in the coming months on my blog.

And finally, I’ve linked to her blog multiple times in this post, but there was another good post over at emptywheel which sums up why this is a bad bill.

National Security Letters and the USA Freedom Act

Several sections of the Patriot Act were allowed to expire at midnight on May 31, 2015, including the controversial Section 215, which allowed for government collection of bulk phone records, among other things. All indications are that the collection of bulk records will resume under the USA FREEDOM Act, but with slightly different verbiage which should allow for greater oversight. It’s not a perfect solution, but making small steps in the right direction is progress, especially in a politically-charged legislative environment (seems like things get done when Presidential Hopefuls take an interest in showcasing their “leadership” skills on certain issues).

Other reforms which are unrelated to Section 215 have also been introduced by the USA FREEDOM Act. One overlooked reform effort relates to the use of National Security Letters (NSLs) during government investigations.

In the past, when a government agency such as the FBI has requested documents or information from a person or entity, the request has been accompanied by a gag order which prevents the person who received the letter from disclosing its existence. Over 300,000 NSLs have been issued since 2004, making them a powerful investigative tool which can be used without any judicial oversight. Nick Merrill was the recipient of one such NSL, and he was technically not allowed to tell anyone, even his lawyer, about it (he did anyway and successfully sued the US government). A group of librarians also sued the US government after receiving requests for information on library patrons with such a gag order attached.

The new provision still allows for these gag orders, but opens the door slightly wider for a challenge, as recipients are now allowed to share their existence with their lawyer. It’s disappointing to admit that a law which allows sharing information with a lawyer is considered progress, but it’s a reminder of how backwards some Patriot Act provisions are.

Of course, the USA FREEDOM Act does not solve the actual problem, which is that the FBI can still issue NSLs without any judicial oversight. Police are required to go to judges with evidence before they are issued a warrant. If the FBI is not held to a similar standard, NSLs essentially act as unsigned warrants which allow for unchecked power and the abuse that comes with it. I believe we should continue to fight for the abolition of NSLs, as all law enforcement actions need to be accountable. Even the President’s Review Group on Intelligence and Communications Technologies suggested that NSLs be subject to more stringent oversight (p. 89).

Letter to NY Times public editor

I’m trying to get in the habit of cc’ing the internet when I write to institutions, so here’s an email I sent to the New York Times public editor. I’ll update with any response I receive.

To the Public Editor,

I am writing today about “Eyes Everywhere”, a Sunday Book Review of Glenn Greenwald’s recent memoir. I found it on the web and am unclear on whether it has been published in the paper or not.

My primary criticism, which I will keep brief, boils down to the fact that this writer is clearly biased against Mr. Greenwald. While I appreciate the candor of the reviewer – no attempt to conceal the bias is made – perhaps there is someone else who could review the book who doesn’t have such an axe to grind? His sweeping generalizations (“Greenwald quotes any person or publication taking his side in any argument”), defense of weak journalism practices (“It seems clear, at least to me, that the private companies that own newspapers, and their employees, should not have the final say over the release of government secrets, and a free pass to make them public with no legal consequences. In a democracy (which, pace Greenwald, we still are), that decision must ultimately be made by the government.”), and assertions that Greenwald has been reckless with his reporting are all examples of a lazy review.

For the record, I’m currently a little over halfway through the book, and while it’s just a memoir and might only be interesting to a small group of people, I don’t think a book review is an appropriate place for the New York Times to continue its criticisms of Mr. Greenwald. Furthermore, I hope that the editors of the New York Times do not share Mr. Kinsley’s views regarding the role of journalism in modern society. Expecting transparency from government institutions without the ability for journalists to publish government documents is a hopelessly naive position to take.

Best 30c3 videos

One of my favorite hacker conferences, the Chaos Communication Congress, has just ended. The most famous talk so far was given by Jacob Appelbaum, who detailed the ways that the NSA can intercept communications. It was an interesting talk if you’re following the NSA scandal, and I recommend you watch it – and since it’s going to be freezing cold out tomorrow, what else are you going to do?

But there are some other wonderful talks to come out of this conference. My personal favorite is called Seeing the Secret State: Six Landscapes. An artist essentially attempts to “see” secrecy by tracking down the remnants that are still part of the non-secret world:

Another great talk is by Kurt Opsahl of the EFF, who details the NSA revelations and their relation to the law. I try to pay attention to this and keep all the codenames straight and I still can’t do it, but this is a great one-hour overview.

Two security researchers look into how governments use third-party tools to monitor journalists and dissidents. This talk focuses on governments that are not the United States, and much of the research is firsthand.

If you want some historical context of how governments have always attempted to surveil their citizens, there are a couple of great talks that touch on the subject. The first is an analysis of surveillance and policing during the Romantic Age, and the second is an even broader look at how/why governments act the way they do – frequently to preserve their own power through technology. Both worth a watch.

Also, learn about how national ID cards are used in China. In a trial city of “only” 10 million, the cards contain information such as medical records and political history, and the talk examines how this impacts human rights. (Funny how “human rights” is invoked when mass surveillance happens in another country, yet it’s necessary to “prevent terrorism” at home.)

There’s more that you should be watching, but the above talks are probably the most accessible for a non-technical audience. If nothing else, check out Six Landscapes – fascinating stuff.

Props to The Google

Someone asked me after I gave a brief talk on data mining last week, “So how does the government technically get this data from Google?” The next day, Google actually published some data on the National Security Letters they had received. This is definitely a step in the right direction.

I’d write more on this, but others have done so already. I recommend this piece by the ACLU, and this one by the EFF if you’d like to know more about this – I consider this as big a threat to due process as extrajudicial drone killings, but since actual death isn’t immediately involved, the topic tends to fly under the radar.

Quick aside on drones

In general, I try to avoid hearing about news when an interest of mine becomes enmeshed with some part of the political process. But it’s difficult to avoid the recent controversy surrounding John Brennan’s nomination to lead the CIA. (Also, I wish he had a different last name because I keep thinking about how Justice William Brennan would make a fine CIA director.)

The entire “drone-killing” issue has many interesting moral wrinkles (as does the topic of drone surveillance generally speaking, but that ship has sailed), such as nation-state sovereignty, the estimated accuracy of targeting information, whether anyone still has a right to trial, acceptability of collateral damage, etc. I hope most people would agree that the thought of the United States government ordering a drone strike against its own citizens because it’s too difficult to go to trial is absolutely sickening. The United States is already willing to perform extrajudicial assassinations in Pakistan, so I don’t think it’s too much of a stretch for the government to consider using them domestically.

Also, consider what exactly a drone can do. A drone cannot arrest a suspect. A drone cannot command someone to stop. A drone cannot die. When a cop shoots someone, it’s generally either to protect himself, or to protect those in the area, and that killing is justified. Obviously a drone COULD be equipped with less-than-lethal force, but this hasn’t been a very high priority in the world of drones.

The removal of due process from our legal system is the real issue here, and it’s always amusing when I find myself aligning with a representative whose name ends with Paul…something about a broken clock being right twice a day?

Nice Ride and user privacy – crossing the line

I’m a really big fan of Nice Ride, the bike-sharing program we have here in the Twin Cities. It’s a great way to encourage cycling (especially for beginners) and exploration of the cities – there are so many little wonderful things you miss when you’re in a car or riding the bus. That’s why I was disappointed when Nice Ride disclosed rider data to the public without removing a field which can be used to individually identify riders.

Privacy has been in the Minnesota news recently, when it was discovered that the Minneapolis police department was scanning license plates and using that information to compile a database of driver activity (such as where and when a car was spotted). The mere existence of such a database is disturbing, but is unfortunately not news to those of us who follow the advancing deployment of technology. What was disturbing was that this data was semi-public – anyone could request the locations where a particular license plate was observed, and the police would provide that data. Since this story broke, efforts have been made to reduce the overall scale of the database, in addition to monitoring and/or restricting access to the public.

Nice Ride, on the other hand, apparently has no qualms about publishing their entire database, complete with a unique subscriber ID. This unique subscriber ID allows anyone with a copy of the database to track an individual user’s activity throughout the Nice Ride system. This is useful information for Nice Ride employees who are using this data to figure out how individual riders are using the bikes, allowing Nice Ride to better serve their customers. But releasing this data to the public means that a subscriber ID can be easily linked with an actual person, exposing an individual’s entire ride history. There are many conclusions one can draw about individual Nice Ride users by manipulating this data (and combining it with other data), so let’s take a look!

I’d like to start out by describing the easiest ways to correlate a subscriber ID and an actual user, but I don’t really have the heart to publish a thorough methodology – that’s one of the things I’m deeply opposed to, and is my main grievance with the irresponsible publication of this data. I did not personally use Nice Ride this year, so I don’t even have a subscriber ID in the system. But if you’re a user/consumer of social media, can you remember tweeting or updating your Facebook status when you rode on a Nice Ride? Remember someone else who did? Know of any ways that you can find this info again, as well as the date/time it was published? Well, that’s one way to start. (Again, I apologize for not writing more on this but I’m trying not to go too in-depth. Simple observation is the other obvious way – you saw that cute girl get on a Nice Ride at a certain date/place/time, and while you don’t have her name, now Nice Ride has told you everywhere she has ridden a shared bike)

Once you match a single person to a subscriber ID, the floodgates are open. You get every single individual ride’s start time/date, as well as location, and the same for the destination (time, date, location). It’s also trivial to glance at any person’s data and see if any other user has checked out a bike from the same location within the same timeframe, potentially gaining the subscriber ID of a known acquaintance, spouse, etc.

Or, to take an example from the Minneapolis Bike Love forum:

Let’s say I take a bike out every morning near my house and ride it to work. My ex-wife knows I do this. She uses this information to figure out my subscriber ID because I am the only one who daily takes that bike from there and rides to the location near my work. Using my ID she looks at my other activity. She sees that I am riding places in the middle of the day. She sees that I am riding places when I told her I was out of town. She sees that I am riding around when I told her I was too sick to take the kids. She sees that I am riding to a place where I spent Saturday night and ride away the next morning. I just do not want her knowing that shit and I did not pay NiceRide to tell her.

The bottom line is that publishing this data is irresponsible and potentially dangerous. Bike-share programs in other cities also publish the exact same data (in addition to cool charts), but without the subscriber ID. I support the great things that Nice Ride does in order to make biking more accessible to beginners and those who prefer to avoid the hassle of bike maintenance. But they seriously need to remove just one field before publishing their data.

Update as of 12/8/2012:

Of course there’s one more thing that I neglected to mention in the above post. If you go to Nice Ride’s sign-up page, you’re presented with the user agreement at the bottom. About 2/3 of the way through that document, the section on “Confidential Information” (which is the only aspect of the user agreement related to privacy, as far as I can tell) refers the user to the Privacy Policy on the website.

Now, most modern websites have some sort of Privacy Policy which governs data that is submitted or stored via the website, so that’s kind of sloppy – obviously subscriber ID, check-in times, station locations, etc. are not submitted via the website. And ignoring that oversight, most of the Privacy Policy is relatively standard boilerplate, even the section that reads:

We may share aggregated demographic information (data that cannot identify any individual person) with our partners and sponsors.

The data they have published is not aggregated data (and can potentially be used to identify individuals), and they are not providing it strictly to partners and sponsors, but to the public. There are good reasons for this (so other data nerds can make maps and track behavior). Even if Nice Ride removed the subscriber ID, they would still not be in technical compliance with their policy (because of the aggregation claim), but they would remove the possibility of identification of users, which is all I really care about.
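The two fixes argued for above (drop the subscriber ID field before a trip-level release, and publish aggregated counts if the privacy policy promises aggregation) are simple to make routine. The script below is an added example written for this post, not Nice Ride’s code or data: it audits a CSV export for direct identifier columns and for the birth date/gender/ZIP quasi-identifiers from the 2011 release, writes a copy with those columns removed, and builds station-pair counts per hour with small cells suppressed. The column names, the identifier lists and the `min_count` threshold are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a bike-share trip export, modelled on the fields the
# post describes (subscriber ID plus the 2011 birth date/gender/ZIP columns).
# These rows are invented for illustration; they are not Nice Ride data.
SAMPLE_EXPORT = """\
subscriber_id,start_time,start_station,end_time,end_station,birth_year,gender,zip
10001,2012-06-04 07:52,Lake & Hennepin,2012-06-04 08:10,Nicollet Mall,1970,M,55408
10001,2012-06-05 07:49,Lake & Hennepin,2012-06-05 08:12,Nicollet Mall,1970,M,55408
10002,2012-06-04 07:55,Lake & Hennepin,2012-06-04 08:09,Nicollet Mall,1984,F,55406
10003,2012-06-04 12:30,Nicollet Mall,2012-06-04 12:41,Loring Park,1992,M,55403
10003,2012-06-09 23:15,Loring Park,2012-06-09 23:40,Lake & Hennepin,1992,M,55403
"""

# Assumed column-name lists; extend them to match a real export's schema.
DIRECT_IDENTIFIERS = {"subscriber_id", "member_id", "user_id", "email", "name"}
QUASI_IDENTIFIERS = {"birth_year", "birth_date", "date_of_birth",
                     "gender", "zip", "zip_code"}


def audit_header(header):
    """Report which columns of a release header are direct or quasi identifiers."""
    cols = {c.strip().lower() for c in header}
    return {
        "direct": sorted(cols & DIRECT_IDENTIFIERS),
        "quasi": sorted(cols & QUASI_IDENTIFIERS),
    }


def strip_identifiers(csv_text):
    """Return the trip-level export with every identifier column removed.

    Trip times and stations are kept, so the result still supports the maps
    and behaviour analysis the post mentions, but no column links trips to
    the same rider across days.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = audit_header(reader.fieldnames)
    drop = set(findings["direct"]) | set(findings["quasi"])
    keep = [c for c in reader.fieldnames if c.strip().lower() not in drop]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


def aggregate_trips(csv_text, min_count=2):
    """Count trips per (start station, end station, hour of day).

    Cells with fewer than min_count trips are suppressed, because a count of
    one for a station pair at a given hour describes a single rider's habit.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    counts = Counter()
    for row in reader:
        hour = row["start_time"].split(" ")[1][:2]
        counts[(row["start_station"], row["end_station"], hour)] += 1
    return {cell: n for cell, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("identifier columns found:", audit_header(SAMPLE_EXPORT.splitlines()[0].split(",")))
    print(strip_identifiers(SAMPLE_EXPORT))
    for cell, n in sorted(aggregate_trips(SAMPLE_EXPORT).items()):
        print(cell, n)
```

Running the audit on the sanitized output should report no identifier columns; that check is the one gate a release process needs before a file goes public. The suppression threshold in `aggregate_trips` is a judgement call, but any value above one is what makes the output genuinely “aggregated” in the sense the privacy policy quoted above uses.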

And finally, Nice Ride published a similar dataset in 2011, but included Date of Birth, Gender, and ZIP Code – making it very easy to identify people. It doesn’t appear that they did much about this oversight (other than properly redacting this data in 2012), as Minneapolis Mayor RT Rybak’s subscriber ID appears to be in use in both the 2011 and 2012 data sets (though either he stopped using Nice Ride in May 2012, or was assigned a new subscriber ID – this doesn’t surprise me considering he’s an avid cyclist and probably prefers his own bike). It would have been a smart idea to re-assign subscriber IDs after that inadvertent disclosure.

And if you’re wondering, I did email the Director of IT for Nice Ride prior to publishing this, and he was unconcerned about the privacy implications of publishing the data. I didn’t tell him specifically about the privacy policy violations mentioned in this update, because I thought of that angle after he stopped replying to my email. The EFF sent me a form letter telling me to contact my local bar association, and a reporter from the Star Tribune couldn’t come up with an angle which was appealing enough to readers.

If anyone has any ideas on how to get this resolved (either updating their policy to state that they will share ride data about users, or to stop publishing the subscriber ID field), please let me know and share the link to this post. Thanks!