MEP explains the security problem with militarizing the Internet

The Dutch MEP Marietje Schaake has a fantastic, must-read essay on the problem with "cyber-war." She lays out the case for securing the Internet (and the world of people and systems that rely on it) through fixing vulnerabilities and making computers and networks as secure and robust as possible, rather than relying on weaknesses in security as vectors for attacking adversaries.

Mass surveillance, mass censorship, tracking and tracing systems, as well as hacking tools and vulnerabilities can be used to harm people as well as our own security in Europe. Though overregulation of the internet should never be a goal in and of itself, regulation of this dark sector is much needed to align our values and interests in a digital and hyper-connected world. There are many European examples. FinFisher software, made by the UK’s Gamma Group, was used in Egypt while the EU condemned human rights violations by the Mubarak regime. Its spread to 25 countries is a reminder that proliferation of digital arms is inevitable.

Vupen is perhaps best labelled as an anti-security company in France that sells software vulnerabilities to governments, police forces and others who want to use them to build (malicious) software that allows infiltrating people’s or governments’ computers.

It is unclear which governments are operating on this unregulated market, but it is clear that the risk of creating a Pandora’s box is huge if nothing is done to regulate this trade by adopting reporting obligations. The US government has stated that American-made lawful intercept technologies have come back as a boomerang when they were used against US interests by actors in third countries. Other companies, such as Area Spa from Italy, designed a monitoring centre, and had people on the ground in Syria helping the Assad government succeed in anti-democratic or even criminal behaviour by helping the crackdown against peaceful dissidents and demonstrators.

It's just not good policy to make the people who are supposed to be securing our computers dependent on insecurity in computers to achieve that end.

In defense of digital freedom (via Techdirt)

Perils of smart cities

Here's an excellent piece on the promise and peril of "smart cities," which could be part of a system to make cities fairer and more transparent, or could form the basis for an authoritarian lockdown. As Adam Greenfield says, "[the centralized model of the smart city is] disturbingly consonant with the exercise of authoritarianism." The author mentions Greenfield's upcoming book "The City is Here for You to Use" (a very promising-looking read) as well as Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia, which is out in the fall.

These critics are advocating not that cities shun technology, but that they foster a more open debate about how best to adopt it—and a public airing of the questions cities need to ask. One question is how deeply cities rely on private companies to set up and maintain the systems they run on. Smart-city projects rely on sophisticated infrastructure that municipal governments aren’t capable of creating themselves, Townsend points out, arguing that the more they rely on software, the more cities are increasingly shunting important civic functions and information into private hands. In recent talks and in his upcoming book, “Smart Cities: Big Data, Civic Hackers, and the Quest for a New Utopia,” Townsend portrays companies as rushing to become the indispensable middlemen without which the city cannot function.

Cities can easily lose leverage to private companies their citizens rely on, as the persistent battles of political leaders against telecom companies over price increases show. And private-sector software can operate behind a veil: Townsend says that while cities have made lots of data freely available online, there’s less concern about opening up the proprietary tools used to analyze that data—software that might help a city official decide who is eligible for services, or which neighborhoods are crime hotspots. “It’s the algorithms in government that need to be brought out to the light of day, not the data,” he says. “What I worry about are the de facto laws that are being coded in software without public scrutiny.”

Another concern is what will be done to protect the huge amount of data cities can gather about their citizens. The wealth of video at the Boston Marathon bombings, though it came from private cameras, showed how useful surveillance footage can be—and also how pervasive. Cameras, sensors, and tracking technologies like the Mass Pike’s EZPass can reveal a great deal about your life: where you live and travel, what you buy, even what time you take a shower. Smart grid utility-metering systems, for instance, collect and transmit detailed energy consumption information, which help consumers understand and curb their energy use but can also reveal their habits. As such, they have come under fire for threatening privacy and civil liberties, and several states have adopted legislation governing what kind of data can be shared with third parties and how customers can opt out. In Massachusetts, automated license plate recognition technology used by police cruisers has raised concerns about authorities tracking the whereabouts of citizens. The American Civil Liberties Union of Massachusetts has been pushing for a License Plate Privacy Act that would limit law enforcement’s ability to retain and use the information.

The too-smart city [Courtney Humphries/Boston Globe]

(via Beyond the Beyond)

Computer scientists to FBI: don't require all our devices to have backdoors for spies

In an urgent, important blog post, computer scientist and security expert Ed Felten lays out the case against rules requiring manufacturers to put wiretapping backdoors in their communications tools. Since the early 1990s, manufacturers of telephone switching equipment have had to follow a US law called CALEA that says that phone switches have to have a deliberate back-door that cops can use to secretly listen in on phone calls without having to physically attach anything to them. This has already been a huge security problem -- through much of the 1990s, AT&T's CALEA controls went through a Solaris machine that was thoroughly compromised by hackers, meaning that criminals could listen in on any call; during the 2005/6 Olympic bid, spies used the CALEA backdoors on the Greek phone company's switches to listen in on the highest levels of government.

But now, thanks to the widespread adoption of cryptographically secured messaging services, law enforcement is finding that its CALEA backdoors are of declining utility -- it doesn't matter if you can intercept someone else's phone calls or network traffic if the data you've captured is unbreakably scrambled. In response, the FBI has floated the idea of "CALEA II": a mandate to put wiretapping capabilities in computers, phones, and software.

As Felten points out, this is a terrible idea. If your phone is designed to secretly record you or stream video, location data, and messages to an adverse party, and to stop you from discovering that it's doing this, it puts you at huge risk when that facility is hijacked by criminals. It doesn't matter if you trust the government not to abuse this power (though, for the record, I don't -- especially since anything mandated by the US government would also be present in devices used in China, Belarus and Iran) -- deliberately weakening device security makes you vulnerable to everyone, including the worst criminals:

Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.

Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.

Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.

Felten's remarks summarize a report [PDF] signed by 20 distinguished computer scientists criticizing the FBI's proposal. It's an important read -- maybe the most important thing you'll read all month. If you can't trust your devices, you face enormous danger.

CALEA II: Risks of wiretap modifications to endpoints

TSA hearing for "Naked American Hero" John Brennan

Remember our happy mutant comrade John Brennan, who removed his clothes at the Portland Airport during a TSA screening? He was acquitted of a ridiculous indecent exposure charge, and now he is appealing an equally stupid fine from the Transportation Security Administration for “interfering with the screening process.” This might sound silly, but it's serious business. As Brennan points out in his press release below, "This is the first time the TSA has followed through on assessing civil penalties for 'interference with screening' purely for nonviolent, non-obstructive protected expressive conduct."

I'm grateful to Brennan for being a civil liberties champion.


Short UK documentary about woman threatened with terrorism charges for videorecording cops while they stop-and-searched her boyfriend on the tube

Gemma sez, "You wrote a blog post about how I was assaulted by the police after filming my boyfriend being searched, back in 2009. The publicity we got from your post and the other press we got (Guardian and BBC) helped make thousands more people aware of this issue, which led to the Metropolitan police eventually having to change their guidelines on photographing and filming the police. It was always my aim to get section 58a of the Terrorism Act clearer to all citizens in the UK and this hasn't changed. Today I'm releasing the animated short film about the case - it deals with broad issues of police accountability and citizens' rights as well as the specifics of my case. We also hope it entertains you on its way."

Act of Terror

Obama's regressive record makes Nixon look like Che

Redditor Federal Reservations has made a handy post enumerating all the regressive, authoritarian, corporatist policies enacted by the Obama administration in its one-and-a-bit terms. You know, for someone the right wing press likes to call a socialist, Obama sure makes Richard Nixon look like Che Guevara. And what's more, this is only a partial list, and excludes the parade of copyright horrors and bad Internet policy emanating from the White House, via Joe Biden's push for Six Strikes, the US Trade Rep's push for secret Internet censorship and surveillance treaties like TPP and ACTA and TAFTA; the DoJ's push to criminalize every Internet user by expanding the CFAA, and much, much more.

Obama extends Patriot Act without reform - [1]
http://articles.nydailynews.com/2011-05-27/news/29610822_1_terrorist-groups-law-enforcement-secret-intelligence-surveillance

Signs NDAA 2011 (and 2012, and 2013) - [2]
http://www.forbes.com/sites/erikkain/2012/01/02/president-obama-signed-the-national-defense-authorization-act-now-what/

Appeals the Federal Court decision that “indefinite detention” is unconstitutional - [3]
http://www.activistpost.com/2013/02/ndaa-hedges-v-obama-did-bill-of-rights.html

Double-taps a 16-year-old American-born US citizen living in Yemen, weeks after the boy's father was killed. Administration's rationale? He "should have [had] a far more responsible father" - [4]
http://www.washingtonpost.com/world/national-security/anwar-al-awlakis-family-speaks-out-against-his-sons-deaths/2011/10/17/gIQA8kFssL_story.html

Continues to approve drone strikes that kill thousands of innocent civilians including women and children in Pakistan, Yemen, and other countries that do not want the US intervening; meanwhile, according to the Brookings Institute's Daniel Byman, we are killing 10 civilians for every one mid- to high-level Al Qaeda/Taliban operative. This is particularly disturbing, since any military-aged male in a strike zone is now officially considered an enemy combatant - [5]
http://www.telegraph.co.uk/news/worldnews/asia/pakistan/7361630/One-in-three-killed-by-US-drones-in-Pakistan-is-a-civilian-report-claims.html

Protects Bush’s war crimes as State Secrets - [6] [7] [8]
http://www.salon.com/2010/09/08/obama_138/
https://www.eff.org/deeplinks/2009/04/obama-doj-worse-than-bush
http://washingtonindependent.com/33985/in-torture-cases-obama-toes-bush-line

Waives sections of a law meant to prevent the recruitment of child soldiers in Africa in order to deepen military relationship with countries that have poor human rights records - [9]
http://thecable.foreignpolicy.com/posts/2010/10/26/why_is_obama_easing_restrictions_on_child_soldiers


Today, we save the Internet (again): fix the CFAA!

Read this if you want to stay out of jail.

When my friend Aaron Swartz committed suicide in January, he’d been the subject of a DoJ press-release stating that the Federal prosecutors who had indicted him were planning on imprisoning him for 25 years for violating the terms of service of a site that hosted academic journals.


What problem are we trying to solve in the copyright wars?

My latest Guardian column is "Copyright wars are damaging the health of the internet" and it looks at what we really need from proposed solutions to the copyright wars:

I've sat through more presentations about the way to solve the copyright wars than I've had hot dinners, and all of them have fallen short of the mark. That's because virtually everyone with a solution to the copyright wars is worried about the income of artists, while I'm worried about the health of the internet.

Oh, sure, I worry about the income of artists, too, but that's a secondary concern. After all, practically everyone who ever set out to earn a living from the arts has failed – indeed, a substantial portion of those who try end up losing money in the bargain. That's nothing to do with the internet: the arts are a terrible business, one where the majority of the income accrues to a statistically insignificant fraction of practitioners – a lopsided long tail with a very fat head. I happen to be one of the extremely lucky lotto winners in this strange and improbable field – I support my family with creative work – but I'm not parochial enough to think that my destiny and the destiny of my fellow 0.0000000000000000001 percenters are the real issue here.

What is the real issue here? Put simply, it's the health of the internet.

Copyright wars are damaging the health of the internet

UK Open Rights Group is holding its first ever digital rights conference in the north

Ruth from the UK Open Rights Group sez:

ORGCon North is the first regional conference to build on the success of the national sell-out event, ORGCon, which takes place in London every year. On Saturday 13th April Open Rights Group, the UK digital rights campaigning organisation, will be running ORGCon North at the Manchester Friends' Meeting House. The event is a great introduction to digital rights issues that affect every internet user - like freedom from surveillance and free speech on Twitter and Facebook. The event runs from 11am till 5pm and is hosted by ORG-Manchester, the local campaigning group.

ORGCon North gathers experts from many technology fields and civil liberties groups across the country debating some of the big issues like: Will copyright eat the internet? Do we have a right to be offensive? There will be a keynote speech from John Buckman, chair of the Electronic Frontier Foundation (EFF) and founder of the independent record label Magnatune. He will be talking about upcoming challenges to digital rights, drawing on his experiences in the UK and US. Open Rights Group are also offering an 'unconference track' with room for anyone to lead sessions or pop up a debate, to build the conference they want.

Individual tickets are priced at £11 or £6 for ORG supporters. Tickets are free if you join ORG this month.

ORGCon North 2013 (Thanks, Ruth!)

Politely refusing to talk to DHS checkpoints

Hugh sez, "Apparently DHS checkpoints nowhere near the border are a new thing. This video cuts together recordings of such encounters and citizens' polite refusal to answer questions."

Top quote: "Am I being detained?"

Checkpoints (some would say illegal checkpoints) have been popping up quite frequently in the USA. As you see in this video, you DO NOT have to comply with their questions or demands. Don't forget, you have rights.

Top DHS checkpoint refusals (Thanks, Hugh!)

MacLeod's dystopian masterpiece Intrusion in paperback

Ken MacLeod's amazing dystopian novel Intrusion is out in paperback today. Here's my review from last March:

Ken MacLeod's new novel Intrusion is a new kind of dystopian novel: a vision of a near future "benevolent dictatorship" run by Tony Blair-style technocrats who believe freedom isn't the right to choose, it's the right to have the government decide what you would choose, if only you knew what they knew.

Set in North London, Intrusion begins with the story of Hope, a mother who has become a pariah because she won't take "the fix," a pill that repairs known defects in a gestating fetus's genome. Hope has a "natural" toddler and is pregnant with her second, and England is in the midst of a transition from the fix being optional to being mandatory for anyone who doesn't have a "faith-based" objection. Hope's objection isn't based on religion, and she refuses to profess a belief she doesn't have, and so the net of social services and laws begins to close around her.

MacLeod widens the story from Hope, and her husband Hugh (a carpenter working with carbon-sequestering, self-forming "New Wood") who has moved to London from an independent Scotland, and whose childhood hides a series of vivid hallucinations of ancient people from the Ice Age-locked past. Soon we're learning about the bioscientists who toil to improve the world's genomes, the academics who study their work, the refuseniks who defy the system in small and large ways, and the Naxals, city-burning wreckers who would obliterate all of society. The Naxals, along with a newly belligerent India and Russia, are a ready-made excuse for a war-on-terror style crackdown on every corner of human activity that includes ubiquitous CCTV, algorithmic behavior monitors, and drones in every corner of the sky.

With Intrusion, MacLeod pays homage to Orwell, showing us how a society besotted with paternalistic, Cass Sunstein-style "nudging" of behavior can come to the same torturing, authoritarian totalitarianism of brutal Stalinism. MacLeod himself is a Marxist who is lauded by libertarians, and his unique perspective, combined with a flair for storytelling, yields up a haunting, gripping story of resistance, terror, and an all-consuming state that commits its atrocities with the best of intentions.

Intrusion

Transcript of Lessig's talk: "Aaron's Law"

On Naked Capitalism, The Unknown Transcriber has transcribed the full text of Lawrence Lessig's Aaron's Law talk, which was one of Larry's finest moments.

So Aaron was a hacker. But he was not just a hacker. He was an Internet activist, but not just an Internet activist. Indeed, the most important part of Aaron’s life is the part most run over too quickly – the last chunk, when he shifted his focus from this effort to advance freedom in the space of copyright, to an effort to advance freedom and social justice more generally.

And I shared this shift with him. In June of 2007 I too announced I was giving up my work on Internet and copyright to work in this area of corruption. And I’m not sure when for him this change made sense, but I’m fairly sure when it made sense for me. Happened in 2006. Aaron had come to a conference, the C3 conference, the 23rd C3 conference in Berlin, and I was with my family at the American Academy in Berlin and Aaron came to visit me. And we had a long conversation, and in the course of that conversation Aaron said to me, how are you ever going to make progress in the areas that I was working on, copyright reform, Internet regulation reform, so long as there is, as he put it, this, quote, “corruption” in the political field. I tried to deflect him a bit. I said, “Look, that’s not my field.” Not my field. And he said, “I get it. As an academic, you mean?” And I said, “Yes, as an academic, that’s not my field.” And he said, “And as a citizen, is it your field?” As a citizen is it your field?

And this was his power. Amazing, unpatented power. Like the very best teachers, he taught by asking. Like the most effective leaders, his questions were on a path, his path. They coerced you, if you wanted to be as he was. They forced you to think of who you were and what you believed in and decide, were you to be the person you thought you were? So when people refer to me as Aaron Swartz’s mentor, they have it exactly backwards. Aaron was my mentor. He taught me, he pushed me, he led me. He led me to where I work today.

Transcript: Lawrence Lessig on “Aaron’s Laws – Law and Justice in a Digital Age”: Section I

EFF-Austin benefit after Cory's Book People event on Feb 22

After my event at Austin's Book People on Feb 22, I'll be doing a benefit for EFF-Austin on their location privacy campaign. We did this the last time I came through town and it was tremendous -- come on out!

An evening with Cory Doctorow and EFF-Austin

Cypherpunks: articulates and challenges Internet freedom

Cypherpunks -- a quick, stirring, scary read -- transcribes a wide-ranging conversation between Wikileaks co-founder Julian Assange, Jacob Appelbaum (Wikileaks/Tor Project), Andy Müller-Maguhn (Chaos Computer Club) and Jérémie Zimmermann (La Quadrature Du Net).

Edited together in thematic chapters (The Militarization of Cyberspace, Fighting Total Surveillance With the Laws of Physics, Private Sector Spying), Cypherpunks exceeded my expectations. I know some of the book's protagonists personally and know how smart and principled they are. But I was afraid, going into this, that what would emerge would be a kind of preaching-to-the-choir consensus, because all four of the participants are on the same side.

Instead, I found Cypherpunks to be a genuine debate, where each speaker's best arguments -- well-polished, well-spoken, and convincing -- were mercilessly tested by the others, who subjected them to hard questions and rigorous inspection. Most of our discussions about Wikileaks lack nuance, and they're often hijacked by personal questions about Assange. Whatever you feel about Assange, he is not Wikileaks -- Wikileaks is an activity, not an organization, and its participants, including Bradley Manning, are engaged in something important and difficult and fraught, and there is a place for a debate about whether the tactics of Wikileaks best serve the strategic end of a free and open Internet in a just and humane society.

The debate recorded in Cypherpunks -- though leavened with humor and easy to follow -- covers a lot of nuance of the sort that has been missing from the discussion. The wider points -- that the universe's in-built mathematics favor the keeping of secrets because it is easier to encrypt a message than decrypt it, say -- may dazzle, but the getting down to cases afterward, the chewing the point over and challenging it, that's where the book shines.

There aren't many titles that pack as much argument, ambiguity and theory into as small a package as Cypherpunks. It's a book you can read in an hour or two, but you'll be thinking about it for years.

Cypherpunks

ACLU guide to running an online business that respects privacy & free speech

Danielle from the ACLU sez, "The ACLU has just released a new guide for tech companies on why they should and how they can better protect user privacy and free speech. The guide features dozens of real-life case studies from A(mazon) to Z(ynga) and updated recommendations for policies and practices to take the guesswork out of avoiding expensive lawsuits, government investigations, and public relations nightmares. It walks companies through essential questions and lays out steps to spot potential privacy and free speech issues in products and business models and address these issues head-on."

Five things companies can do to protect user privacy and free speech:

Respect your data.
Companies should carefully evaluate the costs of collecting and retaining data to avoid the fallout, lawsuits, and government fines that Path suffered for silently uploading users’ contacts.

Stand up for your users’ rights.
Companies can earn public praise and user trust for protecting user privacy rights like Amazon or for supporting free speech like Facebook.

Plan ahead.
Incorporate privacy and security from start to finish, and evaluate these practices as the company grows.

Be Transparent.
Give users the ability to make informed choices by letting them know what data you collect, and how it can be used, shared, or demanded by the government. Transparency reports like Google’s are important tools.

Encourage users to speak freely.
Give users control over the content they access and the tools they use rather than censoring content like PayPal.

ACLU Guide: Tips for Companies on Protecting User Privacy and Free Speech in 2013 (Thanks, Danielle!)