Boing Boing » privacy

Computer scientists to FBI: don't require all our devices to have backdoors for spies

Cory Doctorow — Fri, 17 May 2013 17:59:45 +0000

In an urgent, important blog post, computer scientist and security expert Ed Felten lays out the case against rules requiring manufacturers to put wiretapping backdoors in their communications tools. Since the early 1990s, manufacturers of telephone switching equipment have had to follow a US law called CALEA that says that phone switches have to have a deliberate back-door that cops can use to secretly listen in on phone calls without having to physically attach anything to them. This has already been a huge security problem -- through much of the 1990s, AT&T's CALEA controls went through a Solaris machine that was thoroughly compromised by hackers, meaning that criminals could listen in on any call; during the 2005/6 Olympic bid, spies used the CALEA backdoors on the Greek phone company's switches to listen in on the highest levels of government.

But now, thanks to the widespread adoption of cryptographically secured messaging services, law enforcement is finding that its CALEA backdoors are of declining utility -- it doesn't matter if you can intercept someone else's phone calls or network traffic if the data you're captured is unbreakably scrambled. In response, the FBI has floated the idea of "CALEA II": a mandate to put wiretapping capabilities in computers, phones, and software.

As Felten points out, this is a terrible idea. If your phone is designed to secretly record you or stream video, location data, and messages to an adverse party, and to stop you from discovering that it's doing this, it puts you at huge risk when that facility is hijacked by criminals. It doesn't matter if you trust the government not to abuse this power (though, for the record, I don't -- especially since anything mandated by the US government would also be present in devices used in China, Belarus and Iran) -- deliberately weakening device security makes you vulnerable to everyone, including the worst criminals:

Our report argues that mandating a virtual wiretap port in endpoint systems is harmful. The port makes it easier for attackers to capture the very same data that law enforcement wants. Intruders want to capture everything that happens on a compromised computer. They will be happy to see a built-in tool for capturing and extracting large amounts of audio, video, and text traffic. Better yet (for the intruder), the capability will be stealthy by design, making it difficult for the user to tell that anything is amiss.
Beyond this, the mandate would make it harder for users to understand, monitor, and fix their own systems—which is bad for security. If a system’s design is too simple or its operation too transparent or too easy to monitor, then wiretaps will be evident. So a wiretappability mandate will push providers toward complex, obfuscated designs that are harder to secure and raise the total cost of building and operating the system.
Finally, our report argues that it will not be possible to block non-compliant implementations. Many of today’s communication tools are open source, and there is no way to hide a capability within an open source code base, nor to prevent people from simply removing or disabling an undesired feature. Even closed source systems are routinely modified by users—as with jailbreaking of phones—and users will find ways to disable features they don’t want. Criminals will want to disable these features. Ordinary users will also want to disable them, to mitigate their security risks.

Felten's remarks summarize a report [PDF] signed by 20 distinguished computer scientists criticizing the FBI's proposal. It's an important read -- maybe the most important thing you'll read all month. If you can't trust your devices, you face enormous danger.

CALEA II: Risks of wiretap modifications to endpoints

HOWTO search the Web like the NSA

Cory Doctorow — Thu, 09 May 2013 21:49:48 +0000

Wired's Kim Zetter rounds up some of the highlights from Untangling the Web: A Guide to Internet Research [PDF], an NSA guide to finding unintentionally published confidential material on the Web produced by the NSA and released in response to a Muckrock Freedom of Information Act request. As Zetter notes, the tactics discussed as described as legal, but are the kind of thing that weev is doing 3.5 years in a Federal pen for:

Want to find spreadsheets full of passwords in Russia? Type “filetype:xls site:ru login.” Even on websites written in non-English languages the terms “login,” “userid,” and “password” are generally written in English, the authors helpfully point out.
Misconfigured web servers “that list the contents of directories not intended to be on the web often offer a rich load of information to Google hackers,” the authors write, then offer a command to exploit these vulnerabilities — intitle: “index of” site:kr password.
“Nothing I am going to describe to you is illegal, nor does it in any way involve accessing unauthorized data,” the authors assert in their book. Instead it “involves using publicly available search engines to access publicly available information that almost certainly was not intended for public distribution.” You know, sort of like the “hacking” for which Andrew “weev” Aurenheimer was recently sentenced to 3.5 years in prison for obtaining publicly accessible information from AT&T’s website.

Use These Secret NSA Google Search Tips to Become Your Own Spy Agency

Former FBI counterterrorism agent implies that US records all US phone calls

Cory Doctorow — Mon, 06 May 2013 18:35:48 +0000

Glenn Greenwald notes the alarming revelation from a CNN Out Front interview between host Erin Burnett and Tim Clemente, "a former FBI counterterrorism agent," where Clemente claimed that the FBI had access to recordings of every phone call made in America:

BURNETT: Tim, is there any way, obviously, there is a voice mail they can try to get the phone companies to give that up at this point. It's not a voice mail. It's just a conversation. There's no way they actually can find out what happened, right, unless she tells them?
CLEMENTE: "No, there is a way. We certainly have ways in national security investigations to find out exactly what was said in that conversation. It's not necessarily something that the FBI is going to want to present in court, but it may help lead the investigation and/or lead to questioning of her. We certainly can find that out.
BURNETT: "So they can actually get that? People are saying, look, that is incredible.
CLEMENTE: "No, welcome to America. All of that stuff is being captured as we speak whether we know it or like it or not."

Are all telephone calls recorded and accessible to the US government? (via /.)

DroneShield: crowdfunded, networked drone detectors

Cory Doctorow — Fri, 03 May 2013 20:58:39 +0000

DroneShield is an indieGOGO project from a DC aerospace engineer that aims to build a tiny, net-connected drone-detector/identifier. Based on a Raspberry Pi gumstick computer, it uses a mic to detect the audio signature of nearby drones, and then communicates about its findings over the Internet. The project promises free/open hardware and software specs on its main site. Ars Technica's Cyrus Farivar spoke to Chris Kyriakakis, a USC electrical engineering prof, who suggests the project is feasible, but believes it will need an array of mics for accurate identification. But John Franklin, who's running the effort, says the device will produce useful -- if imperfect -- output even with one mic.

The fully assembled drone detector costs at least $69 as a pre-order (as with all crowdfunded project, it's important to remember that you may never get your device). The project goal is to get them down to $20. For my part, I wonder how this would perform against active countermeasures: it's one thing to detect drones that aren't making any effort to remain hidden or fool detectors about which drone they are, but what about a drone that uses some technology (from playing a recording of a different drone to full-on modifications of its engines and blades) to sound different?

In any event, I expect that this is an intermediate step on the way to this thing disappearing into our phones and becoming an app that would make use of its open database of drone acoustic signatures. I can easily imagine a Drone Foursquare made by volunteers who upload drone "sightings" to realtime maps as they move around the world.

Meet Drone Shield, an ambitious idea for a $70 drone detection system (via /.)

Publishing should fight ebook retailers for more data

Cory Doctorow — Fri, 26 Apr 2013 19:40:30 +0000

I've got a guest column in the new edition of The Bookseller, the trade magazine for the UK publishing industry. It's called "Tangible Assets," and it points out that of all the fights that publishing has had with the ebook sector -- DRM, pricing, promotion -- the one they've missed is access to data. Whatever else is going on with publishers and Amazon, Google, Apple, et al, the fact that publishing knows almost nothing about its ebook customers and has no realtime view into its ebook sales; and that the ebook channel knows almost everything, instantaneously, is untenable and unsustainable.

I just came off a US tour for my YA novel Homeland, which Tor Teen published in the US in February, and which Titan will publish this coming September in the UK. I went to 23 cities in 25 days, a kind of bleary and awesome whirlwind where I got to see friends from across the USA—Internet People to a one—for about 8.5 minutes each, in a caffeinated, exhausted rush.

Inevitably, I had this conversation: "How's the book doing?" and I got to say: "Oh, awesome! It's a New York Times and Indienet bestseller!" (It stayed on the NYT list for four weeks, so I got to say this a lot). And then, always: "So, how many copies does that come out to?" And my answer was always, "No one knows."

This is where the Internet People began to boggle. "No one knows?"

"Oh, there's some Nielsen reporting from the tills of participating booksellers—you can get that if you spend a fortune. But there's no realtime e-book numbers given to the publishers. We'll all find out exactly how the book performed in a couple of months."

And that's where they lost their minds. The irate squawks that emerged from their throats were audible for miles. "You mean Amazon, Apple and Google knows exactly who comes to their stores, how they find their way to your books, where they're coming in from, how many devices they use and when, and they don't tell the publishers?"

Tangible assets

CISPA is dead! (again) (for now)

Cory Doctorow — Fri, 26 Apr 2013 14:24:15 +0000

After months of activist agitation and a crushing disappointment from the cowards in the House of Representatives, the US senate has effectively killed CISPA, a sweeping Internet surveillance proposal. This is astoundingly great news! But CISPA died once before, and came back from the dead, and it will not likely stay dead this time around either. The price of liberty is eternal vigilance, etc etc etc:

Sen. Jay Rockefeller (D-WV), the chairman of the U.S. Senate Committee on Commerce, Science and Transportation, said in a statement on April 18 that CISPA's privacy protections are "insufficient."
A committee aide told ZDNet on Thursday that Rockefeller believes the Senate will not take up CISPA. The White House has also said the President won't sign the House bill.
Staff and senators are understood to be "drafting separate bills" that will maintain the cybersecurity information sharing while preserving civil liberties and privacy rights.
Rockefeller's comments are significant as he takes up the lead on the Commerce Committee, which will be the first branch of the Senate that will debate its own cybersecurity legislation.
Michelle Richardson, legislative council with the American Civil Liberties Union, told the publication she thinks CISPA is "dead for now," and said the Senate will "probably pick up where it left off last year."

CISPA 'dead' in Senate, privacy concerns cited [Zack Whittaker/ZDNet]

Snooper's Charter is dead! (for now)

Cory Doctorow — Fri, 26 Apr 2013 06:50:34 +0000

Aw, yeah! The UK Communications Data Bill -- AKA the "Snooper's Charter," a sweeping, totalitarian universal Internet surveillance bill that the Conservative government had sworn to pass -- is dead! Yesterday, Nick Clegg, leader of the Liberal Democrats in Parliament, announced that his party would not support the bill, and effectively killed it. Though I've been bitterly disappointed with some of the terminal compromises the LibDems have made, this makes me grateful to have them in Parliament. The kind of universal surveillance proposed in the Snooper's Charter was broadly supported by the last Labour government, which radically expanded state surveillance powers, and by the Tories -- thank goodness for the LibDems mustering a scrap of backbone at last!

The only downside is that the Open Rights Group had a whole series of great "Professor Elemental" videos that used pointed, excellent humour to mock and undermine the bill and drum up opposition to it, and now that's all going to go to waste (I blogged episode one yesterday).

Aw, who'm I kidding? This kind of thing never stays dead.

The snooper's charter has reminded Nick Clegg, finally, he is a liberal

UK Home Office commissions a super villain-catching-machine from Prof. Elemental

Cory Doctorow — Wed, 24 Apr 2013 08:34:27 +0000

In this startling debut episode, the renowned Professor Elemental receives a commission from the government to build a marvellous snooping machine with which to catch the badduns. The Home Secretary has the right man for the job -- with the good professor's marvellous device, the Home Office will be able to spy on every communique that traverses the British Information Superhighway!

(It's all about the Snooper's Charter, the barmy UK legislative proposal to give nearly unlimited snooping powers to the government and police, and this video is courtesy of the good people at the Open Rights Group.

Professor Elemental build a Great Machine for Catching Villains Chapter One (Thanks, Jim!)

Siri keeps data for "up to two years", but only anonymously

Rob Beschizza — Fri, 19 Apr 2013 15:24:10 +0000

Robert McMillan explains what happens to the data generated and stored with Siri queries: "Once the voice recording is six months old, Apple “disassociates” your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes." [Wired]

Online privacy policies explained

Cory Doctorow — Fri, 19 Apr 2013 12:39:14 +0000

The Zero Knowledge Foundation's explainer on privacy policies is a pretty good introduction to where the fine-print on the sites you read comes from, and the surprisingly meaningful differences between different privacy policies on different sites. It's easy to assume (as I usually do) that the average privacy policy says, "You have no privacy," but there's a lot of difference between the policies on Craigslist, Facebook and Twitter, say.

The Fine Print of Privacy | Zero Knowledge Privacy Foundation (Thanks, Josh)

Siri, keeper of secrets

Rob Beschizza — Thu, 18 Apr 2013 14:09:39 +0000

Robert McMillan writes: "Not everyone realizes this, but whenever you use Siri, Apple’s voice-controlled digital assistant, she remembers what you tell her. How long does she remember? Apple isn’t saying. And the American Civil Liberties Union is concerned." [Wired]

CISPA: Congress wants to create unlimited Internet spying powers - KILL THIS BILL! KILL IT WITH FIRE!

Cory Doctorow — Wed, 17 Apr 2013 15:44:34 +0000

Rep. Rogers says #CISPA opponents are probably 14-year-olds in a basement. Tell him how wrong he is by tweeting to @repmikerogers.
— EFF (@EFF) April 16, 2013

CISPA is the latest Congressional proposal to do something unbelievably horrible with the Internet -- this time, it's letting US law enforcement and intelligence service raid all of your data, all the time, without letting you know, regardless of your service provider's privacy policy, in the name of preventing "cyberattacks," whatever they are.

It's about as horrible as it can be: the House Rules Committee won't even allow privacy-protecting amendments on the agenda; the bill's sponsor Rep. Mike Rogers dismisses people who oppose CISPA as 14-year-olds in their parents' basements; and a bunch of tech companies are lobbying in favor of CISPA because the bill cannily immunizes them from liability for firehosing your personal, sensitive information all over the place.

The sole bright light is this: the Obama White House has taken an uncharacteristically progressive stance on privacy this time around, and has threatened to veto the bill.

The Electronic Frontier Foundation is, as always, the best place to go to find things you can (and should, and MUST) do to kill this insane proposal.

Reddit co-founder calls Larry Page to get Google to join the anti-CISPA fight -- your help needed too!

Cory Doctorow — Thu, 11 Apr 2013 13:29:51 +0000

Evan from Fight for the Future sez, "In the hours before the House Intelligence Committee's secretive, closed-door markup on privacy killing bill, CISPA, we had to unleash our secret weapon. CISPA threatens to invalidate every privacy law on the books and give companies full legal immunity when they share our private data with the government. That's why the tech giants that stood with us during SOPA (Google, Facebook, and Twitter) haven't said much about CISPA. Our chief Internet Defender, Reddit-Cofounder Alexis Ohanian, helped us make this video of him calling Google and asking to speak to CEO Larry Page about that fact that if CISPA passes, every privacy policy on the web will be a total joke."

Sign the petition, kill CISPA, save the Internet (again!).

Google, Twitter, & Facebook: What's your privacy policy? (Thanks, Evan)

ISPs and creepy ad company injecting traffic into secure Web sessions

Cory Doctorow — Mon, 08 Apr 2013 06:11:26 +0000

A company called RT66 appears to be injecting code into secure Web-sessions, possibly with collusion from ISPs like CMA Communications. No one's sure how they're doing this, neither RT66 or CMA are answering questions, and it's bad news all around.

American public schools in 9 states sharing every conceivable personal detail of their students with third parties

Cory Doctorow — Fri, 05 Apr 2013 03:03:58 +0000

Update: A PR person who has apparently been retained to represent inBloom strenuously objected to Greg's characterization of her client's practices below. She sent me an email, which I've posted to the comments. I've also made a factual correction, regarding constraints, below (look for the strikethrough)

Greg Costikyan sez,

inBloom, a Gates-funded non-profit to harness data to improve grade school education, has partnered with New York and eight other states to encourage the development of apps to "further education" by using intimate data about students, without parental consent and with no ability for parents to opt out.
Among the data shared are name, address, phone numbers, test scores, grades, economic status, test scores, disciplinary records, picture, email, race, developmental delay... just about everything conceivable, and all specific, none of it anonymized. inBloom has arrangements with nine states (New York, Massachusetts, Louisiana, Colorado, Illinois, North Carolina, Georgia, Delaware and Kentucky) to do this.
The XML schema used are downloadable here. Anyone can register as a developer and start using "sample" data, but "real" data is supposedly only available to developers with contracts with a school board. But this includes for-profit, third party developers, such as, say, Amplify, a News Corp subsidiary with a contract with New York. ~~And it doesn't appear there are any constraints on their use of this data.~~ Ed: apparently constraints can be imposed by districts and states, though the system can allow unconstrained access if the district/state chooses.

Who is Stockpiling and Sharing Private Information About New York Students? (Thanks, Greg!)

What problem are we trying to solve in the copyright wars?

Cory Doctorow — Thu, 28 Mar 2013 20:13:11 +0000

My latest Guardian column is "Copyright wars are damaging the health of the internet" and it looks at what we really need from proposed solutions to the copyright wars:

I've sat through more presentations about the way to solve the copyright wars than I've had hot dinners, and all of them has fallen short of the mark. That's because virtually everyone with a solution to the copyright wars is worried about the income of artists, while I'm worried about the health of the internet.
Oh, sure, I worry about the income of artists, too, but that's a secondary concern. After all, practically everyone who ever set out to earn a living from the arts has failed – indeed, a substantial portion of those who try end up losing money in the bargain. That's nothing to do with the internet: the arts are a terrible business, one where the majority of the income accrues to a statistically insignificant fraction of practitioners – a lopsided long tail with a very fat head. I happen to be one of the extremely lucky lotto winners in this strange and improbable field – I support my family with creative work – but I'm not parochial enough to think that my destiny and the destiny of my fellow 0.0000000000000000001 percenters are the real issue here.
What is the real issue here? Put simply, it's the health of the internet.

UK Open Rights Group is holding its first ever digital rights conference in the north

Cory Doctorow — Thu, 28 Mar 2013 17:07:09 +0000

Ruth from the UK Open Rights Group sez:

ORGCon North is the first regional conference to build on the success of the national sell-out event, ORGCon, which takes place in London every year. On Saturday 13th April Open Rights Group, the UK digital rights campaigning organisation, will be running ORGCon North at the Manchester Friends' Meeting House. The event is a great introduction to digital rights issues that affect every internet user - like freedom from surveillance and free speech on Twitter and Facebook. The event runs from 11am till 5pm and is hosted by ORG-Manchester, the local campaigning group.
ORGCon North gathers experts from many technology fields and civil liberties groups across the country debating some of the big issues like: Will copyright eat the internet? Do we have a right to be offensive? There will be a keynote speech from John Buckman, chair of the Electronic Frontier Foundation (EFF) and founder of the independent record label Magnatune. He will be talking about upcoming challenges to digital rights, drawing on his experiences in the UK and US. Open Rights Group are also offering an 'unconference track' with room for anyone to lead sessions or pop up a debate, to build to the conference they want.
Individual tickets are priced at £11 or £6 for ORG supporters. Tickets are free if you join ORG this month.

ORGCon North 2013 (Thanks, Ruth!)

Researchers show method for de-anonymizing 95% of "anonymous" cellular location data

Cory Doctorow — Thu, 28 Mar 2013 13:34:18 +0000

Unique in the Crowd: The privacy bounds of human mobility, a Nature Scientific Reports paper by MIT researchers and colleagues at Belgium's Universite Catholique de Louvain, documents that 95% of "anonymous" location data from cellphone towers can be de-anonymized to the individual level. That is, given data from a region's cellular towers, the researchers can ascribe individuals to 95% of the data-points.

“We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy,” they explain. “Indeed, this uniqueness means that little outside information is needed to re-identify the trace of a targeted individual even in a sparse, large-scale, and coarse mobility dataset. Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern.”
The data they studied involved users in an unidentified European country, possibly Belgium, and involved anonymized data collected by their carriers between 2006 and 2007.

Anonymized Phone Location Data Not So Anonymous, Researchers Find [Wired/Kim Zetter]

Clueless Texas Congressman Louie Gohmert can't get how Gmail ads work through his thick, thick skull

Cory Doctorow — Thu, 21 Mar 2013 16:49:17 +0000

Rep Louie Gohmert (R-TX) is an ignoramus, as is demonstrated by his questioning during this hearing on reforms to the Electronic Communications Privacy Act. Gohmert questions a Google rep about how Adwords in Gmail work. For the record, here's how it works: Google parses the email for keywords, checks to see if anyone has bid to have text-ads displayed on emails with those words, and displays ads that match. Here's how Gohmert thinks they work: A computer at Google reads your email, sends your identity to an advertiser, and asks it if it wants to display ads on your email.

Gohmert may have confused Adwords with some of the realtime auctions for display ads. Google rep very patiently, and repeatedly tries to explain this to Gohmert, who refuses to get it, and instead smugly keeps asking whether the government could buy the right to see who's sending what email from Google in the way he imagines (incorrectly) that advertisers do.

If watching the video is too painful, have no fear, TechDirt's Mike Masnick has thoughtfully transcribed some of the choicest moments:

Gohmert: Okay, so what would prevent the federal government from making a deal with Google, so they could also "Scroogle" people, and say "I want to know everyone who has ever used the term 'Benghazi'" or "I want everyone who's ever used... a certain term." Would you discriminate against the government, or would you allow the government to know about all emails that included those words?
Lawyer [confounded look] Uh... sir, I think those are apples and oranges. I think the disclosure of the identity...
Gohmert: I'm not asking for a fruit comparison. I'm just asking would you be willing to make that deal with the government? The same one you do with private advertisers, so that the government would know which emails are using which words.
Lawyer: Thank you, sir. I meant by that, that it isn't the same deal that's being suggested there.
Gohmert: But I'm asking specifically if the same type of deal could be made by the federal government? [some pointless rant about US government videos aired overseas that is completely irrelevant and which it wasn't worth transcribing] But if that same government will spend tens of thousands to do a commercial, they might, under some hare-brained idea like to do a deal to get all the email addresses that use certain words. Couldn't they make that same kind of deal that private advertisers do?

For the record, I think there are real privacy concerns with Gmail's ads, but not the dumbass ones that Gohmert is worried about. Also for the record, Gohmert believes that a trans-Alaskan pipeline will help caribou get more sex; denies climate change; and thinks that school shootings can be averted by giving school principals M-4 rifles.

Rep. Gohmert's Record For Stunning Technological Ignorance Is Broken By... Rep. Gohmert

EFF explains yesterday's National Security Letter ruling

Cory Doctorow — Sat, 16 Mar 2013 18:42:48 +0000

Further to Xeni's post from yesterday about the landmark ruling by a San Francisco district court judge that the FBI may not issue "national security letters" (NSLs), the Electronic Frontier Foundation, who fought the case, has posted a good explanation about what NSLs are and why they were so creepy:

The controversial NSL provisions EFF challenged on behalf of the unnamed client allow the FBI to issue administrative letters -- on its own authority and without court approval -- to telecommunications companies demanding information about their customers. The controversial provisions also permit the FBI to permanently gag service providers from revealing anything about the NSLs, including the fact that a demand was made, which prevents providers from notifying either their customers or the public. The limited judicial review provisions essentially write the courts out of the process.
In today's ruling, the court held that the gag order provisions of the statute violate the First Amendment and that the review procedures violate separation of powers. Because those provisions were not separable from the rest of the statute, the court declared the entire statute unconstitutional. In addressing the concerns of the service provider, the court noted: "Petitioner was adamant about its desire to speak publicly about the fact that it received the NSL at issue to further inform the ongoing public debate."
"The First Amendment prevents the government from silencing people and stopping them from criticizing its use of executive surveillance power," said EFF Legal Director Cindy Cohn. "The NSL statute has long been a concern of many Americans, and this small step should help restore balance between liberty and security."

I am so proud of my friends at EFF this morning. Go team!

National Security Letters Are Unconstitutional, Federal Judge Rules

Inside the awful world of RATters - the men who spy on people through their computers with "remote administration tools"

Cory Doctorow — Mon, 11 Mar 2013 15:39:07 +0000

Nate Anderson's long Ars Technica piece on RATters -- men who use "Remote Administration Tools" to spy on others, mostly women, via their laptop cameras, and to plunder their computers for files and passwords -- is a must-read. Anderson lays out the way that online communities like Hack Forums provide expertise, tools, and, most importantly, validation for the men who participate in this "game." Anderson explains the power of software like DarkComet, which allows for near-total control of compromised computers (everything from opening the CD trays to disabling the Start menu in Windows); the dehumanizing language used by Ratters (they call their victims "slaves"); and the way that these tools have found their way into the arsenals of totalitarian governments, like the Assad regime in Syria, which used these tools to spy on rebels.

For many ratters, though, the spying remains little more than a game. It might be an odd hobby, but it's apparently no big deal to invade someone's machine, rifle through the personal files, and watch them silently from behind their own screens. "Most of my slaves are boring," wrote one aspiring ratter. "Wish I could get some more girls with webcams. It makes it more exciting when you can literally spy on someone. Even if they aren't getting undressed!"
One poster said he had already archived 200GB of webcam material from his slaves. "Mostly I pick up the best bits (funny parts, the 'good' [sexual] stuff) and categorize them (name, address, passwords etc.), just for funsake," he wrote. "For me I don't have the feeling of doing something perverted, it's more or less a game, cat and mouse game, with all the bonuses included. The weirdest thing is, when I see the person you've been spying on in real life, I've had that a couple of times, it just makes me giggle, especially if it's someone with an uber-weird-nasty habit."
By finding their way to forums filled with other ratters, these men—and they appear to be almost exclusively men—gain community validation for their actions. "lol I have some good news for u guys we will all die sometime, really glad to know that there are other people like me who do this shit," one poster wrote. "Always thought it was some kind of wierd sick fetish because i enjoy messing with my girl slaves."

Everything we do today involves computers and everything we do tomorrow will require computers. It's imperative that computers be designed to reveal themselves to their users and owners -- every program and process accessible to users and owners by design. But we continue to erode this fundamental through bans on jailbreaking and unlocking, and through the governmental trade in "zero-day" exploits intended for use in so-called cyberwar.

Meet the men who spy on women through their webcams [Nate Anderson/Ars Technica]

New bill to protect your webmail and location privacy needs your support

Cory Doctorow — Sat, 09 Mar 2013 20:00:15 +0000

The Electronic Communications Privacy Act (ECPA) of 1986 is an ancient law that governs the privacy of the files you keep on servers, including your webmail and other private stuff. The 1986 law assumes that any file left on a server for more than six months is abandoned, and gives law enforcement the power to retrieve it without a warrant. Many attempts have been made to update this, but the nation's law enforcement apparatus always kicks up a huge fuss when anyone proposes closing this glaring loophole.

Now there's a new, bipartisan bill from Representatives Zoe Lofgren (D-Calif.), Ted Poe (R-Texas) and Suzan DelBene (D-Wash.) that will update electronic privacy law for the bold world of the 1990s (at least!). The Electronic Frontier Foundation's Rainey Reitman has more:

We’re pleased to see Representatives Lofgren, Poe, and DelBene take up this crucial issue, but the current draft isn’t a perfect solution to all ECPA woes. For example, the bill has room for improvement on the issue of evidence suppression for email content collected without a warrant. We hope this already promising bill can be further improved through amendments.

By introducing this reform bill, the 113^th Congress has an opportunity to enact powerful protections for everyday Internet users – which would be particularly appreciated, since all too often Congress uses its power to try to undermine our digital civil liberties.

If you agree that the government shouldn’t be snooping through inboxes without a warrant, then please sign our petition, which will automatically send an email to Congress demanding they reform ECPA.

New Bill Would Ensure Law Enforcement Gets a Warrant Before Reading Email

US Ninth Circuit says forensic laptop searches at the border without suspicion are unconstitional

Cory Doctorow — Sat, 09 Mar 2013 17:22:43 +0000

An en banc (~~all the~~ 11/20 judges together) decision from the 9th Circuit has affirmed that you have the right to expect that your laptop and other devices will not be forensically examined without suspicion at the US border. It's the first time that a US court has upheld electronic privacy rights at the border, and the court also said that using an encrypted device that can't be casually searched is not grounds for suspicion. The judges also note that the prevalence of cloud computing means that searching at the border gives cops access to servers located all over the world. At TechDirt, Mike Masnick has some great analysis of this welcome turn of events:

The ruling is pretty careful to strike the right balance on the issues. It notes that a cursory review at the border is reasonable:
Officer Alvarado turned on the devices and opened and viewed image files while the Cottermans waited to enter the country. It was, in principle, akin to the search in Seljan, where we concluded that a suspicionless cursory scan of a package in international transit was not unreasonable.
But going deeper raises more questions. Looking stuff over, no problem. Performing a forensic analysis? That goes too far and triggers the 4th Amendment. They note that the location of the search is meaningless to this analysis (the actual search happened 170 miles inside the country after the laptop was sent by border agents to somewhere else for analysis). So it's still a border search, but that border search requires a 4th Amendment analysis, according to the court.
It is the comprehensive and intrusive nature of a forensic examination—not the location of the examination—that is the key factor triggering the requirement of reasonable suspicion here....
Notwithstanding a traveler’s diminished expectation of privacy at the border, the search is still measured against the Fourth Amendment’s reasonableness requirement, which considers the nature and scope of the search. Significantly, the Supreme Court has recognized that the “dignity and privacy interests of the person being searched” at the border will on occasion demand “some level of suspicion in the case of highly intrusive searches of the person.” Flores-Montano, 541 U.S. at 152. Likewise, the Court has explained that “some searches of property are so destructive,” “particularly offensive,” or overly intrusive in the manner in which they are carried out as to require particularized suspicion. Id. at 152, 154 n.2, 155–56; Montoya de Hernandez, 473 U.S. at 541. The Court has never defined the precise dimensions of a reasonable border search, instead pointing to the necessity of a case-by-case analysis....

The court is led by Chief Judge Alex Kozinski, who is a fan of my book Little Brother (which features a scene where DHS officials force a suspect to decrypt his devices, on the grounds that his encryption itself is suspicious), and was kind enough to write me a blurb for the new edition of the book. I'm not saying that Little Brother inspired Kozinski to issue this decision, but I'm delighted to discover that something I've been pushing through fiction since 2008 has made it into law in 2013.

9th Circuit Appeals Court: 4th Amendment Applies At The Border; Also: Password Protected Files Shouldn't Arouse Suspicion

Petition demands an end to drone surveillance

Cory Doctorow — Wed, 06 Mar 2013 23:57:27 +0000

Marc from the Electronic Privacy Information Center (EPIC) sez, "The Electronic Privacy Information Center has published a petition to the Bureau of Customs and Border Protection, demanding the suspension of the drone program pending the development of privacy regulations for the use of drones in US airspace. Documents recently obtained by EPIC under the Freedom of Information Act indicate that the drones are equipped with technology for signals interception and human identification. The agency currently operates ten Predator B drones along the border region, an area that encompasses more than two-thirds of the U.S. population. EPIC is urging individuals and organizations to Sign the Petition before March 18. Under federal law, the agency is required to respond to public petitions."

MacLeod's dystopian masterpiece Intrusion in paperback

Cory Doctorow — Wed, 06 Mar 2013 12:35:08 +0000

Ken Macleod's amazing dystopian novel Intrusion is out in paperback today. Here's my review from last March:

Ken MacLeod's new novel Intrusion is a new kind of dystopian novel: a vision of a near future "benevolent dictatorship" run by Tony Blair-style technocrats who believe freedom isn't the right to choose, it's the right to have the government decide what you would choose, if only you knew what they knew.
Set in North London, Intrusion begins with the story of Hope, a mother who has become a pariah because she won't take "the fix," a pill that repairs known defects in a gestating fetus's genome. Hope has a "natural" toddler and is pregnant with her second, and England is in the midst of a transition from the fix being optional to being mandatory for anyone who doesn't have a "faith-based" objection. Hope's objection isn't based on religion, and she refuses to profess a belief she doesn't have, and so the net of social services and laws begins to close around her.
MacLeod widens the story from Hope, and her husband Hugh (a carpenter working with carbon-sequestering, self-forming "New Wood") who has moved to London from an independent Scotland, and whose childhood hides a series of vivid hallucinations of ancient people from the Ice Age-locked past. Soon we're learning about the bioscientists who toil to improve the world's genomes, the academics who study their work, the refuseniks who defy the system in small and large ways, and the Naxals, city-burning wreckers who would obliterate all of society. The Naxals, along with a newly belligerent India and Russia, are a ready-made excuse for a war-on-terror style crackdown on every corner of human activity that includes ubiquitous CCTV, algorithmic behavior monitors, and drones in every corner of the sky.
With Intrusion, MacLeod pays homage to Orwell, showing us how a society besotted with paternalistic, Cass Sunstein-style "nudging" of behavior can come to the same torturing, authoritarian totalitarianism of brutal Stalinism. MacLeod himself is a Marxist who is lauded by libertarians, and his unique perspective, combined with a flair for storytelling, yields up a haunting, gripping story of resistance, terror, and an all-consuming state that commits its atrocities with the best of intentions.

Intrusion

Track CISPA's every move in Congress with the Sunlight Foundation's Scout alert service

Cory Doctorow — Wed, 20 Feb 2013 22:06:59 +0000

Nicko from the Sunlight Foundation sez, "Since the reintroduction of the controversial CISPA bill, I imagine many in the Boing Boing community will be interested to follow the latest developments on the legislation. The Sunlight Foundation's Scout alert service will send anyone an email or text message for any official activity and votes on the bill including notices of upcoming hearings and when it's coming to the floor. I've created a collection of alerts about CISPA so you can follow speeches in Congress that use the phrase 'Cyber Intelligence Sharing and Protection Act' or 'CISPA' and, for those interested in wider coverage, there are alerts for any mentions of 'Cybersecurity' in federal regulations and state-level bills. It's just a few clicks to follow the full collection of CISPA alerts, cherry-pick favorites or create your own custom ones with Scout."

CISPA is back: worst Internet law since SOPA needs you to fight it!

Cory Doctorow — Mon, 18 Feb 2013 17:56:08 +0000

CISPA is a sweeping, privacy-annihilating Internet law that we killed last year. The Congressmen who introduced it haven't learned their lesson and they've reintroduced it. The price of freedom is eternal vigilance, right? We killed CISPA once before. We will kill CISPA again. It only works if you take part.

Last year, Representatives Rogers and Ruppersberger introduced CISPA, which would create a gaping new exemption to existing privacy law. CISPA would grant companies more power to obtain “threat” information (such as from private communications of users) and to disclose that data to the government without a warrant -- including sending data to the National Security Agency.
This week, CISPA was reintroduced in the House of Representatives. EFF is joining groups like ACLU and Fight for the Future in combating this legislation.
Last year, tens of thousands of concerned individuals used the EFF action center to speak out against overbroad and ineffective cybersecurity proposals. Together, we substantially changed the debate around cybersecurity in the U.S., moving forward a range of privacy-protective amendments and ultimately helping to defeat the Senate bill.
Now we need your help again. Can you send a message to your Representatives asking them to oppose this bill?

CISPA is Back.

(Image: eye of providence, a Creative Commons Attribution Share-Alike (2.0) image from emperley3's photostream)

Logic of surveillance and problems of the enforcer class

Cory Doctorow — Mon, 18 Feb 2013 15:13:41 +0000

Ian Welsh's piece on the "logic of surveillance" makes several good points, but this one really smacked me in the face: "The enforcer class...is paid in large part by practical immunity to many laws and a license to abuse ordinary people."

Surveillance is part of the system of control. The more surveillance the more control, is the majority belief amongst the ruling elites. Automated surveillance requires fewer “watchers”, and since the watchers cannot watch all the surveillance, long term storage increases the ability to find some “crime” anyone is guilty of. When you add in recognition systems based on face, gait or other procedures, you have the theoretical ability to track a person from the moment they leave their home till they return to it. Other measures make it possible to see what people are doing in their own homes (IR heat maps, for example.) A world in which everyone is tracked all the time is very possible.
Quis custodiet ipsos custodes
This is one of the biggest problems the current elites face: they want the smallest enforcer class possible, so as to spend surplus on other things. The enforcer class is also insular, primarily concerned with itself (see Dorner) and is paid in large part by practical immunity to many laws and a license to abuse ordinary people. Not being driven primarily by justice and a desire to serve the public and with a code of honor which appears to largely center around self-protection and fraternity within the enforcer class, the enforcers reliability of the enforcers is in question: they are blunt tools and their fear for themselves makes them remarkably inefficient.

The Logic of Surveillance (via Naked Capitalism)

(Image: Surveillance, a Creative Commons Attribution Share-Alike (2.0) image from jonathanmcintosh's photostream)

Video from my book tour: Cincinnati presentation

Cory Doctorow — Sat, 16 Feb 2013 17:00:33 +0000

Kevin Loughin came out to my Homeland tour-stop in Cincinnati on Valentine's Day and made a great video of the presentation and Q&A. He was kind enough to post it to YouTube -- thanks, Kevin!

Cory Doctorow talk on Homeland.

Raytheon making social-network-mining software to help gov'ts spy on citizens

Cory Doctorow — Mon, 11 Feb 2013 03:54:34 +0000

Raytheon's "RIOT" (Rapid Information Overlay Technology) is intended to help governments all over the world by providing a "Google for spies" that mines multiple online sources to build up detailed pictures of the personal activities of their citizens:

The sophisticated technology demonstrates how the same social networks that helped propel the Arab Spring revolutions can be transformed into a "Google for spies" and tapped as a means of monitoring and control.
Using Riot it is possible to gain an entire snapshot of a person's life – their friends, the places they visit charted on a map – in little more than a few clicks of a button.
In the video obtained by the Guardian, it is explained by Raytheon's "principal investigator" Brian Urch that photographs users post on social networks sometimes contain latitude and longitude details – automatically embedded by smartphones within so-called "exif header data."
Riot pulls out this information, showing not only the photographs posted onto social networks by individuals, but also the location at which the photographs were taken.
"We're going to track one of our own employees," Urch says in the video, before bringing up pictures of "Nick," a Raytheon staff member used as an example target. With information gathered from social networks, Riot quickly reveals Nick frequently visits Washington Nationals Park, where on one occasion he snapped a photograph of himself posing with a blonde haired woman.
"We know where Nick's going, we know what Nick looks like," Urch explains, "now we want to try to predict where he may be in the future."
Riot can display on a spider diagram the associations and relationships between individuals online by looking at who they have communicated with over Twitter. It can also mine data from Facebook and sift GPS location information from Foursquare, a mobile phone app used by more than 25 million people to alert friends of their whereabouts. The Foursquare data can be used to display, in graph form, the top 10 places visited by tracked individuals and the times at which they visited them.
The video shows that Nick, who posts his location regularly on Foursquare, visits a gym frequently at 6am early each week. Urch quips: "So if you ever did want to try to get hold of Nick, or maybe get hold of his laptop, you might want to visit the gym at 6am on a Monday."

The associated patent says that Raytheon believes that its software can judge whether its subjects constitute a "security risk"

Software that tracks people on social media created by defence firm [Guardian/Ryan Gallagher]