Privacy, Security & Government Surveillance

My colleague Eli Dourado brought to my attention this XKCD comic and when tweeting it out yesterday he made the comment that “Half of tech policy is dealing with these people”:

The comic and Eli’s comment may be a bit snarky, but something about it rang true to me because while conducting research on the impact of new information technologies on society I often come across books, columns, blog posts, editorials, and tweets that can basically be summed up with the line from that comic: “we should stop to consider the consequences of [this new technology] before we …” Or, equally common is the line: “we need to have a conversation about [this new technology] before we…”

But what does that really mean? Certainly “having a conversation” about the impact of a new technology on society is important. But what is the nature of that “conversation”? How is it conducted? How do we know when it is going on or when it is over?

The International Association of Privacy Professionals (IAPP) has been running some terrific guest essays on its Privacy Perspectives blog lately. (I was honored to be asked to submit an essay to the site a few weeks ago about the ongoing Do Not Track debate.) Today, the IAPP has published one of the most interesting essays on the so-called “right to be forgotten” that I have ever read. (Disclosure: We’ve written a lot here about this issue in the past and have been highly skeptical regarding both the sensibility and practicality of the notion. See my Forbes column, “Erasing Our Past on the Internet,” for a concise critique.)

In her fascinating and important IAPP guest essay, archivist Cherri-Ann Beckles asks, “Will the Right To Be Forgotten Lead to a Society That Was Forgotten?” Beckles, who is Assistant Archivist at the University of the West Indies, powerfully explains the importance of archiving history and warns about the pitfalls of trying to censor history through a “right to be forgotten” regulatory scheme. She notes that archives “protect individuals and society as a whole by ensuring there is evidence of accountability in individual and/or collective actions on a long-term basis. The erasure of such data may have a crippling effect on the advancement of a society as it relates to the knowledge required to move forward.”

She concludes by arguing that:

From the preservation of writings on the great pharaohs to the world’s greatest thinkers and inventors as well as the ordinary man and woman, archivists recognise that without the actions and ideas of people, both individually and collectively, life would be meaningless. Society only benefits from the actions and ideas of people when they are recorded, preserved for posterity and made available. Consequently, the “right to be forgotten” if not properly executed, may lead to “the society that was forgotten.”

Importantly, Beckles also stresses the importance of individual responsibility and taking steps to be cautious about the digital footprints they leave online. “More attention should instead be paid to educating individuals to ensure that the record they create on themselves is one they wish to be left behind,” she notes. “Control of data at the point of creation is far more manageable than trying to control data after records capture.”

Anyway, read the whole essay. It is very much worth your time.

Timothy Ravich

Timothy Ravich, a board certified aviation lawyer in private practice and an adjunct professor of law at the Florida International University School of Law and the University of Miami School of Law, discusses the future of unmanned aerial systems (UAS), also known as drones.

Ravich defines what UAVs are, what they do, and what their potential non-military uses are. He explains that UAV operations have outpaced the law in that they are not sufficiently supported by a dedicated and enforceable regime of rules, regulations, and standards respecting their integration into the national airspace.

Ravich goes on to explain that Congress has mandated the FAA to integrate UAS into the national airspace by 2015, and explains the challenges the agency faces. Among the novel issues domestic drone use raises are questions about trespass, liability, and privacy.


Today over at the International Association of Privacy Professionals (IAPP) Daily Dashboard blog, I have a guest post entitled, “Let’s Not Place All Our Eggs in the Do Not Track Basket.” The essay builds on my Senate Commerce Committee testimony last week by arguing that:

If there’s one lesson I’ve learned in twenty-one years of covering information technology policy, it’s that there are no simple silver-bullet solutions to complex issues like online safety, hate speech, spam, cybersecurity, data breaches or digital privacy. Problems such as these demand a layered, multifaceted approach that incorporates many solutions, the first among these being education and awareness-based efforts.

I continue on to explain why that means we should be cautious about placing too much faith in privacy techno-fixes like Do Not Track, which won’t likely be any more successful than past silver bullet efforts. (Note: Justin Brookman of CDT will be offering a counterpoint to my essay next week on the IAPP blog. I look forward to seeing what he has to say. He also testified alongside me in the Senate last week.)

By the way, for those of you not familiar with the IAPP, it is “the largest and most comprehensive global information privacy community and resource, helping practitioners develop and advance their careers and organizations manage and protect their data. More than just a professional association, the IAPP provides a home for privacy professionals around the world to gather, share experiences and enrich their knowledge.” In my opinion, the IAPP is doing amazing work and deserves the attention of anyone who cares about the future of privacy and privacy policy. I strongly recommend you check out their excellent site and explore all the important resources they provide and other things they do.

Anyway, if you are interested in the issues discussed in my IAPP guest post, you might also want to check out some of the related essays down below the fold:

Today I’ll be testifying at a Senate Commerce Committee hearing on online privacy and commercial data collection issues. In my remarks, I make three primary points:

  1. First, no matter how well-intentioned, restrictions on data collection could negatively impact the competitiveness of America’s digital economy, as well as consumer choice.
  2. Second, it is unwise to place too much faith in any single, silver-bullet solution to privacy, including “Do Not Track,” because such schemes are easily evaded or defeated and often fail to live up to their billing.
  3. Finally, with those two points in mind, we should look to alternative and less costly approaches to protecting privacy that rely on education, empowerment, and targeted enforcement of existing laws. Serious and lasting long-term privacy protection requires a layered, multifaceted approach incorporating many solutions.

The testimony also contains 4 appendices elaborating on some of these themes.

Down below, I’ve embedded my testimony, a list of 10 recent essays I’ve penned on these topics, and a video in which I explain “How I Think about Privacy” (which was taped last summer at an event up at the University of Maine’s Center for Law and Innovation). Finally, the best summary of my work on these issues can be found in this recent Harvard Journal of Law & Public Policy article, “The Pursuit of Privacy in a World Where Information Control is Failing.” (This is the first of two complementary law review articles I will be releasing this year dealing with privacy policy. The second, which will be published early this summer by the George Mason University Law Review, is entitled, “A Framework for Benefit-Cost Analysis in Digital Privacy Debates.”)

The Cato Institute is seeking a “researcher to support a campaign to educate the public and policymakers on the implications of biometric identification systems related to immigration policy reforms.”

The better applicants will know how many different governmental systems work—legislation, appropriation, regulation, procurement, grant-making, and so on—and have zeal to chase down all the ways the national ID builders are using them to advance their cause.

Immigration reform legislation in the Senate that features a vast expansion of E-Verify is yet another reason to join the fight against having a national ID in the United States.

A couple of weeks ago I wrote that bitcoin’s valuation doesn’t really matter for the currency to effectively function as a medium of exchange. Now comes word from none other than the proprietor of the notorious Silk Road encrypted black market that indeed the recent wild volatility has not affected the transactions on his site. As Andy Greenberg reports:

In a rare (and brief) public statement sent to me, the Dread Pirate Roberts (DPR) said that despite Silk Road’s reliance on Bitcoin, commerce on the site hasn’t been seriously hurt by Bitcoin’s wild rise and fall. “Bitcoin’s foundation, its algorithms and network, don’t change with the exchange rate,” the pseudonymous site administrator writes. “It is just as important to the functioning of Silk Road at $1 as it is at $1,000. A rapidly changing price does have some effect, but it’s not as big as you might think.”

Silk Road’s customers, after all, aren’t generally interested in Bitcoin’s worth as an investment vehicle, so much as in how it makes it possible to privately buy heroin, cocaine, pills or marijuana. They use Bitcoin because it’s not issued or stored by banks and doesn’t require any online registrations, and thus offers a certain amount of anonymity. …

Silk Road has built-in protections against Bitcoin’s spikes and crashes. Although purchases on Silk Road can only be made with Bitcoin, sellers on the site have the option to peg their prices to the dollar, automatically adjusting them based on Bitcoin’s current exchange rate as defined by the central Bitcoin exchange Mt. Gox. To insulate those sellers against Bitcoin fluctuations, the eBay-like drug site also offers a hedging service. Sales are held in escrow until buyers receive their orders via mail, and vendors are given the choice to turn on a setting that pegs the escrow’s value to the dollar, with Silk Road itself covering any losses or taking any gains from Bitcoin’s swings in value that occur while the drugs are in transit. So while Bitcoin’s crash last week from $237 to less than $100 means that the Dread Pirate Roberts was likely forced to pay out much of the extra gains Silk Road made from Bitcoin’s rise, most of his sellers were protected from those price changes and continued to trade their drugs for Bitcoins despite the currency’s plummeting value.

What this shows is that Silk Road is separating the “unit of account” function of money from the “medium of exchange” function. Prices are denominated in dollars (as a unit of account) but payments are made in bitcoin (as a medium of exchange). Hedging is used to smooth out volatility.


Last summer at an AEI-sponsored event on cybersecurity, NSA head General Keith Alexander made the case for information sharing legislation aimed at improving cybersecurity. His response to a question from Ellen Nakashima of the Washington Post (starting at 54:25 in the video at the link) was a pretty good articulation of how malware is identified and blocked using algorithmic signatures. In his longish answer, he made the pitch for access to key malware information for the purpose of producing real-time defenses.

What the antivirus world does is it maps that out and creates what’s called a signature. So let’s call that signature A. …. If signature A were to hit or try to get into the power grid, we need to know that signature A was trying to get into the power grid and came from IP address x, going to IP address y.

We don’t need to know what was in that email. We just need to know that it contained signature A, came from there, went to there, at this time.

[I]f we know it at network speed we can respond to it. And those are the authorities and rules and stuff that we’re working our way through.

[T]hat information sharing portion of the legislation is what the Internet service providers and those companies would be authorized to share back and forth with us at network speed. And it only says: signature A, IP address, IP address. So, that is far different than that email that was on it coming.

Now it’s interesting to note, I think—you know, I’m not a lawyer but you could see this—it’s interesting to note that a bad guy sent that attack in there. Now the issue is what about all the good people that are sending their information in there, are you reading all those. And the answer is we don’t need to see any of those. Only the ones that had the malware on it. Everything else — and only the fact that that malware was there — so you didn’t have to see any of the original emails. And only the ones that had the malware on it did you need to know that something was going on.

It might be interesting to get information about who sent malware, but General Alexander said he wanted to know attack signatures, originating IP address, and destination. That’s it.

Now take a look at what CISPA, the Cybersecurity Information Sharing and Protection Act (H.R. 624), allows companies to share with the government provided they can’t be proven to have acted in bad faith:

information directly pertaining to—

(i) a vulnerability of a system or network of a government or private entity or utility;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.

That’s an incredible variety of subjects. It can include vast swaths of data about Internet users, their communications, and the files they upload. In no sense is it limited to attack signatures and relevant IP addresses.

What is going on here? Why has General Alexander’s claim to need attack signatures and IP addresses resulted in legislation that authorizes wholesale information sharing and that immunizes companies who violate privacy in the process? One could only speculate. What we know is that CISPA is a vast overreach relative to the problem General Alexander articulated. The House is debating CISPA Wednesday and Thursday this week.

The mid-to-late 90s saw the crypto wars, probably the Internet’s first major victory against government attempts to control information online. At stake was the public’s right to use strong encryption, which facilitates commerce and allows individuals to maintain their personal privacy, but which government feared would allow “drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity,” as FBI Director Louis Freeh told the Senate Judiciary Committee in 1997. In the end, popular opinion overwhelmed government efforts to include back doors in publicly available encryption, which might as well have been no encryption at all.

Leading the charge in the crypto wars were the cypherpunks, many of whom were radical libertarians who predicted that privacy and anonymity powered by strong encryption would fundamentally shift the balance of power between individuals and the state. For example, in this paper (also from 1997) Tim May, one of the cypherpunks’ founders, describes some of the social implications of “untraceable digital cash”:

Some of these “marginal” uses are terrible to consider. Extortion, kidnapping, and even murder contracts become easier to set up. Extortion, for example, becomes almost unstoppable at the usual place: the collection of a payoff and/or the spending of the payoff money. The extortionist makes his threat from the safety of his home PC, using networks of remailers and message pools, and demands payment in untraceable digital cash… .

Similar to extortion are markets for kidnappings (riskier, due to the physical act), and even untraceable markets for murders. For murder contracts, the usual risk is in setting up the hit—asking around is almost a guaranteed way of getting the FBI involved, and advertising in traceable ways is a similar invitation. This risk is largely removed when anonymous contact and payment methods are used. To ensure the job is completed, third party escrow services—anonymous, of course, but with an established cyberspatial reputation—hold the digital cash until completion.

The thing is, untraceable digital cash has not been a reality until now. Over at Reason, I write that while much of the discussion about Bitcoin is focused on whether the virtual currency has all the attributes of money and whether it can ever be a viable alternative to state-backed fiat currency, its real revolutionary potential is as untraceable digital cash.

Time will tell whether the gold bugs or the skeptics are right, but what’s being overlooked is that it doesn’t matter whether Bitcoin makes it as a store of value or a unit of account for it to work as a medium of exchange. Even if the Bitcoin market remains volatile and never pans out as a good store of value or unit of account, one can imagine users converting their dollars or euros to bitcoins for just long enough to make a transaction; perhaps just minutes. And as long as it works as a medium of exchange, it is the true digital cash that was missing from the cypherpunks’ predictions.

With a little bit of effort, today you can purchase bitcoins anonymously with physical cash. You could then do all sorts of things the government doesn’t want you to do. You could buy illegal drugs on the notorious Silk Road, an encrypted website that has been operating with impunity for the past two years facilitating annual sales estimated at almost $15 million. You could gamble at various casinos or prediction markets, buy contraband Cuban cigars, or even give money to WikiLeaks. Dissidents in Iran or China can use Bitcoin to buy premium blogging services from WordPress, which now accepts payment in the currency. Perhaps more importantly, Bitcoin makes the cypherpunks’ predictions of markets for stolen secret information and even assassinations feasible.

I predict that we will soon see another round of the crypto wars. Now that Bitcoin has broken through to at least some public notice, I suspect we will see greater use of the currency and with it greater illicit use. I also suspect we will see the intelligence community, law enforcement, and child safety advocates take greater notice of Bitcoin as an anonymous payment processor. (Indeed, you can glean from this speech by the director of the Financial Crimes Enforcement Network that they see decentralized virtual currencies like Bitcoin as “emerging payment systems.”) And I suspect that traditional payment processors who might be in competition with Bitcoin will take notice as well. If these stars align, I imagine we will see public calls to “do something” about Bitcoin.

Although Bitcoin’s decentralized nature makes it difficult to regulate, its ecosystem (and even the network itself) is not impervious to attack. Those of us who see the benefits, and not just the costs, of digital cash should begin preparing for this likely confrontation.

Andy Greenberg

Andy Greenberg, technology writer for Forbes and author of the new book “This Machine Kills Secrets: How WikiLeakers, Cypherpunks, and Hacktivists Aim to Free the World’s Information,” discusses the rise of the cypherpunk movement, how it led to WikiLeaks, and what the future looks like for cryptography.

Greenberg describes cypherpunks as radical techie libertarians who dreamt about using encryption to shift the balance of power from the government to individuals. He shares the rich history of the movement, contrasting one of the movement’s founders—hardcore libertarian Tim May—with the movement’s hero—Phil Zimmermann, an applied cryptographer and developer of PGP (the first tool that allowed regular people to encrypt), a non-libertarian who was weary of cypherpunks, despite advocating crypto as a tool for combating the power of government.

According to Greenberg, the cypherpunk movement did not fade away, but rather grew into a larger hacker movement, citing the Tor network, bitcoin, and WikiLeaks as examples of its continuing influence. Julian Assange, founder of WikiLeaks, belonged to a listserv followed by early cypherpunks, though he was not very active at the time, he says.

Greenberg is excited for the future of information leaks, suggesting that the more decentralized the process becomes, the faster cryptography will evolve.
