Privacy, Security & Government Surveillance

Wired reports that a recent federal court decision would make it possible for a private-sector employee to be found in violation of the Computer Fraud and Abuse Act for simply violating their employer’s data policies, without any real “hacking” having occurred. This not only applies to data access, like grabbing data via a non-password-protected computer, but also to unauthorized use, such as emailing or copying data the employee might otherwise have permission to access.

On its face, this doesn’t seem entirely unreasonable. Breaking and entering is a crime, but so is casually walking into a business or home and taking things that aren’t yours, so it seems like data theft, even without any “hacking,” should be a crime. For the law to be otherwise would create a “but he didn’t log out” defense for would-be data thieves.

But what about unauthorized use? Is there a physical property equivalent of this? Could I be criminally liable for using the corporate car to drag race against my neighbor, or would I only be fired and potentially sued in civil court? Does this new interpretation of the CFAA simply expand the scope of this law into realms already covered, perhaps more appropriately, by statutes that specifically address trade secrets or other sensitive information in a broader way that doesn’t involve computing technology?

Judge Tena Campbell noted in the dissent that under the ruling, “any person who obtains information from any computer connected to the internet, in violation of her employer’s computer-use restrictions, is guilty of a federal crime.” So, perhaps this is a case of the court overreaching in an incredibly dramatic fashion.

I hope my lawyerly co-bloggers can weigh in on this issue.

HT: Ryan Lynch

When it comes to information control, everybody has a pet issue and everyone will be disappointed when law can’t resolve it. I was reminded of this truism while reading a provocative blog post yesterday by computer scientist Ben Adida entitled “(Your) Information Wants to be Free.” Adida’s essay touches upon an issue I have been writing about here a lot lately: the complexity of information control — especially in the context of individual privacy. [See my essays on “Privacy as an Information Control Regime: The Challenges Ahead,” “And so the IP & Porn Wars Give Way to the Privacy & Cybersecurity Wars,” and this recent FTC filing.]

In his essay, Adida observes that:

In 1984, Stewart Brand famously said that information wants to be free. John Perry Barlow reiterated it in the early 90s, and added “Information Replicates into the Cracks of Possibility.” When this idea was applied to online music sharing, it was cool in a “fight the man!” kind of way. Unfortunately, information replication doesn’t discriminate: your personal data, credit cards and medical problems alike, also want to be free. Keeping it secret is really, really hard.

Quite right. We’ve been debating the complexities of information control in the Internet policy arena for the last 20 years and I think we can all now safely conclude that information control is hugely challenging regardless of the sort of information in question. As I’ll note below, that doesn’t mean control is impossible, but the relative difficulty of slowing or stopping information flows of all varieties has increased exponentially in recent years.

But Adida’s more interesting point is the one about the selective morality at play in debates over information control. That is, people generally expect or favor information freedom in some arenas, but then get pretty upset when they can’t crack down on information flows elsewhere. Indeed, some people can get downright religious about the whole “information-wants-to-be-free” thing in some cases and then, without missing a beat, turn around and talk like information totalitarians in the next breath.

I’ve written a long article this morning for CNET (See “Privacy panic debate:  Whose data is it?”) on the discovery of the iPhone location tracking file and the utterly predictable panic response that followed.  Its life-cycle follows precisely the crisis model Adam Thierer has so frequently and eloquently traced, most recently here on TLF.

In particular, the CNET article takes a close and serious look at Richard Thaler’s column in Saturday’s New York Times, “Show us the data. (It’s ours, after all.)” Thaler uses the iPhone scare as occasion to propose a regulatory fix to the “problem” of users being unable to access in “computer-friendly form” copies of the information “collected on” them by merchants.

It is disappointing that the Obama administration, which campaigned against George W. Bush’s poor record on civil liberties protection, is pursuing a course that aims to limit Fourth Amendment rights when it comes to the use of location tracking technology.

The Washington Post reported yesterday that the Obama administration has petitioned the U.S. Supreme Court to overturn a ruling last year by the U.S. Court of Appeals for the D.C. Circuit that forces police to obtain a warrant before tracking the movements of a suspect using a global positioning device.

The motion is significant because various state laws conflict over procedure and the Supreme Court, if it takes the case, could establish long-term procedure going forward. In the case at hand, United States vs. Antoine Jones, the D.C. court sided with the defendant, overturning the conviction against Jones, who was accused of being a major cocaine dealer, ruling that D.C. police violated due process by using a GPS device to track Jones’ movements for one month without a warrant. Appellate courts in New York and California, on the other hand, have ruled in favor of police in similar cases.


On this week’s John Stossel show on Fox Business Network, I debated Internet privacy, advertising, and data collection issues with Michael Fertik of Reputation.com. In the few minutes we had for the segment, I tried to reiterate a couple of key points that we’ve hammered repeatedly here in the past:

  • There’s no free lunch. All the free sites and services we enjoy online today are powered by advertising and data collection. [see this op-ed]
  • There is no clear harm in most cases, or what some argue is harm also can have many benefits that are rarely discussed. [see this paper.]
  • There’s little acknowledgement of the trade-offs involved in having government create an information control regime for the Internet. [see this filing and these three essays: 1, 2, 3.]
  • The ultimate code of “fair information practices” is the First Amendment, which favors free speech, openness, and transparency over secrecy and information control. [see this piece.]
  • “Hands Off the Net” is a policy that has served us well. There are dangerous ramifications for our economy and long-term Internet freedoms if we continue down the road of “European-izing” privacy law here in the States. [see this essay and this filing.]
  • At some point, personal responsibility needs to come into the equation. With so many privacy enhancing empowerment tools already on the market, it begs the question: If consumers don’t take steps to use those tools, why should government intervene and take action for them?

Anyway, here’s the 7-min video of the debate between Fertik and me:

http://www.youtube.com/v/rYBsOK47LUw&hl=en_US&feature=player_embedded&version=3

I’m gratified that my recent writing on the Bitcoin virtual currency project has stirred much conversation and I thought I’d take a moment to continue that conversation.

Tim Lee has written two posts critiquing the viability of Bitcoin from the supply and demand side. Dan Rothschild has responded in part. Tyler Cowen also weighed in.

To address Tim I’ll simply say this: Do I think Bitcoin will replace the dollar? No. Might Bitcoin have certain systemic design flaws that might impede its success? Quite possibly. Will Bitcoin become the de facto, manipulation-proof currency of the internet? Who knows. Tim’s posts are a somewhat technical critique of Bitcoin’s long-term feasibility. It’s a great contribution, but since I’m neither a gold bug nor a Bitcoin booster per se, I don’t find it especially interesting.

That all said, what I do think is revolutionary about Bitcoin is that its developers have solved, without the use of a middleman, the double-spending problem faced by virtual currencies. That gives us license to realistically imagine a world without regulable financial intermediaries online.

While Tim overlooks what makes Bitcoin radical, Tom Sydnor groks it viscerally. Writing in a lengthy comment on my post, Tom expresses dismay at what Bitcoin represents and offers what I would, with apologies, characterize as the cyber-conservative response.

In my latest “Technologies of Freedom” column for Forbes, I take a closer look at the idea of an “Internet eraser button” as one method of protecting privacy or safeguarding reputation online. The child safety group Common Sense Media has suggested it is needed to help kids and others wipe out embarrassing facts we’ve placed online but later come to regret. The Eraser Button idea is similar to “the right to be forgotten” proposal currently being hotly debated in Europe.

In my column, I argue that “it is unlikely that such a mechanism could be implemented, and even if it could, it would have troubling ramifications for freedom of speech, digital commerce, and Internet governance more generally.” I dwell a bit on the free speech issues and note that “What we are talking about here is the destruction of history, otherwise known as censorship. Few would have suggested that burning books was a smart way to protect privacy in the past. Is burning binary bits of information any wiser?” But the point seems moot in light of the significant enforcement challenges the notion faces, including the question: Who actually owns the data collected by online sites and services?

Anyway, read the rest of the essay over at Forbes. And here are a few other pieces we’ve run here at the TLF on the issue: 1, 2, 3.

Yesterday the FBI effectively shut down three of the largest gambling sites online and indicted their executives. From a tech policy perspective, these events highlight how central intermediary control is to the regulation of the internet.

Department of Justice lawyers were able to take down the sites using the same tools we’ve seen DHS use against alleged pirate and child porn sites: they seize the domain names. Because the sites are hosted overseas (where online gambling is legal), the feds can’t physically shut down the servers, so they do the next best thing. They get a seizure warrant for the domain names that point to the servers and force the domain name registrars to point them instead to a government IP address, such as 50.17.223.71. The most popular TLDs, including .com, .net, .org, and .info, have registrars that are American companies within U.S. jurisdiction.

Another intermediary point of control for the federal government is payment processors. The indictments revealed yesterday relate to violations of the Unlawful Internet Gambling Enforcement Act, which makes it illegal for banks and processors like Visa, MasterCard and PayPal to let consenting adults use their money to gamble online. According to the DOJ, in order to let them bet, the poker sites “arranged for the money received from U.S. gamblers to be disguised as payments to hundreds of non-existent online merchants purporting to sell merchandise such as jewelry and golf balls.” (PDF)

Now, imagine if there were no intermediaries.

In my TIME.com Techland column today, I write about Bitcoin, a completely decentralized and anonymous virtual currency that I think will be revolutionary.

Because Bitcoin is an open-source project, and because the database exists only in the distributed peer-to-peer network created by its users, there is no Bitcoin company to raid, subpoena or shut down. Even if the Bitcoin.org site were taken offline and the Sourceforge project removed, the currency would be unaffected. Like BitTorrent, taking down any of the individual computers that make up the peer-to-peer system would have little effect on the rest of the network. And because the currency is truly anonymous, there are no identities to trace.

And if a P2P currency can make it so that there is no fiscal intermediary to regulate, how about a distributed DNS system so that there are no registrars to coerce? This is something Peter Sunde of Pirate Bay fame has been working on. These ideas may sound radical and far-fetched, but if we truly want to see an online regime of “denationalized liberalism,” as Milton Mueller puts it, then getting rid of the intermediaries in the net’s infrastructure might be the best path forward.

Again, check out my piece in TIME for a thorough explanation of Bitcoin and its implications. I plan to be writing about it a lot more and devote some of my research time to it.

When legislation or regulation is what you rely on for privacy protection, your privacy protection relies on political consensus staying the same. When political consensus changes, your privacy can go away.

Witness the Department of Education’s proposed change to FERPA regulations—the Family Educational Rights and Privacy Act—to make more data about students available to more people. The privacy protections that have applied until now are unlikely to withstand the Education Department’s belief that using data about students is more important.

To anyone who relied on FERPA for privacy protection: Oops!