Privacy, Security & Government Surveillance

Hosted by SMU’s Guildhall video game law graduate program, the Game::Business::Law summit is the leading conference in the field. Follow the discussion on the #GBL2011 hashtag. Here’s the make-up of my privacy panel:

Moderator: Professor Xuan-Thao Nguyen, SMU Dedman School of Law
Speakers:
Jennifer Archie, Partner, Latham & Watkins LLP
Andrew S. Ehmke, Partner, Haynes and Boone, LLP
Dr. Joshua Fairfield, Washington & Lee School of Law
Berin Szoka, Founder, TechFreedom

This is an all-star cast. Prof. Nguyen is a big name in the video game law field; I had the privilege to work with Jennifer Archie on Internet law when I practiced at Latham; and Josh Fairfield is one of the few law professors I find myself in perfect philosophical harmony with. Check out this summary of his excellent 2009 paper Virtual Parentalism. I only met Andy last night at the reception, but he’s a solid thinker on the law of gaming. As they say on postcards: Wish you were here!

(HT: Schneier) Here’s a refreshingly careful report on cybersecurity from the Organization for Economic Cooperation and Development’s “Future Global Shocks” project. Notably: “The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.” There will be no cyber-“The Day After.”

Here are a few cherry-picked top lines:

Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.
The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.
Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.

The hyping of “cyber” threats—bordering on hucksterism—should stop. Many different actors have a good deal of work to do on securing computers, networks, and data. But there is no crisis, and the likelihood of any cybersecurity failure causing a crisis is extremely small.

The smartphone is arguably one of the most empowering and revolutionary technologies of the modern era. By putting the processing power of a personal computer and the speed of a broadband connection into a device that fits in a pocket, smartphones have revolutionized how we communicate, travel, learn, game, shop, and more.

Yet smartphones have an oft-overlooked downside: when they end up in the wrong hands, they offer overreaching agents of the state, thieves, hackers, and other wrongdoers an unparalleled avenue for uncovering and abusing the volumes of sensitive personal information we increasingly store on our mobile phones.

Over on Ars Technica, I have a long feature story that examines the constitutional and technical issues surrounding police searches of mobile phones:

Last week, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF), holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

California’s opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it’s not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest. In this article, we will discuss the rationale for allowing police to conduct warrantless searches of arrestees, your right to remain silent during police interrogation, and the state of mobile phone security.


Today the Mercatus Center has released a short new paper I have authored on “Unappreciated Benefits of Advertising and Commercial Speech.”  I begin the piece by noting that:

Federal policy makers, state legislators, and state attorneys general have recently shown interest in regulating commercial advertising and marketing. Several new regulatory initiatives are being proposed, or are already underway, that could severely curtail or restrict advertising or marketing on a variety of platforms. The consequences of these stepped-up regulatory efforts will be profound and will hurt consumer welfare both directly and indirectly.

I go on to note that “advertising can be an easy target for politicians or regulatory activist groups who make a variety of (typically unsubstantiated) claims about its negative impact on society,” but then continue on to explain how “the role of commercial speech in a free-market economy is often misunderstood or taken for granted.” I outline how, despite regulators’ concerns, consumers actually derive three important types of benefits from advertising and marketing: (1) Informational / Educational Benefits; (2) Market Choice / Pro-Competitive Benefits; and (3) Media Promotion / Cross-Subsidization.  After discussing each benefit, I conclude that:

For these reasons, a stepped-up regulatory crusade against advertising and marketing will hurt consumer welfare since it will raise prices, restrict choice, and diminish marketplace competition and innovation—both in ad-supported content and service markets, and throughout the economy at large.  Simply stated, there is no free lunch.

Read the entire 1,800-word essay here.  I have also embedded the document down below in a Scribd reader.


Via @csoghoian (who can be wrathful if you don’t attribute), Adobe buries the lede in its blog post about privacy improvements to the Flash player. They’re working with the most popular browser vendors on integrating control of “local shared objects”—more commonly known as “Flash cookies”—into the interface. Users’ control of Flash cookies will soon be similar to control of ordinary cookies.

It doesn’t end there:

Still, we know the Flash Player Settings Manager could be easier to use, and we’re working on a redesign coming in a future release of Flash Player, which will bring together feedback from our users and external privacy advocates. Focused on usability, this redesign will make it simpler for users to understand and manage their Flash Player settings and privacy preferences. In addition, we’ll enable you to access the Flash Player Settings Manager directly from your computer’s Control Panels or System Preferences on Windows, Mac and Linux, so that they’re even easier to locate and use. We expect users will see these enhancements in the first half of the year and we look forward to getting feedback as we continue to improve the Flash Player Settings Manager.

Mysterious, sinister “Flash cookies” were Exhibit A in the argument for a Do Not Track regulation. There is no way that people can cope with the endless array of tracking technologies advertisers are willing to deploy, the argument went, so the government must step in, define what it means to be “tracked,” and require it to stop—without kneecapping the free Internet. (Good luck with that!)

But Flash cookies are now quickly taking their place as a feature that users can control from the browser (or OS), customizing their experience of the Web to meet their individual privacy preferences. This is not a panacea, of course: People must still be made aware of the importance of controlling Flash cookies, as well as regular cookies. New tracking technologies will emerge, and consumer-friendly information controls meeting those challenges will be required in response.

But if this is what the drawn-out “war” against tracking technologies looks like, color me pro-war!

In a few short months, Adobe has begun work on the controls needed to put Flash cookies under people’s control. The Federal Trade Commission—prospective imposer of peace through complex, top-down regulation—took more than a year to produce a report querying whether a Do Not Track regulation might be a good idea. This problem will essentially be solved (and we’ll be on to the next one) before the FTC would have gotten saddled up.

Yes, Adobe may have acted because of the threat of damaging government regulation. That seems always to be what gets these companies moving. Of course it does, when the primary modus operandi of privacy advocacy is to push for government regulation. Were the privacy community to work as assiduously on boycotts as acting through intermediary government regulators, change might come even faster.

We could do without the standing army of regulators. Having a government sector powerful enough to cow the business sector is costly, both in terms of freedom and tax dollars.

With the failure of Do Not Track, the vision of a free and open Internet—populated by aware, empowered individuals—lives on.

I’ve been bemused by a minor controversy about remarks Ryan Calo of Stanford University made to a New York Times reporter for this story on Internet privacy and government access.

“When your job is to protect us by fighting and prosecuting crime, you want every tool available,” said Ryan Calo, director of the consumer privacy project at the Center for Internet & Society at Stanford Law School. “No one thinks D.O.J. and other investigative agencies are sitting there twisting their mustache trying to violate civil liberties. They’re trying to do their job.”

That apparently didn’t sit well in some corners of the privacy community, and Calo felt obligated to explain the comment as though he had implied that DoJ efforts to undercut privacy should not be resisted. He hadn’t.

But evidently some people do think DoJ officials, or some relevant segment of them, are mustache-twisting privacy-haters. There are a few genuine oddballs committed to undercutting privacy, but it’s not worth casting aspersions on the entire security bureaucracy because of these few.

I believe the motivations of the vast majority of DoJ officials are good. They feel a real sense of honor from doing their self-chosen task of protecting the country from various threats. On average, they’ll likely weigh security and safety more heavily than the average privacy advocate or civil libertarian. Because they don’t think about privacy as much, they may not understand as well what privacy is and how to protect it consistent with pursuing justice. These are all good faith reasons why DoJ officials may undervalue and, in their work, undercut privacy. It is not necessary to believe that a dastardly enemy sits on Constitution Avenue mocking the document that street is named after.

The theory of the evil DoJ official says more about the theoretician than the DoJ. Experience in Washington has shown me that incompetence is almost always the better explanation than malice. (That’s not very nice, talking about “incompetence,” but there are some DoJ officials who lack competence in the privacy area.) Some people apparently need a dramatic story line to motivate themselves.

I’m sure it feels good to cast oneself as a white hat facing down a team of secretive, nefarious, government-sponsored black hats. But this mind-set gives away strategic leverage in the fight for privacy. The story is no longer how to protect privacy; it’s who is bad and who is good. Everyone (everyone thoughtful about messaging and persuasion, anyway) recognizes that Wikileaks veered off course by letting Wikileaks itself and Julian Assange become the story. We’re not having the discussion we should have about U.S. government behavior because of Assange’s self-regard.

I agree with my privacy brethren on the substance of the issues, but those who have similar self-regard, who insist on good-vs.-evil framing in order to cast themselves as heroic—they are closing the ears of DoJ officials they might reach and giving away opportunities to actually improve protections for privacy in the country.

I laughed out loud when I read the following line in Harlan Yu’s post, “Some Technical Clarifications About Do Not Track“:

“[T]he Do Not Track header compels servers to cooperate, to proactively refrain from any attempts to track the user.”

(Harlan’s a pal, but I’m plain-spoken with friends just like everyone else, so here goes, buddy.)

To a policy person, that’s a jaw-dropping misstatement. An HTTP header is a request. It has no coercive power whatsoever. (You can learn this for yourself: Take 30 minutes and write yourself a plug-in that charges ten cents to every site you visit. Your income will be negative 30 minutes of your time.)
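To make the point concrete, here is an added example (not code from the original post or from any browser vendor) showing what the header actually does on the wire: the browser sends a line, the server parses it, and whether a tracking cookie gets set depends entirely on a server-side policy flag that nothing in HTTP enforces. The header name "DNT" and the values "1" (do not track) and "0" (tracking permitted) follow the browser convention of the time; the host names, the cookie name and the sample traffic are constructed for the example. The last function takes the defender's view: given captured request/response pairs, it lists the sites that set the tracking cookie despite receiving DNT: 1, which is the kind of check a privacy auditor, rather than the header itself, would have to run.

```python
"""Added example: a Do Not Track header is a request the browser sends;
honouring it is a server-side policy decision.  Host names, the cookie
name and the sample traffic below are constructed for illustration."""

from typing import Dict, List, Optional, Tuple

TRACKING_COOKIE = "adid"  # hypothetical name of a cross-site tracking cookie


def dnt_preference(request_headers: Dict[str, str]) -> Optional[bool]:
    """Parse the DNT request header.

    Returns True when the user asked not to be tracked ("DNT: 1"), False when
    the user explicitly permits tracking ("DNT: 0"), and None when the header
    is absent or malformed (no preference expressed).  Header names are
    matched case-insensitively, as HTTP requires.
    """
    for name, value in request_headers.items():
        if name.lower() == "dnt":
            value = value.strip()
            if value == "1":
                return True
            if value == "0":
                return False
            return None
    return None


def build_response(request_headers: Dict[str, str], honour_dnt: bool) -> Dict[str, str]:
    """Simulate a server deciding whether to set a tracking cookie.

    Nothing in HTTP forces `honour_dnt`; it is the operator's choice.  That is
    the point: the header carries a preference, not an obligation.
    """
    response = {"Content-Type": "text/html"}
    wants_no_tracking = dnt_preference(request_headers) is True
    if honour_dnt and wants_no_tracking:
        return response  # policy says: respect the request, set no tracking cookie
    response["Set-Cookie"] = f"{TRACKING_COOKIE}=constructed-id-123; Path=/"
    return response


Exchange = Tuple[str, Dict[str, str], Dict[str, str]]  # (host, request, response)


def audit_exchanges(exchanges: List[Exchange]) -> List[str]:
    """Auditor's view: return the hosts that set the tracking cookie even
    though the request carried DNT: 1.  This check lives outside the
    protocol; the header itself detects and enforces nothing."""
    offenders = []
    for host, req_headers, resp_headers in exchanges:
        if dnt_preference(req_headers) is not True:
            continue
        sets_tracker = any(
            name.lower() == "set-cookie" and value.startswith(TRACKING_COOKIE + "=")
            for name, value in resp_headers.items()
        )
        if sets_tracker:
            offenders.append(host)
    return offenders


# Constructed sample traffic: the same request sent to sites with different policies.
REQUEST_DNT_ON = {"Host": "example.test", "User-Agent": "ExampleBrowser/1.0", "DNT": "1"}
REQUEST_NO_PREF = {"Host": "example.test", "User-Agent": "ExampleBrowser/1.0"}

SAMPLE_EXCHANGES: List[Exchange] = [
    ("honouring.example", REQUEST_DNT_ON, build_response(REQUEST_DNT_ON, honour_dnt=True)),
    ("ignoring.example", REQUEST_DNT_ON, build_response(REQUEST_DNT_ON, honour_dnt=False)),
    ("no-pref.example", REQUEST_NO_PREF, build_response(REQUEST_NO_PREF, honour_dnt=True)),
]


if __name__ == "__main__":
    for host, _, resp in SAMPLE_EXCHANGES:
        outcome = "tracking cookie set" if "Set-Cookie" in resp else "no tracking cookie"
        print(f"{host}: {outcome}")
    print("ignored DNT: 1 at:", audit_exchanges(SAMPLE_EXCHANGES))
```

Run stand-alone, the script shows the honouring site setting no cookie, the ignoring site setting one, and the audit naming only the ignoring site; the same request produced both outcomes because the decision sat on the server, not in the header.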

Credit goes to the first commenter on his post who said, “What if they ignore the header? . . . Wouldn’t there also need to be legal penalties in place for violations, in order for this to work? (To encourage advertising companies to put in those lines of code.) Is this in the works?”

It might take Facebook a while to turn identity provision into a revenue opportunity, but if it is a money-maker, it could be a substantial one. Simson Garfinkel has a piece in Technology Review that goes into some of the things Facebook is doing with its “Connect” service.

As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.

It’s a good, relatively short article, worth a read.

As an online identity provider, Facebook could facilitate secure commerce and communication in a way that’s easy and familiar for consumers. That adds value to the Internet ecosystem, and Facebook may be able to extract some of the surplus for itself—perhaps by charging sites and services that are heavy users small amounts per login via Connect. The security challenges of such a system would grow as more sites and services rely on it, of course, and Garfinkel highlights them in an accessible way.

Quibbles are always more interesting, so I’ll note that I cocked my head to one side where Garfinkel asks “whether it’s a good thing for one company to hold such a position of power.” Strange.

Taking “power” in its philosophical sense to mean “a measure of an entity’s ability to control its environment, including the behavior of other entities,” Facebook Connect gives the company very little power. Separate, per-site logins—or a parallel service that might be created by Google, for example—are near at hand and easy to switch to for anyone who doesn’t like Facebook’s offering.

Ironically, Garfinkel refers to these identity services as “Internet driver’s licenses,” inviting a comparison with the power structure in the real-world licensing area. If you want to drive a car legally, there are no alternatives to dealing with the state, so the state can impose onerous conditions on licensing. Drivers’ licenses require one to share a great deal of information, they cost a lot of money (relative to Facebook’s dollar price of “free”), and switching is not an option if the issuer starts to change the bargain and enroll licensees in a national ID system. Garfinkel himself noted how drivers’ licenses enhance state power in a good 1994 Wired article.

In sum, the upsides of an identity marketplace are there, for both consumers and for Facebook. The downsides are relatively small. The “power” exercised by any provider in a marketplace for identity provision is small compared to the alternative of using states as identity providers.

Here at TLF, our privacy discussions often center around such concepts as expectations of privacy, notice and choice, opt-in/out, and the like. These are all important and legitimate of course, but the privacy issue that seems to make news more than any other is Google Spy-Fi, and the defiant attitude Google has against governments. And this has me worried.

Not that I think governments necessarily need to regulate privacy, or that Google’s data collection from unsecured hotspots was even illegal. I’m thinking much more practically. People are concerned about privacy, governments are investigating Google to see what data it really collected, and Google seems to be cherry-picking the kinds of information it provides to different authorities. And in this defiant game of chicken, it’s the rest of the industry that’s the bacon – and I’m afraid we’re all slowly being fried.

There’s an old adage among practitioners of non-violent resistance that “an eye for an eye” retaliation leaves everyone blind. With yesterday’s news that authorities raided Google’s Korean office and found massive amounts of personal data, I’m wondering when—not if—bad behavior from the industry leader will result in a black eye for all online companies.

Korea’s National Police Agency claims to have found “hundreds of thousands of emails, instant messages and other personal data” on Google’s hard drives. This is the latest in a string of similar findings in other countries, including Germany, Canada, France and the UK.

If it were all just foreign, that would be one thing.

Reading through the respective December 2010 privacy reports from the Federal Trade Commission (FTC) and Department of Commerce (DoC), one cannot help but be struck by the Obama Administration’s seeming desire to make America’s tech sector — and the regulatory regime that governs it — more closely resemble Europe’s.  The push for an ambitious new “privacy framework” and set of “fair information practices” is just a riff borrowed from the EU data directive.  And although the Obama team stops short of calling privacy a “dignity right” as many European policymakers are prone to do, it’s clear from both the FTC and DoC reports that that’s where they want to take us.

It’s interesting to me, though, that the Obama Administration relies on two fundamentally flawed rationales for the “European-ification” of American privacy law.  In this regard, I’ll reference some passages from the DoC’s report that appear in the section on “The Economic Imperative” for a new regime, which appears on pages 13-16 of the report.

Myth #1: Privacy Regs Are Needed to Get More People Online or Using Digital Technology

First, the DoC pulls out the old saw about the need for expanded privacy regs to ensure greater online trust and, as a result, promote increased online interactions.  The report claims that “maintaining consumer trust is vital to the success of the digital economy” and that “an erosion of trust will inhibit the adoption of new technologies” (p. 15).  The problem with the theory that online commerce or consumer interactions online are somehow being thwarted by a lack of more privacy regulation is that it is plainly contradicted by the facts.