Posts tagged as:

Government Control of Language and Other Protocols

by on June 6, 2011 · 1 comment

It might be tempting to laugh at France’s ban on words like “Facebook” and Twitter” in the media. France’s Conseil Supérieur de l’Audiovisuel recently ruled that specific references to these sites (in stories not about them) would violate a 1992 law banning “secret” advertising. The council was created in 1989 to ensure fairness in French audiovisual communications, such as in allocation of television time to political candidates, and to protect children from some types of programming.

Sure, laugh at the French. But not for too long. The United States has similarly busy-bodied regulators, who, for example, have primly regulated such advertising themselves. American regulators carefully oversee non-secret advertising, too. Our government nannies equal the French in usurping parents’ decisions about children’s access to media. And the Federal Communications Commission endlessly plays footsie with speech regulation.

In the United States, banning words seems too blatant an affront to our First Amendment, but the United States has a fairly lively “English only” movement. Somehow, regulating an entire communications protocol doesn’t have the same censorious stink.

So it is that our Federal Communications Commission asserts a right to regulate the delivery of Internet service. The protocols on which the Internet runs are communications protocols, remember. Withdraw private control of them and you’ve got a more thoroughgoing and insidious form of speech control: it may look like speech rights remain with the people, but government controls the medium over which the speech travels.

The government has sought to control protocols in the past and will continue to do so in the future. The “crypto wars,” in which government tried to control secure communications protocols, merely presage struggles of the future. Perhaps the next battle will be over BitCoin, an online currency that is resistant to surveillance and confiscation. In BitCoin, communications and value transfer are melded together. To protect us from the scourge of illegal drugs and the recently manufactured crime of “money laundering,” governments will almost certainly seek to bar us from trading with one another and transferring our wealth securely and privately.

So laugh at France. But don’t laugh too hard. Leave the smugness to them.

SHARE: 1 comment

And You Look to Government for Cybersecurity?

by on September 10, 2010 · 0 comments

Washington Times reporter Shaun Waterman has a characteristically excellent article out today about U.S. cybersecurity authorities failing to secure their own systems.

According to a new report by government auditors, systems at the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, were not maintained with updates and security patches in a timely fashion and as a result were riddled with vulnerabilities that hackers could exploit.

Time and again, people look to government intervention based on what they imagine government might do under ideal conditions. Real conditions produce far weaker results.

We’re better off distributing the problem of data, network, and computer security among all the self-interested actors in the country—fallible as they are. We should not abandon the problem to a central authority whose failure fails us all.

SHARE: 0 comments

book review: Cyber War by Clarke & Knake

by on August 6, 2010 · 4 comments

While on vacation last week, I finished up a few new cyber-policy books and one of them was  Cyber War: The Next Threat to National Security and What to Do About It by Richard A. Clarke and Robert K. Knake.  The two men certainly possess the right qualifications for a review of the subject.  Clarke was National Coordinator for Security, Infrastructure Protection, and Counterterrorism during the Clinton years and also served in the Reagan and two Bush administrations. Knake is an international affairs fellow at the Council on Foreign Relations where he specializes in cybersecurity.

Clarke and Knake’s book is important if for no other reason than, as they note, “there are few books on cyber war.” (p. 261) Thus, their treatment of the issue will likely remain the most relevant text in the field for some time to come.

They define cyber war as “actions by a nation-state to penetrate another nation’s computers or networks for the purposes of causing damage or disruption” (p. 6) and they argue that such actions are on the rise.  And they also claim that the U.S. has the most to lose if and when a major cyber war breaks out, since we are now so utterly dependent upon digital technologies and networks.

At their best, Clarke and Knake walk the reader through the mechanics of cyber war, who some of the key players and countries are who could engage in it, and identify what the costs of such of war would entail.  Other times, however, the book suffers from a somewhat hysterical tone, as the authors are out here not just to describe cyber war, but to also issue a clarion call for regulatory action to combat it.  Ryan Singel of Wired, for example, has taken issue with the book’s “doomsday scenario that stretches credulity” and claims that “Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories.”  Bruce Schneier and Jim Harper have raised similar concerns elsewhere.

Continue reading →

SHARE: 4 comments

WordPress Worm: Cyber-Security Begins at Home

by on September 5, 2009 · 9 comments

Wordpress has experienced a major security vulnerability, with a worm making its way around the ‘Net, attacking earlier versions of WordPress. Fortunately, because of the hard work of the Wordpress open source community, the current (2.8.4) and most recent (2.8.3) versions are immune. Yet as with any piece of program, some users haven’t upgraded.  In the case of Wordpress (which we use at the TLF), upgrading can be difficult for sites that rely on plug-ins that aren’t always updated quickly when a new version of WordPress is released.

While my heart goes out to my fellow Wordpress bloggers who may have experienced an attack, I’m just glad that, for once, the message isn’t that somehow we need the government to protect us all from cyber-catastrophes, but, instead, a little good-old-fashioned digital self-help!  From the Wordpress Blog:

WordPress is a community of hundreds of people that read the code every day, audit it, update it, and care enough about keeping your blog safe that we do things like release updates weeks apart from each other even though it makes us look bad, because updating is going to keep your blog safe from the bad guys. I’m not clairvoyant and I can’t predict what schemes spammers, hackers, crackers, and tricksters will come up with with in the future to harm your blog, but I do know for certain that as long as WordPress is around we’ll do everything in our power to make sure the software is safe. We’ve already made upgrading core and plugins a one-click procedure. If we find something broken, we’ll release a fix. Please upgrade, it’s the only way we can help each other.

As with parental controls and privacy, protecting your security online begins at home. Government can help to educate and promote empowerment solutions, and industry certainly has a role to play in both, and communities like Wordpress can offer invaluable support, but at the end of the day, only you can protect yourself online!

SHARE: 9 comments

Privacy Solutions (Part 5): CCleaner

by on July 17, 2009 · 18 comments

CCleanerby Eric Beach & Adam Thierer

In our ongoing “Privacy Solutions Series” we have been outlining various user-empowerment or user “self-help” tools that allow Internet users to better protect their privacy online. These tools and methods form an important part of a layered approach that we believe offers a more effective alternative to government-mandated regulation of online privacy. [See entries 1, 2, 3, 4]  In this installment, we will be exploring CCleaner, a free Windows-based tool created by UK-based software developer Piriform that scrubs you computer’s hard drive and cleans its registry. We’ll describe how CCleaner helps you destroy data and protect your private information.

Whenever you move files to the recycling bin and subsequently purge the recycling bin, the affected files remain on your computer. In other words, deleting files from the recycling bin does not remove them from the computer. The reason for this is important and, in many ways, beneficial. In some respects, many computer file systems work like an old library catalog system. A file is like a catalog card and contains the reference to the actual place on the hard drive where the information contained in the file is stored. When a user deletes a file, the computer does not actually clean all the affected hard drive space. Instead, to extend the analogy, the computer simply removes the card catalog entry that points to the hard drive space where the file is contained and frees up this space for new files. The reason this is usually beneficial is that cleaning the hard drive space occupied by a file can take a while. If you want evidence of this, look no further than the length of time required to reformat a hard drive (reformatting a hard drive actually clears the disk’s contents). The practical implication of the way hard drives work is that when you delete an important memo from your computer, it is not actually gone. Similarly, when you clear your browsing history, it is not gone. The bottom line is that an individual who can access your hard drive (a thief, the government, etc.) could view many or all of the files you deleted.

The solution to this problem is to ensure that when a file is deleted, the space on the hard drive occupied by that file is not simply flagged as available space but is entirely rewritten with unintelligible data. One of the best programs for accomplishing this is CCleaner (which formerly stood for “Crap Cleaner”!)

Continue reading →

SHARE: 18 comments

TPW 44: Unsafe at Any Setting (A Conversation with Chris Soghoian)

by on June 19, 2009 · 5 comments

chris soghoianIn episode #44 of “Tech Policy Weekly,” Berin Szoka and Adam Thierer engage in a debate with Internet security expert Chris Soghoian, who is a student fellow at the Berkman Center for Internet & Society at Harvard University. He is also a Ph.D. candidate at Indiana University’s School of Informatics.

Chris is an up-and-coming star in the field of cyberlaw and technology policy as he has quickly made a name for himself in debates over privacy policy, data security, and government surveillance.  He straddles the line between academic and activist, and the role he often plays in many tech policy debates is somewhat akin to what Ralph Nader has done in many other fields through the years. Except, in this case, instead of “Unsafe at Any Speed” it’s more like “Unsafe at Any Setting,” since Chris is often raising a stink about what he regards as unjust or unreasonable privacy or security settings that various online websites or service providers use.

On the show, Chris talks about two of his recent crusades to get certain online providers to change their default settings to improve user security or privacy: (1) His effort this week to get major email providers—and Google in particular—to change their default security settings on their email offerings; and (2) his earlier crusade to create permanent opt-out cookies to stop behavioral advertising by advertising networks.

There are several ways to listen to today’s TLF Podcast. You can press play on the player below to listen right now, or download the MP3 file. You can also subscribe to the podcast by clicking on the button for your preferred service. (And do us a favor, Digg this podcast!)

[display_podcast]

Continue reading →

SHARE: 5 comments

The Costs of SSL Encryption for Webmail & Other Cloud Services

by on June 16, 2009 · 23 comments

Internet policy Shame Artist extraordinaire Chris Soghoian has struck again! Chris recently shamed the online advertising industry into improving their privacy practices with his Targeted Advertising Cookie Opt-Out (TACO) plug-in for Firefox. Now Chris has set his sight on the security practices of cloud service providers.

A letter released this morning, signed by 37 leading online security experts (and organized by Chris), calls on Google to offer persistent SSL (HTTPS) encryption by default for all Google servicesor at the very least, to make more visible the option currently given to users to opt-in to use SSL for all communications. Google, in its response, indicated that it was already “looking into whether it would make sense to turn on HTTPS as the default for all Gmail users.”

While Google’s response identifies some clear problems with implementing persistent SSL for all users (esp. connection speed), few would deny that it makes sense for webmail providers to encrypt all traffic using SSL, rather than sending email data “in the clear,” which risks interception by hackers. We at PFF hold no brief for Google, in fact we have found ourselves disagreeing with them on many other occasions on a range of issues (most notably net neutrality mandates). Nonetheless, on this front, Google has long been a leader, having offered SSL since Gmail launched and having begun providing the persistent HTTPS option last summer while most of their competitors still use SSL only for the initial authentication that occurs when a user first signs in. While the letter focuses on Google and webmail in particular, this issue has far broader implications for all online cloud service providers.

No Free Lunch: The Costs of Encryption Gmail, Yahoo! Mail, Hotmail, etc. are, of course, “free” ( i.e., ad-supported). Google in particular has lead the way in increasing the functionality offered in Gmail, not just constantly increasing the total storage space provided to every user (now over 7GB), but regularly adding innovative new features—at no charge to users. Continue reading →

SHARE: 23 comments

Privacy Trade-offs: Why We Don’t Really Care about Our Privacy as Much as We Say

by on March 1, 2009 · 33 comments

I was reading this Sun Magazine interview with the always-interesting Nick Carr and I liked what he had to say here about the public’s inconsistent views on privacy:

If you ask people whether they’re concerned about the ability of the government or corporations to gather information about them online, they’ll say yes. But if you look at how they behave online, they don’t display much fear of exposing themselves. What that says about people — and it’s true for most of us — is that we will readily forgo our privacy in exchange for convenient and useful services, particularly if they’re free. That’s a trade-off you make all the time on the Internet. Even if people were more conscious of how this information might be exploited, I doubt most would change their behavior.

This reminds me of the classic “hamburgers for DNA” quip from security expert Bruce Schneier who once famously noted that:

If McDonalds in the United States would give away a free hamburger for an DNA sample they would be handing out free lunches around the clock. So people care about their privacy, but they don’t care to pay for it. In the United States we have frequent shopper cards, which will track down people’s purchases for a 5 cents discount on a can of tuna fish. I don’t think you can convince the public to care about it.

Continue reading →

SHARE: 33 comments

Internet Security Concerns, Online Anonymity, and Splinternets

by on February 15, 2009 · 31 comments

What would it take to create a more secure Internet?  That’s what John Markoff explores in his latest New York Times article, “Do We Need a New Internet?”  Echoing some of the same fears Jonathan Zittrain articulates in his new book The Future of the Internet, Markoff wonders if online viruses and other forms of malware have gotten so out-of-control that extreme measures may be necessary to save the Net.  Compared to when cyber-security attacks first started growing over 20 years ago, Markoff argues that:

[T]hings have gotten much, much worse. Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.

Like many others, Markoff fingers anonymity as one potential culprit:

The Internet’s current design virtually guarantees anonymity to its users. (As a New Yorker cartoon noted some years ago, “On the Internet, nobody knows that you’re a dog.”) But that anonymity is now the most vexing challenge for law enforcement. An Internet attacker can route a connection through many countries to hide his location, which may be from an account in an Internet cafe purchased with a stolen credit card. “As soon as you start dealing with the public Internet, the whole notion of trust becomes a quagmire,” said Stefan Savage, an expert on computer security at the University of California, San Diego.

Consequently, Markoff suggests that:

A more secure network is one that would almost certainly offer less anonymity and privacy. That is likely to be the great tradeoff for the designers of the next Internet. One idea, for example, would be to require the equivalent of drivers’ licenses to permit someone to connect to a public computer network. But that runs against the deeply held libertarian ethos of the Internet.

Indeed, not only does it run counter to the ethos of the Net, but as Markoff rightly notes, “Proving identity is likely to remain remarkably difficult in a world where it is trivial to take over someone’s computer from half a world away and operate it as your own. As long as that remains true, building a completely trustable system will remain virtually impossible.”  I’ve spent a lot of time writing about that fact here and won’t belabor the point other than to say that efforts to eliminate anonymity for the entire Internet would prove extraordinarily intrusive and destructive — of both the Internet’s current architecture and the rights of its users.  There’s just something about a “show-us-you-papers,” national ID card-esque system of online identification that creeps most of us out. That’s why I spend so much time fighting age verification mandates for social networking sites and other websites; it’s the first step down a very dangerous road.

But what if we could apply such solutions in a narrower sense?  That is, could we create more secure communities within the overarching Internet superstructure that might provide greater security?  Markoff starts thinking along those lines when he suggests… Continue reading →

SHARE: 31 comments

Nuts & Bolts: Everything You Wanted To Know About Cookies But Were Afraid To Ask

by on January 27, 2009 · 16 comments

As a means of introducing myself to TLF readers, this is an article that I wrote for the PFF blog in September that has not been previously mentioned on the TLF. Most of my other PFF blog posts have been cross-posted by Adam Thierer or Berin Szoka, but I’ve taken ownership of those posts so they appear on my TLF author page.

This is the first in a series of articles that will focus directly on technology instead of technology policy. With an average age of 57, most members of Congress were at least 30 when the IBM PC was introduced in 1981. So it is not surprising that lawmakers have difficulty with cutting-edge technology. The goal of this series is to provide a solid technical foundation for the policy debates that new technologies often trigger. No prior knowledge of the technologies involved is assumed, but no insult to the reader’s intelligence is intended.

This article focuses on cookies–not the cookies you eat, but the cookies associated with browsing the World Wide Web. There has been public concern over the privacy implications of cookies since they were first developed. But to understand them , you must know a bit of history.

According to Tim Berners Lee, the creator of the World Wide Web, “[g]etting people to put data on the Web often was a question of getting them to change perspective, from thinking of the user’s access to it not as interaction with, say, an online library system, but as navigation th[r]ough a set of virtual pages in some abstract space. In this concept, users could bookmark any place and return to it, and could make links into any place from another document. This would give a feeling of persistence, of an ongoing existence, to each page.”[1. Tim Berners-Lee, Weaving The Web: The Original Design and Ultimate Destiny of the World Wide Web. p. 37. Harper Business (2000).] The Web has changed quite a bit since the early 1990s.

Today, websites are much more dynamic and interactive, with every page being customized for each user. Such customization could include automatically selecting the appropriate language for the user based on where they’re located, displaying only content that has been added since the last time the user visited the site, remembering a user who wants to stay logged into a site from a particular computer, or keeping track of items in a virtual shopping cart. These features are simply not possible without the ability for a website to distinguish one user from another and to remember a user as they navigate from one page to another. Today, in the Web 2.0 era, instead of Web pages having persistence (as Berners-Lee described), we have dynamic pages and “user-persistence.”

This paper describes the various methods websites can use to enable user-persistence and how this affects user privacy. But the first thing the reader must realize is that the Web was not initially designed to be interactive; indeed, as the quote above shows, the goal was the exact opposite. Yet interactivity is critical to many of the things we all take for granted about web content and services today.

Continue reading →

SHARE: 16 comments

← Previous Entries

Next Entries →