When my consulting team did security stuff (note technical terminology) at Lotus, we found that the biggest risk from passwords is the Post-It note: users write down their passwords because security policies mandate ones that aren’t readily remembered. Try wandering around your office environment and see how many of these you can find 1) attached to monitors, 2) under keyboards, or 3) on office desk calendars / blotters. Far too much security protocol relies on conventional wisdom and accepted practice rather than empirical data.

Google uses industry-standard Hypertext Transfer Protocol Secure (HTTPS) encryption technology to protect customers’ login information. However, encryption is not enabled by default to protect other information transmitted by users of Google Mail, Docs or Calendar. As a result, Google customers who compose email, documents, spreadsheets, presentations and calendar plans from a public connection (such as open wireless networks in coffee shops, libraries, and schools) face a very real risk of data theft and snooping, even by unsophisticated attackers. Tools to steal information are widely available on the Internet.

Thanks to Chris Soghoian for his leadership on this one!

Filtering Workshop: Implications for ISPs (University of New South Wales, 4 March 2009)

My theme is that the proposed Australian filtering program contemplates a wholesale change in the role of the Internet Service Provider (ISP). This alteration creates a significant risks of undesirable, secondary effects.

ISPs are attractive regulatory targets, especially where enforcement against primary actors such as end users is expensive, uncertain, or problematic due to those actors’ behavior. This may be particularly true in countries such as Australia, the United States, or the United Kingdom, where the network architecture is decentralized. Countries such as China and Saudi Arabia designed their Internet infrastructure to enable centralized control at key choke points, making the involvement of intermediaries in filtering less crucial.
There can be benefits from requiring ISPs to act as enforcers. The application of restrictions is likely to be more uniform than with controls on end users directly, and ISP-based enforcement offers greater immunity against user error or evasion. Filtering at the ISP level is “always on.” In addition, lists of proscribed material are more readily updated since they are deployed at fewer locations on the network.

However, ISP-based restraints create critical challenges. ISPs shift from passing bits to differentiating among them. Power over content decisions shifts from end users at the edge of the cloud to providers, in conjunction with government, at the center. ISPs become regulators with significant power, especially under a system that permits or encourages variation in content blocking. It is not clear, under the current Australian plan, what requirements (if any) ISPs would have to adhere to in terms of transparency about filtering decisions.

Concomitantly, providers may be hesitant about assuming such a role, for they will become enmeshed in heated debates over content. They may be forced into difficult normative judgments, as with decisions regarding fair use versus copyright infringement under the U.S. Digital Millennium Copyright Act (DMCA) or its Australia equivalent. ISPs will quickly face demands for restrictions from a variety of interest groups – consider spam, hate speech, defamation, and illegal drugs sites among others. IP infringement is likely to be the first successor to initial content filtering – note that a requirement for filtering copyrighted material was proposed as a rider to the economic stimulus legislation recently passed in the U.S. ISPs, in short, will be converted to general-purpose watchdogs. The ease with which filtering can be accomplished will tempt interest groups to use it as a way of achieving their goals while minimizing debate or scrutiny. Moreover, ISPs are likely to face varying or inconsistent decisions based on the content at issue (which may be difficult to ascertain without reassembling all of the packets involved in a transaction). For example, U.S. ISPs confront a range of incentives or penalties depending on whether the content at issue infringes copyright, trademark law, bans on child pornography, defamation, or anti-spam statutes.

If faced with these demands to prevent access to content, ISPs may be overdeterred. The threat of liability may cause them to target questionable or even innocent content for blocking. Consider, for example, blog hosts or e-mail service providers in China. Research by the OpenNet Initiative and Rebecca MacKinnon, among others, shows both variation in filtering – suggesting uncertainty about the boundaries of proscribed content – and targeting of seemingly innocent keywords and phrases. In China, and elsewhere, ISPs must consider that failure to prevent access to banned material may lead to draconian or highly visible sanctions as an example to other, similarly situated entities.

Finally, tertiary effects from this role change are likely, but difficult to predict. Data retention efforts or mandates may increase, as governments seek to track who attempts to access banned pages in addition to blocking those efforts. Filtering may substitute for alternative enforcement regimes that are more effective. Consider that in New York, the state attorney general pushed major ISPs into dropping Usenet newsgroups over child pornography concerns while admitting that prosecuting those who produced and distributed the material was infeasible (though probably a more effective way to protect children). An impact on user privacy is nearly certain. ISPs may be required to detect the creation or publishing of banned content, and techniques such as deep packet inspection create risks that can chill communication. Filtering can undercut innovation: it may require blocking protocols such as BitTorrent, or peer-to-peer software more generally, or limiting encryption. It threatens to undercut the end-to-end principle central to the Internet’s design and thus the production of new communications technologies.

Finally, there is the Cylon problem: ISPs may have incentives to filter not just on our behalf, but on their own. For example, the Canadian provider Telus blocked access to the Web site of a labor group involved in an action against it. Similar concerns emerge from the network neutrality debates about ISPs favoring content from partners or subsidiaries. Detecting self-interested measures becomes more difficult in a system where blocking is ubiquitous and mandatory.

In conclusion, ISPs are ground zero in the filtering debate. They may be a necessary component of any blocking system due to the architecture of Australia’s network, but enrolling them as content regulators fundamentally changes the nature of the ISP and raises issues we must address before moving forward.

And the new group’s policy agenda sounds pretty good, culminating in this rather grand statement:

FPF will advocate for privacy advances that are business practical, but that substantially raise the bar to ensure personal autonomy for all who seek to embrace the benefits of our digital society. We will seek to work with industry, advocates and policymakers to ensure the future of privacy is one where we are not enslaved by our data, but rather where data serves the benefit of humankind.

It will be interesting to see how the FPF pursues its mission and how it fits in with existing industry initiatives as well as established advocacy groups like the Electronic Privacy Information Center and the Center for Democracy and Technology.

The New York Times reports on some terrific research done by my former ONI colleague Nart Villeneuve – he found that the TOM-Skype text messaging service in China not only scans messages for sensitive keywords, it also stores copies of offending messages along with information identifying the sender and receiver. This raises a host of scary issues. First, these messages are clearly stored for a purpose. It might be to help TOM-Skype kick people who send sensitive messages off the service; more sinister (and more likely) is that it might help the Chinese government keep tabs on those users (and, probably, analyze traffic data for trends in what’s discussed or to detect new keywords to block). Second, the surveillance is insecure: Nart’s hax0r skills are rare, but there are other skilled folks out there, too, who might find (or have found) uses for this information. Third, Skype has consistently denied doing this sort of thing. Oops. Finally, eBay (which has thus far eluded the scrutiny that Microsoft, Google, and others have faced over operations in China) has responded by saying they’ll have TOM-Skype fix the “security breach.” No, not the one that stores all these messages – the one that let Nart access them. This is like spotting a sewage leak like by the flies above it, and vowing to do something about those flies.

This research also elucidates the link between censorship and surveillance: the former can enable the latter to be better-targeted. Indeed, Nart’s work suggests that TOM-Skype messages were stored not simply because of content, but because the service identified certain users as more likely to send texts with sensitive keywords. That’s scary. And it moves (or should move) the debate about corporate complicity with authoritarian states’ actions up a notch: this is more like Yahoo! selling out Shi Tao than Google censoring search results. We’ll see what, if anything, eBay does in response.

The problem isn’t a failure of imagination on the part of the question-conjurers. It’s the impossibility of coming up with a question that’s easy to answer but hard to guess. After throwing in the caveat that “there is no one perfect question,” the proprietor of Good Security Questions lists 16 that he considers the best. Almost all of them are terrible. What was your childhood nickname? Didn’t have one, sadly. What is the name of your favorite childhood friend? Do Legos count as a friend? What is your oldest sibling’s birthday month? I’m guessing it would take a hacker two tries to get to February.

I’ll add two more problems. First, oftentimes more than one person has legitimate access to the account, like a spouse. Are they asking me about my first pet or hers? Second, there is often more than one possible answer. Who is my favorite childhood friend? I seem to recall that data changed weekly, and that many schoolyard fights emerged over the constant churn in “best” friends.

Not that I have a brilliant solution. I guess it’s another possible argument in favor of what those Identity Gang people are up to…

(Professor Felten, of course, is no stranger to controversy — he was an expert witness for the government in the Microsoft antitrust case and the plaintiff in the short-lived Felten v. RIAA DMCA litigation. While I’m sure would not object to participating in a new DMCA test case, this probably isn’t the way he would have chosen to become involved.)

UPDATE:  Professor Felten’s blog is back, and I believe the Ars Technica story is referring to this post (although, to be honest, I have not read all — or even “most,” or even “many” — of the nearly 500 comments to be certain).

UPDATE:  Professor Felten has more.

The Algorithm Sees the Internet the Way Dmitry Sklyarov Sees a Poorly Encrypted DRM File.

That made for an interesting (and, to me at least, eye-catching) headline, not least because I’m willing to bet that the vast majority of the Journal’s readers have absolutely no idea who Dmitry Sklyarov is or why he’s noteworthy, but also because, of that subset of the Journal’s readers and advertisers who remember Sklyarov, a fair percentage probably disapprove of his conduct. His is an interesting, slightly edgy, name for a ten-billion-dollar intellectual property company to drop, even if it is only by way of alluding to his skill at breaking DRM technologies. (Although if Ask.com wants to get really edgy, I’ve got a name for their next ad campaign that’s even more provocative, and more timely, than Dmitry’s — see below).

Dmitry Sklyarov, for those playing along at home, was the first person ever criminally prosecuted in the United States for violating the Digital Millennium Copyright Act. His crime? Sklyarov, a Russian computer programmer, created a software program to turn copy-protected Adobe eBook files into ordinary PDFs. On the one hand, this made the eBooks far more useful to their owners — Sklyarov’s program enabled eBooks to be printed and to be read aloud via text-to-speech software, for example; capabilities not implemented by Adobe’s own eBook software. On the other hand, Sklyarov’s program also eliminated the copy protections that Adobe had built into the eBooks. Such software was lawful in Russia where Sklyarov actually developed his program. (Insert your own “In Soviet Russia…” joke here.)

When Sklyarov traveled to the United States in the summer of 2001, however, he was arrested — one suspects, at the instigation of Adobe Systems — after speaking at a hacker convention in Las Vegas. He was jailed pending trial and forbidden to return home to Russia. Sklyarov’s case became something of a cause célèbre among Internet civil libertarians in the U.S., and a web site, Free Sklyarov, was set up to track developments in the case. After Sklyarov and his employer, the Russian software company Elcomsoft, unsuccessfully attempted to have the indictment dismissed (United States v. Elcom Ltd., 203 F. Supp. 2d 1111 (N.D. Cal. 2002)), Sklyarov turned state’s evidence and agreed to testify for the government.

The first-ever criminal DMCA trial ended in a defense verdict acquitting Elcomsoft of all charges. The arrest and prosecution of Sklyarov, however, had a perceptible chilling effect on foreign researchers and computer scientists, who reacted with alarm to the U.S. government’s arrest of a foreign national, transiently present in the U.S., based on conduct that was lawful where committed in the national’s home country. Dutch computer engineer Niels Ferguson famously refused to publish the results of his research into Intel’s proprietary HDCP DRM system for digital video transmission for fear of arrest the next time he traveled to the United States, and the Association for Computing Machinery warned that the risk of arrest would discourage its foreign-based members from attending conferences hosted in the United States.

So has Dmitry completed the transition from Robin Hood-style outlaw folk hero to respectable corporate icon? Maybe so — although invoking Sklyarov gives the Ask.com ad a slight whiff of subversiveness among those who actually know his story, it’s likely to inspire far more muted reactions among the greater number of readers who can infer from the ad only that Dmitry must be a talented computer guy of some sort.

Here’s a challenge for Ask.com: next time you’re planning to invoke a controversial cyber vigilante/folk hero/miscreant/martyr in an ad stuffed with other obscure references, forget Sklyarov and go with DVD Jon, the author of DeCSS, QTFairUse, PyMusique, and many other circumvention tools, a professional thorn in the side of the digital content industry whose blog is tellingly captioned (with puckish insouciance) So Sue Me. That might even provoke a WSJ editorial denouncing you (and DVD Jon) as threats to capitalism itself, and hey, there’s no such thing as bad press in advertising, right?

First, the legal point. It is highly instructive to think about this dispute against the backdrop of the landmark case Seattle Times v. Rhinehart, which involved a defamation and privacy suit against the newspaper over critical reporting about a fringe religious group. In the course of normal civil discovery for the defamation case, the defendant newspaper obtained all sorts of internal documents on matters such as finances that would have helped its investigative reporting of the religious group. The Supreme Court unanimously upheld a court order preventing the newspaper from disclosing the details of material uncovered in discovery. The court found it was not an unconstitutional prior restraint. (The order there included the important qualification that the newspaper could publish the same information if it was learned through different channels; I see no indication of any such alternate sources of information in the Zyprexa flap.)

Seattle Times seems to me to stand for the simple proposition that just because information is produced in discovery it doesn’t necessarily belong to the public domain. (For non-lawyers: it is important to realize that most discovery materials are not filed with the court or even used by counsel in their arguments. Often huge volumes are produced and very little of it becomes relevant to the case.) So, some of the sweeping rhetoric we see in the Zyprexa controversy — about sunshine, open courts, the public right to know, and the like — is just plain wrong. This material was sealed by court order. The expert witness who leaked the documents (and whom Lilly alleges colluded with the Alaska lawyer to cook up the subpooena) could and probably should get in a lot of trouble. Yes, there is an argument that documents seeming to show misdeeds of a pharmaceutical giant are in the public interest, but change the facts and see how you feel: what if the court order protected embarrasing private information about an individual whose opponent leaked them onto the internet maliciously? How else can we judge the balance of public interest and private litigants’ interests if not by relying on the courts entering these protective orders?

Fine. That takes care of the initial leak. But what about the second, technological point? In our networked world, the court is basically impotent to contain the leak once it occurs. There is something faintly ridiculous about the order at issue here. Judge Weinstein (who is, btw, a very famous and highly respected federal judge) listed 17 people and entities that were banned from disseminating the leaked documents, and then concluded his list with zyprexa.pbwiki.com. Needless to say, an injunction against a wiki is a little like an injunction against the whole world. And nothing in his order reaches the multiple other sites, some of them wikis or otherwise peer-produced, that have since mushroomed up to post or link to the documents, often anonymized by Tor or otherwise. Once the cat is out of the bag in a networked world, there is little the court can do. Or, as TortsProf Blog memorably headlined it: “Judge Tries to Unring Bell Hanging Around Neck of Horse Already Out of Barn Being Carried on Ship That Has Sailed.”

If this strikes you as a very bad thing, then once again change the facts and see how you feel. It just so happens that the Washington Post reports this morning on Wikileaks, a new effort to create a central, peer-produced wiki for anonymously posting government documents, particularly those exposing corruption and human rights abuses in repressive regimes:

Wikileaks.org is a Web-based way for people with damning, potentially helpful or just plain embarrassing government documents to make them public without leaving fingerprints. Modeled on the participatory, online encyclopedia Wikipedia, the site is expected to go live within the next two months.

[snip]

The site relies on a worldwide web of volunteers and contributors to post and vet the information, and dodge any efforts to shut it down. To protect document donors and the site itself, Wikileaks uses its own coded software combined with, for the techies out there, modified versions of Freenet and PGP.

So, how can we have a world where the good of helping anonymous dissidents in China can coexist with the (arguably) bad of leaking confidential court documents or even private information the same way? How can we decide what information is in the public interest and what information rightfully remains sealed? That’s a big question. The general answer is that we must rely on sensible, nuanced, and rigorously checked systems at the disclosure points. More specifically, to go back to Zyprexa, courts should enter confidentiality orders with care and under well-considered standards to balance protection of the public interest, privacy, and the smooth functioning of discovery and other functions of the civil litigation system. Sealing orders should not be, as too often they are, routine ministerial matters. Finally, there should be real penalties, not wrist-slaps, for violating a conscientiously considered order.

And what does a judge do when the cat/bell/horse/ship is already out/rung/free/sailed? Hold a hearing. Punish the initial leakers if they acted in bad faith. And throw up his hands. I predict that is what will occur in Brooklyn tomorrow.