Wednesday, April 18, 2012

Congressmen pushing awful cybersecurity bill fail cybersecurity 101

Over the last several months, several cybersecurity bills have been proposed by various Congressional committees. One of the leading bills, the Cyber Intelligence Sharing and Protection Act (CISPA), has been proposed by Congressmen Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.). Many of the major civil liberties groups like EFF and ACLU have legitimately criticized the substance of the bill, which would give companies a free pass to share their customers' private information with the government.

I'm not going to get into the weeds and criticize specific portions of this bill. Instead, I want to make a broader point - Congress knows absolutely nothing about cybersecurity, and quite simply, until it knows more, and starts leading by example, it has no business forcing its wishes on the rest of us.

Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.

So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how good is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.

HTTPS and Congressional websites

HTTPS encryption is the most basic form of security that websites should use - providing not only confidentiality, but also authentication and integrity, so that visitors to a site can be sure they are indeed communicating with the site they believe they are visiting. All big banks and financial organizations use HTTPS by default, Google has used it for Gmail since January 2010, and even the CIA and NSA websites use HTTPS by default (even though there is absolutely nothing classified on either of the two spy agency public sites). Some in Congress have even lectured companies about their lack of default HTTPS encryption - one year ago, Senator Schumer wrote to several major firms including Yahoo and Amazon, telling them that "providers of major websites have a responsibility to protect individuals who use their sites and submit private information. It’s my hope that the major sites will immediately put in place secure HTTPS web addresses.”

It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry. It is therefore alarming that not only do Congressional websites not offer HTTPS by default, but most members' websites don't support HTTPS at all.

Rogers

For example, the webserver running Congressman Mike Rogers's website seems to support HTTPS; however, attempting to visit https://mikerogers.house.gov/ (or https://www.mikerogers.house.gov/) results in a certificate error.

This is perhaps a bit better than Congressman Rogers's campaign website, which does not appear to be running an HTTPS webserver at all. Attempting to visit https://www.mikerogersforcongress.com/ results in a connection error.

Ruppersberger

When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.

Congressman Ruppersberger's campaign webserver appears to support HTTPS, but returns a certificate error.

Congressional websites could do HTTPS

While most Congressional websites return HTTPS certificate errors, the problems largely seem to be configuration issues. The webserver that runs all of the house.gov websites is listening on port 443, and it looks like Akamai is serving a wildcard *.house.gov certificate that can be used to secure any Congressional website (a wildcard covers exactly one label, so mikerogers.house.gov is covered while www.mikerogers.house.gov would need its own name on the certificate). As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like some content on that page is still loaded over plain HTTP, i.e. mixed content). This means that the Congressional IT staff can enable HTTPS for Rogers, Ruppersberger and every other member without having to buy any new certificates or set up new webservers. The software is already all there, and the fact that these sites do not work over HTTPS suggests that no one in the members' offices has asked for it. After all, if Nancy Pelosi's site can offer a secure experience, other members of Congress should be able to get similar protections too.
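The three checks the post performs by hand (is anything listening on 443, does the certificate actually cover the hostname, and is the page free of plain-HTTP sub-resources) can be scripted. The Python below is an added example, not code from the original post or from the House's IT staff. The wildcard rules follow RFC 6125 section 6.4.3; the hostnames are the ones the post mentions, the subjectAltName list in the usage section is an assumed stand-in for whatever the house.gov front end really presents, and the HTML snippet is constructed.

```python
"""Classify a site's HTTPS posture the way the post does by hand (added example).

Not code from the original post. Wildcard matching follows RFC 6125 s6.4.3;
the hostnames are the ones the post names, the SAN list in the usage at the
bottom is an assumed stand-in for whatever the house.gov front end really
presents, and the HTML snippet is constructed.
"""
import socket
import ssl
from html.parser import HTMLParser
from typing import Iterable, List, Tuple


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly a wildcard) covers hostname.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label, so "*.house.gov" covers "mikerogers.house.gov" but
    neither "house.gov" nor "www.mikerogers.house.gov".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial-label wildcards such as "m*.house.gov" are refused
    if len(p_labels) < 3:
        return False  # refuse "*.gov": too broad to be a sane certificate name
    if len(p_labels) != len(h_labels):
        return False  # "*" never spans more than one label
    return p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_names: Iterable[str]) -> bool:
    """Does any subjectAltName on the certificate cover this hostname?"""
    return any(hostname_matches(name, hostname) for name in san_names)


class _MixedContentScanner(HTMLParser):
    """Collect sub-resources an HTTPS page loads over plain http://."""
    ATTRS = {"script": "src", "img": "src", "link": "href", "iframe": "src"}

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for key, value in attrs:
            if key == wanted and value and value.lower().startswith("http://"):
                self.found.append((tag, value))


def find_mixed_content(html: str) -> List[Tuple[str, str]]:
    """Return (tag, url) pairs for http:// sub-resources in an HTML document."""
    scanner = _MixedContentScanner()
    scanner.feed(html)
    return scanner.found


def classify_https(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live probe (needs network): tell 'nothing listening' from 'bad certificate' from 'ok'.

    On a successful handshake it also returns the first response line and any
    Location header, so a redirect to an unrelated site is visible.
    """
    try:
        raw = socket.create_connection((hostname, port), timeout=timeout)
    except OSError as exc:
        return {"status": "no_listener", "detail": str(exc)}
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        tls = ctx.wrap_socket(raw, server_hostname=hostname)
    except ssl.SSLCertVerificationError as exc:
        raw.close()
        return {"status": "cert_error", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        raw.close()
        return {"status": "tls_error", "detail": str(exc)}
    with tls:
        tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {hostname}\r\n\r\n".encode())
        head = tls.recv(4096).decode("latin-1", "replace")
    lines = head.split("\r\n")
    location = next((l.split(":", 1)[1].strip() for l in lines
                     if l.lower().startswith("location:")), None)
    return {"status": "ok", "response": lines[0], "location": location}


if __name__ == "__main__":
    assumed_sans = ["house.gov", "*.house.gov"]  # assumption, not the real certificate
    for host in ["mikerogers.house.gov", "www.mikerogers.house.gov", "pelosi.house.gov"]:
        print(host, "covered" if cert_covers(host, assumed_sans) else "NOT covered")
    sample = '<script src="http://cdn.example/a.js"></script><img src="https://x/y.png">'
    print(find_mixed_content(sample))  # constructed HTML: one http:// script
```

The offline functions are the ones worth keeping around: `hostname_matches` is where most "certificate error" diagnoses come from (a wildcard that does not reach the www. sub-subdomain), and `find_mixed_content` flags the plain-HTTP includes that make an otherwise valid HTTPS page only partially protected. `classify_https` is the live probe and needs network access; it deliberately uses the default verifying context so that it fails the same way a browser would.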

Remember SOPA

During the SOPA debate several months ago, a few members seemed to take pride in acknowledging their total ignorance regarding technology, proclaiming that they were not nerds, didn't understand the Internet, but even so still thought that SOPA was a good bill. Those members were justifiably ridiculed for ignoring technical experts while voting for legislation that would significantly and negatively impact the Internet.

Here, we have members who've not even bothered to ask the Congressional IT staff to make sure that their websites support HTTPS, let alone use it by default, who are now telling the rest of the country that we should trust their judgement on the complex topic of cybersecurity.

Until the respective Congressional committees that deal with technology issues actually hire subject matter experts, any legislation they propose will lack legitimacy and will most likely be ineffective. Likewise, if Congress thinks that cybersecurity is a priority, perhaps it should lead by example.

Wednesday, April 04, 2012

Google's pro-privacy legal position re: DOJ could assist class action lawyers in search referrer privacy lawsuit

In the summer of 2010, I filed an FTC complaint (pdf) against Google for deceiving its users about the extent to which it knowingly leaks user search queries to third parties via the referrer header sent by web browsers. Shortly after my complaint was made public, a class action firm hit Google with a lawsuit over the practice.

Like many privacy class actions, the lawyers included every possible legal argument they could think of. One of their claims was that Google had violated the Stored Communications Act, which prohibits companies from sharing the contents of users' communications with other parties (even law enforcement agencies, unless they have a warrant).

The federal judge assigned to the case recently threw out all but one of the class action firm's claims, but has permitted the case to continue solely focusing on Google's alleged violations of the Stored Communications Act. As such, one of the next big, important issues that the court is going to have to address is determining whether or not search queries are considered communications content under the Stored Communications Act.

As law professor Eric Goldman recently observed, "the SCA's poor drafting means that no one (including the judges) knows exactly what's covered by the statute." This is certainly true, and made worse by the fact that the statute hasn't really been updated since it was passed in 1986, long before the first web search engine or referrer header. It is for this very reason that DOJ has argued that the government should be able to get search engine query data without a warrant. Thankfully, Google disagrees.

Google: Search queries are content

At a recent event at San Francisco Law School, Richard Salgado, Google's Director of Law Enforcement and Information Security spoke publicly (for the first time) about Google's aggressively pro-privacy legal position on search queries and government access:

As far as search warrants and content go, Google and I think a lot of providers are taking this position, sees the 4th amendment particularly as it has been applied in the Warshak cases, as establishing that there is a reasonable expectation of privacy such that disclosure of the contents held with the third party is protected by the 4th Amendment. And not limited to email, but other material that is uploaded to the service provider to be handled by the service provider.

You hear a lot about ECPA about electronic communications service, ECS and remote computing service, RCS, and the crazy rules that apply [for example], the 180 day rule. I think most providers now, although I really should only speak to Google, view the way the case law is going and certainly viewing the 4th Amendment as applying to any content that is provided by the user to the service, so that, for Google, would include things like Calendar and Docs, and all those others, even where there is not a communication function going on, that there's not another party involved in the Doc that you're uploading, the notes that you're keeping for yourself. It's still material that you've put with the service provider as part of the service that the company, in this case Google, is holding on your behalf. It's our view that that is protected by the 4th amendment, and unless one of the exceptions to the warrant requirement apply, it's not to be disclosed to a government entity as a matter of compulsion.

Question: Where does search fall in that?

Answer: Search is one where we take a pretty hard stance, the same with other material, so we view search that it's provided to us the way that other information is provided to us. That is very consistent with the litigation with the Department of Justice back in 2006.

Now, it seems pretty clear that Salgado is primarily talking about Google's view that the 4th Amendment protects user search queries, and is not arguing that they are communications content under the Stored Communications Act. Prior to this public event, I had heard reliable rumors that Google had adopted a warrant position for search queries based on the Stored Communications Act. Perhaps my sources were wrong, or perhaps Google realizes that it is going to be difficult to simultaneously argue two different positions on search engine queries and the SCA.

Even so, I suspect Google's legal team is still going to have a difficult time convincing the judge in this case that search engine queries are private enough for the company to repeatedly argue that they deserve warrant protections under the 4th Amendment, yet not private enough to deserve protections under the Stored Communications Act's prohibition against sharing communications content.

After all, as Al Gidari, Google's top privacy outside lawyer himself said at Brookings last year:

"[C]ontent is content, I don’t care how many times you try to repackage it into something else, content is still content, and the standards that we try to apply that give lesser protection to that content inevitably falls short, as well, when people stop and think about it."

Tuesday, April 03, 2012

ACLU docs reveal real-time cell phone location spying is easy and cheap

"Technological progress poses a threat to privacy by enabling an extent of surveillance that in earlier times would have been prohibitively expensive."
-- US v. Garcia, 474 F. 3d 994 - Court of Appeals, 7th Circuit 2007

In 2009, I attended a surveillance industry trade show (the "wiretapper's ball") in Washington DC where I recorded an executive from Sprint describing, in depth, the location tracking capabilities his company provided to law enforcement agencies:

"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in.
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

The information that I gathered was one of the first real data points revealing the scale and ease with which law enforcement and intelligence agencies can now collect real-time location data from wireless phone carriers. Such data points are rare because, unlike wiretaps, there are no annual statistics produced by the courts that detail the number of location surveillance orders issued each year.

My disclosure of this information led to significant news coverage, but also to a citation from Judge Kozinski of the 9th Circuit, who observed in dissent in U.S. v. Pineda-Moreno that:

When requests for cell phone location information have become so numerous that the telephone company must develop a self-service website so that law enforcement agents can retrieve user data from the comfort of their desks, we can safely say that "such dragnet-type law enforcement practices" are already in use.

ACLU FOIA docs reveal other carriers have followed Sprint's lead

It appears that Sprint is not the only wireless company to provide law enforcement agencies with an easy way to track the location of targets in real-time.

Among the 5500 pages of documents obtained by the ACLU as part of a nationwide FOIA effort, are a few pages from Tucson AZ detailing (or at least hinting at) the real-time location tracking services provided to the government by the major wireless carriers.

AT&T's Electronic Surveillance Fee Schedule reveals that the company offers an "E911 Tool" to government agencies, which it charges $100 to activate, and then $25 per day to use.

While it is no secret that Sprint provides law enforcement agencies subscriber real-time GPS data via its "L-Site" website (read the L-site manual), Sprint's Electronic Surveillance Fee Schedule reveals that the company charges just $30 per month for access to this real-time data.

The documents from T-Mobile provide by far the greatest amount of information about the company's real-time location tracking capabilities. The company's Locator Tool service, which it charges law enforcement agencies $100 per day to access, generates pings at customizable 15-, 30- or 60-minute intervals, after which the real-time location information is emailed directly to the law enforcement agency.

Unfortunately, Verizon's surveillance pricing sheets do not reveal any information about GPS tracking. It is almost certain that the company does provide real-time location data, but for now, we don't know how it is provided, or at what cost.

Monday, March 26, 2012

Federal judge: Google free to tell user about mysterious gov requests, likely related to Wikileaks

Summary

In two 1-page orders issued today, a Federal judge in Virginia has (for a second time) ruled that Google is permitted to tell a customer (and only that customer) about two mysterious surveillance orders -- a 2703(d) order and a search warrant -- issued in June, 2011 for records (likely including communications content) associated with their Google account.

While Google is only permitted to notify the subscriber that was the subject of surveillance, that person is permitted to tell anyone else they wish, should they wish to do so.

Background

One month ago, a federal judge published two orders (pdf, pdf) [hereafter the February 2012 orders], related to two previously secret surveillance orders obtained in June, 2011 by the government seeking data about a Google subscriber. In the two February 2012 orders, the judge ruled that Google could tell the user about the earlier surveillance orders.

Soon after, the government filed a motion with the court, seeking to clarify whether Google could tell any person about the orders, or merely the impacted user.

In the two orders issued today, the judge seems to have been convinced by the government's clarifying motion. Thus, in 14 days (unless the government appeals), Google will be free to tell the impacted user (and no one else) about the June 2011 surveillance orders.

This may involve Wikileaks

When Jeff Rollins at PaidContent first highlighted the existence of these two mysterious court orders, he suggested that they might be related to the Megaupload investigation. The Megaupload connection was mere speculation on his part (as he acknowledged), as there simply isn't anything solid in those two brief court orders that identifies a particular target.

However, for the reasons I outline below, I believe that these surveillance orders are actually related to the investigation of Wikileaks.

First, in one of the February 2012 orders (page 2), the judge noted that "[t]he existence of the investigation in issue and the government’s wide use of § 2703(d) orders and other investigative tools has been widely publicized now."

The only high-profile federal investigation that I can think of in recent times involving 2703(d) orders is the government's investigation of individuals associated with Wikileaks. That is, while the Megaupload indictment was also filed in the Eastern District of Virginia, there has been little publicity surrounding the actual investigative legal instruments used in the case.

Specifically, I've not seen any published media report indicating that a 2703(d) order was used in that investigation. In contrast, the 2703(d) order issued to Twitter as part of the Wikileaks investigation has itself been a major story, as have the (failed) efforts of the ACLU, EFF and others to quash the order.

In December 2010, a judge from the same court issued a 2703(d) order to Twitter, forcing the company to disclose information about several users associated with Wikileaks. A month later, the Twitter judge agreed to unseal that order, allowing Twitter to notify the impacted individuals. Once existence of the surveillance order was made public, the media went crazy.

The Wall Street Journal later revealed that Google and California broadband provider Sonic had received similar requests as part of the same investigation. At the time of the WSJ report, those surveillance orders remained sealed.

Second, one persistent rumor in Washington DC over the past year has been that one of the main reasons DOJ has cited justifying the continued sealing of the Wikileaks/Google/Sonic orders is a fear of harassment from the Internet community directed at the prosecutors involved in the case.

As the WSJ revealed earlier this year, the address of Tracy Doherty McCormick, the prosecutor whose name was on the original Twitter order "was spread online, and the person's email account [tracy.mccormick@usdoj.gov] was subscribed to a pornography site." According to the unnamed officials quoted by the WSJ, she was also "bombarded with harassing phone calls."

The WSJ also reported that fear of similar harassment led "the government to take the rare step of keeping officials' names out of news releases and public statements when the government shut down the website Megaupload.com." It is likely that similar fears were the reason that no prosecutors names were listed in the recently published Lulzsec indictments.

Why do I mention this? Well, the two orders issued by the judge today specifically state that Google may share a copy of the 2703(d) order and search warrant with the impacted subscriber, but that the email address and name of the attesting official must be redacted first.

This suggests that someone at DOJ has told the judge they are fearful of retaliation from the Internet community -- thus also suggesting that this surveillance is related to a high-profile investigation of a target to whom Anonymous and other Internet activists may feel some sympathy. While this certainly could be the Megaupload case, I'd be willing to bet a few dollars that this involves Wikileaks.

Wednesday, March 21, 2012

Firefox switching to HTTPS Google search by default (and the end of referrer leakage)

A few days ago, Mozilla's developers quietly enabled Google's HTTPS encrypted search as the default search service for the "nightly" developer trunk of the Firefox browser (it will actually use the SPDY protocol). This change should reach regular users at some point in the next few months.

This is a big deal for the 25% or so of Internet users who use Firefox to browse the web, bringing major improvements in privacy and security.

First, the search query information from these users will be shielded from their Internet service providers and governments who might be using Deep Packet Inspection (DPI) equipment to monitor the activity of users or censor and filter search results.

Second, the search query information will also be shielded from the websites that consumers visit after conducting a search. This information is normally leaked via the "referrer header". Google has in the past gone out of its way to facilitate referrer header based data leakage (which led to me filing an FTC complaint against the firm in 2010).

However, in October 2011, Google turned on HTTPS search by default for signed-in users, and at the same time, began scrubbing the search query from the non-HTTPS URL that HTTPS users are redirected to (and that subsequently leaks via the referrer header) before they reach the destination website:

Over the next few weeks, many of you will find yourselves redirected to https://www.google.com (note the extra “s”) when you’re signed in to your Google Account. This change encrypts your search queries and Google’s results page....

What does this mean for sites that receive clicks from Google search results? When you search from https://www.google.com, websites you visit from our organic search listings will still know that you came from Google, but won't receive information about each individual query.

At the time of the announcement, Google told the search engine optimization (SEO) industry (a community that very much wants to be able to continue to passively receive this kind of detailed user data) that the percentage of users whose search queries would be shielded would be a "single digit" -- and thus, at least 90% of Google users would still continue to unknowingly leak their search queries as they browse the web.
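What a destination site actually learns from a click depends on two things: the browser's default Referer rule (the full referring URL minus fragment and userinfo, except that nothing at all is sent on an HTTPS-to-HTTP transition) and whether the search terms are still in the URL the click leaves from. The Python below is an added example, not code from the original post, Google or Mozilla. It models both rules and the scrubbing step described above, treating the plain-HTTP redirector URL as the page the click leaves from, as the post describes. The URLs are constructed, and the assumption that the search terms sit in a parameter named "q" is mine, not something taken from Google's redirector.

```python
"""What a destination site learns from the Referer header (added example).

Not code from the original post. It models the browser default of the time
(RFC 2616 s15.1.3 as implemented: send the referring URL minus fragment and
userinfo, but send nothing on an https -> http transition) and the
query-scrubbing step the post describes. The URLs are constructed, and the
assumption that the query lives in a parameter named "q" is an assumption,
not something taken from Google's redirector.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def referer_sent(referring_url: str, destination_url: str) -> Optional[str]:
    """The Referer value a default-configured browser attaches, or None."""
    ref = urlsplit(referring_url)
    dst = urlsplit(destination_url)
    if ref.scheme == "https" and dst.scheme != "https":
        return None  # browsers drop the Referer entirely when leaving HTTPS for HTTP
    host = ref.hostname or ""
    if ref.port:
        host = f"{host}:{ref.port}"
    return urlunsplit((ref.scheme, host, ref.path, ref.query, ""))  # no fragment, no userinfo


def leaked_query(referer: Optional[str], param: str = "q") -> Optional[str]:
    """Recover the search terms from a Referer, as an analytics script would."""
    if not referer:
        return None
    for key, value in parse_qsl(urlsplit(referer).query):
        if key == param:
            return value
    return None


def scrub_query(url: str, param: str = "q") -> str:
    """Drop the search-term parameter from a URL, keeping every other parameter."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != param]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def what_destination_learns(referring_url: str, destination_url: str) -> dict:
    """Summarise the leak for one click: did the site learn the source? the query?"""
    referer = referer_sent(referring_url, destination_url)
    return {
        "referer": referer,
        "knows_source": referer is not None,
        "query": leaked_query(referer),
    }


if __name__ == "__main__":
    dest = "http://example.org/clinic"
    # 1. Plain-HTTP results page: source and full query leak.
    print(what_destination_learns("http://www.google.com/search?q=herpes+clinic", dest))
    # 2. HTTPS results page straight to an HTTP site: nothing is sent at all.
    print(what_destination_learns("https://www.google.com/search?q=herpes+clinic", dest))
    # 3. Plain-HTTP redirector URL that still carries the query: the
    #    redirector's own URL becomes the Referer and leaks it again.
    redirector = ("http://www.google.com/url?sa=t&q=herpes+clinic"
                  "&url=http%3A%2F%2Fexample.org%2Fclinic")
    print(what_destination_learns(redirector, dest))
    # 4. Same redirector with the query scrubbed: source known, query hidden.
    print(what_destination_learns(scrub_query(redirector), dest))
```

Case 4 is the behaviour the announcement describes: the destination still sees a google.com Referer, so it knows the visit came from Google, but the search terms are gone. Case 2 shows why a plain HTTPS results page with no redirector would have hidden the source as well, which is the part the SEO industry objected to.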

Shortly after Google's October announcement, search engine industry analyst Danny Sullivan told the SEO community that the days of referrer leakage were doomed:

But the future is clear. Referrer data is going away from search engines, and likely from other web sites, too. It’s somewhat amazing that we’ve had it last this long, and it will be painful to see that specific, valuable data disappear.

But from a consumer perspective, it’s also a better thing to do. As so much more moves online, referrers can easily leak out the location of things like private photos. Google’s move is part of a trend of blocking that already started and ultimately may move into the browsers themselves.

It looks like Danny was right.

Google's October 2011 decision to start proactively scrubbing search queries from the referrer header was a great first step, but only a small percentage of Google's search users benefited. Now that Mozilla is switching to HTTPS search, hundreds of millions of Firefox users will have their privacy protected, by default.

The only surprising aspect to this otherwise great bit of good news is that the first major browser to use HTTPS search is Firefox and not Chrome. I reasonably assumed that as soon as Google's pro-privacy engineers and lawyers won the internal battle over those in the company sympathetic to needs of the SEO community, that Google's flagship browser would have been the first to ship HTTPS by default.

Just as it showed strong privacy leadership by being the first browser to embrace Do Not Track, Mozilla is similarly showing its users that privacy is a priority by being the first to embrace HTTPS search by default. For Mozilla, this is a clear win. For the Chrome team, whose browser has otherwise set the gold standard for security (and who have proposed and implemented a mechanism to enable websites to limit referrer leakage), this must be extremely frustrating and probably quite embarrassing. Hopefully, they will soon follow Mozilla's lead by protecting their users with HTTPS search by default.

(Just to be clear - the ultimate decision to enable HTTPS search by default was largely in the hands of Google's search engineers, who are responsible for dealing with the increased traffic. Mozilla's privacy team deserves the credit for pressuring Google, and Google's search engine team deserve a big pat on the back for agreeing to cope with encrypted searches from hundreds of millions of users.)