Monday, April 27, 2009

Governmental response to Swine Flu and the threat to privacy

While much of the media attention over the past day or two on the swine flu threat has focused on the very real public health issues, there are some rather troubling potential privacy issues that also deserve a bit of attention.

According to media reports, American officials know of 20 suspected cases of swine flu in the United States. At least 8 of those involve students at a private high school in New York, some of whom had recently returned from a trip to Mexico.

As government officials (in both the public health and national security fields) scramble to contain this outbreak, they are likely to turn to mobile phones and the records of customers' physical location history in order to identify other individuals who might have come into contact with the infected persons.

I think it is probably fair to assume that any student with enough money to both attend a private high school in New York and go on a spring break trip to Mexico likely has enough money for a cell phone.

Given how many people have already been infected in Mexico, it is unlikely that US government officials would feel the need to obtain physical location information from the roaming records of those teens while they were abroad. However, from the moment that they stepped foot in a US airport, the identities of the persons they came into contact with are likely going to be sought after.

The increasing use of location information

Those in the privacy community have long sounded the alarm about the increasing use of location information by law enforcement agencies. For example, the Washington Post wrote back in 2007 that:
Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.

In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime.

At a recent Berkman Center event, telecom lawyer Al Gidari revealed that each of the major wireless phone companies receives 100 requests per week for location information (4 companies * 100 requests per week = 20,000 requests per year). Furthermore, one request doesn't necessarily mean one person, but can mean "tell us the names of everyone near the corner of 1st and Main St at midnight on Saturday."

When phone records are sought in terrorism investigations, the FBI commonly asks for a "community of interest" -- that is, the names of everyone that a suspect has called, and then the names of the people that those persons have called. There is no reason to believe that similar techniques would not be used by public health officials looking to get information on the spread of the swine flu. For example, they could ask the wireless phone companies for the names and addresses of every person known to have been within 100 ft of someone known to have been infected.

Given that most historical cellular location records lack street level accuracy, such investigation methods would likely result in huge numbers of false positives -- that is, people who had been in the same neighborhood as infected persons, but who never came into close contact with them.

No warrant, no problem

Law enforcement agents routinely seek and gain location information without a warrant or any form of court order. In exigent circumstances such as kidnappings and terrorist threats, the information can usually be gained with a single phone call -- since telecom companies are loathe to say no to an emergency. It is equally likely that now, with bodies piling up in Mexico, and headlines across the world with news of the swine flu, that telecom company lawyers will likely not wish to second guess the requests of US government officials.

However, in the process, huge swaths of detailed location information detailing the movements of millions of Americans could be turned over to public health, law enforcement and intelligence agencies without any assurances that the data will only be used to prevent a swine flu epidemic. Once that data is given to the Government, there is little that can be done afterwards to stop it from being used for other purposes -- such as the war on drugs or investigations of "right wing extremists."

I want to be clear -- I am not taking a moral position here on the sharing and use of this data. The goal of this blog post is merely to try and draw attention to the fact that this information is going to be shared with government agencies, if it hasn't happened already. Furthermore, those of us in the privacy community need to make sure that if this information is handed over for public health purposes, that this is the only permitted use of the data -- and that it is not allowed to find its way into long term storage on government servers in Quantico, Virginia or Ft. Meade, Maryland.

Sunday, April 26, 2009

Hire Me

Apologies for this interruption to your regularly scheduled paranoid ramblings.....

I need a new gig. My fellowship at the Berkman Center ends on August 31. I still have another year left in my PhD, and I am not willing to go back to Indiana and spend 20 hours a week grading homework in exchange for a graduate stipend.

I'm looking for someone (a university, company, public interest group, government agency, or a rich individual) to support me for the 09/10 academic calendar year, while I write up my dissertation and wrap up my degree. In theory, I'd be able to give about 50% of my time to working on interesting non-degree related tasks.

Ideally, I'd like to get paid to do what I do best -- fun and result-orientated activism and research in the tech/policy sphere.

I have some very fun projects coming down the pipe in the next few months -- related to credit fraud, surveillance and wiretap reporting, log data anonymization, etc. I'd like to continue to do this kind of stuff, but need to be able to pay my rent at the same time.

If you know of anyone who might be interested in supporting this work, do get in touch. csoghoian at gmail dot com.

Monday, April 20, 2009

Even Congress has an 'unreasonable' expectation of privacy

Talking about the brewing Jane Harman/AIPAC wiretapping scandal, Matthew Yglesias writes:
However, the substance of what was recorded really does look damning. Which reminds me of something I was thinking about during the Blago Era, namely how many politicians’ reputations could really stand up to serious surveillance? It seems very likely to me that if you picked a member of congress at random, decided you had probably cause to suspect him of corruption, and thus starting wiretapping all his calls with donors and key political supporters that you would find a ton of dubious quid-pro-quos and backscratching arrangements.
Looking at this scandal, you could come to the perspective that (as Yglesias does) pretty much any politician has dirt that would come out if you wiretapped them.

Or, if you don a tinfoil hat, you can look at it this way: Even members of Congress who serve on key intelligence committees and have direct and detailed knowledge of the NSA's wiretapping capabilities still don't have a realistic idea of how little privacy they have when using telephones and email.

Look -- either Jane Harman expected that the NSA would never tap her own calls, or she simply didn't understand how easy surveillance is. Given that this same Congresswoman with a Harvard Law degree took several years to realize that the NSA's "Terrorist Surveillance Program" was blatantly illegal, perhaps it is safer to assume ignorance rather than over-confidence.

Nevertheless, how can we expect average Americans to make rational decisions about their own privacy (and their risk of being overheard discussing something problematic on the phone) when their elected officials who are supposed to be providing oversight over these sorts of programs clearly can't engage in a basic analysis of the risks of their own use of technology.

Perhaps Harman should have watched a few episodes of the Wire before getting on the phone with that suspected Israeli agent. I'm sure Stringer Bell could have taught her a few lessons about operational security.

Sunday, April 19, 2009

Online worlds for kids lack basic privacy

Saturday's New York Times has an interesting article about the rise of automated moderation software used in the virtual worlds aimed at children and teenagers, such as Neopets and Club Pengiun. However, buried half way in the article is this nugget of information:

The software is integrated into a virtual world’s site. If the technology uncovers phrasing, syntax, slang or other patterns in a conversation that match known signs of bullying or sexual predation, it sends an alert to a moderator, who can then “drill down” to look not only at the entirety of the specific conversation, but also at every posting from either participant.

“We can capture a full picture of a user’s history on the game,
” Mr. Lintell says.

Of course, the moderation software can't see into the future, and so the only way that it can provide the capacity to look through previous postings of users who type problematic messages is if the virtual worlds store every message that all users type, just in case that user ever later type a message that is prohibited.

Just last year, FBI director Robert Mueller went before Congress to ask that ISPs be forced to keep significant logs on the web histories of their customers, for the sake of the children:

"Records retention by ISPs would be tremendously helpful in giving us a historic basis to make a case on a number of child pornographers who use the Internet to push their pornography" or lure children, Mueller said.

It seems that at least for some Internet companies, especially those with products aimed at children, Congressional action wasn't even necessary.

Sure, cyber-bullying is a big deal. However, that doesn't mean that children don't also deserve a bit of privacy online too. If parents want to install spying software on their children's computers, I suppose that is up to them (although I still think that is wrong), but a service provider shouldn't be doing this at all.

Furthermore, I highly doubt if these companies make it clear that they are logging all messages (which are just a subpoena away should a law enforcement agency ever take an interest) -- and even if they do mention something in their terms of service, we can't expect a 12 year old to be able to understand those sorts of documents.

The 1998 Children's Online Privacy Protection Act is supposed to prevent companies from collecting personally identifiable information about Internet users under the age of 13. I'm not an expert on this law, and so I'll need to go and re-read the statutes -- however, I'm slightly troubled as to how these companies can essentially wiretap their customer's conversations "for their own safety".

Saturday, April 18, 2009

Current Red Hat Linux employee & Fedora project lead may have played key role in use of government spyware in former job at FBI

Updated at 10PM on April 20: There has been a fantastic discussion of this issue on a Fedora related mailing list. The short version is that only three people have access to the secret key used to sign Fedora updates, and Mr. Frields is not one of them.

Updated at 11AM on Saturday to provide a bit of clarity, and to define CIPAV

Did a current Red Hat employee and the project leader for Red Hat's Fedora free Linux distribution previously install and support government surveillance spyware onto the (Windows) computers of suspects while a FBI employee back in 2005?

Based on publicly available documents, it appears so.

Page 93 of the recent 153 page FOIA document dump (Warning: huge pdf) obtained by Wired News appears to be a ticket report from a 2005 surveillance request to the FBI's Cryptographic and Electronic Analysis Unit.

The document requests "CIPAV support as per discussion between EP [redacted]". The document also notes that the request is for a "Data/Voice Intercept with Encryption"

(click on image to see a larger version)


CIPAV ("computer and internet protocol address verifier") is, as Wired reports, a software tool designed to infiltrate a target's computer and gather a wide range of information, which it secretly sends to an FBI server in eastern Virginia.

As Professor Paul Ohm tweeted on Friday evening, it appears that the censors at the FBI forgot to remove the username of one of the engineers working on a case: 'pfrields'.

A bit of Googling reveals that pfrields is the handle used by Paul W. Frields, now an employee of Red Hat Linux. His blog also notes that he is currently the Fedora Project Leader.

Of course, there could be more than one pfrields on the Internet... which is where PGP keys come into play.

A quick query of the MIT Public PGP server reveals that the following email addresses are all using the same public key:

pub 1024D/BD113717 1997/09/19

Paul W. Frields <pfrields@fbi.gov>
Paul W. Frields <paul@frields.com>
Paul W. Frields <paul@frields.org>
Paul W. Frields <stickstr@cox.net>
Paul W. Frields <pfrields@redhat.com>
Paul W. Frields <stickster@gmail.com>
Paul W. Frields <stickstr5@hotmail.com>
Paul W. Frields <pwfrields.cart@fbi.gov>
Paul W. Frields <Paul.Frields@ic.fbi.gov>
Paul W. Frields <stickstr@cyberrealm.net>
Paul W. Frields <stickstr@novacoxmail.com>
Paul W. Frields <pfrields@fedoraproject.org>


Based on this information, it would appear that someone claiming to be Paul W. Frields with an email address at fbi.gov is now using the same public key as someone signing emails as Paul W. Frields with a redhat.com email address. Based on documents from a PGP keysigning party in January of this year, this collection of email addresses appear to have been verified by other members of the Linux community.

Finally, a configuration file in a web-accessible subversion repository on Paul Frields' own webserver mention the fbi.gov email address, which seems to be a pretty solid link confirming that the Linux developer is a former FBI employee.

Of course, even if the pfrields who worked for the FBI is the same pfrields who now leads Red Hat's free Linux distribution, there isn't necessarily any cause for concern.

After all, unlike the CIA agents who tortured prisoners, and the illegal wiretapping performed by NSA employees, the work of the FBI seems to be above board -- well, except for the FBI's misuse of National Security Letters, oh and the likely illegal backdoor the FBI has to Verizon Wireless's backbone network.

No need to worry though, since all of the CIPAV spyware requests do seem to have been accompanied by a court-approved search warrant.

Let us for the moment assume the best -- that Mr. Frields is a good patriotic American who has the deepest respect for civil liberties, and went to work for the FBI in order to help hunt down terrorists and evil-doers.

Even so, I suspect that many users of the Fedora Linux distribution, particularly those outside of the United States, might be shocked to find out this news, just as many Americans might be shocked if they learned that a former KGB agent was now in charge of keeping their computers secure.

Given that a select few members of the Fedora project likely have access to the private keys necessary to sign and release automatic updates to the operating system, the fact that one of these persons has in the past been involved with the insertion of spyware onto the computers of individuals without their knowledge or permission might be something that many Fedora users might be concerned about.

It's not that former government employees - even those in charge of installing spyware - should be excommunicated from the rest of the development community (after all -- there are former NSA engineers who have done amazing work on the SE Linux project). It's just that we should think twice before placing them into the open source community's most sensitive positions - just as the FBI would never grant the highest security clearances to a former hacker.

As of press time (2AM on Saturday morning), Paul Frields had yet to respond to queries submitted via email or twitter. If he does respond at a later date, this blog post will be updated to reflect his comment.

Disclosure: I've had my own fairly negative experience with armed FBI agents, who later raided my home at 2AM. Readers of this blog should consider that when evaluating this article w/regard to any bias I might have.

Hat Tip: Wired's Kevin Poulsen was the first to google pfrields and discover that he might be a Linux geek.

Friday, April 17, 2009

Thoughts on the FBI spyware documents

Kevin Poulsen of Wired has now posted the documents he received in response from the FBI to his FOIA request.

In short, the FBI has been using their own homebrewed spyware to collect information on suspects who are using proxy servers (such as Tor to hide their own IP addresses.

The EFF, CNET and Wired all submitted similar FOIA requests, and likely received the same documents in response. I do hope that either Wired or EFF appeal the heavy redaction by the FBI's FOIA office. As Professor Paul Ohm writes, "The 152 pages don't take long to read, because they have been so heavily redacted. The vast majority of the pages have no substantive content at all."

While there are lots of issues raised by the FBI's spyware tool, I want to focus on one particular issue here: The FBI's method of infection.

As Wired's Kevin Poulsen notes:
The documents shed some light on how the FBI sneaks the CIPAV onto a target's machine, hinting that the bureau may be using one or more web browser vulnerabilities. In several of the cases outlined, the FBI hosted the CIPAV on a website, and tricked the target into clicking on a link. That's what happened in the Washington case, according to a formerly-secret planning document for the 2007 operation. "The CIPAV will be deployed via a Uniform Resource Locator (URL) address posted to the subject's private chat room on MySpace.com."

Remember now that this CIPAV spyware tool has been designed to locate hackers smart enough to use proxies to hide their IP address information.

Is the FBI's spyware tool spread through the use of suggestive messages (such as this hypothetical example) left on a suspect's MySpace page?:
"Hi, I am a sexy 18 year old cheerleader, and I'd like to meet you. Please click here to find out how to contact me"
Such a message will contain a link to a page on an FBI controlled web-server which then uses an unpatched browser vulnerability to force a drive by spyware infection.

While that might work for a few stupid teenagers, it is unlikely to work on real tech-savvy hackers.

What is far more likely is that the FBI has asked MySpace, Google or Yahoo to insert the drive-by malware infection code directly into their own websites, so that the next time the suspect signed into their account, their browser would automatically be infected without the need to trick them into visiting a FBI-controlled Web site.

Such cooperation by Web 2.0 companies (if it indeed occured) would be fascinating, troubling and would likely do significant damage to their reputations -- which would also explain the significant redaction in the FOIA documents.

If there is a lesson to be learned from this document release, it is that if you want to protect yourself from the FBI's CIPAV spyware tool, you should make sure you're running the latest version of your Web browser (and should probably avoid IE). Those people stupid enough to transmit anonymous bomb threats using Internet Explorer 6.0 are likely to end up in jail very quickly.

Monday, April 13, 2009

Contest: Mashup the FTC DRM Testimony

Summary: Create a funny or interesting mashup of some of the FTC DRM town hall testimony. The creators of the best videos (judged by me) will have money ($100, $50 and $25) donated to the Electronic Frontier Foundation in their name. What are you waiting for?

Harvard Law Professor Charlie Nesson has been fighting to get the Tenenbaum v. RIAA trial streamed on the Internet. In its argument against this request, the RIAA has claimed that:
"[The video footage] will be readily subject to editing and manipulation by any reasonably tech-savvy individual. Even without improper modification, statements may be taken out of context, spliced together with other statements and broadcast (sic) rebroadcast as if it were an accurate transcript. Such an outcome can only do damage to Petitioner's case."

The idea of Internet users remixing the RIAA lawyers' words into subversive and biting political satire sounds like a great idea. So, why don't we see if we can do the same thing with some of the rather extreme positions expressed at the recent FTC DRM town hall meeting.

The Speakers

As some of you may have heard, the US Federal Trade Commission recently held a town hall meeting to discuss issues related to Digital Rights Management technology. While the talks went on for an entire day, the most interesting (and heated) discussions happened at the "DRM in Action" panel, in which I participated. Also there were Prof. J. Alex Halderman of the University of Michigan, Rashmi Rangnath, a staff attorney at Public Knowledge, Debbie Rose, an intellectual property fellow for the Association for Competitive Technology (ACT), and Patrick Ross, co-founder and Executive Director of the Copyright Alliance.

The FTC taped the entire session, and has made it available via online streaming video. To make things a little bit more viral video-friendly, I've downloaded the entire session, cut it up into smaller videos for each speaker, and uploaded them to Vimeo. Since the videos were recorded and made available by the FTC, they are (I believe) in the public domain, and thus this re-distribution should be kosher.

While all of the speakers were interesting, it was Debbie Rose whose testimony blew my mind. Before she went to work for ACT, Debbie worked as as a Counsel for the House Subcommittee on Courts, the Internet & Intellectual Property, and played a major role in drafting the Digital Millennium Copyright Act.

The DMCA is of course the very same law that is a perpetual thorn in the side of many researchers and innovators.

I've included a few of Debbie Rose's choice moments before on the DRM panel here. They're less than a minute each, and will be sure to cause a strong reaction (laughter, tears, or perhaps a simple WTF???).








The Contest

I have uploaded all of the videos to Vimeo for your viewing/viral embedding pleasure (see below). If you're interested in downloading the videos in a format that is more mashup friendly, a 200Mb .zip can be downloaded here.

The contest works as follows. People of the Internet are free to download these videos, edit the footage, and mash them up with anything else (remember your fair use rights). Upload the resulting videos/songs to the video/media/whatever sharing site of your choice, and then write a comment to this blog post with a link to your entry. To make things easier, if the content site offers tagging functionality, please tag your entry with "ftc drm mashup".

On June 1, 2009, the contest will end. In the days that follow, I will judge the entries, and pick the three that I find to be the most awesome (factors include the level of humor, creativity and impact). I will donate $100 to the Electronic Frontier Foundation in the name of the 1st place winner, $50 in the name of the 2nd place winner, $25 in the name of the third place winner, and then $1 each in the names of the next 23 best entrants. If I don't get any/enough submissions, I will still donate $200 to the EFF.

If you really want your name to be associated with my $200 donation, but you don't want to make a mashup... leave a comment in this blog post, and I'll include it anyway.

There are some absolute gems amongst the videos, and you are by no means restricted to using the videos of Debbie Rose's (I just happen to think they're the funniest, and so I've highlighted them).

Small Print

This contest/activity is not affiliated with or sponsored by the Electronic Frontier Foundation. I just happen to think that they are awesome.

Likewise, this is not something I am doing with the consent/approval of my employers at the Berkman Center -- this is being done in my own time, wearing my own hat. If for some reason someone dislikes what I've done and decides to lawyer-up, please send the cease and desist letter directly to me, and not to the Berkman folks.

I am not making any money out of this contest and the the $200 is coming out of my pocket. This is simply an activism related activity.

Finally, I am not a lawyer, and nothing in this blog post should be read as legal advice.

The Videos


















This video contains just the footage of Debbie during the longer back-and-forth discussion which the next video shows in full.