Wednesday, April 18, 2012

Congressmen pushing awful cybersecurity bill fail cybersecurity 101

Over the last several months, several cybersecurity bills have been proposed by various Congressional committees. One of the leading bills, the Cyber Intelligence Sharing and Protection Act (CISPA), has been proposed by Congressmen Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.). Many of the major civil liberties groups like EFF and ACLU have legitimately criticized the substance of the bill, which would give companies a free pass to share their customers' private information with the government.

I'm not going to get into the weeds and criticize specific portions of this bill. Instead, I want to make a broader point - Congress knows absolutely nothing about cybersecurity, and quite simply, until it knows more, and starts leading by example, it has no business forcing its wishes on the rest of us.

Congressmen Rogers and Ruppersberger are, respectively, the chairman and ranking member of the House Intelligence Committee. Although it is no secret that most members of Congress do not have technologists on staff providing them with policy advice, we can at least hope that the two most senior members of the Intelligence Committee have in-house technical advisors with specific expertise in the area of information security. After all, without such subject area expertise, it boggles the mind as to how they can at least evaluate and then put their names on the cybersecurity legislation that was almost certainly ghostwritten by other parts of the government - specifically, the National Security Agency.

So, given that these two gentlemen feel comfortable forcing their own view of cybersecurity on the rest of the public, I thought it would be useful to look at whether or not they practice what they preach. Specifically, how good is their own information security? While I am not (for legal reasons) going to perform any kind of thorough audit of the two members' websites or email systems, even the most cursory evaluation is pretty informative.

HTTPS and Congressional websites

HTTPS encryption is the most basic form of security that websites should use - providing not only confidentiality, but also authentication and integrity, so that visitors to a site can be sure they are indeed communicating with the site they believe they are visiting. All big banks and financial organizations use HTTPS by default, Google has used it for Gmail since January 2010, and even the CIA and NSA websites use HTTPS by default (even though there is absolutely nothing classified on either of the two spy agency public sites). Some in Congress have even lectured companies about their lack of default HTTPS encryption - one year ago, Senator Schumer wrote to several major firms including Yahoo and Amazon, telling them that "providers of major websites have a responsibility to protect individuals who use their sites and submit private information. It’s my hope that the major sites will immediately put in place secure HTTPS web addresses.”

It is now 2012. HTTPS is no longer an obscure feature used by a few websites. It is an information security best practice and increasingly becoming the default across the industry. It is therefore alarming that not only do Congressional websites not offer HTTPS by default, but most members' websites don't support HTTPS at all.


For example, the webserver running Congressman Mike Rogers's website seems to support HTTPS; however, attempting to visit the site over HTTPS results in a certificate error.

This is perhaps a bit better than Congressman Rogers's campaign website, which does not appear to be running an HTTPS webserver at all. Attempting to visit it over HTTPS results in a connection error.


When I manually tried to visit the HTTPS URL for Congressman Ruppersberger's website last night, it instead redirected me to the Congressional Caucus on Intellectual Property Promotion. Soon after I called the Congressman's office this morning to question his team's cybersecurity skills, the site stopped redirecting visitors, and now instead displays a misconfiguration error.

Congressman Dutch's campaign webserver appears to support HTTPS, but returns a certificate error.

Congressional websites could do HTTPS

While most Congressional websites return HTTPS certificate errors, the problems largely seem to be configuration issues. The webserver that runs all of the websites is listening on port 443, and it looks like Akamai has issued a wildcard (*) certificate that can be used to secure any Congressional website. As an example, Nancy Pelosi's website supports HTTPS without any certificate errors (although it looks like some content on that page is still delivered over plain, unencrypted HTTP). This means that the Congressional IT staff can enable HTTPS encryption for Rogers, Ruppersberger and every other member without having to buy any new HTTPS certificates or set up new webservers. The software is already all there, and the fact that these sites do not work over HTTPS connections suggests that no one in the members' offices has asked for it. After all, if Nancy Pelosi's site can offer a secure experience, other members of Congress should be able to get similar protections too.
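The cursory check described in this post (does port 443 answer, does the certificate validate for the hostname, does the site redirect somewhere else, is plain-HTTP content mixed into an HTTPS page) can be scripted. The following is an added example, not code from the original post; it uses only the Python standard library, and the `probe` parameter exists so the classifier can be exercised offline with constructed outcomes.

```python
import re
import ssl
import http.client
from urllib.parse import urlsplit

# Active content pulled over plain HTTP into an HTTPS page (the "mixed content" noted above).
MIXED_CONTENT = re.compile(r'\bsrc\s*=\s*["\']http://', re.IGNORECASE)

def real_probe(host, timeout=5.0):
    """Fetch https://host/ with full chain and hostname verification.
    Returns (status, Location header or None, first part of the body)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname by default
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "https-check"})
        resp = conn.getresponse()
        body = resp.read(200_000).decode("utf-8", "replace")
        return resp.status, resp.getheader("Location"), body
    finally:
        conn.close()

def classify_https(host, probe=real_probe):
    """Map one probe outcome onto the categories the post uses for each site."""
    try:
        status, location, body = probe(host)
    except ssl.SSLCertVerificationError:
        return "certificate error"             # 443 answers, but the cert is not valid for host
    except ssl.SSLError:
        return "tls handshake error"           # 443 answers, but not with usable TLS
    except OSError:
        return "no HTTPS listener or unreachable"  # refused, timed out, DNS failure
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location).hostname   # None for a relative Location
        if target and target.lower() != host.lower():
            return f"redirects to another site ({target})"
        return "ok (redirect within site)"
    if 200 <= status < 300:
        return "ok with mixed content" if MIXED_CONTENT.search(body) else "ok"
    return f"misconfiguration error (HTTP {status})"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. python https_check.py www.example.org
        print(f"{host}: {classify_https(host)}")
```

Run it with one or more hostnames as arguments; a site that passes should come back as "ok", and anything else names the same class of problem the post describes.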

Remember SOPA

During the SOPA debate several months ago, a few members seemed to take pride in acknowledging their total ignorance regarding technology, proclaiming that they were not nerds, didn't understand the Internet, but even so still thought that SOPA was a good bill. Those members were justifiably ridiculed for ignoring technical experts while voting for legislation that would significantly and negatively impact the Internet.

Here, we have members who have not even bothered to ask the Congressional IT staff to make sure that their websites support HTTPS, let alone use it by default, who are now telling the rest of the country that we should trust their judgement on the complex topic of cybersecurity.

Until the respective Congressional committees that deal with technology issues actually hire subject matter experts, any legislation they propose will lack legitimacy and will most likely be ineffective. Likewise, if Congress thinks that cybersecurity is a priority, perhaps it should lead by example.

Wednesday, April 04, 2012

Google's pro-privacy legal position re: DOJ could assist class action lawyers in search referrer privacy lawsuit

In the summer of 2010, I filed an FTC complaint (pdf) against Google for deceiving its users about the extent to which it knowingly leaks user search queries to third parties via the referrer header sent by web browsers. Shortly after my complaint was made public, a class action firm hit Google with a lawsuit over the practice.

Like many privacy class actions, the lawyers included every possible legal argument they could think of. One of their claims was that Google had violated the Stored Communications Act, which prohibits companies from sharing the contents of users' communications with other parties (even law enforcement agencies, unless they have a warrant).

The federal judge assigned to the case recently threw out all but one of the class action firm's claims, but has permitted the case to continue solely focusing on Google's alleged violations of the Stored Communications Act. As such, one of the next big, important issues that the court is going to have to address is determining whether or not search queries are considered communications content under the Stored Communications Act.

As law professor Eric Goldman recently observed, "the SCA's poor drafting means that no one (including the judges) knows exactly what's covered by the statute." This is certainly true, and made worse by the fact that the statute hasn't really been updated since it was passed in 1986, long before the first web search engine or referrer header. It is for this very reason that DOJ has argued that the government should be able to get search engine query data without a warrant. Thankfully, Google disagrees.

Google: Search queries are content

At a recent event at San Francisco Law School, Richard Salgado, Google's Director of Law Enforcement and Information Security spoke publicly (for the first time) about Google's aggressively pro-privacy legal position on search queries and government access:

As far as search warrants and content go, Google and I think a lot of providers are taking this position, sees the 4th amendment particularly as it has been applied in the Warshak cases, as establishing that there is a reasonable expectation of privacy such that disclosure of the contents held with the third party is protected by the 4th Amendment. And not limited to email, but other material that is uploaded to the service provider to be handled by the service provider.

You hear a lot about ECPA about electronic communications service, ECS and remote computing service, RCS, and the crazy rules that apply [for example], the 180 day rule. I think most providers now, although I really should only speak to Google, view the way the case law is going and certainly viewing the 4th Amendment as applying to any content that is provided by the user to the service, so that, for Google, would include things like Calendar and Docs, and all those others, even where there is not a communication function going on, that there's not another party involved in the Doc that you're uploading, the notes that you're keeping for yourself. It's still material that you've put with the service provider as part of the service that the company, in this case Google, is holding on your behalf. It's our view that that is protected by the 4th amendment, and unless one of the exceptions to the warrant requirement apply, it's not to be disclosed to a government entity as a matter of compulsion.

Question: Where does search fall in that?

Answer: Search is one where we take a pretty hard stance, the same with other material, so we view search that it's provided to us the way that other information is provided to us. That is very consistent with the litigation with the Department of Justice back in 2006.

Now, it seems pretty clear that Salgado is primarily talking about Google's view that the 4th Amendment protects user search queries, and is not arguing that they are communications content under the Stored Communications Act. Prior to this public event, I had heard reliable rumors that Google had adopted a warrant position for search queries based on the Stored Communications Act. Perhaps my sources were wrong, or perhaps Google realizes that it is going to be difficult to simultaneously argue two different positions on search engine queries and the SCA.

Even so, I suspect Google's legal team is still going to have a difficult time convincing the judge in this case that search engine queries are private enough for the company to repeatedly argue that they deserve warrant protections under the 4th Amendment, yet not private enough to deserve protections under the Stored Communications Act's prohibition against sharing communications content.

After all, as Al Gidari, Google's top privacy outside lawyer himself said at Brookings last year:

"[C]ontent is content, I don’t care how many times you try to repackage it into something else, content is still content, and the standards that we try to apply that give lesser protection to that content inevitably falls short, as well, when people stop and think about it."

Tuesday, April 03, 2012

ACLU docs reveal real-time cell phone location spying is easy and cheap

"Technological progress poses a threat to privacy by enabling an extent of surveillance that in earlier times would have been prohibitively expensive."
-- US v. Garcia, 474 F. 3d 994 - Court of Appeals, 7th Circuit 2007

In 2009, I attended a surveillance industry trade show (the "wiretapper's ball") in Washington DC where I recorded an executive from Sprint describing, in depth, the location tracking capabilities his company provided to law enforcement agencies:

"[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface. One of the things, like with our GPS tool. We turned it on the web interface for law enforcement about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the tool has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests they anticipate us automating other features, and I just don't know how we'll handle the millions and millions of requests that are going to come in."
-- Paul Taylor, Electronic Surveillance Manager, Sprint Nextel.

The information that I gathered was one of the first real data points revealing the scale and ease with which law enforcement and intelligence agencies can now collect real-time location data from wireless phone carriers. This is because unlike wiretaps, there are no annual statistics produced by the courts that detail the number of location surveillance orders issued each year.

My disclosure of this information led to significant news coverage, but also to a citation from Judge Kozinski of the 9th Circuit, who observed in dissent in U.S. v. Pineda-Moreno that:

When requests for cell phone location information have become so numerous that the telephone company must develop a self-service website so that law enforcement agents can retrieve user data from the comfort of their desks, we can safely say that "such dragnet-type law enforcement practices" are already in use.

ACLU FOIA docs reveal other carriers have followed Sprint's lead

It appears that Sprint is not the only wireless company to provide law enforcement agencies with an easy way to track the location of targets in real-time.

Among the 5500 pages of documents obtained by the ACLU as part of a nationwide FOIA effort are a few pages from Tucson, AZ detailing (or at least hinting at) the real-time location tracking services provided to the government by the major wireless carriers.

AT&T's Electronic Surveillance Fee Schedule reveals that the company offers an "E911 Tool" to government agencies, which it charges $100 to activate, and then $25 per day to use.

While it is no secret that Sprint provides law enforcement agencies subscriber real-time GPS data via its "L-Site" website (read the L-site manual), Sprint's Electronic Surveillance Fee Schedule reveals that the company charges just $30 per month for access to this real-time data.

The documents from T-Mobile provide by far the greatest amount of information about the company's real-time location tracking capabilities. The company's Locator Tool service, which it charges law enforcement agencies $100 per day to access, generates pings at customizable 15-, 30- or 60-minute intervals, after which the real-time location information is emailed directly to the law enforcement agency.

Unfortunately, Verizon's surveillance pricing sheets do not reveal any information about GPS tracking. It is almost certain that the company does provide real-time location data, but for now, we don't know how it is provided, or at what cost.