I submitted a Freedom Of Information Act (FOIA) request to the FBI last month, to get "access to and copies of any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating or mentioning to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies""
I received word today that my request had come back empty. This is rather shocking, since I've personally spoken to FBI agents who know about Tor - and logically, it, or similar anonymizing proxies must have come up during investigations....
It turns out that with a standard FOIA request, no matter what you ask for, or how it is phrased, the FBI only searches their database for records that have the words of interest in the subject. If an FBI agent writes a case note about someone under investigation, and Tor comes up as part of the report, you won't get it back under a simple FOIA request. Simply put, an agent has to include the word "tor" in the subject of the memo/note for it to come back during a FOIA search.
The magic words, it seems, is to ask for a "full cross-reference search". If you do this, I'm told (by the FBI FOIA people), then they will actually search the contents of all records, instead of just the subject headers..
Grrr.. 1 month wasted just to find that out.
FOIA resubmitted....
Showing posts with label tor. Show all posts
Showing posts with label tor. Show all posts
Thursday, April 05, 2007
Sunday, March 04, 2007
How The RIAA and MPAA Unknowingly Assist Child Pornographers
Or: How the Media Companies did more to spread cryptography, anonymity preserving technology and general knowledge about good online privacy hygiene than an army of activist cypherpunks ever could have
[Ed: I have to admit, I'm pretty proud of the fact that I've managed to tar two of the great Satans in the world, the RIAA and MPAA, with the kiddie porn brush. It's about time, since they've been doing the same to anonymity researchers for years]
A few years back, after waiting all night outside the US Supreme Court, I saw a semi-familiar face walking towards the front of the court-house. Without thinking, I ran up to him, and asked if I could have my photo taken with him. True, he is an extremely evil and corrupt man. Not quite as bad as Pol Pot, or even Cheney, but still evil enough. His name is Jack Valenti, and this blog-post describes how, strangely enough, he and his cohorts make the lives of child pornographers far better, and far safer.
-------
Music and software piracy existed long before Napster. It took place on Internet news groups (usenet), bulletin board systems (BBS), ftp, and good old fashioned person-to-person exchange via floppy disks. The real threat that Napster posed, was that it was really easy to use. So simple, that a non-technical user could quickly figure it out. What Napster did, essentially, was make an entire generation of non-technical users into 'pirates'.
We all know the story: Napster was shut down by the record labels, and shortly afterwards, improved systems like Gnutella and Kazaa took its place. While Napster had been a centralized system (with verbose logging, should law enforcement ever need it), the new systems were extremely difficult to take down, and presented a significant problem for anyone who wished to do forensic analysis after the fact - since there were no centralized records of who downloaded and uploaded what files.
Whereas before, the FBI could have sent Napster a supoena stating "Tell us every user sharing these 5000 kiddie porn files", the new networks were purpose built to not be able to have that ability. Not because the designers wanted to help those sharing kiddie porn, but because the record labels used the very same techniques that the FBI used to combat child porn.
Fast forward a few years.
The record companies have their agents (like BayTSP) regularly trawling P2P networks looking for copyrighted content. The FBI and other parts of the government are either already using similar technologies, or surely have to be developing them....
In response, users have deployed technologies like PeerGuardian - which block network addresses known to be used by the record companies and their clients. And since DOJ has decided to begin, albeit slowly, prosecuting major P2P offenders, they will soon find themselves added to these blacklists - if they haven't been added already.
Let us now consider the case of encryption:
Shortly after the crypto-wars, the only people using encryption on their machines were paranoid crypto-geeks, or cypherpunks, as they called themselves. Systems were far too difficult to use to be deployed by the common man.
Fast forward a few years. The makers of Kazaa learned many lessons from their interactions with the record labels. When they developed their next program, Skype, they made sure to design cryptographic protocols into the core level of the program. Every single Skype call is encrypted - and if the call never leaves the skype network, then no one but the two callers can listen in. To make things even more difficult, just as with Kazaa, Skype was developed in eastern Europe, and owned in another country. This multi-jurisdictional separation makes subpoenas quite tricky.
Skype is now the most widely deployed cryptographic application, ever. It's easy to use, it is used by millions of Internet users around the world, and the government has no real way to tap voice data as it crosses the network - CALEA, or not.
The point that I am trying to make is the following:
By going after people for sharing movies and music online, the major media companies have essentially created a huge market for anonymous (or close to anonymous) technologies. Technologies such as Tor, Freenet, Gnutella, and Skype arguably wouldn't exist as they do today if the Media companies didn't go after 'pirates' with such vigor. And with the influx of millions of new users, these programs have become better - either through more financial support/advertising, or through new developers/open source coders who are finding bugs and adding features.
P2P enforcement forced anonymity and evasion technologies to evolve far faster than they ever would have if the FBI had been the only 'threat' to privacy online.
However, these technologies do not just make the task of detecting copyrighted works more difficult - they make the FBI's job of finding child pornographers more difficult. Far more people use encryption now. Far more people erase data, and turn off logging.
The mass publicity of the NSA lawsuits has only cemented the idea in the public consciousness that email can be read, and so, I would argue, that less and less sensitive information is sent by email. More, not all, but more, people know that their email is not secure.
And now with all the press relating to data loss/breaches by companies, we are finding that many Fortune 500 companies are demanding full disk encryption from their Operating System suppliers. This will roll downhill. Someone who gets comfortable with the idea of an encrypted filesystem at work will be far more likely to turn that option on when they install Windows Vista at home. This will of course, hugely frustrate the FBI. This isn't to say that they can't break it, but it makes their lives far far more difficult.
What is the moral to this story? The record companies have made an entire generation of college students into criminals, and as such, those college kids have resorted to technical means of avoiding detection - which create a gigantic crowd of encrypted and obfuscated data in which 'real' criminals can hide. These evasion methods are the very same techniques which can frustrate legitimate and useful law enforcement, which as an unintended side-effect, suffer. The ability to catch genuine terrorists and child pornographers is significantly limited through the short sighted actions of the major media companies.
And the thing is - it's too late to fix it. The genie is out of the bottle.
Just as the drug war has made an entire generation fear and mistrust the police, the P2P wars have given the Internet generation a reason to protect their privacy, or at least frustrate forensic analysis of their online activity.
So the next time you see an article describing a new tactic that the record labels are taking to stamp out piracy - Stop for a moment, and please, think of the children.
Note: I started coming up with the idea for this blog post a week ago over lunch with a colleague. However, I decided to hurry up and finish it after reading a recent law review article by Eric Stieglitz (ANONYMITY ON THE INTERNET: HOW DOES IT WORK, WHO NEEDS IT, AND WHAT ARE ITS POLICY IMPLICATIONS? ). You can find it on westlaw or lexis if you're lucky enough to have an account.
[Ed: I have to admit, I'm pretty proud of the fact that I've managed to tar two of the great Satans in the world, the RIAA and MPAA, with the kiddie porn brush. It's about time, since they've been doing the same to anonymity researchers for years]
A few years back, after waiting all night outside the US Supreme Court, I saw a semi-familiar face walking towards the front of the court-house. Without thinking, I ran up to him, and asked if I could have my photo taken with him. True, he is an extremely evil and corrupt man. Not quite as bad as Pol Pot, or even Cheney, but still evil enough. His name is Jack Valenti, and this blog-post describes how, strangely enough, he and his cohorts make the lives of child pornographers far better, and far safer.
-------
Music and software piracy existed long before Napster. It took place on Internet news groups (usenet), bulletin board systems (BBS), ftp, and good old fashioned person-to-person exchange via floppy disks. The real threat that Napster posed, was that it was really easy to use. So simple, that a non-technical user could quickly figure it out. What Napster did, essentially, was make an entire generation of non-technical users into 'pirates'.
We all know the story: Napster was shut down by the record labels, and shortly afterwards, improved systems like Gnutella and Kazaa took its place. While Napster had been a centralized system (with verbose logging, should law enforcement ever need it), the new systems were extremely difficult to take down, and presented a significant problem for anyone who wished to do forensic analysis after the fact - since there were no centralized records of who downloaded and uploaded what files.
Whereas before, the FBI could have sent Napster a supoena stating "Tell us every user sharing these 5000 kiddie porn files", the new networks were purpose built to not be able to have that ability. Not because the designers wanted to help those sharing kiddie porn, but because the record labels used the very same techniques that the FBI used to combat child porn.
Fast forward a few years.
The record companies have their agents (like BayTSP) regularly trawling P2P networks looking for copyrighted content. The FBI and other parts of the government are either already using similar technologies, or surely have to be developing them....
In response, users have deployed technologies like PeerGuardian - which block network addresses known to be used by the record companies and their clients. And since DOJ has decided to begin, albeit slowly, prosecuting major P2P offenders, they will soon find themselves added to these blacklists - if they haven't been added already.
Let us now consider the case of encryption:
Shortly after the crypto-wars, the only people using encryption on their machines were paranoid crypto-geeks, or cypherpunks, as they called themselves. Systems were far too difficult to use to be deployed by the common man.
Fast forward a few years. The makers of Kazaa learned many lessons from their interactions with the record labels. When they developed their next program, Skype, they made sure to design cryptographic protocols into the core level of the program. Every single Skype call is encrypted - and if the call never leaves the skype network, then no one but the two callers can listen in. To make things even more difficult, just as with Kazaa, Skype was developed in eastern Europe, and owned in another country. This multi-jurisdictional separation makes subpoenas quite tricky.
Skype is now the most widely deployed cryptographic application, ever. It's easy to use, it is used by millions of Internet users around the world, and the government has no real way to tap voice data as it crosses the network - CALEA, or not.
The point that I am trying to make is the following:
By going after people for sharing movies and music online, the major media companies have essentially created a huge market for anonymous (or close to anonymous) technologies. Technologies such as Tor, Freenet, Gnutella, and Skype arguably wouldn't exist as they do today if the Media companies didn't go after 'pirates' with such vigor. And with the influx of millions of new users, these programs have become better - either through more financial support/advertising, or through new developers/open source coders who are finding bugs and adding features.
P2P enforcement forced anonymity and evasion technologies to evolve far faster than they ever would have if the FBI had been the only 'threat' to privacy online.
However, these technologies do not just make the task of detecting copyrighted works more difficult - they make the FBI's job of finding child pornographers more difficult. Far more people use encryption now. Far more people erase data, and turn off logging.
The mass publicity of the NSA lawsuits has only cemented the idea in the public consciousness that email can be read, and so, I would argue, that less and less sensitive information is sent by email. More, not all, but more, people know that their email is not secure.
And now with all the press relating to data loss/breaches by companies, we are finding that many Fortune 500 companies are demanding full disk encryption from their Operating System suppliers. This will roll downhill. Someone who gets comfortable with the idea of an encrypted filesystem at work will be far more likely to turn that option on when they install Windows Vista at home. This will of course, hugely frustrate the FBI. This isn't to say that they can't break it, but it makes their lives far far more difficult.
What is the moral to this story? The record companies have made an entire generation of college students into criminals, and as such, those college kids have resorted to technical means of avoiding detection - which create a gigantic crowd of encrypted and obfuscated data in which 'real' criminals can hide. These evasion methods are the very same techniques which can frustrate legitimate and useful law enforcement, which as an unintended side-effect, suffer. The ability to catch genuine terrorists and child pornographers is significantly limited through the short sighted actions of the major media companies.
And the thing is - it's too late to fix it. The genie is out of the bottle.
Just as the drug war has made an entire generation fear and mistrust the police, the P2P wars have given the Internet generation a reason to protect their privacy, or at least frustrate forensic analysis of their online activity.
So the next time you see an article describing a new tactic that the record labels are taking to stamp out piracy - Stop for a moment, and please, think of the children.
Note: I started coming up with the idea for this blog post a week ago over lunch with a colleague. However, I decided to hurry up and finish it after reading a recent law review article by Eric Stieglitz (ANONYMITY ON THE INTERNET: HOW DOES IT WORK, WHO NEEDS IT, AND WHAT ARE ITS POLICY IMPLICATIONS? ). You can find it on westlaw or lexis if you're lucky enough to have an account.
Saturday, February 03, 2007
FOIA Fun
Much respect to the the reporters committee for freedom of the press for their kickass FOIA letter generator .
FOIA/PA Mail Referral Unit
Department of Justice
Room 114, LOC
Washington, DC 20530-0001
Dear FOI Officer:
Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of Any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies" . I am interested in anything that matches this description between the dates 01/01/2002 and 02/01/2007.
*edited*
Transportation Security Administration
TSA-20, West Tower
FOIA Division
601 South 12th Street
Arlington, VA 22202-4220
Dear FOI Officer:
Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of All documents including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to the storage and or data deletion policies for the data from chemical/explosive analysis of passengers, passengers bags, items and personal possessions. In particular, I am requesting information on how long TSA keeps the data generated by the machines that perform the explosive residue analysis on the swabs that TSA agents wipe on passenger's bags/objects. I am also requesting information on how long data is kept from the "puffer" machines used by TSA (these are typically made by either GE or Smiths), which shoot air at passengers and then analyze the particles that are dislodged. In addition to this data, I also request any and all information relating to how the information is matched or associated to specific passengers, in what format, and held in what databases, if it is at all. The scope of this request is for all information matching this description between the dates of 01/01/2003 and 02/01/2007.
FOIA/PA Mail Referral Unit
Department of Justice
Room 114, LOC
Washington, DC 20530-0001
Dear FOI Officer:
Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of Any and all documents (including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to "Tor", "onion routing", "onion router", and "anonymous/anonymizing proxy/proxies" . I am interested in anything that matches this description between the dates 01/01/2002 and 02/01/2007.
*edited*
Transportation Security Administration
TSA-20, West Tower
FOIA Division
601 South 12th Street
Arlington, VA 22202-4220
Dear FOI Officer:
Pursuant to the federal Freedom of Information Act, 5 U.S.C. § 552, I request access to and copies of All documents including but not limited to) memos, electronic mail, presentations, briefings, meeting notes, guidelines and policies relating to the storage and or data deletion policies for the data from chemical/explosive analysis of passengers, passengers bags, items and personal possessions. In particular, I am requesting information on how long TSA keeps the data generated by the machines that perform the explosive residue analysis on the swabs that TSA agents wipe on passenger's bags/objects. I am also requesting information on how long data is kept from the "puffer" machines used by TSA (these are typically made by either GE or Smiths), which shoot air at passengers and then analyze the particles that are dislodged. In addition to this data, I also request any and all information relating to how the information is matched or associated to specific passengers, in what format, and held in what databases, if it is at all. The scope of this request is for all information matching this description between the dates of 01/01/2003 and 02/01/2007.
Friday, February 02, 2007
Tor: Lies or Ignorance?
I went to a symposium on Search and Seizure in the digital age at Stanford last week.
One topic that kept popping up was the so called "Creepiness Factor" of various surveillance technologies. Just like the 'ol government standard for obscenity, we can't quite define creepy surveillance, but we know it when we see it.
One of the last speakers of the day was an Assistant US Attorney - based in Silicon Valley, and who focused on cyber crimes. I'm fairly sure that his name was Matthew Lamberti. Fairly early into his talk, it was plainly obvious that his opinions did not mesh too well with the rest of the room - at least after he quite proudly announced that he didn't think it was in any way creepy to go through someone's trash. Facial expressions around the room quickly changed.
After his talk was over, I walked up to him, introduced myself, and asked him what he thought of Tor.
(I'm paraphrasing here)
"What's that", he asked.
I explained that it was an anonymity preserving system that enabled hundreds of thousands of Internet users to browse the web and communicate anonymously.
He replied that he wasn't familiar with the technology, so he really couldn't answer my question.
----
Back in November, when I met with the Cybercrime specializing Assistant US Attorney in Indianpolis, his eyes lit up at the mere mention of Tor, and he proceeded to give me a long lecture on the evils of the technology, and how Indiana University has no business doing anything that even comes close to anonymity-promoting research.
I find it shocking, yet amazing that an Assistant US Attorney who works out of the San Jose DoJ office - who prosecutes Internet/IP crime cases all the time - in possibly the most high-tech areas in the country, and who has never heard of Tor.
Are the Indianapolis DoJ more Internet Savvy than those in Silicon Valley? Did I catch Mr Lamberti on an off day, or what?
And that's where my latest FOIA request will come in handy ;-)
One topic that kept popping up was the so called "Creepiness Factor" of various surveillance technologies. Just like the 'ol government standard for obscenity, we can't quite define creepy surveillance, but we know it when we see it.
One of the last speakers of the day was an Assistant US Attorney - based in Silicon Valley, and who focused on cyber crimes. I'm fairly sure that his name was Matthew Lamberti. Fairly early into his talk, it was plainly obvious that his opinions did not mesh too well with the rest of the room - at least after he quite proudly announced that he didn't think it was in any way creepy to go through someone's trash. Facial expressions around the room quickly changed.
After his talk was over, I walked up to him, introduced myself, and asked him what he thought of Tor.
(I'm paraphrasing here)
"What's that", he asked.
I explained that it was an anonymity preserving system that enabled hundreds of thousands of Internet users to browse the web and communicate anonymously.
He replied that he wasn't familiar with the technology, so he really couldn't answer my question.
----
Back in November, when I met with the Cybercrime specializing Assistant US Attorney in Indianpolis, his eyes lit up at the mere mention of Tor, and he proceeded to give me a long lecture on the evils of the technology, and how Indiana University has no business doing anything that even comes close to anonymity-promoting research.
I find it shocking, yet amazing that an Assistant US Attorney who works out of the San Jose DoJ office - who prosecutes Internet/IP crime cases all the time - in possibly the most high-tech areas in the country, and who has never heard of Tor.
Are the Indianapolis DoJ more Internet Savvy than those in Silicon Valley? Did I catch Mr Lamberti on an off day, or what?
And that's where my latest FOIA request will come in handy ;-)
Tuesday, January 23, 2007
Why the government should embrace Tor
As security researchers keep saying, Tor really is useful.
And not just if you are worried about your employer firing you for looking up information on unions, or your husband finding out that you've been googling for information on spouse abuse laws....
If you're a government employee, and you're investigating someone, you really don't want server logs to betray who you are.
I -really- hope that the FBI has some kind of leased line/private DSL connection that they use when they investigate child porn cases....
At the very least, TSA clearly doesn't:
pnxuser1.tsa.dhs.gov - - [23/Jan/2007:05:58:32 -0800] "GET /chris/ HTTP/1.1" 200 2683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
And not just if you are worried about your employer firing you for looking up information on unions, or your husband finding out that you've been googling for information on spouse abuse laws....
If you're a government employee, and you're investigating someone, you really don't want server logs to betray who you are.
I -really- hope that the FBI has some kind of leased line/private DSL connection that they use when they investigate child porn cases....
At the very least, TSA clearly doesn't:
pnxuser1.tsa.dhs.gov - - [23/Jan/2007:05:58:32 -0800] "GET /chris/ HTTP/1.1" 200 2683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
Subscribe to:
Posts (Atom)