Monday, May 19, 2008

Privacy discussion (US vs EU)

A couple of weeks ago, Georgetown University hosted a panel discussion on the differences between privacy issues in the US and the EU. This is a fascinating issue given that as people travel more and more, and governments try to protect their borders via information discovery, the implications for the loss of privacy are quite large. Although I think this panel spent too much time mentioning a few issues (passenger list disclosure, whether corporate or government aggregation of data is more concerning, and the differences between US and EU privacy law), many of the electronic privacy law issues (like whether IP addresses are Personally Identifiable Information (PII)) were left out. Of course in a one-hour discussion you can’t really even begin to touch all the privacy issues, but it seems a shame that such a great panel of experts was stuck on the surface of many issues and didn’t dig that deep into many. Nonetheless, it’s an interesting listen if you are interested in privacy issues and the law.

Thursday, May 8, 2008

Tell the world you're made in America

American Apparel is proud to say they are at the forefront of marking their clothing with radio transmitters (called Radio Frequency Identification tags, or RFID tags for short). While touting the supply chain benefits of these RFID tags, they don't quite mention small details (like whether the tag gets turned off after you leave the store). This kind of potential surveillance (and the ensuing PR issues) led American Eagle to drop a similar plan in 2006. I've covered RFID tags before and their privacy implications. The folks over at Spychips also have a long list of interesting research they have done on RFID chips (including a book that's a little bit over the top but does raise some really interesting issues based upon patent applications). I figure if people have tried out tracking folks with Nike+iPod running gear then it can be only a matter of time before someone tries this with American Apparel's system.

Monday, May 5, 2008

Aren't you glad your government listens to you?

Well, I guess that might depend on who you are. If you are one of the folks who was wiretapped in the past year, then you might not be that excited about it. The Administrative Office of the United States Courts released its yearly report on wiretaps. Of course this only covers the "public" wiretaps (e.g. FISA-approved wiretaps are not listed). Nonetheless, we can see that wiretapping is on the rise and the costs are falling (though Ars Technica points out that $48,477 per investigation isn't exactly money to be found in your couch cushions). The major use of these taps seems to be for drug-related offenses (though we don't know enough about the FISA taps to know what our war on terrorism is costing us in government surveillance). Of course all of this only includes the taps that occurred before wiretaps were cut off because we hadn't paid the bills for the ones we'd already implemented. The folks at the Electronic Privacy Information Center have a synopsis of this report as well.

Sunday, May 4, 2008

Chip hacking; ain't just for ninjas at the Lays factory

Chip hacking, you say? That's right. This was quite a surprise to me, but apparently some folks have started to explore the concept of making malicious semiconductors. The concept here is that a specially designed chip would be able to function just as the standard chip but would also allow back doors and access to data that would be undetectable from software. Of course, if you can access someone's physical computer, security has already been compromised. The danger here is not that someone will do a 'sneak and peek' and replace a system's microprocessors (though in theory this could happen; in reality it is far more likely that someone would take a copy of the hard drive to look at, install spyware, or just plug in a key logger to be retrieved at a later date).

What is of concern is that someone would put these chips into the commercial stream (or even target them at specific customers). If that sounds outlandish, you may be in for a surprise: some of the computer communications routers (the devices that send messages around the net) have already been hit by counterfeit chips. Indeed, in this case the routers that were purchased went to the US military. Although there is no proof at the moment that these chips were compromised (in terms of having a back door installed), no one really knows. This has sent the Department of Defense scrambling to inspect all of its routers for these phony chips (for those who think this sounds like overkill, it may be, given that the US (and Chinese) governments have already insisted that communications equipment makers design their equipment to be able to allow transmission monitoring (Cisco documentation)).

The interesting part here is that this is forcing government agencies to flip the usual "privacy for security" trade-off discussion on its head. In this case, the way they can ensure the security of their populations is through increased privacy (this is the same argument that people make about anonymity being important to avoid governmental tyranny). Although governments are likely to do a two-step about how what's good for them is bad for you, the real danger here is that chips coming from unidentified sources (say fabs (fabrication facilities) outside of the US) and then put in products to be resold could have back doors waiting to be unlocked (or have the machines disabled at a critical time). The fear for governments here is obvious, but the impact on business and users is also important. I'd love to see a solution for how to protect against malicious hardware (somewhat akin to the challenge of sending secret messages across monitored channels that encryption faced until public key encryption was discovered).

Monday, April 21, 2008

Why Didn't I Think of That; Research in Thought Crime

Last week there was a really interesting article by Nita Farahany in the Washington Post. The article talks about DARPA research into remote brainwave analysis and its applicability for crime prevention. The article spends most of its time talking about the technology, but there are a few short references made to the civil liberty issues that this research raises. Of particular privacy concern are the 4th Amendment protections from unreasonable search and seizure, as scanning someone's brain certainly falls into the area most of us would consider private. There is also the possibility that there are 5th Amendment issues of self-incrimination from asking questions and then looking at the brain scans of the suspect to define guilt (or perhaps just reasonable suspicion for more questions or a more invasive search). An argument can also be made that there is a lack of due process in such actions, as guilt could be decided based upon nothing more than a machine's output. These are definitely some interesting things to question, and ones we should answer before we introduce such technologies; but I don't think that it's quite time to call for tinfoil hats.

The best analogy I can think of is the polygraph (lie detector) machine. Such machines are banned for compulsory use in prosecutions and have questionable use in defense or civil proceedings. Employers are also banned from using them, though that came about via federal law (the Employee Polygraph Protection Act of 1988 (EPPA)). The danger in such a thing might come from its "illegal" use in pointing law enforcement in the right direction, or if covered up by gag rule legislation (like that which accompanies NSLs).

Perhaps the part of this article that bothers me most is the scenarios that are presented. For some reason the "ticking timebomb" example gets evoked with alarming frequency these days. Forgive my naive nature but how frequent an occurrence is someone in custody who knows about a time bomb that we are so willing to curtail our rights for it? I would think it would be much more common for people with anxiety disorders to be detained and questioned because their condition might create a "false positive" reading. Is this the balance of liberty we want?

Of course this is also assuming that those in power only ever use their power for the good of the society. If someone with such a device were much more unscrupulous (#2). In such a situation authority figures could use such tools to detect which people would pay a bribe; or even worse who might not report an illegal action like a beating or rape by that official.

The real danger is that in such a society, it’s not the thought reading that is the end result; it's just the start. Thought reading necessarily leads people to thought control, where people are afraid to even think certain thoughts (and in this it sounds quite Orwellian). Just think: if everyone around you could read your mind, you would probably think very different thoughts. Such coerced thought control is antithetical to a society that believes in liberty.

If the best reason for such a technology is to catch a person with knowledge of a "ticking timebomb" then I think it's time we really evaluated the risk/benefit trade-off. We debate the safety of mercury in fish, BPA in bottles and alcohol in drivers; each of these impacts many more people a year than "ticking timebombs". Still, people get angry when police set up "sobriety checkpoints"; why would we want something that stops far less crime and is far more invasive?

Thursday, March 20, 2008

Why RFID Should Never be Taken to Mean Private or Secure

I came across two interesting videos this week showing just how insecure RFID can be. I’ve linked them below. You should note that the first uses a system called Oyster that is used in many cases (including entry cards, as the video shows). The second shows an American Express card. Caveat emptor.

Note: the second video is done with a $0.99 reader off eBay (plus $7.99 in shipping). In general these cost around $50, but the prices are dropping and $50 is not much of a barrier. Tracking based on these things we carry (in this case an ID or credit card) has the potential to be cheap and ubiquitous.

Oyster cards hacked and cloned by college kids

American Express cards are easily readable

Sunday, March 16, 2008

Power Corrupts; Absolute Power Corrupts; Absolutely

Hidden between the salacious headlines about a prostitute-patronizing governor, the release of a report by the Department of Justice seeped out. Apparently the government we have entrusted with our security, and with the legal and moral requirement to protect our privacy, has been playing fast and loose with the second of those obligations. According to the report, the FBI was using National Security Letters (authorized under the USA PATRIOT Act for surveillance outside of usual 4th Amendment protections and requirements) to spy on subjects whom they were not allowed to, whom they were forbidden by courts from monitoring, or simply to cast their net much wider than they had approval to do.

For those wondering how this ties to our current debate about providing telecoms with immunity from prosecution (the telecoms are who the FBI delivered these NSLs to and were then given people’s private records or access to wiretaps), the Senate has already approved such immunity while the House voted this week to pass surveillance legislation without telecom immunity. Bush has threatened a veto without this clause and there has been much discussion about this issue. What is interesting here is that our government, entrusted to protect us, has asked for powers to monitor us outside of its abilities and in violation of the Constitution. As in the past (think Hoover administration, files that showed up in the Clinton White House, etc.) we see that those given the ability to secretly monitor are abusing that privilege. When we discuss the concepts of domestic spying and why that must be done outside of oversight, we should also ask: who watches the watchers?