Privacy discussion (US vs EU)

A couple of weeks ago, Georgetown University hosted a panel discussion on the differences between privacy issues in the US and the EU. This is a fascinating issue given that as people travel more and more, and governments try to protect their borders via information discovery, the implications to the loss of privacy are quite large. Although I think this panel spent too much time mentioning a few issues (passenger list disclosure, if corp. aggregation or govt. aggregation of data is more concerning and the differences between US and EU privacy law, much of the electronic privacy law issues (like if IP addresses are Personally identifiable Information (PII)) was left out. Of course in a one hour discussion you can’t really even begin to touch all the privacy issues but it seems a shame that such a great panel of experts was stuck on the surface of many issues and didn’t dig that deep into many. None the less, it’s a interesting listen if you are interested in privacy issues and the law.

Tell the world you're made in America

American Apparel is proud to say they are at the forefront of marking their clothing with radio transmitters (called Radio Frequency Identification tags (or RFID tags for short)). While touting the supply chain benefits of these RFID tags they don't quite mention small details (like whether the tag gets turned off after you leave the store. This kind of potential surveillance (and the ensuing PR issues) led American Eagle to drop a similar plan in 2006. I've covered RFID tags before and their privacy implications. The folks over at Spychips also have a long list of interesting research they have done on RFID chips (including a book that's a little bit over the top but does raise some really interesting issues based upon patent applications). I figure if people have tried out tracking folks with Nike+iPod running gear then it can be only a matter of time before someone tries this with American Apparel's system.

Aren't you glad your government listens to you?

Well, I guess that might depend on who you are. If you are one of the folks who was wiretapped in the past year, then you might not be that excited about it. The Administrative Office of the United States Courts released its yearly report on wiretaps. Of course this only covers the "public" wiretaps (e.g. FISA approved wiretaps are not listed). None the less, we can see the wiretapping is on the rise and the costs are falling (though arstechnica points out that $48,477 per investigations isn't exactly money to be found in your couch cushions). The major use of these taps seems to be for drug related offenses (though we don't know about the FISA taps to know about what our war on terrorism is costing us in government surveillance). Of course all of this is only including the taps that occurred before wiretaps were cut off because we hadn't paid the bills for the ones we'd already implemented. The folks at the Electronic Privacy Information Center have a synopsis of this report as well.

Chip hacking; ain't just for ninjas at the Lays factory

Chip hacking you say? That's right. This was quite a surprise to me but apparently some folks have started to explore the concept of making malicious semiconductors. The concept here is that a specially designed chip would be able to function just as the standard chip but would also allow back doors and access to data that would be undetectable from software. Of course, if you can access someone's physical computer, security has already been compromised. The danger here is not that someone will do a 'sneak and peek' and replace a systems microprocessors (though in theory this could happen; in reality it is far more likely that someone would take a copy of the hard drive to look at; install spy-ware or just plug in a key logger to be retrieved at a latter date).

What is of concern is that someone would put these chips into the commercial stream (or even target it at specific customers). If that sounds outlandish; you may be in for a surprise that some of the computer communications routers (the devices that send messages around the net) have already been hit by counterfeit chips. Indeed; in this case the routers that were purchased went to the US military. Although there is no proof at the moment that these chips were compromised (in terms of having a back door installed) no-one really knows. This has sent the Department of Defense scrambling to inspect all of it's routers for these phony chips (for those who think this sounds like overkill; it may be given that the US (and Chinese) governments have already insisted that communications equipment makers design their equipment to be able to allow transmission monitoring (Cisco documentation).

The interesting part here is that this is forcing government agencies to flip the usual "privacy for security" trade-off" discussion on its head. In this case, the way they can ensure the security of their populations, is though increased privacy (this is the same argument that people make about anonymity being important to avoid governmental tyranny). Although governments are likely to do a two-step about how what's good for them is bad for you; the real danger here is that chips coming from unidentified sources (say Fabs (fabrications facilities) outside of the US) and then put in products to be resold could have back doors waiting to be unlocked (or have the machines disabled at a critical time). The fear for governments here is obvious but the impact to business and users is also important. I'd love to see a solution for how to protect against malicious hardware (somewhat akin to the challenge of sending secret messages across monitored channels that encryption faced until public key encryption was discovered).