Schneier on Security
November 14, 2007
This kind of thinking can do enormous damage to a free society:
As Congress debates new rules for government eavesdropping, a top intelligence official says it is time that people in the United States change their definition of privacy.
Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people's private communications and financial information.
"Our job now is to engage in a productive debate, which focuses on privacy as a component of appropriate levels of security and public safety," Kerr said. "I think all of us have to really take stock of what we already are willing to give up, in terms of anonymity, but [also] what safeguards we want in place to be sure that giving that doesn't empty our bank account or do something equally bad elsewhere."
Anonymity, privacy, and security are intertwined; you can't just separate them out like that. And privacy isn't opposed to security; privacy is part of security. And the value of privacy in a free society is enormous.
EDITED TO ADD (11/15): His actual comments are more nuanced. Steve Bellovin has some comments.
Posted on November 14, 2007 at 12:51 PM
...and thus the so-called land-of-the-free takes yet another giant step to becoming the very thing it railed against during the cold war.
"Instead, it should mean that government and businesses properly safeguard people's private communications and financial information."
No, it means that the government passes laws RESTRICTING what kind of information can be collected by businesses and how long the businesses can keep it and how to verify that it has been deleted correctly.
It means that the government is restricted on what information it can collect and how long it can hold it and how to verify that it has CORRECTLY been deleted.
"Mark Klein, a retired AT&T technician, helped connect a device in 2003 that he says diverted and copied onto a government supercomputer every call, e-mail, and Internet site access on AT&T lines."
And that is the problem. The government wants to collect EVERYTHING ... and then decide what it wants to do with the information.
That's bull**** and it's wrong!
This is certainly a frightening idea, but I suspect that the issue of privacy is going to be getting far, far worse before it gets better. Look at the popularity of Social Networking sites like MySpace and Facebook. While they don't need to be inherently evil themselves from a privacy standpoint, the way people use them suggests that people don't care about their privacy.
Until people en masse understand the importance of privacy, this situation will not be improving.
Misereátur Omnípotens Deus (May almighty God have mercy)
The problem with Kerr's statements is that it's a one-way relationship. The citizen is not permitted to remain anonymous, whereas the government official has recourse to 'executive privilege' (and when that fails, just lose the e-mails you shouldn't have had on a separate server to begin with).
Privacy "should mean that government and businesses properly safeguard people's private communications and financial information."
Who are we protecting the data from? Would it not be those entities themselves who are most threatening to our privacy? Who are these people kidding?
It's just like the terrorism shell game. Everything get reduced to protecting us from lone gun-men or small cliques, rather than focusing on the systematic abuses.
Deputy Director of National Intelligence.
Ya know... maybe it is time for some guerrilla art installations... place dummy security cameras in public restroom stalls with signs saying "in the interest of public safety and national security these cameras are for your protection. If you aren't doing anything wrong, what do you have to hide?"
Worst part, there are people who could be convinced it is a good idea to place real cameras in the stalls.
Oh and this is especially rich: 'Kerr said at an October intelligence conference in San Antonio, Texas, that he finds it odd that some would be concerned that the government may be listening in when people are "perfectly willing for a green-card holder at an [Internet service provider] who may or may have not have been an illegal entrant to the United States to handle their data.'
So, I have more to worry from some !! Illegal Engineers !! stealing my data, than from the gummint or large corporations cross-correlating all my data and abusing their knowledge? And we completely elide the fact that unknown numbers of !! Illegal Engineers !! are stealing my data as employees of companies that are completely under regulated in terms of data protection?
So we can trust the most powerful entities in the world with unrestricted data, but we should be scared of illegals? They're not only terrorist-loving job-takers, but also malevolent IT workers? My God, you are too kind calling this sort of fear-mongering simply "dangerous thinking"!
MFHeadcase: The cameras should be in the urinals and the toilets.
Unter: Naaah, I would want to engage in a little subtlety... make it so that the apparent aim is crotch level, but place them on the stall doors or above the urinals... leave it so that the fake cameras can vaguely pass for official.
It's time that we all email and call our Reps. and bombard them with protests. I am getting so tired of this attempt of our leadership to control and grab for power. We need to start voting people out of office and firing some of these control freaks.
Even from the pdf with all of his comments ... he keeps bringing up different attacks in attempts to justify ... something.
And he still doesn't seem to understand the difference between what people voluntarily post on some social site and what the government can demand.
...our embassies in Nairobi, Kenya, and Dar es Salaam, Tanzania were attacked by al Qaeda.
...Osama bin Laden on our FBI "Ten Most Wanted" list.
...attack on the USS Cole ...
...17 sailors who lost their lives.
...glimpses of al Qaeda.
...in advance of Hurricane Dean’s landfall...
...the Kailau Kona Earthquake...
...Tropical Storm Ernesto...
"But in our interconnected and wireless world, anonymity – or the appearance of anonymity – is quickly becoming a thing of the past."
What does "wireless" have to do with anything?
And he's wrong. Anonymity is not "a thing of the past". As long as we can prevent the government from collecting the information.
"Anonymity results from a lack of identifying features."
Pretty much. And it is only the government that can coerce the collection of those "identifying features".
"Protecting anonymity isn’t a fight that can be won."
Yes it can. Simply by limiting the information the government is allowed to collect.
"Instead, privacy, I would offer, is a system of laws, rules, and customs with an infrastructure of Inspectors General, oversight committees, and privacy boards on which our intelligence community commitment is based and measured."
No, that is one way to protect privacy.
It is not privacy.
"And so, it’s not for us to inflict one size fits all."
Wrong. The government DOES "inflict one size fits all". If individual citizens wish to share more of their information, that is their choice.
"Eventually, we can only hope that people’s perceptions – in Hollywood and elsewhere – will catch up."
Nice play there. But too many facts have been leaked that contradict you. The government DOES violate privacy for purely political reasons.
...240 U.S. Marines and sailors were killed.
He's still trying to use fear to push his agenda. And the only reason to do that is to get people to surrender their Rights.
Why does the fact that *some* people don't care about privacy mean that *no-one* does? Sure, a lot of people put up some ridiculously personal information for the world to see. Some post fake info. Some don't post. I don't think this means that collectively we don't care about privacy. I care more about my fellows having a right to privacy than I do about my personal privacy.
Also relevant in this context is this SecurityFocus article: http://www.securityfocus.com/columnists/456
The government argues that there is no expectation of privacy in E-Mail. Because you voluntarily disclose your mail to an ISP, there can be no expectation of privacy.
Hence, the fourth amendment against unreasonable seizure does not apply to E-Mail (and by extension to all Internet traffic), so it's free for the taking by the government, no warrant necessary.
Assuming you were responding to me, my point was certainly not that it is okay to violate everyone's privacy just because some people are okay with it.
My fear is that the vast majority of people don't care about privacy enough to do anything about it, and because the majority doesn't care, they can be easily coerced by fear-mongers to give it up.
One thing (among many) from the article that really bothered me was his justification that people are used to giving their information away anyway. The next step is to outlaw private encryption.
"Anonymity, privacy, and security are intertwined..."
Absolutely. I would add one other word to the list: FREEDOM.
"If you aren't doing anything wrong, what do you have to hide?"
That's got a simple answer. Not everything that is legal, is acceptable (of course the converse is also true.)
Take for example a perfectly normal Satan worshipper who does nothing worse than say a few prayers in front of a black candle a couple of times a week. This is both legal and for everybody else, harmless. But she is also a teacher...
We are approaching a point where the state will use peer pressure to force everybody to conform. In the process, those that will not conform will be assumed to be enemies of the state and one day you are living in a modern version of East Germany where 30% of the population is reporting on the remaining 70%
FP: would this also mean that when you're talking on an unencrypted landline, it can be eavesdropped at will?
> The government argues that there is no expectation of privacy in E-Mail. Because you voluntarily disclose your mail to an ISP, there can be no expectation of privacy.
So, by insane extension, does that mean if I put my return address on any piece of (postal) mail, ever, I have relinquished the expectation of privacy of all of my letters and packages for evermore?
If I am a cute girl and some cop writes down my tag, because I display the tag according to law, does it allow him to find my address and stop by? No! Privacy is important and should not be invaded short of a true legal investigation that follows the LETTER OF THE LAW (we call that the Constitution where I am from!)
"The government argues that there is no expectation of privacy in E-Mail. Because you voluntarily disclose your mail to an ISP, there can be no expectation of privacy.
I wonder if the government would take such a view of a journalist publishing the official emails of government officials.
He's right about one thing, for western society as a whole, the privacy ship has already sailed. We can't call it back to harbor, so the *best* we can do is try to intelligently create a new vision. Goodness knows I'm no one to create the new vision and I certainly don't trust my government to do it, but I think some needs to, and fast.
I guess I got a different copy than you.
"The right of the people to be secure in their privacy, anonymity and secrecy..."
Check out the dissenting opinion in the supreme court case ("Katz v. United States") that the SecurityFocus article quotes:
"In his dissent, Justice Hugo Black argued that the Fourth Amendment, as a whole, was only meant to protect "things" from physical search and seizure; it was not meant to protect personal privacy. Additionally, Black argued that the modern act of wiretapping was analogous to the act of eavesdropping, which was around even when the Bill of Rights was drafted. Black concluded that if the drafters of the Fourth Amendment had meant for it to protect against eavesdropping they would have included the proper language." Quoted from: http://en.wikipedia.org/wiki/...
So because the founding fathers did not explicitly prohibit eavesdropping, it (and thus wiretapping) must be legal.
Now this is not the legally uneducated ramblings from some random schmuck, but the official opinion of a (former) supreme court justice.
How long before this dissenting opinion becomes the majority?
Mac, it's not that "a new vision" is needed, we just have to adapt to the times.
We had privacy before by default - it was fairly difficult to track people. At worst, you moved to the next town and changed your name. IDs were spotty at best, databases were difficult to search (being composed mostly of paper), photographs were rare, ....
Since the '30s, massive databases have been created, and misused to destroy lives and kill. The US government has been fairly slow on this, because Americans are by nature conservative and have resisted a lot of the reforms that have created the databases. But it's been 80 years - social security numbers are abused (by the government and corps), databases are fast, the net is in full swing, IDs are becoming more and more complete, credit checks and private databases are rampant, ...
We can't pretend that we can go back to 1900. But we don't need to. And we don't need a "new vision". We just need to put in some checks-and-balances as we've done before, so that the status quo ante comes from regulation and not just from the default state of affairs.
We can regulate government acquisition of data. We can regulate private databases - what can be collected, how long it can be kept, with whom it can be shared - and make appropriately draconian punishments for violators.
It doesn't take great genius ("New Vision"), just the same plodding bureaucrats we've always had, doing the dull and unglamorous job of writing regulation and investigating violations.
I agree. Moreso that privacy [is an element of] freedom. Just don't ask Rudy Giuliani to solve that equation for you:
"...freedom is not a concept in which people can do anything they want, be anything they can be. Freedom is about authority. Freedom is about the willingness of every single human being to cede to lawful authority a great deal of discretion about what you do."
Newspeak anyone? As long as they want to redefine the language on us and eliminate the concepts that made this nation great, why don't they just scratch the word "bad" for "ungood"?
"So because the founding fathers did not explicitly prohibit eavesdropping, it (and thus wiretapping) must be legal."
You can have it one way or the other; either everything that is not explicitly denied is allowed, or everything that is not explicitly allowed is denied.
Even a small amount of thought helps one to realize that it is better to allow everything that is not denied in the real world, and deal with the rest as they come up.
That said, the state of privacy in the US and the American approach to Freedom is terrifying.
"You can have it one way or the other; either everything that is not explicitly denied is allowed, or everything that is not explicitly allowed is denied."
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
The Constitution was SUPPOSED to be a document detailing what the government was ALLOWED to do.
Not what the citizens were allowed to do.
Nor what Rights the citizens had.
If the Constitution does not specifically state that the government can do X then the government cannot do X.
The problem is that the Constitution has been "interpreted" over the years to justify just about anything.
The Constitution is MEANT to limit the government. It is not meant to limit the people.
Y'know, defining privacy as something that does not include a measure of anonymity is fine for the people who can afford body guards-- or have them provided by the Treasury Department-- to insulate them from the consequences of their traceable behaviors.
I guess this connects with the idea of not having anonymity w/r/t your vote in an election.
> We had privacy before by default - it was fairly difficult to track people.
This is an over-generalization. We also didn't have privacy before, by default; because the tribe only had N users, where N was small enough that you knew everybody intimately (and you couldn't exactly leave the tribe).
This is still the case, many places, in fact. If you live in a small town, you have a much different expectation of privacy than if you live in the suburbs. Packing up and leaving town may not be a viable solution if your privacy is invaded. More to the point, it's not exactly just for the victim to have to adapt to recover.
Article X sums it up better than IX:
"The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."
We have a property system in which my personal data is considered the property of corporations who buy and sell it on a routine basis, co-existing with a legal environment which chills free speech, a regulatory environment which is incomprehensible to the layperson, and a regime of social control that keeps massive tabs on everybody (from DMV to warrant checks to instant files courtesy of Total Information Awareness). It is difficult to imagine the situation getting _worse_, except perhaps through the kind of voluntary internal self-policing pushed by this particularly vapid DDI. How does he think the evidence will be gathered to punish the government's illicit use of information, when it is already nearly impossible to sue a Federal agency without its own permission?
I note in passing that OJ Simpson's DMV information was run by over seventy law enforcement agencies, including dispatchers and supervisors, who knew perfectly damn well that they had no legal need for or right to his data. I know ex-wives who are terrified of their current law enforcement husbands, because one little plate check means that they have to move again. If this DDI thinks there is no abuse of systems like this, he is incompetent to hold his position and should go do something useful. Like participate in non-torture waterboarding effectiveness studies.
If any of you are from Florida, I would advise that you take advantage of the Florida Driver Privacy Protection Act and download and return this form: http://www.hsmv.state.fl.us/html/withhold.pdf
Many other states may have something similar. Please spread the word. We can use the laws to protect our information to some degree.
Privacy, like the Geneva Conventions, is quaint. "Get over it".
That is what this guy is saying. McNealy was wrong when he said it, and this assclown is wrong now.
Bruce posted something like this a short while back:
It was a fascinating read:
Interesting article: Neil M. Richards & Daniel J. Solove, "Privacy's Other Path: Recovering the Law of Confidentiality," 96 Georgetown Law Journal, 2007.
"top intelligence official says it is time that people in the United States change their definition of privacy"
... why? Has anyone answered this with a coherent statement?
I suspect unreasonable fear.
Privacy is opening up your privates to the world.
Negative is just a plus plus.
Repeat Repeat to get more thought speak.
Too late in USA, UK, powers want DRM trusted computing.
Mark of the beast really means that no privacy.
Profit or be profitted. Trusted computing and control is coming, unless people get real.
Oh well. YMMV
By definition, governments are after more and more power. They can best pursue it unopposed in a climate of fear. It seems 9/11 has given the US government one chance in a lifetime to erode personal freedoms, brainwash citizens and atomize them so they can spend their time spying and squealing on each other, and accept being spied and squealed on. How real is this famous "terrorist threat" anyway? How more real is it than, say, 20 years ago? How does it look compared to, say, World War II, when there was a real enemy and a real battle for democracy?
"No, it means that the government passes laws RESTRICTING what kind of information can be collected by businesses and how long the businesses can keep it and how to verify that it has been deleted correctly."
Passing a law never stops anyone from doing anything. Instead, the people themselves need to become more versed in protecting themselves and their communications.
Now, you can stop government from passing laws outlawing self-protection. But you can't pass a law that "protects" anything and expect all the bad guys to just follow it.
@Pat: "This is an over-generalization. We also didn't have privacy before, by default; because the tribe only had N users, where N was small enough that you knew everybody intimately (and you couldn't exactly leave the tribe)."
True enough. But when N is small enough, you have other gains in exchange for privacy, such as real political power. With a large N (the 19th century case I was talking about), a very small percentage of the population has any significant political power, but that power is limited by the anonymity of the society. When N is small, everyone is in your business, but you are also in everyone else's business. There is a real opportunity for you to have influence over your community.
In the post-modern case, we're talking about the worst of both worlds. N is so large, very few people have political influence, but additionally, those few have a great deal of information about the rest of the population. It's that global village idea, except with six billion serfs.
I see a conflict between public records and privacy needs. In our legal system, many records are public, and properly so. I do not want privacy misconstrued so that public records are removed from the public to protect our privacy.
We really must think about privacy and public records.
"Top Gummit Eavesdropper Sez Peons Should Accept Eavesdropping"
> In the post-modern case, we're talking about the worst of both worlds. N is so large,
> very few people have political influence, but additionally, those few have a great deal
> of information about the rest of the population. It's that global village idea, except with six
> billion serfs.
I agree totally, just wanted to clarify ;)
As Franklin says, "Those that would give up liberty in the pursuit of security shall have neither."
Recently the government has been infringing on our rights and privacy online globally. This doesn't just affect the United States; the NSA in the United States is and has been logging more than 50% of all internet communications. And most likely all SMTP/POP/IMAP and webmail is probably logged and filtered for certain keywords.
I take privacy and the freedoms we had and are now losing seriously.
The Electronic Frontier Foundation has been fighting for our rights for years and needs more support. The EFF has fought the FBI for the past few years and got important information shedding light on DCS-3000 aka Red Hook. This system logs phone communications. And this is just the FBI.. The NSA has the biggest & best computer systems in the world with the most storage and could actively sort/log everything that it needs to.
NSA Affiliated IP ranges: These IP ranges are mostly name servers and also full ISPs including qwest.net, comcast, cox, sprint, att.. to name a few.. These IP ranges have been confirmed by thousands of sources that work in ISPs as well as whistleblowers.
I strongly suggest encrypting all your data communications online via the tor network that is sponsored by the Electronic Frontier Foundation at tor.eff.org.
Surveillance & its Effects on society
Surveillance is a process of keeping people (such as customers and employees, as well as members of the public) under close supervision. What are the effects of surveillance? Here are two answers from an interesting blog (now called Into The Machine) whose main purpose seems to be to critique the authoritarian policies of the UK Home Secretary (past and present).
* All CCTV monitoring does is lock down the public face of our nation, allowing us in our public capacity to simply sweep aside all the factors that lead to the crime and attitude we're experiencing every day. (The Two Faces of CCTV)
* Surveillance will always produce nothing but underground revelry and a false sense of security. (The Ubiquity of Unnatural surveillance)
It is clearly important to understand the effects on those being observed. But it is also interesting to note the effects on those doing (or relying upon) the observing.
Jeremy Bentham's panopticon was originally a prison so designed that the warder could watch all the prisoners at the same time. By extension, this term is used to describe any technical or institutional arrangement to watch/monitor large numbers of people. It forms part of Foucault's analysis of discipline, and provides a useful metaphor for various modern technologies:
* workforce monitoring
* database systems such as customer relationship management (CRM)
The panopticon provides surveillance and may result in a loss of privacy for the people being watched / monitored, but may also make people feel they are being looked after (better quality of service, safer). If you know you’re being watched, this may trigger various feelings – both positive and negative.
Besides the impact on the people being watched, the panopticon often has an adverse effect on the watcher. The panopticon gives the illusion of transparency and completeness - so the watcher comes to believe three fallacies:
* that everything visible is undistorted truth
* that everything visible is important
* that everything important is visible
This is one of the reasons why surveillance mechanisms often become dysfunctional even for those doing the surveillance. For example, instead of customer relationship management (CRM) promoting better relationships with the customer, it becomes a bureaucratic obsession with the content of the customer database.
Why we need Tor
Using Tor protects you against a common form of Internet surveillance known as "traffic analysis." Traffic analysis can be used to infer who is talking to whom over a public network. Knowing the source and destination of your Internet traffic allows others to track your behavior and interests. This can impact your checkbook if, for example, an e-commerce site uses price discrimination based on your country or institution of origin. It can even threaten your job and physical safety by revealing who and where you are. For example, if you're travelling abroad and you connect to your employer's computers to check or send mail, you can inadvertently reveal your national origin and professional affiliation to anyone observing the network, even if the connection is encrypted.
How does traffic analysis work? Internet data packets have two parts: a data payload and a header used for routing. The data payload is whatever is being sent, whether that's an email message, a web page, or an audio file. Even if you encrypt the data payload of your communications, traffic analysis still reveals a great deal about what you're doing and, possibly, what you're saying. That's because it focuses on the header, which discloses source, destination, size, timing, and so on.
A basic problem for the privacy minded is that the recipient of your communications can see that you sent it by looking at headers. So can authorized intermediaries like Internet service providers, and sometimes unauthorized intermediaries as well. A very simple form of traffic analysis might involve sitting somewhere between sender and recipient on the network, looking at headers.
But there are also more powerful kinds of traffic analysis. Some attackers spy on multiple parts of the Internet and use sophisticated statistical techniques to track the communications patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Internet traffic, not the headers.
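The traffic analysis described in the pasted Tor text above, as an added example that is not part of the original post or of the Tor project's code. The flow records are constructed for illustration (hypothetical addresses, an imagined proxy called proxy.example); the observer never sees a payload, only the header-level metadata the text names: source, destination, size and timing. The second function shows the "more powerful" kind of analysis: an observer who can see both sides of an intermediary links a client to its real destination by matching sizes and timing, which payload encryption does nothing to prevent.

```python
"""Traffic-analysis demo: header metadata alone (no payload) reveals who talks
to whom, and links flows through an intermediary by size and timing."""
from collections import defaultdict

# Constructed flow records, as a network observer would log them. The payload
# is opaque (encrypted); only timestamp (s), src, dst and byte count are seen.
# All addresses are hypothetical.
FLOWS = [
    (100.00, "10.0.0.5", "proxy.example", 1460),
    (100.02, "proxy.example", "bank.example", 1460),
    (100.50, "10.0.0.7", "proxy.example", 620),
    (100.53, "proxy.example", "news.example", 620),
    (101.00, "10.0.0.5", "proxy.example", 3100),
    (101.03, "proxy.example", "bank.example", 3100),
    (101.20, "10.0.0.9", "proxy.example", 1460),
    (101.27, "proxy.example", "mail.example", 1460),
]


def talks_to(flows):
    """Simplest traffic analysis: build the who-talks-to-whom graph from
    headers only. Against a single observer at one vantage point, the proxy
    hides the real destination (every client appears to talk to the proxy)."""
    graph = defaultdict(set)
    for _, src, dst, _ in flows:
        graph[src].add(dst)
    return dict(graph)


def correlate_through(flows, intermediary, max_delay=0.1):
    """Stronger analysis: an observer who sees traffic on both sides of the
    intermediary pairs each inbound flow with the outbound flow of identical
    size that leaves within max_delay seconds. Returns a count of how often
    each (client, destination) pair was linked. Encrypting the payload does
    not disturb this, because size and timing survive encryption."""
    inbound = [f for f in flows if f[2] == intermediary]
    outbound = [f for f in flows if f[1] == intermediary]
    links = defaultdict(int)
    used = set()  # each outbound flow explains at most one inbound flow
    for t_in, client, _, size in inbound:
        for i, (t_out, _, dest, out_size) in enumerate(outbound):
            if i in used or out_size != size:
                continue
            if 0 <= t_out - t_in <= max_delay:
                links[(client, dest)] += 1
                used.add(i)
                break
    return dict(links)


if __name__ == "__main__":
    print("who talks to whom:", talks_to(FLOWS))
    print("linked through proxy:", correlate_through(FLOWS, "proxy.example"))
```

The defence against the size half of this correlation is fixed-size cells and padding (Tor uses fixed 512-byte cells), and against the timing half, batching or delay; neither is provided by encrypting the payload, which is exactly the point the pasted text makes.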
@defcon: "I strongly suggest encrypting all your data communications online via the tor network..."
This is a potentially misleading statement.
I realise that you do know what TOR does (you explain it in more detail further down your post), but anyone reading this sentence who is unfamiliar with TOR could get the wrong idea from this particular line.
To clarify: TOR just makes it very difficult for eavesdroppers to determine what Internet sites you are connecting to -- it *does not* encrypt those communications (except in the middle). Specifically, anyone operating the last TOR machine before the site you're communicating with, and anyone between that machine and the site, can see the un-encrypted data.
So don't use TOR for encryption, only for anonymisation. You need to use something else (possibly in addition) if you want end-to-end encryption. (Note that there is some evidence of Bad People operating TOR machines, precisely to exploit this misunderstanding.)
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.
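The point made in the reply above (Tor strips its last encryption layer at the exit relay, so only an end-to-end layer protects the content from whoever runs that relay), as an added example that is not part of the original thread or of the Tor code base. The relay cipher here is a toy HMAC-SHA256 keystream standing in for Tor's real per-hop cipher, the three relay keys and the site session key are constructed, and the HTTP request is made up; the structure (one layer wrapped per relay, one layer peeled per hop) is what the example demonstrates.

```python
"""Onion-layer demo: the client wraps one encryption layer per relay, each relay
peels exactly one, and the exit relay therefore forwards whatever the client
originally sent. A plaintext request is plaintext at the exit unless the client
also encrypted it end to end with the destination (what TLS does in practice)."""
import hashlib
import hmac


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). Illustration only; it
    stands in for the real relay cipher and is not a production cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Apply (or remove) one layer: XOR with the key's keystream. Applying it
    twice with the same key restores the input."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(payload: bytes, relay_keys) -> bytes:
    """Client side: wrap for the exit first, then middle, then guard, so that
    each relay on the path can remove only its own layer."""
    cell = payload
    for key in reversed(relay_keys):
        cell = xor_layer(key, cell)
    return cell


def run_circuit(payload: bytes, relay_keys):
    """Send payload through the circuit; return what each relay observes after
    stripping its layer. The last entry is what the exit forwards to the site."""
    cell = build_onion(payload, relay_keys)
    seen = []
    for key in relay_keys:
        cell = xor_layer(key, cell)
        seen.append(cell)
    return seen


def exit_sees(payload: bytes, relay_keys) -> bytes:
    return run_circuit(payload, relay_keys)[-1]


# Constructed keys and request; the relay keys would be negotiated per hop
# and SITE_KEY stands in for a TLS session with the destination.
RELAY_KEYS = [b"guard-key", b"middle-key", b"exit-key"]
SITE_KEY = b"tls-session-key"
REQUEST = b"GET /login?user=alice&pw=hunter2 HTTP/1.1\r\nHost: site.example\r\n"


def demo():
    """Return (what the exit sees for a plain request, what it sees when the
    client added an end-to-end layer first)."""
    plain_at_exit = exit_sees(REQUEST, RELAY_KEYS)
    protected_at_exit = exit_sees(xor_layer(SITE_KEY, REQUEST), RELAY_KEYS)
    return plain_at_exit, protected_at_exit


if __name__ == "__main__":
    plain, protected = demo()
    print("exit relay sees (plain HTTP):", plain)
    print("exit relay sees (end-to-end):", protected)
```

The middle relay never sees the request in either case (its view still carries the exit's layer), which is the "except in the middle" of the reply; the exit, and anyone between it and the site, sees exactly what the client put inside the innermost layer.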
"that he finds it odd that some would be concerned that the government may be listening in when people are perfectly willing for a green-card holder at an [Internet service provider] who may or may have not have been an illegal entrant to the United States to handle their data.''
This is all fine, but this assumes that the green card holding "terrorist" never ends up in government. After seeing movies like Breach, I'm not able to trust the government, or the corporations, because both entities are filled with people whom I don't know, and whose loyalties may not be to the USA.
It's possible, that someone who hates the USA, and it's citizens, could end up in charge of the very information that is most private.
@Lucian: "It's possible, that someone who hates the USA, and it's citizens, could end up in charge of the very information that is most private." - I don't think this will happen.