Entries Tagged "EFF"

Fighting DRM in the W3C

Cory Doctorow has a good post on the EFF website about how they’re trying to fight digital rights management software in the World Wide Web Consortium.

So we came back with a new proposal: the W3C could have its cake and eat it too. It could adopt a rule that requires members who help make DRM standards to promise not to sue people who report bugs in tools that conform to those standards, nor could they sue people just for making a standards-based tool that connected to theirs. They could make DRM, but only if they made sure that they took steps to stop that DRM from being used to attack the open Web.

The W3C added DRM to the web’s standards in 2013. This doesn’t reverse that terrible decision, but it’s a step in the right direction.

Posted on January 14, 2016 at 2:13 PM

A New Free CA

Announcing Let’s Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.

This is an absolutely fantastic idea.

The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you’re actually talking to is the server you intended to talk to. For many server operators, getting even a basic server certificate is just too much of a hassle. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s a pain to update.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

[…]

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

Slashdot thread. Hacker News thread.

EDITED TO ADD (11/19): Good post. And EFF’s blog post.

Posted on November 18, 2014 at 12:38 PM

Legal Attacks Against Tor

Last week, we learned that the NSA targets people who look for information about Tor. A few days later, the operator of a Tor exit node in Austria was found guilty as an accomplice, because someone used his computer to transmit child porn. Even more recently, Tor has been named as a defendant in a revenge-porn suit in Texas because it provides web-porn operators with privacy.

Here’s the EFF: “Seven Things You Should Know About Tor.”

EDITED TO ADD (7/16): It seems that article about Tor in Austria was wrong.

Posted on July 15, 2014 at 6:13 AM

NSA Spied on Prominent Muslim Americans

The latest story from the Snowden documents is about five prominent Muslim Americans who were spied on by the NSA and FBI. It’s a good story, and I recommend reading it in its entirety. I have a few observations.

One, it’s hard to assess the significance of this story without context. The source document is a single spreadsheet that lists 7,485 e-mail addresses monitored between 2002 and 2008.

The vast majority of individuals on the “FISA recap” spreadsheet are not named. Instead, only their email addresses are listed, making it impossible in most cases to ascertain their identities. Under the heading “Nationality,” the list designates 202 email addresses as belonging to “U.S. persons,” 1,782 as belonging to “non-U.S. persons,” and 5,501 as “unknown” or simply blank. The Intercept identified the five Americans placed under surveillance from their email addresses.

Without knowing more about this list, we don’t know whether this is good or bad. Is 202 a lot? A little? Were there FISA warrants that put these people on the list? Can we see them?

Two, the 2008 date is important. In July of that year, Congress passed the FISA Amendments Act, which restricted what sorts of surveillance the NSA can do on Americans. So while this story tells us about what was happening before the FAA, we don’t know what—if anything—changed with the passage of the FAA.

Three, another significant event at the time was the FBI’s prosecution of the Holy Land Foundation on terrorism charges. This brought with it an overly broad investigation of Muslim Americans who were just associated with that charity, but that investigation came with approved warrants and all the due process it was supposed to have. How many of the Americans on this list are there as a result of this one case?

Four, this list was just the starting point for a much broader NSA surveillance effort. As Marcy Wheeler pointed out, these people were almost certainly associationally mapped. CAIR founder Nihad Awad is one of the NSA targets named in the story. CAIR is named in an EFF lawsuit against the NSA. If Awad had any contact with the EFF in 2008, then they were also being spied on—that’s one hop. Since I had lots of contact with the EFF in the affected time period, I was being spied on as well—that’s two hops. And if any of you e-mailed me around that time—well, that’s three hops. This isn’t “just metadata”; this is full-take content that’s stored forever. And, yes, the president instructed the NSA to only spy on people up to two hops away this January, but that was just one program under one authority.
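As an added illustration of the hop arithmetic above (this code is not part of the original post), the snippet below runs breadth-first contact chaining over a constructed placeholder contact graph and reports who is swept in under a one-, two- or three-hop rule; every name and edge in it is invented and stands for nobody the post mentions.

```python
from collections import deque

# Constructed placeholder contact graph: an undirected edge means the two
# parties exchanged e-mail in the monitored period. Names are invented for
# this example and do not refer to anyone named in the post.
CONTACTS = {
    "target":       {"advocacy_org", "charity"},
    "advocacy_org": {"target", "blogger", "journalist"},
    "charity":      {"target", "lawyer"},
    "blogger":      {"advocacy_org", "reader1", "reader2", "reader3"},
    "journalist":   {"advocacy_org", "editor"},
    "lawyer":       {"charity"},
    "reader1":      {"blogger"},
    "reader2":      {"blogger"},
    "reader3":      {"blogger"},
    "editor":       {"journalist"},
}

def contact_chain(graph, seed, max_hops):
    """Breadth-first contact chaining from one selector: returns {hop: set of
    parties first reached at that hop}; hop 0 is the seed. Each party is counted
    at the smallest hop that reaches it, as an "N hops" collection rule would."""
    hops = {0: {seed}}
    seen = {seed}
    frontier = deque([(seed, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:          # do not expand past the rule's limit
            continue
        for peer in graph.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                hops.setdefault(depth + 1, set()).add(peer)
                frontier.append((peer, depth + 1))
    return hops

def swept_up(graph, seed, max_hops):
    """Number of parties other than the seed covered by an N-hop rule."""
    return sum(len(s) for h, s in contact_chain(graph, seed, max_hops).items() if h)

def hops_between(graph, seed, person):
    """Hop distance from seed to person, or None if never reached."""
    for hop, parties in contact_chain(graph, seed, len(graph)).items():
        if person in parties:
            return hop
    return None

if __name__ == "__main__":
    print({n: swept_up(CONTACTS, "target", n) for n in (1, 2, 3)})
```

Widening the rule from two hops to three more than doubles the swept-in set on this toy graph, which is the point of counting hops rather than targets.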

This is a hard story to analyze, because it’s more anecdote than data. I much preferred last Saturday’s story that tried to analyze broad trends about who the subjects of NSA surveillance are. But anecdotes are more persuasive than data, so this story might be more compelling to a mainstream audience.

Other commentary: EFF, Ben Wittes, the Director of National Intelligence. I’m curious to watch how this story unfolds in the media.

One final note: I just couldn’t think of a headline more sensationalist than the descriptive one.

Posted on July 9, 2014 at 12:39 PM

US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance

Now we know why the president gave his speech on NSA surveillance last week; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board.

Last week, it issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this.

What frustrates me about all of this—this report, the president’s speech, and so many other things—is that they focus on the bulk collection of cell phone call records. There’s so much more bulk collection going on—phone calls, e-mails, address books, buddy lists, text messages, cell phone location data, financial documents, calendars, etc.—and we really need legislation and court opinions on it all. But because cell phone call records were the first disclosure, they’re what gets the attention.

EDITED TO ADD (1/28): I should add links to yesterday’s story that the NSA is collecting data from leaky smart phone apps.

Posted on January 28, 2014 at 12:39 PM
