Privacy, Government, and Business

This week there were two big moments for privacy. First was a court ruling that Apple had to unlock this specific phone in some manner, whether you call it decrypting or creating a backdoor. Second was the fact that Apple, and now Google, have given the state a big middle finger, saying “No!” Both are important because of their gravity. The FBI is using “The All Writs Act”, something from the 18th century that was definitely not written to deal with difficult technological issues involving technology that would appear to be magic to the authors of the act. This is definitely stretching this law to its limits and likely beyond what is realistic, but it sets a precedent, which is dangerous. The second part is important because both of these companies have worked with the government in the past to provide it with data.

While it is great that both of these companies are standing up to the government, it’s not enough. With a limited number of powerful players, it’s only a matter of time before they lose to the government or are threatened in some way that will require them to play ball with the government. On the other hand, smaller companies won’t have the money to fight the government, so even if you want to support a smaller company with privacy as its core value, there is no guarantee that it will be able to follow through. Furthermore, if the government forces a company to rewrite its operating system, as Apple effectively has to do, the company might go bankrupt. With a precedent set by the Apple decision, a small phone company like Silent Circle, with its Blackphone, would be forced to capitulate unless it were able to show that this was unduly burdensome.

The other issue with this case is that businesses are only fighting for what is “right” here because it will help them improve their bottom line. Of course, the people involved are also fighting for their own personal privacy as employees of the company and consumers of its products, but the goal is to improve profitability. Across the world it has been shown that privacy and protection from agencies like the NSA (US) and GCHQ (UK) is something that people are willing to pay for. Apple learned this from BlackBerry during the Arab Spring – they emulated the encryption of BlackBerry Messenger with their iMessage application. This helped transition some of the last hold-outs to Apple and eventually spurred other similar apps.

I believe it is likely that the Electronic Frontier Foundation will be a strong advocate for Apple, so if you want to support Apple in their battle with the government, I recommend donating to the EFF, especially if you don’t support Apple for its other business practices. I know I will.

We know that NSA is hurting tech companies – that’s a good thing

Snowden leaked his documents a year ago. We’ve been getting a slow trickle ever since. However, some of these documents are getting dated, and surely the NSA is doing more stuff than it did in the past. That being said, they are continually being surprised by one newly released document or another. They clearly haven’t figured out the full list of documents that Snowden managed to take. Furthermore, they haven’t learned anything, as they have not changed the techniques that they currently use. The NSA should have systematically shut down every program that could possibly have been leaked and moved on to something different. They haven’t, which means that they don’t really feel they need to change anything unless we force them to acknowledge that they’re doing something Americans (and the rest of the world) don’t want.

Today the guy who founded Netscape (a Silicon Valley venture capitalist) thinks that the fact that Edward Snowden released these documents hurt US technology companies. He thinks that the fact that we now know the US government does bad things with OUR tech companies’ technology before it reaches a customer is hurting our companies. He blames Snowden. This is the most asinine thing I’ve ever heard. Marc Andreessen should be pissed off at the US government and praising Snowden because NOW US tech companies can DO something about it.

This is what a good manager or leader does. They support and acknowledge the person who brought attention to a problem, use them to address the root cause of the problem, and move on to the next problem. This is what Lean process improvement is all about. You NEVER shoot the messenger; you shoot the root cause of the problem, eliminate it, and make sure it never comes back. Saying that Snowden is a traitor because he highlighted the fact that the US government is taking good companies’ work (Cisco) and adding malware is counterproductive. We need to know when anyone, government or otherwise, is intentionally trying to break the internet. I do not believe that Mr. Netscape believes that the person who leaked the Trans-Pacific Partnership is a traitor – when they essentially highlighted a similar problem.

I also believe that labeling Snowden a traitor implicitly removes any blame from those companies that are being harmed by the US government. In many cases those companies have been fully complicit with not just the US government, but “rogue” states (Iran, China, and other oppressive regimes) as well as companies (like Comcast, TWC, etc.) through enabling deep packet inspection (which allows anyone to snoop on anything you do). All of these have to have been enabled by a US technology company. These companies found it to their benefit to do this.

Now other companies, like Google, WordPress, and others, are trying to get around both of these by encrypting their data. I actually suggested this as a tool to get around data caps or fast/slow lanes (if all data is encrypted you can’t slow or speed up traffic). This will inherently force a more net-neutral internet (baffling deep packet inspection) and defeat many of the tools of the NSA.

All of these are good things. We know this because of Snowden. We know that tech companies need to address problems that the NSA and other government agencies have caused. This is a cause for celebration, not condemnation. We need more people like him so that the internet can continue to thrive and be an economic driver. Don’t blame the messenger; if the US government is hurting US tech companies, we need to know so we can stop that from happening.

Protecting the web and user through an Internet Bill of Rights

The guy who helped invent the internet (no, not Al Gore), Tim Berners-Lee, wants a new Magna Carta for the internet. If he were American it’d be a bill of rights or declaration of independence; if he were an anarchist, it’d be a manifesto. This call for a clear set of rules for online/cyberspace is nothing new. The first article was written in 1986 – 3 years before the internet was created. This was when kids were using phones and a few other systems to hack things. The most recent was only a few years ago from an internet website.

Creating these documents is an exercise in futility. We already have a bill of rights in the US that SHOULD be protecting us from the NSA, GCHQ, CIA, and other organizations. These organizations, at least the US ones, should be forbidden from giving information they “accidentally” collect on US citizens to other governments. They do, though. We have secret courts with secret interpretations of laws, and we as citizens have no idea what they are. How is ANOTHER Magna Carta going to help?

There’s absolutely no reason to expect our governments to abide by these new laws when they are flouting the current laws – attempting to undermine existing laws through intentionally narrower interpretations of rulings – in many cases getting slapped on the wrist later for infractions that have been going on for years.

Creating a new bill of rights, Magna Carta, or whatever will not solve the problem. The problem is not the current set of laws, though that doesn’t help; the root cause of the problem is corruption and arrogance.

Now that it’s been uncovered that the CIA hacked Congress’s Intelligence Committee, one that had been defending the NSA, there’s all sorts of kerfuffle. Congress didn’t care, excepting Ron Wyden (and a few others), until they realized that they were just as likely targets as the average Joe.

Most members of Congress are funded through companies and special interest groups. These include companies that support the NSA and other intelligence organizations. If any of those orgs funded any member of Congress on a committee that oversees anything related to intelligence gathering, there’s going to be corruption, regardless of whether it’s quid pro quo or not.

We will never pass a bill of rights for the internet as long as there are potential conflicts of interest (members funded by companies that bills are trying to regulate). We must address corruption before we can hope to have an effective set of rights for the internet or anywhere else.

NSA Bulk Metadata ruled likely unconstitutional

Today was a pretty big day for privacy fans. The NSA’s bulk collection of metadata has been ruled likely unconstitutional. Why is this a big deal? It’s “just” metadata. Well, as the CBS 60 Minutes report showed, the NSA is able to convert that information into a network. Networks show everyone that you talked with and, despite assurances that phone numbers weren’t used, it’s fairly easy to unmask a person in a network based on the network characteristics. I wrote a blog post about this a while back that talked about a paper showing the power of metadata. I think it’s important to reiterate here what that is.

In the article, titled Using Metadata to find Paul Revere, the author explains that by using who talks to whom it is possible to construct a large network, and that it was likely possible to determine the major players of the US Revolutionary War. This used only club membership: not what they talked about, just which groups they were members of and how they were all associated. Based on the metadata, Paul Revere is a pretty central figure and knows a lot of the other leaders of the revolution.
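The kind of analysis described above, as an added example that is not from this post or from the article it cites: group membership alone is projected onto a person-to-person network, and the best-connected person stands out even after names are swapped for opaque tokens. The people, clubs and function names are constructed placeholders, not historical data.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: who belongs to which group. No message content.
MEMBERSHIPS = {
    "person_a": {"club_1", "club_2", "club_3"},
    "person_b": {"club_1"},
    "person_c": {"club_1", "club_2"},
    "person_d": {"club_2"},
    "person_e": {"club_3"},
    "person_f": {"club_3", "club_4"},
    "person_g": {"club_4"},
}

def co_membership(memberships):
    """Project person->group records onto person-person edges.
    Edge weight = number of groups the two people share."""
    by_group = defaultdict(set)
    for person, groups in memberships.items():
        for group in groups:
            by_group[group].add(person)
    weights = defaultdict(int)
    for members in by_group.values():
        for a, b in combinations(sorted(members), 2):
            weights[(a, b)] += 1
    return dict(weights)

def degree_centrality(memberships):
    """Fraction of the other people each person is linked to."""
    linked = {person: set() for person in memberships}
    for a, b in co_membership(memberships):
        linked[a].add(b)
        linked[b].add(a)
    others = len(memberships) - 1
    return {person: len(peers) / others for person, peers in linked.items()}

def pseudonymise(memberships):
    """Swap names for opaque tokens, as a 'no identifiers used' dataset would."""
    names = sorted(memberships, reverse=True)
    return {f"id_{i}": memberships[name] for i, name in enumerate(names)}

def most_central(memberships):
    """Return the person (or token) linked to the most other people."""
    scores = degree_centrality(memberships)
    return max(sorted(scores), key=scores.get)

if __name__ == "__main__":
    print(most_central(MEMBERSHIPS))                # hub by name
    print(most_central(pseudonymise(MEMBERSHIPS)))  # same hub, as a token
```

Renaming the records changes nothing about the structure, which is why removing identifiers from bulk metadata offers little protection on its own.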

The NSA would take this view and say, “See, it could have caught those terrorists back before the revolution!” However, the judge in this case says that the government did not do a sufficient job showing that this actually worked. It is, in fact, likely that the British had some of this membership information but weren’t able to put it to good use. In this case, the judge ruled that the collection of bulk metadata is a violation of the 4th Amendment.

What can we expect next? Well, the ACLU has a very similar case that is being heard. If the judge rules differently, the Supreme Court may need to weigh in to deal with the problem once and for all. Depending on how these cases are dealt with, that could be a good or bad thing.

It is unclear at this point how this will change the conversation in DC; it will likely just lead to more denials from the NSA and White House. They will argue it’s still legal and that they will appeal to the highest court that they can. If they lose this case, it will likely lead to a lot of other questions being asked and possibly calls for impeachment and resignations. I would not be surprised if some of the more extreme on the right call for Obama’s arrest as well.

The other piece that is of interest to me is the question about the companies that have been complicit in sharing our metadata. Are they going to be in the clear or not? In the case of AT&T there was a law that protected them retroactively. I am interested to know if that will also be ruled unconstitutional, as it enabled the government to break the law further than it could have before.

In general this is something really good, but I believe it opens many more questions than it answers about the long term repercussions of this program. I will continue to blog about this topic!

The NSA, FBI, and Internet Security

Over the past few months we’ve learned a lot about how the US government looks at its own citizens. We’ve learned this through the actions of Edward Snowden. He’s done us a great service by forcing a conversation that the NSA and FBI didn’t want us to have. The NSA lied to the Senate recently by claiming that it never tracked US citizens through cell phones. We would never have known about these activities if it wasn’t for Snowden.

Snowden was using email to send information back and forth between himself and Glenn Greenwald. Since email is in one of those fuzzy gray areas of the law around data retention and government access to it, this has caused a bit of a problem. To make things more difficult, Snowden used an encrypted email service called Lavabit. Its encryption was at such a level that when the FBI requested data from it, they were confounded and essentially attempted to blackmail (legally, of course) the owner into handing over the encryption key. This would have effectively rendered the service these people were paying for worthless. They were paying to have their email traffic secured from both public and private entities.

As we hear more and more about how the US government has been behaving towards internet security, we’re learning that the NSA and other US agencies are doing their best to thwart it. They have worked with NIST and weakened the encryption key they developed. The problem with these backdoors is that if it’s there for the “good guys” (whoever that might be) it’s also there for the “bad guys” (whoever that might be). This isn’t just general encryption keys, it’s things that we use every day without realizing it. Whenever we are using any website that includes “https” we are using a basic encryption protocol called SSL. Think about when you’re banking: you see the https. Google now allows you to use this when you send information to and from them. This encryption has also been broken by the NSA. This is our personal stuff, and if it’s broken by the NSA it can be broken by other people. Now does this mean we’re likely to have a rash of new fraud cases or theft cases? No, as it’s been compromised for some time. However, people do know about it now, and this of course is a greater cause for concern.

What can we do about this? Well, first, look into more secure encryption methods. I wouldn’t be surprised if Google and applications like HTTPS Everywhere change their algorithm as a result. Second, contact your representative and your senator. I’m lucky my senator in Oregon (Ron Wyden) is very vocal; not everyone is, so please help inform your leaders. Third, buy from companies that you know haven’t given up data to the NSA, don’t use Facebook and the like, and basically try to follow the great writing that Sean did several months ago over on KBMOD. He nailed it then and it’s even more pressing than before to keep up with security.