May 29, 2017

Archives for January 2004

Dean's Smart-Card Speech

Declan McCullagh at CNet criticizes a speech given by Howard Dean about two years ago, in which Dean called for aggressive adoption of smartcard-based state driver’s licenses and smartcard readers. Declan highlights the privacy-endangering aspects of the smartcard agenda, and paints Dean as a hypocrite for pushing that agenda while positioning himself as pro-privacy.

Larry Lessig (among others) argues that Declan mischaracterized Dean’s speech, and urges people to read the text of Dean’s speech. Others have compared this incident to Declan’s infamous role in manufacturing the “Al Gore claims to have invented the Internet” meme back in 2000.

There is certainly a disconnect between the tone of Declan’s article and that of Dean’s speech. Reading the speech, we see Dean genuflecting properly, and at length, to the importance of privacy. We don’t hear about that in Declan’s article.

But Declan’s omissions aren’t the whole story. The first half of Declan’s piece quotes extensively from Dean’s speech, and it portrays accurately the technical proposal that Dean was endorsing. Declan’s reaction to that technical agenda is not unreasonable. For example, a National Academy study report on national ID technologies took a position closer to Declan’s than to Dean’s.

The fact is that there is a deep disconnect between the different sections of Dean’s speech. It’s hard to reconcile the privacy-is-paramount part of the speech with the smartcards-everywhere part. At least, it’s hard to reconcile them if you really understand the technology. Dean makes a compelling argument that computer security is important, and he makes an equally compelling argument in favor of preserving privacy. But how can we have both? Enter the smartcard as deus ex machina. It sounds good, but unfortunately it’s not a technically sound argument.

Now, nobody expects state governors to understand technology well enough to spot the technical flaws in Dean’s speech. Probably, nobody advising Dean at the time had the knowledge to notice the problem. That’s not good; but it hardly makes Dean unique.

At bottom, what we have here is a mistake by Dean, in deciding to give a speech recommending specific technical steps whose consequences he didn’t fully understand. That’s not good. But on the scale of campaign gaffes, this one seems pretty minor.

[Disclaimer: My longstanding policy is to avoid partisan politics on this blog. I’m commenting on this issue because of my expertise in computer security, and not to make a political point or to urge anyone to vote for or against Dean.]

Was the Senate File Pilfering Criminal?

Some people have argued that the Senate file pilfering could not have violated the law, because the files were reportedly on a shared network drive that was not password-protected. (See, for instance, Jack Shafer’s Slate article.) Assuming those facts, were the accesses unlawful?

Here’s the relevant wording from the Computer Fraud and Abuse Act (18 U.S.C. 1030):

Whoever … intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any department or agency of the United States … shall be punished as provided in subsection (c) …

[T]he term ”exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

To my non-lawyer’s eye, this looks like a judgment call. It seems not to matter that the files were on a shared server or that the staffers may have been entitled to access other files on that server.

The key issue is whether the staffers were “entitled to” access the particular files in question. And this issue, to me at least, doesn’t look clear-cut. The fact that it was easy to access the files isn’t dispositive – “entitled to access” is not the same as “able to access”. (An “able to access” exception would render the provision vacuous – a violation would require someone to access information that they are unable to access.)

The lack of password protection cuts in favor of an entitlement to access, if failure to protect the files is taken to indicate a decision not to protect them, or at least an indifference to whether they were protected. But if the perpetrators knew that the failure to use password protection was a mistake, that would cut against entitlement. The rules and practices of the Senate seem relevant too, but I don’t know much about them.

The bottom line is that unsupported claims that the accesses were obviously lawful, or obviously unlawful, should be taken with a large grain of salt. I’d love to hear the opinion of a lawyer experienced with the CFAA.

(Disclaimer: This post is only about whether the accesses were lawful. Even if lawful, they appear unethical.)

Senate File Pilfering "Extensive"

Charlie Savage reports in today’s Boston Globe:

Republican staff members of the US Senate Judiciary Commitee infiltrated opposition computer files for a year, monitoring secret strategy memos and periodically passing on copies to the media, Senate officials told The Globe.

From the spring of 2002 until at least April 2003, members of the GOP committee staff exploited a computer glitch that allowed them to access restricted Democratic communications without a password. Trolling through hundreds of memos, they were able to read talking points and accounts of private meetings discussing which judicial nominees Democrats would fight – and with what tactics.

We already knew there were unauthorized accesses; the news here is that they were much more extensive than had previously been revealed, and that the results of the snooping were leaked to the media on several occasions.

Committee Chairman Orrin Hatch (a Republican) has strongly condemned the accesses, saying that he is “mortified that this improper, unethical and simply unacceptable breach of confidential files may have occurred on my watch.”

The accesses were possible because of a technician’s error, according to the Globe story:

A technician hired by the new judiciary chairman, Patrick Leahy, Democrat of Vermont, apparently made a mistake [in 2001] that allowed anyone to access newly created accounts on a Judiciary Committee server shared by both parties – even though the accounts were supposed to restrict access only to those with the right password.

An investigation is ongoing. It sounds like the investigators have a pretty good idea who the culprits are. Based on Sen. Hatch’s statement, it’s pretty clear that people will be fired. Criminal charges seem likely as well.

UPDATE (Friday, January 23): Today’s New York Times runs a surprisingly flat story by Neil A. Lewis. The story seems to buy the accused staffer’s lame rationalization of the accesses, and it treats the investigation, rather than the improper acts being investigated, as the main news. The headline even refers, euphemistically, to files that “went astray”. How much of this is sour grapes at being beaten to this story by the Globe?