February 8, 2023

Archives for February 2012

The New Ambiguity of "Open Government"

David Robinson and I have just released a draft paper—The New Ambiguity of “Open Government”—that describes, and tries to help solve, a key problem in recent discussions around online transparency. As the paper explains, the phrase “open government” has become ambiguous in a way that makes life harder for both advocates and policymakers, by combining the politics of transparency with the technologies of open data. We propose using new terminology that is politically neutral: the word adaptable to describe desirable features of data (and the word inert to describe their absence), separately from descriptions of the governments that use these technologies.

Clearer language will serve everyone well, and we hope this paper will spark a conversation among those who focus on civic transparency and innovation. Thanks to Justin Grimes and Josh Tauberer, for their helpful insight and discussions as we drafted this paper.

Download the full paper here.


“Open government” used to carry a hard political edge: it referred to politically sensitive disclosures of government information. The phrase was first used in the 1950s, in the debates leading up to passage of the Freedom of Information Act. But over the last few years, that traditional meaning has blurred, and has shifted toward technology.

Open technologies involve sharing data over the Internet, and all kinds of governments can use them, for all kinds of reasons. Recent public policies have stretched the label “open government” to reach any public sector use of these technologies. Thus, “open government data” might refer to data that makes the government as a whole more open (that is, more transparent), but might equally well refer to politically neutral public sector disclosures that are easy to reuse, but that may have nothing to do with public accountability. Today a regime can call itself “open” if it builds the right kind of web site—even if it does not become more accountable or transparent. This shift in vocabulary makes it harder for policymakers and activists to articulate clear priorities and make cogent demands.

This essay proposes a more useful way for participants on all sides to frame the debate: We separate the politics of open government from the technologies of open data. Technology can make public information more adaptable, empowering third parties to contribute in exciting new ways across many aspects of civic life. But technological enhancements will not resolve debates about the best priorities for civic life, and enhancements to government services are no substitute for public accountability.

New research: There's no need to panic over factorable keys–just mind your Ps and Qs

You may have seen the preprint posted today by Lenstra et al. about entropy problems in public keys. Zakir Durumeric, Eric Wustrow, Alex Halderman, and I have been waiting to talk about some similar results. We will be publishing a full paper after the relevant manufacturers have been notified. Meanwhile, we’d like to give a more complete explanation of what’s really going on.

We have been able to remotely compromise about 0.4% of all the public keys used for SSL web site security. The keys we were able to compromise were generated incorrectly–using predictable “random” numbers that were sometimes repeated. There were two kinds of problems: keys that were generated with predictable randomness, and a subset of these, where the lack of randomness allows a remote attacker to efficiently factor the public key and obtain the private key. With the private key, an attacker can impersonate a web site or possibly decrypt encrypted traffic to that web site. We’ve developed a tool that can factor these keys and give us the private keys to all the hosts vulnerable to this attack on the Internet in only a few hours.

However, there’s no need to panic as this problem mainly affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers. (It’s certainly not, as suggested in the New York Times, any reason to have diminished confidence in the security of web-based commerce.) Unfortunately, we’ve found vulnerable devices from nearly every major manufacturer and we suspect that more than 200,000 devices, representing 4.1% of the SSL keys in our dataset, were generated with poor entropy. Any weak keys found to be generated by a device suggests that the entire class of devices may be vulnerable upon further analysis.

We’re not going to announce every device we think is vulnerable until we’ve contacted their manufacturers, but the attack is fairly easy to reproduce from material already known. That’s why we are working on putting up a web site that you can use to determine whether your device is immediately vulnerable.

Read on for more details, and watch for our full paper soon.

IEEE blows it on the Security & Privacy copyright agreement

Last June, I wrote about the decision at the business meeting of IEEE Security & Privacy to adopt the USENIX copyright policy, wherein authors grant a right for the conference to publish the paper and warrant that they actually wrote it, but otherwise the work in question is unquestionably the property of the authors. As I recall, there were only two dissenting votes in a room that was otherwise unanimously in favor of the motion.

Fast forward to the present. The IEEE Security & Privacy program committee, on which I served, has notified the authors of which papers have been accepted or rejected. Final camera-ready copies will be due soon, but we’ve got a twist. They’ve published the new license that authors will be expected to sign. Go read it.

The IEEE’s new “experimental delayed-open-access” licensing agreement for IEEE Security & Privacy goes very much against the vote last year of the S&P business meeting, bearing only a superficial resemblance to the USENIX policy we voted to adopt. While both policies give a period of exclusive distribution rights to the conference (12 months for USENIX, 18 months for IEEE), the devil is in the details.

For the IEEE, authors must assign “a temporary joint and undivided ownership right and interest in all copyright rights” to the IEEE, giving the IEEE an exclusive to distribute the paper for 18 months. Thereafter, the license “expires.”

Those quotation marks around “expires” are essential, because there’s language saying “IEEE shall nonetheless retain the sole and exclusive right to archive the Work in perpetuity” which sounds an awful lot to me like they’re saying that the agreement doesn’t actually expire at all. It just moves into a second phase. For contrast, USENIX merely retains a non-exclusive right to continue distributing the paper. That’s an essential difference.

There are some numbered carve-outs in the IEEE contract that seem to allow you to post your manuscript to your personal web page or institutional library page, but not to arXiv or anything else. (What if arXiv were to offer me a “personal home page service?” Unclear how this license would deal with it.) This restriction appears to apply in both the initial 18 month phase and the “in perpetuity” phase.

My conclusion: authors of papers accepted to IEEE Security & Privacy should flatly refuse to sign this. I don’t have a paper of my own that’s appearing this year at S&P, but if I did, I’d send them a signed copy of the USENIX agreement. That’s what the members agreed upon.

Disclosure: I am currently running for the board of directors of the USENIX Association. That’s because I like USENIX. Of all the venues where I publish, USENIX has been the most willing to break with traditional publishing models, and my platform in running for USENIX is to push this even further. Getting ACM and IEEE caught up to USENIX is a separate battle.