April 16, 2014


Oral arguments in NJ voting-machines lawsuit appeal

The appellate hearing (oral argument) of the New Jersey voting-machines lawsuit (Gusciora v. Christie) has been rescheduled to March 5, 2013 in Trenton, NJ.

To learn what this is all about, and why you should attend, click here.

To recheck the location, time of day, and date of the hearing before you go down to Trenton, check this very post for updates.

Note new time!

Time:  10:00 a.m. 11:30 a.m., March 5, 2013  (but arrive significantly earlier, because it takes some time to get through security).

Place:  8th Floor, N. Wing, Hughes Justice Complex, Trenton, NJ.   Specifically,  Part E: Judges Messano, Ostrer and Lihotz.

Transportation:  If anyone from the Princeton area is interested in carpooling, send me mail.


Are genomes “anonymous data”?

Recently researchers showed that an unknown person’s genome (i.e., the genetic information stored in their DNA) can often be linked to their identity. The researchers made the link using the genome plus some publicly available information. Just as interesting as the result itself is the way that people talked about it. As an example, here’s the opening paragraph of Gina Kolata’s New York Times story:

The genetic data posted online seemed perfectly anonymous — strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had no part in the study — identifying nearly 50 people.

Why would a genome “seem[] perfectly anonymous”? The genome is almost certainly unique to one person. So at the very least, the genome is a pseudonym. But of course the genome is also correlated with all sorts of physical characteristics of the person that are visible. And police use DNA evidence (parts of a genome) to identify people all the time. That’s hardly anonymous.


Personal Democracy Robots?

A few weeks ago I wrote a post for Slate arguing that it is time to consider developing—and maybe even using—democracy robots on Twitter.  Preprogrammed messages released on a strategic schedule could have an impact on public opinion in sensitive moments for an authoritarian regime.  The EFF’s eloquent Jillian York retorted “let’s not”.

In short, I argued that the other side is using social media armies and bots in their campaigns to manipulate the opinion of their publics, diasporas overseas, and even international opinion.  Since authoritarian governments are investing in such technologies, D-bots could be an important part of a systematic response from the democracies that want to promote democracy.

Most of these crafty bots generate inane commentary and try to sell stuff, but some are given political tasks. For example, pro-Chinese bots have clogged Twitter conversations about the conflict in Tibet. In Mexico’s recent presidential election, the political parties played with campaign bots on Twitter. And even an aspiring parliamentarian in Britain turned to bots to appear popular on social media during his campaign. Furthermore, the Chinese, Iranian, Russian, and Venezuelan governments employ their own social media experts and pay small amounts of money to large numbers of people (“50 cent armies”) to generate pro-government messages, if inefficiently.



FCC Open Internet Advisory Committee Progress

Earlier this year, I wrote about the launch of the Open Internet Advisory Committee (OIAC). The committee’s mandate is to “track and evaluate the effect of the FCC’s Open Internet rules, and to provide any recommendations it deems appropriate to the FCC regarding policies and practices related to preserving the open Internet.” I’m chairing the group looking at the unique issues in Mobile Broadband networks. Our group just issued its first report, a case study about AT&T’s handling of Apple’s FaceTime application:

AT&T/FaceTime Case Study
Mobile Broadband Working Group, Open Internet Advisory Committee, Federal Communications Commission

I spoke about the progress of our working group, and about the open Internet issues facing mobile broadband networks more generally, here at Princeton as part of CITP’s luncheon series on December 13th: “Open Internet Challenges in Mobile Broadband Networks”. See the video below:


Announcing the Aaron Swartz Memorial Grants

Last week, our community lost Aaron Swartz. We are still reeling. Aaron was a fighter for openness and freedom, and many people have been channeling their grief into positive actions for causes that were close to Aaron’s heart. One of these people is Aaron Greenspan, creator of the open-data site Plainsite and the Think Computer Foundation. Together, we have established a generous set of grants to be awarded to the first person (or group) that develops the following upgrades to RECAP, our court record liberation system. RECAP would not exist without the work of Aaron Swartz.

Three grants are being made available related to RECAP. Each grant is worth $5,000.00:

  1. Grant 1: Develop and release a version of RECAP for the Google Chrome browser that matches the current Firefox browser extension functionality

  2. Grant 2: Develop and release a version of RECAP for Internet Explorer that matches the current Firefox browser extension functionality

  3. Grant 3: Update the Firefox browser extension to capture appellate court documents, and update the RECAP server code to parse them and respond appropriately to browser extension requests

For more details, see The Aaron Swartz Memorial Grants. If you are interested, you must register by the end of January.

We are honored to be part of one of the many projects being undertaken in Aaron Swartz’s honor.


Grieving Aaron Swartz

Aaron took his life yesterday. The world has lost a good soul. Aaron was brilliant, inventive, generous, and passionate. The intense pressure on Aaron was unfair, and it was a direct result of his well-intentioned fight to make the world a better place. I feel sad, angry, and even guilty. Experts will tell you that these emotions are natural in the case of suicide. They are also very real.

Those of you unfamiliar with Aaron Swartz should read Tim Lee’s article, “Internet pioneer and information activist takes his own life”. Memorials and responses are spreading across the web. Cory Doctorow offers his memories and admiration. Larry Lessig expresses his sadness and anger. James Grimmelmann remembers Aaron’s incredible passion, wit, and ingenuity. Hundreds of others are posting about Aaron, and the community of people that he touched is wrestling with it all. His family and partner have posted an official statement.

I was not one of Aaron’s close friends, but for what it’s worth I’ll offer some reflections: my memories of Aaron, my experience with suicide, and my thoughts on the perverse policy and politics that weighed on him. If the last seems inappropriate right now, I would argue that Aaron–of all people–would have wanted this to be discussed.


How the Nokia Browser Decrypts SSL Traffic: A “Man in the Client”

Over the past couple of days there has been some press coverage over security researcher Gaurang Pandya’s report that the browser on his Nokia phone was sending all of his traffic to Nokia proxy servers, including his HTTPS traffic. The disturbing part of his report was evidence that Nokia is not just proxying, but actually decrypting the HTTPS traffic. Nokia replied with a statement (in the comments section of Pandya’s blog post, and to several news outlets):

We take the privacy and security of our consumers and their data very seriously. The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans. Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.

Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.

We aim to be completely transparent on privacy practices. As part of our policy of continuous improvement we will review the information provided in the mobile client in case this can be improved.

You can find out more about Nokia’s privacy practices at http://www.nokia.com/privacy.

So, it turns out that Pandya was correct: Nokia is decrypting SSL traffic in their proxy servers. This is not disclosed in their privacy policy, and the somewhat vague assurance of things being done “in a secure manner” is not entirely comforting. Beyond that, the statement gave some other interesting clues. One clue was that this is a feature of the Nokia Xpress Browser, an app that is available for the popular Nokia Lumia phones that run Windows Phone 8. These phones are available from the major US carriers, whereas Pandya’s phone (the Asha) is mostly sold abroad. So I tracked down a Lumia phone, installed Nokia Xpress, and did my own investigation. Results after the jump.



Predictions for 2013

After a year’s hiatus, our annual predictions post is back! As usual, these predictions reflect the results of brainstorming among many affiliates and friends of the blog, so you should not attribute any prediction to any individual (including me–I’m just the scribe). Without further ado, the tech policy predictions for 2013:



Turktrust Certificate Authority Errors Demonstrate The Risk of “Subordinate” Certificates

Update: More details have continued to come out, and I think that they generally support the less-paranoid version of events. There continues to be discussion on the mozilla.dev.security.policy list, Turktrust has given more details, and Mozilla has just opened up for public viewing their own detailed internal response documentation (including copies of all of the certs in question). None of this changes the fundamental riskiness of subordinate certificates, or the improvements that should be made to the CA system. It just means that in this case, the failure didn’t progress to a full-blown meltdown.

Today, the public learned of another failure by a Certificate Authority–one of the companies that certifies SSL-encryption for our internet communications. (See the end of this post for a catalogue of our past writing on problems with this “CA” system.) This time, the company Turktrust was revealed to have issued two subordinate certificates (also known as “intermediate” certificates) to entities that should not have had them. Subordinate certificates are very powerful. They give the holder the ability to issue SSL certificates for any domain name as though they have control of the parent CA’s “root” certificate. In this case, Google discovered that one of Turktrust’s previously undisclosed subordinate certificates had issued SSL certificates for the domain gmail.com, and that these certificates had been used to intercept Gmail users’ traffic… somewhere. This is where the details get foggy, but Turktrust has begun to describe their version of events.

There is a less paranoid and a more paranoid way of interpreting what happened.



Report on the NSF “Secure and Trustworthy Cyberspace” PI meeting

The National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Principal Investigator Meeting (whew!) took place Nov. 27-29, 2012, at the Gaylord Hotel just outside Washington, DC.  The SaTC program is NSF’s flagship for cybersecurity research, although it certainly isn’t the only NSF funding in this area.  The purpose of this blog posting is to tell a bit about the event.  While I’m one of the NSF program officers for SaTC, the following reflects my opinions, and does not necessarily speak for NSF.  The program for the event was organized by Carl Landwehr and Lance Hoffman from George Washington University (with help from other people mentioned below), and logistics were handled by the Annapolis, MD, office of Vanderbilt University.  I was the cat herder, but all the credit goes to the GWU, Vanderbilt, and other organizers.