April 16, 2014

Ed Felten


How to protect yourself from Heartbleed

The Heartbleed vulnerability is one of the worst Internet security problems we have seen. I’ll be writing more about what we can learn from Heartbleed and the response to it.

For now, here is a quick checklist of what you can do to protect yourself.
[Read more...]


Secure protocols for accountable warrant execution

Last week the press reported that the White House will seek to redesign the NSA’s mass phone call data program, so that data will be held by the phone companies and accessed by the NSA, subject to a new warrant requirement. The Foreign Intelligence Surveillance Court will issue the warrants.

Today Josh Kroll and I, with colleagues at Stanford University, released a draft paper on how to use cryptography to implement warrants to data in a secure, private, and accountable way.
[Read more...]


Algorithms can be more accountable than people

At an academic meeting recently, I was surprised to hear some social scientists accept as obviously correct the claim that involving “algorithms” in decision-making, instead of sticking with good old-fashioned human decision-making, necessarily reduces accountability and increases the risk of bias. I tend to believe the opposite, that making processes algorithmic improves our ability to understand why they give the results they do. Let me explain why.
[Read more...]


Why Dorian Nakamoto Probably Isn’t Satoshi

When Newsweek published its cover story last week claiming to have identified the creator of Bitcoin, I tweeted that I was reserving judgment on their claim, pending more evidence. At this point it looks like they don’t have more evidence to show us—and that Newsweek is probably wrong.
[Read more...]


Understanding Bitcoin’s transaction malleability problem

In recent days, several Bitcoin exchanges have suspended certain kinds of payments due to “transaction malleability” issues. There has been a lot of talk about why this happened, and some finger-pointing. In this post, I will try to unpack what “transaction malleability” is and why it has proven to be a problem for some companies.
[Read more...]


It matters what the NSA does

It seems axiomatic that if we want to have an informed conversation about the legality, ethics, and policy implications of the NSA’s actions, it is useful to know what the NSA is doing. Yet a vocal subset of NSA defenders seem to be taking the contrary position, that information about the agency’s activities serves no public purpose.

Consider Tuesday’s Washington Post op-ed by Mark Thiessen. He argues that information about the NSA’s activities is just “espionage porn:”

As President Obama prepared to address the nation on surveillance, the New York Times revealed that the National Security Agency (NSA) has developed the capability to access computers that are not connected to the Internet. According to the Times, based on classified documents obtained from Edward Snowden, the NSA uses “a covert channel of radio waves that can be transmitted from tiny circuit boards and USB cards inserted surreptitiously into . . . computers” or in some cases “a briefcase-size relay station that intelligence agencies can set up miles away from the target.”

Evidence of another NSA plot to spy on Americans? Not at all. The Times reports, “There is no evidence that the N.S.A. has implanted its software or used its radio frequency technology inside the United States.” And the NSA confirmed that the “N.S.A.’s activities are focused and specifically deployed against — and only against — valid foreign intelligence targets.”

In other words, this (no longer) secret program poses precisely zero threat to American civil liberties.

So what is the redeeming social value of the Times’ story? What “abuse” is being revealed? Why is this something the public needs to know?

The answers are: None. None. And it isn’t.

Thiessen seems unaware that the Times was not the first to report on this capability—a German publication, Spiegel, had already published much more detailed information including the so-called “Spy Mall Catalog” detailing specific NSA “implant” technologies used for these attacks.

And of course it has been known for a long time that, even without any secretly implanted antennas, computers disconnected from the network can radiate information over a considerable distance. There are entire book chapters devoted to this, and the NSA itself has released non-classified articles about it.

Our adversaries surely knew all of this, even if DC pundits did not.

But even if this information was previously unknown, it would still have implications for the public debate. As Steve Vladeck argues, the NSA debate is not just about the legality of the agency’s actions, but also about whether they are good public policy—which surely depends at least in part on how they affect people internationally, especially our allies.

Of course, there might be a good argument in a specific case that publication of certain facts would cause national security harm that outweighs the benefit to public debate. Sanger and the Times have said that they will withhold facts if they believe this is the case. But Thiessen’s argument is not just that there is more weight on the national security side of the scale—he is arguing that there is nothing at all on the public debate side. “None.”

There is another subtext in the “espionage porn” argument that bears discussion: the label tends to get thrown at information that is technical in nature. The DC debate, which is dominated by lawyers, has no trouble accepting the relevance of every last detail of the statutory history of Section 215 or the wording of opinions in U.S. v. Jones. Yet somehow the facts about what the NSA is actually doing are seen as peripheral, if those facts involve technology.

Technical facts are not “porn.” They are more like an MRI—information about the patient’s body, yes, but information you need to get if you care about the patient’s health.


NSA call data analysis: inside or outside government?

Last week the President suggested that the NSA’s database of phone call data be stored outside the government, and he asked his Administration to study how this could be done. Today I’d like to start unpacking the options.
[Read more...]


Can Washington re-architect the NSA phone data program?

In the President’s NSA reform speech last week, he called for a study of how to re-architect the NSA’s phone call data program, to change where the data is stored. This raises a bunch of interesting computer science questions, which I’m planning to explore in a series of posts here.
[Read more...]


Top Tech Policy Stories of 2013

As the year draws to a close, it’s time to review the top tech policy stories of 2013.

(1) NSA Surveillance. The most important story by far was the revelations about the scope and scale of surveillance by the U.S. National Security Agency and allied services. It took a major leak of documents by Edward Snowden to enable this conversation. Those of us in the independent security community were not suprised that the NSA had these capabilities in the abstract, but we were surprised at the scale and aggressiveness with which the agency has been eavesdropping on people all around the world, and even on Americans on U.S. soil. Snowden’s documents allowed us to push past the superficial denials, quasi-denials, and occasional lies that had shielded the agency’s practices for years. The implications of this story will take years to unfold.

(2) Aaron Swartz. Aaron’s death at the beginning of the year was a kick in the gut to many of us. We lost a thoughtful and talented activist who saw the best that technology could enable, due to an overzealous prosecutor wielding overly harsh laws, enabled by Aaron’s own bad judgement. If any good came from this tragedy, it was in the soul-searching at MIT and elsewhere about how to reconcile technical creativity with the desires of an increasingly powerful state.

(3) Bitcoin. The cryptocurrency hit the mainstream this year, with governments, investors, and academics all trying to understand its dynamics and implications. This story too will take years to unfold. Whether or not Bitcoin survives in the long run, it has opened the door to a new era of technically enabled currencies.

(4) Drones and robots. From drones to self-driving cars, this is an issue that began to hit the mainstream in 2013. Expect it to move higher on the list in upcoming years.

(5) 3-D printing. A bit farther from the mainstream policy discussion, but also likely to rise on the list as the technology continues to mature.

(6) Commercial privacy. Although it was pushed down the list by the attention lavished on government intrusions on privacy, the issues around commercial data collection continued a slow boil this year.

(7) Fairness and algorithms. Concern increased about the effect of complex data-driven algorithms on people, especially around fairness issues such as the thin line between personalization and redlining, and questions of digital due process.

(8) Cell phone unlocking. Consumers insisted on the ability to unlock their phones, and the policy community listened. The big question going forward is whether this is the beginning of a trend away from regulating consumers’ use of the technologies they have purchased.

(9) The TPP process and trade negotiations generally. Pressure mounted on the U.S. government to provide some transparency into the Trans Pacific Partnership negotiations, and more generally to be more open about trade negotiations and to refrain from using trade agreements as a backdoor path to creating new restrictive intellectual property laws.