October 12, 2024

Google Attacks Highlight the Importance of Surveillance Transparency

Ed posted yesterday about Google’s bombshell announcement that it is considering pulling out of China in the wake of a sophisticated attack on its infrastructure. People more knowledgeable than me about China have weighed in on the announcement’s implications for the future of US-Sino relations and the evolution of the Chinese Internet. Rebecca MacKinnon, a China expert who will be a CITP visiting scholar beginning next month, says that “Google has taken a bold step onto the right side of history.” She has a roundup of Chinese reactions here.

One aspect of Google’s post that hasn’t received a lot of attention is Google’s statement that “only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.” A plausible explanation for this is provided by this article (via James Grimmelmann) at PC World:

Drummond said that the hackers never got into Gmail accounts via the Google hack, but they did manage to get some “account information (such as the date the account was created) and subject line.”

That’s because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press.

Obviously, this report should be taken with a grain of salt since it’s based on a single anonymous source. But it fits a pattern identified by our own Jen Rexford and her co-authors in an excellent 2007 paper: when communications systems are changed to make it easier for US authorities to conduct surveillance, it necessarily increases the vulnerability of those systems to attacks by other parties, including foreign governments.

Rexford and her co-authors point to a 2006 incident in which unknown parties exploited vulnerabilities in Vodafone’s network to tap the phones of dozens of senior Greek government officials. According to news reports, these attacks were made possible because Greek telecommunications carriers had deployed equipment with built-in surveillance capabilities, but had not paid the equipment vendor, Ericsson, to activate this “feature.” This left the equipment in a vulnerable state. The attackers surreptitiously switched on the surveillance capabilities and used them to intercept the communications of senior government officials.

It shouldn’t surprise us that systems built to give law enforcement access to private communications could become vectors for malicious attacks. First, these interfaces are often backwaters in the system design. The success of any consumer product is going to depend on its popularity with customers. Therefore, a vendor or network provider is going to deploy its talented engineers to work on the public-facing parts of the product. It is likely to assign a smaller team of less-talented engineers to work on the law-enforcement interface, which is likely to be both less technically interesting and less crucial to the company’s bottom line.

Second, the security model of a law enforcement interface is likely to be more complex and less well-specified than the user-facing parts of the service. For the mainstream product, the security goal is simple: the customer should be able to access his or her own data and no one else’s. In contrast, determining which law enforcement officials are entitled to which information, and how those officials are to be authenticated, can become quite complex. Greater complexity means a higher likelihood of mistakes.
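To make that contrast concrete, here is an added example (not code from the original post, and not any provider’s real interface) that puts the two security models side by side in Python. The consumer-facing rule is a single owner comparison. The hypothetical lawful-access rule has to check the requester’s authentication, the agency’s entitlement, the warrant’s target, its field scope (account information and subject lines, say, but not message content), and its validity period, and it records every request in an audit trail so that unusual use of the interface can be reviewed. All names, fields, agencies and sample records are constructed for illustration.

```python
"""Constructed illustration of two security models, side by side.

consumer_can_read() is the user-facing rule: one comparison.
lawful_access_check() is a hypothetical warrant-based rule with six
independent conditions plus an audit trail. Every extra condition is a
place for an implementation mistake, and nothing here is the real
interface of any provider.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


# --- consumer-facing model: a customer reads only their own mailbox ---

def consumer_can_read(requesting_user: str, mailbox_owner: str) -> bool:
    """The whole security goal of the mainstream product in one line."""
    return requesting_user == mailbox_owner


# --- hypothetical lawful-access model (all names and fields are made up) ---

@dataclass(frozen=True)
class Warrant:
    warrant_id: str
    target_account: str
    allowed_fields: FrozenSet[str]   # e.g. {"account_info", "subject_line"}
    valid_from: date
    valid_until: date


@dataclass(frozen=True)
class Official:
    official_id: str
    agency: str
    authenticated: bool              # outcome of the credential check


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


# Sample policy: only these (constructed) agencies may present warrants.
AUTHORIZED_AGENCIES = frozenset({"agency-A", "agency-B"})

# Every request, allowed or denied, is recorded so that unusual use of
# the interface can be reviewed later.
AUDIT_LOG: List[dict] = []


def lawful_access_check(official: Official, warrant: Optional[Warrant],
                        account: str, field_requested: str,
                        today: date) -> AccessDecision:
    """Return an AccessDecision; each 'if' is one condition that must hold."""
    def decide(allowed: bool, reason: str) -> AccessDecision:
        AUDIT_LOG.append({
            "official": official.official_id,
            "agency": official.agency,
            "warrant": warrant.warrant_id if warrant else None,
            "account": account,
            "field": field_requested,
            "allowed": allowed,
            "reason": reason,
        })
        return AccessDecision(allowed, reason)

    if not official.authenticated:
        return decide(False, "requester not authenticated")
    if official.agency not in AUTHORIZED_AGENCIES:
        return decide(False, "agency not authorized")
    if warrant is None:
        return decide(False, "no warrant presented")
    if warrant.target_account != account:
        return decide(False, "warrant names a different account")
    if field_requested not in warrant.allowed_fields:
        return decide(False, "field outside warrant scope")
    if not (warrant.valid_from <= today <= warrant.valid_until):
        return decide(False, "warrant not in force")
    return decide(True, "all conditions satisfied")


def denied_requests(log: List[dict]) -> List[dict]:
    """Filter the audit trail for denials, the entries worth reviewing."""
    return [entry for entry in log if not entry["allowed"]]


def sample_scenario() -> List[AccessDecision]:
    """Constructed sample: a metadata-only warrant and four requests."""
    account = "target@example.invalid"
    warrant = Warrant("W-0001", account,
                      frozenset({"account_info", "subject_line"}),
                      date(2010, 1, 1), date(2010, 1, 31))
    officer = Official("officer-17", "agency-A", authenticated=True)
    stranger = Official("unknown-1", "agency-A", authenticated=False)
    return [
        lawful_access_check(officer, warrant, account, "subject_line", date(2010, 1, 15)),
        lawful_access_check(officer, warrant, account, "content", date(2010, 1, 15)),
        lawful_access_check(officer, warrant, account, "subject_line", date(2010, 2, 1)),
        lawful_access_check(stranger, warrant, account, "subject_line", date(2010, 1, 15)),
    ]


if __name__ == "__main__":
    for decision in sample_scenario():
        print(decision)
    print(len(denied_requests(AUDIT_LOG)), "denials logged")
```

The point of the side-by-side is the shape of the code, not the particular checks: the consumer rule has one way to be wrong, while the lawful-access rule has six conditions, an ordering between them, and a log whose completeness matters, and a flaw in any of them is invisible to outside reviewers if the interface is private.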

Finally, the public-facing portions of a consumer product benefit from free security audits from “white hat” security experts like our own Bill Zeller. If a publicly-facing website, cell phone network or other consumer product has a security vulnerability, the company is likely to hear about the problem first from a non-malicious source. This means that at least the most obvious security problems will be noticed and fixed quickly, before the bad guys have a chance to exploit them. In contrast, if an interface is shrouded in secrecy, and only accessible to law enforcement officials, then even obvious security vulnerabilities are likely to go unnoticed and unfixed. Such an interface will be a target-rich environment if a malicious hacker ever does get the opportunity to attack it.

This is an added reason to insist on rigorous public and judicial oversight of our domestic surveillance capabilities in the United States. There has been a recent trend, cemented by the 2008 FISA Amendments, toward law enforcement and intelligence agencies conducting eavesdropping without meaningful judicial (to say nothing of public) scrutiny. Last month, Chris Soghoian uncovered new evidence suggesting that government agencies are collecting much more private information than has been publicly disclosed. Many people, myself included, oppose this expansion of domestic surveillance on civil liberties grounds. But even if you’re unmoved by those arguments, you should still be concerned about these developments on national security grounds.

As long as these eavesdropping systems are shrouded in secrecy, there’s no way for “white hat” security experts to even begin evaluating them for potential security risks. And that, in turn, means that voters and policymakers will be operating in the dark. Programs that risk exposing our communications systems to the bad guys won’t be identified and shut down. Which means the culture of secrecy that increasingly surrounds our government’s domestic spying programs not only undermines the rule of law, it’s a danger to national security as well.

Update: Props to my colleague Julian Sanchez, who made the same observation 24 hours ahead of me.

Google Threatens to Leave China

The big news today is Google’s carefully worded statement changing its policy toward China. Up to now, Google has run a China-specific site, google.cn, which censors results consistent with the demands of the Chinese government. Google now says it plans to offer only unfiltered service to Chinese customers. Presumably the Chinese government will not allow this and will respond by setting the Great Firewall to block Google. Google says it is willing to close its China offices (three offices, with several hundred employees, according to a Google spokesman) if necessary.

This looks like a significant turning point in relations between U.S. companies and the Chinese government.

Before announcing the policy change, the statement discusses a series of cyberattacks against Google which sought access to Google-hosted accounts of Chinese dissidents. Indeed, most of the statement is about the attacks, with the policy change tacked on the end.

Though the statement adopts a measured tone, it’s hard to escape the conclusion that Google is angry, presumably because it knows or strongly suspects that the Chinese government is responsible for the attacks. Perhaps there are other details, which aren’t public at this time, that further explain Google’s reaction.

Or maybe the attacks are just the straw that broke the camel’s back — that Google had already concluded that the costs of engagement in China were higher than expected, and the revenue lower.

Either way, the Chinese are unlikely to back down from this kind of challenge. Expect the Chinese government, backed by domestic public opinion, to react with defiance. Already the Chinese search engine Baidu has issued a statement fanning the flames.

We’ll see over the coming days and weeks how the other U.S. Internet companies react. It will be interesting, too, to see how the U.S. government reacts — it can’t be happy with the attacks, but how far will the White House be willing to go?

Please, chime in with your own opinions.

[UPDATE (Jan. 13): I struck the sentence about Baidu’s statement, because I now have reason to believe the translated statement I saw may not be genuine.]

Cyber Détente Part I: A Security Dilemma?

Late last year the Obama administration reopened talks with Russia over the militarization of cyberspace and assented to cybersecurity discussion in the United Nations First Committee (Disarmament and National Security). My intention in this three-part series is to probe Russian and American foreign policy on cyberwarfare and advance the thesis that the Russians are negotiating for specific strategic or diplomatic gains, while the Americans are primarily procedurally invested owing to the “reset” in Russian relations and changing perceptions of cyberwarfare.

This first post rebuts the Russians’ purported rationale for talks: avoiding a security dilemma.

——————————

The Russians seek a cyberwarfare arms control instrument ostensibly to avoid a security dilemma and arms race, in the vein of past arrangements for nuclear weapons (e.g. SALT I/II, START I/II, and SORT) and anti-ballistic missile technology (ABM), among others. This basis for negotiations does not withstand scrutiny.

A security dilemma may arise where a state has the opportunity to develop a game-changing new weapons system, even if for purely defensive purposes. For fear of strategic disadvantage other powers may elect to develop the weapon – an arms race – resulting in none gaining a strategic advantage and all bearing a significant cost. Alternatively, technologically incapable of matching or unable to afford the development, other states may take destabilizing offensive steps. Arms control treaties resolve this form of security dilemma by committing states to not developing certain weapons.

Cyberwarfare lacks necessary elements of a security dilemma. First and foremost, cyberwarfare capabilities defy quantification. Consider the Cold War nuclear arms race, for example, and the strategic fixation on differences in the number and type of nuclear warheads and delivery systems (the “missile gap”). In the absence of such a metric the two powers have no means of calibrating their activities, and there is no persistent pressure to match or surpass some specific capability the other side maintains.

Intelligence might give each power a rough indication of the other’s cyberwarfare capabilities, but it will be harder to come by than for other military operations. Unlike with other weapons systems, cyberwarfare does not require special installations or resources. There are no centrifuge sites to inspect or uranium shipments to track – just talented programmers and generic computer hardware.

A related issue is that a successful arms control agreement on cyberwarfare would require monitoring and enforcement provisions (“trust but verify”). But as discussed above intelligence on cyberwar capabilities will be harder to come by than for other weapons systems. The Biological Weapons Convention is illustrative of how ineffective an arms control treaty may be without effective monitoring: until a 1989 defection the West was unaware of the scope of Russia’s secret biological weapons program.

Supposing, arguendo, that cyberwarfare capabilities did form an avoidable security dilemma, the negative results that make a security dilemma worth avoiding – excessive expenditures and destabilization – do not arise.

Cyberwarfare is cheap. Developing the F-22 aircraft, for example, cost roughly $65 billion; the annual Air Force cyberspace budget, on the other hand, appears in the low billions and consists primarily of personnel and basing expenditures (Strategic Command Press Release; FY2010 budget).

As for destabilization, there is minimal marginal strategic gain from cyberwarfare capabilities. In the Cold War nuclear arms race there was a perception that if the other side achieved even a slight advantage the bipolar strategic equilibrium would collapse. Cyberwarfare is neither perceived to be – nor is it, in actuality – so effective on the margin. While specific capabilities are not public, it is difficult to imagine cyberattacks will be consistently more effective than conventional strikes. Moreover, given the United States’ enormous strategic advantages on the whole, even significant marginal strategic gains would do little to tip the balance of power to Russia.

Having deconstructed the alleged Russian rationale for talks, the next post in this series will explore alternate viable Russian rationales.

TV Everywhere: Collusion Anywhere?

FreePress and the National Cable and Telecom Association (NCTA) are talking past each other about TV Everywhere, a new initiative from the cable TV industry. FreePress says TV Everywhere is the cable industry’s collusive attempt to limit competition; the NCTA says it’s an exciting new product opportunity for consumers. Let’s unpack this issue and see who might have a point, and who is blowing smoke.

We’re at a critical point in the history of television. In recent years, most people have gotten TV shows from a traditional cable or satellite service. Now more and more people are getting shows on the Internet. Cable companies need to adapt, somehow, or become dinosaurs.

Which brings us to TV Everywhere. The idea, according to the NCTA, is for cable companies to offer their residential subscribers online access to the same shows they get at home. Existing consumers get more, at no extra charge — who would complain about that? — but only if they keep buying traditional cable service.

FreePress tells a different story, in which cable industry companies have agreed among themselves that this is their sole Internet distribution strategy. If such an agreement exists, it is problematic — it looks like a classic market division agreement, which is bad for consumers and (as I understand it) presumptively illegal.

To understand why this would be bad, consider an analogy. Suppose there are only two pizza restaurants in Princeton, Alice’s Pizza and Bob’s Pizza, and neither one offers home delivery. Customers want delivery, so both restaurants are considering how to provide it. Alice and Bob meet, and they agree that Alice’s will only deliver to customers east of Nassau Street, and Bob’s will only deliver to customers west of Nassau Street. Alice and Bob have divided the market. Customers suffer because of the lack of competition.

Now obviously Alice and Bob are free to set reasonable limits on where they will deliver. Some customers may be too far away, or too difficult to deliver to for some reason. But customers would rightly complain if Alice and Bob agreed to divide the market. Even if we didn’t have smoking-gun evidence of an agreement, there might be very strong circumstantial evidence, for example if Alice offered to deliver to places five miles away while refusing to deliver to homes directly across the street from her Nassau Street restaurant, or if Alice and Bob’s restaurants were right next to each other but had totally disjoint delivery areas.

Notice too that Alice and Bob can’t get off the hook by pointing out that they are offering a new service — delivery — that they had never offered before. The problem is not that they are offering a new service, but that they have agreed not to offer certain other services.

How does this analogy apply to cable TV? Alice and Bob are like the cable companies, which are considering expanding beyond their traditional service. Home delivery of pizza is like Internet delivery of TV shows. As the cable industry expands to offer TV shows on the Internet, are they open to competing against each other, or have they agreed not to do so? If the cable companies have made an agreement to offer online TV shows only to their own residential customers, that looks like an agreement to divide the market — each company will be offering its product only in the limited geographic areas where it has a cable TV license.

So the key question — really the only one that matters, as far as I can see — is whether the cable companies have agreed not to compete. FreePress says, or strongly implies, that there is such an agreement. NCTA says there is not.

Who is right? Unfortunately the publicly available facts are consistent with either theory. Maybe TV Everywhere is just the first step and the cable companies will soon enough be competing with each other to distribute shows to Internet customers wherever they may be. Or maybe the companies have decided as a group to restrict themselves to TV Everywhere style services within geographic limits (or to otherwise restrict business models or prices).

At this point we can’t tell who is right. FreePress offers indirect but suggestive circumstantial evidence that questionable discussions might have occurred within the cable industry. The NCTA mostly just changes the subject, talking about the complexity of their industry and praising cable companies for offering shows on the Internet at all.

Unfortunately, public discourse about industry structure often confuses issues like this. We often say things like “the cable industry is worried about X” or “the cable industry wants Y”. That could be a kind of shorthand, meaning that the individual companies in the industry, facing competitive pressures, generally tend to worry about X or to want Y — perfectly reasonable market behavior. Or it could reflect an assumption that the industry acts as a unit, which of course is problematic. This ambiguity is especially common in political/policy debates, to our detriment. We’d be better off saying things like “cable companies worry about X” or “cable companies want Y”, just to remind ourselves that these are supposed to be independent actors who decide independently what they want.

For now, I’d say the cable companies bear watching. As the companies lay out their Internet strategies and products, I hope the antitrust authorities are watching closely. If the cable companies are really acting as competing companies, this will be obvious from their actions.

Predictions for 2010

Here are our predictions for 2010. These are based on input from Ari Feldman, Ed Felten, Alex Halderman, Joseph Lorenzo Hall, Tim Lee, Paul Ohm, David Robinson, Dan Wallach, Harlan Yu, and Bill Zeller. Please note that individual contributors (including me) don’t necessarily agree with all of these predictions.

(1) DRM technology will still fail to prevent widespread infringement. In a related development, pigs will still fail to fly.

(2) Federated DRM systems, such as DECE and KeyChest, will not catch on.

(3) Content providers will crack down on online sites that host unlicensed re-streaming of live sports programming. DMCA takedown notices will be followed by a lawsuit claiming actual knowledge of infringing materials and direct financial benefits.

(4) Major newspaper content will continue to be available online for free (with ads) despite cheerleading for paywalls by Rupert Murdoch and others.

(5) The Supreme Court will strike down pure business model patents in its Bilski opinion. The Court will establish a new test for patentability, rather than accepting the Federal Circuit’s test. The Court won’t go so far as to ban software patents, but the implications of the ruling for software patents will be unclear and will generate much debate.

(6) Patent reform legislation won’t pass in 2010. Calls for Congress to resolve the post-Bilski uncertainty will contribute to the delay.

(7) After the upcoming rulings in Quon (Supreme Court), Comprehensive Drug Testing (Ninth Circuit or Supreme Court) and Warshak (Sixth Circuit), 2010 will be remembered as the year the courts finally extended the full protection of the Fourth Amendment to the Internet.

(8) Fresh evidence will come to light of the extent of law enforcement access to mobile phone location-data, intensifying the debate about the status of mobile location data under the Fourth Amendment and electronic surveillance statutes. Civil libertarians will call for stronger oversight, but nothing will come of it by year’s end.

(9) The FTC will continue to threaten to do much more to punish online privacy violations, but it won’t do much to make good on the threats.

(10) The new Apple tablet will be gorgeous but expensive. It will be a huge hit only if it offers some kind of advance in the basic human interface, such as a really effective full-sized on-screen keyboard.

(11) The disadvantages of iTunes-style walled garden app stores will become increasingly evident. Apple will consider relaxing its restrictions on iPhone apps, but in the end will offer only rhetoric, not real change.

(12) Internet Explorer’s usage share will fall below 50 percent for the first time in a decade, spurred by continued growth of Firefox, Chrome, and Safari.

(13) Amazon and other online retailers will be forced to collect state sales tax in all 50 states. This will have little impact on the growth of their business, as they will continue to undercut local bricks-and-mortar stores on prices, but it will remove their incentive to build warehouses in odd places just to avoid having to collect sales tax.

(14) Mobile carriers will continue locking consumers in to long-term service contracts despite the best efforts of Google and the handset manufacturers to sell unlocked phones.

(15) Palm will die, or be absorbed by Research In Motion or Microsoft.

(16) In July, when all the iPhone 3G early adopters are coming off their two-year lock-in with AT&T, there will be a frenzy of Android and other smartphone devices competing for AT&T’s customers. Apple, no doubt offering yet another version of the iPhone at the time, will be forced to cut its prices, but will hang onto its centralized app store. Android will be the big winner in this battle, in terms of gained market share, but there will be all kinds of fragmentation, with different carriers offering slightly different and incompatible variants on Android.

(17) Hackers will quickly sort out how to install their own Android builds on locked-down Android phones from all the major vendors, leading to threatened or actual lawsuits but no successful legal action taken.

(18) Twitter will peak and begin its decline as a human-to-human communication medium.

(19) A politician or a candidate will commit a high-profile “macaca”-like moment via Twitter.

(20) Facebook customers will become increasingly disenchanted with the company, but won’t leave in large numbers because they’ll have too much information locked up in the site.

(21) The fashionable anti-Internet argument of 2010 will be that the Net has passed its prime, supplanting the (equally bogus) 2009 fad argument that the Internet is bad for literacy.

(22) One year after the release of the Obama Administration’s Open Government Directive, the effort will be seen as a measured success. Agencies will show eagerness to embrace data transparency but will find the mechanics of releasing datasets to be long and difficult. Privacy (how to deal with personal information available in public data) will be one major hurdle.

(23) The Open Government agenda will be the bright spot in the Administration’s tech policy, which will otherwise be seen as a business-as-usual continuation of past policies.