Category Archives: legislation

California Enacts Blockchain Legislation

As reported on the Blockchain Legal Resource, California Governor Jerry Brown recently signed into law Assembly Bill No. 2658 for the purpose of further studying blockchain’s application to Californians. In doing so, California joins a growing list of states officially exploring distributed ledger technology.

Specifically, the law requires the Secretary of the Government Operations Agency to convene a blockchain working group prior to July 1, 2019. Under the new law, “blockchain” means “a mathematically secured, chronological and decentralized ledger or database.” In addition to including various representatives from state government, the working group is required to include appointees from the technology industry and non-technology industries, as well as appointees with backgrounds in law, privacy and consumer protection.

Under the new law, which has a sunset date of January 1, 2022, the working group is required to evaluate:

  • the uses of blockchain in state government and California-based businesses;
  • the risks, including privacy risks, associated with the use of blockchain by state government and California-based businesses;
  • the benefits associated with the use of blockchain by state government and California-based businesses;
  • the legal implications associated with the use of blockchain by state government and California-based businesses; and
  • the best practices for enabling blockchain technology to benefit the State of California, California-based businesses and California residents.

In doing so, the working group is required to seek “input from a broad range of stakeholders with a diverse range of interests affected by state policies governing emerging technologies, privacy, business, the courts, the legal community and state government.”

The working group is also tasked with delivering a report to the California Legislature by January 1, 2020, on the potential uses, risks and benefits of blockchain technology by state government and California businesses. Moreover, the report is required to include recommendations for amending relevant provisions of California law that may be impacted by the deployment of blockchain technology.

New IoT legislation bans shared default passwords

In an attempt to make it harder for bots to take over the myriad of connected devices sold in California, state legislators have pushed through, and California Governor Jerry Brown has signed into law, SB-327. The bill is to be enacted on January 1, 2020, and applies to device manufacturers, whether they do it themselves or contract with another person to manufacture the device on their behalf. It requires manufacturers of internet-connected …

The post New IoT legislation bans shared default passwords appeared first on Help Net Security.

The Future of Voice, Fraud, and the Impact to CX | A Recap

Voice is growing out of the call center, out of your telephone and is growing into the next interface. In previous years, we have released fraud reports revolving around the call center, but with the expansion of voice, and the fraud that follows, we have shifted our perspective to voice intelligence – after all, voice is everywhere: your digital assistant, your latest kitchen appliance, and even your car.

The eras of economies have passed us by, first characterized by digitalization, then the wave of mobile devices, and now by voice – paving the way to the conversational economy. These economies are accompanied by their own collection of problems – and fraudsters are not letting up. There has been a 350% increase from 2013 to 2017 in phone fraud, and a 47% increase from last year. Banks and the insurance industry are experiencing a higher level of fraud, with a 20% and 36% increase in fraud year over year respectively.

So how did we get to these increased fraud rates?

There has been an increasing number of data breaches year over year; last year, there were 1,300 data breaches. These breaches make it easy for criminals to commit fraud – ultimately feeding into the $1.5 trillion cybercrime market. Additionally, a lot of enterprises rely heavily on KBAs, or knowledge-based authentication questions, which function as secrets for security. These “secrets” can be easily hacked through social engineering or through the black market.

The arrival of the omnichannel has not helped with containing fraud – consumers want to be able to contact a business through any channel, with the expectations for the experience to remain consistent. However, there are consequences for the omnichannel – it allows fraudsters to use resources from one channel to access an individual’s details in another channel. Lastly, as we build more tools to stop fraud, fraudsters are evolving quickly and learning how to combat these security measures.

Overall, fraud is the ultimate impact to customer experience – your customers have expectations for who they do business with, and if they expect their data to be safe with you, this should be upheld. We’re living in a world where consumers are likely to switch who they do business with if their customer experience expectations are fulfilled.

For more information on the future of voice, fraud in the voice channel, and the impact it has on customer experience, tune into our on-demand webinar here.

The post The Future of Voice, Fraud, and the Impact to CX | A Recap appeared first on Pindrop.

APEC Cross-Border Privacy Rules Enshrined in U.S.-Mexico-Canada Trade Agreement

On September 30, 2018, the U.S., Mexico and Canada announced a new trade agreement (the “USMCA”) aimed at replacing the North American Free Trade Agreement. Notably, the USMCA’s chapter on digital trade recognizes “the economic and social benefits of protecting the personal information of users of digital trade” and will require the U.S., Canada and Mexico (the “Parties”) to each “adopt or maintain a legal framework that provides for the protection of the personal information of the users[.]” The frameworks should include key principles such as: limitations on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation and accountability.

In adopting such a framework, Article 19.8(2) directs the Parties to consider the principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, and Article 19.8(6) formally recognizes the APEC Cross-Border Privacy Rules (the “APEC CBPRs”) within their respective legal systems:

Art. 19.8(6) Recognizing that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote compatibility between these different regimes. The Parties shall endeavor to exchange information on the mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them. The Parties recognize that the APEC Cross-Border Privacy Rules system is a valid mechanism to facilitate cross-border information transfers while protecting personal information.

In addition, Article 19.14(1)(b) provides that “the Parties shall endeavor to… cooperate and maintain a dialogue on the promotion and development of mechanisms, including the APEC Cross-Border Privacy Rules, that further global interoperability of privacy regimes.”

The APEC CBPRs were developed by the 21 APEC member economies as a cross-border transfer mechanism and comprehensive privacy program for private sector organizations to enable the accountable free flow of data across the APEC region. Organizations must be certified by a third-party APEC-recognized Accountability Agent to participate in this system. The CBPRs are binding and enforceable against participating companies.

The USMCA must still pass the U.S. Congress, the Canadian Parliament, and the Mexican Senate.

California Enacts New Requirements for Internet of Things Manufacturers

On September 28, 2018, California Governor Jerry Brown signed into law two identical bills regulating Internet-connected devices sold in California. S.B. 327 and A.B. 1906 (the “Bills”), aimed at the “Internet of Things,” require that manufacturers of connected devices—devices which are “capable of connecting to the Internet, directly or indirectly,” and are assigned an Internet Protocol or Bluetooth address, such as Nest’s thermostat—outfit the products with “reasonable” security features by January 1, 2020; or, in the bills’ words: “equip [a] device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure[.]”

According to Bloomberg Law, the Bills’ non-specificity regarding what “reasonable” features include is intentional; it is up to the manufacturers to decide what steps to take. Manufacturers argue that the Bills are egregiously vague, and do not apply to companies that import and resell connected devices made in other countries under their own labels.

The Bills are opposed by the Custom Electronic Design & Installation Association, Entertainment Software Association and National Electrical Manufacturers Association. They are sponsored by Common Sense Kids Action; supporters include the Consumer Federation of America, Electronic Frontier Foundation and Privacy Rights Clearinghouse.

CIPL Submits Comments on Draft Indian Data Protection Bill

On September 26, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Indian Ministry of Electronics and Information Technology on the draft Indian Data Protection Bill 2018 (“Draft Bill”).

CIPL’s comments on the Draft Bill focus on several key issues that are of particular importance for any modern-day data protection law, including increased emphasis on accountability and the risk-based approach to data processing, interoperability with other data protection laws globally, the significance of having a variety of legal bases for processing and not overly relying on consent, the need for extensive and flexible data transfer mechanisms, and the importance of maximizing the effectiveness of the data protection authority.

Specifically, the comments address the following key issues:

  • the Draft Bill’s extraterritorial scope;
  • the standard for anonymization;
  • notice requirements;
  • accountability and the risk-based approach;
  • legal bases for processing, including importance of the reasonable purposes ground;
  • sensitive personal data;
  • children’s data;
  • individual rights;
  • data breach notification;
  • Data Protection Impact Assessments;
  • record-keeping requirements and data audits;
  • Data Protection Officers;
  • the adverse effects of a data localization requirement;
  • cross-border transfers;
  • codes of practice; and
  • the timeline for adoption.

These comments were formed as part of CIPL’s ongoing engagement in India. In January 2018, CIPL responded to the Indian Ministry of Electronics and Information Technology’s public consultation on the White Paper of the Committee of Experts on a Data Protection Framework for India.

Senate Commerce Committee Holds Hearing on Examining Consumer Privacy Protections

On September 26, 2018, the U.S. Senate Committee on Commerce, Science, and Transportation convened a hearing on Examining Consumer Privacy Protections with representatives of major technology and communications firms to discuss approaches to protecting consumer privacy, how the U.S. might craft a federal privacy law, and companies’ experiences in implementing the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

After introductory remarks by Senator and Chairman of the Committee John Thune (R-SD) and Senator Bill Nelson (D-FL), representatives from AT&T, Amazon, Google, Twitter, Apple and Charter Communications provided testimony on the importance of protecting consumer privacy, the need for clear rules that still ensure the benefits that flow from the responsible use of data, and key principles that should be included in any federal privacy law. A question and answer session followed, with various senators posing a variety of questions to the witnesses, covering topics such as comparisons to global data privacy regimes, the current and potential future authority of the Federal Trade Commission, online behavioral advertising and political advertising, current privacy tools and issues surrounding children’s data.

Key views expressed by the witnesses from the hearing include:

  • support for the creation of a federal privacy law and a preference for preemption rather than a patchwork of different state privacy laws;
  • agreement that the FTC should be the regulator for a federal privacy law but the authority of the FTC under such a law should be discussed and examined further;
  • concern around a federal privacy law attempting to copy the GDPR or CCPA. A federal privacy law should seek to avoid the difficulties and unintended consequences created by these laws and the U.S. should put its own stamp on what the law should be; and
  • agreement that a federal law should not be unduly burdensome for small and medium sized enterprises.

An archived webcast of the hearing is available on the Senate Commerce Committee’s website.

The hearing marked the first of several as the U.S. debates whether to adopt federal privacy legislation. The next hearing is scheduled for early October, where Andrea Jelinek, head of the European Data Protection Board, Alastair Mactaggart, California privacy activist, and representatives from consumer organizations will participate and answer questions on consumer privacy, the GDPR and the CCPA.

CCPA Amendment Bill Signed Into Law

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121 (the “Bill”), which makes limited substantive and technical amendments to the California Consumer Privacy Act of 2018 (“CCPA”). The Bill takes effect immediately, and delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first.

We have previously posted about the modest changes that SB-1121 makes to the CCPA. As reported in BNA Privacy Law Watch, the California legislature may consider broader substantive changes to the CCPA in 2019.

New Federal Credit Freeze Law Eliminates Fees, Provides for Year-Long Fraud Alerts

Effective September 21, 2018, Section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) requires consumer reporting agencies to provide free credit freezes and year-long fraud alerts to consumers throughout the country. Under the Act, consumer reporting agencies must each set up a webpage designed to enable consumers to request credit freezes, fraud alerts, extended fraud alerts and active duty fraud alerts. The webpage must also give consumers the ability to opt out of the use of information in a consumer report to send the consumer a solicitation of credit or insurance. Consumers may find links to these webpages on the Federal Trade Commission’s Identity Theft website.

The Act also enables parents and guardians to freeze their children’s credit if they are under age 16. Guardians or conservators of incapacitated persons may also request credit freezes on their behalf.

Section 302 of the Act provides additional protections for active duty military. Under this section, consumer reporting agencies must offer free electronic credit monitoring to all active duty military.

For more information, read the FTC’s blog post.

UK Treasury committee report: regulation is closing in on cryptocurrency

Bitcoin has truly taken off, at a current worth of more than 5,000 euros. Other cryptocurrencies are slowly catching up, but there is one special surprise waiting for investors and exchanges that might hinder their expansion plans. Things are about to get complicated because MPs in the UK want to regulate cryptocurrency, writes The Guardian.

For a while now, governments and institutions operating in the financial services industry have been discussing this aspect, trying to find ways to regulate it on grounds that it is risky and it enables illicit activities such as money laundering.

According to the Treasury committee report, consumers are also at risk because cryptocurrency is as yet an unregulated “wild-west”-type industry that bypasses banks, so there is no protection from the Financial Conduct Authority should anything happen to their crypto-assets. “Accordingly, investors should be prepared to lose all their money,” the report says.

In response, the FCA “agrees with the committee’s conclusion that bitcoin and similar crypto-assets are ill-suited to retail investors, and as we have warned in the past, investors in this type of crypto-asset should be prepared to lose all their money.”

“Bitcoin and other crypto-assets exist in the wild west industry of crypto-assets. This unregulated industry leaves investors facing numerous risks,” said the committee chair, Conservative MP Nicky Morgan. “Given the high price volatility, the hacking vulnerability of exchanges and the potential role in money laundering, the Treasury committee strongly believes that regulation should be introduced.”

CryptoUK, a trade association that represents companies operating in the digital currency landscape and promotes good conduct in this sector, embraced the report.

“As an industry we have been calling for the introduction of proportionate regulation to improve standards and encourage growth,” said Iqbal Gandham, the chair of CryptoUK. “Self-regulation by the industry was always intended to be a starting point – this must now be matched by government action.”

The committee strongly believes that proper regulation could reduce the number of cyberattacks and could turn cryptocurrency into a business opportunity.

CCPA Amended: Enforcement Delayed, Few Substantive Changes Made

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

Key amendments to the CCPA include:

  • Enforcement:
    • The bill extends by six months the deadline for the California Attorney General (“AG”) to draft and adopt the law’s implementing regulations, from January 1, 2020, to July 1, 2020. (CCPA § 1798.185(a)).
    • The bill delays the AG’s ability to bring enforcement actions under the CCPA until six months after publication of the implementing regulations or July 1, 2020, whichever comes first. (CCPA § 1798.185(c)).
    • The bill limits the civil penalties the AG can impose to $2,500 for each violation of the CCPA or up to $7,500 per each intentional violation, and states that a violating entity will be subject to an injunction. (CCPA § 1798.155(b)).
  • Definition of “personal information”: The CCPA includes a number of enumerated examples of “personal information” (“PI”), including IP address, geolocation data and web browsing history. The amendment clarifies that the listed examples would constitute PI only if the data “identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” (CCPA § 1798.140(o)(1)).
  • Private right of action:
    • The amendments clarify that a consumer may bring an action under the CCPA only for a business’s alleged failure to “implement and maintain reasonable security procedures and practices” that results in a data breach. (CCPA § 1798.150(c)).
    • The bill removes the requirement that a consumer notify the AG once the consumer has brought an action against a business under the CCPA, and eliminates the AG’s ability to instruct a consumer to not proceed with an action. (CCPA § 1798.150(b)).
  • GLBA, DPPA, CIPA exemptions: The original text of the CCPA exempted information subject to the Gramm-Leach-Bliley Act (“GLBA”) and Driver’s Privacy Protection Act (“DPPA”), only to the extent the CCPA was “in conflict” with either statute. The bill removes the “in conflict” qualification and clarifies that data collected, processed, sold or disclosed pursuant to the GLBA, DPPA or the California Information Privacy Act is exempt from the CCPA’s requirements. The revisions also exempt such information from the CCPA’s private right of action provision. (CCPA §§ 1798.145(e), (f)).
  • Health information:
    • Health care providers: The bill adds an exemption for HIPAA-covered entities and providers of health care governed by the Confidentiality of Medical Information Act, “to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information,” as described in the CCPA. (CCPA § 1798.145(c)(1)(B)).
    • PHI: The bill expands the category of exempted protected health information (“PHI”) governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act to include PHI collected by both covered entities and business associates. The original text did not address business associates. (CCPA § 1798.145(c)(1)(A)).
    • Clinical trial data: The bill adds an exemption for “information collected as part of a clinical trial” that is subject to the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) and is conducted in accordance with specified clinical practice guidelines. (CCPA § 1798.145(c)(1)(C)).
  • Notice of right of deletion: The original text of the CCPA stated that a business must disclose on its website or in its privacy policy a consumer’s right to request the deletion of her PI. The bill modifies this requirement, stating that a business must disclose the right to deletion “in a form that is reasonably accessible to consumers.” (CCPA § 1798.105(b)).
  • First Amendment protection: The bill adds a provision to the CCPA, which states that the rights afforded to consumers and obligations imposed on businesses under the CCPA do not apply if they “infringe on the noncommercial activities of a person or entity” as described in Art. I, Section 2(b) of the California constitution, which addresses activities related to the free press. This provision is designed to prevent First Amendment challenges to the law. (CCPA § 1798.150(k)).
  • Preemption:
    • The bill adds to the CCPA’s preemption clause that the law will not apply in the event its application is preempted by, or in conflict with, the U.S. Constitution. The CCPA previously referenced only the California Constitution. (CCPA § 1798.196).
    • Certain provisions of the CCPA supersede and preempt laws adopted by local entities regarding the collection and sale of a consumer’s PI by a business. The bill makes such provisions of the Act operative on the date the bill becomes effective.

The California State Legislature is expected to consider more substantive changes to the law when it reconvenes in January 2019.

California AG Voices Concern About State’s New Privacy Law

On August 22, 2018, California Attorney General Xavier Becerra raised significant concerns regarding the recently enacted California Consumer Privacy Act of 2018 (“CCPA”) in a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. Writing to “reemphasize what [he] expressed previously to [them] and [state] legislative leaders and Governor Brown,” Attorney General Becerra highlighted what he described as five primary flaws that, if unresolved, will undermine the intention behind and effective enforcement of the CCPA.

Most of the issues Attorney General Becerra pointed to were those he claimed impose unnecessary and/or onerous obligations on the Attorney General’s Office (“AGO”). For example, the CCPA requires the AGO to provide opinions, warnings and an opportunity to cure to a business before the business can be held accountable for a CCPA violation. Attorney General Becerra said that this effectively requires the AGO to provide unlimited legal counsel to private parties at taxpayer expense, and creates a potential conflict of interest by requiring the AGO to advise parties who may be violating Californians’ privacy rights.

In a similar vein, Attorney General Becerra noted that the CCPA gives consumers a limited right to sue if they become victims of a data breach, but otherwise does not include a private right of action for consumers to seek remedies to protect their privacy. That framework, Attorney General Becerra wrote, substantially increases the AGO’s need for enforcement resources. Likewise, the CCPA requires private plaintiffs to notify the Attorney General before filing suit. Attorney General Becerra criticized this requirement as both without use, since only courts may decide the merits of a case, and a drain on personnel and administrative resources.

Attorney General Becerra also pointed out that the CCPA’s civil penalty provisions purport to amend and modify the Unfair Competition Law’s civil penalty provision. The latter, however, was enacted by voters through a ballot proposition and thus cannot be amended through legislation. For that reason, Attorney General Becerra argued, the CCPA’s civil penalty provision is likely unconstitutional (the letter noted that the AGO has offered “corrective language” that replaces the CCPA’s current penalty provision with a stand-alone enforcement proposition).

Additionally, Attorney General Becerra took issue with the CCPA’s provision that the AGO has one year to conduct rulemaking for the CCPA. Attorney General Becerra noted that the CCPA did not provide resources for the AGO to carry out the rulemaking nor its implementation thereafter; the Attorney General called the existing deadline “simply unattainable.”

Threat Model Thursday: Architectural Review and Threat Modeling

For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free.

Seattle has a housing and homelessness crisis. The cost of a house has risen nearly 25% above the 2007 market peak, and has roughly doubled in the 6 years since April 2012. Fundamentally, demand has outstripped supply and continues to do so. As a city, we need more supply, and that means evaluating the value of things that constrain supply. This commentary from the local Libertarian party lists some of them.

The rules on what permits are needed to build a residence, what housing is acceptable, or how many unrelated people can live together (no more than eight) are expressions of values and priorities. We prefer that the developers of housing not build housing rather than build housing that doesn’t comply with the city’s Office of Planning and Community Development’s 32 pages of neighborhood design guidelines. We prefer to bring developers back after a building is built if the siding is not the agreed color. This is a choice that expresses the values of the city. And because I’m not a housing policy expert, I can miss some of the nuances and see the effect of the policies overall.

Let’s transition from the housing crisis here in Seattle to the architecture crisis that we face in technology.

No, actually, I’m not quite there. The city killed micro-apartments, only to replace them with … artisanal micro-houses. Note the variation in size and shape of the two houses in the foreground. Now, I know very little about construction, but I’m reasonably confident that if you read the previous piece on micro-housing, many of the concerns regulators were trying to address apply to “True Hope Village,” construction pictured above. I want you, dear reader, to read the questions about how we deliver housing in Seattle, and treat them as a mirror into how your organization delivers software. Really, please, go read “How Seattle Killed Micro-Housing” and the “Neighborhood Design Guidelines” carefully. Not because you plan to build a house, but as a mirror of your own security design guidelines.

They may be no prettier.

In some companies, security is valued, but has no authority to force decisions. In others, there are mandatory policies and review boards. We in security have fought for these mandatory policies because without them, products ignored security. And similarly, we have housing rules because of unsafe, unsanitary or overcrowded housing. To reduce the blight of slums.

Security has design review boards which want to talk about the color of the siding a developer installed on the now live product. We have design regulation which kills apodments and tenement housing, and then glorifies tiny houses. From a distance, these rules make no sense. I didn’t find it sensible, myself. I remember a meeting with the Microsoft Crypto board. I went in with some very specific questions regarding parameters and algorithms. Should we use this hash algorithm or that one? The meeting took not five whole minutes to go off the rails with suggestions about non-cryptographic architecture. I remember shipping the SDL Threat Modeling Tool, going through the roughly five policy tracking tools we had at the time, discovering at the very last minute that we had extra rules that were not documented in the documents that I found at the start. It drives a product manager nuts!

Worse, rules expand. From the executive suite, if a group isn’t growing, maybe it can shrink? From a security perspective, the rapidly changing threat landscape justifies new rules. So there’s motivation to ship new guidelines that, in passing, spend a page explaining all the changes that are taking place. And then I see “Incorporate or acknowledge the best features of existing early to mid-century buildings in new development.” What does that mean? What are the best features of those buildings? How do I acknowledge them? I just want to ship my peer to peer blockchain features! And nothing in the design review guidelines is clearly objectionable. But taken as a whole, they create a complex and unpredictable, and thus expensive path to delivery.

We express values explicitly and implicitly. In Seattle, implicit expression of values has hobbled the market’s ability to address a basic human need. One of the reasons that embedding is effective is that the embedded gatekeepers can advise, interpret in relation to real questions. Embedding expresses the value of collaboration, of dialogue over review. Does your security team express that security is more important than product delivery? Perhaps it is. When Microsoft stood down product shipping for security pushes, it was an explicit statement. Making your values explicit and debating prioritization is important.

What side effects do your security rules have? What rule is most expensive to comply with? What initiatives have you killed, accidentally or intentionally?

How to Minimize Leaking

I am hopeful that President Trump will not block release of the remaining classified documents addressing the 1963 assassination of President John F. Kennedy. I grew up a Roman Catholic in Massachusetts, so President Kennedy always fascinated me.

The 1991 Oliver Stone movie JFK fueled several years of hobbyist research into the assassination. (It's unfortunate the movie was so loaded with fictional content!) On the 30th anniversary of JFK's death in 1993, I led a moment of silence from the balcony of the Air Force Academy chow hall during noon meal. While stationed at Goodfellow AFB in Texas, Mrs B and I visited Dealey Plaza in Dallas and the Sixth Floor Museum.

Many years later, thanks to a 1992 law partially inspired by the Stone movie, the government has a chance to release the last classified assassination records. As a historian and former member of the intelligence community, I hope all of the documents become public. This would be a small but significant step towards minimizing the culture of information leaking in Washington, DC. If prospective leakers were part of a system that was known for releasing classified information prudently, regularly, and efficiently, it would decrease the leakers' motivation to evade the formal declassification process.

Many smart people have recommended improvements to the classification system. Check out this 2012 report for details.

Why Cameron hates WhatsApp so much

It’s a well-known fact that the UK’s Prime Minister David Cameron doesn’t care much about people’s privacy. Recently he has been driving the so-called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks.

It is said that terrorists want to tear down Western society and lifestyle. And Cameron definitely puts himself in the same camp with statements like this:

“In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.”
David Cameron

Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorists blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four.

But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them?

The answer is both simple and very significant. But it may not be obvious at first. The Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to.

More and more encryption is being built in by default now that we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers is thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break.

But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group of people with special needs. Traffic from both WhatsApp and Signal, for example, is encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption users before.

WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality.

WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map people’s networks of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to becoming something unique: among the first communication solutions that are easy to use, popular and secure by default.

Apple’s iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS messages. But iMessage’s security is unfortunately not flawless either.

Safe surfing,
Micke

PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, which have a master key that *used to be* secret.

Image by Sam Azgor

Sunset for section 215, but is the world better now?

Section 215 of the US Patriot Act has been in the headlines a lot lately. This controversial section was used by the US intelligence agencies to scoop up large quantities of US phone records, among other things. The section had a sunset clause and needed to be renewed periodically, with the latest deadline at midnight May 31st 2015. The renewal has previously been a rubber-stamp thing, but not this time. Section 215 has expired and been replaced by the Freedom Act, which is supposed to be more restrictive and better protect our privacy. And that made it headline news globally.

But what does this mean in practice? Is this the end of the global surveillance Edward Snowden made us aware of? How significant is this change in reality? These are questions that aren’t necessarily answered by the news coverage.

Let’s keep this simple and avoid going into details. Section 215 was just a part in a huge legal and technical surveillance system. The old section 215 allowed very broad secret warrants to be issued by FISA courts using secret interpretations of the law, forcing companies to hand over massive amounts of data about citizens’ communications. All this under gag orders preventing anyone from talking about it or even seeking legal advice. The best known example was probably the bulk collection of US phone records. It’s not about tapping phones, rather about keeping track of who called whom at what time. People in the US could quite safely assume that if they placed calls, the NSA had them on record.

The Freedom Act that replaces it still allows a lot of surveillance, but aims to restrict the much-criticized mass surveillance. Surveillance under the Freedom Act needs to be more specified than under Section 215. Authorities can’t just tell a telecom operator to hand over all phone records to see if they can find something suspicious. Now they have to specify an individual or a device they are interested in. Telecom operators must store certain data about all customers, but only hand over the requested data. That’s not a problem, it is pretty much data that the operators have to keep anyway for billing purposes.

This sounds good on paper, but reality may not be so sunny. First, the Freedom Act is a new thing and we don’t know yet how it will work in practice. Its interpretation may be more or less privacy friendly, time will tell. The surveillance legislation is a huge and complex whole. A specific kind of surveillance may very well be able to continue sanctioned by some other paragraph even if section 215 is gone. It’s also misleading when the media report that the section 215 intelligence stopped on June 1st. In reality it continues for at least six months, maybe longer, to safeguard ongoing investigations.

So the conclusion is that the practical impact of this mini reform is a lot less significant than what we could believe based on the headlines. It’s not the end of surveillance. It doesn’t guarantee privacy for people using US-based services. It is however an important and welcome signal that the political climate in the US is changing. It’s a sign of a more balanced view on security versus basic human rights. Let’s hope that this climate change continues.

Safe surfing,
Micke

Image by Christian Holmér