Surveillance State

April 15, 2008 8:00 AM PDT

The Transportation Security Administration is joining the 21st century. Just 5 years after security experts first outlined methods for faking boarding passes (and 2 years after the FBI raided my home for automating the process), TSA is finally testing out technology to neutralize this security threat. The only problem? The new authenticated boarding passes lay the groundwork for a surveillance state, enforceable all-points bulletins, and most scary of all, data discrimination.

Can TSA be trusted to do the right thing?

A sample secure boarding pass

(Credit: Continental Airlines)

For the last 4 months, Continental Airlines and TSA have been running a pilot project, which permits passengers to pass through security using mobile-phone-based boarding passes. After the user checks in online 24 hours before travel, the airline will send a dense 2D bar code to the passenger's mobile phone. The program is open to anyone flying on a non-stop Continental Airlines flight out of Houston.

The bar codes contain all of the information that would ordinarily appear on a boarding pass, plus one other important thing: a digital signature.

The system doesn't seem too bad, security-wise. The airlines each create a PGP cryptographic key pair: a private key, which they use to sign each boarding pass, and a public key, which they give to TSA.

When a passenger shows up at a TSA checkpoint, the boarding pass is scanned by TSA agents with a handheld device. The device verifies the cryptographic signature, and if the boarding pass hasn't been modified, it displays the passenger's information, which the agent can then compare to the passenger's ID.

Privacy safeguards

The Department of Homeland Security released a detailed Privacy Impact Report on the boarding pass system in late 2007. The report reveals a number of interesting details, and surprisingly, that the system was designed with passenger privacy in mind. The report (pdf) notes that:

The [Boarding Pass Scanning System (BPSS)] equipment is a handheld 2-D Bar Code scanning device and should be considered standalone as it will not be connected to any network - via wireless or ethernet connection.....

When [the passenger's] information is collected, it is immediately displayed on the device screen, in order for TSA screeners to screen the passengers against their photo identification. Once this is completed, the information is immediately and permanently deleted from the system....

The BPSS device application does not maintain a transaction log with bar code scan content; the application does not save or store the bar code scan data to a file, database, etc.

As many of my readers may know, I caused a bit of a panic at TSA in 2006, when I created a website that made fake boarding passes. Once the FBI dropped their investigation, and TSA decided not to come after me, the Feds became a lot nicer to me. I've flown out to Washington DC a couple times since to meet with TSA officials, and I know for a fact that a number of people inside DHS have read my research paper. Thus, it's not terribly surprising that the system in trial at Houston airport closely follows the design I outlined.

The authors of the privacy report were even nice enough to give me props, and mention my boarding pass security research as a motivation for the technology in the second paragraph of the document.

The makings of a surveillance state

TSA has clearly done a good job in designing this system, and making sure to include privacy analysis at the early design stages. The main problem though, is that it creates the foundations of a surveillance state. A world where TSA agents will be able to read through your digital dossier in detail as they decide how strictly to prod and probe you. This system, essentially, sets the stage for data discrimination at checkpoints.

When a passenger goes through a TSA checkpoint right now, the agent only has a few bits of information in front of him or her: the passenger's reported name, ID documents, and the physical features of the passenger (race, gender, dress, accent). Yes, it is possible for an airline to flag a passenger (the dreaded SSSS on a boarding pass), if the passenger's name appears on one of the watchlists. However, this is still very little information.

Imagine if, when going through a TSA checkpoint, the agents had a full dossier on each passenger - detailing everywhere you'd ever flown, any past criminal records, credit history, parking tickets and heck, even which books you've been seen reading in the airport. It's not such a wild fantasy, as US Customs Officers already have this information, and look at it when you enter the country.

What if ....

While the pilot program that TSA is using in Houston is privacy preserving, passengers will have no way of knowing if a future administration decides to update the software or hardware of the handheld devices. It would be very easy to add a wireless card to the devices, and no passenger would ever be the wiser. Suddenly, TSA agents would have a wealth of information at their fingertips, information that could help agents "fight the war on terror."

Such a change, if it did happen, would probably not require that TSA notify the public. Moreover, I doubt if it'd even have to tell the entire Congress. It would simply hold a closed briefing for the Intelligence Committees -- including the same gutless "gang of 8" who knew about the NSA's Warrantless Spying program for years, and didn't do anything about it.

To be clear, I'm not accusing TSA of doing anything wrong. All I'm saying is that once agents start scanning in bar codes with hand held devices, we the public will have no way of knowing what happens to the data. TSA is, after all, rather trigger-happy when it comes to pseudo-classifying data as Sensitive Security Information.

Remember the National Security Letter powers that the FBI was given by the Patriot Act? Congress and the public were assured that there would be safeguards, and that they would be used correctly. Fast forward a few years, and we find out that National Security Letters have been widely abused, time and again.

I don't have an easy solution to recommend here. The current boarding pass system is easy to evade, and digitally signed bar codes do solve this problem. However, given that passengers can still refuse to show ID when they fly (and thus totally avoid the watchlists), I'm not really sure what the main goal of this pilot is. Why spend millions to beef up boarding passes, when passengers can still slip through the system with no ID?

Perhaps the real solution, as crazy as it may sound, is for TSA to do their job - and screen passengers. As experts have noted over and over, a valid ID and boarding pass are not proof that someone is not a terrorist. Instead of wasting money and time trying to verify documents and ID cards, why not reallocate these resources to searching bags and patting down old ladies?

Thanks to Adam Shostack for tipping me off to the NYT article on the TSA pilot.

April 11, 2008 8:15 AM PDT

A few weeks ago, I brought you news that Indiana's Governor had signed into law HB 1197, a data breach and encryption bill that I worked on.

What I have not revealed, up until now, is the coercion and arm-twisting that accompanied the passage of this bill. While the details may not surprise jaded readers, it certainly gave me a reason to dislike the entire process, as well as one particular power-tripping legislator. Now that the bill, albeit a significantly slimmer version, has become law, I'm free to tell the story.

As regular readers of this blog know, I spent a significant amount of time this spring working on an update to Indiana's data breach laws. Along with my local State Representative, I co-wrote a bill that would fix loopholes in the existing rules, as well as designate the State Attorney General as a central reporting body, which would then post a copy of each report to its website.

The bill passed through House Committee without any problems, and was then passed unanimously by the State House of Representatives. Once the bill came up before the relevant Senate Committee, it drew the attention of lobbyists representing AT&T, Microsoft and Lexis Nexis, who flew in from Washington to try and kill the bill.

Eventually, the lobbyists got their way, and the bill was stripped of some of the most pro-consumer provisions. Shortly after this happened, I wrote a blog post on the subject, explaining what had happened, who had voted for the amendment, and which firms lobbied against the bill.

Coercion

After the bill passed through committee, the next step was for it to receive a second reading on the Senate floor. This was scheduled to happen on February 18th. At the end of that day, I went online, and saw that every single bill scheduled to receive its second reading that day had been read, except my bill. Curious as to what had happened, I made a few calls.

And this is where it gets interesting. A well placed source told me that a powerful Republican Senator had taken offense to something I had written on my blog the week before, in which I mentioned that each member of the Senate Committee voting to shred the bill had previously received campaign donations from AT&T. My source relayed a threat from the Senator: Either I had to remove the offending paragraph from my blog, or he would hold up the bill, and it would die in the Senate.

The offending text from the blog post:

AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D), Young (D), Tallian (D), Lanane (D).

I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.

This put me in a very difficult position. I had worked very hard on this bill, and this was my chance to close what I believed was a serious loophole in Indiana's existing breach laws. If I didn't cave to the Senator's demands, my bill would die, and with it, the chances of getting the law changed.

On the flip side, I hate the idea of censorship. I don't like being told what to write, or being told that I have to take something down. I think this is a feeling that I share with most of the Internet community -- be it cease and desist letters, or lawsuit threats, such attempts at stifling free speech are universally denounced (and usually evaded).

In addition to my own feelings, censorship is something that is not tolerated at CNET. Any edits I make to my own posts after publication must be struck out. Thus, removing an entire paragraph, let alone doing it silently without saying why, totally violated CNET policies, as well as basic journalistic standards.

To make matters worse, my source would only deliver the Senator's threat on the condition that it remain off the record. In later conversations, once I explained the trouble I'd get into with CNET over the silent deletion, he agreed to let me write about what had happened, as long as his name, and the Senator's name, were not revealed.

In the end, I decided to take down the text temporarily. I planned to post the offending text back online as soon as the Governor signed the bill into law. It was not a decision I was completely comfortable with, but I decided that passage of the bill was more important.

In hindsight, I'm not so sure that this was the right move. At the very least, I acknowledge that I let down both CNET, and the trust of my readers. This is something that I sincerely regret.

The day after I removed the paragraph, the bill had its second reading, and then a few days later, was passed unanimously by the State Senate. While he was unethical, the Senator did at least keep his word.

After the dust settled, I received some great advice from one of my mentors:

As a general rule it's difficult to wear two hats simultaneously in the legislative process. Fine to be a good citizen and propose necessary legislation. Fine also to be a whistleblower and call attention to legislative abuse. But very difficult to do both at the same time.

I'm not sure which hat I'll end up wearing for good. The entire process has left me with a fairly unpleasant taste in my mouth, made significantly worse by the fact that I still cannot name the Senator who abused his power.

April 9, 2008 8:46 AM PDT

European regulators sent shock-waves through the search engine industry earlier this week, when they proposed significantly tighter rules for logging data. If the EU adopts the proposed rules, Google, Yahoo and Microsoft will have to significantly reduce the amount of time they keep identifying search logs, and will have to start treating IP addresses as personally identifiable data -- something that Google has been particularly vocal against.

Google has recently engaged in a major public relations effort to try and make a credible argument for keeping log data. The company has trotted out respected employee researchers to try and make the case that deleting such data will hurt search results. When all of their claims are analyzed, however, one thing becomes clear: It's all about the money (and the clicks).

Google has a genuine need to retain detailed log information on one kind of user: Those who click on ads. However, in order to avoid creating a situation where only clickers lose their privacy, the company logs data on all searchers instead. That is, the privacy of millions is threatened, to protect the incentive for users to click on ads.

The excuses

Over the last few months, a number of Google's engineers have issued public statements on the company's public policy blog to defend its much criticized log data retention policies. The company claims that the data can be used to hunt down malware, to catch people defrauding its advertising system, and can be used to improve search results, especially for localized results.

Google claims that accurate logging data can improve localized searches. This data is then used to intelligently respond to searches, such that a search for "GM" will result in General Motors related information for an American search user, yet someone in France be presented with information on "Guerre Mondiale" (World War).

What Google has done here, is attempt to muddy the waters of the debate. Yes, accurate logging data improves localized searches. However, the company does not need to retain the exact network address (known as an IP address) of each and every search. Instead of tracking my searches by my network address, 129.53.136.23, the company could instead log that I came from San Francisco, California. That, in itself, would be more than enough information in order to help it localize and improve search results.

Avoiding disincentives

Of all the excuses that Google's puppets have presented for retaining search logs, there is only 1 case where Google actually has a legitimate need to store information that identifies the individual user, and network address: advertising clicks.

Google is an advertising company first, and a search engine second. Sometimes, we forget this, but Google has a lot of bills to pay. After all, those free meals and massages for employees have to be paid for somehow.

Google displays text advertisements on all of its web search results pages. Advertisers, for the most part, pay per click. That is, every time a user clicks on one of the ads, Google charges an advertiser a few cents (or dollars, depending on the search term). Because of the amounts of money at play, this tends to attract criminals wishing to defraud the system. Thus, it is not terribly surprising that Google wishes to retain information on the user who clicked.

What is most interesting to note though, is that if a user does not click on one of Google's web advertisements, the only credible reason for retaining detailed search information becomes moot. If a user doesn't click, they can't possibly be engaged in fraud, and thus there is no reason to retain identifying information on the user's search.

Were Google to institute an information needs based logging policy, it would find itself in a curious position: users who clicked on advertisements would have detailed logs retained for months, if not years, while users who didn't click on ads would quickly have any identifying information scrubbed from logs, and replaced with more generalized info.

The obvious problem with such a scenario would be that of incentives, especially once the policy was made public. Users would lose their privacy each time they clicked on an advertisement. Unfortunately for the company, this is exactly the wrong kind of message to send. It wants to encourage users to click on its text ads, not to provide incentives for customers to skip them.

Thus, in order to not create that situation, and to avoid the disincentive to click on ads, Google logs data on every search, by every user. And because of this, we all suffer -- even those users who never even see ads, because they use technologies like AdBlockPlus and CustomizeGoogle.

Disclaimer: In 2006, I worked as a summer intern in Google's click fraud team. Shuman Ghosemajumder, Google's "Business Product Manager for Trust & Safety" and the person claiming that search logs prevent fraud, worked in the same team.

None of the information in this blog post involves confidential company information.

I was awarded a Google fellowship in both 2006 and 2007, for $5000 each time. Finally, I just returned from a Scholar Retreat in San Francisco, which the company paid for.

April 3, 2008 8:00 AM PDT

Public interest groups, academics and members of the press have hammered Google for its lax privacy policies. The criticism has mostly focused on the log deletion practices and browser cookie policies at the search giant. Google claims that search quality and user privacy are a zero-sum game: deleting log data makes it more difficult to improve search results. Perhaps the company is right. However, there are several other pro-privacy steps that Google could take to significantly protect its customers--which it has not done, and continues to reject.

Over the last few months, a number of Google's engineers have issued public statements on the company's public policy blog to defend its much criticized log data retention policies. The company claims that the data can be used to hunt down malware, to catch people defrauding its advertising system, and can be used to improve search results.

These high-profile Googlers make the case that user privacy and search quality are a zero sum game: deleting logs to protect customer privacy makes it far more difficult to provide a good search experience.

While I personally think this is a load of rubbish, I'm going to give them the benefit of the doubt today, because I want to focus on a different issue. Namely, that Google could take a few easy steps in other areas to protect customers from the prying eyes of AT&T, the NSA, or the pervert next door reading your e-mails sent over a wireless network.

Search terms

Imagine a normal search situation. A user will visit Google.com, type in a few words, "security blogs," perhaps, and click on the search button. From the search results page, a user will click on a link, taking them to www.some-website.com. Due to the way that Google has designed its search engine, Web site owners are given the search terms that brought each Web surfer to their site.

A more technical explanation of this is as follows: Google embeds the search terms that the user issued into the Web URL of the search response page. That is, an example search URL will look like http://www.google.com/search?q=security+blogs . This is known as an HTTP GET request. When a user clicks on one of the search results on that page, the Web site owner will be told the exact address of the referring Web site. Due to the fact that Google embeds the search terms in its results URL, the Web site owner learns which terms led a user to their page.

Google could very easily stop including the search terms in the URL and thus stop passing on the search terms to the Web sites that users click on from a Google results page. It could do so by requesting that the user's browser send the terms to a Google server in a more discreet way. Many Web sites do this, especially those dealing with private information. Amazon.com and other e-commerce sites do not transmit the customer's credit card information by sending it in the URL--even on an SSL-encrypted Web session. To do so would needlessly endanger the user.

A switch to this more privacy-protecting method of Web data submission, known as an HTTP POST, would be a trivial change for Google's engineers. Furthermore, it wouldn't lead to any additional data processing resources for its vast number of servers. For Google, such a change would cost the company essentially nothing, yet it would give its customers an immediate increase in privacy.

The only downside to such a change, would be the loss of information for Web masters. Companies would like to know which search terms drew a customer to their Web site, especially if that visit resulted in a sale. While no doubt useful for marketers, this is not something they deserve to know. Furthermore, Google's responsibility is to the users with the eyeballs. At the very least, if a firm wants to know what people are searching for--let it buy an advertisement from Google. Right now, Google gives this data away to every Web site owner, for free.

Encrypted mail

By default, all Google searches as well as e-mail sent and read via Gmail are transmitted in the open, over an unencrypted session. What that means, is that the data can be seen by anyone with access to the network--anyone else using the Wi-Fi connection at Starbucks, your Internet service provider, or any government agency that has tapped the Internet backbone.

All Web browsers support the SSL encryption standard. Google even offers encrypted access to Gmail users, if they know to ask for it. Users simply need to visit https://www.gmail.com, and their entire e-mail session will be safe from prying eyes.

Unfortunately, encryption is expensive, at least in terms of computing power. Turning SSL on by default for the millions of Gmail users would mean that Google would have to dedicate more computers to the service. Those computers cost money. A Google spokesperson confirmed this, telling me that "we have not made SSL the default due to capacity and latency issues."

Google has made a shrewd business decision: Those users who care enough about their privacy to read the company's FAQ can get a bit of protection for their e-mail, while those users who presumably don't care, are left exposed to hackers and snoops.

Google should change its policies with regard to SSL and e-mail. At the very least, it should mention the secure Web mail option and provide a link on the main Gmail log-in page. This information is currently hidden in one of the help pages. In an ideal world, Gmail would enable SSL by default.

Searches, exposed.

While the company offers encrypted Web mail, it does not do the same for searches. Currently, there is no way to keep your search terms secret from those who might be watching the network. Could the company offer this? Sure, but it has chosen not to, primarily because of cost.

Luckily, someone else has taken steps to fill the search privacy gap left by Google.com. A Texas man named Daniel Brandt has created a Google-powered privacy-preserving search engine: Scroogle.org.

Scroogle submits search queries to Google on a user's behalf, scrapes the results, and displays them to the user. Scroogle's search data policies are fantastic: no cookies, no search-term records and all access logs are deleted within 48 hours. The site uses HTTP POST requests by default, which helps to keep the search terms a secret between the user and the search engine. Furthermore, for those users willing to put up with the 1- or 2-second delay required to initiate an SSL connection, encrypted searches are available to users via https://ssl.scroogle.org/.

Over 130,000 searches per day are made through the Scroogle site, 10 percent of which use SSL. In an e-mail conversation, Daniel told me that his "ultimate goal is for Scroogle to survive long enough so that the public sector gets the idea that all major search engines should be treated like public utilities."

Daniel Brandt seems like a great guy. He's doing this for free--and accepts tax deductible donations on the Scroogle site. However, for users who don't trust Daniel's claims, they may wish to use the anonymizing TOR proxy in parallel with Scroogle.

What Daniel's site shows, is that privacy preserving search is possible. While Scroogle doesn't show any ads, if Google offered this service, they could still make a buck on it. Imagine that--making money, while not being evil.

Disclosure: I'm paid as a technology policy fellow by the Electronic Privacy Information Center, a public interest group that has repeatedly criticized Google for its privacy policies. Furthermore, I interned for Google in 2006, and have received a $5,000 fellowship from the company, both in 2006 and 2007.

March 27, 2008 2:27 PM PDT

Hackers have turned their attention to Facebook's hundreds of independent applications. The results are not terribly surprising, but do not tell a good tale: app developers don't seem to know a thing about basic security, and are putting private user information at risk. As a result, malicious hackers are able to access and change what should be private user data managed by the application providers.

Just a few months after this blog brought you exclusive news of privacy problems in Facebook's application system, we are now already seeing the consequences of Facebook's decision to pass the buck on application security and privacy. Facebook shares user data with a large number of third-party application developers (without user consent), who then leave the data open to hackers due to nonexistent security and privacy protections. We at Surveillance State would be lying if we said we didn't see this coming.

Third-party developers

As I mentioned in a blog post back in January, Facebook permits application developers to get access to large amounts of sensitive data, all without clear user consent. Simply put, whenever a user installs a Facebook app, the developers of that application get access to data on every person who that user is Facebook 'friends' with, as well as most of the people in that user's network. While Facebook makes it perfectly clear when users install an application that developers will get access to their data, it doesn't do anything at all to warn users that the same data sharing occurs when their friends install apps.

Facebook has its legal bases covered though, as its Terms of Service clearly state that the company is in no way responsible for anything that the developers do with user data. It further notes that the company does nothing at all to verify that developers are doing anything at all to protect user data, or that they are not storing data beyond the time needed to process the application request (a strict no-no). The terms of service state:

"[each application] has not been approved, endorsed, or reviewed in any manner by Facebook...we are not responsible for...the privacy practices or other policies of the Developer. YOU USE SUCH DEVELOPER APPLICATIONS AT YOUR OWN RISK."

Flaws in apps, users at risk

According to a recent article in 2600, the Hacker Quarterly, many popular Facebook applications are vulnerable to trivial attacks, which permit a nefarious person to both set and read the data associated with that app. The 2600 article uses apps Moods, Free Gifts, and Super Wall to prove its point.

Quite simply, the developers have no authentication mechanism in place on their own servers when processing queries issued by a Facebook application. The developers rely, instead, on the Facebook app itself playing by the rules. A nefarious hacker merely needs to intercept the Web request issued by the app, and replace his/her own Facebook ID with that of a potential victim.

While the 2600 article is not online, a reader of the Consumerist blog summarized it online:

In all three of those applications, User A can very easily modify User B's data by intercepting a form and modifying the uid (Facebook user ID) before transmission. In addition, with some applications, User A can gain access to stored application data (e.g. history, etc.) for any User B, whether they are friends or not. Such applications blindly trust form data that can easily be tampered with, which is very clearly a bad idea.

The Moods application allows unauthorized users to view the mood histories of non-friends, and with Firebug, anyone with the app can intercept their own mood change form before submitting it, change the uid in the form, and change someone else's mood.

Super Wall has a similar vulnerability that allows someone to intercept the form in a similar way and spoof messages from ANYONE to ANYONE (even a non-friend) just by changing the to and from uids.

This is not rocket science, but far closer to computer security 101. Microsoft's Larry Osterman has written about these kinds of flaws on his own blog, describing his effort to educate Microsoft's programmers:

It takes a special mindset to think like a bad guy. Not everyone can switch into that mindset. For instance, I can't think of the number of times I had to tell developers on my team "It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code."

On Wednesday, I spoke with Adrienne Felt, the University of Virginia researcher whose report first highlighted the excessive and dangerous data sharing that happens between Facebook and its Application developers. When asked for her thoughts on the lack of authentication and security at major Facebook apps, Adrienne told me that, "sadly i am not surprised at all" as "apps are written by people who just barely know anything about coding."

For those of you interested in learning more, someone has taken the time to record a screencast of the attack in action. All that's needed is a Facebook account, the Firefox browser, and the Firebug browser add-on.

March 27, 2008 9:38 AM PDT

Google's terms of service, while ignored by the vast majority of users, contain a pretty shocking clause: Under 18's are not permitted to use any of Google's Web properties. That's right, kids--no search, YouTube, Gmail, news, or images.

Under 18s wishing to watch YouTube videos of skateboarding dogs, or perform research for a school project will have to go elsewhere--Ask.com or Microsoft's Live.com search, perhaps. The message from Mountain View seems clear: We don't want your (underage) business.

Google's terms of service, thick with legalese, state that:

"You may not use ... Google's products, software, services and web sites ... and may not accept the Terms if ... you are not of legal age to form a binding contract with Google."

The problem with this, of course, is that all 50 states in the United States require that someone be at least 18 years old to form a binding contract. As for what happens when a person under 18 attempts to agree to a click-through contract, the jury is still out on that one.

When contacted about the matter, a Google spokesperson initially told me that "users need to be at least 13 years old to use Gmail."

However, when I pointed out that the language in the company's terms of service contradicted her statement, she clarified her remarks, stating that: "We require users to be able to form a legally binding contract in order to use our services. The actual age required to form a legally binding contract may differ based on jurisdiction."

When I asked what the company would do if it found out that someone under 18 were using search, or Gmail, the spokesperson told me:

"We're not in a position to verify the age or legal status of any user, given the tremendous number of users accessing Google services. That said, when we become aware of a user who is violating our Terms of Service, including not being of proper age to accept the Terms of Service, we take appropriate action, which could include the termination of the user's Google Account."

After first seeing Google's no-kids policy in the company's terms of service, any rational person would assume that it's just standard legalese that all companies are required to include. However, it turns out that Google's dot-com competition is far more kid friendly.

Facebook's terms of service state:

"This Site is intended solely for users who are thirteen years of age or older, and users of the Site under 18 who are currently in high school or college."

What about MySpace?

"By using the MySpace Services, you represent and warrant that ... you are 14 years of age or older."

As for Microsoft's Live.com search engine and Ask.com, their terms of service don't mention age at all.

To this outside observer, it seems a little bit strange that 13+ year-olds can use social-networking sites like Facebook and MySpace, where many users post their gender, sexuality, religion, and a large number of potentially embarrassing photos. Yet, those same teenagers are forbidden from conducting a Web search. Surely things should be the other way around.

Conflicting messages

Google is currently running a Doodle 4 Google contest, in which K-12 students take a shot at designing a Google company logo. The winner will receive $10,000 and their art will appear on Google's home page for a day.

When viewed in light of the "no kids here" policy in the terms of service, Google's school outreach seems rather strange. Ironically, the winner of the contest will be forbidden from viewing his or her artwork on the main Google page, unless a parent types in the URL for them.

This is hardly Joe Camel territory, but it is still very strange. Why has the company gone out of its way to write up a terms of service that bans kids, yet at the same time, is engaged in kid-friendly promotions? Why does the site include anti-kid legalese that none of its competitors has opted to include?

The answer, for now, will remain unknown. Google's PR people toe the company line, and its lawyers, well, remain lawyers.

March 25, 2008 8:30 AM PDT

With a stroke of the Governor's pen on Monday, Indiana became one of the few states in the country to provide strong incentives for businesses to encrypt sensitive customer data. Unlike many of the laws that pass through state legislatures, this one was not ghostwritten by lobbyists or special interests. It was co-written by a tech-savvy state legislator, and a blogger constituent .... me.

One of the biggest problems in the hundreds of data breach and data loss incidents that have been reported over the past few years is that so little of the data is encrypted. If a laptop containing sensitive medical information is stolen, the thief merely needs to turn it on to read through a goldmine of personal data.

Some government agencies have taken action following particularly heinous incidents. After the state of Ohio lost backup tapes containing 160,000 social security numbers that were kept in a summer intern's car, the state purchased McAfee disk encryption software for every state employee. Likewise, after the hugely embarrassing data loss incident at the Department of Veterans Affairs in 2006, the Bush Administration issued new standards mandating encryption for all federal agencies.

Laptop password loophole

Indiana passed a data breach reporting law in 2006. However, the law had a number of problems. The biggest of these involved laptop passwords.

Many state data breach laws are written in a way to incentivize businesses into protecting their customer data. It would be exceedingly difficult to pass a law forcing all businesses to encrypt their data, and so states opt for the carrot and the stick.

Businesses are given a choice: If you protect your customers' data, and you lose a laptop containing sensitive information, you won't have to spend the money and suffer the reputation hit by telling the public. That is, as long as you've protected the data sufficiently.

Indiana's law created this incentive by narrowly defining a data breach incident. The giant loophole in the law stated that businesses would not have to report an:

"Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed."

As a computer security researcher, the problems in this sentence immediately jumped out at me. A password doesn't mean encryption, it merely means a password. Windows login passwords would satisfy the law, even if they did nothing to protect the data on the disk. An attacker could start up the device with a recovery CD, or use one of many software tools to break the Windows password -- which will take just a few seconds to do.

Changing the law

In mid 2007, I contacted my State Representative Matt Pierce and asked him to look into fixing the law. He liked the idea, and asked me to compile a list of the problems in the existing rules and suggested fixes.

In January 2008, Representative Pierce submitted a bill to committee that fixed the data encryption flaw, as well as requiring the attorney general of the state to post a copy of every data breach incident impacting 1 or more Indiana residents to an official website.

The bill passed through committee, and then passed unanimously through the Democratically controlled House, 94-0. Unfortunately, once the bill arrived in the state Senate, it had attracted the attention of lobbyists - some of whom flew in from Washington DC specifically to oppose the website reporting provision in the bill. The experience was eye-opening, and gave me a rapid education in the influence of money in politics. Sadly, the lobbyists from AT&T, Microsoft, and Lexis Nexis got their way.

In the end, the Republican controlled Senate stripped out a number of portions of the proposed law. The bill that came out of the Senate, which included the laptop encryption fix, passed unanimously 46-0.

Finally, on Monday the 25th of March, Governor Mitch Daniels signed the bill into law.

As of July 1, 2008, Indiana's data breach law will be amended, such that a company will not have to report the:

"Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device."

I am confident that Indiana's new law will provide an extremely strong incentive to businesses in the state. Either they can start using encryption to protect customers' data, or, when they do lose a laptop, they can pay the financial and reputation costs of having to send out hundreds of thousands of letters to consumers.

No business is being forced to do anything - but the smart ones will most likely start taking additional steps to protect customer data.

All the credit and thanks for this effort should go to Representative Matt Pierce, who fought the good fight, and waged battle against big money lobbyists. While the perfect bill did not pass, the change to the law is positive, and it would not have happened without Pierce's hard work.

March 19, 2008 11:18 AM PDT

Facebook launched a bunch of new privacy controls today, and has received a significant amount of positive press as a result. The praise is perhaps not so deserved--as the new privacy controls can be easily evaded.

The new privacy settings allow users to customize which friends can view specific details in their own profile. Users can lock down specific bits of information to their friends, friends of friends, or even particular individuals.

Facebook's new privacy controls

There is, however, a significant design flaw present in this new feature. Facebook users can select which types of strangers can view their profile. That is, a student at Stanford University can decide to allow other undergrads to view their profile, while specifically forbidding staff and professors who have not been made a friend from viewing it.

This sounds like a great idea, and should be a significant benefit to those students who find that their Facebook-advertised parties were busted by police who found out about the events through the social-networking site.

The primary problem is that Facebook has no way of determining what someone's university status is. The company is only able to verify that the user has a valid .edu e-mail address, which could mean that the person is a student, staff member, professor, or alumnus. As a result, Facebook asks users to self-report this information.

Given an example situation where a student doesn't wish for the Facebook-using professors at their university to be able to view their profile, it would be trivially easy for a professor to log in, and change his or her own status to that of an undergrad.

To test this out, I changed my own status at Indiana University to that of an undergrad, a staff member, and an alumnus before switching back to being a graduate student. Facebook's system didn't complain once, and I was able to verify that the updated status was indeed reflected on my own profile.

Changing status in Facebook

This is a fairly significant security flaw in Facebook's fancy new privacy controls, and frankly, there isn't too much the company can do to fix it. In the real world, it's perfectly possible for an administrative staff member to go back to school (and thus become an undergrad), or for a grad student to become a professor. The status controls need to be modifiable.

At least under the old controls, Facebook users (in theory) knew that their profiles could, by default, be viewed by any other Facebook user at the same university. This new system provides little in the way of real additional protection, yet may give users a false sense of security, leading the millions of users to post even more stupid and embarrassing things to the site than they currently do.

I spoke with a Facebook spokesperson shortly before press time, who told me that she could not comment on the specific issues I raised.

Disclosure: I am a part-time technology policy fellow at the Electronic Privacy Information Center, where one of my projects involves social-networking privacy issues.

March 19, 2008 9:12 AM PDT

Update at 10:10 a.m. PDT: The titles for Tessa Sproule and Guinevere Orvis have been tweaked.

Following closely on the heels of Norway, Canada's public broadcasting service is adopting DRM-free BitTorrent distribution for a major prime-time show.

On March 24, CBC will use BitTorrent to distribute this year's broadcast of Canada's Next Great Prime Minister. This will make Canada the first country in North America to release high-quality, DRM-free copies of a prime-time show using the popular P2P file-sharing technology.

(Credit: CBC)

Canada's Next Great Prime Minister, an annual competition in which young adults propose ways to improve the country in hopes of winning 50,000 Canadian dollars, attracted more than 1 million viewers in 2007. While broadcast shows in the United States regularly reach more than 8 million viewers, for a Canadian broadcast program, 1 million is a huge success.

Tessa Sproule, the CBC manager in charge of the show's digital outreach, is a regular reader of the BoingBoing blog, which earlier this month highlighted the use of BitTorrent by Norway's public broadcaster for one of its most popular shows. Sproule was inspired by the Norwegian experiment and pushed for something similar at CBC.

While plenty of TV networks have experimented with offering shows online for free, it is CBC's use of DRM-free BitTorrent downloads that is the most interesting. Guinevere Orvis, one of the interactive producers on the show, told me that the motivation for this choice was their desire for the "show to be as accessible as possible, to as many Canadians as possible, in the format that they want it in." As for DRM, she said: "I think DRM is dead, even if a lot of broadcasters don't realize it." She added that "if it's bad for the consumers, it's bad for the company."

Michael Geist, a copyright guru and law professor at the University of Ottawa, hailed CBC's move, writing on his blog that "this development is important not only because it shows that Canada's public broadcaster is increasingly willing to experiment with alternative forms of distribution, but also because it may help crystallize the net neutrality issue in Canada."

Rogers Cable, one of Canada's largest Internet providers, has adopted Comcast-style BitTorrent filtering, so CBC's use of the technology is sure to heat up the debate.

CBC is conducting the entire BitTorrent effort in-house. The show will be encoded into multiple formats (including an iPod-friendly version), Orvis said, and the BitTorrent distribution will run on CBC's own server.

The BitTorrent version will be available for download to anyone in the world, which is a significant change from previous online TV efforts. The iPlayer platform made by England's BBC is only available to consumers with U.K. network addresses. Similarly, Hulu, the joint effort between Fox and NBC, blocks Net users who are outside the United States. Orvis told me that BitTorrent made the global distribution possible, as it meant that Canadian taxpayers were not subsidizing the cost of delivery to foreign viewers.

Sadly, here in the U.S., TV networks are nowhere near as enlightened. NBC and Fox have some of their shows available for free via low-quality streams online. Comedy Central, seemingly tired of sending take-down letters to YouTube, made its entire archive of The Daily Show and The Colbert Report available online, via low-quality, free streams. Even PBS provides streams for some of its content.

The only way for U.S. consumers to download high-quality shows is, unfortunately, via iTunes, which charges $1.99 for a DRM-locked copy of the show. Linux users need not apply.

Of course, Net users can always turn to BitTorrent for DRM-free, high-quality downloads. It's easy to use--easier than iTunes in many cases--and offers a wider selection. However, it remains, for now, illegal.

When will U.S. broadcasters get a clue, ditch DRM, ditch iTunes, and adopt BitTorrent?

March 17, 2008 8:30 AM PDT

Google is now the first of the major search engines and e-mail providers to make a firm statement on the issue of the National Security Agency's wholesale surveillance of Internet content.

Google has stated it didn't help the NSA search your e-mails. More specifically, the company denies participating in the NSA's Terrorist Surveillance Program. But the company's carefully worded denial might not be enough to reassure savvy readers.

The Wall Street Journal recently revealed the true extent of the NSA's surveillance system:

"According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic e-mails and Internet searches."

This builds on what we learned the previous week, when The Washington Post revealed that the primary motivation for the White House's wiretapping immunity demands is to protect those firms that assisted with illegal, mass-scale surveillance of e-mail traffic.

Google has now taken the interesting step to become the first major Internet company to deny helping the NSA. In an on-the-record e-mail with a company spokesperson on Friday, I was told that:

"Google was not part of the NSA's Terrorist Surveillance Program."

Is that enough to reassure you?

If Google was obligated to give up search/e-mail records, it is likely that this request would be made via a Patriot Act authorized National Security Letter. A recent Journal article confirmed as much, stating that the information gained from National Security Letters ended up in the gigantic NSA databases. But recipients of those letters may not be allowed to tell anyone about it, and may in fact be forced to lie.

The owner of an ISP who received one of these secret orders explained the significant restrictions placed upon him in a letter to The Washington Post back in 2007.

Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case--including the mere fact that I received an NSL--from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. When clients and friends ask me whether I am the one challenging the constitutionality of the NSL statute, I have no choice but to look them in the eye and lie.

If this poor gentleman had to lie to his girlfriend and family, it's possible that Google, if it did receive an FBI National Security Letter, might be placed in a similar position.

Careful wording

My original question to Google was, "Is Google sharing 'huge volumes' of search records with the government?" I never asked about the NSA's Terrorist Surveillance Program specifically.

As Salon's Glenn Greenwald has explained, the Bush administration has been very careful with its use of the term "Terrorist Surveillance Program." Many snooping activities, some of which were clearly illegal, do not come under this definition. Simply put, Google could have handed over a copy of every search request and every e-mail sent by a Gmail user to the U.S. government and it would still be able to quite correctly deny participating in the Terrorist Surveillance Program.

In any case, on January 17, 2007, Attorney General Alberto Gonzales announced that the Terrorist Surveillance Program would not be reauthorized by the president, but would be subjected to quasi-judicial oversight. So the Terrorist Surveillance Program, at least by that name, no longer exists, and Google could be actively handing over millions of e-mails, while the statement made by its PR people would be completely true.

Continued concerns

What if Google's PR people are telling the truth? What if Google really didn't help the NSA, and the spooks are collecting millions of search records via wiretaps placed on the Internet backbone?

It's worth pointing out that Google has stood up to the feds when they demanded search records a couple years back--but this was the DOJ, not the NSA.

The problem remains that Google is not doing a single thing to protect its customers from this kind of large-scale surveillance. While the company supports SSL-encrypted Webmail sessions, it does little to advertise it, and has taken no steps to turn it on by default.

However, the biggest problem is search. Google offers no way for its customers to search the Internet without an evil ISP (such as AT&T) snooping on the traffic. Google could very easily enable SSL search sessions, but has not taken any steps to do so.

When asked about the webmail security problem, and which steps customers should take to protect their search traffic from snooping Internet service providers, Google's spokesperson directed me to the company's much ridiculed YouTube Privacy channel.

I spent a few minutes browsing through the channel, but couldn't find any specific advice on protecting myself from illegal wiretaps and government surveillance. YouTube seems to be a great place to find videos of skateboarding dogs, but not such a great source of privacy tips.

For those of you who care more about your privacy than cute YouTube videos, I highly recommend the Tor anonymous web proxy, as well as the Customize Google Firefox browser extension.

  • About Surveillance State

  • Christopher Soghoian, a graduate student in the school of Informatics at Indiana University, delves into the areas of security, privacy and e-crime. His homepage is www.dubfire.net/chris and his research group is available at www.stop-phishing.com. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
