The MySpace suicide case concluded last week, with the jury finding Lori Drew guilty of three misdemeanor counts of gaining unauthorized access to the popular social-networking site.
While most of the press attention has been focused on the specifics of the case, the more important issue is the potential impact this could have on the Internet in general.
Web site terms of service, which end users universally ignore, suddenly have teeth: violating them is a federal hacking offense, punishable with jail time. The days of being able to freely lie on the Web could be coming to an end. This could mean serious trouble for people who lie about their age, weight, or marital status in their online dating profiles.
Bad cases and bad laws
The specifics of the Lori Drew case are messy and emotional. The important fact is that there is no federal cyberbullying statute, so the U.S. attorney in Los Angeles turned to a novel interpretation of existing computer hacking laws to try to punish the woman. The general idea is that in creating terms of service, a Web site owner specifies the rules of admission to the site. If someone violates any of those contractual terms, the "access" to the Web site is done without authorization, and is thus hacking.
Unfortunately for Internet users everywhere, a jury bought the theory last week and found Lori Drew guilty of three misdemeanor violations of the Computer Fraud and Abuse Act, punishable with up to one year in a federal prison and a $100,000 fine for each of the three counts.
Horrible terms of service
Until the Drew case is overturned, terms of service would appear to have the power of federal hacking laws to back them up, at least in cases where an ambitious federal prosecutor is interested in making a name for himself.
Back in March, I wrote about Google's insane terms of service--which forbid the use of the site's search engine, free e-mail service, or any of its other offerings by people under the age of 18. The site's terms state:
"You may not use...Google's products, software, services and Web sites...and may not accept the Terms if...you are not of legal age to form a binding contract with Google."
Under the Department of Justice's current interpretation of hacking laws, every high schooler who uses Google to do homework is in theory a criminal.
However, it gets even better than that. As the Electronic Frontier Foundation noted in its amicus brief to the court, the dating site Match.com prohibits married persons from using the Web site to cheat on their spouses:
"You must be at least eighteen (18) years of age and single or separated from your spouse to register as a member of Match.com or use the Website."
Dating site eHarmony takes this even further, forbidding its users from lying in their online profiles:
"You will not provide inaccurate, misleading or false information to eHarmony or to any other user. If information provided to eHarmony or another user subsequently becomes inaccurate, misleading or false, you will promptly notify eHarmony of such change."
All those people who have lied about their age or weight in an eHarmony profile would now appear to be computer hackers. Oh, and if you gain 30 pounds after posting your profile and don't promptly update your profile--yep, jail for you.
Silver lining...a weapon against RIAA
Back in the early days of the Digital Millennium Copyright Act, activists discussed the creative use of terms of service to keep agents of the RIAA and MPAA from visiting their sites, and collecting evidence for later trials. In a few minutes of searching, I was able to find at least one Web site whose terms of service still forbid such activity.
Notice to RIAA & MPAA and affiliated contractors: Pursuant to DMCA statutes, you are forbidden from accessing or reproducing any content on this site, due to a violation of our terms of service. This is not a matter for discussion. You must exit this Website now.
These amateur click-wrap agreements didn't seem to hold much weight back then. Could the precedent set by the Lori Drew case provide ammunition to pirates, activists, and the thousands of other Internet users who have an anti-RIAA ax to grind?
Parry Aftab, a lawyer and executive director of an anti-cyberbullying group, hailed the court case as a victory, telling the Associated Press that the "verdict has made it very clear if you use the Internet as a weapon to hurt others, especially young, vulnerable teens, you're going to have to answer to a jury. This is not acceptable."
For those of us who see the over 30,000 lawsuits filed by the RIAA as an abuse of the legal system and an organized shakedown of vulnerable high school and college students who know little about the law, perhaps this warning will hold true.
Update at 9:30 a.m. PST: Video audience figures have been updated.
President-elect Barack Obama has now posted his second weekly address to YouTube, and it has already gotten more than 411,000 views. A week ago, I criticized the use of YouTube by Obama's transition team, calling it a no-bid giveaway to the Google-owned video-sharing site.
The solution I called for then--the adoption of BitTorrent as the official distribution platform for Change.gov--was, admittedly, a pipe dream.
In this post, I'll explain why the government needs to step up and host its own videos and why it is simply improper to rely on YouTube to foot the bandwidth bill for Obama's messages to the people. I will also make the case that the use of YouTube and Google Analytics by the Obama transition team violates the privacy of Web site visitors and possibly even violates federal rules banning the use of permanent tracking cookies on government sites.
YouTube as the platform of choice
The announcement a couple weeks ago of Obama's decision to use YouTube for his weekly addresses led to headlines across the world. The president-elect's use of streaming video technology was hailed as revolutionary or, as one transition team rep gushed, "just one of many ways that he will communicate directly with the American people and make the White House and the political process more transparent."
Obama's team uploaded his first video address to YouTube (928,000+ views), AOL (220+ views), Yahoo (8,400+ views), and MSN (545+ views)--all figures as of Monday morning.

In keeping with the spirit of this posting, the above video is not embedded. (Credit: YouTube)
For his second weekly video, the Obama team seems to have ditched AOL and only uploaded the video to YouTube, Microsoft's MSN, and Yahoo. Web 2.0 start-ups such as Veoh, Vuze, Revver, and Blip.tv have not gotten any love.
While the transition team should be commended for uploading the video to multiple sites (albeit all owned by multibillion-dollar tech titans), the difference in the number of views is rather startling. Without access to accurate stats (which are not public), it is tough to know how many YouTube views came from people viewing the video embedded into the Change.gov site, searching YouTube, or watching a copy embedded into a personal blog or other news site.
However, I do think it is fairly reasonable to assume that a decent percentage of those nearly 1 million views came from people visiting Change.gov, the taxpayer-funded, official site of the Obama transition team. It is those hundreds of thousands of viewers who clicked the play button to load and stream a video embedded from YouTube's servers that are the focus of this post.
Privacy risks
YouTube, like many other sites, uses persistent cookies to track repeat visitors. Thus, when a regular YouTube user views a video embedded in a blog or other third-party site, the user's cookie is automatically sent to YouTube's servers--even without the user clicking the play button. Given the widespread use of embedded videos, this gives Google, which owns YouTube, an even better idea of the surfing habits of millions of people around the world.
And even if you believe Google's "do no evil" motto, it seems at least a little bit creepy for the company to track each time someone visits Change.gov--especially when that person doesn't actually press the play button to watch Obama's latest message to the people.
The privacy risks associated with the widespread use of embedded videos have caused significant concern among privacy activists--enough for the folks at the Electronic Frontier Foundation to develop the privacy-preserving MyTube tool for Webmasters. If the Obama team insists on sticking with YouTube embeds, perhaps it will at least consider deploying MyTube to protect the privacy of citizens who visit the official transition site.
The privacy risks aren't just limited to YouTube.
Just a week ago, Dan Goodin at The Register criticized the use of the Google Analytics Web-tracking code in the Change.gov site--which also sets a permanent tracking cookie. Although he mostly focused on security risks, and not privacy-related threats, he blasted Obama's Web design team, stating that:
The failure of Obama's Webmasters to follow anything remotely like best practices is more than a little troubling because it suggests they don't fully grasp the security realities of living in a Web 2.0 world.
Eight years ago, the issue of cookies tracking users on government sites was a fairly big issue in tech policy circles, drawing the attention of those in Congress. Eventually, the Office of Management and Budget issued a directive that forbade the use of persistent cookies on federal agency sites.
The Obama team's use of both YouTube and Google Analytics raises serious privacy concerns and likely clashes with the OMB directive.

If Obama's transition team can afford to lease a jet for the president-elect and to pay for staff salaries, BlackBerrys, and hotel rooms, why can't it also pay for a few Web servers capable of serving up Flash video? (Credit: Change.gov)
To be clear, Change.gov is not creating or requesting its own persistent cookies. However, due to the embedding of YouTube videos and Google Analytics Web-tracking code in the site, visitors will be transmitting cookies to Google's servers. Since the YouTube cookies are not set directly by the Change.gov servers, it is unclear whether the Google cookies violate the specific OMB directive. Even if they do not, they clearly violate the intention of the rule--which was created in the days before embedded videos or third-party-hosted JavaScript.
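The third-party requests described above can be enumerated from a page's markup. The following is an added example, not code from Change.gov, YouTube or the EFF's MyTube: it lists the outside hosts a page contacts on load and swaps third-party embeds for a plain link, so nothing is sent to them until the visitor clicks. The sample page, the `VIDEO_ID` placeholder and all function names are constructed for illustration.

```javascript
'use strict';
// Added example: static audit of the third-party hosts a page contacts on load.
// Simplified regex scanner for well-formed markup; it is not a full HTML parser
// and does not see requests that scripts generate at run time.

// Read one quoted attribute value from a single tag's text, or null if absent.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'i');
  const m = re.exec(tag);
  return m ? (m[1] !== undefined ? m[1] : m[2]) : null;
}

// Resolve a (possibly relative) URL against the first-party site; return its host.
function hostOf(url, firstPartyHost) {
  try {
    return new URL(url, 'http://' + firstPartyHost + '/').hostname.toLowerCase();
  } catch (e) {
    return null; // unparseable URL
  }
}

// Assumption: subdomains of the first-party host count as first party.
function isThirdParty(host, firstPartyHost) {
  const fp = firstPartyHost.toLowerCase();
  return host !== fp && !host.endsWith('.' + fp);
}

// Find elements the browser fetches as soon as the page renders, with no click.
// Any cookie the browser already holds for that host is sent with the request.
function findThirdPartyLoads(html, firstPartyHost) {
  const found = [];
  const tagRe = /<(script|iframe|embed|object|img|param)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const name = m[1].toLowerCase();
    let url = null;
    if (name === 'param') {
      // Flash-era <object> embeds name the movie in <param name="movie" value="...">
      if ((attr(tag, 'name') || '').toLowerCase() === 'movie') url = attr(tag, 'value');
    } else {
      url = attr(tag, name === 'object' ? 'data' : 'src');
    }
    if (!url) continue;
    const host = hostOf(url, firstPartyHost);
    if (host && isThirdParty(host, firstPartyHost)) found.push({ tag: name, url, host });
  }
  return found;
}

// Unique, sorted list of outside hosts that learn about every page view.
function thirdPartyHosts(html, firstPartyHost) {
  const hosts = findThirdPartyLoads(html, firstPartyHost).map((x) => x.host);
  return Array.from(new Set(hosts)).sort();
}

function esc(s) {
  return s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Mitigation: replace each third-party embed with an ordinary link. The request
// (and the cookie) then goes out only when the visitor chooses to follow it.
function deferEmbeds(html, firstPartyHost) {
  const blockRe = /<object\b[\s\S]*?<\/object>|<iframe\b[\s\S]*?<\/iframe>|<embed\b[^>]*>/gi;
  return html.replace(blockRe, (block) => {
    const loads = findThirdPartyLoads(block, firstPartyHost);
    if (loads.length === 0) return block; // first-party media is left untouched
    const first = loads[0];
    return '<a class="deferred-embed" rel="noreferrer" href="' + esc(first.url) + '">' +
      'Play video (loads content from ' + esc(first.host) + ')</a>';
  });
}

// Constructed sample page: one Flash-style video embed, one analytics script,
// and two first-party resources referenced by relative URL.
const SAMPLE_PAGE = [
  '<html><body>',
  '<img src="/images/logo.png">',
  '<object width="425" height="344">',
  '  <param name="movie" value="http://www.youtube.com/v/VIDEO_ID">',
  '  <embed src="http://www.youtube.com/v/VIDEO_ID" type="application/x-shockwave-flash">',
  '</object>',
  '<script src="http://www.google-analytics.com/ga.js"></script>',
  '<script src="/js/site.js"></script>',
  '</body></html>',
].join('\n');

console.log('contacted on load:', thirdPartyHosts(SAMPLE_PAGE, 'change.gov'));
console.log('after deferring embeds:',
  thirdPartyHosts(deferEmbeds(SAMPLE_PAGE, 'change.gov'), 'change.gov'));
```

The analytics script remains in the second list because it is not an embed; removing that request means self-hosting the measurement or dropping the script.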
The official privacy policy listed at Change.gov makes no mention of cookies, nor of the collection of visitor information by Google's servers. The privacy policy does, however, pledge "not to make personal information available to anyone other than our employees, staff, and agents." At best, the Obama team copied a boilerplate privacy policy from somewhere else and overlooked the use of YouTube and Google Analytics. At worst, it seems pretty deceptive.
When reached for his thoughts, Marc Rotenberg, executive director of the Electronic Privacy Information Center, told me:
On the upside, the transition people have done a good job with the ethics in government rules for transition team members. Now they need to revise the Change.Gov Web site and respect the rights of citizens who are seeking information about the new administration.
Lots of traffic
The low-quality YouTube video embedded into the Change.gov blog is 7MB. When multiplied by more than 900,000 views, we find out that Obama's first video led to the consumption of over 6 terabytes of bandwidth. If the Obama team had to pay for the data, instead of getting it for free from YouTube, it would have cost nearly $1,000, at least if it used Amazon.com's S3 cloud-hosting service.
While YouTube did not serve any advertisements within or around Obama's chat, each of those 900,000+ viewers did see YouTube's name prominently placed within the Change.gov site (as a watermark in the bottom corner of the video). Once the three-minute video is over, viewers are given the ability to watch other related videos (which might have advertisements) or, with one click, to navigate directly to the Google-owned video-sharing site, which certainly has advertisements.
Furthermore, I'm sure that Google's PR team was absolutely overjoyed with the thousands of newspaper articles that flatteringly tied the president-elect to the video-sharing platform. While all press is good press, it is likely such Obama-related press is even better.
Defaults matter
The Obama team's uploading of its weekly videos to YouTube is fine--provided, as is currently the case, that it also uploads the videos to a few other places. As the videos are not copyrighted, members of the public are free to redistribute them via other platforms (as the LegalTorrents P2P site has done), and even mash them up. This is great, and I support this embrace of Internet distribution by the president-elect's team of geeks.
I do, however, have a problem with the use of YouTube-hosted embedded videos on the official Change.gov site.
The transition team has a budget of over $12 million. If it can afford to lease a jet for Obama and to pay for staff salaries, BlackBerrys, and hotel rooms, why can't it also pay for a few Web servers capable of serving up Flash video? Isn't it a bit tacky for the federal government to be relying on Google to host its videos?
It's as if the entire Obama transition team has adopted Hotmail's free e-mail service for its daily communications--with each e-mail sent by an Obama adviser followed by a signature pitching one of Microsoft's products: "See how Windows Mobile brings your life together--at home, work, or on the go."
Obama raised half a billion dollars through online donations during his campaign. His was the first presidential campaign to employ a chief technology officer (a computer geek formerly at the travel site Orbitz). These guys know what they're doing when it comes to technology; they design beautiful, interactive sites and have relied upon complex data-mining algorithms to profile and target individual voters and donors. If they wanted to, they'd have no problem installing a few dozen Adobe Systems Flash streaming servers. However, since YouTube will gladly foot the bill, the Obama team hasn't felt the need.
During his campaign for the presidency, Obama didn't call for a Web 2.0 government, but for a Google government--something that CEO Eric Schmidt, who is now serving as one of Obama's economic advisers, was probably very happy to hear. While I love conspiracy theories as much as the next guy, I don't really see one here. However, given the close connection between Obama and several higher-ups at Google, it is better to avoid the appearance of a conflict of interest.
Thus, it is time to bring an end to embedded YouTube videos on Change.gov. By all means, use streaming video to reach the masses, but let the bits flow from government-owned servers (preferably without privacy-invading cookies). If bloggers wish to embed YouTube videos of the speech on their own sites, that is fine. But Obama shouldn't.
Disclosure: I was a technology fellow at the Electronic Privacy Information Center in spring 2008, where I worked on social-networking-related issues. I also worked for Google as a summer intern in 2006, received two Google fellowships, and currently use the Google Analytics tracking tool for my personal site.
How far does President-elect Barack Obama take his commitment to transparency? Is it a serious pledge to shake up Washington, to apply sunlight to the often shadowy depths of the executive branch, or is it merely a very good marketing campaign?
In the past few days, the public has received some seriously mixed signals on the issue--his decision to use YouTube to speak to the American people, and then press reports indicating that he may give up e-mail as president to avoid oversight.
On Saturday morning, Obama's first video address to the people was posted to YouTube. A copy of the video was embedded into the Change.gov blog, and has since received over 650,000 views. In describing the new YouTube effort, an Obama spokesperson told The Washington Post that:
"This is just one of many ways that he will communicate directly with the American people and make the White House and the political process more transparent."
Contrast that bit of hype to the news that the president-elect will likely be giving up his prized BlackBerry and, like previous presidents, giving up e-mail the moment he takes office, due to the fact that e-mails can be subpoenaed by Congress, or later end up in the presidential library. As The New York Times reported:
In addition to concerns about e-mail security, [Obama] faces the Presidential Records Act, which puts his correspondence in the official record and ultimately up for public review, and the threat of subpoenas. A decision has not been made on whether he could become the first e-mailing president, but aides said that seemed doubtful.
The real issue here is not one of keeping the president's in-box safe from Chinese hackers, but keeping it safe from Congressional investigators.
If the National Security Agency, Central Intelligence Agency, and a number of other spy agencies can provide e-mail access to their tens of thousands of employees, then the president's e-mail can be kept safe and secure. The U.S. government has classified networks, over which classified data flows, and for obvious reasons, these are not connected to the general purpose Internet. And for the spy on the go who needs real-time access to top secret information? The NSA has its own smartphones made for handling classified data.
It is important to note that no one from the Obama administration has gone on record to speak about this issue yet, and so while it is certainly worth discussing, it is still too early to pass judgment upon President-elect Obama's e-mail policy.
In the meantime, the press has reached out to members of past administrations to share their thoughts on the clash between Obama's stated commitment to transparency and a natural desire for privacy. On this issue, former Bush Press Secretary Scott McClellan told the Associated Press:
"While he has pledged an open and transparent government, I doubt the president-elect is interested in subjecting his own personal communications to that standard." He added, "He will have to think very hard about whether he wants to make his own words that subject to open records by having his own e-mail and his own BlackBerry."
If the next president opts to use e-mail, it will almost certainly become part of the public record at some point. However, that lack of e-mail privacy is far more a feature than a bug.
Without being able to follow the paper trails, and see what is being said by whom in the White House, how can real oversight be achieved? The willingness of the next president to use e-mail (and even a smartphone), even with the knowledge that his messages might later be subpoenaed by Congress, will be the best way for him to demonstrate his belief in the importance of sunlight.
As for the issue of Obama's right to privacy--remember that we are not talking about the president's personal Hotmail account, but his ability to use e-mail for work purposes. Americans generally have little to no legal rights to privacy relating to their use of Internet at work--at least with regard to their employer. Bosses have the right to install Web filters, monitoring software, and to read through specific e-mails.
With that in mind, consider that Obama is a public servant who works for us. We, the public, are his collective boss, and so why should he have any privacy rights over the e-mails he sends on our time? If the White House is the People's House, then its e-mail servers are the People's Servers, and we have a right to see every bit of text that gets sent through them at our expense.
Finally, if the president is serious about transparent government, perhaps he'll pledge to not allow his staff to hide behind executive privilege once Congressional investigators come calling (as I am sure they eventually will). Sure, this will be more unpleasant and potentially embarrassing than merely throwing a few carefully scripted videos up on YouTube. However, such a commitment would actually be transparency we can believe in.
Calling for the separation of Google and State.
The news that President-elect Barack Obama will be using YouTube to distribute his weekly "radio" address has been met by general fanfare among the digerati.
This might seem like a bold move--and compared with the relatively boring podcast MP3s of Bush's weekly speech hosted at Whitehouse.gov, it is. However, putting President-elect Obama's video podcasts on YouTube is hardly Change We Can Believe In.
By exclusively hosting his videos at YouTube, the Google-owned dominant player in the user-generated video industry, the Obama campaign has effectively issued its first no-bid giveaway of the next administration.
If Obama really wants to demonstrate his Web 2.0 bona fide intent and prove that he's actually interested in shaking things up, he'll use BitTorrent, the disruptive file-sharing tool that arguably dwarfs YouTube in popularity.
Let's explore a few reasons why Obama should ditch his YouTube plans and switch to BitTorrent:
- As demonstrated by the recent flood of constituent complaints to the House and Senate during the banking bailout, the .gov network simply can't deal with lots of traffic.
- It's not the government's role to pick industry winners and losers. Sure, YouTube has millions of users, but I'm sure that the other Silicon Valley-based user-submitted video sites would love to draw the eyeballs of Obama's podcast subscribers. What about Veoh, Vuze, Hulu, Revver, and Blip.tv?
- While it's awfully nice of Google-YouTube to volunteer the hundreds of gigabytes of bandwidth necessary to host Obama's video content, is it really appropriate to further expand the link between Google and the Obama White House? Google CEO Eric Schmidt already has Obama's ear as a member of his economic advisory board; the Obama campaign has likely paid hundreds of thousands of dollars to Google for AdWords advertising during the campaign; and Google.org's Sonal Shah has landed a key role on Obama's transition committee. Simply put, things are already close enough between Change.gov and the Google Gang.
- There are no copyright issues--since the videos will be made by the federal government, they are automatically in the public domain. Thus, it is perfectly OK for them to be shared via peer-to-peer technologies.
- It'd give Obama a reason to care about Net neutrality. Some on the left are already voicing fears that Obama will soften on his commitment to the Net neutrality cause. Once his weekly addresses are hosted via BitTorrent, he'll have a vested interest in keeping the pipes tamper free. In such a scenario, any anti-file-sharing shenanigans by Comcast or other ISPs would directly impact Obama's ability to speak to the people.
- The Canadians already do it: CBC--Canada's version of PBS--has had highly successful trials of BitTorrent as a low-cost, high-throughput method of distributing video content. Since we're hopefully going to copy the Canadians' obviously better health care system, why not similarly learn from their use of file sharing?
The time is right for the U.S. government to adopt BitTorrent. Mr. Obama, be bold, be brave, and upload to The Pirate Bay.
A tip of the hat to Aaron Shaw, who inspired this blog post in a conversation earlier today.
So much for change.
Telecom policy circles are abuzz with the news of Barack Obama's pick to head the Federal Communications Commission transition team. Obama is reported to have chosen lawyer and DC insider Henry Rivera, a former Democratic FCC commissioner, lobbyist, and currently a partner at communications law firm Wiley Rein.
Rivera is not currently registered as a lobbyist, but according to the Center for Responsive Politics, he lobbied for the Catholic Television Network in 2001. In his capacity as a lawyer, he has represented major wireless carriers, a local exchange carrier, and a major airline in FCC-related matters.
Rivera's law firm is also the former home of Kevin Martin, the current FCC chairman, and is arguably one of the schmooziest lobbyist telecom legal firms in Washington. It employs several former FCC commissioners as well as a significant number of former FCC employees. Of course, Rivera and the other lawyers at Wiley Rein are not the only people at the FCC to leave government for high-paying lobbyist gigs--the practice is widespread.
According to the Center for Responsive Politics, more than 100 former FCC employees have also worked in the private sector. At least 50 percent of them have lobbied on issues related to telecom, communications, and broadcast at some point in their careers. In fact, the FCC is the agency with the third-highest number of employees who have shuffled between the public and private interests focused on the federal government, behind only the White House and the House of Representatives.
This is not to say that Rivera is a bad guy. Art Brodsky, the communications director at public interest group Public Knowledge, described him as "one of the best FCC commissioners ever." However, the selection does seem to suggest that Obama's pick to replace Martin as current FCC chairman will likely be another Washington insider. For public interest groups and technology firms hoping for pro-consumer rules on spectrum and broadband policy, this choice of someone so chummy with the established telecom interests could be bad news.
Question: You're a multibillion dollar tech giant, and you've launched a new phone platform after much media fanfare. Then a security researcher finds a flaw in your product within days of its release. Worse, the vulnerability is due to the fact that you shipped old (and known to be flawed) software on the phones. What should you do? Issue an emergency update, warn users, or perhaps even issue a recall? If you're Google, the answer is simple. Attack the researcher.
With the news of a flaw in Google's Android phone platform making The New York Times on Friday, the search giant quickly ramped up the spin machine. After first dismissing the amount of damage to which the flaw exposed users, anonymous Google executives then attempted to discredit the security researcher, Charlie Miller, who's a former NSA employee turned security consultant. Miller, the unnamed Googlers argued, acted irresponsibly by going to The New York Times to announce his vulnerability instead of giving the Big G a few weeks or months to fix the flaw:
Google executives said they believed that Mr. Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized.
What the Googlers are talking about is the idea of "responsible disclosure," one method of disclosing security vulnerabilities in software products. While it is an approach that is frequently followed by researchers, it is not the only method available, and in spite of the wishes of the companies whose products are frequently analyzed, it is by no means the "norm" for the industry.
Another frequently used method is that of "full disclosure"--in which a researcher will post complete details of a vulnerability to a public forum (typically a mailing list dedicated to security topics). This approach is often used by researchers when they have discovered a flaw in a product made by a company with a poor track record of working with researchers--or worse, threatening to sue them. For example, some researchers refuse to provide Apple with any advance notification, due to its past behavior.
A third method involves selling information on the vulnerabilities to third parties (such as TippingPoint and iDefense)--who pass that information on to their own customers, or perhaps keep it for themselves. Charlie Miller, the man who discovered the Android flaw, has followed this path in the past, most notably when he sold details of a flaw in the Linux kernel to the U.S. National Security Agency for $50,000 (PDF).
Google's poor track record
First, consider the fact that security is a two-sided coin. If Google wants researchers to come to it first with vulnerability information, it is only fair to expect that Google be forthcoming with the community (and the general public) once the flaw has been fixed. Google's approach in this area is that of total secrecy--not acknowledging flaws, and certainly not notifying users that a vulnerability existed or has been fixed. Google's CIO admitted as much in a 2007 interview with The Wall Street Journal:
Regarding security-flaw disclosure, Mr. Merrill says Google hasn't provided much because consumers, its primary users to date, often aren't tech-savvy enough to understand security bulletins and find them "distracting and confusing." Also, because fixes Google makes on its servers are invisible to the user, notification hasn't seemed necessary, he says.
Second, companies do not have a right to expect "responsible disclosure." It is a mutual compromise, where the researchers provide the company with advance notification in exchange for some form of assurance that the company will act reasonably, keep the lines of communication open, and give the researcher full credit once the vulnerability is fixed.
Google's track record in this area leaves much to be desired. Many top-tier researchers have not been credited for disclosing flaws, and in some cases, Google has repeatedly dragged its feet in fixing flaws. The end result is that many frustrated researchers have opted to follow the full-disclosure path, after hitting a brick wall when trying to provide Google with advance notice.
I can personally confirm this experience, after I discovered a fairly significant flaw in a number of commercial Firefox toolbars back in 2007. While Mozilla and Yahoo replied to my initial e-mail within a day or so and kept the lines of communication open, Google repeatedly stonewalled me, and I didn't hear anything from them for weeks at a time. Eventually, Google fixed the flaw a day or two after I went public with the vulnerability, 45 days after I had originally given the company private notice. As a result, I have extreme sympathy for those in the research community who have written Google off.
A rather unimpressive vulnerability
Once we actually look into the details of the vulnerability, and Miller's disclosure, the situation looks even worse for Google.
A known vulnerability: The Android platform is built on top of more than 80 open-source libraries and programs. This particular flaw had been known about for some time and already fixed in the current version of the open-source libraries. The flaw in Google's product only exists because the company shipped out-of-date software, which was known to be vulnerable.
Advance notice: While the anonymous Google executives criticized Miller for not following responsible disclosure practices, it is worth noting that the researcher did provide Google with early notice--informing the company on the 20th of October. It is also important to note that Miller and his colleagues have yet to actually provide full information on the vulnerability or a working proof-of-concept exploit to the security community. Thus, it can hardly be said that Miller followed the full-disclosure path.
If Google can criticize Miller at all, it cannot be for not warning the company, but perhaps for not providing them with enough warning. However, given that Google shipped known-vulnerable software to hundreds of thousands of users, and that fixed versions of the vulnerable software packages have been available for some time, it is difficult for this blogger to sympathize with the folks in Mountain View.
Furthermore, given Mr. Miller's previous mercenaryish history of selling software vulnerabilities to the National Security Agency (which presumably used the flaws to break into foreign government computers, and not in order to fix the vulnerable software), we should be happy that he is at least now sharing the existence of this flaw with the public. At least this way, developers have a good chance of finding and fixing it.
Disclosure: In the summer of 2006, I worked as an intern for the Application Security Team at Google. Furthermore between 2003-2005, I was a student at Johns Hopkins University and was advised by Prof. Avi Rubin, who is one of the founders of Independent Security Evaluators, the company that employs Charlie Miller. A couple of my former colleagues also now work for ISE. I have not spoken with them (or anyone at Google) about this article.
When criminals turn to disk encryption to hide the evidence of their crimes, law enforcement investigations can hit a brick wall. Where digital forensics software has failed to recover encryption passwords, one tried and true technique remains: violence. It is this more aggressive form of good cop bad cop behavior which the Turkish government is alleged to have turned to, in order to learn the cryptographic keys of one of the primary ringleaders in the TJ Maxx credit card theft investigation.
The 2005 theft of tens of millions of credit card numbers from an unsecured wireless network run by TJ Maxx stores has led to over 150 million dollars in damages for the company. The two gentlemen behind the heist sold the pilfered credit card information to others online. Eventually, the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and, according to media reports, a "major figure in the international sale of stolen credit card information."
Mr Yastremskiy was later arrested in 2007, while on vacation in Turkey. The US government has formally requested that Yastremskiy be extradited, and has charged him with a number of crimes including aggravated identity theft.
According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted to physical violence to force the password out of the Ukrainian suspect.
Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.
The Turkish interrogation seemed to have worked as Mr Cox was even able to share Yastremskiy's encryption password with the audience.
Mr Cox, the Assistant Deputy Chief for the DOJ's Computer Crime and Intellectual Property Section, made the comments during his keynote talk at an invitation only event for academic and industry experts focused on phishing related crimes. This blogger has spoken to four sources, each in independent interviews, who claim to have witnessed Mr. Cox making such statements. However, due to the closed-door nature of the event, and fearing that coming forward publicly would lead to them being blackballed from future information sharing sessions, no one would go on the record to make their claims.
If Mr Yastremskiy is successfully extradited to the United States, it is unclear if the evidence from his encrypted disk could be used against him in court. It also remains an open question as to how much the US knew about the alleged beating of Yastremskiy by the Turkish authorities, and when.
If Mr Cox's alleged comments are indeed true, this is alarming news. The majority of cryptographic tools in use today are designed around the general assumption that an end-user can refuse to disclose his or her key if the computer is seized. While password discovery via torture is something that has been discussed in the academic literature for a number of years (it is commonly known as rubber-hose cryptanalysis), it has for the most part remained a theoretical threat. A few tools, such as TrueCrypt, are designed to resist such attacks, and thus use deniable encryption -- that is, making it impossible for someone to examine a computer and be able to determine if there is anything encrypted on the disk. Some tools even allow for multiple deniable encrypted folders, each with a different password.
Of course, TrueCrypt and other tools that have adopted deniable cryptography do not stop government agents from torturing a suspect. It just means that they cannot be sure when to stop the beatings, as there could always be one additional hidden file on the disk.
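To make the hidden-volume idea concrete, here is a toy Python sketch added for illustration; it is not TrueCrypt's code or on-disk format. The slot layout, the function names and the SHA-256 counter keystream (a stand-in for a real cipher) are assumptions of this example.

```python
import hashlib
import hmac
import os

# Toy layout (assumption): a fixed-size container of equal slots. An unused
# slot is random bytes; a used slot is salt | ciphertext | tag, which looks
# like random bytes to anyone without the password for that slot.
SLOT_SIZE, NUM_SLOTS = 256, 4
SALT_LEN, TAG_LEN = 16, 32
BODY_LEN = SLOT_SIZE - SALT_LEN - TAG_LEN
MAX_DATA = BODY_LEN - 2  # two bytes hold the plaintext length


def _keys(password, salt):
    """Derive separate encryption and MAC keys from the password."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=64)
    return k[:32], k[32:]


def _keystream(key, n):
    """SHA-256 in counter mode: a stand-in stream cipher for this demo only."""
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def new_container():
    """Every container starts as random fill, with or without secrets."""
    return bytearray(os.urandom(SLOT_SIZE * NUM_SLOTS))


def store(container, slot, password, data):
    """Encrypt data into one slot; the other slots are left untouched."""
    if not 0 <= slot < NUM_SLOTS or len(data) > MAX_DATA:
        raise ValueError("bad slot or data too long")
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _keys(password, salt)
    body = len(data).to_bytes(2, "big") + data + bytes(MAX_DATA - len(data))
    ct = _xor(body, _keystream(enc_key, BODY_LEN))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    container[slot * SLOT_SIZE:(slot + 1) * SLOT_SIZE] = salt + ct + tag


def open_with(container, password):
    """Try the password on every slot; return the plaintext or None."""
    for slot in range(NUM_SLOTS):
        raw = bytes(container[slot * SLOT_SIZE:(slot + 1) * SLOT_SIZE])
        salt, ct, tag = raw[:SALT_LEN], raw[SALT_LEN:-TAG_LEN], raw[-TAG_LEN:]
        enc_key, mac_key = _keys(password, salt)
        expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            body = _xor(ct, _keystream(enc_key, BODY_LEN))
            return body[2:2 + int.from_bytes(body[:2], "big")]
    return None
```

A container holding one secret and a container holding two are the same size and both look like random bytes, so handing over the decoy password proves nothing about whether a second password exists.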
Multiple requests for comment, by both phone and email to Howard Cox and the DOJ Office of Public Affairs have been ignored. Similarly, the Turkish embassy in Washington DC had not responded to a request for comment by press time.
A Freedom of Information Act request has been submitted for the slides and notes for Mr Cox's speech; however, this could take months or years before any information is returned.
Disclosure:
Mr Cox presented at a closed-door session at the Anti-Phishing Working Group e-Crime summit. I presented at the same conference the next day, at a session open to the general public. My hotel and airplane ticket were paid for by the APWG, as part of a scholarship program for graduate students.
In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.
Finally, due to the fact that the Turkish government is involved, it is worth mentioning that I am 50% Armenian by blood. Several generations ago, a number of my family members died at the hands of the Ottoman Empire (now Turkey). I do not have an axe to grind in this area, but in the interest of honest disclosure, I thought it should be mentioned here.
John McCain's presidential campaign has discovered the remix-unfriendly aspects of American copyright law, after several of the candidate's campaign videos were pulled from YouTube.
McCain has now discovered the rights holder friendly nature of the Digital Millennium Copyright Act, which forces remixers to fight an uphill battle to prove that their work is a "fair use."
However, instead of calling for an overhaul of the much hated law, McCain is calling for VIP treatment for the remixes made by political campaigns.
McCain's proposal: complaints about videos uploaded by a political campaign would be manually reviewed by a human YouTube employee before any possible removal of the remix. The process for complaints against videos uploaded by millions of other Americans would stay the same: instant removal by a computer program, and then possible reinstatement a week or two later after the video sharing site has received and manually processed a formal counter-notice.
With 11 homes and 13 cars, it's not terribly surprising that McCain is calling for special treatment for the YouTube videos of politicians. As for the "fair use" claims of the poor starving masses: Let them eat cake.
On Tuesday, the McCain campaign sent a formal letter to YouTube asking for this two-tier system for "fair use" complaints. Copyright-guru Larry Lessig called it a "fantastic letter", adding "bravo to the campaign" in a post to his blog. Since then, the technology press has been pretty supportive, although the focus of the coverage seems to mainly be along the lines of "McCain realizes that fair use claims are uphill battle." This is the wrong message to send, and as much as I respect Professor Lessig, I have to call him out here. He is wrong. McCain should be criticized for his attempt to get special treatment, and Google/YouTube need to treat all users the same way.
All claims of fair use are equal--yet some claims are more equal than others.
The only way we will get an effective overhaul of copyright laws will be by forcing politicians to suffer along with the masses. The minute a special set of rules is made for those in Congress, the incentive to fix the system will disappear. To drive this point home, consider the following:
During the confirmation hearings for Judge Robert Bork, the Washington City Paper obtained a copy of the Republican nominee's video rental records. Alarmed at the possibility that their own rental histories would be revealed by the press, members of Congress jumped to pass comprehensive privacy legislation for the video rental records of all Americans. Up until the Bork fiasco, there had been no real incentive to fix anything, but once the risk to their own records was made clear, Congress acted. As a result, we are now all protected by the 1988 Video Privacy Protection Act.
Compare this to the horrible situation at airports. Americans are routinely harassed, prodded, poked and humiliated by employees of the Transportation Security Administration. While we stand in line like sheep, congressmen get to skip through the security lines, avoiding the entire process. Given the fact that they don't have to suffer at the hands of TSA, it's not terribly surprising that they have little incentive to fix the problems faced by the rest of us.
These two examples should make it clear--we cannot allow politicians to receive special treatment in copyright and fair use disputes. If anything, campaign videos should receive substandard treatment. McCain's videos deserve to rot in purgatory at the back of the DMCA queue, behind videos of toddlers, skateboarding dogs, Star Wars Kid remixes, and the hundreds of clips of the dramatic chipmunk. Perhaps then, the senator will throw his weight behind comprehensive copyright reform that'll result in real benefits for the rest of the remix-population.
How popular can a piece of software get before being in "beta" is no longer a legitimate excuse for known software flaws? Or, to put it another way, is it responsible to allow hundreds of thousands of people to install your product, when you know ahead of time that doing so opens them up to attack?
The software visionaries at the Mozilla Corporation, which makes the popular Firefox web browser, have taken the approach that creativity and functionality are king--even if security has to take a backseat. Case in point: The widely praised "Ubiquity" software add-on, which brings an amazingly rich and extensible new form of interaction to the Firefox Web browser.
The technology press has showered praise upon the developers of this software tool. However, in prioritizing functionality over security, Mozilla Labs punted complex trust choices to end users--the vast majority of whom are ill-equipped to make such decisions. The end result is that the hundreds of thousands of users of Ubiquity face a significant risk of browser hijacking by attackers, which could result in the theft of e-mail and online banking account information.

Updated: This post originally contained incorrect information about Sentinel's products. That has been corrected (see below).
Attorneys general from a number of states have given their support to a collection of weak and ineffective age verification technologies, all of which aim to protect children on the Internet. At a meeting of the Internet Safety Technical Task Force at Harvard University on Tuesday, the consensus seemed to be that while none of the technologies actually work, doing anything at all was better than nothing. Simply put, no one wants to be blamed for inaction against online child predators.

Kicking off the meeting, Richard Blumenthal, the Connecticut attorney general, summed up the general expectation of the other 48 state attorneys general involved in the effort: "If we can put a man on the moon, we can make the Internet safe (for children)." Unfortunately, while the federal government sank billions of R&D dollars into NASA's space efforts, the AGs have yet to cough up any research funds, and seem to expect industry to come up with their own solutions.
Won't someone think of the children?
Given the intense political pressure to do something about child safety online, and a complete lack of proven, peer-reviewed, and abuse-resistant technologies available on the market, a number of private companies have stepped in to fill the void--with products that can at best be described as ineffective, and at worst as snake oil.
Several age verification solutions were presented at the task force meeting, from companies that included Aristotle, IDology and Sentry. All of the companies seem to do pretty much the same thing--collecting information from public records, and then prompting users to enter some of this info when they wish to log in to an "age restricted" Web site. One example of this is the rated R movie trailers of many Hollywood movie studios, which require a user to enter in his or her name, ZIP, and date of birth before playing the trailer.
This form of verification has been repeatedly criticized as "laughable" by security experts. As a test, I was able to successfully view the trailer for Sony's new thriller movie, Quarantine, by giving the name, date of birth, and ZIP code of vice presidential candidate Sarah Palin, all of which were available on the politician's Wikipedia page. Sony Pictures uses an age verification service from Sentinel (another company which presented at the task force meeting), which seems to only protect the fragile eyeballs of technologically unsavvy youngsters who have not yet learned how to use a search engine.
During the question and answer sessions following their presentations, each of the age verification and other child safety technology vendors admitted that their products are neither bullet proof nor even that difficult to evade. However, they all generally preached a belief in the security benefits of "raising the bar" and providing a "bump in the road."
Speak softly and carry a big stick
With companies and politicians falling over themselves to prove how much they are doing to keep children safe, it is worth taking a look at the incentives and motivations of this industry.
First, the politicians: Attorneys general from 49 states have been focusing on this issue for some time, culminating in an agreement signed with MySpace back in February of this year--the only state to reject the deal was Texas, whose AG felt that the deal didn't go far enough. This is an issue that carries a lot of weight with voters, and as New York AG Andrew Cuomo's recent strong-arming of ISPs over their Usenet news feeds has demonstrated, easy political wins can be gained with little to no pushback from the tech industry.
Second, the social-networking sites: Facebook and MySpace, the 500-pound gorillas of the industry, don't seem to be too keen to adopt any of the existing solutions pitched by vendors--primarily because the technology doesn't do much, won't stop abuse, and will cost the companies money. While News Corp's MySpace certainly has deep pockets and could easily pay a couple million for age verification software, the company appears to be resisting calls to do so primarily out of an urge to avoid a slippery slope. That is, if the social-networking site can be pressured into forcing its user base to jump through one level of inconvenient and burdensome verification, other demands will soon follow.
Third, the "solution" vendors: This collection of companies relies upon fear to sell their products--not so much fear of the abuse of children by predators, but the fears of companies and politicians that they will be accused of not doing anything. These firms are not selling complete solutions to the problem of age verification (since one does not exist)--but are selling excuses. That is, if social-networking sites purchase their products, and children are later groomed or abused online, the companies will at least be able to claim that "we've purchased and used the best age verification products that industry offers. Don't blame us--we've at least tried to do something."
The not so thinly veiled threat aired at the event was that if the industry didn't police itself, the various state AGs might have to push for regulation. The fact that the technology isn't effective doesn't seem to be a major cause for concern. All that really seems to matter, at least for the policy makers, is that the industry do something, which can then be sold to voters back home as a success in protecting little Jane or Johnny.
The offshore problem
The elephant in the room in this debate is the issue of foreign Internet companies. That is, if American social-networking sites are forced to implement oppressive and burdensome age verification rules, teens may ditch MySpace and head to a Chinese, Brazilian, or Indian Web company, where a user's age is not verified.
Internet users are a fickle bunch--that is, they are not particularly loyal to brands, and if a company's product ceases to be cool, users will leave in droves. As an example, just look to Friendster, which was at one point the most popular social-networking site on the Internet. Once MySpace offered a better, more enjoyable experience, Friendster turned into a cyber-ghost town. While the network effect is indeed a powerful and sticky force, a lame user experience will be more than enough to make users leave for greener pastures.
Now, as another example, consider the case of Napster, the first peer-to-peer file-sharing company. Remember that for a time, Napster was the most popular file-sharing tool on the Internet, with tens of millions of users. As an American company, once Congress got wind of the file-sharing phenomenon, it was able to hold hearings, and force the CEO of Napster to appear before the Senate Judiciary Committee.
Fast forward a couple years: Napster had been sued into financial oblivion, and America's teens had moved on to a significantly more legislation-resistant file-sharing platform--Kazaa. This file-sharing company, designed by three men from Sweden, developed by programmers in Estonia, headquartered in Australia, and incorporated in the South Pacific island nation of Vanuatu, was global in scale, and for the most part, completely beyond the reach of America's laws.
Whatever you think of file-sharing, there is one thing that is beyond debate: Due to a change in the legal environment, Americans abandoned, en masse, an American company's P2P offerings, and instead signed up for the services offered by a foreign company whose CEO could never be hauled before the U.S. Congress. Furthermore, while Napster was primarily a service offering free music downloads, the Kazaa platform offered easy access to music, movies, pirated software, and pornography (of both legal and illegal varieties)--all from the same easy to use graphical interface. That is, by chasing file-sharing underground, we completely gave up any possibility of lightly regulating it.
No one present at Tuesday's Task Force meeting had any solutions to this problem, nor were they too keen to discuss it. It would be cruelly ironic if in an effort to protect America's youth online, those same children were chased into the hands of unscrupulous foreign firms with little incentive to protect their users from predators and other forms of harm.
Update: The original version of this blog post included Sentinel in the list of companies who push weak age verification software to social networks. In fact, Sentinel has voluntarily withdrawn its age verification products from the social networking market, although it continues to supply the easy-to-evade product to Hollywood movie studios.
Disclosure: I am a paid student fellow at the Berkman Center at Harvard University, which participates in and hosted the meeting of the Internet Safety Technical Task Force. In particular, professor John Palfrey, the chair of the Task Force, is also the Faculty co-director of the Berkman Center, where I work. I have neither consulted with Palfrey, nor any of my other colleagues at Harvard with regard to this blog post. It reflects my own opinions, and certainly not those of Harvard or any of the other people associated with the Berkman Center.

