Archive for September, 2009

Rule of Law vs the Rule of Reason

That’s my Slaw post for today.   It reads as follows:
I was reading my usual RSS feeds this morning, partly to see if I could find some inspiration for my Slaw post for today, and found the following post on Techdirt. I couldn’t agree more – and since this is one of those “like he said” [...]

Anti-Piracy Group Drops Ridiculous Claim Against ISP

With just days to go before the BitTorrent piracy case involving Aussie ISP iiNet goes to court, anti-piracy group AFACT has made a second significant legal retreat. The group, which represents Hollywood movie studios, has now dropped its claims that iiNet engaged in primary acts of copyright infringement.

Cops Can’t Convert Car Into Tracking Device Without Court’s OK

The Supreme Judicial Court of Massachusetts recently held that officers may not place GPS tracking devices on cars without first getting a warrant. The case, Commonwealth v. Connolly, was decided under the state corollary to the Fourth Amendment, and its reasoning may influence pending GPS tracking cases, including United States v. Jones, where EFF is an amicus.

Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control and use of the defendant’s vehicle to track its movements interferes with the defendant’s interest in the vehicle notwithstanding that he maintains possession of it.” Thus, the court held this interference with the owner’s possessory interest requires a warrant.

Interestingly, Connolly did not hold that it was a violation of the state constitution to use GPS technology to track suspects as they drive. The court merely acknowledged two 1970s era U.S. Supreme Court cases that had found that the Fourth Amendment did not regulate the use of primitive beeper technology that helped officers follow a suspect’s public movements, before moving on to the question of whether the installation was a seizure. Another recent state court case, People v. Weaver in the State of New York, has held that because modern GPS devices are far more powerful than beepers, police must get a warrant to use the trackers, even on cars and people traveling the public roads.

Massachusetts and New York are in the forefront of protecting their citizens’ right to location privacy against technological encroachment. Federal courts should do the same under the Fourth Amendment. For the Constitution to have continued relevance in a technological world, it should protect the privacy that individuals reasonably anticipate as we move through the world, and that means no pervasive, remote, suspicionless, wholesale tracking by GPS or other device.

It’s Funny Because It’s True

Yesterday, Newark, N.J. Mayor Cory Booker jokingly placed Tonight Show host Conan O’Brien on the “Newark New Jersey Airport No-Fly List,” after the comedian poked fun at the city on his late night television show.  Mayor Booker’s joke about O’Brien’s potential barring from flying out of New Jersey is very funny. Maybe O’Briens across the country [...]

NYT: New Obama Policy on State Secrets isn’t Enough; Reform by Congress is Needed

Today’s New York Times included an excellent editorial on the Obama Administration’s new policy toward the state secrets privilege. Echoing EFF’s disappointment in the new procedures, the editorial explains:

The other day, Attorney General Eric Holder Jr. issued new guidelines for invoking the state secrets privilege in the future. They were a positive step forward, on paper, but did not go nearly far enough. Mr. Holder’s much-anticipated reform plan does not include any shift in the Obama administration’s demand for blanket secrecy in pending cases.

EFF’s lawsuit against the government over the National Security Agency’s warrantless wiretapping program, Jewel v. NSA, is one of those pending cases. As the editorial continues,

Nor does [the new policy] include support for legislation that would mandate thorough court review of state secrets claims made by the executive branch…. In any event, while more stringent self-policing of executive branch secrecy claims is welcome, it is hardly a total fix. Senator Russ Feingold, a Wisconsin Democrat, noted that without a clear, permanent mandate for independent court review of the administration’s judgment calls, Mr. Holder’s policy “still amounts to an approach of ‘just trust us.’”

If the Obama team is sincere about wanting to end state secrets abuses, it will support the State Secrets Protection Act sponsored in the Senate by Patrick Leahy, the Judiciary Committee chairman, and in the House by Representative Jerrold Nadler, a Democrat of New York. The measure contains safeguards to ensure protection of legitimate secrets. But before ruling on a secrets claim, and possibly dismissing a lawsuit, judges would be required to review the documents or evidence in question instead of just accepting assertions in government affidavits.

The White House’s continuing silence about pending legislation to reform the state secrets privilege has caused the issue to stall in Congress. Even though State Secrets Protection Act legislation was introduced in both the House and the Senate this past spring, Congress has been wary of considering those bills without knowing the White House’s position. Hopefully, this editorial from the New York Times will convince President Obama that now is the time to take a strong position in favor of those bills’ reasonable limits on government secrecy.

JUSTICE: The Remedy for Government Surveillance

(Originally posted to The Hill’s Congress Blog.)
As the end of the year approaches, Congress is facing a looming deadline: three sections of the infamous USA Patriot Act are due to sunset on December 31. Since it was rushed through Congress just 45 days after September 11, the Patriot Act has paved [...]

Breaking Vanish: A Story of Security Research in Action

Today, seven colleagues and I released a new paper, “Defeating Vanish with Low-Cost Sybil Attacks Against Large DHTs”. The paper’s authors are Scott Wolchok (Michigan), Owen Hofmann (Texas), Nadia Heninger (Princeton), me, Alex Halderman (Michigan), Christopher Rossbach (Texas), Brent Waters (Texas), and Emmett Witchel (Texas).

Our paper is the next chapter in an interesting story about the making, breaking, and possible fixing of security systems.

The story started with a system called Vanish, designed by a team at the University of Washington (Roxana Geambasu, Yoshi Kohno, Amit Levy, and Hank Levy). Vanish tries to provide “vanishing data objects” (VDOs) that can be created at any time but will only be usable within a short time window (typically eight hours) after their creation. This is an unusual kind of security guarantee: the VDO can be read by anybody who sees it in the first eight hours, but after that period expires the VDO is supposed to be unrecoverable.

Vanish uses a clever design to do this. It takes your data and encrypts it, using a fresh random encryption key. It then splits the key into shares, so that a quorum of shares (say, seven out of ten shares) is required to reconstruct the key. It takes the shares and stores them at random locations in a giant worldwide system called the Vuze DHT. The Vuze DHT throws away items after eight hours. After that the shares are gone, so the key cannot be reconstructed, so the VDO cannot be decrypted — at least in theory.

What is this Vuze DHT? It’s a worldwide peer-to-peer network, containing a million or so computers, that was set up by Vuze, a company that uses the BitTorrent protocol to distribute (licensed) video content. Vuze needs a giant data store for its own purposes, to help peers find the videos they want, and this data store happens to be open so that Vanish can use it. The million-computer extent of the Vuze data store was important, because it gave the Vanish designers a big haystack in which to hide their needles.

Vanish debuted on July 20 with a splashy New York Times article. Reading the article, Alex Halderman and I realized that some of our past thinking about how to extract information from large distributed data structures might be applied to attack Vanish. Alex’s student Scott Wolchok grabbed the project and started doing experiments to see how much information could be extracted from the Vuze DHT. If we could monitor Vuze and continuously record almost all of its contents, then we could build a Wayback Machine for Vuze that would let us decrypt VDOs that were supposedly expired, thereby defeating Vanish’s security guarantees.

Scott’s experiments progressed rapidly, and by early August we were pretty sure that we were close to demonstrating a break of Vanish. The Vanish authors were due to present their work in a few days, at the Usenix Security conference in Montreal, and we hoped to demonstrate a break by then. The question was whether Scott’s already heroic sleep-deprived experimental odyssey would reach its destination in time.

We didn’t want to ambush the Vanish authors with our break, so we took them aside at the conference and told them about our preliminary results. This led to some interesting technical discussions with the Vanish team about technical details of Vuze and Vanish, and about some alternative designs for Vuze and Vanish that might better resist attacks. We agreed to keep them up to date on any new results, so they could address the issue in their talk.

As it turned out, we didn’t establish a break before the Vanish team’s conference presentation, so they did not have to modify their presentation much, and Scott finally got to catch up on his sleep. Later, we realized that evidence to establish a break had actually been in our experimental logs before the Vanish talk, but we hadn’t been clever enough to spot it at the time. Science is hard.

Some time later, I ran into my ex-student Brent Waters, who is now on the faculty at the University of Texas. I mentioned to Brent that Scott, Alex and I had been studying attacks on Vanish and we thought we were pretty close to making an attack work. Amazingly, Brent and some Texas colleagues (Owen Hofmann, Christopher Rossbach, and Emmett Witchel) had also been studying Vanish and had independently devised attacks that were pretty similar to what Scott, Alex, and I had.

We decided that it made sense to join up with the Texas team, work together on finishing and testing the attacks, and then write a joint paper. Nadia Heninger at Princeton did some valuable modeling to help us understand our experimental results, so we added her to the team.

Today we are releasing our joint paper. It describes our attacks and demonstrates that the attacks do indeed defeat Vanish. We have a working system that can decrypt Vanishing data objects (made with the original version of Vanish) after they are supposedly unrecoverable.

Our paper also discusses what went wrong in the original Vanish design. The people who designed Vanish are smart and experienced, but they obviously made some kind of mistake in their original work that led them to believe that Vanish was secure — a belief that we now know is incorrect. Our paper talks about where we think the Vanish authors went wrong, and what security practitioners can learn from the Vanish experience so far.

Meanwhile, the Vanish authors went back to the drawing board and came up with a bunch of improvements to Vanish and Vuze that make our attacks much more expensive. They wrote their own paper about their experience with Vanish and their new modifications to it.

Where does this leave us?

For now, Vanish should be considered too risky to rely on. The standard for security is not “no currently demonstrated attacks”, it is “strong evidence that the system resists all reasonable attacks”. By updating Vanish to resist our attacks, the Vanish authors showed that their system is not a dead letter. But in my view they are still some distance from showing that Vanish is secure. Given the complexity of underlying technologies such as Vuze, I wouldn’t be surprised if more attacks turn out to be possible. The latest version of Vanish might turn out to be sound, or to be unsound, or the whole approach might turn out to be flawed. It’s too early to tell.

Vanish is an interesting approach to a real problem. Whether this approach will turn out to work is still an open question. It’s good to explore this question — and I’m glad that the Vanish authors and others are doing so. At this point, Vanish is of real scientific interest, but I wouldn’t rely on it to secure my data.

[Update (Sept. 30, 2009): I rewrote the paragraphs describing our discussions with the Vanish team at the conference. The original version may have given the wrong impression about our intentions.]
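
An added example, not code from Vanish or from the paper: a small Python model of the design described in this post (a fresh key split into ten shares with a quorum of seven, stored in a data store that discards entries after eight hours). It shows that the expiry guarantee holds only if nobody kept a quorum of shares while they were live. `ToyDHT`, the in-memory `archive`, and the choice of Shamir's scheme for the split are assumptions made for illustration; the post does not name the sharing scheme.

```python
import secrets

P = 2**521 - 1  # Mersenne prime, large enough to hold a 256-bit key

def split(secret, n, k):
    """Shamir split: n shares, any k of them reconstruct the secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

class ToyDHT:
    """Hypothetical in-memory stand-in for a store that drops entries after a TTL."""
    def __init__(self, ttl_hours=8):
        self.ttl, self.now, self.store, self.observers = ttl_hours, 0, {}, []

    def put(self, index, value):
        self.store[index] = (value, self.now + self.ttl)
        for observer in self.observers:  # whoever holds the entry also sees it
            observer(index, value)

    def get(self, index):
        entry = self.store.get(index)
        return None if entry is None or entry[1] <= self.now else entry[0]

def run(n=10, k=7, recorded=7, ttl_hours=8):
    """Store n key shares, let them expire, then try to rebuild the key."""
    key = secrets.randbits(256)          # constructed sample key
    dht, archive = ToyDHT(ttl_hours), {}
    indices = [secrets.token_hex(20) for _ in range(n)]
    watched = set(indices[:recorded])    # assumption: puts a recorder happened to see

    def record(index, value):
        if index in watched:
            archive[index] = value
    dht.observers.append(record)

    for index, share in zip(indices, split(key, n, k)):
        dht.put(index, share)

    def recover(lookup):
        shares = [s for s in map(lookup, indices) if s is not None]
        return combine(shares[:k]) if len(shares) >= k else None

    before = recover(dht.get)
    dht.now += ttl_hours + 1             # time passes; the store forgets
    return {
        "readable_before_expiry": before == key,
        "readable_after_expiry": recover(dht.get) is not None,
        "recovered_from_archive": recover(archive.get) == key,
    }

if __name__ == "__main__":
    print(run(recorded=7))  # a retained quorum still yields the key
    print(run(recorded=6))  # one share short: the key stays lost
```

The threshold is the only margin: retaining six of ten shares recovers nothing, retaining seven recovers the key regardless of what the store has since discarded.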

Prompted by EFF Lawsuit, FBI (Partially) Releases Domestic Surveillance Guidelines

The Federal Bureau of Investigation has released a heavily censored version of its controversial Domestic Investigations and Operations Guidelines (DIOG), which became effective on December 1, 2008. EFF requested public disclosure of the guidelines under the Freedom of Information Act in December and, after more than six months passed with no response, we filed suit against the Department of Justice in June 2009. In response to the lawsuit, the Bureau agreed to answer EFF’s disclosure request no later than October 13, and the court ordered it to do so. The FBI’s partial release of the DIOG complies with the court’s order to respond to our request.

The 258-page document implements the Attorney General’s Guidelines for Domestic FBI Operations, the most recent version of which was issued late last year by former Attorney General Michael B. Mukasey. For 33 years, the FBI’s domestic surveillance activities have been conducted according to a set of guidelines promulgated and revised by successive Attorneys General. Initially crafted by Edward Levi in 1976, the first set of guidelines were put into place to curb the invasive techniques of the FBI’s Counterintelligence Programs (“COINTELPRO”) of the 1960s and 1970s.

The Mukasey guidelines, among other things, gave the FBI the authority to open investigative “assessments” of any American without any factual predicate or suspicion. Such “assessments” allow the use of intrusive techniques to surreptitiously collect information on people suspected of no wrongdoing and no connection with any foreign entity. These inquiries may include the collection of information from online sources and commercial databases, and the use of grand jury subpoenas to obtain telephone and email subscriber information.

In light of the invasive techniques that can be used as part of an “assessment,” it is disturbing that large portions of Section 5 of the DIOG, which governs the conduct of “assessments,” have been blacked out by the FBI in the publicly accessible version of the guidelines. The withholding of this information is particularly troubling when the Bureau concedes in a released portion of the DIOG that “assessments” are undertaken with “no particular factual predication,” a standard which the agency itself admits is “difficult to define.” It is also notable that the FBI has withheld virtually all of the section of the DIOG (Section 16) that governs “undisclosed participation” by FBI agents and informants in political and civic organizations.

The extensive withholding of critical parts of the DIOG conflicts with public assurances made by FBI and Justice Department officials. In a letter to Senate Select Committee on Intelligence Chairman John D. Rockefeller IV, dated December 15, 2008, Valerie Caproni, the General Counsel of the FBI, noted that “we understand that the expansion of techniques available . . . has raised privacy and civil liberties concerns [but] we believe that our policies and procedures will mitigate those concerns.” Ms. Caproni stated that the FBI will “reassess the policy judgments made in the DIOG in one year.” She stated that the reassessment will be “informed by our experience in the coming year, as well as by comments and suggestions received from Congress and interested parties.” More recently, in an interview about the DIOG posted on the FBI website, Ms. Caproni said, “to the extent that the public has comments and concerns, they should let us know because nothing is written in stone and we hope we’ve gotten it right but if we haven’t gotten it right, our goal is to make it right.” Similarly, Assistant Attorney General for National Security David S. Kris promised in his confirmation hearing that “input from Congress and the public” would play an important role in the reassessment of the DIOG that is scheduled to occur at the end of this year.

EFF agrees that the DIOG – the blueprint for the FBI’s use of invasive techniques – should be the subject of a full and informed public debate. To that end, we plan to continue to pursue our pending FOIA litigation to challenge the FBI’s decision to withhold substantial portions of the document.

Record Label Embraces Pirate Party BitTorrent Tracker

Last week TorrentFreak reported that the Canadian Pirate Party had established its own BitTorrent tracker. The Pirates hope to show that BitTorrent is not a threat, but a great tool for artists to promote their work. Record label Thorny Bleeder agrees and is now offering free music via the tracker.

I Can Clearly See You’re Nuts: ACORN’s Insane Civil Suit

I’m pretty sure I can struggle my way out. First I’ll just reach in and pull my legs out, now I’ll pull my arms out with my face. – Homer J. Simpson, The Simpsons, Bart Gets An Elephant, 1F15

Weaseling out of things is important to learn. It’s what separates us from the animals! . . . except the weasels.  – Homer J. Simpson, The Simpsons, Boy Scoutz ‘N the Hood, 1F06

I provide these quotes because I can only assume that ACORN has retained Homer Simpson as its general counsel (R.I.P. Lionel Hutz) in what may be the most ill-considered lawsuit of all time.  The cartoon patriarch doesn’t know when to quit and thinks that responsibility can always be shirked. After learning of ACORN’s decision to sue James O’Keefe, Hannah Giles, and breitbart.com for wiretapping, I concluded that the disgraced community organization shares Homer’s sensibilities.

Background: The Association of Community Organizations for Reform Now (ACORN) is an amalgam of several organizations and non-profits that serve low- and middle-income populations. ACORN’s support of Democratic candidates and Left-leaning policies, as well as allegations of financial and electoral misconduct, have earned ACORN the ire of conservatives. 

Hannah Giles and James O’Keefe, two such conservatives with the backing of breitbart.com, punk’d ACORN by posing as a prostitute and pimp in need of housing and tax (evasion) advice. Giles and O’Keefe secretly videotaped their visits to several ACORN offices. In these tapes, employees appear to aid or at least not to object to the pimp’s trafficking of underage sex workers.  

The filmmakers released the tapes; employees were fired; the Republicans howled; and the Democrats, in a bid to steal some of the GOP’s thunder, defunded ACORN with surprising quickness.

Now, ACORN has filed suit against the filmmakers and their patron in the Circuit Court for Baltimore, alleging violations of Maryland wiretapping law.  Md. Cts. & Jud. Proc. Code § 10-410 creates a civil cause of action for violations of Md. Cts. & Jud. Proc. Code § 10-402, which makes it unlawful for any person to:


(1)      Wilfully intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;

(2)      Wilfully disclose, or endeavor to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subtitle; or

(3)      Wilfully use, or endeavor to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subtitle. 

To which I say, ACORN have you lost your mind? This proceeding cannot make you whole and can only hurt you. Have you never heard of the Streisand effect? Expansive discovery? Public fundraising? Diversity jurisdiction? I feel like I’m taking crazy pills!

So let’s start off by marking the few factors in ACORN’s favor.

  1. ACORN could possibly prevail. It is never a good idea (unless you are the FBI) to secretly record individuals. Wiretapping and privacy statutes are around to prevent this behavior.  (I seem to remember learning that very fact in a CMLP YouTube video starring a strikingly handsome gentleman in a blue shirt. For a quick primer on interviewing, give it a watch.) Plus, Maryland is a two-party consent state, meaning it is unlawful to record a conversation without the consent of all parties involved, which was lacking here. 
  2. Baltimore is fairly liberal and is populated by the very demographic that ACORN endeavors to serve. (But this isn’t going to matter, read on).
  3. Maybe the employees sensed the joke and were just playing along AND maybe that fact will somehow come out during discovery or trial.

Now to touch on all the reasons why this suit is a bad idea:

The Streisand Effect: ACORN cannot help but look like a bully in this action. Media coverage will be enormous. The Internet hordes love an underdog and commentators adore the “another example of out of control lawsuits” angle. All this suit will do is draw attention to ACORN and its (possible) misconduct. This little fact dovetails nicely into the next reason ACORN should drop this suit . . .

Expansive Discovery: The American system allows for liberal discovery requests for the parties in civil litigation. Now recall that ACORN has been the subject of numerous controversies, including claims of embezzlement and voter registration fraud. And the other parties in this case are FILMMAKERS and an ONLINE MEDIA OUTLET. Does ACORN really have nothing to hide? No document that might make it look bad? Why oh why would it risk all this exposure for a few million dollars?

Public Fundraising: Maybe ACORN thought the filmmakers would immediately fold. But (predictably) the whole episode has become a cause célèbre and the Right has rushed in to support the filmmakers. See e.g., Sean Hannity’s call for help. So, the defense will be well funded. And even if ACORN prevails, O’Keefe and Giles will become fundraising magnets for the Republican party, attracting donations and political participation from concerned individuals who root for free speech, individualism, and the American way (cue flag in the background).

Diversity Jurisdiction: This suit isn’t going to remain in Baltimore Circuit Court. O’Keefe is from New Jersey, Giles is from Florida, and Breitbart.com is based in California. According to its complaint, ACORN is an Arkansas corporation with its principal place of business in Louisiana, and the two individual plaintiffs are from Maryland. Because there is diversity of citizenship (that means the parties are all from different states), and the plaintiffs are asking for more than $75,000 in damages, the defendants can (and will) remove the case to federal court. There goes your Baltimore advantage. And if and when it comes time to appeal, now you are in the 4th Circuit, one of the most conservative courts in the United States. Super.

So yes, ACORN should just leave well enough alone and fade into the shadows for a little while.* If it feels compelled to respond, it could release reenactments of the meetings emphasizing the humor/ironic angle. Or ACORN could make a well-reasoned harms-reduction argument that criminalizing prostitution only serves to drive the practice underground and to endanger prostitutes. But the courtroom is not where ACORN wants to fight this battle.


*Note: Silence is a perfectly cromulent strategy and a well thought out response could even serve to embiggen ACORN. As it stands, if ACORN continues on its present course, it might draw Judge Snyder and upset the Stonecutters.    

(Andrew Moshirnia is a second year law student at Harvard Law School. When he grows up he wants to become Chief Justice of the Supreme Court or a sleazy male stripper. Or maybe both . . . like the late Earl Warren. )