LibertyVoice

Freedom and internet

India’s Electronic Voting Machines Have Security Problems

A team led by Hari Prasad, Alex Halderman, and Rop Gonggrijp released today a technical paper detailing serious security problems with the electronic voting machines (EVMs) used in India.

The independent Electoral Commission of India, which is generally well respected, has dealt poorly with previous questions about EVM security. The chair of the Electoral Commission has called the machines “infallible” and “perfect” and has rejected any suggestion that security improvements are even possible. I hope the new study will cause the EC to take a more realistic approach to EVM security.

The researchers got their hands on a real Indian EVM which they were able to examine and analyze. They were unable to extract the software running in the machine (because that would have required rendering the machine unusable for elections, which they had agreed not to do) so their analysis focused on the hardware. They were able to identify several attacks that manipulated the hardware, either by replacing components or by clamping something on to a chip on the motherboard to modify votes. They implemented demonstration attacks, actually building proof-of-concept substitute hardware and vote-manipulation devices.

Perhaps the most interesting aspect of India’s EVMs is how simple they are. Simplicity is a virtue in security as in engineering generally, and researchers (including me) who have studied US voting machines have advocated simplifying their design. India’s EVMs show that while simplicity is good, it’s not enough. Unless there is some way to audit or verify the votes, even a simple system is subject to manipulation.

If you’re interested in the details, please read the team’s paper.

The ball is now in the Election Commission’s court. Let’s hope that they take steps to address the EVM problems, to give the citizens of the world’s largest democracy the transparent and accurate elections they deserve.

Ethics of downloading something you’ve already paid for – Techdirt

Techdirt has a post that’s worth a read that talks about a debate sparked by the NY Times and Computerworld about the ethics of downloading something you have already paid for. It’s an issue worth considering, especially in light of an expected new copyright reform bill in Canada. It ties into issues about format shifting [...]

“Child Pornography Is Great,” Anti-Pirates Say

It is no secret that pro-copyright lobbyists are exploiting child pornography to get file-sharing sites pulled offline. They have done so for years. Their ultimate goal is to use child porn as an excuse to impose a global Internet filter, and with a new directive being presented in the EU their strategy seems to be paying off.

ALDE Hearing on ACTA in Brussels

Earlier this month, I had the opportunity to participate in a hearing on ACTA in Brussels sponsored by Members of the European Parliament Alexander Alvaro and Marietje Schaake.  Other participants included Luc Devigne, the head of the European ACTA delegation, and representatives from eBay and EuroISPA.  The full video of the hearing is posted below.  My presentation begins just after the 5:00 minute mark.


Privacy Takes Step Towards Global Enforcement

My weekly technology law column (Toronto Star version, homepage version) notes that last week the talk of the privacy world was news that 10 privacy and data protection commissioners – led by Canadian Privacy Commissioner Jennifer Stoddart – had released a public letter to Google CEO Eric Schmidt, expressing concern that the Internet giant was forgetting its privacy responsibilities.  

The letter, also signed by the heads of privacy agencies from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, focused on the recent introduction of Google Buzz, a service that offered new social media capabilities.  It attracted the wrath of users and privacy advocates after Google automatically assigned users a network of "followers" from among people with whom they corresponded most often on Gmail.  Google quickly altered the offending features, but the damage was clearly done, as privacy commissioners from around the world used the incident as the basis for a shot across the company’s bow.

Stoddart's role in the letter is instructive.  Fresh off last year's successful showdown with Facebook, in which the popular social media site agreed to alter some of its policies for its more than 400 million users based on a single Canadian complaint, her office has jumped on the technology bandwagon, actively blogging, twittering, and engaging on Internet related issues.

Business reaction to the letter was decidedly mixed, however.  Some argued that it foreshadowed potential regulatory action against Google and other major Internet companies. Others were more skeptical, noting that a closer reading of the letter revealed that the commissioners had few specific complaints remaining about Google Buzz, given the changes implemented by the company weeks earlier.  Moreover, when asked about the status of the case, Stoddart admitted that there had not been a formal investigation into the matter.

As experts debated the importance of the letter, the longer-term impact may come not from specific actions against a company such as Google (there does not appear to be much likelihood of imminent action) but rather from the realization that the joint effort may represent a major step toward the globalization of privacy enforcement.

The difficulties associated with cross-border privacy enforcement have long been viewed as a particularly thorny issue in a world where data moves effortlessly across borders and private companies retain massive databases containing a myriad of personal information.

The European Union has attempted to address the issue by establishing restrictions on the export of data, requiring that data transfers be limited to those countries with "adequate" privacy protections.  Canada has adopted a different approach, eschewing restrictions on data exports but holding organizations accountable for the data they collect, regardless of its location.

Despite efforts to assure the public that these regulatory systems offered effective privacy protections, the reality has been that privacy rules are purely domestic creatures that end at the border.  Indeed, only a few years ago, Stoddart's office maintained that it could not even investigate a case involving a foreign-based company.

The joint letter signals a new approach to privacy enforcement, one based on greater cooperation and mutual recognition of common privacy principles.  While the specifics of privacy laws may vary, the underlying principles are remarkably similar across jurisdictions. As privacy and data protection commissioners work together on issues with a global impact, they create a new layer of enforcement that could lead to joint investigations and parallel enforcement actions.  After years of grappling with the challenges of borderless privacy concerns in a bordered world, that is a development worth buzzing about.

ACTRA on Canadian Heritage Minister James Moore

This week ACTRA's Stephen Waddell appeared before the Standing Committee on Canadian Heritage.  A discussion on the private copying levy led to a testy exchange about Canadian Heritage Minister James Moore with Waddell stating: "I really don't understand why our minister, the minister who should, as you say, be defending artists in this country, is attacking them and proposing to take money out of artists' pockets."  Parliamentary Secretary Dean Del Mastro responded later in the session, calling the comments reprehensible.

Next ACTA Negotiation Round Details Leaked

Information on the next round of ACTA negotiations has leaked out with reports that it will be held in Lucerne, Switzerland from June 28 – July 2, 2010.

FCC Workshop on Open Internet

Yesterday I appeared as a panelist in an FCC Open Internet workshop in Seattle.  Media coverage of the event here.  My comments should be available soon via the FCC Open Internet site.

Gizmodo Editor Chen Entitled to a Little First Amendment Respect

In yesterday’s post, we asserted that the REACT high tech task force search of Gizmodo editor Jason Chen’s home and seizure of his computers and other property as part of their investigation of that blog’s reporting on the iPhone 4G prototype was almost certainly illegal. That claim caused some to question whether the California shield law and the federal Privacy Protection Act (PPA) apply if the reporter himself is suspected of criminal activity.

Both statutory provisions likely apply here, and for good reason. The First Amendment does not excuse illegal activities, but it certainly provides safeguards to ensure that free speech interests are not trampled along the way.

Regarding the PPA, as we said in our original post, “[t]he PPA includes an exception for searches targeting criminal suspects (which Chen may or may not be), but that exception does not apply ‘if the offense to which the materials relate consists of the receipt, possession, communication, or withholding of such materials or the information contained therein.’” If Chen’s property was seized under the theory that he or Gizmodo might be guilty of, say, receiving stolen property for taking possession of the iPhone about which the blog reported, even if he had reason to believe that it was stolen, then the seizure likely violated Chen’s PPA rights because the alleged crime would be one covered by the federal statute.

The California law is more stark. Penal Code section 1524(g) sets forth that “no warrants shall issue” for unpublished “notes, outtakes, photographs, tapes or other data of whatever sort” if that information was “obtained or prepared in gathering, receiving or processing of information for communication to the public.” There is no statutory exception for cases in which the journalist is the one under investigation. If the California legislature intended such an exemption, it could easily have included one, as it did in another part of the same Penal Code section 1524, subdivision (c), which prohibits search warrants targeting physicians, psychotherapists, and members of the clergy, with an explicit exception if they are “reasonably suspected of engaging or having engaged in criminal activity related to the documentary evidence for which a warrant is requested.” (For a review of the respective histories of Penal Code subsections 1524(c) and (g), see PSC Geothermal Services Co. v. Superior Court, 25 Cal. App. 4th 1697, 1705 (Cal. Ct. App. 1994).)

Notwithstanding the clear language of the statute, some observers have pointed to the case of Rosato v. Superior Court, 51 Cal.App.3d 190 (1975), arguing that it stands for the proposition that California’s state shield law “wouldn’t apply to subpoenas or searches for evidence of such criminal activity.” The Rosato decision, however, addresses whether a constitutional right (in that case the right to receive a fair trial) could trump the Evidence Code under certain circumstances. One problem with relying on Rosato is that the reporter’s privilege is now a constitutional and not merely a statutory right, having been overwhelmingly approved by voters in 1980 (after the Rosato decision). See, e.g., Liggett v. Superior Court (Gregerson), 260 Cal. Rptr. 161 (Cal. App. Ct. 1989) (“The purpose of adding the shield law to the Constitution was ostensibly to trump the reasoning of Rosato and Farr and to further insulate the shield law from judicial tampering.”) (vacated on other grounds). If the reporter’s privilege is to give way to a competing right, that right must be constitutional in nature, as the California Supreme Court noted in Miller v. Superior Court, 21 Cal. 4th 883, 898 (Cal. 1999):

[T]here is nothing illogical in interpreting “the people['s] … right to due process” not to include the right to compel the press through the sanctions of contempt-incarceration and substantial fines-to supply unpublished information obtained in the newsgathering process. The fact that the assertion of this immunity might lead to the inability of the prosecution to gain access to all the evidence it desires does not mean that a prosecutor’s right to due process is violated, any more than the assertion of established evidentiary privileges against the prosecution would be a violation.

A bigger problem is that Rosato had nothing to say about the warrant restrictions Penal Code section 1524(g) sets forth to ensure that police investigations involving reporters do not disturb the confidentiality of sources or other unpublished information.

Protections for journalists implicate not only the journalist’s right to speak but also the public’s interest in obtaining information. That is why the First Amendment protects reporters who publish truthful information, even when it was illegally gathered. See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 527-28, 533-35 (2001) (First Amendment barred imposition of civil damages under wiretapping law for publishing contents of conversation relevant to matter of public concern); Smith v. Daily Mail Pub. Co., 443 U.S. 97 (1979) (First Amendment barred prosecution under state statute for publishing name of a juvenile defendant). These protections apply even when the reporter has arguably stolen commercial trade secrets or otherwise violated the law. See, e.g., Procter & Gamble Co. v. Bankers Trust Co., 78 F.3d 219 (6th Cir. 1996) (overturning an injunction preventing Business Week from publishing information about a court case even though the District Court had found that the magazine had “knowingly violated the protective order” by obtaining the documents that necessarily reflected “trade secrets or other confidential research, development or commercial information….”); CBS Inc v. Davis, 510 U.S. 1315 (1994) (permitting broadcast of footage of a meat-packing operation obtained through “calculated misdeeds.”).

To be sure, if Gizmodo or Chen did break the law, the First Amendment will likely not affect their potential civil or criminal liability. (The police have as of yet not identified what crime was allegedly committed, who allegedly committed that crime, and what evidence supports such an allegation.) But even in instances in which a reporter may have violated the law, and could be subject to criminal or civil liability for that violation, the First Amendment still applies, as do the procedural safeguards in California law and the federal PPA. Simply put, while a court may conclude that under particular facts and circumstances a reporter must divulge sources or unpublished materials, or that he is liable for his misdeeds, police may not decide on their own to ignore free speech protections for journalists merely by claiming that the reporter may have committed a crime.

Facebook’s Eroding Privacy Policy: A Timeline

Since its incorporation just over five years ago, Facebook has undergone a remarkable transformation. When it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target ads.

To help illustrate Facebook’s shift away from privacy, we have highlighted some excerpts from Facebook’s privacy policies over the years. Watch closely as your privacy disappears, one small change at a time!

Facebook Privacy Policy circa 2005:

No personal information that you submit to Thefacebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.

Facebook Privacy Policy circa 2006:

We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about.

Facebook Privacy Policy circa 2007:

Profile information you submit to Facebook will be available to users of Facebook who belong to at least one of the networks you allow to access the information through your privacy settings (e.g., school, geography, friends of friends). Your name, school name, and profile picture thumbnail will be available in search results across the Facebook network unless you alter your privacy settings.

Facebook Privacy Policy circa November 2009:

Facebook is designed to make it easy for you to share your information with anyone you want. You decide how much information you feel comfortable sharing on Facebook and you control how it is distributed through your privacy settings. You should review the default privacy settings and change them if necessary to reflect your preferences. You should also consider your settings whenever you share information. …

Information set to “everyone” is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The default privacy setting for certain types of information you post on Facebook is set to “everyone.” You can review and change the default settings in your privacy settings.

Facebook Privacy Policy circa December 2009:

Certain categories of information such as your name, profile photo, list of friends and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings. You can, however, limit the ability of others to find this information through search using your search privacy settings.

Current Facebook Privacy Policy, as of April 2010:

When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.

Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it’s slowly but surely helped itself — and its advertising and business partners — to more and more of its users’ information, while limiting the users’ options to control their own information.
