Archive for the ‘ privacy ’ Category

Freedom and Control

Cory Doctorow is an entertaining speaker and is one of the few orators that can express coherently the issues of privacy and personal freedom in our increasingly digital times. Below is a recent talk he gave in which he says:

As a member of the Walkman generation, I have made peace with the fact that I will require a hearing aid long before I die, and of course, it won’t be a hearing aid, it will be a computer I put in my body,” Doctorow explains, “So when I get into a car – a computer I put my body into – with my hearing aid – a computer I put inside my body – I want to know that these technologies are not designed to keep secrets from me, and to prevent me from terminating processes on them that work against my interests.

Transportation Safety Administration

The U.S. House of Representatives has the following to say about the TSA:

Since its inception, TSA has hired over 137,000 employees, grown into a mammoth bureaucracy
of 65,000 employees, spent almost $57 billion, yet has failed to detect any major terrorist threat
since 9/11, including the Shoe Bomber, the Underwear Bomber, the Times Square Bomber, and
the Toner Cartridge Bomb Plot. Congress created TSA to be a lean organization that would
analyze intelligence and set risk-based security standards for the U.S. transportation system.
Today, TSA suffers from bureaucratic morass and mismanagement. The agency needs to
properly refocus its resources on assessing threats and intelligence, instituting appropriate
regulations, and auditing and adjusting security performance. TSA cannot do this effectively as
a massive human resources agency.

Today, TSA‘s screening policies are based in theatrics. They are typical, bureaucratic responses to failed security policies meant to assuage the concerns of the traveling public.

The full report can be had HERE.

The report is great for those who did not already know its findings, so their education is important. However, I hope people will understand that the TSA is not a “safety” endeavor at its core. It is a planed desensitization of the people to an ongoing and increasing attempt at the removal of our rights. Don’t be fooled by the reports ulterior motive to distract you from the true cause of the TSA.

Legal Tender. Not in Louisiana.

There is new legislation in Louisiana that in certain cases prevents citizens from trading “legal tender” (specifically cash) for goods.

shall not enter into any cash transactions in payment for the purchase of junk or used or secondhand property

This will undoubtedly make its way through the federal court system and it will be interesting to follow, particularly in that the legislation applies to lawful transactions. There is no question to the lawfulness of the transaction, the law simply makes unlawful the trade of cash for goods in certain lawful transactions.

Read the article by Thad D. Ackel, Jr. Esq.

In addition to stifling business, the law includes a tangible attack on privacy. From the article liked above:

For every transaction a secondhand dealer must obtain the seller’s personal information such as their name, address, driver’s license number and the license plate number of the vehicle in which the goods were delivered.

There is a theme that this legislation adheres to which is making its way into many aspects of our lives (think airport security). It seems Uncle Sams’ believes it best to treat everyone as a criminal because someone is a criminal.

Situations like these always seem to bring me back to the simplicity of our founding fathers ideas of government. At the inauguration of Thomas Jefferson in 1801 he said:

a wise and frugal Government, which shall restrain men from injuring one another, shall leave them otherwise free to regulate their own pursuits of industry and improvement, and shall not take from the mouth of labor the bread it has earned. This is the sum of good government, and this is necessary to close the circle of our felicities.

I love how simple that is and how it exposes our distance from it today. I corresponded briefly with Thad Ackel and promised I’d make this post and promote his efforts to see this legislation corrected.

The case for privacy in the electronic age.

This is likely the finest case for electronic privacy I have encountered and is worth reading.

A Cypherpunk’s Manifesto

by Eric Hughes

Privacy is necessary for an open society in the electronic age. Privacy is not secrecy. A private matter is something one doesn’t want the whole world to know, but a secret matter is something one doesn’t want anybody to know. Privacy is the power to selectively reveal oneself to the world.

If two parties have some sort of dealings, then each has a memory of their interaction. Each party can speak about their own memory of this; how could anyone prevent it? One could pass laws against it, but the freedom of speech, even more than privacy, is fundamental to an open society; we seek not to restrict any speech at all. If many parties speak together in the same forum, each can speak to all the others and aggregate together knowledge about individuals and other parties. The power of electronic communications has enabled such group speech, and it will not go away merely because we might want it to.

Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction. Since any information can be spoken of, we must ensure that we reveal as little as possible. In most cases personal identity is not salient. When I purchase a magazine at a store and hand cash to the clerk, there is no need to know who I am. When I ask my electronic mail provider to send and receive messages, my provider need not know to whom I am speaking or what I am saying or what others are saying to me; my provider only need know how to get the message there and how much I owe them in fees. When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must always reveal myself.

Therefore, privacy in an open society requires anonymous transaction systems. Until now, cash has been the primary such system. An anonymous transaction system is not a secret transaction system. An anonymous system empowers individuals to reveal their identity when desired and only when desired; this is the essence of privacy.

Privacy in an open society also requires cryptography. If I say something, I want it heard only by those for whom I intend it. If the content of my speech is available to the world, I have no privacy. To encrypt is to indicate the desire for privacy, and to encrypt with weak cryptography is to indicate not too much desire for privacy. Furthermore, to reveal one’s identity with assurance when the default is anonymity requires the cryptographic signature.

We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy out of their beneficence. It is to their advantage to speak of us, and we should expect that they will speak. To try to prevent their speech is to fight against the realities of information. Information does not just want to be free, it longs to be free. Information expands to fill the available storage space. Information is Rumor’s younger, stronger cousin; Information is fleeter of foot, has more eyes, knows more, and understands less than Rumor.

We must defend our own privacy if we expect to have any. We must come together and create systems which allow anonymous transactions to take place. People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes, and couriers. The technologies of the past did not allow for strong privacy, but electronic technologies do.

We the Cypherpunks are dedicated to building anonymous systems. We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.

Cypherpunks write code. We know that someone has to write software to defend privacy, and since we can’t get privacy unless we all do, we’re going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. Our code is free for all to use, worldwide. We don’t much care if you don’t approve of the software we write. We know that software can’t be destroyed and that a widely dispersed system can’t be shut down.

Cypherpunks deplore regulations on cryptography, for encryption is fundamentally a private act. The act of encryption, in fact, removes information from the public realm. Even laws against cryptography reach only so far as a nation’s border and the arm of its violence. Cryptography will ineluctably spread over the whole globe, and with it the anonymous transactions systems that it makes possible.

For privacy to be widespread it must be part of a social contract. People must come and together deploy these systems for the common good. Privacy only extends so far as the cooperation of one’s fellows in society. We the Cypherpunks seek your questions and your concerns and hope we may engage you so that we do not deceive ourselves. We will not, however, be moved out of our course because some may disagree with our goals.

The Cypherpunks are actively engaged in making the networks safer for privacy. Let us proceed together apace.

Onward.

Eric Hughes <hughes@soda.berkeley.edu>

9 March 1993

Dropbox – Terms of Service


Do you use Dropbox? Have you read their new recently changed TOS? The following quote is from their “Your Stuff & Your Privacy” section and seems to me to have some far reaching implications that could cause some users major legal trouble. Particularly the last sentence of the quote. Think about that and the stuff you have in your folders. Additionally, the bulk of the statement regarding granting them sublicenseable rights undoubtedly relates to them making your data visible to you and those you share your information with. I suspect that this is with the best of intentions and results in broad language recommended by lawyers but, it is not restricted in any way. So the result is that it matters not what their intentions for your “stuff” are. They can do what they want with it. Just imagine if Facebook buys Dropbox at some point.

My opinion is, be informed and be cautious. It’s ok to use these services but only once you understand the consequences of doing so.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.

Cloudburst cont…

How anyone trusts these services to important information can only be chalked up to ignorance.

http://www.informationweek.com/news/security/vulnerabilities/231000111

FreedomBox project.

I like this. I particularly like the idea of this being able to form a mesh. In my opinion it will be the mesh network that we will eventually rely on for the free dissemination of information. There are many other projects out there that can be aggregated to form the mesh. I mentioned the mesh-potato in the past. There are also many consumer grade wireless routers that can be adapted to the mesh task with freely available custom firmware. I use the WRT54GL and Tomato at home now. Its brilliant.

Here are some other mesh network related sites:

SSH usage, multiple private keys.

There is no doubt that SSH stands as one of the greatest system administration tools ever. I use it many times a day manually and many more through scripts for sysadmin stuff. Sometimes, like today I needed to do something that I have never needed to do before. And of course SSH is capable.

Due to a new network topology at the office I needed to be able to have SSH source more that one private key for authenticating to a remote host. There is more that one way to do this. I used the first solution as it was the most basic.

In the ~/.ssh folder create a file named “config” and chmod it to 600. Add the following line: “IdentityFile ~/.ssh/id_rsa.keyA” and add a subsequent line for the other private keys you want to use. For example you can have “id_rsa.keyA” “id_rsa.keyB” and so on. Make sure that those references actually match the names of your private keyfiles, if not, rename them. Thats it. From now on, when you attempt an ssh key exchange, all those keys will be sourced.

The second solution is more refined. This is what your ~/.ssh/config file might look like for this method.
Host *.home
IdentityFile ~/.ssh/id_rsa.home
Host *.office
IdentityFile ~/.ssh/id_rsa.office
Host *.wan
IdentityFile ~/.ssh/id_rsa.wan

In this case the host you are connecting to will determine the key that will be presented rather than presenting all keys like the first example.

Thanks to Karanbir Singh and his post for helping me with this.

More privacy related thoughts.

Our governments abuse of its power is nothing new and it will not end. It is in the nature of any large governing bureaucracy be it corporate, civil or federal. Clearly the frenetic pace which technology has advanced over the last couple of decades has afforded the government an opportunity to take advantage of a gap in the public’s understanding of the true nature of these technologies and the potential consequences of their use. Because I’m a bit if a geek it’s clear to me on a daily basis how little people understand about the technology they use and depend on on a daily basis. It may not be so important to understand the workings of your refrigerator but when it comes to the way you share and communicate all aspects of your life you really need to understand whats going on. Most of us are voluntarily contributing to a massive information store that is the result of such daily activities as using cell phones, texting, internet phone calling, emailing, credit cards, grocery store discount cards, movie rentals, online purchases, ATM withdrawals, DMV auto inspections, EZ-Pass toll payments, airline/train travel and more. Some of these situations seem benign, however all of them result in some amount of data being collected, transmitted and stored on a computer in a database somewhere. Do you know who knows every item you purchased at Shop Rite for the last 5 years you’ve been using your membership savings card there? Did you even know that someone has that information? Perhaps you don’t care, after all its only a grocery list. But take all the databases for all the activities I mentioned and start putting them together and your life story is suddenly patent knowledge. What you read, what you eat, how much gas you put in your car and where you go, how much cash you tend to have in your purse and the people you talk to most on weekly basis, how much money you owe and how much you drink, what kind if driver you are and how long you have owned your home. Such is the way we exist to lesser or greater degrees but we do live is a digital world and digits are very cheap to store and very valuable depending on the end user. Life with these amenities is quite nice. It affords many conveniences and efficiencies. The problem is that we trade our privacy for convenience and often without the understanding that we are doing so. When was the last time you agreed to a terms of service by clicking that “I Agree” button? Did you actually read the entire “Terms of Service” document? Never. Try it sometime, you will be shocked at what you are agreeing to. The truth is, in most cases, we don’t control or even own any of this information and we have expressly given away all rights to it forever.

In this recent article by the EFF there are some examples of how privacy can be violated by the government and your service providers. The article focuses on abuses but what strikes me most is that much of the abuse is facilitated by what I hope is the general misunderstanding of the tech we use every day rather than a blatant disregard for our own privacy as a citizenry.

This portion of the report referenced in the article caught my eye and highlighted my concern.

In over half of all NSL violations reviewed by EFF, the private entity receiving the NSL either provided more information than requested or turned over information without receiving a valid legal justification from the FBI. Companies were all too willing to comply with the FBI’s requests, and — in many cases — the Bureau readily incorporated the over-produced information into its investigatory databases. For example, in a violation reported in 2006, the FBI requested email header information for two email addresses used by a U.S. person. In response, the email service provider returned two CDs containing the full content of all emails in the accounts. The FBI eventually (and properly) sequestered the CDs, notified the email provider of the overproduction, and re-issued an NSL for the originally requested header information; but, in response to the second NSL, the email provider again provided the FBI with the full content of all emails in the accounts.

The failure in the bureaucratic process outlined in this example here is completely preventable, not by a more lawfully compliant FBI or a more adept service provider but a more informed and better equipped citizen. Like Uncle Ben told Peter, “with great power comes great responsibility”, the information age is our superpower. Let’s not destroy ourselves with it.

Cloudburst

I’ve never felt comfortable about the so-called cloud and the concept of it being the new home to all of my data. For anyone who questions authority or has any interest in privacy the cloud is extremely questionable but when it comes to data security and stability it is even more so. I can’t see any scenario at this time that is better than having physical possession and total control over your own data.

I think Cringely states a great case HERE.