stack.fm

The European Commission is considering new Internet regulations that would make online services legally liable for their users’ bad actions, meaning that services like Youtube, Facebook, and the comments section of your favorite website would have to somehow review everything that users post before making it public, assessing all user-submitted material for its legal compliance with a bewildering array of international guidelines.

It’s a proposal that would provide full employment within the EU, once every single European was retrained as an Internet lawyer – and they still wouldn’t be able to make a dent in the user-submitted material posted to the net every second of every minute of every day.

The Commission has posted an online survey in which you can comment on this, but as you might expect (if you’ve had experience with the Commission), it’s an insanely baroque, one-sided affair, nearly impossible to fill in without professional guidance, and designed to allow people who like the idea of expanded liablity with lots of space to make their case, and no comparable amount of space for people who don’t want the Internet wrecked.

The Copia Institute, a thinktank started by Techdirt, has posted a step-by-step guide to the Commission’s form, with the intention that you can keep it open in one tab and the form open in another, and replace the army of professionals that the Internet’s wreckers employ to give the Commission the veneer of democratic respectability with a people-powered campaign that lets us all cooperate to get our opposition into the record, despite the Commission’s best efforts to the contrary.

The Commission’s form is terrible, and you should fill it in anyway. It’s vital to the future of the net.

Home Secretary Theresa May has introduced the long-awaited, frequently assayed Snoopers’ Charter, and it is a complete disaster.

In the new bill, May says that she will ban products that use end-to-end encryption, whereby the company that made the product can’t tell how it’s being used. She seems to think that all this will require is orders to Facebook, Apple, Google and perhaps a couple of smaller players to get them to re-engineer their products so that all messages get decrypted at their data-centres, re-encrypted and passed on to their recipients.

She is wrong.

End-to-end encryption can be accomplished with literally thousands of products, many of them free/open source software that can be downloaded from tens of thousands of websites, including websites like Github that are indispensable to UK industry and cannot be blocked without crippling the economy. Even the Chinese government was unable to block Github.

This means that anyone who wants to communicate in a way that cannot be intercepted needs only to go on using the tools that they use presently. It means that anyone who wants to communicate in a way that the government can’t intercept can download software from any of many, many, many sites and they’re home free.

It also means that law-abiding people who lack technical sophistication will have infinitely large troves of sensitive communications captured and retained by Internet companies. When those companies have a security breach (this is a when, not an if), those innocent and technologically naive Britons will have all of their sensitive, personal information ashley-madisoned all over the Internet.

It gets worse. The Snoopers’ Charter also legalises the security services’ practice of creating and deploying cyberweapons, which means that they will be accelerating their practice of both introducing and hoarding security flaws in the technology that Britons use. Because these flaws are and will continue to be independently discovered and weaponised by foreign spies, criminals, voyeurs, etc, all of the services that comply with UK law by banning end-to-end encryption and by retaining sensitive personal information will be even more vulnerable.

The government is insisting that every service provider stockpile massive quantities of unstable toxic personal information, and simultaneously taking measures to make those stockpiles much, much less secure.

The government also admitted that MI5 had been spying on Britons for more than a decade without proper legal authorisation, and then used this as a pretense for the Snoopers’ Charter, arguing that what was needed here was an expansion of spying power to legalise the practice, rather than an inquiry into why they were doing it in the first place.

Historically, US companies have been able to get around the (relatively stringent) European data-protection rules thanks to a “Safe Harbor” agreement between the US and the EU – but Max Schrems, an Austrian privacy activist, has successfully argued that the NSA’s mass surveillance programs violate European law and invalidates the Safe Harbor.

The crux is the European legal right to see and know about the data that’s been collected about you. The NSA’s Prism program and other programs that exfiltrate data from private companies’ databases is shrouded in strict secrecy – until the Snowden revelations in 2013, the mere existence of these programs was a closely guarded secret – and so the court ruled that US companies may no longer automatically move Europeans’ data to US-based servers.

Two important facts about the ruling: first, this doesn’t mean that Europeans’ data may not be stored in the US, it just means that the storage can’t be automatic – it must be reviewed on a case-by-case basis.

Second, and more important: this doesn’t mean that Europeans won’t be subjected to mass surveillance, including mass surveillance by the NSA.

Many European countries have spying legislation that mirrors the US principle that foreigners can be spied on with impunity, and also its attitude that since there’s no way to tell whether you’re intercepting your own citizens’ data or foreigners’ data, you can just spy on everyone, including your own nationals while they’re within your own borders. The UK has long embraced this principle, and France is now adopting it, too.

Meanwhile, European spy agencies work closely with the NSA, and even trade the right to surveil their own countries in exchange for access to their own populations – some of the biggest EU member-states are all over this: the UK, Germany, and France (and many others).

So the real losers here are the big tech companies, not the spy agencies. They’ll have to do stylized dance-routines to comply with the ruling and the inevitable tightening of the movement of data between servers. But the NSA, GCHQ and other spy agencies will target data-centers wherever they are, and the spy agencies of European nations will surveil their own populations and foreign populations, covertly and overtly harvesting Europeans’ data from the data-centers in their own borders, and, often, handing it straight to the NSA, who’ll move it to its US data-centers likethe titanic facility in Bluffdale, Utah.

If the European Court of Justice wants to end mass surveillance of Europeans, it can only do so by banning mass surveillance – by ruling that laws that treat foreigners’ data as fair game are unconstitutional. If US tech giants want to get loose from a farcical, expensive, and pointless exercise that continues to treat them as adjuncts to the world’s spy agencies, they need to lobby the US government to change the laws under which it treats foreigners as fair game.

Since the Snowden revelations, the market for privacy-oriented services has only grown – indeed, it’s likely that it will keep growing. We’re not at peak surveillance, but we’re way past peak indifference to surveillance.

Running a privacy service comes with two distinct technical challenges: the cryptographic challenge of making messages secure in transit and at rest on your server; and the legal challenge of keeping your promises to your customers intact when a government wants to spy on them.

These two problems are intimately entwined, and so are their solutions.

The cost of getting it wrong is high. Take Lavabit, the privacy-oriented email provider used by Edward Snowden to communicate with journalists when he was planning his leak: a few months after the Snowden revelations, nearly two years ago, Lavabit mysteriously shut its doors, its website replaced with a message saying that owner Ladar Levinson took the action rather than “being complicit in crimes against the American people.”

Later, it emerged that the NSA had secretly demanded that Lavabit insert a “backdoor” into its system so that it could potentially spy on all of Levinson’s customers. Rather than betray their trust, Levinson folded up his business altogether (braving arrest threats) a process he likened to “putting a beloved pet to sleep.”

Shortly after, Silent Circle, a major Lavabit competitor, pre-emptively shut the doors on its email service, apparently believing it was next in line for an NSA order. Groklaw, an investigative news site, also shut down, worried that it would have to secretly turn over information on its sources.

Since 9/11, governments around the world have created spying legislation that allows them to demand that companies cooperate in surveillance operations while being sworn to perpetual secrecy on pain of criminal prosecution. In response, companies created dead man’s switches, or “warrant canaries.”

Here’s how those work: companies periodically publish “transparency reports,” listing the number court orders they’ve received and whether and how they’ve complied with them. The first of these reports has a line like “Number of secret, gag-ordered surveillance warrants: 0”. If a company receives a secret warrant, it omits the line from its next transparency report. Eagle-eyed watchers note the omission and conclude that the service is compromised and may no longer be trusted. The service folds.

The idea of warrant canaries is not to voluntarily go out of business: it’s to make business-destroying secret warrants useless. “Serve us with one of your secret warrants,” they imply, “and everyone you wish to spy upon will automatically stop using this service, making the whole thing pointless.” This only works if you are based in a territory where the government can’t compel you to lie (that is, to go on publishing a transparency report that puts the number of secret warrants at zero, even when it’s non-zero).

Many US constitutional scholars believe that while a government could gag a business in the name of security without falling afoul of the first amendment, ordering it to utter falsehoods would not pass muster. Other countries are less protective of free expression: in Australia warrant canaries are now themselves illegal. Warrant canaries also only work if they’re published before the first snooping order arrives (that’s why the Electronic Frontier Foundation published an all-zeroes transparency report months before launching its new Let’s Encrypt certificate authority service).

Warrant canaries are a kind of Ulysses pact – a contract where one party begins negotiations by limiting their own choices (named for Ulysses, who tied himself to the mast to prevent himself from jumping in the sea when he heard the sirens’ songs). But as Ulysses pacts go, it’s a weak one: when it comes down to it, how many business owners are willing to shut the doors rather than tell one teeny-tiny lie on their transparency reports?

Security, that is, opsec, and social media don’t mix. The gangbangers who post heavily on Instagram, Facebook and Twitter, just like normal teenagers are finding that the police are using this data as evidence in, eg RICO cases.

Normal activities for normal people, sharing pictures of hanging out with friends, or location updates, and so on are fatal opsec mistakes for those engaged in underground activity. If you sell drugs and shoot people, you engage in underground activity. Do not create a treasure trove of link analysis data and incriminating evidence.

The police are learning to exploit the surveillance capabilities enabled by modern social media. This might be a golden age for policing. The police predominantly solve crimes one way: someone tells them who did it. Now with social media and smartphone technology tracking everyone, that “someone” can be a database compelled by a warrant.

Canadian Heritage Minister James Moore made headlines last month when he called opponents of his US-style copyright bill “radical extremists” and urged his supporters to “confront them” at every turn.

Now the Minister is declining requests from his local mainstream press to defend his own bill, which ignores the results of his own public consultation, wherein an overwhelming majority of Canadians were against protecting “digital locks” on ebooks, movies, games, and music: “Moore, who besides being heritage minister is also the Conservative MP for Port Moody-Westwood-Port Coquitlam, refused to comment on Bill C-32.”

Chicken.

Pirate MEP’s copyright reforms voted in by Europarl with “Right of Panorama” intact 

German MEP Julia Reda’s brilliant recommendations for reforming EU copyright have passed the European Parliament, and the dastardly attempt to make it illegal to take “commercial” photos in public places has been killed.

Included in Reda’s successful recommendations are the creation of a single European territory without geoblocking for videos and music. And as mentioned, it enshrines the “freedom of panorama,” which affirms the right of photographers to take and use photos of public places, even if those photos include copyrighted imagery, such as posters, t-shirt logos, or even (in some EU states) building facades.

Reda’s success coincided with a EU Parliament rejection of a plan to give newspaper publishers the right to tax links to their articles.

Cryptographers and security experts gathered on the Hill yesterday to tell Congress how stupid it was to ban crypto in order to make it easier to spy on “bad guys.”

The Electronic Frontier Foundation’s roundup on the day’s events has five key takeaways from the testimony:

1. Lawmakers are willing to throw the Constitution under a bus if it helps them fight the War on Terror. For example, here’s John McCain: “    I’ve heard my colleagues, with all due respect, talking about attacks on privacy and our constitutional rights et cetera, et cetera, but it seems to me that our first obligation is the protection of our citizenry against attack, which you agree is growing. ”

2. Companies don’t want to have to leave a key to their crypto under the doormat for “legitimate” spies to use. If the companies that handle your email and sensitive data are holding onto a key that lets them look at your stuff without your knowing it, they’ll never be able to promise that your data is genuinely private.

3. Free/open source software is the elephant in the room. When crypto-deniers talk about banning strong crypto, they’re inevitably talking about forcing companies to leave your data insecure. But much of the best in security comes from the free/open source world, and no one has any idea what to do about amorphous global collectives who make and maintain tools that would be untouchable by such a ban.

4. Cops and spies have no evidence that they need a crypto ban. Despite scare stories about criminals “going dark” through crypto, no one was able to present any hard evidence about criminals getting away with it because they were using unbreakable crypto. None. According to one DA, encrypted phones account for 0.1%  of all phones seized in the course of criminal investigations – and he didn’t testify that this got in the way of a conviction.

5. James Comey believes in sorcery. The hearings involved some bizarre moments for FBI Director James Comey, who is, weirdly enough, a cryptography denier: that is, he believes that cryptographers are lying when they tell him that they don’t know how to make a security system that works against criminals, voyeurs and foreign spies, but that will let him and his pals in when they want to peek at our communications.

Some of Comey’s choice remarks: “A whole lot of good people have said it’s too hard… maybe that’s so. But my reaction to that is: I’m not sure they’ve really tried.” Also, “Maybe the scientists are right. Ennnh, I’m not willing to give up on that yet.”

“Google released another legal disclosure notice related to the United States government’s ongoing grand jury investigation into WikiLeaks,” Kevin Gosztola writes at Firedoglake.

Google recently told Jacob Appelbaum, who has worked with WikiLeaks, that Google was ordered  by the U.S. government to provide data from his account to federal investigators.

From Firedoglake:

On April 1, the government apparently determined there was some information that could be disclosed to Appelbaum.

The government seems to confirm in legal documents that it does not consider WikiLeaks to be a journalistic enterprise. It also writes, “The government does not concede that the [redacted] subscriber is a journalist,” referring to Appelbaum.

Nevertheless, the government broaches the issue and insists “newsmen” may be subject to grand jury investigations of this intrusive nature.

“Google Reveals It Was Forced to Hand Over Journalist’s Data for WikiLeaks Grand Jury Investigation” [Firedoglake]

Applebaum’s tweets on Google’s disclosure follow.

Many congresscritters don’t have public email addresses – instead, they have hard-to-locate webforms that slow down activist email campaigns and make it harder for constituents to get in touch. EFF and the Sunlight Foundation has fixed this, giving every member of Congress her or his own email address – an address that you can send to that will be automatically forwarded through the appropriate webform.

Sunlight has some spam-checking to stop this from being abused, and gathers some of the other information the forms collect so that they can be fully populated by the scripts. Once you’re setup in the system, you can email “[email protected]” and your message will automatically be forwarded on to you senators and house reps.

88% of Congressional staffers say that their bosses’ decisions are affected by constituent email. The data and scripts are up on Github for you to build on.

Trevor Timm, executive director of the Freedom of the Press Foundation  says, “We just helped the Project of Government Oversight (POGO) install SecureDrop. As you may have seen, they were just subpoenaed for over 700 whistleblower records related to the Veteran’s Affairs scandal, which they have been critical to uncovering.”

POGO has said they will go to jail if it comes to it rather than give up any documents.

Trevor writes today:

Apple has announced that it will spoof the MAC addresses emitted by its wireless devices as an anti-tracking measure, a change that, while welcome, is “an umbrella in a hurricane” according to a good technical explainer by the Electronic Frontier Foundation’s  Jeremy Gillula and Seth Schoen.

One notable and sad irony here is that MAC spoofing was held up as evidence of criminality in the indictment of Aaron Swartz: the US prosecutors characterized changing your MAC address as the sort of thing that only criminals do. Either this is proof that “when privacy is criminalized, only criminals will have privacy” or that federal prosecutors are lying assholes. These are not mutually exclusive possibilities.