Corante

About this Author
Ernest Miller Ernest Miller pursues research and writing on cyberlaw, intellectual property, and First Amendment issues. Mr. Miller attended the U.S. Naval Academy before attending Yale Law School, where he was president and co-founder of the Law and Technology Society, and founded the technology law and policy news site LawMeme. He is a fellow of the Information Society Project at Yale Law School. Ernest Miller's blog postings can also be found @
Copyfight
LawMeme

Listen to the weekly audio edition on IT Conversations:
The Importance Of ... Law and IT.

Feel free to contact me about articles, websites and etc. you think I may find of interest. I'm also available for consulting work and speaking engagements. Email: ernest.miller 8T gmail.com

Amazon Honor System Click Here to Pay Learn More

The Importance of...

Category Archives

« RSS | Security | Telecomm »

July 11, 2005

July 05, 2005

June 23, 2005

June 22, 2005

June 21, 2005

June 15, 2005

June 10, 2005

June 09, 2005

June 04, 2005

May 31, 2005

May 30, 2005

May 29, 2005

May 27, 2005

May 26, 2005

May 24, 2005

Mere Presence of Encryption on PC Relevant to Criminal Acts

Email This Entry

Posted by Ernest Miller

C|Net News reports that the Minnesota State Court of Appeals has upheld a ruling in which the presence of an encryption program on a computer was relevant to a criminal child sex abuse case (Minnesota Court Takes Dim View of Encryption).

The case, Minnesota v. Levie, involves the uncle of a nine-year-old girl who sought to have her pose nude for his digital camera. The Court upheld his conviction on two counts of solicitation of a child to engage in sexual conduct.

In his appeal, Levie challenged, among other things, the introduction of evidence that he had a file encryption program on his computer.

He [retired police officer Brooke Schaub] also testified that he found an encryption program, PGP, on appellant’s computer; PGP “can basically encrypt any file;” and, “other than the National Security Agency,” he was not aware of anyone who could break such an encryption. But Schaub also admitted that the PGP program may be included on every Macintosh computer that comes out today,...
The judge found this relevant:
After closing arguments and an adjournment, the court explained its findings orally, noting that: ... the “evidence tends to show that an encrypting capability was employed by the Defendant;”
Which led to Levie's argument on appeal:
Appellant first argues that he is entitled to a new trial because the district court erred in admitting irrelevant evidence of his internet usage and the existence of an encryption program on his computer. Rulings involving the relevancy of evidence are generally left to the sound discretion of the district court. And rulings on relevancy will only be reversed when that discretion has been clearly abused. “The party claiming error has the burden of showing both the error and the prejudice.”

Appellant argues that his “internet use had nothing to do with the issues in this case;” “there was no evidence that there was anything encrypted on the computer;” and that he “was prejudiced because the court specifically used this evidence in its findings of fact and in reaching its verdict.” We are not persuaded by appellant’s arguments. The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him. [citations omitted]

I can see that this evidence wasn't clearly prejudicial, and thus not meriting throwing out the conviction, but I really don't see why it was relevant. What, exactly, is the presence of an encryption program supposed to be relevant for? There was no evidence, apparently, that Levie used the encryption for anything related to the crime.

As Techdirt notes sarcastically, the rules seems to be "if you had nothing to hide, why would you encrypt it?" (Because Only Criminals Use Encryption).

Comments (2) + TrackBacks (0) | Category: Civil Liberties | Cryptography | Security

MS to Lock Up Office Documents, Lock In Customers

Email This Entry

Posted by Ernest Miller

C|Net News reports on a couple of initiatives by Microsoft to bring more security into the workplace (Facing 'New World of Work,' Microsoft Locks Up Office). Apparently Microsoft will be adding new forms of DRM to their popular office suite so that companies have more control over where their internal documents can go. Strangely, the article never bothers to ask whether this technology will have an open protocol or will be used to lock in customers as it locks up documents.

The article also discusses a new, corporate form of IM that is subject to centralized control by the corporation:

"What happened is the dynamic of IM changed when people knew it was being logged," Greifeld said. But both Capossela and Greifeld said that the change is not necessarily a bad thing.

"For us, the value of instant messaging isn't the sideshow where people get to have private conversations," Capossela said. "The value of instant messaging is the ability to connect with somebody absolutely real-time and to have that quick burst back and forth."

Privacy is such an antiquated concept.

Comments (0) + TrackBacks (0) | Category: Digital Rights Management | Open Standards | Privacy | Security

May 20, 2005

May 15, 2005

May 13, 2005

March 28, 2005

July 28, 2004

P2P Problem or Security Issue?

Email This Entry

Posted by Ernest Miller

C|Net News is running a very interesting story about a new blog that is posting military and military-related information supposedly found on P2P filesharing networks (Are P2P networks leaking military secrets?). The blog is See What You Share on P2P. The purpose of the site is explained here: Why This Site Exists.

A few months ago, I downloaded some military briefings from the Gnutella Network. The briefings were zipped and the file contained 21 documents with classifications ranging from For Official Use Only to Secret/NO FORN. Shocked at my discovery, I notified an agency on a nearby military installation. When nothing happened, I notified another agency. I continued this course because no action was taken and for a nation at war, I was concerned for the safety of our soldiers.

It may appear that I am picking on certain institutions. This is true. I want everyone to know that we can be our own worst enemies when we don’t understand the full power of our technology. I want every military and government agency to see first hand what is being shared with anyone who has a computer. Since a picture is worth a thousand words, I can save myself some talking.

This is not surprising. Nor, I'm sure, is the information inadvertantly shared solely related to military and emergency services. There are probably a number of corporations that would be surprised what files are available for the downloading.

This is a real problem. However, it is properly a computer security issue, not a P2P issue, as the website's owner misleadingly claims, "Technology often outruns legislation. So is the case with Peer 2 Peer networks. Many people obtain P2P software so they can download music or movies. A large number of those people do not have any idea what they are sharing." Note the reference to legislation. Of course, the RIAA, among others, often makes this point and requests more regulation, such as the Inducing Infringement of Copyrights Act (IICA, née INDUCE Act). However, is it really the technology so much as unfamiliarity with the security issues involved?

I remember some of the earlier days of email and how people would accidentally "reply all" or forward to mailing lists information they shouldn't. Still happens, actually. Does that mean we need more regulation of email? The default settings for certain operating systems leave plenty of security holes for accessing information on a network-connected computer. Do we need operating system regulation?

See What You Share on P2P is doing a fine service alerting people (and especially gov't officials) to the security problems their networks have. However, to characterize it as a P2P problem, as opposed to a security problem, is incorrect. We all need to be more familiar with the means and necessity of protecting certain types of information on our computers.

Want to know more about the INDUCE Act?
Please see LawMeme's well-organized index to everything I've written on the topic: The LawMeme Reader's Guide to Ernie Miller's Guide to the INDUCE Act.

Comments (1) + TrackBacks (0) | Category: File Sharing | INDUCE Act | Security

June 28, 2004

End-to-End Must Die So that National Security May Live

Email This Entry

Posted by Ernest Miller

Prof. Susan Crawford has been breaking and following some monumentally important stories recently. Her latest regards one of my favorite federal agencies, the FCC, and the huge power grab it is considering exercising with regard to the internet. This is no joke, the FCC is considering regulating everything that uses the IP protocol (Nethead/Bellhead -- Noticing DHS). If you think this is just about the big telecoms, you're wrong:

"[National Security/Emergency Preparedness] NS/EP considerations provide a compelling rationale for applying a certain amount of regulation to IP-enabled services. The purpose of such regulation would be to ensure the prioritized availability of certain communication services to Federal, state, and local officials and first responders in times of emergency or national crisis."
Crawford is quoting from the Department of Homeland Security filing in the IP-related services proceeding (In the Matter of FCC Review of Regulatory Requirements for IP-Enabled Services: Comments of the Department of Homeland Security [PDF] The fun part of this document is that it won't let you copy/paste).

How much regulation is necessary?

"In the event of crisis, NS/EP national leadership must receive end-to-end priority treatment over other users. . . . NS/EP traffic must be identified with its own class of service -- above and beyond "best effort."
This, of course, would mean the end of end-to-end as IP providers would have to check packets to see if they were specially marked by the government (which would require all sorts of checks so that we could be sure the packets hadn't been spoofed and what not). Basically, we would have to build into the internet a smart network. Once you've done that, all sorts of other regulations become possible.

As Crawford notes, all of this would be done in the name of national security. You're not against national security, are you?

Comments (2) + TrackBacks (0) | Category: Civil Liberties | Internet | Security | Telecomm

March 23, 2004

RSSTV Emergency Broadcatching System

Email This Entry

Posted by Ernest Miller

On Saturday, Andrew Grumet announced the release of RssReader 0.4d (RssReader 0.4d). In Andrew's words, "RssReader is TiVo-resident software that displays the contents of an RSS feed on your television." Of course, who the heck really wants to read RSS feeds on television? Sounds like one of those dotcom-era WebTV-like monstrosities. Instead, Andrew notes that "More interestingly, RssReader can schedule recordings from syndication feeds containing RSSTV extensions. This means you can subscribe your TiVo to a community-evolved ToDo list, such as the feed generated by Program My TiVo!" Absolutely, and something I think has amazing potential (RSS for TV, Music).

However, I also think that there is not only a desire for at least some RssReader functionality on television, but important reasons to make it happen. Indeed, perhaps a grant from Homeland Security to Grumet would be in order.

Imagine an RSS feed that would scroll at the bottom of your television display while you watched any other channel, a news ticker if you will. It would be just like the scrolling feeds on the news and financial networks, but would be overlayed on top of whatever you are currently watching. Most importantly, the content would come from an RSS feed.

...continue reading.

Comments (2) + TrackBacks (0) | Category: Broadcatching/Podcasting | File Sharing | RSS | Security | Telecomm

March 15, 2004

A Race the FBI Can't Win: The Increasingly Asymmetric Costs of Wiretap Surveillance vs. Wiretap Avoidance

Email This Entry

Posted by Ernest Miller

LawMeme briefly summarizes and collects a number of articles on several law enforcement agencies' (FBI, DOJ and DEA) recent petition to the FCC to expand government wiretap capability (FBI seek to expand the system-formerly-known-as-Carnivore).

C|Net News reports that the petition "aims to give police ready access to any form of Internet-based communications" (FBI adds to wiretap wish list):

Legal experts said the 85-page filing includes language that could be interpreted as forcing companies to build back doors into everything from instant messaging and voice over Internet Protocol (VoIP) programs to Microsoft's Xbox Live game service. The introduction of new services that did not support a back door for police would be outlawed, and companies would be given 15 months to make sure that existing services comply.

That's just wonderful. And I suppose only the US government will have access to these backdoors?

The Washington Post (reg. req.) talks to one of the leading experts on wiretapping, CDT's James X. Dempsey (Easier Internet Wiretaps Sought):

But privacy and technology experts said the proposal is overly broad and raises serious privacy and business concerns. James X. Dempsey, executive director of the Center for Democracy & Technology, a public interest group, said the FBI is attempting to dictate how the Internet should be engineered to permit whatever level of surveillance law enforcement deems necessary.
"The breadth of what they are asking for is a little breathtaking," Dempsey said. "The question is, how deeply should the government be able to control the design of the Internet? . . . If you want to bring the economy to a halt, put the FBI in charge of deploying new Internet and communications services."

Dempsey is right. The amount of intervention in technology development necessary for the FBI and DOJ to accomplish what they want with regard to wiretapping is enormous. The costs will be both direct (money out of consumer's pockets) and indirect (loss of innovation). However, that is only half the picture. Unfortunately for the FBI, the costs to defeat the wiretapping are relatively small and will continue to decrease. We have here an asymmetric situation that will only grow more asymmetric as time goes on.

The problem is with the underlying architecture of the internet. Advances in technology along with the end-to-end/layers principle mean that it will always be cheaper to add encryption to the edges of the network than to increase the amount of surveillance at the center of the network. How much does it cost to write an encrypted VoIP app? Not much. How much does it cost to build the surveillance mechanism and conduct the surveillance across all possible ISPs? A heck of a lot more.

Ok. Now that the first encrypted VoIP app is compromised ... how much will it cost to build another encrypted layer on top of the first one? How much will it cost to conduct surveillance on this new layer? Hmmmm, if this progression continues, as we add additional layers of encryption and surveillance, the costs will increasingly diverge. Not a game you can win ultimately. In fact, it doesn't make much sense to even start. The FBI should be happy with what they've got.

Nor should we forget how darn cheap computing is getting. I wish my first computer had the power of a Treo 600. How hard is it to write voice encryption software for Treos and all the follow-on smart phones? How hard will be to add additional layers to the communications stack especially given all the various options for communication being made available through ubiquitous grid-network wireless?

If I were the FBI, I wouldn't waste my time on a battle I ultimately couldn't win and instead would concentrate my efforts on the place where I could still achieve my goals - the ends. You want to know what someone is up to online? I would recommend, for example, key loggers, "real" spyware, and social engineering. It ain't gonna be easy, but you have a chance of winning in the long term. The sooner you quit a race you can't win, the faster you can enter a race where you have a chance.

Bonus FBI Inanity: Sunday, March 14th was the 54th birthday of the FBI's "Top Ten Most Wanted Fugitive List." What better way to celebrate than with a humorous quiz? For example,

5. What Bible-carrying female impersonator was captured in 1964 while working as "Bobo the Clown" with a traveling carnival?
ANSWER: Leslie Douglas Ashley. And for extra credit, Isaie Aldy Beausoleil [apparently another man] was arrested in 1953 dressed as a woman...acting v-e-r-y suspiciously in a Chicago ladies' restroom.
7. Who was arrested in Japan, extradited to the U.S., and in Honolulu presented FBI Agents--in all seriousness--with [sic] a Monopoly "Get Out of Jail Free" card?
ANSWER: James Robert Ringrose, arrested in 1967.
And this one is really a laugh riot, har-d-har-har:
4. What Top Ten terrorist who was apprehended in 1995 said at his trial in New York City, "I am a terrorist, and I am proud of it"?
ANSWER: Ramzi Ahmed Yousef, who masterminded the 1993 World Trade Center bombing in New York and planned the bombing of an American airplane in the Far East, an act that was prevented. Judge Kevin Thomas Duffy of Manhattan's Federal District Court called him "an apostle of evil [who] wanted to kill for the thrill of killing human beings."

Bonus FBI Inanity 2: A Strengthened Partnership to Protect Children: Name that Sexual Predator! - That's the real name for the page - no foolin'. Frankly, I am somewhat disturbed when law enforcement agencies turn child abuse into a game.

UPDATE

Brother Dana has some observations here: Following The Chinese Way

Comments (3) + TrackBacks (0) | Category: Civil Liberties | Cryptography | Cybercrime | Internet | Privacy | Security | WiFi

October 29, 2003

Blogger Fired for Security Violation

Email This Entry

Posted by Ernest Miller

According to his blog, until this past Monday, Michael Hanscom was a temporary employee in Microsoft's Copy/Print shop, reporting to a Xerox supervisor. Michael worked there until he was fired for a security violation for a blog post (Of blogging and unemployment). The original blog post that resulted in the firing contains a photo of a number of Power Mac G5s being unloaded from a truck at the receiving dock on the Microsoft facility in Redmond (Even Microsoft wants G5s).

I've only had the chance to read one side of the story (and I doubt MS Security will comment), but it seems to me that Microsoft has overreacted (though it is within their rights to fire). Couldn't this have been handled with a discussion and some more training about security issues? Is the employee manual so clear on security issues? I'm also sort of curious as to how this came to Microsoft's attention. Do they monitor employee's private websites?

What this does show, however, is that companies probably should add an "acceptable blogging policy" regarding company-related posts to their employee manuals.


via Metafilter

Comments (1) + TrackBacks (0) | Category: Blogging and Journalism | Freedom of Expression | Security

October 27, 2003

Poor Traffic Light Engineering Practices

Email This Entry

Posted by Ernest Miller

The Detroit News has a story on special infrared transmitters that can can broadcast a signal to receivers on traffic lights, turning the light from red to green (Gadget may wreak traffic havoc). The purpose of the devices is to ease the way for emergency vehicles. However, now civilian knock offs are being sold, allowing the average citizen to clear their own traffic path. The traffic headaches this can cause will be enormous, not to mention the problems it will cause for emergency vehicles. The consumer devices themselves are probably legal to sell currently.

Educated Guesswork notes how easily this could have been prevented with some simple cryptography (Remote traffic light control).

Ed Felten notes how poor engineering practices might result in poor law: banning transmitters and thus creating a black market (Remote Controls for Traffic Lights).

Comments (0) + TrackBacks (0) | Category: Cryptography | Security

October 21, 2003

1) Respond to Nonexistent Threat; 2) ... ; 3) Profit!

Email This Entry

Posted by Ernest Miller

Tim Oren has an interesting post on his Due Diligence blog concerning the intersection of security and business concerns in the design of systems (What's Your Threat Business Model?). He uses SSL as an example of how business models and security models can interact in odd ways.

Comments (0) + TrackBacks (0) | Category: Cryptography | Security