Risking Communications Security: Potential Hazards of the Protect America Act

A new US law allows warrantless wiretapping whenever one end of the communication is believed to be outside national borders. This creates serious security risks: danger of exploitation of the system by unauthorized users, danger of criminal misuse by trusted insiders, and danger of misuse by government agents

Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet

For years, legal wiretapping was straightforward: the officer doing the intercept connected a tape recorder or the like to a single pair of wires. By the 1990s, however, the changing structure of telecommunications—there was no longer just “Ma Bell” to talk to—and new technologies such as ISDN and cellular telephony made executing a wiretap more complicated for law enforcement. Simple technologies would no longer suffice. In response, Congress passed the Communications Assistance for Law Enforcement Act (CALEA) which mandated a standardized lawful intercept interface on all local phone switches. Since its passage, technology has continued to progress, and in the face of new forms of communication—Skype, voice chat during multiplayer online games, instant messaging, etc.—law enforcement is again experiencing problems. The FBI has called this “Going Dark”: their loss of access to suspects’ communication. According to news reports, law enforcement wants changes to the wiretap laws to require a CALEA-like interface in Internet software. CALEA, though, has its own issues: it is complex software specifically intended to create a security hole—eavesdropping capability—in the already-complex environment of a phone switch. It has unfortunately made wiretapping easier for everyone, not just law enforcement. Congress failed to heed experts’ warnings of the danger posed by this mandated vulnerability, and time has proven the experts right. The so-called “Athens Affair,” where someone used the built-in lawful intercept mechanism to listen to the cell phone calls of high Greek officials, including the Prime Minister, is but one example. In an earlier work, we showed why extending CALEA to the Internet would create very serious problems, including the security problems it has visited on the phone system. In this paper, we explore the viability and implications of an alternative method for addressing law enforcements need to access communications: legalized hacking of target devices through existing vulnerabilities in end-user software and platforms. The FBI already uses this approach on a small scale; we expect that its use will increase, especially as centralized wiretapping capabilities become less viable. Relying on vulnerabilities and hacking poses a large set of legal and policy questions, some practical and some normative. Among these are: (1) Will it create disincentives to patching? (2) Will there be a negative effect on innovation? (Lessons from the so-called “Crypto Wars” of the 1990s, and in particular the debate over export controls on cryptography, are instructive here.) (3) Will law enforcement’s participation in vulnerabilities purchasing skew the market? (4) Do local and even state law enforcement agencies have the technical sophistication to develop and use exploits? If not, how should this be handled? A larger FBI role? (5) Should law enforcement even be participating in a market where many of the sellers and other buyers are themselves criminals? (6) What happens if these tools are captured and repurposed by miscreants? (7) Should we sanction otherwise illegal network activity to aid law enforcement? (8) Is the probability of success from such an approach too low for it to be useful? As we will show, these issues are indeed challenging. We regard the issues raised by using vulnerabilities as, on balance, preferable to adding more complexity and insecurity to online systems

Identifying the limits of governmental interference with on-line privacy

This thesis addresses the issue of on-line privacy, in an effort to identify the limits of governmental interference with this kind of right. Traditional privacy has been a well accepted and legally recognized human right for many years now. However, the exposure of privacy to the Internet has created new threats that mould the nature of 'on-line privacy': a user is less aware of the dangers faced in cyberspace, due to the instinctive feeling of being alone when in front of a computer; the distinction between private and public places is blurred, cyberspace looks like a public space, but is actually an aggregation of privately owned digital spaces, open to public access. Taking this as a basis, the thesis explores the route to be followed in order for a well-balanced interference with on-line privacy to be designed. First, an analysis of computer-related crime, the major reason (or excuse) on which governments base the need to interfere and delimit privacy in the on-line environment. On¬ line delinquency may be a serious problem, but it has to be examined closer than it has been up to present if it is to choose effective measures to combat it. Second, the thesis analyses the legal reasons justifying governmental interference with on-line privacy. National security, public safety and the economic well being of a country are the most popular reasons appearing in laws regulating interference with an otherwise protected right, and they will play a prominent role in justifying interference with privacy in cyberspace; an approach on the meaning, use and difficulties met in their application can be a starting point in an effort to avoid the same problems in the on-line environment. The European Convention of Human Rights, being one of the most complete and effective legal forums for human rights protection, is then used to show how the legally acceptable justifications for interference with privacy are being implemented. The thesis goes on to examine cryptography: being one of the most valuable tools for the protection of on-line privacy, regulating its use and dissemination is a way of governmental interference. An approach of the efforts made to limit the use and dissemination of strong encryption shows how on-line privacy has been affected. It is further suggested that restrictions in the use of strong encryption have a much more detrimental effect for legitimate users than for those using it to conceal illegal activity. The effectiveness of these measures is, therefore, under question. Next, the UK Regulation of Investigatory Powers Act 2000 is analysed, mainly those parts that affect on-line privacy. RIPA regulates the use of investigatory powers in the on-line environment such as interception of communications, acquisition of communications data and governmental access to keys. Being one of the few examples of such legislation, a lot can be learnt from the mistakes made. Last, the thesis explores the threat posed to on-line privacy by systems of covert governmental surveillance. The Echelon and other major international surveillance systems is probably the most real threat for privacy in the on-line environment

Content Moderation as Surveillance

Technology platforms are the new governments, and content moderation is the new law, or so goes a common refrain. As platforms increasingly turn toward new, automated mechanisms of enforcing their rules, the apparent power of the private sector seems only to grow. Yet beneath the surface lies a web of complex relationships between public and private authorities that call into question whether platforms truly possess such unilateral power. Law enforcement and police are exerting influence over platform content rules, giving governments a louder voice in supposedly “private” decisions. At the same time, law enforcement avails itself of the affordances of social media in detecting, investigating, and preventing crime. This Article, prepared for a symposium dedicated to Joel Reidenberg’s germinal article Lex Informatica, untangles the relationship between content moderation and surveillance. Building on Reidenberg’s fundamental insights regarding the relationships between rules imposed by legal regimes and those imposed by technological design, the Article first traces how content moderation rules intersect with law enforcement, including through formal demands for information, informal relationships between platforms and law enforcement agencies, and the impact of end-to-end encryption. Second, it critically assesses the degree to which government involvement in content moderation actually tempers platform power. Rather than effective oversight and checking of private power, it contends, the emergent arrangements between platforms and law enforcement institutions foster mutual embeddedness and the entrenchment of private authority within public governance

US export controls on encryption technology

Includes bibliographical references (p. 111-118).Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Political Science, 2004.(cont.) effort that eventually paid off in 1999. Interest group politics also factors into the actions of the national security establishment as they also lobby the Presidency and Congress to maintain restrictive encryption regulations. The study uses organizational culture to explain the motivations and some of the actions of the NSA, particularly with regard to its preference for secrecy, its placement of national security above other values, and its efforts to maintain control over all cryptology, whether government or civilian.This thesis seeks to explain why the U.S. government export controls on encryption technologies instituted during the 1970s remained in place until 1999 even though the widespread availability of similar products internationally had rendered the regulations largely without national security benefit by the late 1980s and early 1990s. The second part of the thesis explores the processes and reasons behind the eventual liberalization of encryption policies in 1999. Underlying the study is a values tradeoff between national security, economic interests, and civil liberties for which the relative gains and losses to each value shift through the three decades of the study as a result of technological advances in commercial and civilian cryptography, the growing popularity of electronic communications, the rise of the computer software industry, and the end of the Cold War. The explanation rests upon a combination of political science and organization theories. Structural obstacles to adaptation within the legislative process and interest group politics help account for some of the inertia in the policy adaptation process. In particular, regulatory capture of the Presidency and critical Congressional committees by the National Security Agency helped lock in the NSA's preferred policies even after technological advancements in the commercial sector began to cut into the national security benefits resulting from export controls. Interest group politics also helps explain the rise and eventual success of the lobby for liberalization of encryption regulations. A combination of the software industry and civil liberties activists intent on preserving the right to privacy and First Amendment allied to lobby Congress to change encryption regulations, anby Shirley K. Hung.S.M

Privacy and Security in the Cloud: Some Realism About Technical Solutions to Transnational Surveillance in the Post-Snowden Era

Since June 2013, the leak of thousands of classified documents regarding highly sensitive U.S. surveillance activities by former National Security Agency (NSA) contractor Edward Snowden has greatly intensified discussions of privacy, trust, and freedom in relation to the use of global computing and communication services. This is happening during a period of ongoing transition to cloud computing services by organizations, businesses, and individuals. There has always been a question of inherent in this transition: are cloud services sufficiently able to guarantee the security of their customers’ data as well s the proper restrictions on access by third parties, including governments? While worries over government access to data in the cloud is a predominate part of the ongoing debate over the use of cloud serives, the Snowden revelations highlight that intelligence agency operations pose a unique threat to the ability of services to keep their customers’ data out of the hands of domestic as well as foreign governments. The search for a proper response is ongoing, from the perspective of market players, governments, and civil society. At the technical and organizational level, industry players are responding with the wider and more sophisticated deployment of encryption as well as a new emphasis on the use of privacy enhancing technologies and innovative architectures for securing their services. These responses are the focus of this Article, which contributes to the discussion of transnational surveillance by looking at the interaction between the relevant legal frameworks on the one hand, and the possible technical and organizational responses of cloud service providers to such surveillance on the other. While the Article’s aim is to contribute to the debate about government surveillance with respect to cloud services in particular, much of the discussion is relevant for Internet services more broadly