A Lot More than a Pen Register, and Less than a Wiretap

In June 2013, through an unauthorized disclosure to the media by ex-NSA contractor Edward Snowden, the public learned that the NSA, since 2006, had been collecting nearly all domestic phone call detail records and other telephony metadata pursuant to a controversial, classified interpretation of Section 215 of the USA PATRIOT Act. Prior to the Snowden disclosure, the existence of this intelligence program had been kept secret from the general public, though some members of Congress knew both of its existence and of the statutory interpretation the government was using to justify the bulk collection. Unfortunately, the classified nature of the Section 215 metadata program prevented them from alerting the public directly, so they were left to convey their criticisms of the program directly to certain federal agencies as part of a non-public oversight process. The efficacy of an oversight regime burdened by such strict secrecy is now the subject of justifiably intense debate. In the context of that debate, this Article examines a very different surveillance technology—one that has been used by federal, state and local law enforcement agencies for more than two decades without invoking even the muted scrutiny Congress applied to the Section 215 metadata program. During that time, this technology has steadily and significantly expanded the government’s surveillance capabilities in a manner and to a degree to date largely unnoticed and unregulated. Indeed, it has never been explicitly authorized by Congress for law enforcement use. This technology, commonly called the StingRay, the most well-known brand name of a family of surveillance devices, enables the government, directly and in real-time, to intercept communications data and detailed location information of cellular phones—data that it would otherwise be unable to obtain without the assistance of a wireless carrier. Drawing from the lessons of the StingRay, this Article argues that if statutory authorities regulating law enforcement surveillance technologies and methods are to have any hope of keeping pace with technology, some formalized mechanism must be established through which complete, reliable and timely information about new government surveillance methods and technologies can be brought to the attention of Congress

An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government

Today, when consumers evaluate potential telecommunications, Internet service or application providers – they are likely to consider several differentiating factors: The cost of service, the features offered as well as the providers’ reputation for network quality and customer service. The firms’ divergent approaches to privacy, and in particular, their policies regarding law enforcement and intelligence agencies’ access to their customers’ private data are not considered by consumers during the purchasing process – perhaps because it is practically impossible for anyone to discover this information. A naïve reader might simply assume that the law gives companies very little wiggle room – when they are required to provide data, they must do so. This is true. However, companies have a huge amount of flexibility in the way they design their networks, in the amount of data they retain by default, the exigent circumstances in which they share data without a court order, and the degree to which they fight unreasonable requests. As such, there are substantial differences in the privacy practices of the major players in the telecommunications and Internet applications market: Some firms retain identifying data for years, while others retain no data at all; some voluntarily provide government agencies access to user data - one carrier even argued in court that its 1st amendment free speech rights guarantee it the right to do so, while other companies refuse to voluntarily disclose data without a court order; some companies charge government agencies when they request user data, while others disclose it for free. As such, a consumer’s decision to use a particular carrier or provider can significantly impact their privacy, and in some cases, their freedom. Many companies profess their commitment to protecting their customers’ privacy, with some even arguing that they compete on their respective privacy practices. However, none seem to be willing to disclose, let alone compete on the extent to which they assist or resist government agencies’ surveillance activities. Because information about each firm’s practices is not publicly known, consumers cannot vote with their dollars, and pick service providers that best protect their privacy. In this article, I focus on this lack of information and on the policy changes necessary to create market pressure for companies to put their customers’ privacy first. I outline the numerous ways in which companies currently assist the government, often going out of their way to provide easy access to their customers’ private communications and documents. I also highlight several ways in which some companies have opted to protect user privacy, and the specific product design decisions that firms can make that either protect their customers’ private data by default, or make it trivial for the government to engage in large scale surveillance. Finally, I make specific policy recommendations that, if implemented, will lead to the public disclosure of these privacy differences between companies, and hopefully, create further market incentives for firms to embrace privacy by design

Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era

Over the last few years, consumers, corporations and governments have rushed to move their data to “the cloud,” adopting web-based applications and storage solutions provided by companies that include Amazon, Google, Microsoft and Yahoo. Unfortunately the shift to cloud computing needlessly exposes users to privacy invasion and fraud by hackers. Cloud based services also leave end users vulnerable to significant invasions of privacy by the government, resulting in the evisceration of traditional Fourth Amendment protections of a person’s private files and documents. These very real risks associated with the cloud computing model are not communicated to consumers, who are thus unable to make an informed decision when evaluating cloud based services. This paper will argue that the increased risk that users face from hackers is primarily a result of cost-motivated design decisions on the part of the cloud providers, who have repeatedly opted to forgo strong security solutions already used in other Internet based industries. With regard to the intrusion upon user privacy performed by government agencies, fault for this privacy harm does not lie with the service providers; but the inherently coercive powers the government can flex at will. The third party doctrine, which permits government agents to obtain users’ private files from service providers with a mere subpoena, is frequently criticized by privacy scholars. However, this paper will argue that this doctrine becomes moot once encryption is in use and companies no longer have access to their customers’ private data. The real threat to privacy lies with the fact that corporations can and have repeatedly been forced to modify their own products in ways that harm end user privacy, such as by circumventing encryption

Caveat Venditor: Technologically Protected Subsidized Goods and the Customers Who Hack Them

This paper explores the issues surrounding the subsidization of a technology based durable good and on the delicate dance between the producer trying to protect their profit, competitors trying to to create and sell aftermarket goods, and innovative customers who attempt to use the goods in completely unplanned, and unprofitable ways. A number of case studies are presented that highlighted the ease with which customers can tinker with subsidized products. These include Microsoft's Xbox, Netpliances' i-Opener, the Sony AIBO, and the general problems of the prepaid phone industry. A number of legal cases are also presented, although these focus more on the issue of other firms attempting to make competing aftermarket products for subsidized primary goods. The difficult question of what can a company do is explored. The question of who the company can go after for infringement, be it the reverse engineering programmer, or the college student sharing such information on her homepage, is also examined. Finally, this paper examines the moral issues involved when consumers hack these items

Manipulation and abuse of the consumer credit reporting agencies

This paper will present a number of loopholes and exploits against the system of consumer credit in the United States that can enable a careful attacker to hugely leverage her (or someone else's) credit report for hundreds of thousands of dollars. While the techniques outlined in this paper have been used for the personal (and legal) profit by a small community of credit hackers, these same techniques could equally be used by more nefarious persons --- that is, criminals willing to break the law, engage in fraud, and make o with significant sums of money. The purpose of this paper is to shed light on these exploits, to analyze them through the lens of the computer security community and to propose a number of fixes which will greatly reduce the effectiveness of the exploits, by both those with good and ill intentions