Category: Legal

The Punch Line Goes at the End

The Black Hat conference in Las Vegas always has its share of drama. This year, it’s happened a month before the conference opens. The researcher Barnaby Jack had to cancel his talk. gives an account of this; his talk was to make an Automated Teller Machine spit out a “jackpot” of cash, in the style of a slot machine.

According to reports, the manufacturer of the ATM pressured Jack’s employer, Juniper, to pressure him to withdraw the talk.

I certainly roll my eyes at this. It doesn’t do a lot of good to pressure someone to withdraw their talk.

But even more so, if you’re giving a talk, it behooves you to save the showmanship for the stage. I mean, come on.

Last year, the big cancellation was the team of MIT students who broke the Boston MBTA Charlie Card system. There was a legal injunction put against them that spoilt their presentation. The fault, in my opinion, went to them for naming their talk, “How To Get Free Subway Rides For Life.”

Imagine that you are a judge who is interrupted from an otherwise pleasant Saturday by panicky people who want an injunction against a talk with such a dramatic name. You’ll at least listen to them. You decide that sure, no harm to society will come from an injunction from Saturday ’til Monday, and you’d be right. No harm came to society; DefCon was merely a little less interesting.

Now imagine that you are the same judge and you’re asked for an injunction against the talk, “A Practical Cryptanalysis of the Mifare Chip as Implemented in the MBTA.” That one can wait until Monday, and the talk goes on.

In a similar gedanken experiment, imagine that you are the VP of Corporate Communications for the XYZ ATM Corp. You learn that in a few weeks, someone is going to do “ATM Jackpot” with one of your ATMs in some show in Vegas. Despite the fact that someone else in the company approved it, what do you do? You pressure them to cancel. Duh. If you don’t, then you’re going to spend most of August reassuring people about your products, your boss is going to be really ticked at you (after all, isn’t it the job of Corporate Communications to control these things?), and it’s just going to be no fun. This is also why you’re paid the big bucks: to make embarrassments go away.

This is why, if you are a researcher, you do not name your talk “ATM Jackpot”; you name it “Penetration Testing of Standalone Financial Services Systems.” It is only on stage that you fire up the flashing lights and clanging bells and make the ATM spit out C-notes for minutes on end. That would get you all the publicity for your talk that you want, and you actually get to give it.

Remember, do as I say, not as I do. If you have a flashy Black Hat talk, put the punch line at the end of the joke.

Need ID to see Joke ID card

A bunch of folks sent me links to this Photography License, which also found its way to BoingBoing:

[Image: photography license]

Now, bizarrely, if you visit that page, Yahoo wants you to show your (Yahoo-issued) ID to see (Matt’s self-issued) ID.

It’s probably a bad idea to present a novelty version of a DHS document to law enforcement.

It’s a worse idea to live in a country where someone sees enough harassment of photographers to design such a thing so well.

The very worst idea, however, is to discover pressure to send the whole thing down the memory hole.

Who should be punished for torture?

Normally, I try to post funny bits over the weekend, but I can’t let this week’s news slip by.

I have deeply mixed feelings about how to handle those who tortured. On the one hand, they were only following orders. On the other hand, they were following orders which clearly required contortions to see as legal. Soldiers also have a duty to disobey manifestly illegal orders.

  • “The OLC Memos” by Gerard Magliocca analyses the analysis, and finds it wanting. (Concurring Opinions)
  • “A History of Coercive Interrogation” is Will Levi’s summary of his forthcoming Yale Law Journal article on “Interrogation’s Law.” From the abstract: “Conventional wisdom [is] U.S. authorization of coercive interrogation techniques, and the legal decisions that sanctioned them, constitute a dramatic break with the past. This is false.”
  • At Obsidian Wings, Hilzoy makes “The Obvious Comparison” for one newly revealed technique.
  • “Torture and ‘laying blame for the past’” is Sonja Starr’s analysis of the Convention Against Torture, which seems to require prosecution. By this analysis Obama’s dichotomy of “reflection, not retribution” is the wrong one. The correct one is “do we start obeying the laws we passed, or not?” (Concurring Opinions)
  • “The Unreleased Torture Memo” by David Luban has a quite cutting response to the “second-guessing argument” at Balkinization.

As I said, I have mixed feelings about the perhaps legally required prosecution of those who tortured. My feelings about those who authorized it are more varied: they range from hanging to extraordinary rendition under the standards they claimed as legal.

Please keep comments as civil as is reasonable for the topic.

Mo-mentum on centralized breach reporting?

A Missouri state bill requiring notification of the state attorney general as well as of individuals whose records have been exposed just took a step closer to becoming law.
As reported in the St. Louis Business Journal on April 1:

Missouri businesses would be required to notify consumers when their personal or financial information is compromised in security breaches, under a bill that received initial approval Wednesday from the Missouri Senate.
If the personal information of more than 1,000 Missourians has been breached, companies would be required to notify the state attorney general’s office, which would have the authority to seek civil penalties up to $150,000 per security breach, under the bill.
The legislation needs a second vote of approval before moving to the House for similar consideration.

St. Louis Business Journal
Should the bill become law, Missouri would become one of several states requiring centralized notification to state authorities for at least some breaches.

Torture is a Best Practice

I was going to title this “Painful Mistakes: Torture, Boyd and Lessons for Infosec,” but then decided that I wanted to talk about torture in a slightly different way.

The Washington Post reports that “Detainee’s Harsh Treatment Foiled No Plots” and [UK Foreign & Commonwealth Office] Finally Admits To Receiving Intelligence From Torture. From the Post story:

When CIA officials subjected their first high-value captive, Abu Zubaida, to waterboarding and other harsh interrogation methods, they were convinced that they had in their custody an al-Qaeda leader who knew details of operations yet to be unleashed, and they were facing increasing pressure from the White House to get those secrets out of him.

The methods succeeded in breaking him, and the stories he told of al-Qaeda terrorism plots sent CIA officers around the globe chasing leads.

In the end, though, not a single significant plot was foiled as a result of Abu Zubaida’s tortured confessions, according to former senior government officials who closely followed the interrogations.

The torture committed in our names undermines our claim to moral superiority. It doesn’t demolish it completely. Intentional mass murder of civilians is worse, but in war, you don’t want to have such arguments. You want to clearly have a right side and a wrong side, and torture usually sets you on the wrong side. Boyd laid out conflict as happening in a moral-mental-physical atmosphere, with moral being the most important. If you don’t have a moral claim to rightness, then your side’s mental willingness to fight for the cause is subject to alienation through propaganda. (This is why Al Qaeda shows so many videos of Guantanamo, Abu Ghraib, etc.) More on this in Chuck Spinney’s “When Strategic ‘Genius’ is Mortal Blunder.”

So why do people commit acts of torture? It’s because they believe that it works, and under the ticking time bomb theory, it’s the lesser evil. Or that what counts is “why the President thinks he needs to do that.”

There are two arguments against torture, the moral and the practical. Both are outlined in the articles cited at the top. I’d now like to turn back to the idea of best practices.

Best practices are ideas which make intuitive sense: don’t write down your passwords. Make backups. Educate your users. Shoot the guy in the kneecap and he’ll tell you what you need to know.

The trouble is that none of these are subjected to testing. No one bothers to design experiments to see if users who write down their passwords get broken into more than those who don’t. No one tests to see if user education works. (I did, once, and stopped advocating user education. Unfortunately, the tests were done under NDA.)

The other trouble is that once people get the idea that some idea is a best practice, they stop thinking about it critically. It might be because of the authority instinct that Milgram showed, or because they’ve invested effort and prestige in their solution, or because they believe the idea should work.

The next time someone suggests something because it’s a best practice, ask yourself: is this going to work? Will it be worth the cost?

Double-take Department, Madoff Division

The Daily Beast has a fascinating article that is a tell-all from a Madoff employee. I blinked as I read:

The employee learned the salaries of his colleagues when he secretly obtained a document listing them. “A senior computer programmer would make $350,000, where in most comparable firms they would be getting $200,000 to $250,000….”

Senior programmers getting a quarter-mil in “comparable firms”? Comparable in what way? Other multi-billion Ponzi schemes that stole from rich suckers and charities alike? Is this another thing to be angry at AIG for? (Cue rimshot.)

I know it’s a tell-all, but tell more, tell more. Another intriguing morsel can be found in:

The employee was part of a trading group, which was able to break a security code that he says led them to a site that was supposed to be seen only by the Madoff family. It showed the profits and losses of the legitimate businesses.

The group broke the code? The person broke the code? And do tell more. Perhaps the author, Lucinda Franks, has some more details for us. Or maybe she’s saving them for a second Pulitzer.

What Should FISA Look Like?

[Image: wiretap america.jpg]

Jim Burrows is working to kick off a conversation about what good reform of US telecom law would be. He kicks it off with “What does it mean to ‘get FISA right’?” and also here.

To “get it right”, let me suggest that we need:

  1. One law that covers all spying
  2. Require warrants when the US spies on
    1. Anyone in the US
    2. US persons (citizens and resident aliens) anywhere
  3. Allow the intelligence agencies to spy freely on foreigners overseas, even if the taps are in the US
  4. Require Executive, Judicial and Congressional oversight when protected and unprotected communications are entangled.
  5. Criminalize violation of the Constitution.

I think we need a law which works across media, and addresses both content and routing information. It should lay out broad principles of privacy protection for Americans and people in America, and the times when spying is acceptable, in ways that enable debate and discussion. We also need to address the very real abuses of past wiretapping statutes, perhaps with increasing oversight as time goes by.

This is a hard area, and I encourage you to join in the discussion here, on Jim’s blogs, or on your own.

I hit post too soon; I’d meant to explain the image. I picked the image because I believe that listening to phone calls is sometimes something we should allow a government to do. If we do it right, it’s a valuable tool. If we do it wrong, it becomes an intrusion and a betrayal of our values. To date, we are doing it wrong, with secret courts rubber-stamping requests under complex laws that few can understand. The result is that legitimate wiretapping is harder than it needs to be. Getting FISA right includes restoring public trust.

Image: Dr. Bulldog & Ronin.

More on Privacy Contracts

Law Prof Dan Solove took the A-Rod question I posted, and blogged much more in depth in A-Rod, Rihanna, and Confidentiality:

Shostack suggests that A-Rod might have an action for breach of contract. He might also have an action for the breach of confidentiality tort. Professor Neil Richards and I have written extensively about breach of confidentiality. The tort is recognized in most states, and it provides for liability whenever one owes a duty of confidentiality and breaches that duty. We observed, however, that the tort has remained “relatively obscure and frequently overlooked” in American law. In contrast, in England, the tort is robust and applies quite broadly. We suggested in our article that the American tort could develop more along the lines of the English tort, and it is, in fact, already beginning to head in that direction. See Neil M. Richards & Daniel J. Solove, Privacy’s Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007).

Lots more very interesting analysis. Check it out!

Don't put Peter Fleischer on Ice

Peter Fleischer is Google’s chief privacy counsel. I met Peter once at an IAPP event, and spoke pretty briefly. We have a lot of friends and colleagues in common.

He’s now threatened with three years of jail in Italy. Google took under 24 hours to remove a video which invaded the privacy of someone with Down Syndrome. See law firm Proskauer Rose’s “Google Execs Face Privacy Related and Other Criminal Charges for Taunting Video” or Dan Solove’s “Criminalizing Google’s YouTube in Italy” for background.

A small part of me is happy to see enforcement of privacy laws. This is clearly a sit up and take notice moment for many executives around privacy, and that might be for the good.

Much more, though, I think it’s to the detriment of much of what’s good about the internet, and not even good for privacy. On the scale of privacy invasions, this one isn’t like publishing someone’s medical records, their financial records, or their diary. It’s three minutes of bullying. I’m not trying to universalize my values, but it’s hard to understand 191 seconds of bullying as justifying three years in jail. The executive ‘takeaway’ from this is likely to be “we need to get those laws fixed.”

Google claims that 200,000 videos are uploaded to Google Video daily. There’s all sorts of good–people are enthralled, and choose to spend a tremendous amount of time watching that crap. No, really, 99% of it’s crap, but 1% is great, and we all differ on which video is which. It’s chaotic. The value of Google Video emerges from hundreds of thousands of people providing video, and Google making it available to others.

If Peter Fleischer goes to jail, that will stop. Not just at Google, but at other companies (not speaking for my employer–I have no knowledge of plans.) No executive will say this is worth jail time. The chilling effect would be massive, and also ineffective.

Video on the internet will move to a peer to peer system, just like music has. The ability to remove content will fall away, as will searchability. What’s more, we won’t gain much in privacy (except, perhaps, with regards to how much Google can observe). New business will be hesitant to step into these areas, and we’ll give up all the good which might emerge.

Ironically, Google’s aggressive tracking (with 3 domains worth of cookies and 2 Flash LSOs) offers up a perfect “more speech” opportunity. There are logs of who viewed the original video. It would be easy (if an apology video existed) to show it to each person who viewed the original video, and to measure what fraction had seen it.

None of this is aided by a threat of jail time for Peter Fleischer.

A-Rod had a privacy contract, and so did you

[Image: urine sample.jpg]

In 2003 the deal was simple: The players would submit to anonymous steroid testing, and if more than 5 percent tested positive, real testing with real penalties would begin in 2004.

But in 2003, the tests were going to be (A) anonymous and then (B) destroyed. Those were the rules of engagement, and in any civilized contest, the rules of engagement are critical. Everything has rules of engagement, even something as life-or-death as war. Ever heard of the Geneva Convention? Those are rules of engagement, and it’s something we are expected to follow — even against a war-time enemy we literally want to kill.

Somebody broke the rules of engagement with A-Rod. Baseball and the union were supposed to destroy the tests in 2003. If there was a master list linking each test to a specific player, that list was supposed to be destroyed, too. This was serious stuff, this confidentiality, and only because it was so serious did players like Alex Rodriguez submit to it. (“A-Rod should sue sinister system that snagged him,” CBS Sports)

So there’s an obvious violation of the contract, which may or may not have specified damages. Are there other torts here?

It seems that given the nature of the literally irreparable harms to reputation that privacy invasions can entail, the law may or may not have reasonable remedies here. (Note that I said irreparable, not un-compensatable or even of great magnitude. Even if it turns out that the tests were flawed, A-Rod’s reputation will be permanently sullied by those who remember the initial burst of news.)

There’s also a tie to Facebook’s latest changing and re-changing of their privacy rules.

The idea that your privacy contract is fungible and flexible inhibits the creation of a real market differentiation around privacy. If a company can change the rules at any time, why bother reading what they say today?

What should the law say about this?

Image: StockXpert.

[Update: Dan Solove has very interesting follow-on analysis in “A-Rod, Rihanna, and Confidentiality.”]