Bookmarked Rethinking Encryption (Lawfare)

We all need to deal with reality. And in my experience, that’s what the people who have dedicated their lives to protecting all of us—such as the employees of the FBI—usually do best. How else do you stop the bad guys but by living in reality and aggressively taking the fight to them based on an accurate assessment of the facts? I am most certainly not advocating surrender, but public safety officials need to take a different approach to encryption as a way to more effectively thwart our adversaries, protect the American people and uphold the Constitution in light of the existential cybersecurity threat that society faces. If law enforcement doesn’t want to embrace encryption as I have suggested here, then it needs to find other ways to protect the nation from existential cyber threats because, so far, it has failed to do so effectively.

Jim Baker takes a deep dive into the world of security, encryption and zero-trust networks. He touches on the current gap in the law: the government can compel access to data, but nothing says that what it receives must not be encrypted:

Put differently, the legal problem for law enforcement is not the Fourth Amendment. Investigators and prosecutors can and do obtain warrants to authorize searches, seizures and surveillance of encrypted digital evidence. The problem is that there is no law that clearly empowers governmental actors to obtain court orders to compel third parties (such as equipment manufacturers and service providers) to configure their systems to allow the government to obtain the plain text (i.e., decrypted) contents of, for example, an Android or iPhone or messages sent via iMessage or WhatsApp. In other words, under current law, the most the government can do with respect to encrypted systems where the manufacturer or service provider does not hold the encryption keys is to demand that companies provide it with an encrypted blob for which they have no mechanism to decrypt.

One suggested workaround is better use of metadata to support law enforcement:

If, in fact, governments more aggressively support encryption, they will have to focus even more on collecting and analyzing noncontent metadata, increasingly aided by advanced data analytics driven by machine learning and other artificial intelligence tools. I know full well that obtaining noncontent metadata, while useful, is not the same as collecting the full content of communications and documents. It is hard to use metadata, for example, to prove criminal intent or to understand exactly what a spy or a terrorist is plotting. But we are in a world where content is increasingly unavailable and there is a wealth of metadata. So, the government should focus on collecting the right data and developing or buying top-notch analytical tools. In doing so, of course, it needs to make sure that such metadata collection and analysis is consistent with the Fourth Amendment. Admittedly, that will be more complicated in light of the U.S. Supreme Court’s decision in Carpenter v. United States. And it will be harder to do all this in the face of efforts by some companies to further anonymize public internet metadata. Nevertheless, this is where law enforcement finds itself since it has not persuaded Congress to act.

However, what this all highlights is that every country has its own set of rules, so this is a debate that needs to be had in many jurisdictions.

Listened Security vs privacy – who wins? Chips with Everything podcast from the Guardian

Ministers from several countries have written an open letter to the Facebook CEO, Mark Zuckerberg, asking him not to fully encrypt all of the company’s messaging services. This week, Jordan Erica Webber talks to The Guardian’s tech reporter Julia Carrie Wong and security expert Alan Woodward about the implications of restricting end-to-end encryption.

Jordan Erica Webber unpacks the push by some governments to limit end-to-end encryption and the impact this would have on privacy and security. Cory Doctorow also discusses this on the Bitcoin Podcast, while Edwina Stott explores this topic on the Future Tense Podcast.

Liked Your phone is a crimewave in your pocket, and it’s all the fault of greedy carriers and complicit regulators (Boing Boing)

Insider attacks, cell-site simulators, SIM-swap attacks, thriving markets in super-cheap, fine-grained location data, robocalls, fictitious coverage maps, and more: does the fact that all this terrible shit keeps happening, and only gets worse, mean that mobile companies and the FCC just don’t give a fuck if your mobile phone is a crime wave you carry around with you in your pocket?

Bookmarked #Domains19: Minority Report – One Nation Under CCTV (MASHe)

As the creator of TAGS, privacy and surveillance often sit at the back of my mind. From the beginning TAGS was designed to help show people the amount of data we personally share and how easy it is for anyone to access. We all know that technology is not neutral, and whilst there is a long list of people using TAGS for positive purposes, by its nature there are some who turn to the dark side.

In a keynote for Domains19, Martin Hawksey takes a look at privacy and security. He shares a number of experiments (Domain Invaders and They Live) designed to highlight what is possible. It is interesting to consider all this alongside Kin Lane’s sentinelization of APIs. I wonder if it is about being informed?

Bookmarked Do You Trust Your VPN? Are You Sure? by Will Oremus (Slate Magazine)

Virtual private networks are now a must-have privacy tool. But good luck figuring out which ones will actually make you safer.

Will Oremus explores the world of VPNs. He explains the differences between free and paid subscriptions, as well as who owns the company and why it is not always possible to know.

Marginalia

One of the only definitive takeaways, besides “steer clear of free VPNs,” is that your choice of VPN should depend on what you’re using it for. If you’re just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that’s clear about both who owns it and how it treats your data. If your goal is to torrent pirated files, view blocked content, assassinate an ambassador, or otherwise evade the long arm of your government (or the governments it shares intelligence with), one based offshore might be a better bet—provided you’re quite sure it doesn’t have secret ties to the government you’re trying to evade.

via Ian O’Byrne

Liked Phone Numbers Were Never Meant as ID. Now We’re All At Risk (WIRED)

So if you’re looking for an alternative to the phone number, start with something more easily replaceable. Hardjono suggests, for example, that smartphones could generate unique identifiers by combining a user’s phone number and the IMEI device ID number assigned to every smartphone. That number would be valid for the life of the device, and would naturally change whenever you got a new phone. If you needed to change it for whatever reason, you could do so with relative ease. Under that system, you could continue to give out your phone number without worrying about what else it might affect.

Replied to Too Long; Didn’t Read #163 (W. Ian O’Byrne)

I’ve talked about two-factor authentication (2FA) in the past. Basically, when you log in to a site/service, you need to give another proof of identity. In this case, you would insert the USB stick, or click the Bluetooth sensor on your keychain.

This reminds me, I got given a YubiKey and never got around to setting everything up.

Bookmarked B-Tags, Photos, Technology & Surveillance (W. Ian O’Byrne)

These technologies provide amazing opportunities to provide real services to our lives. I experienced this first hand as we enjoyed our time in this road race, and will look forward to the next one together. I was impressed by the use of technology as I was interacting with these sources and signals. At the same time, I was still plagued by a number of questions as I was thinking about these tools, and other possible uses. In our current and future societies, we need to examine these uses and think about how or why we use these solutions.

Ian O’Byrne reflects on the use of ChronoTrack B-Tags consisting of two stickers that contain RFID antennas to track participants in a fun run. This is used to monitor participants, but also connect them with commercial opportunities. Along with facial recognition and smart badges, this is another example of the continual evolution of the surveillance state.

📓 Privacy vs Security

Ian O’Byrne provides a comparison between privacy and security:

Privacy is often defined as the right of an individual to keep his/her individual information from being disclosed. This is typically achieved through policies and procedures. Privacy encompasses controlling who is authorized to access your information; and under what conditions information may be accessed, used and/or disclosed to a third party. Security is defined as the mechanism in place to protect the privacy of information. This includes the ability to control access to information, as well as to safeguard information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls.

Doug Belshaw visually represents this to drive the point home:

Mike Caulfield discusses the future of privacy and suggests that there is work to be done with regard to participatory culture:

I’m sure that the powers that be in Silicon Valley believe in “the end of privacy”, just like they believe in technocratic meritocracy. The most attractive thing for any programmer to believe is that new technologies will render the messiness of social relations obsolete. But this idea, that privacy is antiquated, will lead to institutional and organizational collapse on a massive scale, which is why a transparency organization like Wikileaks is the favorite tool of dictators.

Lizzie O’Shea explains how Mark Zuckerberg’s call for increased privacy fails to capture the agency associated with it all:

A better understanding of privacy will not be limited to design concepts generated by highly profitable social media platforms. It needs to encompass how privacy is an essential component of our agency as human beings. Agency, to be explored and expressed fully, requires that we have space outside the influence of capitalism—to have freedom from market forces seeking to manipulate our unconscious. Privacy demands that human emotions like shame, joy, guilt, and desire be explored without someone seeking to profit from the process without us noticing.