Earlier this month, an inmate in Texas was denied access to computers and an electronic messaging system because he ordered a copy of the information security handbook Hacking Exposed. Does simply ordering a copy of an information security handbook render an individual a threat to the safe, secure, and orderly operation of a federal prison? Almost certainly not.
Hacking Exposed was written by three well-respected information security professionals, two of whom work at McAfee, and is intended to educate infosec professionals about the threat landscape. But the warden of the prison, and subsequently a federal district court, found that just by ordering the book, Reginald Green constituted a substantial enough threat to the orderly running of the prison to ban him from accessing the TRULINCS electronic messaging system or using computers for the rest of his incarceration. Could the exploit information contained within Hacking Exposed be misused in the right environment? Sure, but so could lots of other things, like the hammers in the prison workshop or the weights in the prison gym.
This is an unfortunate, aggressive reaction to the social concept of "the hacker," without pausing to consider the facts of the case. If the book had been called "Offensive Information Security" instead of "Hacking Exposed," would it have been confiscated, or Mr. Green deemed a threat? We've seen many examples of security researchers and others calling themselves hackers and falling under undue and aggressive legal scrutiny because their motives and actions were misconstrued. This is in part because the term "hacker" can, in general parlance, mean anything from a DIY enthusiast building portable chargers in Altoids tins to a hardcore cybercriminal selling stolen credit card numbers on a deep web message board. Individuals either calling themselves hackers or dubbed so by the media have been repeatedly targeted for publishing information on how to jailbreak your own devices. For example, Sony sued members of the hacker group fail0verflow after they revealed at CCC that they'd mathematically calculated the keys Sony uses to ensure only approved code runs on the PS3. In the same suit, Sony also sued George Hotz, better known as GeoHot, jailbreaker of the iPhone, for publishing the PS3 root key, even though he made clear he didn't do so to enable people to run pirated games. People have also been targeted for offering jailbreaking services commercially. For instance, prosecutors brought criminal charges against Matthew Crippen for modding XBOX 360s to run DRM-free games; the charges were ultimately dismissed.
Whether you call them hackers, makers, tinkerers, or information security researchers, people on the hacking spectrum have been a boon to society for decades. They power innovation in all sectors and operate as a valuable check on the security and stability of the technology that forms the basis for our modern society. Their curiosity drives our economy and challenges entrenched corporate and governmental interests. However, the word “hacker” has changed since its origins in creative prank culture and innovative computing at MIT, and is now popularly used, more often than not, as a pejorative one that encourages fear-based knee-jerk reactions. Hackers are used as go-to villains by policy makers, who wave the nightmare scenario of rampant cybercrime and imminent cyberwar to justify legislative proposals that threaten to encroach on your digital civil liberties.
What is being attacked here is the ability of individuals to pursue technical knowledge. Rather than evaluating the actual threat posed by Mr. Green having ordered the Hacking Exposed book, the warden in this case appears to have latched onto the word "hacking" and overreacted.
In recent years, online tracking companies have begun to monitor our clicks, searches and reading habits as we move around the Internet. If you are concerned about pervasive online web tracking by behavioral advertisers, then you may want to enable Do Not Track on your web browser. Do Not Track is unique in that it combines both technology (a signal transmitted from a user, sent as an HTTP request header) as well as a policy framework for how companies that receive the signal should respond. As more and more websites respect the Do Not Track signal from your browser, it becomes a more effective tool for protecting your privacy. EFF is working with privacy advocates and industry representatives through the W3C Tracking Protection Working Group to define standards for how websites that receive the Do Not Track signal ought to respond in order to best respect consumers' choices.
The following tutorial walks you through enabling Do Not Track in the four most popular browsers: Safari, Internet Explorer 9, Firefox, and Chrome.
Safari
On the menu bar at the top of your screen, click on Preferences.
Select the Advanced preferences panel, shown in the screenshot below.
Check the box at the bottom of the menu labeled "Show Develop menu in menu bar."
On the menu bar at the top of your screen, click on Develop, shown in the screenshot below.
Click on "Send Do Not Track HTTP Header."
Congratulations. You have enabled Do Not Track on your Safari browser.
Internet Explorer 9
On the menu bar at the top of your screen, click the Tools button, which is shaped like a gear.
Point to Safety, and then click Tracking Protection, shown in the screenshot below.
In the Manage Add-ons dialog box that opens, shown in the screenshot below, select Tracking Protection on the left.
Click a Tracking Protection List, and then click the Enable button in the lower right-hand corner of the box, shown in the screenshot below.
Congratulations. You have enabled Do Not Track on your Microsoft Internet Explorer 9 browser.
Firefox
On the menu bar at the top of your screen, click on Preferences.
Select the Privacy tab, shown in the screenshot below.
At the top of this menu, check the box labeled "Tell websites I do not want to be tracked."
Congratulations. You have enabled Do Not Track on your Firefox browser.
Chrome
To enable Do Not Track in Chrome, you will need to install the Do Not Track browser extension.
On the menu bar at the top of your screen, click on Window.
In the Window menu, click on Extensions.
Chrome will display a control panel which shows all of the extensions you have installed on your browser, shown in the screenshot below.
If you do not have any extensions installed, click the "Browse the gallery" link, shown above. If you have extensions installed already, scroll to the bottom of the control panel and click the "Get more extensions" link. Either link will take you to the Chrome Web Store, shown in the screenshot below.
In the search box in the upper left hand corner, type "Do not track."
Select the Do Not Track extension (EFF recommends the one written by Jonathan Mayer) and click "Add to Chrome."
In the drop down menu, shown in the screenshot below, click "Add."
Congratulations. You have installed the Do Not Track extension on your Chrome browser.
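What the browser actually sends once any of the steps above is done is a single request header, `DNT: 1`, and the policy half of Do Not Track is what a site does when it sees it. The following is an added example (not code from the original post, and not any particular site's implementation) of the receiving side: it parses a raw HTTP request, reads the DNT preference, and decides whether a tracking cookie may be set. The sample requests are constructed, and the `Tk` response header is the tracking-status header from the W3C Tracking Preference Expression draft; sending it, and the default-to-tracking behaviour when no header is present, are this example's assumptions about the site's policy.

```python
"""Honouring Do Not Track on the server side.

Added example; not code from the original post.  The signal is a single
request header: "DNT: 1" (do not track), "DNT: 0" (tracking consented to)
or no header at all (no preference expressed).  The "Tk" response header
is the tracking-status header from the W3C Tracking Preference Expression
draft; sending it is this example's assumption about the site's policy.
"""
from typing import Dict, Optional, Tuple

# Constructed sample requests (not captured traffic).
REQUEST_DNT_ON = (b"GET /pixel.gif HTTP/1.1\r\n"
                  b"Host: ads.example\r\n"
                  b"DNT: 1\r\n\r\n")
REQUEST_DNT_OFF = (b"GET /pixel.gif HTTP/1.1\r\n"
                   b"Host: ads.example\r\n"
                   b"dnt: 0\r\n\r\n")
REQUEST_NO_DNT = (b"GET /pixel.gif HTTP/1.1\r\n"
                  b"Host: ads.example\r\n\r\n")
REQUEST_DNT_BAD = (b"GET /pixel.gif HTTP/1.1\r\n"
                   b"Host: ads.example\r\n"
                   b"DNT: yes\r\n\r\n")


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x request.

    Header names are case-insensitive, so keys are lower-cased.  If a
    header is repeated, the last value wins."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:            # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def dnt_preference(headers: Dict[str, str]) -> Optional[bool]:
    """Return True for "DNT: 1", False for "DNT: 0", None otherwise.

    Only the two defined values are honoured; anything else ("yes",
    "true", empty) is treated as no preference rather than guessed at."""
    value = headers.get("dnt")
    if value == "1":
        return True
    if value == "0":
        return False
    return None


def tracking_decision(headers: Dict[str, str],
                      default_tracks: bool = True) -> Tuple[bool, Dict[str, str]]:
    """Decide whether this response may set a tracking cookie.

    Returns (track, response_headers).  The policy side: an explicit
    DNT value overrides the site default; with no signal the site's
    default applies."""
    pref = dnt_preference(headers)
    track = default_tracks if pref is None else not pref
    response = {"Tk": "T" if track else "N"}
    if track:
        # Constructed cookie; a real site would issue its own identifier.
        response["Set-Cookie"] = "adid=a1b2c3; Path=/; Max-Age=31536000; HttpOnly"
    return track, response


def handle(raw_request: bytes) -> Tuple[bool, Dict[str, str]]:
    """Convenience wrapper: raw request bytes in, decision out."""
    return tracking_decision(parse_headers(raw_request))


if __name__ == "__main__":
    for req in (REQUEST_DNT_ON, REQUEST_DNT_OFF, REQUEST_NO_DNT, REQUEST_DNT_BAD):
        print(req.split(b"\r\n")[2] or b"(no DNT header)", handle(req))
```

Two details matter in practice. The header name is matched case-insensitively, because `dnt: 0` and `DNT: 0` are the same header on the wire, and only the two defined values are honoured, so a malformed value cannot be read as consent. Whether a site defaults to tracking when no header is present is a policy question, not a technical one, which is exactly why the working group exists.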
EFF has been monitoring governmental proposals for national identification schemes, with an eye toward evaluating the privacy implications of these new systems. In Japan, where an existing program issues unique ID numbers to citizens at the municipal level and shares information on a national network, a bill is under consideration that would create a new ID framework. Submitted by the Japanese Cabinet in February of 2012, the “My Number Bill” would issue new unique ID numbers to participating citizens. The stated purpose is to streamline information sharing between governmental bodies administering tax, social security, and disaster mitigation programs. If the law is enacted, the My Number system will begin operating in 2015.
So far, there are no signs that Japan's government will follow the increasingly common trend of requiring citizens to submit biometric data, such as fingerprint or iris scans, in order to enroll. Nevertheless, it’s clear that data submitted by participating citizens will be subject to greater information sharing than under the prior system. This planned expansion gives rise to serious questions about whether individuals’ personally identifiable information will be adequately protected. While the existing ID framework is already highly controversial due to privacy concerns, this proposal will disseminate personal data farther and wider, making it even harder for individuals to exercise control over their own information.
Japan’s current unique ID system
Under the mandatory Basic Resident Register program, every Japanese citizen must provide his or her name, birthdate, gender and physical address to municipal governments. With the implementation of the Resident Basic Register Network System in 2002, these four types of information began to be fed into a nationwide computer network, the Juki-net, set up to share data between government agencies. The new system combined the resident registration databases of 3,200 municipal governments, and assigned every Japanese citizen an ID number.  Under this framework, citizens may also opt to obtain ID cards, which contain integrated circuit chips.
When an individual moves to a new city, or changes his or her name following marriage or divorce, the informational updates are logged in the Juki-net. The practice of logging such updates afforded government for the first time the ability to instantly obtain information about personal histories and to track individuals' movements over the course of multiple years, according to the analysis of Midori Osagawara, a former journalist who reported on the Juki-net for national Japanese newspaper Asahi Shimbun. “In the past, [a government] official could barely track [an individuals’] data by looking at the paper-based Resident Basic Registry, because the registry was discretely stored in the municipal office,” Osagawara noted in her thesis on Japan ID systems. “By removing the constraint of a stored location, the government could transcend the constraint of time, too. Now, personal data on Juki-net are automatically updated with references to the past.”
The Juki-net became a major source of controversy in Japan when it was launched. A newspaper opinion poll conducted just before implementation found that 86 percent of respondents were afraid of data leakage or improper use of information, while 76 percent thought implementation should be postponed. Several lawsuits challenged the new system, charging that it constituted a violation of the right to privacy guaranteed by Article 13 of the Japanese Constitution. Protests were mounted as well; 70 municipal assemblies and 29 mayors passed resolutions demanding the government postpone Juki-net’s implementation. In one city, whose mayor made it possible for citizens to opt out, 839,539 citizens went to city offices to register for non-participation. Following a Supreme Court ruling that found Juki-net to be constitutional, the citizens who’d requested to opt out were enrolled anyway.
In 2008, the Juki-net withstood a legal challenge when Japan’s Supreme Court ruled that it was constitutional, reversing a lower court’s 2006 ruling that the system violated privacy rights guaranteed by Article 13 of the Japanese Constitution.
Plaintiffs had argued that Juki-net illegally subjected citizens to risks of personal information leakage, and that it infringed upon rights guaranteed under Article 13 of the Japanese Constitution, which states, “all of the people shall be respected as individuals. Their right to life, liberty, and the pursuit of happiness shall, to the extent that it does not interfere with the public welfare, be the supreme consideration in legislation and in other governmental affairs.” Yet the court rejected these arguments when it found the Juki-net system did not violate Article 13.
The court determined that there was a low risk that information could be leaked due to the technical system design, and highlighted the absence of a centralized database that would enable consolidated control over personal information by any single governmental agency. It also found that the nature of the collected data was not highly confidential.
While Japan’s decision to prevent the creation of a centralized database places it ahead of the curve on privacy when compared with many other countries that have implemented national ID systems, it’s important to remember that any digital collection of personal information opens the door to potential data breaches. Meanwhile, the court’s assertion that the data is not of a highly sensitive nature fails to take into consideration the fact that reliable inferences can be made about highly sensitive data by building upon multiple categories of non-sensitive data. For instance, Carnegie Mellon researchers Alessandro Acquisti and Ralph Gross published an article in 2009 demonstrating how social security numbers could be predicted by combining various kinds of widely available data, such as individuals’ birthdates and places of birth.
Expanded information sharing
The My Number Bill would essentially take the Juki-Net a step farther, by generating new unique ID numbers and allowing information sharing between the agencies that administer social security, tax, and disaster mitigation programs. The newly generated unique ID numbers would be used as a "key" to link records of individuals' income and payments, and benefits for pensions, health care and other services.
The My Number Bill also seems to be envisioned as a first step toward an increasingly networked system that would integrate highly sensitive information and could be opened up to private-sector use.
The bill was drafted based on a policy outline that won Cabinet approval in June of 2011. The policy outline hints at plans to formulate special statutes around highly confidential personal information, such as medical records. It also describes the possibility of linking unique ID numbers to medical data for research purposes, as long as patients’ anonymity is maintained. Yet this sets a dangerous precedent; researchers Arvind Narayanan and Vitaly Shmatikov, among others, have shown that attempts at “de-identification” are not always effective, since records stripped of direct identifiers can often be re-linked to individuals using auxiliary data.
Under the bill, the lack of a centralized database is designed to prevent any single governmental body from storing all of an individual's personal information, and an independent monitoring body will be created to ensure personal information is adequately protected. Nevertheless, such measures against data leakage can never be guaranteed to be 100 percent effective.
According to the policy framework paper, the program would be launched in January 2015 in the spheres of social security, tax, and disaster mitigation; by around 2018, the government will evaluate progress and consider expansion to other areas, such as the medical field. Taking into account political controversy currently surrounding Japan’s consumption tax increase, which is tangentially linked to the unique ID proposal since the program aims to streamline tax administration and processing, it’s still too early to say whether the My Number Bill will win approval.
Reactions from the Japanese public
The Japan Federation Bar Association has publicly opposed the My Number Bill, criticizing the program for failing to respect the right to control one’s own personal information.
A number of nongovernmental organizations, such as Japan’s Privacy Action and the Anti Ju-Ki Net Association, also came out against Japan’s proposed unique ID system in public comments submitted to the Cabinet Secretariat in July and August of 2011. They argued that the national ID isn’t really necessary to reform social security and tax programs, and that human rights and personal privacy will be jeopardized no matter what, since it’s impossible to guarantee 100 percent safety when it comes to technology and the potential for human error or active exploitation. Others argued that statutory protections of personal information are ineffective, and that not enough consideration has been given to the shortcomings of the Ju-ki Net. Some NGOs expressed doubts that the ID system would protect citizens’ rights, and called for a cost-benefit analysis prior to implementing the new program.
The Japan Medical Association has voiced concerns about the idea of linking unique ID numbers to medical records. At a press conference in March, the organization noted that highly sensitive patient information could be leaked.
Osagawara, the Japanese journalist and surveillance scholar, offered a sharp critique of the Juki-net, focusing on the expanding requirements for information sharing. “Even in a short-term observation, Juki-net’s development shows how a computer network inevitably expands for data sharing,” she wrote. “Once it is established, it increases the scope of data, engages in multiple tasks, and escapes from legal constraints and democratic transparency.”
We have concerns that the unique ID proposal seems to be moving Japan in a worrisome direction of expanded information sharing that is more sensitive in nature. As we have seen in places such as the UK, where leaks of everything from medical histories to criminal records were attributed to the very government agents entrusted with overseeing a database administered by the UK government’s Department for Work and Pensions, serious challenges arise when digital records of sensitive personal information are created and incorporated into a national network.
DHS’s Office of Inspector General (OIG) recently released a report (pdf) detailing multiple problems with the drones used to patrol US borders. This report, combined with the Federal Aviation Administration’s lack of openness about its drone authorization program and failure to disclose the true number of entities flying drones, shows that the federal government is moving far too quickly in its plans to dramatically expand the number of domestic drones flying in the United States over the next few years.
The DHS OIG report, which reviewed the drone program run by Customs & Border Protection (CBP), noted several serious problems with the program, including lack of appropriate equipment and staff to fly the drones safely and lack of processes or procedures to prioritize requests for drone flights. This is especially troubling, given the agency has been flying drones since 2004.
CBP currently has nine unarmed Predator drones in its arsenal, each purchased at a cost of $18 million. The drones cost $3,000 per hour to fly, and, according to the OIG report, the agency spent over $55 million (pdf) to operate and maintain the drones between 2006 and 2011. Despite these costs, CBP never made a specific budget request to Congress for the funds, and has thus far failed to seek compensation from the other federal and state agencies it loans its drones to. Instead, the agency diverted $25 million from other programs to cover these costs.
This lack of adequate planning and oversight is concerning, given the government’s push to quickly expand the number of domestic drone flights (see the timeline above and linked) and the little we know so far about drones currently flying in the US. As we’ve written previously, despite our FOIA lawsuit and significant public interest, the FAA has yet to release any information on the number and types of drones public entities are currently flying in the United States. On top of this, the FAA has failed to account for the discrepancies between the number of public entities flying drones as listed on a July 2011 “Fact Sheet” (pdf) (90 entities) and the list it released to EFF this April (60 entities).2
Despite all this, there are a few bright spots in the recent drone news. Congressman Austin Scott from Georgia just introduced a bill before the House that’s designed to “protect individual privacy against unwarranted governmental intrusion” from drones. The bill would require federal agents to get a warrant before using a “drone to gather evidence or other information pertaining to criminal conduct or conduct in violation of a regulation.” Senator Rand Paul introduced a similar bill in the Senate. While both bills have some drawbacks (the Scott bill doesn’t appear to apply to state or local law enforcement, and both bills seem to have large loopholes for border searches and terrorist-related investigations), they are good first steps toward regulating police use of drones.
If you’re concerned about the lack of transparency and adequate legal procedures for drone use in your area, we encourage you to support Congressional efforts to develop a law that would place restrictions on the use of drones for surveillance. We also encourage you to help EFF find out how your local police agency is using drones by contacting your local agency and reporting back to us. We will continue to monitor and report on domestic drone flights here.
2. The FAA later quietly updated this list on its website (pdf). According to a discussion with the FAA’s attorney, the FAA employee who created the “Fact Sheet” no longer works at the agency, so the FAA doesn’t really know how he arrived at the numbers on the Sheet. The attorney later clarified that “some agencies on the list released to EFF have ‘sub-layers’ that were counted as separate proponents for purposes of the Fact Sheet,” however, the FAA was tightlipped on what these “sub-layers” were.
Nominations are now open for EFF’s 21st Annual Pioneer Awards, to be presented this Fall in San Francisco. EFF established the Pioneer Awards in 1992 to recognize leaders on the electronic frontier who are extending freedom and innovation in the realm of information technology. Nominations will be open until Monday, August 6th. Nominate the next Pioneer Award winner today!
What does it take to be a Pioneer? There are no specific categories, but nominees must have contributed substantially to the health, growth, accessibility, or freedom of computer-based communications. Their contributions may be technical, social, legal, academic, economic or cultural. This year’s pioneers will join an esteemed group of past award winners that includes World Wide Web inventor Tim Berners-Lee, security expert Bruce Schneier, open source advocate Mozilla Foundation, and privacy rights activist Beth Givens.
Remember, nominations are due no later than midnight on Monday, August 6th! And after you nominate your favorites, we hope you will join us on September 20th in San Francisco to celebrate the work of this year’s winners. Tickets are available now.
With weeks left to go on our third annual fundraising contest, supporters have already raised over $4,000 in donations to help support EFF and the Coders’ Rights Project! Our thanks to The Holy Handgrenades leading the pack at $1,410.78, with last year’s Grand Prize Winners InfoSec Daily Podcast (ISDPodcast) at $801, followed closely by the dc404 crew at $675. You’re doing great! EFF’s annual D(EFF)CONtest helps fund tireless legal defense, activism, counseling, and community education for professional security researchers and tinkerers alike. Through these donor-supported efforts, EFF stands behind everyone who values knowledge and the freedom to innovate.
You can help by donating to EFF through one of the D(EFF)CONtest teams listed below, or by starting your own team today! Fabulous prizes await the winners, including a weekend stay at the Rio Hotel and Casino, DEF CON Human Badges, Ninja Party badges, passes to the Summit party, the iSEC Partners party, and EFF swag including our exclusive DEF CON 20 Script Kitty T-Shirt. Contestants unlock a Script Kitty Trophy at every $250 and one of the new shirts at $500!
So if you can't go to Las Vegas this summer, get your limited edition DEF CON 20 Script Kitty T-Shirt online when you join or renew at the Gold Membership Level or higher. You can even reserve a spot at the Summit party with Vegas 2.0 and a host of security research luminaries. Start by visiting one of the D(EFF)CONtest team pages and clicking the "Donate Now" button:
Thanks, everyone! Find more details about the contest at https://www.eff.org/DEFCON or email us at email@example.com. The D(EFF)CONtest ends after 11:59:59 PDT on July 4, 2012, so there is still time to sign up and win. Go 1337 or Go Home!
Syrian blogger and human rights activist Razan Ghazzawi, who in December was charged with, among other things, "weakening national sentiment" for her work with the Syrian Center for Media and Freedom of Expression, received the Front Line Defenders' human rights defenders at risk award last week. EFF extends our utmost congratulations to Ghazzawi, whose work we have defended.
Ghazzawi was first arrested in December, then released along with other members of her organization, only to be re-arrested in a raid on their office in February (and released again shortly after). She still faces charges of "possessing prohibited materials with the intent to disseminate them."
Dlshad Othman of the Syrian Center for Media and Freedom of Expression accepted the award in Dublin on behalf of Ghazzawi, who remains in Syria. A video compilation of Ghazzawi is available here.
Internet shutdowns, content filtering, arrests of bloggers, and online surveillance in North Africa have been headline news for the past year and a half, but internet issues in the rest of the African continent haven’t received quite as much press coverage. This silence is partly because there is simply less internet penetration south of the Sahara, but there may also be a paralyzing current of opinion whereby stories that highlight human rights issues or a lack of democracy in the region are either dismissed as old news or written off as paternalistic.
Ethiopia sometimes gets particularly little coverage in Western or international media because the political situation there is not nearly as dramatic as it is in other countries in sub-Saharan Africa. The government is nominally structured as a parliamentary democracy and it has good relations with the United States and Europe. Still, the ruling Ethiopian People's Revolutionary Democratic Front tightly controls the country’s electoral politics and media representation.
Internet censorship and content filtering are well-established in Ethiopia. The state owns and manages the country’s sole Internet service provider, Ethiopian Telecommunication Corporation (Ethio-Telecom). While Ethiopian Internet penetration is only about 1%, there is still a vibrant, tightly-knit community of bloggers whose websites, blogs, and Facebook pages have been blocked by the government. The blocks themselves look innocuous to Ethiopian Internet users, because the connection is silently dropped rather than refused: the browser simply reports that the server request has timed out, which is indistinguishable from an ordinary network failure.
This error-message block is similar to what users have experienced in China when trying to access censored websites or use restricted search terms. It figures, then, that the Ethiopian and Chinese governments have conducted joint workshops on “mass media institution” management and Internet management. Inexpensive Chinese technology has also replaced American technology for building Ethiopian Internet infrastructure.
EFF recently reported on a new Telecom Service Infringement Law that includes explicit content-filtering provisions that protect “national security.” The law criminalizes online speech that may be construed as defamatory or terrorist, and holds the website or account owner liable even if the speech is posted as a comment by a third party on their website. These speech-chilling stipulations are hidden deep within a licensing bill that would, on the surface, seem to simply clarify Ethio-Telecom’s power to regulate Internet services such as VoIP.
Aggressive content regulation through secret filtering and legal restrictions is just the beginning of Ethiopia’s draconian Internet policy. Ethio-Telecom has recently begun deep packet inspection of all Internet traffic in the country. Engineers at the Tor Project discovered this when Tor stopped working in Ethiopia weeks ago. They determined that the Internet service provider had figured out how to fingerprint Tor's TLS connections from the handshake and block them. Bridge configuration, the ordinary way to get around Tor blocks in other countries, failed to work in Ethiopia until a workaround was subsequently developed: since the fingerprint is taken from the handshake itself rather than from the address of the Tor relay, changing the entry point alone does not help. An engineer at Tor later hypothesized, “My guess is that they are only blocking Tor because whatever device (probably from an outside firm) they have came with a block-Tor-plugin.” At this time, the only other countries that actively block access to Tor are China and Iran.
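The following is an added example (not code from the post, from the Tor Project, or from any DPI vendor) of what a middlebox doing this kind of fingerprinting has to work with. The TLS ClientHello is sent in the clear before any encryption is negotiated, so an inspector can read the offered protocol version, cipher suites, extension list and SNI host name without breaking the encryption at all, and a block rule can match on the shape of that handshake. The sample handshakes, cipher suite lists and the blocklist entry are constructed for the example; the page does not say which features Ethio-Telecom's equipment actually keyed on, and nothing below is Tor's real handshake.

```python
"""What a DPI box fingerprinting TLS handshakes has to work with.

Added example; not code from the post, from Tor, or from any DPI vendor.
The TLS ClientHello is sent in the clear, so a middlebox can read the
offered protocol version, cipher suites, extensions and the SNI host name
without breaking the encryption, and block on a fingerprint of them.
The sample handshakes and the blocklist entry are constructed; the page
does not say which features Ethio-Telecom's equipment keyed on.
"""
import struct
from typing import List, Optional, Sequence

SNI_EXTENSION = 0


def build_client_hello(suites: Sequence[int], sni: Optional[str] = None,
                       version: int = 0x0301, extra_ext: Sequence[int] = ()) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (used only to make test input)."""
    body = struct.pack("!H", version) + bytes(32)        # version, then a zero client random
    body += b"\x00"                                      # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXTENSION, len(data)) + data
    for etype in extra_ext:
        exts += struct.pack("!HH", etype, 0)             # extensions with empty bodies
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a server_name extension, if any."""
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + name_len]
        if name_type == 0:
            return name.decode("ascii", errors="replace")
        pos += 3 + name_len
    return None


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ClientHello; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    hello = hs[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                         # skip the client random
    pos += 1 + hello[pos]                                # skip the session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                                # skip the compression methods
    extensions: List[int] = []
    sni = None
    if pos + 2 <= len(hello):                            # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == SNI_EXTENSION:
                sni = _parse_sni(edata)
    return {"version": version, "cipher_suites": suites, "extensions": extensions, "sni": sni}


def fingerprint(info: dict) -> str:
    """Version, offered suites and extension order in hex: the shape of the handshake."""
    return "%04x:%s:%s" % (info["version"],
                           ",".join("%04x" % s for s in info["cipher_suites"]),
                           ",".join("%04x" % e for e in info["extensions"]))


def should_block(record: bytes, blocklist: Sequence[str]) -> bool:
    """A DPI rule: drop the flow if the ClientHello's fingerprint is listed.
    Non-TLS traffic passes.  The rule never looks at the destination address,
    which is why changing the entry point (a bridge) alone does not evade it."""
    try:
        return fingerprint(parse_client_hello(record)) in blocklist
    except ValueError:
        return False


# Constructed samples: a browser-like hello and one with a distinctive shape.
BROWSER_HELLO = build_client_hello([0xC02B, 0xC02F, 0x009C, 0x002F], sni="www.example.com",
                                   extra_ext=(0x000A, 0x000B, 0x000D))
ODD_HELLO = build_client_hello([0x0039, 0x0033, 0x0016], sni="www.abcdefgh.example",
                               extra_ext=(0x000B,))
BLOCKLIST = [fingerprint(parse_client_hello(ODD_HELLO))]   # what an operator would ship
```

The point of the example is that nothing here decrypts anything: the fingerprint is computed from fields every TLS client must send in the clear, so the only way around such a rule is to change the shape of the handshake so that it no longer matches, which is what the Tor workaround mentioned above amounts to. The same parser is what a defender would use to audit what an inspector can see about their own clients.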
Why does Ethiopia keep company with some of the most restrictive Internet regimes in the world if the country has so little connectivity and few users? The country’s Internet policy continues to develop in the broader context of an equally restrictive press freedom environment. During the last general election in 2005, many journalists, election observers, and opposition party leaders were detained. UNESCO hosted a World Press Freedom Day event in Addis Ababa, the national capital, about a year ago. Ironically, the government forcibly replaced several independent journalists on the agenda with pro-government speakers.
Like the former Soviet republics of Belarus, Uzbekistan, Azerbaijan, Tajikistan, Georgia and Kazakhstan, the Ethiopian government may be ratcheting up its Internet censorship regime in response to fears sparked by the Arab Spring. EFF will continue to keep a close eye on developments as politically sensitive milestones, such as Ethiopia’s next general election, near.