Over the weekend, there was an odd story about people using AT&T's wireless network trying to log in to Facebook, and suddenly finding themselves logged in to somebody else's Facebook account. What could have caused such a strange phenomenon to occur? What does it tell us about the innards of the mobile web, and what lessons might it convey for network and application design?
Ars Technica had a good post documenting some of the possibilities, and AT&T has now made some public statements containing a few key clues about the problem. We have a few things to add.
[Warning - this post gets fairly technical]
1. Facebook. Facebook needs to start using HTTPS for everything! Without HTTPS and secure cookies, the private and sensitive information in their users' accounts is vulnerable to being mixed up by ISPs' proxy servers, logged, eavesdropped or pilfered by hackers.1 Google now uses HTTPS by default for every interaction with Gmail, and there's no excuse for Facebook not to do the same.
2. AT&T. Here, the story is more complicated, but the short summary is that AT&T (and all other ISPs) really need to migrate away from using proxy and gateway servers to perform complicated software tasks.
The problem at the ISP's end appears to have been a manifestation of an engineering hangover from WAP 1.0, which was the first attempt to bring the Web to mobile phones. WAP made a number of design decisions intended to work around the limitations of 1990s-era cell phones, including tiny storage space, limited bandwidth, and small keypads. In retrospect, some of those design decisions appear to have been unwise. A relevant example was the decision to involve the wireless carrier in website authentication. Where the normal HTTP Web stores authentication cookies on users' computers, early versions of WAP specified that cookies should be stored on proxy servers called WAP gateways, operated by wireless carriers.2 Another practice was to try to avoid ever having to make the user type a username and password with only a numeric keypad, by circulating URLs that contained automatic authentication parameters.
It was this WAP tradition of getting ISPs intimately involved in authentication that led to a situation today where a malfunction on AT&T's proxies could let one user log in to another's Facebook account. This situation is bad for the privacy and security of mobile web users, and it carries some important lessons about the division of responsibility between ISPs and web and application providers.
Wherever possible, ISPs should try to avoid solving complicated problems — like web authentication — by using proxy and gateway servers on their network. Inevitably, having an extra machine in the loop raises the complexity of the solution and increases the number of possible points of failure. If this had been a problem with a website smaller than Facebook, the chances are that it would have remained undiagnosed and unfixed for much longer.
There is a lot of engineering controversy about whether it's ever appropriate for complex application functions to be performed by proxies, gateways or transcoders operated by ISPs. One key argument is that if the ISPs pick a poor solution, or don't all implement exactly the same thing, then developers and users will be worse off than if the ISP had done nothing at all.
Whether or not this is true in all cases, it's clear, at the very least, that ISPs need to be extremely cautious in this space. They need to only deploy a proxy-type solution when it is certain that clients and servers can't solve the problem for themselves. They need to be transparent: follow well-established standards, clearly document their practices, and answer technical questions promptly. Lastly, they should offer users and application providers a standardised way to opt-out of the proxies if they might cause technical or security problems.
Even as mobile phones and mobile browsers are approaching the sophistication of desktop PCs, many mobile carriers are continuing to play strange and undocumented tricks with subscribers' data communications.
And AT&T in particular still has a way to go with respect to transparency. Their public statements indicated that they had deployed some new security measures in the wake of the Facebook affair. When we asked them what those measures were, their spokesperson's response was:
In terms of the new security measures AT&T has put into place, due to security sensitivity, we aren't providing specifics.
AT&T's disappointing response is to retreat to security through obscurity. But long experience teaches that security through obscurity is usually no security at all.
2. In practice, this made cookie authentication unusable in WAP, because the way that WAP gateways were implemented and configured was insufficiently standardized, and because many developers realised that it was unacceptable to trust carriers' gateway servers with so much of their authentication housekeeping. This meant that websites had to fall back to a practice known as "URL rewriting" or "URL decoration", which meant adding an authentication token to every URL. In practice, this is frequently equivalent to putting the user's password in the URL.
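As an added example, not part of the original post, here are the two defender-side checks that item 1 and footnote 2 imply, written in Python. The first audits a Set-Cookie header for the Secure and HttpOnly attributes (a session cookie without Secure travels over plain HTTP and through every proxy on the path, where it can be logged or mixed up); the second flags query parameters that look like the "URL decoration" authentication tokens footnote 2 describes. The sample headers, the sample URLs and the list of token-like parameter names are all constructed for this example and are heuristics, not anything Facebook or AT&T used.

```python
from urllib.parse import urlsplit, parse_qs

# Substrings that commonly appear in the names of session/auth parameters.
# Constructed heuristic list for this example; tune it for your own site.
TOKEN_NAME_HINTS = ("sess", "sid", "token", "auth", "login", "passw")


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes such as Path map to their value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return a list of problems with a session cookie's Set-Cookie header.

    Without Secure the browser sends the cookie over plain HTTP, so any
    proxy or gateway between the handset and the site can see, log or
    misroute it; without HttpOnly injected script can read it as well.
    """
    name, _, attrs = parse_set_cookie(header_value)
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        problems.append(f"{name}: missing HttpOnly (readable by script)")
    return problems


def find_url_tokens(url):
    """Return the names of query parameters in `url` that look like
    authentication material, i.e. the 'URL decoration' pattern in which
    a token is appended to every link instead of being kept in a cookie.
    Such URLs end up in proxy logs, browser history and Referer headers.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(
        name for name in query
        if any(hint in name.lower() for hint in TOKEN_NAME_HINTS)
    )


if __name__ == "__main__":
    # Constructed sample data: a weak cookie, a hardened one, and two URLs.
    weak = "session_id=abc123; Path=/"
    hardened = "session_id=abc123; Path=/; Secure; HttpOnly; Max-Age=3600"
    decorated = "http://m.example.com/inbox?page=2&sid=deadbeef&auth_token=xyz"
    clean = "https://m.example.com/inbox?page=2"

    for header in (weak, hardened):
        print(header, "->", audit_set_cookie(header) or "ok")
    for url in (decorated, clean):
        print(url, "->", find_url_tokens(url) or "no token-like parameters")
```

Run it on the Set-Cookie headers and links your own site emits: a non-empty result from `audit_set_cookie` means the session can ride over plain HTTP through whatever the carrier has in the path, and a non-empty result from `find_url_tokens` means the site is doing the footnote's URL rewriting and should move the token into a Secure, HttpOnly cookie served over HTTPS.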
Today, the DOJ's Office of the Inspector General issued a long awaited report on the FBI's use of 'exigent letters' to obtain phone records. While the report has many interesting and shocking revelations, three issues jumped out at us: Post-it note process; a secret new legal theory; and the need for accountability for the telecoms.
Post-it notes. Seriously.
While we had known since 2007 that the FBI improperly sought phone records by falsely asserting emergency circumstances, the report shows the situation inside the FBI's Communications Analysis Unit (CAU) degenerated even further, sometimes replacing legal process with sticky notes.
Employees of three telecoms worked directly out of the CAU office, right next to their FBI colleagues. According to the report, even exigent letters became too much work: an FBI analyst explained that "it's not practical to give the [exigent letter] for every number that comes in." Instead, the telecoms would provide phone records pursuant to verbal requests and even post-it notes with a phone number stuck on the carrier reps' workstations.
At the time, the Electronic Communications Privacy Act allowed a telecom to provide records based on an actual emergency, where the carrier had a "reasonable belief" that "an emergency involving danger of death or serious physical injury to any person requires disclosure without delay." The bare assertion of exigent circumstances in the FBI's letters is not enough to provide the basis for a reasonable belief, let alone a telephone number on a yellow slip of paper.
In March 2006, the relevant ECPA provision was changed from "reasonable belief" to "good faith belief." It appears that the telecoms were worried that the bare assertions in exigent letters were not enough, because they "expressed concern to [Congress] that the [reasonably believes] standard was too difficult for them to meet." However, even after the change, there is no way the telecoms could have formed a good faith belief, when they were never provided any basis to do so.
New Legal Theory to Allow Phone Record Disclosure
The OIG report discusses, in heavily redacted form, a new legal theory that the FBI now asserts allows telecoms to divulge phone records without legal process. Despite the Obama Administration's alleged commitment to openness and transparency, the OIG report redacts the basis for this legal theory, even redacting the statutory section number on which the FBI says it can rely.
According to the report, the DOJ's Office of Legal Counsel issued an opinion agreeing with this theory on January 8, 2010. The DOJ's “Principles to Guide the Office of Legal Counsel” states that “OLC should publicly disclose its written legal opinions in a timely manner, absent strong reasons for delay or nondisclosure.” Nevertheless, the opinion is not publicly available. We urge the Obama Administration to release this memo.
We Need Accountability for AT&T and Verizon
The ECPA is one of the cornerstones of our protection against government overreaching, providing a critical check on the power of government officials. However, since government investigations are typically secret, it only works if the telecoms hold up their end of the bargain, and refuse to violate the law when asked. Instead, one embedded telecom employee opined "it wasn't my place to police the police." This is the opposite of what the law requires.
So how can we have accountability? Rather than call out the telecoms who failed to fulfill their roles as a check on government power, the report is cagey about which telecoms were involved, cryptically referring to Companies A, B and C.
However, it is not hard to figure out the telecoms' identities. In sworn testimony to Congress, right after the initial March 2007 OIG report, FBI General Counsel Valerie Caproni testified that the three companies were AT&T, Verizon and MCI. Verizon later acquired MCI. Caproni confirmed that these were the only companies under contract to provide phone record information to the FBI.
We also know that Company A was AT&T. In 2007, Verizon and AT&T wrote to Congress to explain their role in unlawful spying, including exigent letters. Verizon said it did not have 'community of interest' information. The OIG report says that Companies B and C did not have 'community of interest' information, meaning that B and C were Verizon and its subsidiary MCI, and thus Company A is AT&T.
We urge Congress to investigate both the FBI and telecoms, including asking the hard questions to AT&T and Verizon about their complicity in an illegal program to obtain phone records with post-it notes.
Last week the MPAA and RIAA submitted their comments in the FCC's net neutrality proceeding. As anticipated in EFF's comments, the big media companies are pushing for a copyright loophole to net neutrality. They want to be able to pressure ISPs to block, interfere with, or otherwise discriminate against your perfectly lawful activities in the course of implementing online copyright enforcement measures.
Of course, the MPAA and RIAA couch this in language intended to sound inoffensive. The RIAA says "the perfect should not be the enemy of the good" and "justice often takes too long." The MPAA chimes in that "it is essential that government policies explicitly permit—and encourage—ISPs to work with content creators to utilize the best available tools and technologies to combat online content theft."
But here's how it would work in practice. The proposed FCC net neutrality principles include a loophole for "reasonable network management," which is defined to include "reasonable practices employed by a provider of broadband Internet access service to...(iii) prevent the transfer of unlawful content; or (iv) prevent the unlawful transfer of content." That means that so long as your ISP claims that it's trying to prevent copyright infringement, it's exempted from the net neutrality principles and can interfere with your ability to access lawful content, use lawful devices, run lawful applications, or access lawful services.
This is not about protecting copyright infringers—the FCC's proposed net neutrality principles expressly do not apply to unlawful content or unlawful transmissions. So you don't need a "reasonable network management" loophole to go after illegal conduct. The loophole that the RIAA and MPAA are after is about giving the green light to overbroad copyright enforcement measures that inflict collateral damage on innocent conduct.
Allowing ISPs to jeopardize perfectly legal activities in the name of "copyright enforcement" is a bad idea. Let the FCC know that you oppose any copyright loophole that would allow the RIAA and MPAA to pressure ISPs into catching your "dolphins" in their poorly designed fishing nets.
Of all the bands experimenting with the Internet and its role in enriching their creativity and commerce, OK Go has become one of the canonical success stories, having produced two low-budget, immensely successful viral videos ("A Million Ways" and "Here It Goes Again" in 2006) that together drew more than 50 million views and broadened their fan base considerably. With their status as the de facto princes of the viral music video, imagine the fans' surprise in seeing OK Go's new video branded with this handy instruction to anyone interested in spreading the word: "Embedding disabled by request."
In a revealing rant detailing the modern woes of a band under the thumb of a major label, OK Go singer Damian Kulash writes:
And, voilà: four years after we posted our first homemade videos to YouTube and they spread across the globe faster than swine flu, making our bassist's glasses recognizable to 70-year-olds in Wichita and 5-year-olds in Seoul and eventually turning a tidy little profit for EMI, we're – unbelievably – stuck in the position of arguing with our own label about the merits of having our videos be easily shared. It's like the world has gone backwards.
In the letter, Kulash articulates a winding response to fans' complaints about the inability to embed the OK Go video on their own sites, as well as complaints from some international users who simply aren't allowed to view the video. His explanation contains threads that should be familiar to anyone paying attention to the music industry and its contortionate attempts to cope with the Internet. Labels are desperate for any opportunity to make money, and because they only make money when videos are viewed on YouTube (and not when embedded elsewhere), OK Go's label is adamantly exerting controls to force users to view it on YouTube.
The flailing of stubborn major labels against anything associated with the Internet hurts plenty of regular people, but it's particularly stinging to see them holding artists back -- the very people whose creativity they exist to support. When Warner Music Group pulled the plug on their YouTube videos over a revenue spat, a significant body of Death Cab for Cutie's videos hosted on the site and embedded elsewhere went dark as well -- collateral damage in Warner's crusade for a bigger piece of the pie. With drama like this, it's no wonder that top artists like Trent Reznor, Radiohead, and other notables have made headlines for selling and distributing music sans label, and that the market for tools to help artists manage marketing and distribution independently (Topspin or Bandcamp, for example) is growing as well. These shifts are just the most up-to-date notes in a dirge for major label-artist relations that's been sung for years.
At the end of the letter, Kulash provides the embed code for video sharing from Vimeo, then closes on a bum note, resigned to the limitations imposed by EMI:
So, for now, here's the bottom line: EMI won't let us let you embed our YouTube videos. It's a decision that bums us out. We've argued with them a lot about it, but we also understand why they're doing it. They're aware that their rules make it harder for people to watch and share our videos, but, while our duty is to our music and our fans, theirs is to their shareholders, and they believe they're doing the right thing.
So, the next time you see the music labels pressing for Internet-wide copyright filtering or three strikes laws in the name of protecting the artists, remember OK Go's reaction to their label's methods: "It's like the world has gone backwards."
The Washington Post reported today that the "FBI illegally collected more than 2,000 U.S. telephone call records," using methods that FBI general counsel Valerie Caproni admitted "technically violated the Electronic Communications Privacy Act when agents invoked nonexistent emergencies to collect records."
This issue first came to light in a March 2007 report by the DOJ's Office of the Inspector General, which revealed that the FBI's Communications Analysis Unit (CAU) had routinely been using “exigent letters” to obtain customer information from telecommunications companies, including Verizon and AT&T.
“Exigent letters” are informal requests (i.e., not subpoenas, warrants, court orders, or other statutory requests) that ask telecoms to provide “call detail records” about particular subscribers and, in some letters, illegally ask telecoms to disclose the subscriber's “community of interest" (friends of friends' phone records).
A follow up Office of the Inspector General (OIG) report, released early last year, found hundreds of illegal letters, while today's report uncovered thousands. The 2009 OIG report determined "that by issuing exigent letters the FBI circumvented the NSL statutes and violated the Attorney General’s Guidelines and internal FBI policy." Courts have agreed, concluding that the emergency exception is reserved for voluntary disclosures in response to specific and urgent emergencies. Since the FBI has kept secret whose records were subject to these illegal letters, the victims will be unable to seek redress in court.
In a press release today, the FBI contends that the misuse stopped in 2006, and that it now has "numerous systems to ensure compliance with all the legal requirements associated with their requests for telephone records."
This is a song we've heard before. Former Attorney General Gonzales told Congress in 2005 and 2007 that there were no problems with National Security Letters, when documents would later show that Gonzales was well aware of problems. A high-profile misuse of a National Security Letter went unreported for two years, even though the matter received the personal attention of FBI Director Robert S. Mueller III, as well as officials with the FBI Office of the General Counsel. These misuses came to light as a result of EFF's FOIA Litigation for Accountable Government (FLAG) Project.
Likewise, the exigent circumstances letter problem persisted for years, unreported and unremedied. Reform did not happen when the FBI Office of the General Counsel first learned of the illegal practice in 2004. Only after public disclosure in March 2007 did the FBI begin reform efforts.
Nor did NSL misuse problems stop in 2006, as the FBI might have you believe. An August 2007 FBI legal memorandum asserted an extremely broad view of the NSL statute, which the DOJ later determined (in November 2008) was incorrect.
Openness and transparency are the only solution to keeping the misuse of investigative powers in check. Through our FLAG Project, EFF continues to pursue a Freedom of Information Act case against the government, seeking more records of the misuse of National Security Letter authority. The violations revealed today were not disclosed by the FBI during the course of our pending lawsuit, and we intend to raise that issue with the court.
(The Streisand Effect describes the phenomenon by which an attempt to suppress information results in faster, broader dissemination of that information. Roughly explained, attempted censorship -- particularly by a famous or well-known entity -- can flag the information as more interesting.)
Last October, we launched the Takedown Hall of Shame to highlight the most egregious attempts to silence speech online with bogus intellectual property complaints. Today, we’re inducting four more would-be censors into the pantheon of speech bullies. They are:
Peabody Energy, for issuing outstandingly spurious trademark claims against a spoof site criticizing their "clean coal" group;
Yahoo, for an impressive attempt to return a cat to the bag after a leak of its guide to snooping services for law enforcement was posted to a whistleblower site;
Perez Hilton and the Miss Universe Organization for endeavoring to stop a non-profit from airing an ad commenting on a public same-sex marriage controversy initiated by their videos; and
Universal Music Group, for attempting to muzzle online criticism of the rapper Akon.
The antidote for speech you disagree with is more speech -- not overreaching legal threats. Hopefully, we'll see companies exercise more discretion and transparency when dealing with speech they dislike, instead of reaching for the nearest blunt legal instruments.
It will be a long time before we understand all the ramifications of Google's decision to cease censoring their Chinese services — and the cyber-attack on their corporate and user data that prompted that change of heart. The story is still confusing in parts (Sky Canaves at the WSJ clarifies some of the more muddled reports). Nonetheless some intriguing new details have emerged since the initial announcement — but they raise as many questions as they answer.
Security experts have long warned that systems designed to make compliance with lawful interception more convenient can also create security vulnerabilities of their own. By providing an attractive one-stop shop for outside attackers, surveillance compliance systems by their very nature often override the secure compartmentalization of data.
Security breaches that involve lawful interception systems are not new (see the Greek mobile eavesdropping scandal in 2005), and we're sure it will happen again. When a security-conscious company like Google can get hit, it is a wake-up call to all corporations about the dangers of hosting systems designed to snoop on their customers. What would the agent of a foreign power do with full access to Sprint Nextel's convenient live web interface for GPS location data on its fifty million subscribers?
We know that Google was not the only company targeted by this attack: other names mentioned have included Yahoo, Symantec, Juniper, Northrop Grumman and Dow Chemical. We don't know whether those attacks obtained proprietary information or personal user data. But users of these companies' products are rightfully concerned and we'd hope and expect more public statements that clarify this important difference.
If China were attempting to block the import of American tires, instead of American Internet media, would Americans applaud Goodyear and Congress for not putting up a fight against blatant WTO violations?
Reuters also reports that lawmakers are using the Google announcement as impetus for a proposed US law that, among other measures, would require Internet companies to keep records of requests for information from violating countries, and report them to the State department.
Will more United States government involvement in online free speech issues lead to greater international pressure on censorious countries like China? Or will it serve to aggravate US allies who have their own less visible systems of censorship, which as Rebecca MacKinnon notes, now includes traditional allies like France and Italy?
Today marks the deadline for the first round of comments to the FCC regarding its proposed "net neutrality" regulations. Here's a quick summary of what EFF had to say in its comments to the Commission:
While the question of how to best protect the openness of the Internet is a timely and important one, EFF believes the FCC currently lacks the statutory authority to issue the broad regulations on ISPs that it has proposed. The "ancillary jurisdiction" that the FCC has asserted as a basis for the regulations is legally insufficient and would, if accepted, give the FCC potentially unbounded power to regulate the Internet however it likes. In other words, if the FCC wants to issue net neutrality regulations, it needs to wait until Congress passes a net neutrality bill.
If the Commission nevertheless chooses to forge ahead with the regulations proposed, EFF urges it to make the following revisions designed to protect the free speech and privacy interests of Internet users, and to foster competition and innovation.
First, in order to protect the free speech interests of Internet users, the Commission should reject copyright enforcement as "reasonable network management." Copyright enforcement has nothing to do with the technical business of network management. Moreover, the proposed regulations, by their terms, already exclude "unlawful content," making any exception for copyright enforcement unnecessary. Should ISPs want to deploy copyright enforcement technologies that inflict collateral damage on lawful content, those ISPs should be required to submit any such technologies to the Commission for pre-deployment review as part of a transparent public waiver process.
Second, in order to protect the privacy interests of Internet users, the Commission should clarify that the law enforcement exception applies only to an ISP’s legal obligations to address the needs of law enforcement. Because the six proposed neutrality principles do not, by their terms, apply to unlawful content or activities, a general exception for law enforcement is unnecessary. Should ISPs want to voluntarily deploy technologies that would block lawful activity in the course of addressing the needs of law enforcement, those ISPs should be required to submit any such technologies to the Commission for pre-deployment review as part of a transparent, public waiver process.
Third, in order to protect the privacy interests of Internet users, the Commission should make it clear that its proposed regulations do not reach noncommercial providers of broadband Internet access service, whether they are individuals who operate open Wi-Fi networks at home, or public-minded entities that provide free Internet access in their local communities. The Commission should avoid the specter of federal regulation looming over noncommercial, public-spirited network providers. Federal regulation of these initiatives is not necessary to vindicate the openness, competition, innovation, and free expression goals of this proceeding.
Fourth, in order to foster competition and innovation, EFF urges the Commission to make it clear that the proposed "transparency" principle is not subject to an exception for "reasonable network management." As exemplified by the Commission’s ruling against Comcast regarding its discriminatory treatment of BitTorrent traffic, it is precisely when ISPs invoke the need for "reasonable network management" that the principle of transparency becomes most vital. Only if ISPs are required to adequately disclose their network management practices will consumers, competitors, innovators, and the Commission be able to evaluate whether the practices are, in fact, "reasonable."
Fifth, in order to foster competition and innovation, the Commission should require wireless ISPs to allow "tethering" as a form of device interconnection. This requirement is a necessary corollary to the principle that consumers should be entitled to use any lawful device or application that does not harm the network. Tethering facilitates interoperability, competition, and openness. Furthermore, tethering blocks some troubling practices that are already emerging in the marketplace.