26 September 2009
I've often written about the risks of unbridled wiretap or "data tap" technology, whether it is escrowed key cryptography or back doors in phone switches. Now, though, there is an arrest in what appears to be a very serious attempted terrorism incident, and the investigation was aided by computer searches. Was I naive? Or is the subject — and my views — far more complex and nuanced than yes or no? I submit that the latter is the case. (Note: we do not know all of the facts in this case yet. The NY Times article notes that frequently, "senior government officials have announced dozens of terrorism cases that on closer examination seemed to diminish as legitimate threats". The facts as recited by the government, and for that matter as seen on store surveillance videos are pretty damning — but again, we've only heard one side of the story.)
Wiretaps are inherently intrusive. This is recognized by Federal law, which must "be conducted in such a way as to minimize the interception of communications not otherwise subject to interception". Taps are only authorized for certain serious crimes (though the list has been expanding over the years). Other methods of investigation must be found to be infeasible or too dangerous. But what are the rules for computer searches?
Computer searches have the potential to be far more intrusive. Indeed, a recent decision by the United States Court of Appeals for the Ninth Circuit imposed strict rules on how such searches can be conducted. But we know nothing of the criteria being used today.
We do not know if remote search techniques were used. The government's detention memo speaks of a "lawfully-authorized search" of Zazi's laptop, apparently after his car was towed for a parking violation. But the memo also notes that "Zazi transferred the bomb-making instruction notes onto his laptop and/or accessed the notes on his laptop in June and July 2009". Learning when a file was created or last modified is relatively straight-forward. Many computer systems will record when a file was last read, but any subsequent reads of the file will overwrite that date. To assert that a file was "accessed" in June or July solely from a search in September seems implausible, unless the file was never read in the interim. Did Zazi memorize the 9 pages of instructions? Print them out? Copy them to another file? All of these are possible; none seem especially likely to me.
Questions like this will no doubt be resolved at trial; the legal and technial issues, though, are far broader than any one case. Technical surveillance measures carry their own risks: the entry pointed used by law enforcement can be abused by others. Even if Zazi were planning to bomb transportation facilities (and I commute to campus by commuter rail and subway, so I take this very personally), the preconditions for remote search to work may be worse. Imagine if hackers affiliated with a nation-state or terrorist group successfully attacked the power grid during a Chicago winter. The CIA claims that extortionists have already done things like this in other countries.
It is certainly possible that some of the actual techniques used for remote search would be endangered if the details were revealed. That said, there are questions that can and should be asked — and answered — in public, for the sake of the Constitution and public safety.
- Is remote search a technique that is lawfully used by the FBI and other law enforcement agencies? (We do know that the FBI has a "computer and Internet Protocol address verifier" (CIPAV), which apparently is an executable that they can introduce onto a suspect's computer.)
- What are the legal and procedural criteria for such warrants? How do they compare to the restrictions on wiretaps?
- How often are such searches done?
- What are the risks if the next Robert Hanssen were to disclose the necessary techniques, tools, or passwords to, say, Al Qaeda? (If it seems improbable that an FBI agent would betray secrets to Al Qaeda, remember that Hanssen was a devout Catholic who nevertheless aided a country that was avowedly atheist.)
21 September 2009
I'm curious what mailers people are using on Macs. For assorted reasons, I'm using MacOS more these days, and I don't really like Mail.App very much. Any better suggestions? (Requirements include good support for IMAP with SSL, and preferably include support for local MH mailboxes as well. Client-side certificate support is useful. I need robust auto-sorting, including the ability to move incoming messages to folders belonging to other mailboxes. I need it to operate offline, which in turn implies a need for local copies of IMAP mail. It has to be able to cope with a large number of folders, some of them quite large. It must be able to operate well on relatively slow links.)
15 September 2009
A few days ago, I posted an entry questioning some provisions of Skype's End User License Agreement. I'm happy to report that they've contacted me to report a change to the agreement. The new text in 3.2.4:
You hereby grant to Skype a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable and transferable licence to: (i) reproduce, modify and publish any Content that you Use on the publicly accessible areas of the Skype Website (e.g. Skype forum, blogs) for the purpose of displaying and distributing such Content on the Skype Website for such time as You continue to Use such Content on the Skype Website; and (ii) distribute and/or display through the Skype Software any Content that You provide or make available using the Skype Software for the sole purposes of making the Skype Software and the Products available to You.answers my objections completely.
12 September 2009
You hereby grant to Skype a non-exclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable and transferable licence to Use the Content in any media in connection with the Skype Software, the Products and the Skype Website.And what is "Content"? According to Section 1, it
means any and all content consisting of text, sounds, pictures, photos, video and/or any type of information or communications.People have to give Skype a license to use what they say via its service? People want Skype to transmit sound and images, not use it "in any media".
Perhaps I'm being too cautious here. Section 3.3 of their Terms of Service states that
Skype does not control, or have any knowledge of the content of any communication(s) spread by the use of the Products.Certainly, Skype has always claimed that they can't peek through their own encryption to hear what is said on Skype-to-Skype calls. But what about voice mail? SkypeOut and SkypeIn, which permit connections — obviously, unencrypted — to the regular phone network. Are they truly asserting they have license to use what is said on such calls "in any media"?
Possibly, their lawyers were too cautious or drafted the agreement inartfully. Maybe the intent is to give Skype permission to relay your calls over whatever channels are needed to deliver your communications. "In any media in connection with the Skype Software, the Products and the Skype Website" might mean they can use the Internet, the phone network, etc., to deliver your calls. On the other hand, "media" can refer to the press, and their own PR could certainly be seen as "in connection with the Skype Software, the Products and the Skype Website".
I hope I'm being too paranoid…