Archive for the ‘Google’ Category

REAL ID UPDATE: Border states Texas, New Mexico and other southwestern states are actively increasing public discourse on terms of immigration policy and whether or not federal legislation will perform or deliver terms of relief promised to put limits on undocumented migrants seeking work. North Carolina seems to be reinforcing terms to reduce federal spending on Real ID, while a Youngstown, NC legislator seeks to move legislation prohibiting the federalizing of local driver's licenses. A Real ID compliance discourse is stirring in Nevada two years after the state passed a local resolution requesting that the federal law be repealed. States are expected to be federally compliant with the law by May 11th, 2011. More opinion here and here.

D.I.Y. Accountability: Send a message to Google and Facebook: Protect Our Privacy!

Here’s a second life for news that matters:

US Bill Would Prohibit Internet ‘kill Switch’

Decentralizing the Internet So Big Brother Can’t Find You

FBI pushes for surveillance backdoors in Web 2.0 tools

Patriot Act Extension Lands on Obama’s Desk

SENDING OUT AN S.O.S…. Clinton delivers speech to support nonviolent dissent on the web, as Ray McGovern arrested, brutalized. Analysis of the content of Clinton’s speech here.

DISCUSSION: The Internet and Social Media: Tools of Freedom or Tools of Oppression?

TSA agents admit to stealing $160,000 from bags at JFK Airport

HBGary -Anonymous- WIKILEAKS : @arstechnica @ggreenwald

WHAT DO YOU THINK?  Do-Not-Track bill facing criticism 
Add comments! RE: DoNotTrack

BTC – This blog’s hosting technology goes through Google. This lead came in from a friend of the blog, JP of NCard, who sends us stuff all the time. He’s a longtime, sure-footed opponent of the National ID card.

“The hackers got access to the coding in the password system that controls millions of users’ access to many Google services.”

A vast amount of info in one place

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in one place, a single breach can lead to disastrous losses.

The theft began with a single instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition he not be identified.

BTC – Fox guarding henhouse? Sure thing. The corporations’ idea of regarding privacy looks and sounds like this.

c/o ABA Journal

As malicious cyber attacks apparently are occurring more frequently and with more sophistication than ever before, a search engine giant has turned to a United States spy agency for help in dealing with a major suspected China-based hacking effort in December.

But the move by Google Inc. to work with the National Security Agency to address the claimed intrusion into its computer network–as well as those of some 30 other companies–has raised concerns about unwanted government knowledge of individual users’ personal information, according to the New York Times.

“Google and NSA are entering into a secret agreement that could impact the privacy of millions of users of Google’s products and services around the world,” says executive director Marc Rotenberg of the Electronic Privacy Information Center. His Washington-based policy group sued the NSA today, seeking information about the agency’s role in cybersecurity-related surveillance.

The pact between Google and NSA was earlier reported by the Washington Post. The Post says the agreement, which is still being negotiated, calls for the NSA to help analyze what happened with the goal of successfully defending against future cyber attacks.

Senior counsel Greg Nojeim of the Center for Democracy & Technology tells the Post there is statutory authority for companies to share information with the United States government in order to protect their property rights.

According to the Times, the cooperative research and development agreement between Google and the NSA is authorized by the Federal Technology Transfer Act of 1986. It permits the government to enter into a written agreement to work with a private company on a specific project intended to promote the commercialization of government-developed technology.

c/o Julian Sanchez for The Nation

In a major speech on Internet freedom last week, Secretary of State Hillary Clinton urged American tech companies to “take a proactive role in challenging foreign governments’ demands for censorship and surveillance.” Her call to action followed a series of dazzlingly sophisticated cyberattacks against online giant Google and more than thirty other major technology companies, believed to originate in the People’s Republic of China. Few observers have found the Chinese government’s staunch denials of involvement persuasive–but the attacks should also spur our own government to review the ways our burgeoning surveillance state has made us more vulnerable.

The Google hackers appear to have been interested in, among other things, gathering information about Chinese dissidents and human rights activists–and they evidently succeeded in obtaining account information and e-mail subject lines for a number of Gmail users. While Google is understandably reluctant to go into detail about the mechanics of the breach, a source at the company told ComputerWorld “they apparently were able to access a system used to help Google comply with [US] search warrants by providing data on Google users.” In other words, a portal set up to help the American government catch criminals may have proved just as handy at helping the Chinese government find dissidents.

In a way, the hackers’ strategy makes perfect sense. Communications networks are generally designed to restrict outside access to their users’ private information. But the goal of government surveillance is to create a breach-by-design, a deliberate backdoor into otherwise carefully secured systems. The appeal to an intruder is obvious: Why waste time with retail hacking of many individual targets when you can break into the network itself and spy wholesale?

The Google hackers are scarcely the first to exploit such security holes. In the summer of 2004, unknown intruders managed to activate wiretapping software embedded in the systems of Greece’s largest cellular carrier. For ten months, the hackers eavesdropped on the cellphone calls of more than 100 prominent citizens–including the prime minister, opposition members of parliament, and high cabinet officials.

It’s hard to know just how many other such instances there are, because Google’s decision to go public is quite unusual: companies typically have no incentive to spook customers (or invite hackers) by announcing a security breach. But the little we know about the existing surveillance infrastructure does not inspire great confidence.

Consider the FBI’s Digital Collection System Network, or DCSNet. Via a set of dedicated, encrypted lines plugged directly into the nation’s telecom hubs, DCSNet is designed to allow authorized law enforcement agents to initiate a wiretap or gather information with point-and-click simplicity. Yet a 2003 internal audit, released several years later under a freedom-of-information request, found a slew of problems in the system’s setup that appalled security experts. Designed with external threats in mind, it had few safeguards against an attack assisted by a Robert Hanssen-style accomplice on the inside. We can hope those problems have been resolved by now. But if new vulnerabilities are routinely discovered in programs used by millions, there’s little reason to hope that bespoke spying software can be rendered airtight.

Of even greater concern, though, are the ways the government has encouraged myriad private telecoms and Internet providers to design for breach.

The most obvious means by which this is happening is direct legal pressure. State-sanctioned eavesdroppers have always been able to demand access to existing telecommunications infrastructure. But the Communications Assistance for Law Enforcement Act of 1994 went further, requiring telephone providers to begin building networks ready-made for easy and automatic wiretapping. Federal regulators recently expanded that requirement to cover broadband and many voice-over-Internet providers. The proposed SAFETY Act of 2009 would compound the security risk by requiring Internet providers to retain users’ traffic logs for at least two years, just in case law enforcement should need to browse through them.

A less obvious, but perhaps more serious factor is the sheer volume of surveillance the government now engages in. If government data caches contain vast quantities of information unrelated to narrow criminal investigations–routinely gathered in the early phases of an investigation to identify likely targets–attackers will have much greater incentive to expend time and resources on compromising them. The FBI’s database now contains billions of records from a plethora of public and private sources, much of it gathered in the course of broad, preliminary efforts to determine who merits further investigation. The sweeping, programmatic NSA surveillance authorized by the FISA Amendments Act of 2008 has reportedly captured e-mails from the likes of former President Bill Clinton.

The volume of requests from both federal and state law enforcement has also put pressure on telecoms to automate their processes for complying with government information requests. In a leaked recording from the secretive ISS World surveillance conference held back in October, Sprint/Nextel’s head of surveillance described how the company’s L-Site portal was making it possible to deal with the ballooning demand for information:

“My major concern is the volume of requests. We have a lot of things that are automated, but that’s just scratching the surface…. Like with our GPS tool. We turned it on–the web interface for law enforcement–about one year ago last month, and we just passed 8 million requests. So there is no way on earth my team could have handled 8 million requests from law enforcement, just for GPS alone. So the [L-Site portal] has just really caught on fire with law enforcement. They also love that it is extremely inexpensive to operate and easy, so, just the sheer volume of requests…. They anticipate us automating other features, and I just don’t know how we’ll handle the millions and millions of requests that are going to come in.”

Behold the vicious cycle. Weakened statutory standards have made it easier and more attractive for intelligence and law enforcement agencies to seek information from providers. On top of the thousands of wiretap and so-called “pen/trap” orders approved each year, there are tens of thousands of National Security Letters and subpoenas. At the ISS World conference, a representative of Cricket, one of the smaller wireless providers, estimated that her company gets 200 law enforcement requests per day, all told; giants like Verizon have said they receive “tens of thousands” annually. (Those represent distinct legal demands for information; Sprint’s “8 million” refers to individual electronic requests for updates on a target’s location.)

Telecoms respond to the crush of requests by building a faster, more seamless, more user-friendly process for dealing with those requests–further increasing the appeal of such tools to law enforcement. Unfortunately, insecurity loves company: more information flowing to more legitimate users is that much more difficult to lock down effectively. Later in his conference, the Sprint representative at ISS World speculated that someone who mocked up a phony legal request and faxed it to a random telecom would have a good chance of getting it answered. The recipients just can’t thoroughly vet every request they get.

We’ve gotten so used to the “privacy/security tradeoff” that it’s worth reminding ourselves, every now and again, that surrendering privacy does not automatically make us more secure–that systems of surveillance can themselves be a major source of insecurity. Hillary Clinton is absolutely right that tech companies seeking to protect Internet freedom should begin “challenging foreign governments’ demands for censorship and surveillance.” But her entreaty contains precisely one word too many.

About Julian Sanchez
Julian Sanchez is a research fellow at the Cato Institute and a contributing editor for Reason magazine.