Police Powers in the Workplaces (Protection from Protesters) Bill

Today the Tasmanian Liberals tabled a bill in parliament targeting protesters. Anyone who’s been awake sometime in the last few years will realise that this is just a new bit of the battle between the Liberals and the Greens. One side tries to keep the forestry industry chugging away while the other tries to prevent environmental damage using protests and pickets and the like. Expect to hear the usual disagreements in the news over the next week.

Even if you don’t care about any of those things it’s still worth sitting up and taking notice of this bill. It has some nasty bits. It would be a great shame if they were missed amongst all the partisan bickering.

In this respect it’s much like the Vicious Lawless Association Disestablishment Bill in Queensland – just because you don’t care about bikies doesn’t mean it’s a good idea, and it doesn’t necessarily mean that it won’t affect you.

Let’s have a look at Part 3 of the bill which concerns Police Powers. Section 11 part 1 reads:

A police officer who reasonably believes that a person has committed, is committing, or is about to commit, an offence against a provision of this Act may require the person –
(a) to state the person’s name and date of birth; and
(b) to state the address at which the person ordinarily resides; and
(c) to give to the officer any evidence of the person’s identity that the person has in his or her possession.

Furthermore, if the officer reasonably believes that you are not complying with part (c), they are allowed to search you.

“Reasonably believes” is interesting wording. So is “about to commit”.

Suppose you are attending a peaceful and lawful protest. A police officer reckons that you’re going to impede business activities shortly and asks to see your identification. How are they supposed to know that? You feel that this is bullshit and say so. Would that kind of disagreement set you up for a frisking? It probably depends on who you are and what you’re protesting.

Perhaps identification isn’t a big deal to you. You’d be willing to do that if it means troublesome protesters can be rooted out and dealt with. Let’s read on to section 12 part 2:

A police officer may direct a person who is in a business access area in relation to business premises to leave the business access area without delay, if the police officer reasonably believes that the person has committed, is committing, or is about to commit, an offence, against a provision of this Act, on or in relation to –
(a) the business premises; or
(b) a business access area in relation to the business premises

Not only can you be asked for identification, but you can be forced to leave the protest area just because the police officer believes that you might commit an offence in the future. Is that likely to happen? It probably depends on who you are and what you’re protesting.

Also, you then have to stay out of the business access area for 4 days, or you get a big fine.

This bill is highly problematic. You can be penalised for or prevented from doing nothing more than peaceful lawful protest if police discretion goes against you.

Normally it has to be proven beyond reasonable doubt that you committed a crime before you are penalised. That has been flipped around in this case. Why? Of course we make exceptions to this rule – if somebody is planning a mass-murder we don’t wait around for them to do it because we recognise that they’ll do massive irreparable damage. In this case we’re talking about impeding a bit of legitimate business. Is that worth inverting our usual process of justice for? Why not simply document evidence and charge people who protest unlawfully after the fact?

Furthermore, if the police are demanding IDs, searching people, and dispersing any unfavourable protest without any particularised or evidenced reason, how many people will say “no” and fight it in court? Not many. How many will show up to protest in the first place? Probably fewer. This has a chilling effect on any kind of protest but particularly those of minorities or those who disagree with the current government. If police are required to make important calls like these they can become the bad guys in the eyes of protesters. This is well worth avoiding.

Will this bill promote peaceful protest and deter unlawful protest? It probably depends on who you are and what you’re protesting.

Idiots on the hunt for hotties

So, about this idea of setting up a webpage where we share and compare photos of attractive students on our university campus. It’s not exactly an original one. By now just about everyone knows about Mark Zuckerberg’s early website for comparing the “hotness” of students, Facemash. He was nearly expelled from Harvard for it. A great shame he wasn’t.

The concept lives on, naturally enough, on Facebook. A search for “hotties university” will quickly bring up plenty of relevant results.

Today one appeared for my alma mater. Sigh.

Sexual empowerment is a feature of this day and age. If someone wants to put their own saucy photo online for all to see, good for them. If instead a creepy Facebook friend trawls through their friend-only photos for the most salacious then publishes them publicly along with personal details, is that empowering or disempowering? Let’s be honest, that “friend” is not doing them any favours.

To anybody with an ounce of common sense and a modicum of online experience, creating this kind of forum is a singularly bad idea. People will source photos from inappropriate places (not asking permission), pass horrid judgements on people’s appearance and generally make life hell for people who are deemed not to understand a bit of “harmless fun” when they see it.

I am fairly certain that the person who created the page means no harm. I’m sure the same applies to the majority of people who “like” it. They might well view it as a tongue-in-cheek celebration of the good-looking folk they pass in the corridors every day. Either that or as a sordid source of stimulation. I’ll never know and I sincerely hope not to.

For those who feel humiliated being held up as a sexual object—and for those who can’t help but take personally comments about how ugly they are—it’s a much more serious situation. And they have no control over it. At best they can try to laugh it off. The worst doesn’t need explaining. That’s what happens when you set these things up on a laissez-faire American social network.

It calls for ethical judgement from everybody involved. Just because you can “like” a Facebook page doesn’t mean that it’s the right thing to do. Just because you can post a photo of a fellow student without getting caught doesn’t mean that you should. It is an unfortunate reality that the least empathetic amongst us have the same opportunity to create and moderate a Facebook Page as anybody else.

I make a simple request: please don’t participate.

Just how much of a shock can you get from a MacBook charger?

Here in Australia I am fortunate that electrical devices usually have the metal parts earthed. I was therefore shocked, in both senses of the word, when I found out that the short plugs for MacBook power supplies don’t have an earth pin. Under the conditions of my living room using this short plug means that I get a nice tingle when I touch the metal case of the MacBook Air.

MacBook charger plugs

What’s more, it triggered my Fluke volt stick (something like this). Usually this is something I use at work to tell me that I shouldn’t touch a metal object because it has potentially lethal AC voltages—and this charger with the unearthed plug was setting it off. I was quite alarmed.

Likewise the effect has caused widespread consternation around the web. There are conspiracy theories of an Apple-orchestrated cover-up along with dubious bits of advice to reset various functions on your laptop or get your electrical outlets checked.

Amongst the noise I found some well-informed comments by a chap called Dave Heap, who claims extensive electrical experience and knowledge of Australian standards. He examined the charger and noted a surprisingly high voltage: “there is 120V AC 50Hz with respect to mains earth present at the case of the computer!”

Despite this scary-looking number he also determined that the maximum leakage current would be “around 0.2 mA … well below the specified limit of 1 mA.” In other words even if you grab onto your laptop and hold on, not very much is going to happen.

This left me wondering how much of a belt you can get from the laptop when you first touch it. It’s one thing to say that it can only push 0.2 milliamps continuously but what if it stores up a chunk of energy and delivers it to you in one hit?

I borrowed an oscilloscope and high impedance probe (thanks Tim!) and probed the metal tip of the unearthed charger, relative to mains earth. This gave me the steady state waveform below, ticking away at 50 Hz as you would expect.

Steady State charger waveform

It isn’t exactly the nice 120 VAC that Dave found—more like +120 to -220—and I won’t pretend to know why. Clearly though there is a high voltage present and that’s why my volt stick activated. The real question is how much oomph there is behind that voltage.

To test that I put a 385 kΩ resistor in parallel with my probe. This gives the charged energy somewhere to go. (Coincidentally, this is a similar resistance to a dry human.) I then touched the probe against the tip of the charger and measured the voltage as I did so. Here’s a nice example of the result:

Clear spike from MacBook charger

Clearly the voltage starts out high and decreases exponentially. In other words, it looks exactly like a capacitor discharging energy.

I would be lying if I said the results were consistent. See below for a few samples. I tried it a number of times and picked the one I did as it was reasonably “big”. In this context, a big spike has a high starting voltage and stays high for a longer period of time. The conclusion to make here is that you’re not going to get exactly the same result every time you poke your laptop with your finger.

Various waveforms

If we mark on the voltages and times it’s straightforward to calculate the size of the capacitor we’re dealing with.

Waveform markings

In this case we have a time constant of 0.560 ms, giving us a capacitance of 1.45 nF. In the context of a power supply that’s pretty tiny. Another calculation shows that if such a capacitor is charged to 268 V it will contain a total energy of 52 µJ. That is another small number.

More interesting is the current that flows when you first touch it. With the 385 kΩ resistor the initial current will be 0.687 mA. If your hands are damp your resistance might be more like 60 kΩ, which will have an initial current of 4.5 mA.
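The capacitance, energy and initial-current arithmetic above, worked through as an added Python example (not code from the original post). It fits the exponential tail of a spike to recover the time constant, then derives C = τ/R, E = CV²/2 and I₀ = V/R for the 385 kΩ and 60 kΩ cases from the post; the waveform is constructed from the post’s own figures (268 V, 0.560 ms), so the results land close to its 1.45 nF and 52 µJ.

```python
"""Recover RC discharge parameters from a captured spike and derive the
capacitance, stored energy and initial touch current.

Added example, not code from the original post. The sample waveform is
constructed from the post's figures (268 V peak, 0.560 ms time constant,
385 kOhm load) with a little synthetic ripple standing in for scope noise;
a real capture would be the oscilloscope's exported samples."""
import math

R_PROBE_LOAD = 385e3   # ohms, resistor placed in parallel with the probe
R_DRY_SKIN = 385e3     # ohms, post's figure for a dry human
R_DAMP_SKIN = 60e3     # ohms, post's figure for damp hands


def constructed_spike(v0=268.0, tau=0.560e-3, dt=20e-6, n=120):
    """Constructed sample: v(t) = v0 * exp(-t/tau) times (1 + 1% ripple).
    Returns (times in s, volts)."""
    ts = [i * dt for i in range(n)]
    vs = [v0 * math.exp(-t / tau) * (1 + 0.01 * math.sin(1e5 * t)) for t in ts]
    return ts, vs


def fit_time_constant(ts, vs, v_floor=5.0):
    """Least-squares fit of ln v = ln v0 - t/tau over samples above v_floor
    (the noisy tail near zero would otherwise dominate the log fit).
    Returns (v0 in V, tau in s)."""
    pts = [(t, math.log(v)) for t, v in zip(ts, vs) if v > v_floor]
    n = len(pts)
    sx = sum(t for t, _ in pts)
    sy = sum(y for _, y in pts)
    sxx = sum(t * t for t, _ in pts)
    sxy = sum(t * y for t, y in pts)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    intercept = (sy - slope * sx) / n
    return math.exp(intercept), -1.0 / slope


def discharge_figures(v0, tau, r_load=R_PROBE_LOAD):
    """C = tau / R, E = C V^2 / 2, and I0 = V0 / R for the two skin resistances."""
    cap = tau / r_load
    return {
        "capacitance_nF": cap * 1e9,
        "energy_uJ": 0.5 * cap * v0 ** 2 * 1e6,
        "i0_dry_mA": v0 / R_DRY_SKIN * 1e3,
        "i0_damp_mA": v0 / R_DAMP_SKIN * 1e3,
    }


def analyse(ts=None, vs=None):
    """Fit the spike (constructed one if none is given) and return all figures."""
    if ts is None:
        ts, vs = constructed_spike()
    v0, tau = fit_time_constant(ts, vs)
    out = discharge_figures(v0, tau)
    out["v0_V"] = v0
    out["tau_ms"] = tau * 1e3
    return out


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:16s} {value:8.3f}")
```

Starting from 268 V the dry-skin current comes out at about 0.70 mA rather than the post’s 0.687 mA; with R fixed at 385 kΩ the only thing that can move that figure is the starting voltage read off the trace.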

So is it safe? I dare not make any conclusions of my own as I am hopelessly unqualified to do so. For the purpose of discussion though let’s pop these results against some numbers I found on the Internet:

Discharge energy: 0.052 mJ
Maximum static discharge from consumer products (IEC 60065 via Wikipedia): 350 mJ
Direct serious risk to human health (IEC 479-2:1987 via Wikipedia): 5000 mJ

Initial current: 4.5 mA
Minimum current that can be felt (AC) (via Wikipedia): 1 mA
Minimum current that can be felt (DC) (via Wikipedia): 5 mA
Minimum current to cause ventricular fibrillation (AC) (via Wikipedia): 30 mA

Copyright history isn’t all that rosy

EFA posted this on Facebook this evening:

EFA’s Facebook post (image)

(linking to this article)

I get a little nervous about that kind of accusation. In his essay Misinterpreting Copyright, Richard Stallman argued persuasively that the role of copyright is a “bargain” in which the general public gives up their right to copy in exchange for more nice literature being created. It sounds wonderful but he starts with the same premise – that this bargain is fundamentally what copyright is about.

Indeed that might be true from the perspective of the United States. RMS quotes the Constitution…

[Congress shall have the power] to promote the Progress of Science and the useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

That sounds pretty good. And Fox Film Corp. v. Doyle, a 1932 case in the US Supreme Court:

The sole interest of the United States and the primary object in conferring the [copyright] monopoly lie in the general benefits derived by the public from the labors of authors.

If we go back a little further to when the concept of copyright originated in Britain we have a slightly less wonderful picture. The regulation of print started with the Licensing of the Press Act 1662. This was primarily censorship legislation. Every publication had to be registered with the private Stationers’ Company of London.

[It] is matter of Publique care and of great concernment especially considering that by the general licentiousnes of the late times many evil disposed persons have been encouraged to print and sell heretical schismatical blasphemous seditious and treasonable Bookes Pamphlets and Papers … endangering the peace of these Kingdomes and raising a disaffection to His most Excellent Majesty and His Government For prevention whereof no surer meanes can be advised then by reducing and limiting the number of Printing Presses (full text)

We got copyright more like we know it today with the Statute of Anne in 1710. This copyright was vested in the author of the work and it lasted for 14 years. Copyrighted works still had to be registered with the Stationers’ Company. This legislation was eventually passed because of complaints about the censorship monopoly of the Stationers’ Company and authors getting a raw deal. It is important to note that the masses were not screaming out for a bargain that would allow them to buy more cool books.

This legislation, described as “a historic moment in the development of copyright”, was in fact created to protect content creators.

When the copyrights granted to works published before the Statute began to expire in 1731, the Stationers’ Company and their publishers again began to fight to preserve the status quo. Their first port of call was Parliament, where they lobbied for new legislation to extend the length of copyright, and when this failed, they turned to the courts.

That is, publisher monopolies have been trying to extend the copyright period since before the US Constitution was even drafted. Hooray.

I really like the idea of copyright as a bargain. Stallman’s essay is great explanation of the idea. I think we’re kidding ourselves though if we think that it was like this in the “good old days”.

NSA Phone Metadata Collection: constitutional or not?

If you’ve been following the news headlines recently you could be forgiven for being a little confused. A couple of weeks ago: NSA phone surveillance program likely unconstitutional, judge rules. Then a couple of days ago: NSA phone records spying is constitutional, judge says. They are two separate cases although they cover very similar things.

The first is Klayman v. Obama. The plaintiffs are seeking a preliminary injunction preventing the Government from collecting their phone records and to delete past records. Judge Richard Leon did not uphold all aspects of the complaint but has granted this injunction on Fourth Amendment grounds. He has stayed his order pending appeal. I discussed some interesting parts of this ruling in a previous post. (Ruling PDF)

The second is ACLU v. Clapper. The plaintiffs are seeking a preliminary injunction preventing the Government performing future mass collection of phone records or using any queries associated with the plaintiffs. Judge William Pauley has dismissed essentially all arguments supporting this complaint, which were based on statutes and the First and Fourth Amendments. (Ruling PDF)

Obviously the two courts have some disagreements. Here are some of the main ones.

Smith v. Maryland

Both rulings consider Smith v. Maryland closely and this is probably the most important difference as it goes to the heart of whether the NSA’s program violates the Fourth Amendment (hence the dramatic headlines). To recap, without a warrant, police placed a pen register on Smith’s phone line to record what numbers he dialled. Back in 1979 the Supreme Court found that this did not amount to a search as defined by the Fourth Amendment so this surveillance did not impinge on constitutional rights. The argument came down to reasonableness—Smith’s reasonable expectation of privacy did not extend to the numbers that he dialled because he knowingly and voluntarily transmitted them to the phone company.

Leon refused to be bound by this precedent on the grounds that circumstances are substantially different—particularly the enormous quantities and indiscriminate nature of the NSA’s collection, the amount of historical data kept (five years), modern analysis to gain insights into people’s lives using the data, the changed relationships between governments and telecommunications companies, and the changed relationships between people and their phones.

Pauley ruled that Smith applies because the important factors have not changed. He states that “While people may ‘have an entirely different relationship with telephones than they did thirty-four years ago,’ [citing Klayman] this Court observes that their relationship with their telecommunications providers has not changed…” Because the kinds of data being collected now—phone numbers, time of call, duration of call, IMSI, IMEI, etc.—are not substantially different from the data recorded by the pen register, Pauley argues that the collection is much the same thing: “The collection of breathtaking amounts of information unprotected by the Fourth Amendment does not transform that sweep into a Fourth Amendment search.”

Pauley also adds that “the business records created by Verizon are not ‘Plaintiffs’ call records’”. He stands by the Smith conclusion that you forfeit the right to privacy for records that you voluntarily provide to your phone company. In one footnote he describes many examples from case law in which the individual surrenders their reasonable expectation of privacy, such as bank records, information given to an accountant, information given to a confidant, information given to a false friend, subscriber information given to an ISP and information from a home computer that is transmitted over the Internet.

Reasonableness of search

Leon ruled that the “plaintiffs have a significant expectation of privacy in an aggregated collection of their telephony metadata covering the last five years”. He then balanced this against the Government’s need for the data to maintain national security. He was not satisfied by the Government’s evidence that they needed the bulk telephony data to solve any problems that they would have been unable to solve otherwise. Thus he ruled that on balance the reasonableness tipped in favour of the privacy rights of the individual.

Pauley ruled that the plaintiffs had no reasonable expectation of privacy and also upheld the Government’s need for the data. He summarised three cases in which the telephony data explicitly assisted with counterterrorism investigations. He accepts that the Government is collecting virtually all telephone records in the United States and defends this: “without all the data points, the Government cannot be certain it connected the pertinent ones…all telephony data is ‘necessary’ to permit the NSA…to do the algorithmic data analysis to determine ‘connections between known and unknown international terrorist operatives.’”

Pauley rejects the ACLU’s claims that the quantity of data collected, particularly of irrelevant innocent people, reflects poorly on the collection program. He explains that courts routinely subpoena enormous amounts of data, only a small amount of which is relevant for a case, and rules that this type of data collection is the same sort of thing as a grand jury subpoena. If there were other bits of metadata being included that were truly unnecessary then this argument might have traction, but he is satisfied that all of the metadata currently being collected is relevant.

Compliance and oversight

Leon presented a negative picture of the Government’s compliance with FISC orders to minimise the amount of data they queried. “Judge Reggie Walton of the FISC concluded that the NSA had engaged in ‘systematic noncompliance’ with FISC-ordered minimization procedures… As a consequence, Judge Walton concluded that he had no confidence that the Government was doing its utmost to comply with the court’s orders…”.

Pauley’s view was a much more positive one. He made particular note of the iterative and consultative processes that occurred between the Government and the FISC to ensure that their activities under section 215 of the PATRIOT Act would be approved. “The iterative process Judge Bates describes is routine and demonstrates the FISC does not ‘rubberstamp’ applications for section 215 orders.” He paints a happy picture of the NSA reporting its own noncompliances on several occasions and then working with the FISC to implement remedial measures and ensure future compliance.

Pauley does note that the FISC is inherently less effective because of its ex parte nature (that is, there is no representative of “an American citizen” to argue against the government): “Its ex parte procedures are necessary to retain secrecy but are not ideal for interpreting statutes. This case shows how FISC decisions may affect every American—and perhaps, their interests should have a voice in the FISC.”

Queries and the three hops rule

Leon understands fully the quantities of data that can be received from a single query when you apply the three-hops-from-seed rule—he discusses how a single query could return records for potentially millions of numbers or more, depending on whether a pizza shop is included. This could allow the NSA to retrieve enormous amounts of data from the database even with only 300 authorised search terms in a year. He disregards the claim that the records returned by queries are “a very small percentage of the total volume of metadata records”, simply on the grounds that the total volume is probably extremely large.

Pauley rules that the controls on the NSA’s access to the database are appropriate. He is satisfied that the database is only being accessed lawfully: “First, without additional legal justification…the NSA cannot even query the telephony metadata database.” He views the three hops rule as a useful restriction: “Second, when it makes a query, it only learns the telephony data of the telephone numbers within three ‘hops’ of the ‘seed’.” He also considers the impact of this particular program in isolation: “Third, without resorting to additional techniques, the Government does not know who any of the telephone numbers belong to. In other words, all the Government sees is that telephone number A called telephone number B”.

I would add a couple of points of my own here. Ultimately we would like to reconcile the potentially enormous amounts of data under the three-hop rule with the Government’s claim that only a “small percentage” of the data is returned in queries. It makes a big difference if a “very small percentage” is 0.1% or 10%, and whether this percentage is spread out evenly geographically and demographically. Because of this uncertainty I take this claim with a hefty grain of salt.

Pauley’s claim that the government does not know the names of phone account holders is completely disingenuous. It has already been reported from the Snowden leaks that the NSA is collecting enormous numbers of electronic address books. What else is it going to use these for, other than to match up names, phone numbers and email addresses with superb accuracy?

Conclusion

For those of us hoping the courts would find that the NSA has crossed the line, Judge Pauley’s ruling is sobering. Although I think he relies on some misconceptions, he puts up some convincing arguments that this type of metadata collection may well be constitutional despite its enormous scope.

Perhaps the case will go to the US Supreme Court and it will rule that mass telephony data collection is constitutional. In this case it is important to remember that just because an activity is lawful does not mean that it is the best solution to a problem. It simply means that changes will need to be directed by legislation via Congress rather than the courts.

What’s more, these are lawsuits based on the very first of the Snowden leaks—the order forcing Verizon to hand over phone records on an ongoing daily basis. It could well be that other parts of the NSA’s conduct are unconstitutional. They are not being tried in these cases.

Highlights from Judge Leon’s ruling on phone metadata collection

Judge Richard Leon delivered a pretty severe smackdown to the NSA last week. He has ruled in favour of granting a preliminary injunction to Larry Klayman and Charles Strange to prevent the US federal government from collecting any of their phone record metadata, and to force the government to delete any existing records concerning them. He believes that the plaintiffs have a reasonable chance of successfully arguing that the bulk collection and analysis is unconstitutional under the Fourth Amendment.

Leon’s 68-page memorandum opinion is fascinating (if somewhat heavy) reading. The plaintiffs’ arguments fall short in some ways but he has used the Government’s own defence to plug those gaps. He explicitly rejects some of the traditional arguments used to justify this type of collection. He presents some interesting background describing the NSA’s inability to comply with regulations, which was only declassified post-Snowden. The case also provides some insights into the ways that the US Government defends its programs.

Ignoring the more procedural and US-centric parts, here are some parts I found most interesting.

Collecting enormous amounts of data with the three-hop rule (p17)

The Foreign Intelligence Surveillance Court (FISC) orders specify that metadata records can only be accessed for counter-terrorism purposes. There has to be a “reasonable, articulable suspicion” (RAS) that the search term is associated with a foreign terrorist organisation. These terms have to be approved by one of a number of (non-judicial) officers before they can be used. It is claimed that fewer than 300 unique identifiers met this standard in 2012.

For each of these terms, query results are limited to three hops away from the starting point. This means if they search for a phone number of a suspect they will receive:

  1. For that suspect, records of all incoming and outgoing phone calls in the last five years
  2. For all the suspect’s contacts, records of all their incoming and outgoing phone calls in the last five years
  3. For all the suspect’s contacts’ contacts, records of all their incoming and outgoing phone calls in the last five years

Leon does some very rough maths to suggest that if each person has 100 contacts over the last five years, a single query will return records for perhaps one million numbers (assuming no overlap). He also suggests that if the suspect has called a local pizza shop, suddenly the second and third hops will cover incredible numbers of people. Furthermore, once a search term is authorised they can use it again and again to obtain new data.

Once they have this enormous block of data they are free to place it in an unrestricted database which they can query without specific justification. It seems to me that if they choose their numbers carefully they could “incidentally” capture the phone records of pretty much everybody in the United States.
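Leon’s rough three-hop maths, here and in the “Queries and the three hops rule” section of the previous post, as an added Python example that is not code from the post or from either ruling. It builds a constructed call graph, counts the numbers a single seed reaches within three hops, then adds one high-degree “pizza shop” number to the seed’s contacts and counts again; graph sizes and contact counts are arbitrary choices, and overlap between hops is handled properly rather than assumed away.

```python
"""Three-hop contact chaining on a constructed call graph.

Added example, not code from the post or from either ruling. It measures
how many numbers one seed reaches under the three-hop rule, first in a
graph where every number has a handful of contacts, then after one
high-degree 'pizza shop' number is added to the seed's contact list.
Graph sizes are arbitrary and chosen to run in a second or two."""
import random


def naive_bound(contacts_per_number, hops=3):
    """Leon's no-overlap estimate: 1 + k + k^2 + ... + k^hops numbers.
    With k = 100 this is 1,010,101, the 'perhaps one million' in the ruling."""
    return sum(contacts_per_number ** i for i in range(hops + 1))


def random_call_graph(n_numbers, contacts_per_number, rng_seed=1):
    """Constructed sample: every number calls `contacts_per_number` random
    others. Edges are undirected because a call record names both ends."""
    rng = random.Random(rng_seed)
    adj = {i: set() for i in range(n_numbers)}
    for a in adj:
        for b in rng.sample(range(n_numbers), contacts_per_number):
            if a != b:
                adj[a].add(b)
                adj[b].add(a)
    return adj


def add_hub(adj, seed, n_callers, rng_seed=2):
    """Add one new number with `n_callers` callers and put it in the seed's
    contacts: the pizza shop that everybody in town has rung at some point."""
    rng = random.Random(rng_seed)
    hub = max(adj) + 1          # ids so far are 0..hub-1
    adj[hub] = set()
    for c in rng.sample(range(hub), n_callers):
        adj[hub].add(c)
        adj[c].add(hub)
    adj[hub].add(seed)
    adj[seed].add(hub)
    return hub


def reach_per_hop(adj, seed, hops=3):
    """Breadth-first search from the seed. Returns [1, n1, n2, n3]: numbers
    first reached at each hop, so nothing is counted twice."""
    seen = {seed}
    frontier = [seed]
    counts = [1]
    for _ in range(hops):
        nxt = []
        for a in frontier:
            for b in adj[a]:
                if b not in seen:
                    seen.add(b)
                    nxt.append(b)
        counts.append(len(nxt))
        frontier = nxt
    return counts


def compare(n_numbers=50_000, contacts=5, hub_callers=2_000, seed_number=0):
    """Per-hop counts for one query, with and without the hub in the seed's
    contact list. A query pulls every listed number's full call history."""
    adj = random_call_graph(n_numbers, contacts)
    plain = reach_per_hop(adj, seed_number)
    add_hub(adj, seed_number, hub_callers)
    hubbed = reach_per_hop(adj, seed_number)
    return {"without_hub": plain, "with_hub": hubbed}


if __name__ == "__main__":
    for label, counts in compare().items():
        print(f"{label:12s} per hop {counts}  total {sum(counts)}")
    print("no-overlap estimate for 100 contacts:", naive_bound(100))
```

One extra contact in the seed’s list changes the total from a few hundred numbers to a sizeable fraction of the whole constructed population, which is the point Leon makes about the pizza shop.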

Non-compliance with restrictions on querying metadata (p21)

To make matters worse the NSA does not even comply with the rules. Leon quotes a report by a FISC judge in 2009. This report was only declassified by the Obama administration after the backlash following the Snowden leaks.

The Government has nonetheless acknowledged, as it must, that failures to comply with the minimization procedures set forth in the orders have occurred. For instance, in January 2009, the Government reported to the FISC that the NSA had improperly used an “alert list” of identifiers to search the bulk telephony metadata, which was composed of identifiers that had not been approved under the RAS standard… After reviewing the Government’s reports on its noncompliance, Judge Reggie Walton of the FISC concluded that the NSA had engaged in “systematic noncompliance” with FISC-ordered minimization procedures over the preceding three years, since the inception of the Bulk Telephony Metadata Program, and had also repeatedly made misrepresentations and inaccurate statements about the program to the FISC judges.

So the NSA lies not only to Congress, but also to the secret courts. Marvellous.

Every phone customer has a reasonable expectation that their privacy is being violated (p38)

At the preliminary injunction hearing the plaintiffs were asked if they had any “basis to believe that the NSA has done any queries” involving their phone numbers. Their response was inadequate – Mr Klayman had been experiencing strange behaviour with sent and received messages but the court found that this held no bearing on whether the NSA had analysed his phone metadata. In spite of this Leon stated:

The Government, however, describes the advantages of bulk collection in such a way as to convince me that plaintiffs’ metadata—indeed, everyone’s metadata—is analyzed, manually or automatically, whenever the Government runs a query using as the “seed” of a phone number or identifier associated with a phone for which the NSA has not collected metadata

This is based on the idea that your records are searched every time the government uses a foreign phone number as a starting point. Leon refers to a government declaration stating that if they have the phone number of an al Qaeda safe house in Yemen, they would be able to use the metadata to find people who had contact with that number. Leon argues that since the government would not have access to the Yemeni records, they would be required to search all of the US customer data in order to find those people who had called the foreign number. This would constitute a search of every US citizen whose data they possessed.

To me this seems like a very important finding – that having your data queried for a term, even if it comes up negative, counts as a Fourth Amendment search.

Distinguishing between opaque and transparent data (p41 footnote)

In its response the government referred to a previous case (Horton v. California) concerning whether seizure of a container amounted to a search of it. They claimed that acquiring an item without examining its contents (i.e., collecting metadata without subjecting it to a query) “does not compromise the interest in preserving the privacy of its contents”. Leon specifically rejects this similarity:

Horton involved the seizure of tangible items under the plain view doctrine… In the case of the bulk telephony metadata collection, there is no analogous “container” that remains sealed; rather, all of the metadata is handled by the Government, at least to the degree needed to integrate the metadata into the NSA’s database…

Telephony data is not kept in an unmolested, opaque package that obscures it from the Government’s view.

I find this interesting because it leaves open the possibility of collecting either encrypted data or data which is never processed or analysed in any way. The fact that the data from each provider must be processed to match their metadata database seems to be an important factor in his decision.

Rejecting the Smith case that you have no reasonable expectation of privacy for numbers dialled (p44)

Leon describes a famous case Smith v. Maryland (1979) which discussed police putting a pen register on Smith’s telephone line without a warrant, allowing them to monitor which numbers were dialled over a period of days.

The Supreme Court held that Smith had no reasonable expectation of privacy in the numbers dialed from his phone because he voluntarily transmitted them to his phone company, and because it is generally known that phone companies keep such information in their business records. The main thrust of the Government’s argument here is that under Smith, no one has an expectation of privacy, let alone a reasonable one, in the telephony metadata that telecom companies hold as business records; therefore, the Bulk Telephony Metadata Program is not a search. I disagree.

He then launches into a long and passionate argument about why this case is substantially different in many ways. These reasons include the number of phones in use, the way we use our phones now, ongoing vs targeted collection and changes in society’s reasonable expectation of privacy. None of these are unfamiliar but it is great to see a judge putting them forward as serious considerations.

The phone metadata has not been shown to be useful (p61)

Leon says that the searches are likely to be found unreasonable because the government is not able to demonstrate that they are actually useful. The main argument they presented in favour of the bulk collection was the speed with which they were able to respond to emergent threats.

Yet, turning to the efficacy prong, the Government does not cite a single instance in which analysis of the NSA’s bulk metadata collection actually stopped an imminent attack, or otherwise aided the Government in achieving any objective that was time-sensitive in nature.

Conclusion

In this opinion Judge Leon strode boldly into the key issues that we’re facing today – what is legal and illegal collection of metadata, and what is it that ordinary people would find reasonable? It is of immense help to the plaintiffs that they have the Fourth Amendment to lean upon, a benefit we lack here in Australia. We should observe the case closely, both for its eventual outcomes and also the arguments put forward by both sides in the inevitable appeal.

Twitter Blocks: Aspirations vs Reality

by ,

Today we witnessed all the excitement of Twitter’s short-lived new blocking policy. They changed blocking so that instead of making someone unable to see your tweets, you simply couldn’t see any of theirs.

There’s a trade-off to be made here and in my opinion they ultimately made the right decision by reverting to the original behaviour. On one hand, the existing system was a useful tool for deterring low-level harassers. On the other, Twitter was concerned about retaliatory behaviour when a user blocks someone. Judging by the resulting furore, the former was more important than the latter so they changed it back. A happy ending.

A great many harsh things were tweeted today that aren’t really fair. From one side there were claims that this is what happens when straight white male programmers who’ve never been harassed online make decisions about cyber-safety. On the other side there was the patronising black and white assumption that because most people’s tweets are public anyway the blocking doesn’t make any difference.

The remarkable aspect to me is how deeply Twitter users care about this change. To me there does not seem to be an enormous difference between the proposed and existing blocking systems. It almost doesn’t fall in the category of cyber-safety – the kind of people who are not merely annoying but are actually going to threaten your safety won’t be significantly deterred by a block. Then again, I am very used to blocking-by-ignoring. It has long been the traditional way to deal with annoying people online. Only more recently with services like Facebook and Steam have people come to have identifiable accounts that cannot be simply discarded, making punishment more effective.

I think that those who are finding themselves really angry about this kind of change need to reconsider whether they should use Twitter. Yes I am advocating blaming the victim here. I think they have possibly strayed outside their social media comfort zone.

On the face of it this is absurd. Why should you be forced off a popular Internet service or forced to make your profile private because some other person wants to make your life difficult or stalk or harass you? Obviously it’s not your fault and the harassers should be held to account as much as possible. The “as much as possible” is where it gets tricky.

“Social media” (to use the term very loosely) can be put on a rough scale. Toward one end we have rough-and-tumble anything-goes completely-anonymous completely-public discussion with minimal oversight. 4chan’s /b/ is pretty much the epitome of this. On the opposite end we have something like Facebook. You need to surrender your real name, email address and phone number to sign up. You are locked in to your particular account by the network of friendships you need to see posts. Facebook puts a lot of effort into moderating content. You can report users for harassment and Facebook staff have the tools, capability and desire to do something about it.

Social Media Comparison

Twitter is interesting because it is both incredibly popular and significantly closer to the 4chan end of the scale. You only need an email address to create an account. Anybody can get a throwaway email address. This is why Twitter has such difficulties with spam.

The important point is this: each of these services was specifically designed to occupy that spot on the scale.

Facebook is designed to be a tightly networked safe space with accounts tied very closely to real people. /b/ is designed to be the wild west. Twitter is designed to be somewhere in the middle where anybody with an email address can sign up, follow whomever they like without permission, and tweet at anybody they like.

We are free to criticise the policy decisions that these services make. We still need to keep in mind their context and what it is we signed up for.

If you post a picture of yourself on /b/ and suffer harassment (pretty much inevitable) any attempt to get help from a moderator would only open you up to further ridicule. Similarly if you posted pornographic content on Facebook you’re not going to get very far saying “it’s a free internet and I’m an adult”. You’d be smacked down with the terms of service.

So it is fairly clear that things get rougher the further you move to the left. Twitter provides much less control than other social media. The real question is: what do we do about it?

It would be really nice to say “Nobody should have to suffer harassment on the Internet no matter which service they use”. There are two ways we can do this. The first is to achieve world peace and happiness and create great global educational programs that teach all kids from a young age to be respectful online. The second is to eliminate sites like 4chan from the internet and put much stronger controls on sites like Twitter; in other words, make it so that the only services that exist are the ones at the right-hand side of the scale.

The world peace idea is obviously a work in progress and unlikely to be completed any time soon. Some people have had a go at the second by proposing internet filtering schemes, licences to use the internet, banning encryption and so on. Unfortunately these things damage freedom of speech, freedom of association, democracy and whistleblowing to counter corruption and abuse of power. So I don’t want to do that either.

In the end we’re simply left with taking some personal responsibility for choosing services that match our values and desires. Is this victim-blaming? Yes. Is it always this rigid? No.

Social networks can and will respond to market forces. Twitter did exactly that today. If they didn’t, a competitor would spring up that provides the most popular balance. But they didn’t really have to shift that far.

At the end of the day, Twitter is what it is. It’s never going to be a utopia of people who are always respectful. In fact, it was clearly never designed to be one.

Why the ORP1 isn’t raising any money

by ,

The ORP1 is a gadget to provide Torified internet access and VPN access to a home network. They’re hoping to achieve $200k of funding with Indiegogo to get into a manufacturing run.

They’re not getting much money. Why? Because Australians still don’t give a toss what their intelligence agencies do. Most of them have never heard of open source.

I don’t wish to get on my moral high-horse here. Australians genuinely have lots of very important shit to worry about that doesn’t involve PRISM and fibre-optic taps and DSD collaboration and whatnot. There is a segment of the community (myself included) who feels differently but we are reasonably detached. The ORP is just another example of that.

I put the ORP in the same category as CryptoParties. These would be extremely popular in some fictional world where people are scared of their government, worried that they’re living under some new-age Stasi and need the geeks to save them.

It just isn’t true. If you go outside the Twitter and Reddit bubbles and talk to some ordinary people about these leaks and revelations they simply don’t care. They’re probably not going to care until something clearly unfair happens to someone due to over-zealous metadata collection or the like.

  1. This is not anybody’s fault.
  2. The onus is on us to constructively argue why things will be different from the way they are now.
  3. The time is not yet here for products or services that rely on Australians feeling intimidated into not doing certain things on the internet.

For what it’s worth, the ORP1 looks like a cool bit of gear in a similar vein to what the FreedomBox project hopes to produce.

As a community who cares about the privacy of individuals online, we need to be focusing our efforts on raising awareness about the dangers. When the zeitgeist arrives, then products like the ORP1 will shine.

Vicious Lawless Collection of Metadata

by ,

Another day, another leak that gives us a tantalising glimpse. Perhaps soon we’ll be able to answer an important question: just how much metadata do our agencies collect about us?

We know they collect address books. We know they collect “medical, legal or religious” profile information. Since a warrant is currently not required to access metadata the door is wide open for agencies to also put our phone locations, SMS records and websites we visit into a gigantic database. Until more information is leaked we can’t know. Australian intelligence agencies are exempted from reporting the number of telecommunications interceptions they perform each year.

If any non-authoritarian Australian wants to see why this is a massive problem they need look no further than Campbell Newman, the glorious premier of Queensland. In case you missed it, his Vicious Lawless Association Disestablishment Bill 2013 stipulates that if you commit any of a long list of crimes in the course of participating in an “association”, you have to spend 15 years in prison on top of whatever the judge would ordinarily sentence you to. The burden of proof is placed on the defendant that it is not a purpose of the association’s members to commit these crimes. Crikey.

The most relevant problem is that associations can be pretty much anything. By my non-lawyer reading of the bill, if you form a drinking group with a few mates and go out two weeks in a row, bam, you’re an association. While you’re out drinking you’re participating in that association. Hmm.

Let’s put the pieces together and see what could happen if we combine extensive metadata collection with the kind of law that Queensland comes up with.

Suppose you head off to university and try to make some new friends. You hang out with a group for a while. One of them sells you a really cheap laptop. You decide you don’t like their vibe so you go on your way. A few months later you participate in a student protest against live animal exports and are identified among the crowd. A government officer decides they don’t like you so they have a close look at your phone records. They notice that you spent a lot of time located with a group who were later caught disposing of stolen property. The police visit you and find the stolen laptop. They use the amount of time you spent with the group (“90.4 hours within 30 metres!”) to argue that you must have known they were dodgy. They charge you under the Criminal Code Act 1899 (Qld) section 433 and hit you with the association sentence as well.

Suppose you sometimes buy cannabis and your dealer gets busted. The police find out all of his clients. The prosecution doesn’t like you because you’re a member of a certain political party. They find cannabis at your house, charge you under the Drugs Misuse Act 1986 (Qld) section 9 and go digging. It turns out you’re Facebook friends with a bunch of guys who have also been caught smoking weed. You’ve been at the same parties before and appear in some of their photos. Oh dear – that sounds awfully like an association of people who like to consume illegal drugs together.

Would a Queensland government really use statutory power to silence people they didn’t like? Well, 1977 wasn’t all that long ago.

VLAD is effectively a serious penalty that can be arbitrarily applied to people the government doesn’t like. The current provisions apply most naturally to motorcycle gangs but already tattoo parlours are also coming under suspicion. What other authoritarian legislation will appear?

Huge repositories of metadata amplify this problem tremendously. Not only is there a massive punishment for an arbitrary reason; deciding whom you’re going to target to find dodgy associations can be arbitrary too. That’s far more power than I’ll trust with any government.

Why you should consider Syme over Facebook

by ,

A new version of Syme has now been published for Google Chrome. You may know that this is a new social network designed to be so private that your posts can’t even be read by the people who run the network. They’ve also released a whitepaper explaining why their system is novel.

In my opinion Syme is special because it’s really easy to use but still manages to set up true end-to-end encryption. Other tools like PGP are much more complicated. Even if you don’t know anything about cryptography you can use Syme.

If you are one of these people who doesn’t know about cryptography, I wrote this post for you. I want to explain how Syme is special and why it’s better than, say, Facebook. Definitely give it a go, perhaps even before reading the rest of this.

Understanding how you maintain your privacy isn’t so hard. You simply need to follow some logic about what is and isn’t encrypted and who has the passwords.

Before we begin - a little bit of theory

We need to quickly look at two different ways of encrypting a message, both of which are used by Syme. These methods are called symmetric and public-key encryption.

Symmetric encryption is the sort where you lock up a message using a password. You take a message that you want to encrypt, come up with a password like “banana”, do some calculations and receive an encoded version that makes no sense on its own. Anybody who knows that the password is “banana” can take the code and convert it back to the original message.

Symmetric Encryption

Public-key encryption is what you use when you want to send a secret message to one specific person only. Suppose your friend wants to send a secret message to you. First you need to create some sort of digital identity that’s unique to you. You ask your computer to generate a keypair. This comes in two parts – a private key and a public key. Imagine these as two small files on your hard drive containing data that looks like gibberish (sometimes they are stored this way). You keep the private key to yourself. This is your identity that represents you. You give the public key to your friend – or just post it on the Internet. Anybody can have your public key.

Public Key Generation

Your friend types his secret message into a piece of software and also gives it your public key. It spits out encrypted data that can only be decrypted by the person who has the corresponding private key – that’s you. That’s why it’s very important to keep the private key to yourself.

Public Key Encryption

Armed with these two techniques we can explain the most interesting parts of Syme: how your posts are protected, and how you can keep all your data on the Syme server without them being able to read it.

It’s not about money…

When you log in to Syme you are presented with a list of groups. Each group looks and works much like a Facebook page. You can post text messages, photos, videos and files. You can create new groups and join existing ones if you’re invited.

In Syme a group is an encrypted conversation between its members. Nobody else can read the posts, including the people who run the Syme servers. All group members have the ability to invite new people, who can then see all the old posts and add their own.

Suppose Alice is in a group with Bob and Charlie. Alice has a private key that she uses for that group. She has already given the public key to Bob and Charlie. This means Bob and Charlie are each able to send her encrypted messages.

Bob transmits a new message to the Syme server and Alice wants to read it. Bob has encrypted different segments of the message in different ways. These are the relevant parts:

Syme Message Format

The message is encrypted with symmetric encryption. Alice needs to know what the password is (a much longer and more complicated version of “banana”). We’ll call this password the message key. So how does she get the message key?

What Alice Needs

Alice’s computer looks through the attached keys to find one that’s addressed to her. This is the message key she needs, but it is itself encrypted. It has been encrypted using Alice’s public key. Alice can use her private key to perform the decryption:

Decrypting the Message Key

So in total Alice has to do two steps of decryption. First she decrypts the message key using her private key. Then she uses the message key to decrypt the message.

Full Message Decryption

You can see that the only people who can possibly read this message are Alice, Bob and Charlie. Bob encrypted copies of the message key for Alice and Charlie and also for himself, because as soon as he sent the message he deliberately forgot the message key. If he logs on somewhere else he will want to be able to re-download his old post and see what he wrote, and his own encrypted copy is what makes that possible.

Syme stores this message on their server. They can see who is involved, when the message was sent, roughly what size the message is, the internet addresses of each person, and when each recipient received the message – but they cannot read the message itself.

Now we start to appreciate what Syme can and cannot do. It is not anonymous and it does nothing to hide your communications with particular people. It does however provide encryption such that if the NSA forced Syme to hand over all their computers they would still not know what you actually said.

If the NSA wanted to get the unencrypted contents of a group, their easiest option would probably be to get someone already in the group to invite an account controlled by an NSA operative. Alternatively they could break into one of the group members’ computers, apparently not a difficult task.

This is perfectly good for, say, friends or colleagues sharing stuff with each other. We’re getting essentially the same level of security as encrypted email, except much easier to use for everybody involved.

On the other hand this is completely insufficient if you are a journalist trying to protect the confidentiality of your sources. If you were sent messages or documents their contents would be obscured but there would almost certainly be some sort of trail leading back to the sender.

Unfortunately there remains a pretty fundamental gap in our understanding. We assumed that Alice would have her private key right there ready to go. This is okay if you can save your private keys on your hard drive but Syme is meant to work across multiple computers and on your phone or tablet if you have one. If you jump on a new device and type in your username and password how can it possibly decrypt any messages?

Keeping your keys handy

Every time you create or join a group you create two new keypairs to use in that group – one for encryption (that’s the one we were talking about before) and one for signing (we ignored that one). If you’re in 5 groups you have 10 different private keys to keep track of, plus everybody else’s public keys. That’s a lot of keys. The good news is that Syme is happy to store all of this on their server for you in what they call a keyfile.

However, you don’t want Syme to know your private keys. You have to encrypt your keyfile before you send it off. This raises a tricky question – what password do you use to encrypt it?

Suppose you’re logging on using a fresh computer. You only have your email address and your password. You don’t have any private keys on hand. You want to achieve two things:

  • Convince Syme that you are who you say you are and log on. You can then download your encrypted keyfile and all the encrypted posts.
  • Decrypt that keyfile so you can access all your lovely private and public keys.

That’s two separate tasks you need to achieve with one password. Happily they have come up with a solution.

Essentially your computer will do some maths on your password (it’s called a key derivation function) to make a much bigger version of it, with the special feature that it’s impossible to calculate backwards and find out what the original password was.

This enlarged result is chopped neatly in half. The first half is used as your “actual” password to log on to Syme and get your keyfile. The second half is used as a symmetric password to encrypt and decrypt that keyfile.

Login Process

The Syme server never ever sees the password you typed in, nor the keyfile encryption password. You can save keys in your keyfile, encrypt it, upload it to the Syme server and be confident that they won’t be able to read them.

…Or can you? If you download an app from Syme, how can you know that it’s actually doing all this stuff rather than just sending your password and your keys straight to them?

Pass the source

As with any software, you have to trust it to some degree. Syme so far is releasing the source code for the parts of their software that relate to encryption and key management. The theory is that if you can read the code that does the encryption you can check to make sure that it’s doing the right thing.

In practice it’s a little murkier. If you’re running it on an Android or Apple phone there are myriad exploits already used by black hat hackers and law enforcement to take over your phone. If you have a well-resourced adversary you simply don’t want to be typing anything important into your phone. You have to trust processes like Apple’s App Store to deliver the product to you from Syme without malicious modifications.

If Syme gains traction I expect that 100% open source projects will start up to independently implement Syme encryption and protocols. More paranoid folks might prefer to use these instead. It remains to be seen how this would fit into Syme’s as-yet-unexplained business model.

Conclusion

This has been a brief tour of how Syme keeps your posts private. There is of course a lot more to it, particularly when it comes to inviting new people to groups and verifying the other person’s identity.

Syme has demonstrated that it is possible to build a pretty and user-friendly social network that prioritises your security – more sophisticated systems will certainly follow.

A couple of closing thoughts:

This service is probably going to cost money. Facebook makes all of its money by targeting ads at you and selling data about your connections and interests. Syme will probably have to charge some sort of subscription fee to hold an account, perhaps beyond a certain number of groups. If this comes to pass I would advise that it’s well worth paying a few bucks. The network should be the product – not you.

Finally, this is all very early days for Syme. Holes may yet be revealed in their cryptography or in the software they’ve written. Nonetheless I’m much more excited now and will certainly be following to see where they go from here. I suggest you do too.