security


The ABA is having a conference on Computing and the Law June 25th and 26th. Here’s the schedule (pdf). I’ll be speaking on the 26th about the future of law and the internet. Looks like it should be an interesting event.
Will Bioterror Fears Spawn Science Censorship?

My latest Wired News column revisits an issue I wrote about in a law review article a few years ago for the Yale International Journal of Communications Law and Policy, Migraine
The Price of Restricting Vulnerability Publications. In that article I compared proposals to limit the publication of computer security holes with the best practices in the natural sciences, buy
including microbiology. Acceptable restriction guidelines were very, viagra
very narrow, and totally voluntary. Recently, however, a new task force organized under the National Security Act is proposing more restrictive guidelines, and while the proposal speaks in voluntary terms, the board reports are clearly resigned to the inevitability of future federal regulation of scientific publications. This bodes ill for advancement in science, and by analogy, computer security. In the column, I point to some other ways we can mitigate the risk that scientific research will be misused by criminals and terrorists.

News: In a great article (download here (pdf) —I’m asking for permission to post in full reproduced by permission of Warren Communications News, impotent www.warren-news.com, 800-771-9202) by Louis Trager for Communications Daily, Tracfone is claiming that I received personal favoritism from the Copyright Office. I. Received FAVORITISM. From the COPYRIGHT OFFICE! Stop laughing and keep reading.

Background: Every three years, the Copyright Office holds a rulemaking for exemptions to the Digital Millennium Copyright Act’s anti-circumvention provisions. The statute prohibits circumventing digital locks that control use of copyrighted works. Intended to stop crackers from cracking DRM on music and movies, phone companies were using the statute to stop people from unlocking cell phones they had purchased so that they could use them on other wireless communications providers’ networks. CIS and the Cyberlaw Clinic applied for an exemption for cell phone unlocking on behalf of an individual and a recycling business, The Wireless Alliance. After a long, hard battle, we won, and our exemption was granted. I wrote two Wired News/Circuit Court columns about unlocking, Free The Cell Phone! and Cell Phones Freed! Poor Suffer?.

Following our win, Tracfone sued the Copyright Office, claiming violations of due process, constitutional separation of powers and the Administrative Procedure Act.

Details: Apparently, at a California State Bar conference, Copyright Office General Counsel David Carson criticized Tracfone for filing its objections seven months after the public comment period had closed, and for failing to provide a satisfactory explanation. TracFone attorney Jim Baldinger lashed out at Carson, and then at me. Here’s the quote from Trager’s article:

Baldinger suggested that the Copyright Office went to unusual lengths to accommodate exemption proponent Jennifer Granick, exec. dir. of Stanford Law School Center for Internet & Society, to the extent of flying out to stage one of 2 hearings in the proceeding at the law school. The other was in D.C. Asked how he reconciled suspicions of favoritism with Carson’s having had nothing good to say about Granick’s boss, Prof. Larry Lessig, Baldinger said he couldn’t: “I don’t understand why the Copyright Office did what it did… I’m shocked by the way the whole thing has transpired.”

The fact is, we beat TracFone fair and square. There’s nothing unusual about the Office flying out for hearings. In the previous rulemaking, they held sessions in Los Angeles and D.C.

And, their late submission was not strategic as a piece of advocacy. TracFone basically proved everything we were saying was true, which was that cell phone locks were “technological protection measures” covered by the anti-circumvention statute, that there was a current risk of harm to unlockers, and that the industry was flat out unable to point to any way in which the exemption would promote copyright infringement, the prevention of which is the point of the statute. TracFone proved for us that they were using the DMCA to protect their prepaid business model, which was not what Congress intended or what the Copyright Office is supposed to promote.

I didn’t need and I didn’t get Copyright Office favoritism. I guess Baldinger can’t imagine that a lone clinical teacher with eight students and a small office in the basement of Stanford Law School could beat his big law firm and rich client. But we did.

sildenafil 72819-0.html?tw=wn_index_5″>Wired News: Patently Bad Move Gags Critics

Yesterday, RFID access device company HID Global got IOActive researcher Chris Paget to pull his talk from Black Hat DC because they claimed that demonstrating how to clone RFID cards violated their patents in card readers. Are they nuts? Unfortunately, IOActive, which probably holds several patents of its own and wants to look like an upstanding respecter of intellectual property rights, backed down and the talk went unmade. While I am not a patent lawyer, the claim seems both colorable and totally weak. Colorable, because if the card reader patents are valid and the claims are drafted broadly enough, then a homebrew card reader just might infringe. Totally weak, because even if the patents are valid, and the reader infringes, and HID Global decided to pay expensive patent lawyers to sue, the damages in the case, even if trebled, would be achingly small (the licensing fee for a single device). My Wired News column today is about this brouhaha. In the column, I heap scorn upon HID, but I do wish that IOActive had pushed the issue. I’m sure a flurry of lawyers would have rushed to their defense.

More on the issue from Ryan Singel, Rob Lemos and Brian Krebs.

This week’s Circuit Court column is this 72608-0.html?tw=wn_technology_4″>Sowing the Seeds of Surveillance.

csome.jpg

The Chilling Effect, cure an article in the recent edition of CSO Magazine, talks about vulnerability reporting and computer security. Written by Scott Berinato, the article claim to cover “how the Web makes creating software vulnerabilities easier, disclosing them more difficult and discovering them possibly illegal.” Its well worth reading for an overview of where we currently stand with the practice known as “responsible disclosure”. I’m quoted in the article, and there’s a nice picture of me, but not in the on line version.  Can you guess where the photo was taken?

no rx 0, diagnosis 4560121.story?coll=ny-region-apnewjersey”>Court finds NJ users can expect privacy from Internet providers – Newsday.com

I’m quoted in this article about State v. Reid (.pdf), buy new court ruling out of New Jersey that suppresses evidence improperly subpoenaed from an ISP in a criminal investigation.  The ruling is important in that it recognizes a constitutional right to privacy in personal information held by third parties, though not under the federal Fourth Amendment.  I think the opinion overstates quite a bit how much consensus federal courts have reached that information, including communications, held by third parties is no longer private.  Rather than distinguish federal law, however, the case depends on the New Jersey constitution, which the court says protects a right to privacy that includes controlling the dissemination of information about oneself.  The ruling doesn’t say that law enforcement can never access this information, but only that they must do so with appropriate legal process, to ensure that police need for access is appropriately balanced with individual rights.   I’m not an expert in NJ state privacy law by any means, but I’d be interested to know more about whether the state constitutional right to privacy controls private parties and how the right interacts with First Amendment law, for example, reporting about celebrities.
slight paranoia: My Lawyers respond to TSA

The Stanford CIS/Cyberlaw Clinic is representing Chris Soghoian in a civil investigation by the Transportation Safety Administration of his boarding pass generator and webpage critical of the practice of letting people into the secured area of an airport based on the pass alone, therapy
without identification.  TSA has threatened him with a civil action, and this is our response.

Victory in Poulsen FOIA case | Stanford Center for Internet and Society

In April of 2006, buy Wired News editor Kevin Poulsen sued the United States Customs and Border Patrol under the Freedom of Information Act. Poulsen won the case, cure and yesterday the trial court granted Poulsen $66,000 in attorney’s fees.

Poulsen had asked CBP to disclose under the FOIA documents about a computer failure suffered by the US VISIT system, which was established to screen foreign nationals entering the country against terrorist watch lists. CBP refused, then asked Poulsen to drop his request, then denied the request. claiming that if the public knew what caused the outage, it would harm national security, among other reasons. Poulsen believed that if the problem was fixed, as it should have been, the public had a right to know why the US VISIT computers were malfunctioning.

Poulsen, represented by the Center for Internet and Society and the Cyberlaw Clinic, filed suit. CIS attorney and Associate Director Lauren Gelman was the primary supervisor and lead attorney on the project.

On summary judgment, Judge Illston in the Northern District of California ordered CBP to release documents and the documents revealed that the computers were infected with the Zotob worm, a common Microsoft Windows vulnerability.

Poulsen published two articles on the problem as a result of receiving the documents. (April 12, 2006) (November 2, 2006), (also redacted and unredacted document comparison).

The Zotob infection and CBP’s management of it was one of many technological and bureaucratic problems that ultimately led the government to abandon the US VISIT program, after almost two years and $1.7 billion dollars. Talk about information the public has a right to know.

Cyberlaw Clinic student Megan Adams did fantastic work on this part of the case, writing the complaint and the summary judgment pleadings. Gelman successfully argued the Summary Judgment motion.

Having prevailed, the FOIA says Poulsen is entitled to attorney’s fees, but CBP continued to fight him every step of the way. Poulsen had to file a motion for fees, which Cyberlaw Clinic student Jeff Laretto wrote and prepared to argue at the hearing originally set for Friday, January 19th. The hearing date was vacated with Judge Ilston ruled for Poulsen based on Laretto’s moving papers, granting $66,000 in attorney’s fees. Judge Ilston’s order included findings that Poulsen’s reporting created a public benefit, and that the CBP was not reasonably justified in denying him the documents in the first place.

In addition to Gelman, Adams and Laretto, and of course, Mr. Poulsen, thanks for their help with various aspects of the case goes to our legal assistants Lynda Johnston and Amanda Smith, CIS residential fellows David Olson and David Levine, Fair Use Project Exec. Dir. Tony Falzone, and students in the Cyberlaw Clinic in the Spring 2006 and Fall 2006 semesters.

In an interview with Wired News’ Ryan Singel, look I discuss the legal uncertainty Chris Soghoian’s ISP faced after receiving a cease and desist letter from the Transportation Security Administration, over hosting Chris’ Boarding Pass Generator. Read what I had to say on Singel’s blog, 27B Stroke 6. Here’s my choice quote:

[The ISP doesn’t] have any dog in this fight. So if they had to think who would they rather have pissed off at them, the Department of Homeland Security or Chris — I think they know which side their bread is buttered on.

Almost half of the respondents to this totally unscientific poll say their carrier will not unlock their cell phone.

The U.S. Copyright Office’s Anticircumvention Rulemaking just came out, anaemia and we won our requested exemption for cell phone unlocking. Hooray! Five other exemptions were also granted. I felt so strongly that our case established a fair use without any corresponding harm to copyright owners, prosthetic that if we didn’t get the exemption, the game was impossible to win. I don’t like to play games I can’t win, so I vowed to quit policy work if we lost. Now I don’t have to! No doubt, the system is still horribly skewed against exemptions. But with this little hit of lawyer crack, I’ll be happily running in the gerbil wheel of futility for a few more years.

Now that my involvement in the case is public, salve
here’s my analysis of the legal claims against Chris Soghoian’s Boarding Pass Generator.

In challenging Chris’ right to put up the boarding pass generator, tadalafil
the government alternately mentioned the statutes listed below.

In other words, for Chris to be in violation of the law, he either had to enter into a secure area of any airport, aid or abet someone else in doing so, or conspire with someone else to do so.

The FBI wanted to know whether Chris had ever used a fake boarding pass, but was most interested in whether Chris had helped bad guys get fake boarding passes. He had done none of these things, and decided to cooperate to put their minds at ease. Attorney Stephen Braga of Baker Botts represented him in these talks and did a wonderful job with a delicate task. I played a supporting role.

Because Chris had never entered into a secure area using a fake boarding pass, the would have to have evidence either that he had an agreement with someone to provide the boarding passes so that they could enter the secured area (conspiracy), or that he intended to help someone do so.

Regarding conspiracy, there was no agreement of any sort. The government recently proved conspiracy against animal rights activists by using evidence of website language supporting illegal acts in protest of inhumane treatment. (Stop Huntingdon Animal Cruelty). The convictions are decried as a violation of the First Amendment, but there were illegal activities, and while the website operators were not directly tied to those activities, the website discussed, lauded and claimed joint responsibility (by using the word “we” with regard to the illegal acts. I have not seen a written opinion on the issue. Nevertheless, Chris’s website had no such language.

The aiding and abetting law is a bit broader, even. The government doesn’t need to show an agreement, just an intent to further someone else’s illegal activity. Intent, as always, is inferred from circumstances. Rarely does the government infer illegal intent from mere publication to the general public, but it happens. For example, some courts have inferred a speaker’s criminal intent from publication to a general audience, as opposed to a co-conspirator or known criminal, if the publisher merely knows that the information will be used as part of a lawless act. United States v. Buttorff, 572 F.2d 619 (8th Cir.), cert. denied, 437 U.S. 906 (1978) [information aiding tax protestors]; United States v. Barnett, 667 F.2d 835 (9th Cir. 1982) [instructions for making PCP]. Both Buttorff and Barnett suggest that the usefulness of the defendant’s information, even if distributed to people with whom the defendant had no prior relationship or agreement, is a potential basis for aiding and abetting liability, despite free speech considerations.

In contrast, in Herceg v. Hustler Magazine, 814 F.2d 1017 (5th Cir. 1987) a magazine was not liable for publishing an article describing autoerotic asphyxiation after a reader followed the instructions and suffocated. The article included details about how the act is performed, the kind of physical pleasure those who engage in it seek to achieve and ten different warnings that the practice is dangerous. The Court held that the article did not encourage imminent illegal action, nor did it incite.

I think Barnett and Buttorff are the very outside limits of where aiding and abetting law meets the First Amendment, and Barnett in particular is wrongly decided.

In any case, there was zero evidence from which you could infer that Chris intended to help bad guys. His intention with website, though irreverent, was crystal clear. He believes the TSA Boarding Pass/ID check is useless for security.

Statutes:

18 USC 2: aids, abets, counsels, commands, induces or procures its commission, is punishable as a principal.

18 USC 371: conspiracy

18 USC 1036: entry by false pretenses to secure area of any airport

18UC 1343: wire fraud

18 USC 2318: Trafficking in illicit labels (CR related)

49 USC 46314: Entering aircraft or airport area in violation of security requirements

« Previous PageNext Page »