April 2006

Photo by Jake Appelbaum

I’m attending the Northern California Judicial Conference on Sunday, and speaking on a panel in the morning about privacy and digital technology. Here’s the gist of what I’m going to say:

Two points

1. Privacy laws don’t deal well with special issues of the internet/digital technology.

2. The computer crime laws are so broad that innocent people are getting convicted without necessarily helping security/privacy.

When the federal Computer Fraud and Abuse Act and the Electronic Communications Privacy Act were passed in 1986, most people had a telephone, but that’s about it. Telephone companies kept phone numbers dialed, but didn’t record the calls.

Today people have telephones, cell phones, email, instant messenger, web sites and e-commerce. These activities leave a digital trail, not just of phone numbers, but of the contents of communications, what we buy, and what we read. Even our physical location is revealed by cell phone records.

Additionally, all this information can be stored forever in databases that are easily and cheaply searchable. Normal people think this stuff is private. But companies claim that this information belongs to them, not to the customer, and sell it to companies that aggregate all the data and sell it to direct marketers and to the government. The few statutes we have protect people from companies revealing the contents of their emails, but not necessarily the rest of the information. And it’s not entirely clear that the Fourth Amendment protects any of this information.

The Electronic Communications Privacy Act and the Stored Communications Act provide some protection for electronic communications. Anytime the government or a party is seeking discovery of email, stored files or digital customer records, the ECPA or SCA applies. The statutes are notoriously convoluted. However, in short, the scheme distinguishes between information in transit and information that is stored, and between the contents of communications and transactional information like email addresses and IP addresses. Information in transit gets greater protection than stored information, and content gets more protection than transactional data.

Why should an email on the fly be more private than an email I’ve already received? Why is data about the books I buy or the web pages I read treated as if it’s no more private than a phone number I dial? Some courts have begun asking these questions. The Eastern District of New York, for example, considered what the government had to show to get cell phone information that pinpoints a customer’s location. The government sought access to the cell site information through the “Stored Communications Act” (SCA), 18 U.S.C. § 2703, which requires a lower standard for authorization than probable cause: namely a showing of “specific and articulable facts” to demonstrate that the data will be “relevant and material to an ongoing criminal investigation.” The court rejected this argument and held that the Government needs probable cause.

Meanwhile, information companies are able to sell your cell phone records, including the numbers you dial, to any private party that wants them.

Currently, no law prevents this. The SCA says that providers of communications services can’t reveal transactional information to the government without proper legal process, but they can sell the data to anyone else. One question is whether providers can sell that information to data brokers who sell that information to the government without any legal process.

The Fourth Amendment may not help privacy here. Smith v. Maryland, and other cases, say that there’s no reasonable expectation of privacy in information you voluntarily give to a third party, and some have argued that this means the Fourth doesn’t apply to any networked communications.

On the other hand, the hallmark of the Fourth Amendment since Katz is that it protects people, not places or property. The government needs a warrant to pick up sound vibrations from the outside of a phone booth, and to use a heat sensor to capture emanations from a house. When signals, whether sound, heat or electrons, are in a public space, but they let the government infer private details, the government should have to get a warrant.

In earlier days with less technology, a lot of our privacy was latent in physical reality. When I walked down the street, if no one else was there, I could assume I was unobserved, and take the time to fix my lipstick. With video cameras, that’s not true. But with analog video cameras, someone needed to be watching. Now, with digital video cameras, it’s cheap to store the video forever. Machines can tag the points in the video where someone is moving and help viewers search. Is there a privacy difference between walking down a public street, being recorded on a public street, having that recording saved and searchable, having that recording sold to the highest bidder? I think so. So what should the law do about it?

These examples should demonstrate that analogies don’t answer the question because modern technology is categorically different. Modern technology affects privacy by making information collection possible, cheap, easy, searchable, storable and aggregatable.

These are the kinds of questions that courts are going to be asked to answer in the next few years.

One law that’s supposed to protect our data, the Computer Fraud and Abuse Act, has been overused in ways that not only fail to protect privacy, but actually interfere with free speech and privacy.

The federal statute and every state prohibit accessing computers or a computer system without authorization, or in excess of authorization. The federal law also has as an element of the offense that the attacker has to have caused $5000 in damage, and damage is defined as interfering with the availability or the integrity of the system.

What does it mean to access a networked computer? Any communication with that computer, whether it’s simply one computer asking another “are you there”, or downloading trade secrets, transmits electrons to the other machine. Email, web visiting, even port scanning, which is querying a computer as to what programs it’s offering to network users, is access. One case has said that when I send an email, not only am I accessing your email server and your computer, but I’m accessing every computer in between that helps transmit my message.

What does it mean to act without authorization? Authorization comes from the owner of the targeted system. If the owner doesn’t want you to use the system, for whatever reason, it’s unauthorized. Cases say it’s unauthorized access to send unwanted email, to visit web pages using a borrowed username and password, to search published price data, to use a service after being notified to stop, or in contravention of the terms of a license agreement. Some courts have even held that accessing information you have permission to access is unauthorized if you are doing it counter to the interests of your employer. The Ninth Circuit says sending a patently invalid subpoena for email information is unauthorized access too.

In the federal law, the plaintiff or prosecutor must also show $5000 of damage. It’s trivial to show damage when there’s a computer intrusion, because just a few hours of investigation time is worth $5000. But in privacy cases, since privacy is hard to value, there’s not enough damage. Thus, when people sued the ad company DoubleClick for putting cookies on their machines that tracked users’ web surfing, the court said that there wasn’t enough damage to meet the $5000 threshold.

Perhaps state statutes would be more useful here, because most don’t have a $5000 threshold.

As a result of the unbelievably broad definition of computer crimes, Bret McDanel was convicted of violating section 1030 when he emailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company email server by sending emails, that the access was unauthorized because the company didn’t want this information distributed, and that the integrity of the system was impaired because lots more people (customers) now knew that the system was insecure. Despite the fact that this is obviously First Amendment protected speech, the trial court convicted and sentenced McDanel to 16 months in prison, which he served by the time the appeal was resolved. On appeal, the government realized it had done something wrong and voluntarily moved to vacate the conviction. It didn’t agree that McDanel didn’t violate the statute, but it argued that in order to convict, they would have had to show that McDanel distributed the information with the intent that a third party use it to breach the security of the messaging system. This isn’t in the statute, but is based on the government’s reading of First Amendment cases.

There’s a similar case in which the defendant was arraigned in Los Angeles on Friday. In this case, the defendant is a professional computer security expert who noticed that there was a problem with the way the University of Southern California had written its applicant web submission database program, and that problem allows an outsider to get ahold of applicants’ personal information, including social security numbers. For proof, the man copied a few of the personal records and anonymously sent them to a reporter, who notified the school. The school investigated and easily traced the testing back to the defendant. Defendant is said to have caused damage because the school had to spend $140K notifying people in the database that the database was insecure and someone might have accessed their records.

Security professionals are also afraid to use affirmative defense technology to protect their systems. There are tools that, if a computer is attacking you with a certain kind of worm or virus, will access that computer and install software to shut down the attack. This is unauthorized access. And, the attacking computer is most likely a zombie, an innocent person’s machine that is caught up in the worm attack.

In sum, the statutes are too broad, they interfere with computer security reporting, testing and self defense, and they don’t protect privacy.

The podcast of “Making a Revolution” is up!

Today is the 20th anniversary of Chernobyl. I was 16 when it happened, headed for college in the Fall. I took a part time summer job working for FPIRG. The job was advertised as fighting to stop nuclear power, but involved folding flyers into thirds for mailing. Today, most of what I know about Chernobyl is from the wonderful lady who does my eyebrows, who is from Ukraine, and from Martin Cruz Smith’s mystery novel, Wolves Eat Dogs. The paper this morning tells a similar story. A tragic occurrence caused by official ineptitude and lack of accountability, compounded by more government lies. Photographs were doctored to hide the radioactive glow. Scientists were forced into the dangerous zone, and contracted radiation poisoning. Most horribly, the government did not tell people about the incident. Instead, it allowed millions of Ukrainians to celebrate May Day outside in towns near the reactor, including Kiev, while radioactive particles floated through the air. A few days later, the government began to acknowledge that there was an accident, then that the accident was dangerous, then that people had died, then that more people would die. There are many legacies of Chernobyl. One that seems particularly worth remembering today is that a secretive government is a dangerous government.

Here’s my latest Wired News column: Making a Revolution. When the podcast is posted, hopefully later today, I’ll link to that.

On Thursday, I went to the oral argument before the Sixth Circuit Court of Appeal in California in the Apple v. Does case. Here’s a picture of the pro-journalist crew hanging in the hallway after the hearing.

granick.com rides again.

The transcript from the Copyright Office hearing at which I pressed for an exemption to section 1201(a) of the DMCA for cell phone unlocking is now available. For other transcripts, visit the Copyright Office site.

I’ll be interested to hear what people think about the hearing.

More information on the anti-circumvention provisions of the DMCA

People say there’s a trade-off between privacy and security. That implies that if we allow greater access to information about ourselves, the government will do a better job at keeping us safe. I believe this assertion is demonstrably false. The visit of China’s President Hu Jintao provides evidence for my claim.

The Chinese government is the target of vigorous protests by supporters of Falun Gong. The protests are suppressed in China, but not here. However, China asked that the U.S. do what it could to keep protestors away from Hu while he was visiting President Bush in Washington. Nonetheless, a reporter with Falun Gong’s newspaper was given a press pass to the welcoming ceremony for Hu. She started shouting during the event, and was eventually taken away. Reporters did a Nexis search which showed that, in 2001, the woman had applied for press credentials, been denied, but nonetheless slipped through a security cordon in Malta protecting former President Jiang and got into an argument with him.

The U.S. Government had all the information it needed to exclude the protestor. It had her name. It knew she was with the Falun Gong newspaper. And public newspaper articles showed that she had made a ruckus protesting Chinese officials within the past five years.

The problem isn’t lack of information. It’s what the government does with the information it has.

My granick.com email is down for the count. Please use the jgranick at earthlink.net email until it gets fixed.
