From the Department of Pots-Who-Call-the-Kettle-Black…

March 17, 2012

Last December, Secretary of State Clinton delivered a rousing speech to a Conference on Internet Freedom held at the Hague in which she hammered what has become a steady theme for her over the last couple of years:

The United States wants the internet to remain a space where economic, political, and social exchanges flourish. To do that, we need to protect people who exercise their rights online, and we also need to protect the internet itself from plans that would undermine its fundamental characteristics.

Sec. Clinton has used this high-ground sentiment to bash repressive regimes, from China to Iran– all good… as far as it goes.

But beyond noting that the focus on repression is painfully selective (e.g., no criticism of Saudi Arabia), the U.S. government is behaving in just the way that Mrs. Clinton condemns:  even as her rhetoric rings “freedom blue”– State and the rest of the government has pushed repressive treaties like ACTA and domestic legislation like SOPA and PIPA, any/all of which threaten free speech (and promise to retard innovation).

Now, as the dean of intelligence watchers, James Bamford, reports in Wired, our government is adding blanket surveillance into the mix:

…Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.

But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”…

Read the full article– and you should read the full article– here.

The fence is in great shape, but the cattle are starving…

May 27, 2011

via DailyKos; TotH to Jim Fallows (who gave TT an early venue back in the salad days of U.S. News and World Report)

As our mores are manipulated, and our freedoms pre-empted, by the War on Terror (and the related wars on Drugs, Piracy, et al.), the temperature in the pot is rising.  Consider, e.g., Daniel J. Solove’s recent essay “Why Privacy Matters Even if You Have ‘Nothing to Hide’” in The Chronicle of Higher Education (an excerpt from his new book, Nothing to Hide: The False Tradeoff Between Privacy and Security, Yale University Press).

The nothing-to-hide argument focuses on just one or two particular kinds of privacy problems—the disclosure of personal information or surveillance—while ignoring the others. It assumes a particular view about what privacy entails, to the exclusion of other perspectives.

It is important to distinguish here between two ways of justifying a national-security program that demands access to personal information. The first way is not to recognize a problem. This is how the nothing-to-hide argument works—it denies even the existence of a problem. The second is to acknowledge the problems but contend that the benefits of the program outweigh the privacy sacrifice. The first justification influences the second, because the low value given to privacy is based upon a narrow view of the problem. And the key misunderstanding is that the nothing-to-hide argument views privacy in this troublingly particular, partial way.

As Solove goes on to demonstrate, there are lots of reasons to fear the disappearance of our privacy, from the erosion of basic freedoms to the encroachment of commercial manipulation. And there are other, less direct but equally insidious results of the cloud of anxiety and fear that is forming– for example, the counterproductive xenophobia that’s blocking immigration reform.

But for the purposes of this post, I want to flag the simplest of the issues one might raise, the one that goes plainly and simply to cost.

Homeland Security is a big enterprise:  In 2010 the Department of Homeland Security had over 200,000 employees and spent over $56 billion; that was larger than the budgets of the Commerce, Labor and Interior Departments, plus the EPA, combined.  And of course, that doesn’t begin to describe the expense fully:  the Departments of Health and Human Services, Justice, and Energy all have significant Homeland Security responsibilities; the Defense Department has large “coordinated” expenses; corporations pay extra security and incur extra compliance costs, and states and municipalities are also on the hook.  All in, HSRC estimates, 2010 expense was close to $175 Billion.

And Homeland Security is a growth industry.  As the Economics Blog at Lawrence University observes (citing a George Washington University study, pdf here), in real terms (2005$), the Homeland Security budget has more than doubled since the 2000 “pre-9/11 base year,” accounting for more than 40% of U.S. regulatory spending and more than half the personnel as well.  By 2014, total Homeland Security expense is expected to top $200 Billion… over a quarter the (2010) size of Social Security or Defense spending; two-thirds the cost of Medicaid.

source

But while these mammoth numbers raise all kinds of immediate questions, both about how they’re being spent and about what other programs they’re preempting, the deeper concern is their longer-term implications.

Not surprisingly, educators and guidance counselors have taken note of the Security trend.  By 2005, over 80% of the community colleges in the U.S. offered preparatory curricula for Homeland Security work, as do the for-profits (Phoenix, Capella, et al.)– and the course offerings continue to grow…  even as, overall, reduced funding means fewer classes available in more traditional areas that prepare students for careers in health care, business, education or whatever else.  Indeed, high schools are beginning to institutionalize Homeland Security prep (e.g., here).  In a domestic economic environment in which unemployment has rocketed and stayed stubbornly high, Homeland Security has become a rare bright spot, a promising path to a job, a job with a future…

There’s a cautionary tale told in the Southwest: the story of a rancher so concerned with protecting his cattle from rustlers that he invested more and more in fencing… until he’d so diverted his resources that his powerfully-protected herd starved to death.  We in the U.S. are beginning to look all too much like that imprudent rancher, burning more and more of our resources in the overhead of protection… at the risk of starving the very things that we mean to protect.

I was aiming for my foot, but I seem to have shot myself in the thigh…

May 16, 2009

In news from the one of the more active fronts in the ever-astounding war over copyrights and intellectual property protection, this reminder from ReadWriteWeb of just how absurd things have become:

“Once This Hits 4chan, It’s Over:” RIAA/MPAA Privacy/Security Failure

Our good friends over at TechDirt discovered an interesting anomaly and enormous security hole in BayTSP‘s website today.

BayTSP, a Los Gatos, CA-based company, is best known for putting the cease-and-desist smackdown on peer-to-peer copyright violators. The site serves infringement information forms to offending parties on behalf of the copyright holders. Think of them as the online debt collectors of the BitTorrent universe, with all the information security risk that implies.

BayTSP’s process involved sending suspected copyright violators a URL to a “Web Infringement Response System.” These pages were online forms containing fields with infringement notice ID numbers, email addresses, IP addresses, DNS names, and URLs that would identify users by household or even by device.

If the information were secure, this might be fine. However, in some monumental lapse of judgement, the entire site was left open to search spiders and accordingly indexed by Google, allowing anyone with hackerish leanings ample opportunity to create all kinds of mischief.

A Google search for “‘infringement information’ site:baytsp.com” yields distressing results. Some of the pages have been removed, but you can still have a look at the cached versions:

Whoops!

Not only have the forms been online for Google and the waiting world to view; the forms could also be completed and submitted online by just about anyone.

More technically savvy tricksters could send infringement notices of their own. “And, on top of that,” the TechDirt blogger writes, “some have discovered that BayTSP’s site has some scripting vulnerabilities such that you could create a fake complaint and get people to, say, download malware or enter credit card data.”

Although this recent debacle is simply one more PR disaster for the media industries themselves, my first thoughts were echoed by TechDirt commenter Mechwarrior: “Once this hits 4chan, it’s over.”

(Lest the 4Chan reference be obscure, it’s the font-of-all-memes site the members of which recently manipulated Time‘s on-line poll asking users to name the “World’s Most Influential Person” so that “Moot,” 4chan’s reclusive founder, emerged as Number One…  see here and here.)

“‘But I don’t want to go among mad people,’ said Alice. ‘Oh, you can’t help that,’ said the cat. ‘We’re all mad here.’”

– Lewis Carroll