
Archive for the ‘Privacy / Anonymity’ Category

Obama’s blackberry and the lack of ephemeral conversations today

November 29th, 2008, by Clear2Go

Another well-written article on the lack of privacy in the digital world and on how conversations are no longer ephemeral, with excellent referenced examples, entitled “Why Obama Should Keep His Blackberry – but won’t”. Personally I find it quite amazing what people use and transmit via e-mail, SMS messages and IM conversations. Add to that the explosion of wireless devices that do all this, and people (myself included) are not careful enough. The article is by security technologist Bruce Schneier.


Google Flu Trends

November 17th, 2008, by Clear2Go

I wrote about Google Flu Trends the other day. Yesterday, I came across this article discussing whether there is a privacy risk with Google Flu Trends, and made a note that I was going to comment on the article. Lauren Weinstein has written a pretty good commentary on the article and I pretty much agree with what he has written.

Google Flu Trends is a result of taking individual personal data and aggregating it. This has the advantage of anonymizing the data as well as providing another tool in the toolbox of mechanisms to track flu outbreaks. This trending could be applied to many other concepts with similar results. I and others like me have done this type of analysis for our clients for years now. While I applaud people that monitor privacy violations, attaching privacy violations to this data is incorrect. Privacy concerns should be attached to the methods that Google and others use to track and store data. One example is associating IP addresses with search terms and unique cookies and keeping that data for extended periods of time. Google and other search sites, along with social sites such as Facebook, all track detailed data. Facebook, for example, tracks every profile you look at, including date and time, by IP and unique ID. This data can be obtained by interested parties. This is where privacy advocates should be focused.


Skype has a backdoor

July 25th, 2008, by Clear2Go

An article expressing concern that Skype has a backdoor. There may or may not be a backdoor. Regardless, it is important that everyone who uses Skype assume there is a backdoor. Why? The client they produce is closed source, so the code is not reviewed independently of the company. The protocol they use is encrypted and closed source as well. This protocol is not reviewed by anyone outside the company. The authentication servers are completely under their control. The entire functionality of the Skype system, the clients, servers, data routing and data encryption, is all under their control, not yours.

Assuming the above is true, let’s pretend that Skype has inserted a backdoor. Why would they do this? There are several reasons. Testing is the first one that comes to mind. A new version of the client is being developed and the ability to test and analyze for any issues is necessary. A backdoor permits developers and testers to capture calls to check for problems, call quality and anything else that would be necessary to diagnose. Maybe the country where the head office is located requires all VoIP providers to have the ability to intercept VoIP calls. If they wish to do business in this country they have no choice but to comply. I have consulted for companies where the government requires that Skype be blocked because it cannot be intercepted. If Skype wishes to get a presence in these countries it makes sense for it to comply.

If Skype adds interception and monitoring capabilities, and they are competing with other VoIP vendors for market share, it may not make good business sense for them to announce this publicly, especially if they have no legal reason to do so.

This problem is not Skype specific. As more and more online services such as Gmail, Google Docs, CRM vendors, backup vendors and others (this list is not exhaustive and it will grow) stop offering systems to purchase and instead offer a ‘service’ where your data is in their possession, this is a risk. Companies need to assess this risk. If you choose to put confidential client information on Google Docs, or use Gmail for confidential e-mail, you should always assume that someone at Google has the ability, or can create the ability, to extract the data if necessary. The company may state that they will not do this, but if they are ordered to by government or law enforcement, or they have a ‘bad’ employee that is willing to do it, then you are out of luck.

A perfect example of this happening in the past is with Hushmail. The news article is here. Hushmail was considered a free e-mail service that was ‘secure’. They originally sold themselves as using encryption where only you had the password to unlock the data. They stated that even Hushmail and its employees could not unlock the data without your passphrase. Then one day, ‘surprise’, they provided a bunch of CDs containing unencrypted e-mails of a Hushmail account to officials when requested. If you think about it, the ability to do this makes complete sense. They offered a Java program where an individual would type in their passphrase, which would unlock the encryption key stored on the Hushmail server and permit the Java program to decrypt the stored e-mail and display it in clear text. It would be trivial to write the code to include a ‘switch’ on an account that would send a copy of the passphrase to Hushmail when the user keyed it in. Now the Hushmail servers hold both the encrypted secret key and the passphrase to decrypt it. Using this key, they can decrypt all your e-mail stored on the servers and do with it as required.

Whenever a company chooses to store its data off site, or use programs or services from third parties that control the source code and/or the associated services, there is a risk of data being lost or ending up in unintended hands. This is a business risk that needs to be evaluated in each case. These types of issues will only increase as more and more services are offered over the Internet.

Monitoring E-Mail

June 5th, 2008, by Clear2Go

Today on CBC Search Engine, there was a discussion about companies that read employee e-mail, why companies read e-mail, and the fact that many have a manual process for accomplishing this task. The company that was interviewed by Search Engine was Proofpoint. They make several automated solutions for monitoring e-mail. One of the comments made was that they can monitor e-mail sent via Hyper Text Transfer Protocol (HTTP), that is, web-based e-mail such as Gmail, Hotmail or other web-based mail services. This is all true and very possible.

What I find amusing is that there are so many simple ways to smuggle information out of a company that monitoring e-mail seems to be a waste of time and money. One could copy the information to a laptop and download it to a computer at home. Copy the information to a USB key, CD or DVD and take it home. One could print the information out on paper (since most companies don’t monitor what is printed). None of these methods require expensive or complicated technology. If I wanted to get information out of the office and I even suspected that e-mail, IM or other transmissions were being monitored, these ways are the simplest and the least likely to arouse suspicion. Unless a company plans to manually search you and your belongings every time you enter or exit the building, including checks of laptops, USB keys and other media, I don’t see the point of investing in technology to monitor e-mail.

Proofpoint stated that their product is often used to watch for employees spending too much time on personal versus work-related issues. I suppose this is a valid use, but personally I don’t manage that way and I doubt I would ever work for a company that did manage that way. If people are getting their work done then I’m not going to worry if they send personal e-mail, surf the web or decide to take an extra 10 minutes at lunch. I believe it is important that you can trust your employees and that they feel a sense of responsibility towards their work. If this is missing then the company has bigger issues that monitoring e-mail or other flows of information will not solve.

The other concern I have with all this “monitoring” going on is that it will increase the adoption rate of encryption and other stealth technologies. Governments, businesses and law enforcement wanting to monitor people’s e-mail, web surfing, and files shared and downloaded will force software vendors and developers to add encryption and other forms of covert data transmission into their software more quickly. Most e-mail servers, for example, have encryption (TLS) support now. As encryption becomes more available in e-mail clients and is set to be the default mode of communication, the encryption will be transparent to the user. Encryption is something that law enforcement is running into more and more. It hampers their investigations. This is bad when you are actually trying to catch the bad people distributing drugs or child pornography. I picture an Internet where all communication is encrypted or obfuscated in different ways to avoid “monitoring.” What will we do then? Probably have discussions about key escrow, outlawing encryption, and other silly conversations we have had in the past that never worked.

Identity Theft and your SIN number

June 1st, 2008, by Clear2Go

In Canada most citizens will have a Social Insurance Number, commonly referred to as a SIN number. I recall getting mine when I was a teenager and was going to start working. Nowadays, you get one almost as soon as you are born. My daughter obtained one within months of her birth. I recall that because I was surprised, and for some reason I recall it was required. Of course, that immediately triggered thoughts of why they need to do this now. Tracking? More detailed history of people? These and other conspiracy thoughts went through my mind.

Here is an article about an individual in Ontario, Canada, who was the victim of identity theft through no fault of his own. The government, unable to properly secure sensitive information, allowed his identity to be stolen. In the article it is stated:

“I don’t want any money — not a dime,” he said. “I just want a new social insurance number so that I can disassociate myself from the fraud and start my life over again.”

Seman said he has been fighting for a new SIN number in writing, in person and on the telephone for five years, but hasn’t been able to get one.

“How hard can it be?” he said.

Unfortunately, very hard. This is a very difficult and expensive problem, and even trying to solve it will not guarantee a solution. Today, a SIN number is the one thing that connects you the most. Almost any form you send to the government will have your SIN number on it. This number will be linked with all medical information on procedures that you have had, doctors you have seen, and prescriptions you have been given. Financial corporations require it for financial transactions, bank accounts, mortgages, loans and stock trading. It is the key to your credit rating. Companies you work for require it so they can submit income and other financial information to the government. This one number links you throughout the government and throughout the medical and financial worlds, both in public and private databases and paper file systems. It really is a ‘key’ to finding out everything about you. And that is exactly how it is used.

In order to offer the ability to change your SIN number, the government would have to have a way to change every record in every database, both public and private. It would have to be able to change this number on forms and records that have been filled out and are not electronic. If any mistake is made, then information on you is effectively lost. For example, suppose you were rushed to a hospital unconscious from a car accident. From the identification on you, a driver’s license confirmed your identity, which led them to your SIN number. The SIN number permitted the hospital to pull your medical records. Now suppose you had your SIN number changed, and a medical facility where you had a major medical procedure a few years ago did not change the SIN number on its records. That information is now lost and is not available to the medical staff getting ready to treat you in the current emergency. One could argue that they can use name, birth date and other details to find the required information. Although this is somewhat true, it is not as guaranteed as a SIN number. The SIN number is the best assurance of the accuracy of the linking of the information. Is this a bad thing? Maybe or maybe not.

The risk of giving individuals the ability to have their SIN number changed is not worth the overall risk of government, law enforcement and anyone else looking to obtain details about you not being able to gather information, or missing information. That is why the solution is to give you negligible amounts of money and offer you free credit report checking. It is easier and much less risky. Currently the number of people that have their identity stolen versus those that don’t is small.

Of course identity theft will only increase and this problem will get worse. Eventually, they will be forced to deal with it on a global scale. I believe there are procedures to obtain a new SIN number, for witness protection programs and things of that nature, but these are very few scenarios involving few people, and they are manageable.

Today, the problem is expensive to solve, difficult to solve with no guarantee that information will not be lost, and it affects only a few people’s lives. The government’s response is unfortunate, but logical. Personally, I don’t agree with it, but until it gets more visibility, either by many more people being affected or a few very public people having their identities stolen, not much will happen beyond the preventative steps you see today.

Authorization on the Internet

May 30th, 2008, by Clear2Go

I recently read a post here and here by the EFF on laws that make it a criminal offense to simply access an e-mail server, or to test whether personal data of yours kept by a third party can be accessed by others. This led me to an article referred to in the first one with more detail on some of the cases (that article is here).

With respect to the Internet, the court needs to view ‘authorization’ in the same context as the expectation of privacy. When a person is sitting in their home, they have a certain expectation of privacy. They expect that covert cameras are not capturing pictures or movies of them and their family. They expect that their conversations, movements and actions are not being recorded. This expectation changes when a person leaves their home. Security cameras can and do record them walking down the street. An audio conversation between them and a store clerk could be recorded by store equipment (currently not likely, but I suspect it would be considered legal). This type of activity is expected and assumed. You cannot claim that a store you were in or the city you were in did not seek your permission to record you prior to being recorded. Privacy is not assumed in public.

In my opinion the same is true for systems on the Internet. If an entity places a mail server on the public Internet, then it is reasonable to expect that it will be connected to, both for reasons it was intended and reasons it was not. Ensuring that a mail server will only be used by individuals to route e-mail, or only routes e-mail that is ‘authorized’, is not the responsibility of individuals on the Internet. It is the responsibility of the owner of the server to ensure this. I send e-mail all the time, and I have no idea what servers are accepting and routing my e-mail to the appropriate destination (yes, I can figure these things out, but that is not the point). If an individual directly routes e-mail to a server that should not accept or route the e-mail, the company needs to configure their servers to not accept it. The company needs to configure their servers and networks so that they are not open to attack.

Similarly with a web server. Suppose someone is accessing a server that contains their personal medical information and they notice the URL in the browser is: https://medicalfiles.medi/userProfile.asp?id=1234. The user then changes the URL to https://medicalfiles.medi/userProfile.asp?id=1235 and suddenly they are viewing someone else’s profile information. That is completely the responsibility of the company that owns the server. The company chose to put the server on the public Internet. The company chose to develop, purchase, or otherwise use a particular application to allow private user information to be displayed. The company chose a set of methods to secure this information and ensure that only the authorized individuals could access specific information. With these choices comes a responsibility, and consequences for not living up to that responsibility.

Just as there is no expectation of privacy in public, there should be no expectation of proper or improper authorization for a server on the Internet. It is the owner’s responsibility to configure their servers and network devices correctly to enforce the authorization they desire, and failure to do so is their own fault and responsibility, period.
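The profile URL example above is an insecure direct object reference: the application authenticates the user but never checks that the id in the URL belongs to them. The following is an added illustration, not code from the post or from any real site; the profile store, the `clinician` role and the function names are constructed for the example. It shows the vulnerable handler beside a hardened one that ties the requested record to the session and logs refused cross-account reads so that id-guessing is visible in the audit trail.

```python
"""IDOR on userProfile.asp?id=...: vulnerable handler beside a hardened one.
Constructed sample data and hypothetical handler names (added example)."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed profile store: record id -> record; "owner" is the account name.
PROFILES = {
    1234: {"owner": "alice", "name": "Alice Example", "notes": "allergy: penicillin"},
    1235: {"owner": "bob", "name": "Bob Example", "notes": "procedure: knee surgery"},
}

@dataclass
class Session:
    user: str                          # authenticated account name
    roles: set = field(default_factory=set)   # e.g. {"clinician"} (assumed role)

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def requested_id(url: str) -> Optional[int]:
    """Extract ?id=... from the URL; None if absent or not an integer."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("id", [""])[0])
    except ValueError:
        return None

def vulnerable_profile(session: Session, url: str) -> Response:
    """The behaviour the post describes: a logged-in user who edits the id
    parameter is shown another person's record. Authentication only."""
    pid = requested_id(url)
    if pid is None or pid not in PROFILES:
        return Response(404)
    return Response(200, PROFILES[pid])

DENIED_LOG = []   # audit trail of refused cross-account reads (constructed)

def hardened_profile(session: Session, url: str) -> Response:
    """Authorization check: the record must belong to the session's user, or
    the user must hold the (assumed) clinician role. Anything else is refused
    and logged, so repeated id changes show up in the audit trail."""
    pid = requested_id(url)
    if pid is None or pid not in PROFILES:
        return Response(404)
    record = PROFILES[pid]
    if record["owner"] != session.user and "clinician" not in session.roles:
        DENIED_LOG.append((session.user, pid))
        return Response(403)
    return Response(200, record)

def demo():
    """Alice reads her own record, then edits the id to Bob's record."""
    alice = Session("alice")
    own = "https://medicalfiles.medi/userProfile.asp?id=1234"
    other = "https://medicalfiles.medi/userProfile.asp?id=1235"
    return (vulnerable_profile(alice, other).status,   # 200: leaks Bob's data
            hardened_profile(alice, own).status,       # 200: her own record
            hardened_profile(alice, other).status)     # 403: refused and logged

if __name__ == "__main__":
    print(demo())
```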


Framing someone by planting evidence

May 13th, 2008, by Clear2Go

I hope there is more evidence than what is in this story and I hope this evidence is really compelling. If the man is actually guilty of child pornography related offenses then I hope he is charged and convicted to the full extent of the law. I was driving into work and heard this story on the news and it got me thinking about how easy it would be to frame someone with child porn or other incriminating evidence and then just ‘tip’ off the police.

Presently, I am putting the finishing touches on an advanced security course geared toward service providers. Shortly, I will be running this course for a major service provider. In the course we do actual malware deployment and analysis. The malware used is reasonably up-to-date and can be found active on the Internet today. The malware is very easy to use. Much easier than it was even 2 years ago. In some cases the malware uses standard libraries designed to write malware that are available on the Internet. One of the malware samples used for this course includes the ability to write ‘plug-ins’, similar to how you can write a plug-in for a web browser such as Firefox.

I am confident that law enforcement will do a detailed investigation of the suspect’s computers in the story above. But I’d argue that today it is possible to get malicious code, pictures or any type of incriminating evidence onto a PC leaving minimal to no trace behind. I’d suggest that this has gotten easier over the years and will probably get easier in the future. I and others have worked with malware that never writes to storage, but stays resident in memory. Even if there is evidence left on the suspect system, does law enforcement do a detailed analysis for every complaint? I doubt they have the resources for that. For the sake of argument, let’s assume that they do have the resources to do a detailed investigation of every system. Let’s also assume that the investigation revealed that the evidence was planted externally and the owner had no knowledge of its existence and is innocent. Unfortunately it isn’t over for the owner when the investigation is concluded. There will be issues that will follow them for the rest of their lives. There will be the embarrassment of being suspected of a criminal act. The record of the arrest can make it difficult to travel in the future even if there is no conviction. And there will be the looks and suspicions of others always wondering “Was he really innocent, or did he just get lucky and is really guilty?”

Presentation on anonymous surfing and anonymous emailing

March 30th, 2008, by Clear2Go


I recently did a presentation on anonymous surfing and anonymous emailing for the High Technology Crime Investigation Association. HTCIA is a community whose goals are to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes and techniques relating to investigations and security in advanced technologies among its membership. The membership includes law enforcement, government and the private sector from different countries, including Canada and the United States.

One thing I found challenging when creating the presentation was the technical level to target. HTCIA membership includes individuals and groups from many different disciplines. Most members have different levels of knowledge and experience within any given discipline. With that in mind, I tried to create a presentation that would be beneficial to the majority of individuals.

A PPT compressed slideshow of the presentation is here. There is also a PDF that can be found here. I’d recommend the PPT slideshow over the PDF. Animation doesn’t show well in the PDF and as a result some of the slides are covered over with different layers of the animation.

Unseen connections: New ways that objects and people are linked.

January 23rd, 2008, by Clear2Go

A colleague of mine recently pointed me to a new show on CBC called Spark that started in the fall. All their shows are available via the web which is great.

I just finished the show Unseen connections: New ways that objects and people are linked. Great show. They discuss RFID tags, how they work, and examples of their uses today: casinos use them in chips to stop forgery, and they can be used in consumer products to store information such as the product lot number, when and where it was manufactured, and other information that can be extracted.

Smart homes were discussed. In the interview they said that until recently the obstacle to the adoption of smart homes has been compatibility. This has now been overcome by the Amigo Project, an open source project that is supported by most vendors. One of the issues currently being researched by this project is privacy. With your home all connected, privacy is naturally a big concern. Lots of information can be generated by a smart home and the devices in it: what you purchase, how often you cook, what you watch, what items you take with you, prescription information. This type of personal information is valuable and wanted by marketing and research firms. Privacy is becoming one of the hottest issues on the Internet, and it only makes sense that this issue is of even more concern in your home as it becomes more and more connected to the outside world. I look forward to the results of their research. Although a smart home is something that really intrigues me, I worry about both security and privacy. If my thermostat was connected to my smart home, for example, would it be possible for an external entity to keep tabs on what temperature I set my thermostat at? This doesn’t seem like a big deal, but it is one step towards government stepping in and legislating that everyone must keep their dwellings at x degrees for the sake of the nation, the betterment of the greater population, or something to that effect. You might think I am paranoid and spreading fear, but this was tried recently (although unsuccessfully).

Personally, I think any smart home should have an override for the home owner: a switch or detailed configuration screens where under no circumstances can data be extracted or removed without prior authorization — a default ‘deny’ on ingress and/or egress connections. No individual device should be able to override the master control of the house. Even the government should not be able to do it under any circumstance. On the positive side, the project is open source, so even if this is discovered to be possible, someone will patch it quickly.


Mobile phone tracking and law enforcement access

October 15th, 2007, by Clear2Go

Great article by Jennifer Granick on mobile phone tracking. We all know that service providers keep the location information in a database for each mobile phone as it moves from tower to tower. I am unaware of the retention time for this data, but it is probably safe to assume forever.

The article focuses on the requirements to legally obtain access to mobile location information. Unfortunately, it appears that it is getting easier, not harder. A simple showing of ‘relevance’ is now enough for law enforcement to request mobile location information. This is just one example of many that show the privacy laws in the United States being slowly eroded, undetected by the average person. Eventually one day the world will wake up and say “Wait a minute! What happened? We need to do something.” But by then I fear it will be too late.

This of course doesn’t apply to Canada yet, but that is only a matter of time.