Recently in International Category

China's social credit and surveillance system

Great post by Stanley Lubman (Senior Fellow, Institute of East Asian Studies at Berkeley) that provides a consolidated view of reporting and insight on China's social credit platform compiled over the past year. 

Great long-form product from CRS detailing U.S. - EU privacy and data protection history, updates with Privacy Shield and GDPR, as well as forward looking considerations published on May 19, 2016.

Sony hack commentary

Vice has a great interview with Peter Singer. Singer makes some excellent points, especially when it comes to applying the word terrorism to the Sony Pictures hack.

The FBI's definition of terrorism is as follows:
18 U.S.C. § 2331 defines "international terrorism" and "domestic terrorism" for purposes of Chapter 113B of the Code, entitled "Terrorism":

"International terrorism" means activities with the following three characteristics:

  • Involve violent acts or acts dangerous to human life that violate federal or state law;
  • Appear to be intended (i) to intimidate or coerce a civilian population; (ii) to influence the policy of a government by intimidation or coercion; or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping; and
  • Occur primarily outside the territorial jurisdiction of the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate or seek asylum.*

Calling what happened to Sony terrorism cheapens the idea of terrorism for those who have suffered violence. The 132 children who were recently killed by the Taliban in Pakistan were victims of terrorism. Their families were victims of terrorism. What Sony is suffering from is embarrassment.

NB: Above, I am speaking solely of The Hack. Ensuing threats of violence from the Guardians of Peace certainly fall into the definition. But again, as Singer points out: is there capability to follow through with said threat?

Sony's label of "cyber terrorism" is being echoed by organizations like the MPAA who sent out this gem of a Press Release:
"The FBI's announcement that North Korea is responsible for the attack on Sony Pictures is confirmation of what we suspected to be the case: that cyber terrorists, bent on wreaking havoc, have violated a major company to steal personal information, company secrets and threaten the American public. It is a despicable, criminal act.

Disappointingly, that fact has been lost in a lot of the media coverage of this over the past few weeks. This situation is larger than a movie's release or the contents of someone's private emails. This is about the fact that criminals were able to hack in and steal what has now been identified as many times the volume of all of the printed material in the Library of Congress and threaten the livelihoods of thousands of Americans who work in the film and television industry, as well as the millions who simply choose to go to the movies. The Internet is a powerful force for good and it is deplorable that it is being used as a weapon not just by common criminals, but also, sophisticated cyber terrorists. We cannot allow that front to be opened again on American corporations or the American people" [emphasis added].
Which is it? Terrorists or criminals? These are dangerous waters being waded into in describing the hack. 

Was Sony at fault for this?
An acquaintance recently summed up some philosophical nuances: "...there is an important moral difference between 'creating a situation with a predictable effect they should have foreseen' and 'asking for it' or 'inviting it.' The latter phrases mitigate the immorality of the attackers, as if it makes it less wrong to do something predictably wrong. If you 'invite' or 'ask for' something you are condoning it. If you just stupidly leave yourself open to it, you are responsible for being stupid, but not for the wrong act that results."

DPRK (official according to FBI) is 100% at fault for the morality of their actions, i.e. that they were wrong. Sony is the victim. 

Now, let's talk about the responsibility Sony had.

Sony had a responsibility to their employees and shareholders to protect their personal and intellectual property. They had a responsibility to identify, understand, and operate within their threat environment. Sony failed to uphold that responsibility in an epic and very public fashion. Sony has not acknowledged this failure. "Being a victim is more palatable than having to recognize the intrinsic contradictions of one's own governing philosophy." -- Tom Clancy, The Hunt for Red October

Sony has chosen a response I certainly would not have advised had I been standing in their incident response room. Singer calls this the 'lose our shit' mentality, "[t]he reality is we can either choose a 'lose our shit' mentality, or we can choose a mentality that is far more successful, which is focusing on resilience." 

Perhaps Sony can stop losing their shit and focus on resilience.

EU Data Breach update

EU Commission Regulation No 611/2013 (PDF) outlines measures applicable to data breach notification under the amended 2009 EU e-Privacy Directive 2002/58/EC (PDF) of the European Parliament and of the Council on privacy and electronic communications.

Prepare for Google's Privacy Policy Shift

On Thursday, March 1st, Google's new unified privacy policy goes into effect. Previously, all Google services maintained separate silos of data operating under separate privacy policies. This is no longer the case. Google is now unifying its data and, ultimately, building rich stores of data about you. Below are a few actions you can take to mitigate the amount and type of data Google will have access to after the policy change goes into effect.

1. Do not perform Google Searches while signed into your account.

This is the simplest way to ensure Google does not capture search history associated with your user ID/profile. As an alternative, keep your Google account signed in on one browser (e.g. Firefox) and use another browser operating under privacy protection mode (e.g. Chrome's Incognito Mode) to conduct searches. This is not foolproof -- Google can certainly be smart enough to identify signed-in sessions and non-signed-in sessions originating from the same IP address... but it's a start.

Please note all steps below assume you are signed into your Google account

2. Remove your Google History

If this is already disabled, you will see two buttons that read "No Thanks" and "Enabled Web History". Simply click "No thanks" and pat yourself on the back for being smart about your search privacy.

If web history is enabled:
  • Click the button that says "View History"
  • Click "Remove All Web History"

Doing this automatically stops the future collection of web history. If you ever wish to resume history collection, simply click the "Resume" button.

3. Remove your YouTube History

  • Click on "YouTube" in the toolbar at the top of the page
  • On the right of the page, click your username and select "Video Manager"
  • On the left side of the page, click the "History" button
  • Click the "Clear Viewing History" button, confirm your choice when the pop-up displays
  • Refresh the page/click the "History" button again
  • Finally, click "Pause Viewing History"

4. Disable Google Chat/Talk History

  • In Gmail, click on the cog/wheel in the upper right corner
  • Click Mail Settings
  • Click Chat
  • Ensure "Never save chat" history is enabled

5. Remove old e-mail from Google

Navigate to and look at the date on the e-mails, these are the oldest e-mails stored in your Google Account. Take a walk through memory lane... Scary, huh?

To remove these e-mails from Google Servers:
  • Click the cog/wheel in the upper right corner of Gmail
  • Select "Mail Settings"
  • Select "Forwarding and POP/IMAP"
  • Click "Enable IMAP"
  • Download a mail client such as Thunderbird, Outlook, Apple Mail, etc
  • Follow directions to set up the mail client:
    • Using the mail client, create a local email storage file, such as an Outlook PST or a Thunderbird local folder
    • Download all e-mails from Google to your local storage
    • Delete all e-mails from Google
    • Repeat this every month, ensuring only the last six months of e-mail stay on Google's Servers
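The monthly routine above can also be scripted. The following is an added example, not part of the original post: it downloads everything older than roughly six months into a local mbox file and only then deletes it on the server. The function names, the `mail-archive.mbox` path and the `IMAP_HOST`/`IMAP_USER`/`IMAP_PASSWORD` environment variables are assumptions made for the illustration.

```python
import imaplib
import mailbox
import os
from datetime import date, timedelta

# IMAP search dates use English month abbreviations regardless of locale.
_MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def imap_cutoff(today, keep_days=183):
    """Return the IMAP date string for 'today minus roughly six months'."""
    d = today - timedelta(days=keep_days)
    return f"{d.day:02d}-{_MONTHS[d.month - 1]}-{d.year}"


def archive_then_delete(conn, mbox_path, cutoff, folder="INBOX"):
    """Save every message dated before `cutoff` to a local mbox, then delete
    those messages on the server. `conn` is an authenticated imaplib
    connection. Returns the number of messages archived and deleted."""
    typ, _ = conn.select(folder)
    if typ != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    # UIDs stay valid even if the server expunges as soon as a flag is set.
    typ, data = conn.uid("SEARCH", "BEFORE", cutoff)
    if typ != "OK":
        raise RuntimeError("search failed")
    uids = data[0].split() if data and data[0] else []
    saved = []
    box = mailbox.mbox(mbox_path)
    try:
        for uid in uids:
            typ, parts = conn.uid("FETCH", uid, "(RFC822)")
            if typ != "OK" or not parts or not isinstance(parts[0], tuple):
                continue  # not downloaded, so it stays on the server
            box.add(parts[0][1])  # raw RFC 822 bytes of the message
            saved.append(uid.decode("ascii"))
        box.flush()  # the local copy is on disk before anything is deleted
    finally:
        box.close()
    if saved:
        conn.uid("STORE", ",".join(saved), "+FLAGS", "(\\Deleted)")
        conn.expunge()
    return len(saved)


if __name__ == "__main__":
    # Assumed environment variables (hypothetical names for this example).
    conn = imaplib.IMAP4_SSL(os.environ["IMAP_HOST"])
    conn.login(os.environ["IMAP_USER"], os.environ["IMAP_PASSWORD"])
    try:
        count = archive_then_delete(
            conn, "mail-archive.mbox", imap_cutoff(date.today())
        )
        print(f"archived and deleted {count} message(s)")
    finally:
        conn.logout()
```

Depending on the provider's IMAP settings, an expunged message may be archived or moved to a trash folder rather than erased, so confirm the server-side result after the first run.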

6. Android Phone - Web Browser

  • Open your Web Browser
  • Click the Menu Key on your phone
  • Select "More"
  • Select "Settings"
  • Clear your history, cache, and location access.
  • Suggest disabling "Enabled location" to prevent future websites from accessing your location.

Security Best Practices for your Google Account

While not related to the impending privacy changes, the following steps cover two important functions to enable on your Google account.

7. Google Mail Connection

  • In the Gmail settings, click on the "General" settings tab
  • Ensure "Browser Connection" has "Always use https" enabled

8. 2-Step verification

2-Step verification is similar to what major banking websites are now using. This service provides stronger security protection on your account. The process is very simple: Once activated, you will need to verify the device(s) you frequently sign into your Google account from. Your home computer, your work computer, your iPad, etc. To do this, Google will send you an SMS text message with a unique code. You will be required to enter both your password and this code to verify the device you are signing into Google with. This will prevent people from accessing your account from unauthorized devices/computers.

To enable:

A Stuxnet Primer

A fantastic video out of Australia (again...they are good at this) that is a great primer on the Stuxnet virus.

Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.

Hello and welcome to day 2 of CFP 2011. Work got in the way this morning and I was forced to watch the morning sessions via webcast while multitasking at the office -- so no blog of the first few sessions. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf

Please note: Live blogging is both for me and you.  These are my notes from the conference.  Nothing should be taken as a direct quote.  These are living posts.  Edits will be made.

Technology Behind the Challenge to Locational Privacy

  • Topic One: Geolocation: Risks and Rewards
    James Kasprzak: Professor of Systems Management, National Defense University;
    James Churbuck: Assistant Professor of Systems Management, National Defense University

    An overview of Geolocation, including its history and technology, and the policy implications for privacy and information assurance. Various types of geolocation technologies are covered, from GPS to cell phone apps. Each topic will be illustrated and presented to the audience for comment and analysis. The session will be wrapped up with some consideration of trends in geolocation, some predictions for the future, and suggestions for the preservation of privacy. 60 minutes.
  • Topic Two: Privacy for Mobile Users: Laptops, Location-Based Services and Location-Sharing
    Janne Lindqvist: Carnegie Mellon University

    What kind of information leaks about you every time you open your laptop, even before you have had the chance to do anything with your computer? What kinds of privacy risks are there in using location-based services? Why do people check-in on foursquare despite the numerous research reports of concerns about location-sharing technologies? In this tutorial, we discuss privacy problems and solutions with laptops, location-based services and location-sharing systems. 30 minutes.
JK -- Wants to discuss the technology of geolocation and what their limits are. Overview of GPS -- a military system that is a remnant of the cold war. It was intended to provide nuclear ballistic missile guidance and to provide nuclear launch detection capability. In its free time, it provides access for civilian applications through a separate channel. The military designed the civilian application to be fuzzy, up to 100m; however, geeks have hacked away and used terrestrial fixed position items such as a radio station antenna to provide clearer pinpointing, up to 3in. It cost 1.5B to put the first set of GPS satellites. There are other methods of precise location -- including cell tower, wifi, rfid, and transaction points (POS sale, i.e. Giant). Combined with GPS, this can provide great location info. FCC regulated that all cell phones must have GPS capacity; now we have thousands of terminals accessing GPS and communicating across the cell/wifi network channels. Explained the difference between passive and active RFID. Used an example of the Operation Desert Sabre and the "Hail Mary" maneuver as the power of GPS and military applications. New civilian applications of GPS: Flash Crowds, Geotourism, Location Art [He actually gave a nod to William Gibson's Spook Country too!], Augmented Reality, Personal Location Services, etc. Points to IPv6 as tipping point for the future of geolocation services as *everything* would be addressable.

JC -- Discussed background as a naval aviator and how important it was to know where you were. Fun historical fact: in the British Royal Navy only officers were taught how to navigate, in order to prevent mutiny. Provided an overview of software like MobileME and its practical uses (monitoring his son). Then we watched a 4square ad...Then Please Rob Me...[TomTom and Dutch police...Sunshine on Apple/Google GPS/Wifi data collection...[all the old examples...]

JL -- Identifiers and Protocol stacks...used a picture of fruit covered layered cake as a visualization of the stack. Fruit = application; bottom of layer cake = MAC address. Threats: ID device/user, location tracking, etc. MAC Address 48 bits, hexadecimal format, i.e. aa:1a:1b:2b:3a:4a. Tracking mitigation: change MAC address every time you log into an access point [brilliant!]. MAC address is an explicit identifier. Implicit identifiers such as SSIDs. Devices cache these SSIDs to provide faster network connectivity. The set of cached network names is a privacy risk as it will produce a unique identifier for an individual as they move between access points. Services such as exploit SSID and GPS. Mitigation strategies? Reduce number of probes. Don't cache. JL produced a paper (PDF) and solution to re-use crypto in WiFi for privacy-preserving access-point discovery. [Great presentation!] JL has a website specifically for this conference that provides a tutorial on WiFi and location based services:
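To make the explicit/implicit identifier point concrete, here is an added example (not from the talk or the original post) that scores constructed probe-request sightings: every device changes its MAC each time, yet the set of cached SSIDs still ties the sightings together until directed probes stop. All device names, MACs, SSIDs and function names are made up for the illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (true device, MAC seen on air, SSIDs in its probes).
# The device column is ground truth for scoring only; an observer never sees it.
# Every device uses a fresh MAC at each sighting, the mitigation noted above.
SIGHTINGS = [
    ("laptop-A", "02:7c:11:90:aa:01", {"HomeNet-A", "CoffeeCorner", "Uni-Guest"}),
    ("laptop-A", "02:e3:54:0b:19:fe", {"Uni-Guest", "HomeNet-A", "CoffeeCorner"}),
    ("phone-B", "02:44:9a:c0:12:77", {"CoffeeCorner", "Airport-Free"}),
    ("phone-B", "02:18:6d:f2:8b:30", {"CoffeeCorner", "Airport-Free"}),
    ("tablet-C", "02:5f:00:a1:c4:9d", {"Airport-Free", "CoffeeCorner"}),
    ("tablet-C", "02:0d:71:3e:66:b2", {"Airport-Free", "CoffeeCorner"}),
]


def fingerprint(ssids):
    """Order-independent digest of the SSID set carried in a device's probes."""
    canonical = "\n".join(sorted(ssids))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:12]


def group_by_fingerprint(sightings):
    """Map fingerprint -> the MACs and (ground-truth) devices that produced it."""
    groups = defaultdict(lambda: {"macs": set(), "devices": set()})
    for device, mac, ssids in sightings:
        group = groups[fingerprint(ssids)]
        group["macs"].add(mac)
        group["devices"].add(device)
    return dict(groups)


def linked_macs(sightings):
    """What is visible without ground truth: MACs that share one probe set."""
    return sorted(
        sorted(group["macs"])
        for group in group_by_fingerprint(sightings).values()
        if len(group["macs"]) > 1
    )


def anonymity_set_sizes(sightings):
    """For each device, how many devices share its probe set (1 = unique)."""
    sizes = {}
    for group in group_by_fingerprint(sightings).values():
        for device in group["devices"]:
            sizes[device] = len(group["devices"])
    return sizes


def without_directed_probes(sightings):
    """Model the 'don't cache / reduce probes' mitigation: no SSIDs are named."""
    return [(device, mac, set()) for device, mac, _ in sightings]


if __name__ == "__main__":
    print("before:", anonymity_set_sizes(SIGHTINGS))
    print("after: ", anonymity_set_sizes(without_directed_probes(SIGHTINGS)))
```

In this sample the laptop's three-network list is unique, so changing its MAC does not unlink its sightings, while the two devices that know only common networks hide behind each other.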

Keynote Address: Senator Patrick Leahy (D-VT)

Awesome twitter premonition... @Jim_Harper: Will Senator Leahy tell his #privacy joke about a reporter coming to his house in Vermont?... #cfpconf

Seven minutes later, he did.  First time I heard the joke but I'm guessing Jim has heard it many times before.

Senator Leahy delivered his remarks which were consistent with all other public remarks he has delivered.

Keynote Address: Bruce Schneier

Full Keynote available here:

Going to focus on Cybersecurity and the debate around it...Bruce went about discussing the language surrounding the cyber conflict -- for example, cyber katrina, cyber armageddon, declaring war on websites, etc.  Using very extreme terminology to convince the level of threat.

"Perhaps cyberwar is so easy kids can do it" ~discussing the conviction of the 22 year old in Tallinn.

"We don't know if this was state sponsored or kids playing politics"

In America we hate using the word 'war' when it's a real war, but we love using the word 'war' when it's not.

It's not that we're fighting a cyber war but are seeing war-like tactics used in cyber conflicts.

GhostNet -- very large, sophisticated, surveillance network. Assumption that China was behind it.

A lot of people who watch China see the hacking not as state sponsored but state ignored.

Stuxnet -- first military grade cyber weapon we've ever gotten our hands on. A lot of investigative reporting says that US and Israel were responsible.

Discussed Anonymous and LulzSec and the things they have pulled off.  For example, Anonymous telling NATO not to challenge them.

Right now on the internet, the attacker has the advantage.

The politics worries me more than the actual events.  We are in the early years of a cyber arms race. Lots of cyber war rhetoric. Lots of money being spent.  It has all the hallmarks and dangers of an arms race.

The idea of war changes the debate and changes the solution space.  Things we'd never agree to in peacetime we agree to when using the word 'war.'

Curtailing anonymity on the net is directly dependent on whether we are at war or at peace.

Worries about US military commandeering private assets like major US backbones to mount cyber-attacks

[Great presentation by Bruce.  Good delivery, analysis, and wit.  Going to go ahead and say best one of the conference so far.]

The Privacy Profession -- Corporate Apologists, or Agents of Positive Change?

Moderator: Trevor Hughes: President and CEO, International Association of Privacy Professionals (IAPP)
Mary Ellen Callahan: Chief Privacy Officer, Department of Homeland Security (Deputy CPO John Kropf filling in)
Nuala O'Connor Kelly: Senior Counsel and Information Governance & Chief Privacy Leader, General Electric (Filling in for Trevor)
Jonathan Cantor: Chief Privacy Officer / Director of Open Government, Department of Commerce
Doug Miller - Privacy @ AOL

Panelists introduced their backgrounds and path to privacy. Everyone's story was similar, no one chose privacy.

Quoting a tweet from Ian Glazer, "Most CPOs I meet all have the same back story, quoting Tom Waits, "they all start out w/ bad directions" & up in privacy."

Interesting convo here...nothing really to write about...lots of experience stories for government and corporate CPOs.

Jonathan Cantor working NSTIC issues at Commerce along with many other issues that DoC is taking a position on.  Sounds like a great place and great time to be involved with privacy there.

Privacy is not just a legal or IT issue, it's a larger human rights issue.  People who do privacy are in a great position to lead those conversations.

Hello and welcome to day 2 of CFP 2011. Thanks to the glorious DC Metro system, I arrived 30 minutes late and missed the keynote speech. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf


Keynote Address: Mona Eltahawy

Missed it...*shakes fist at metro system*

Cybersecurity Beyond the Kill Switch: Government Powers and Cybersecurity Policy

Panel organized by Joshua Gruenspecht: Cybersecurity Fellow, Center for Democracy and Technology.
Moderator: Greg Nojeim: Senior Counsel and Director of Project on Freedom, Security and Technology, Center for Democracy and Technology
Liesyl Franz: Vice President for Cybersecurity and Global Public Policy, TechAmerica (Industry Perspective)
Susan Morgan: Executive Director, Global Network Initiative (US Implications of tech policies)
Micah Sherr: Assistant Professor of Computer Science, Georgetown University (PETs, Surveillance, etc)
Michael Seeds: Legislative Director, Representative Mac Thornberry

GN - introduced the panel topics and put an emphasis on getting *away* from the idea of a kill switch. LF will provide industry perspective. SM will provide a review of the international implications of US tech policies and what foreign governments are doing within the US. MS will discuss PET, surveillance technology, and more.  Lastly, MSeeds will discuss Congressional actions.

LF - TechAmerica is an industry trade association. Briefly touching on the kill switch idea, LF stated that given the design of our infrastructure she thought the idea of a kill switch was not feasible. [Not necessarily true, if a few peering locations went dark at the same time it would be fairly effective (though not totally) in shutting off the internet]. Wants information exchange to be bolstered for industry to government sharing, and to ensure there is no retribution for sharing cyber attack information. Don't restrict companies or the internet in a way that constrains flexibility & dynamism. [Agreed. If we kill innovation, we kill the internet and the tech landscape in many ways]

MS -- Claimed Token Nerd status on the panel. Kill Switch: isolating a network is very difficult. With the way our networks are designed, there are too many access points to simply "pull a plug."  Following a checklist does not provide true security [Compliance is not security!  Amen.] Discussed how most attacks are hidden and obfuscated through the use of botnets and multiple attack locations.  Also discussed that packet filtering and analysis is problematic because the packets may contain PII. [Yes, this is true.  However, with automated tools and filters a lot of the PII can simply be ignored.  You can also use signatures and heuristics based analysis]. How can we share information safely between industry and government?  Use signatures, heuristics, and malware patterns [! hah].  Computer science as a discipline isn't advanced enough to collect data the way the govt wants it to. Micah would like to triple the investment in academic research on cybersecurity and computer science [Amen].

SM -- Businesses need to understand their role in the protection of human rights.  Professor John Ruggie developed the Protect Respect and Remedy framework (PDF).  The Framework has been incorporated into the OECD guidelines. Looking at the role of business, industry, state in human rights.  Freedom of expression online and the roles of business in that.

MSeeds -- Where the House is in developing Cybersecurity legislation....Thornberry is looking at multiple buckets.  Including new legislation, updating current legislation, and looking at tools we have to protect our current critical infrastructure. ...More legislation updates that weren't new...Mentioned the Defense Industrial base (DIB) project where the DoD/NSA is sharing classified signatures with ISPs and major telecoms.

GN -- for the DIB project, what is the flowback to the government after they share those classified signatures?  For example, the DoD/NSA could easily say "watch out for this signature" but what the signature could be doing is watching out for one person. I would be very concerned about the flow back to the government.  Susan -- a foreign govt says to a provider of a secure communication system that we want you to design the system in this way because that would allow us to more easily wiretap within the confines of our laws. Is there any principle that a company could rely on to resist that?

SM -- In terms of principles that GNI has created within the last few years....something a company could do is look at these principles and say "we signed up for these principles, we can't fulfill your request." [But facing the loss of a huge government contract would a company really hold on to those principles or acquiesce to the request?]

GN -- question about sharing data in private manner

MS -- From a security standpoint, what you're looking at and interested in may be one packet out of a trillion.  What we need to research is how to publish data about attacks while filtering out PII that may not be relevant or substantive to an investigation.  Dorothy Denning did research on this in the 80s at Georgetown.  There have been notable failures when sharing data...for example AOL's release of supposedly anonymized data.  [See I Love Alaska for a video based on the AOL search logs.]

Question from the audience about Deep packet Inspection (DPI)

MS -- As an internet user and a security researcher, I am not a big fan of DPI. We need to build something that doesn't have such a huge false positive rate...

GN -- Follow up: if I am a Verizon or AT&T providing huge bandwidths aren't I doing DPI to find those signatures?

MS -- Depends on the size of the pipe and processing power.

Question from audience about the next generation of internet. The current architecture is very client-server with the client side having as much power as it does would it be possible to create networks where the information resides on the client devices?

MS -- There need to be Confidentiality, Integrity, and Availability controls in place to protect data put in the cloud.  And they are in place.  We could do the same on the client side but these cloud services work...[and the controls are centralized and implemented uniformly vs. potential disparate implementations on client side]

Question from audience about international reciprocity of filtering and the efficacy of filtering.

MS -- Filtering systems are not effective for individuals who really want to get around them. Law Enforcement is also not great at this either.  Cited an example of DHS accidentally shutting down 84k websites by taking down FreeDNS as part of a larger child porn takedown.

LF - GNI assessments of member co's planned for Q1 2012, results will show effectiveness.

Question from audience about data breach notification law...we have laws that protect consumers from identity theft, etc.  Is there any consideration being given to laws that would extend reporting time to advanced threat investigations?  Even if PII is only one or two percent of the compromised information.

MSeeds -- There is consideration into that. There is a markup session on Mary Bono Mack's breach bill.

GN -- There are specific sections in the Leahy bill and the Whitehouse proposal that speak to Law enforcement and intelligence activities.



Good morning from CFP 2011. I will be live blogging to the best of my ability today to provide those unable to attend a small window into the conference.  Be sure to check the CFP media page for pictures, video, and more. The Twitter Hashtag for this conference is #CFPConf


Keynote Address
Cameron Kerry: General Counsel, Department of Commerce and privacy leader within the Obama administration:

Cameron Kerry discussed the information economy being built. How data has been used for both good -- economic opportunity and social and political change -- but acknowledged the risks associated with this increased data flow.  Touched on the administration's Comprehensive International Strategy for Cyberspace (PDF) to build out a cyberspace and internet environment that expands trust and the economy while denying criminals and terrorists the ability to exploit that info.

Discussed legislative draft that had uniform breach reporting requirements to consolidate 46 state laws. The Administration's proposal would impose a new federal obligation on any business entity--with exemptions for certain health-care entities--in possession of personally identifiable information on more than 10,000 individuals to provide prompt notice to affected individuals about security breaches of certain personal data. See:

Kerry touched on NSTIC, encouraging and facilitating a more secure internet.  Green papers on commercial data privacy, free flow of info for businesses, and more.  Commerce green paper series seek comment from individuals and industry to ensure they are capturing needs and way forward that is good for business. 

Commerce released a Cyber Security green paper last week with the goal of responding to threats while remaining dynamic and innovative:

Discussed recent breaches and the need to protect industries.  Highlighted Sony data breach and recent breaches targeting economic data flows (IMF, world bank, etc).  Mentioned attacks at Westboro Baptist Church, PBS, etc. He discussed the sophisticated attacks on RSA and subsequent downstream attacks at Lockheed Martin.

Discussed Department of Commerce's creation of a privacy officer position in response to data breaches internal and external to the agency.

In March, the DoC announced support of a Consumer Bill of Rights.  Based on Fair Information Practice Principles.  Commerce's policy will flesh out what those principles will be.  They will not be a departure from the HEW principles or OECD but, rather, seeking to adapt them to the interactive and interconnected world of today.

What will it mean to do business under this dynamic privacy framework?  Privacy policies and notice of choice will still be fundamental building blocks.  Everyone recognizes that notice and choice by itself is not enough.  Everyone here is deeply concerned about data privacy --Kerry polled the crowd to ask who read privacy policies for personal use (not for work).  The crowd barely made a sound. 

Businesses must enter into a new partnership not defined by static privacy policies...but into a dynamic privacy framework that characterizes the regulatory approach and how the businesses deal with their customers and customer data.

Businesses need to enter into a conversation with their customers that will enable their customers to make appropriate trade offs on the use of their privacy through active choices and not through a one time click.  One example is the Just in Time approach.  These need to be contextualized so that they don't lose their functionality.

Mentioned Do Not Track and Privacy by Design.

We are entering a "Darker Scenario" -- breaches and risks and undermining the free flow of information.  As we move to a cloud computing world, the research shows that the barrier to entry is confidence in security and privacy.  It harkens back to the days of e-commerce.  But today if the CC companies themselves can't keep info secure, if the gatekeepers to the system can't keep it secure (heartland data payment systems).  The response can't wait for legislation or regulation, it must begin yesterday.  What course the internet takes is in the hands of all stakeholders.  We can't afford to let this moment pass...the future is now.