9 Ways to Restrain the NSA

Keith Alexander

With U.S. Government surveillance being a hot news issue lately, several members of Congress have stepped up and started working on bills to place limits on NSA powers. Although these are admirable attempts, most proposals likely won’t have much effect on NSA operations. So of course I thought I’d propose some points that I think, at a minimum, any surveillance bill should cover.

1. No backdoors or deliberate weakening of security

The single most damaging aspect of recent NSA revelations is that they have deliberately weakened cryptography and caused companies to bypass their own security measures. If we can’t trust the security of our own products, everything falls apart. Although this has had the side-effect of causing the internet community to fill that void, we still need to trust basic foundations such as crypto algorithms.

Approaching a company to even suggest they weaken security should be a crime.

Related issue: the mass collection of 0-day exploits. I have mixed feelings on how to limit this, but we at least need limits. The fact is that government law enforcement and military organizations are sitting on tens of thousands of security flaws that put us all at risk. Rather than reporting these flaws to vendors to get them fixed and make us all secure, they set these flaws aside for years waiting for the opportunity to exploit them. There are many real threats we all face out there, and it is absurd to think that others can’t discover these same flaws to exploit us. By sitting on 0-days, our own government is treating us all as their personal cyberwar pawns.

2. Create rules for collection as well as searches

We saw how the NSA exploited semantics to get away with gathering personal records while not actually calling it a search. They got away with it once; we should never allow that excuse again. Any new laws should clearly define both searches and collection and impose strict rules on both.

3. Clear definition of national security

Since the Patriot Act, law enforcement agencies have stretched and abused the definitions of national security and terrorism so much that almost anything can fall under those terms. National security should only refer to imminent or credible domestic threats from foreign entities. Drug trafficking is not terrorism. Hacking a school computer is not terrorism. Copyright infringement is not terrorism.

4. No open-ended gag orders

Gag orders make sense for ongoing investigations or perhaps to protect techniques used in other investigations but there has to be a limit. Once an investigation is over, there is no valid reason to indefinitely prevent someone from revealing basic facts about court orders. That is, there’s no reason to hide this fact unless your investigations are perhaps stretching the laws.

5. No lying to Congress or the courts

It’s disconcerting that I would even need to say this, but giving false information to protect classified information should be a crime. The NSA can simply decline to answer certain questions, like everyone else does when it comes to sensitive information. Or there’s always the Fifth Amendment if the answer to a question would implicate them in a crime.

6. Indirect association is not justification

Including direct contacts in surveillance may be justified, but including friends of friends of friends is really pushing it and includes just about everyone. So there’s that.

7. No using loopholes

The NSA is not supposed to be spying on Americans, but they can legally spy on other countries. The same goes for other countries: they can spy on the US. If the NSA needs info on Americans, they can just go to their spying partners to bypass any legal restrictions. The definition of spying on Americans must therefore include obtaining information about Americans from spy partners.

And speaking of loopholes, many of the surveillance abuses we have seen recently are due to loopholes or creative interpretation of the laws. Allowing the Government to keep these interpretations secret is setting the system up for abuse. We need transparency for loopholes and creative interpretations.

8. No forcing companies to lie

Again, do I even have to say this? The NSA and FBI will ultimately destroy the credibility of US companies unless the law specifically states that people like Mark Zuckerberg can’t be made to come out and say they don’t give secret access to the US government.

9. Strong whistleblower immunity

We saw how self regulation, court supervision, and congressional oversight have overwhelmingly failed to protect us from law enforcement abuses. There is only one way to ensure compliance with laws: strong whistleblower protection. We need insiders to let us know when the NSA or other agencies make a habit of letting the rules slide.

Whistleblowers need non-governmental and anonymous third-party protection. We need to exempt these whistleblowers from prosecution and provide them legal yet powerful alternatives to going public. You’d think that even the NSA would prefer fighting this battle in a court over having to face leaks of highly confidential documents. In fact, I think that the only reason to oppose these laws is if you actually have something to hide. The NSA’s fear of transparency should be a blaring alarm that something is horribly wrong.

The NSA thinks that public response has been unfair and will severely limit their ability to protect us. What they don’t seem to understand is the reasons we have these limits in the first place. When the NSA can only focus on foreign threats, they have no interest in domestic law enforcement. Suspicionless spying is incompatible with domestic law enforcement and justice systems.

The greatest concern, however, is the unchecked executive and military power. The fact that there has been so much for Snowden to reveal demonstrates the level of abuse. Unfortunately, the capabilities are already in place so even legal limits are largely superficial and self-enforced. It would be trivial to ignore those laws in a national security emergency.

I cringe at the thought of becoming one of those people warning others to be afraid, but that is why we put limits on the government, so we know we don’t ever have to be afraid. We solve the little problems now so we don’t have to face the big problems later. We understand the need for surveillance, we just need to know when the cameras point at us.



Dear NSA, It’s Not Just About the Spying

This not only applies to the NSA, but to Congress and President Obama: You betrayed our trust. That’s why we are angry.

It’s not about spying and it’s not about having anything to hide. The fact is, my life is very boring and it’s kind of sad knowing how many terabytes of data might be stored of me complaining to the phone company about my phone bill or calling my wife to pick up an energy drink while she’s out. I can’t even imagine how many SMS messages are stored of my kids texting their friends 24 hours a day. Then there’s that endless flow of useless junk in my inbox.

And it’s not just me, it’s my boring life times 300 million other American lives. Just south of me there’s a million square feet ready to start storing all of that data. We’re not talking about petabytes, exabytes, or even zettabytes here, but yottabytes of data, a number so large there’s just no metaphor to help you comprehend it. I imagine this data center slowly filling up like a massive reservoir behind a newly built dam. A massive reservoir of 300 million lives, 75 million of those being under 18 years old. A million square feet, billions of dollars, eventually up to 200 megawatts of power, 60,000 tons of cooling equipment, and a carbon footprint greater than that of some entire countries.

Keep in mind that this is just their new data center. There are those existing data centers scattered across the country that are apparently running low on free disk space. Even that isn’t enough: the NSA has new, equally massive facilities coming online in Maryland and Texas as well.

So what have all these yottabytes of storage and exaflops of computing power bought us? Apparently we stopped literally dozens of terrorist attacks (I bet not letting fingernail clippers on airplanes also prevented dozens of attacks!). “Dozens of attacks”, it turns out, means around fifty, ten of which were domestic plots. But some members of Congress have even questioned that number.

When Congress introduced the Patriot Act, there were a number of privacy concerns, but we put our trust in the government to do what was right. We were hurt and angry after 9/11 and there was a national cry to stop these terrorists. We knew when the Patriot Act became law that we would be giving up some of our privacy but it was for the greater good. The government assured us that there were checks and balances to prevent abuse of these new powers.

The government, it turns out, lied to us. NSA officials such as James Clapper came right out and falsely told Congress that the NSA was not collecting data on Americans. Secret courts, secret interpretations of law, and the ability to accompany data requests with gag orders empowered the NSA to collect any data it wanted, all with the blessing of Congress. Sure, we already figured that the NSA spied on us, but we kept getting all those assurances that they weren’t.

When we elect government officials we try to not only find those people who represent our political views, but we also look for people with a certain amount of integrity. We want congressmen and presidents who we can trust. Much of President Obama’s original platform was based on changing how government worked by adding transparency, targeting government abuses of power, and encouraging whistleblowers who revealed government abuses. It sounded pretty convincing and enough people believed in him to elect him President, but now even some of his most ardent supporters feel he betrayed their trust.

We also trusted Congress with the billions of tax dollars they spent building the largest spying mechanism ever known to man. Billions of dollars spent on millions of hard disks spinning away recording my kids texting their friends about what a loser their Dad is.

Yes, it’s creepy knowing the NSA is always listening, and we don’t like that the government considers all of us the enemy. Yes, it’s a violation of our constitutional rights that they gather evidence on us before we have even considered committing a crime. But what really bothers us the most is the violation of trust. We gave you power and, albeit predictably, you overreached way beyond that power, crafting laws that prevented us from even questioning your abuses and aggressively pursuing those who do.

You can claim that these practices are legal, strictly monitored, and performed with court approval, but we just don’t believe you anymore. You no longer have any credibility, because humans are good at not trusting those who repeatedly lie to us. In fact, we want you to give us back control over what you do and how you spend our money. We don’t need your massive data collection to stop ten domestic terror attacks. In fact, we don’t even believe that this data collection is about protecting us from terrorists anyway; you can only use that excuse so much before we start seeing through it. Ultimately, it comes down to the same old power, greed, and corruption that we learned about in history class.

You betrayed our trust, so now you don’t get our trust. We don’t want new data centers; we want to cut back on your data collection free-for-all and even start shutting down existing data centers. We want to take away your massive and seemingly unlimited budgets. We want you to stop pre-collecting data so you can later take “the book off the shelf and opening it up and reading it.” We want to be able to limit what you can do in the name of national security, and we want Congress to roll back some of the overly permissive provisions of the Patriot Act. We want Congress to actually punish those who lie under oath and not let it slide just because they are the Director of National Intelligence. We want you to provide some form of protection for those whistleblowers who expose clear and possibly illegal abuses of power.

We don’t trust you anymore and we don’t know how far you are willing to go in the name of national security. You are laying a framework of abuse so vast that we fear it could someday become oppressive. We certainly don’t think you have our best interests in mind and we are seriously questioning the power (and petabytes of storage) the people have given you.

It’s time for us to speak now: we want our data back.


Now eBay Wants in on Password Patents

I wrote a couple of months ago about the many attempts to patent various methods of checking passwords. Now eBay wants in on the game with United States Patent Application 20120284783. Here’s their summary:

A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user’s previous password, to determine similarity between the two passwords.

Reading through the claims, this is by no means novel or innovative and there certainly is plenty of prior art for this. Want to help prevent yet another abuse of the patent system? You can post any evidence of prior art on this Ask Patents post.
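To make the claimed method concrete, here is an added illustration that is not eBay’s code, not the patent’s, and not from the original post: a scorer that does what the summary describes, decomposing a proposal into letter, digit and symbol components, scoring the transitions between them, penalising known words (including concatenations such as two words glued together), and classifying a new password against the previous one as a concatenation, insertion or replacement. The word list, transition weights and acceptance thresholds are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for the patent's "all known words"; a real deployment
# would load a full dictionary plus a breach-derived word list.
KNOWN_WORDS = {"password", "summer", "dragon", "monkey", "letmein", "welcome"}

# A "basic component" here is a maximal run of one character class.
COMPONENT_RE = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def decompose(password):
    """Split a password into runs of letters, digits and symbols."""
    return COMPONENT_RE.findall(password)


def component_kind(component):
    if component.isalpha():
        return "alpha"
    if component.isdigit():
        return "digit"
    return "symbol"


def transition_score(components):
    """Score class changes between adjacent components; a change into or
    out of symbols counts double (assumed weight) since it is rarer."""
    kinds = [component_kind(c) for c in components]
    return sum(2 if "symbol" in (a, b) else 1 for a, b in zip(kinds, kinds[1:]))


def segment_known_words(text):
    """Return a split of text into known words (covers the concatenation
    rule, e.g. 'passwordmonkey'), or None if no full split exists."""
    t = text.lower()
    best = [None] * (len(t) + 1)
    best[0] = []
    for end in range(1, len(t) + 1):
        for start in range(end):
            if best[start] is not None and t[start:end] in KNOWN_WORDS:
                best[end] = best[start] + [t[start:end]]
                break
    return best[len(t)]


def dictionary_hits(components):
    """Known words found in the alphabetic components."""
    hits = []
    for c in components:
        if c.isalpha():
            hits.extend(segment_known_words(c) or [])
    return hits


def score_new_password(password):
    """Length plus transition credit, minus characters explained by known words."""
    comps = decompose(password)
    penalty = sum(len(word) for word in dictionary_hits(comps))
    return len(password) + 2 * transition_score(comps) - penalty


def similarity_to_previous(new, old):
    """Compare against a previous password. Returns (ratio, rule), where rule
    names the simplest edit found: identical, concatenation, insertion,
    replacement or unrelated."""
    new_l, old_l = new.lower(), old.lower()
    if new_l == old_l:
        return 1.0, "identical"
    matcher = SequenceMatcher(None, old_l, new_l)
    ratio = matcher.ratio()
    if new_l.startswith(old_l) or new_l.endswith(old_l):
        return ratio, "concatenation"
    ops = {tag for tag, *_ in matcher.get_opcodes() if tag != "equal"}
    if ops == {"insert"}:
        return ratio, "insertion"
    if ops == {"replace"} and len(new_l) == len(old_l):
        return ratio, "replacement"
    return ratio, "unrelated"


def evaluate(proposed, previous=None, min_score=8, max_similarity=0.8):
    """Policy decision combining both checks; the thresholds are assumed values."""
    result = {"components": decompose(proposed), "score": score_new_password(proposed)}
    if previous is not None:
        result["similarity"], result["rule"] = similarity_to_previous(proposed, previous)
    result["accepted"] = (result["score"] >= min_score
                          and result.get("similarity", 0.0) < max_similarity)
    return result


if __name__ == "__main__":
    # Constructed candidates checked against a constructed previous password.
    for candidate in ("password", "passwordmonkey", "Summer2014", "Tr0ub4dor&3"):
        print(candidate, evaluate(candidate, previous="Summer2013"))
```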


About The US Government’s Absurd Filing in a Megaupload-Related Case

You’d think the US Government has been embarrassed enough with their abuse of power and disregard for procedure in the Megaupload case that they would just let it all quietly die. No, as evidenced by a recent filing in the Kyle Goodwin case, they are going to fight this one until the end.

Because this case potentially affects everything we do in the cloud, I have followed it closely. But I have to say I am a bit amazed by the arrogant, contradictory, hypocritical, almost desperate brief the government filed a few days ago. I recommend taking a few minutes to read the whole thing, but it basically comes down to the government arguing that instead of having one hearing to see if the guy can get his data back they should break it down into several different hearings, one to argue each point. Their logic is that if they don’t get past the first point, they don’t need to hold any more hearings.

The government would like the hearing broken down like this:

1. A hearing requiring Kyle Goodwin to prove he owns the files he says he owns.
2. A hearing to determine if Federal Rule of Criminal Procedure 41(g) allows Goodwin any relief.
3. Another hearing that would consider exactly what relief might be appropriate.

They also imply other hearings, such as an evidentiary hearing or another to ensure the court even has jurisdiction over the complaint.

Of course, this is all absurd and an obvious attempt to delay the proceedings and put a greater burden on Goodwin and anyone else who might want to get their files back. It is a common tactic and is one of the reasons why many law firms refuse to accept cases suing the government: even if the government is wrong, they have enough resources to completely swamp a law firm with paperwork and procedural obstacles potentially costing the firm millions of dollars just to get the case heard.

The government’s argument is that by breaking the hearings up, they can put less of a burden on the court. They state that by having just one hearing, “the Court may unintentionally authorize a large amount of irrelevant discovery that impinge on the criminal proceedings.” Plus, they argue, if you dispute some facts, that would likely result in having to dispute other facts, and that might require “the testimony of numerous witnesses, including potential expert witnesses.” Finally, they argue that because they won’t know the scope of the hearings, they don’t know how much information they will need to gather.

Much of the government’s filing is a clear attempt to kill the case by saying that Goodwin can’t even prove he owns his files. It all comes down to Federal Rule of Criminal Procedure 41(g):

(g) Motion to Return Property. A person aggrieved by an unlawful search and seizure of property or by the deprivation of property may move for the property’s return. The motion must be filed in the district where the property was seized. The court must receive evidence on any factual issue necessary to decide the motion. If it grants the motion, the court must return the property to the movant, but may impose reasonable conditions to protect access to the property and its use in later proceedings.

To argue that Goodwin has no ownership rights, the government says that he only used a service provided by Megaupload, and Megaupload only leased servers from Carpathia, therefore Goodwin has no ownership rights to the servers they imaged. The contracts of these services, they argue, probably say that he doesn’t own those servers. But the argument here was never that he owned the servers, only that the government took the only copy of his data.

So what about the data? The government argues that owning a copyright “is not sufficient to establish that he has an ownership interest in… the copies of his data.” They say that there should be a hearing to determine whether Goodwin has a prima facie case before proceeding, and that his contract with Megaupload limits his ownership rights. I find it hilarious that this very fact is why everyone is angry about the Megaupload case in the first place: the government never held a hearing to prove that the entertainment industry had ownership rights to that data, and Megaupload’s contract and federal law indemnify it from liability for the sharing of copyrighted files.

Their argument also has a major flaw: this is not a contract dispute between Goodwin and Megaupload or Carpathia, it is a lawsuit against the US Government. The government is not a party to any of these contracts and therefore they are completely irrelevant.

Then it gets even stranger. Although the government says they do not have Goodwin’s data on the servers they imaged, that they are not in possession of the other servers, and that finding any particular user’s data may be technically infeasible, they go on to claim that his Megaupload account contains files that might be pirated music. So do they have access to his files or not? Further, having pirated files in his account does not negate the fact that he owns his video files. It’s nothing more than a scare tactic and veiled threat that Goodwin should not continue this case because he does not have “clean hands.”

After the whole argument about Goodwin having to provide evidence of ownership, the government goes on to say that in a hearing to decide a Rule 41(g) motion, “the Court may use affidavits and documentary evidence, without the need for live witnesses.” Basically what they want is to be able to use sworn affidavits instead of putting up live witnesses. This means that they get to introduce a statement from their witness with no opportunity for the plaintiff to cross-examine the witness. Their argument is that Goodwin must bear the burden of proof, not the government. Nice trick, but our legal system doesn’t work that way. The only way to reconcile disagreements of prima facie evidence is through a full trial and that includes witnesses.

What the government is trying to do here is abuse the process to prevent the question coming up asking if their raid was legal in the first place. Part of Goodwin’s case relies on proving that his data was unlawfully seized, which might include proving whether Megaupload’s servers themselves were unlawfully seized and searched. This is an extremely important question that needs to be asked because it will set the precedent for all future government seizures. It affects every company on the Internet that hosts the data of others. And it affects any of us that completely rely on the cloud for running our own lives and livelihoods.

The government must be held to the same standards as anyone else and cannot be allowed to abuse the law to take out any company in any country that threatens the US entertainment industry. If we can stop the little abuses, we help prevent the big abuses.



Updated Thoughts on CISPA

Since I wrote my last post on CISPA a few weeks ago, a number of things have changed and my own opinion has evolved some as well. I still feel that the EFF’s interpretation was perpetuating a great amount of FUD, but that doesn’t by itself speak to the merits of CISPA. There are many things to say about CISPA, but I thought I would share some random thoughts here:

The Quayle Amendment Changed Things

While whether this amendment is good or bad from the perspective of privacy is debatable, the question here is why was that amendment necessary? And why was the vote pushed forward right after including this amendment? In my opinion, this amendment alone is reason enough to hate this bill. I want to get that out first because although I agree with the premise of the bill, the risks of passing it as it stands are just too great. I don’t agree with the FUD involved in fighting this bill, such as saying it is the new SOPA, but I am always very wary of unintended consequences, and since it is so much harder to undo a law, this must be approached with great caution.

How Much are they Spying Already?

I’m not saying they should pass this bill because they already spy on you, I am saying that if this is a big concern we need to put more effort into laws that limit what they are already doing. Most companies already have intrusion detection and spam prevention systems in place to identify and log attacks and other unwanted threats to their networks. Much of this involves deep packet inspection and storing personal information about those who trigger alerts, including the many false alerts. There really aren’t many rules on what these companies can and cannot do with that information and their terms of service open us all up to huge intrusions of privacy. We do need legislation that clearly defines a threat and clearly defines (and limits) what can be done with that information.

And then there’s the NSA. Certainly we can’t even imagine how much information they gather on every one of us. Really, that just needs to stop; I don’t remember any U.S. citizens getting any say in allowing them to do that.

It appears that this law allows for better coordinated sharing of information but the fact is we are already threatened with huge invasions of our privacy. If you can be called a customer, an employee, or a citizen, you can be spied on.

Terms of Service vs Law is a Big Distinction

One very important thing to remember is that a company spying on its users is often covered under its terms of service. You agree to allow that in exchange for using their service. However, law enforcement agencies are limited by law, which is much more restrictive. A law such as CISPA would allow law enforcement to fall under the umbrella of terms of service, which would greatly expand their access. While this is good in the sense that it would make certain evidence legally admissible in court, the potential for unintended consequences is huge.

We Need Buffers for Stretched Interpretations

We have already seen how easily law enforcement can stretch interpretations or employ secret interpretations of laws. As a parent I see that, like children, you need to be very specific about things or law enforcement will go with the absolute most permissive interpretation. CISPA simply does not do this. Laws are difficult to reverse so we must be very careful before allowing laws that could have great potential for abuse.

Who Profits from CISPA?

Many have said that the RIAA and MPAA are clearly behind this bill but I don’t buy that. I certainly hate everything about the RIAA, MPAA, and anything they back, but I just don’t see this bill benefiting them that much without greatly stretching the interpretation and exposing themselves to significant liability. I’m not saying that is out of the question, it just doesn’t seem to fit here.

Nevertheless, whenever Congress passes any bill nowadays I am always suspicious of who stands to profit. Yes, I am sure there are some sincere motivations here, but since when has a law been passed based on its sincerity?

Don’t Forget Who Makes the Decision, But Does it Matter?

I have seen a number of misleading articles state that CISPA would allow the Government to go trolling for information and take anything they want in the name of cybersecurity. First of all, I think law enforcement already has enough power through the Patriot Act and other laws that they can already demand just about anything. However, it is important to note that CISPA does not allow the Government to demand this information; it only allows companies to volunteer the information.

Now having said that, if the Government starts paying good money for that info, I’m sure that most companies would be happy to volunteer anything that law enforcement asks for.

Long is Bad but so is Short

One thing that always bothered me about the Patriot Act is how, in just a matter of days after September 11th, the Justice Department produced such a huge, sweeping bill. In fact, whenever I see any 100+ page bill introduced to Congress I get suspicious of how many lobbyists had their hand in it. Complexity is the best weapon that special interests have for introducing loopholes that line their pockets. Which is why seeing the short, simple CISPA was so refreshing and reassuring.

But as we have seen, being short has its problems too. Complexity introduces loopholes, but vagueness can be just as bad. One nice thing about CISPA is that it is probably much easier to fix a few pages of vagueness than to scale back a thousand pages of complexity.

There’s a Bigger Message

I think that it is important to look past the words on the bill and see what the opposition here is really about. It’s not so much about who shares what and how, it is that the American people are getting tired of never-ending legislation that continually gives the Government more power and slowly erodes at our rights of privacy. Do we really even need this bill? Yes there are some specific cases where it would be helpful, but we just don’t know how many more doors we are opening.

We are already tired of constantly hearing how law enforcement agencies are stretching and abusing current laws; do we really want to give them even more power? Will using the Internet become just as personally intrusive as the security gates at an airport? Is there some greedy special interest involved here paying off Congress to make themselves even richer?

The fight against SOPA energized many of us and demonstrated that for once the people do have a voice and we are going to use it. Despite any legitimate benefits of CISPA, Congress is voting on a law that most people just don’t want.

Now there is something to agree with.

The RIAA & MPAA Don’t Want you to Know They Suck

We know that a while back the entertainment industry apparently pressured Google into removing terms that are closely associated with piracy from appearing in Autocomplete. Of course, this strategy is completely absurd and it is hard to imagine that industry execs actually believe this would ever stop a single pirate. Yes, pirates will no longer be freely offered suggestions on what words to search for, but if someone opened up Google looking for pirated material they certainly won’t consider that such an insurmountable barrier that they just give up at that point.

Nevertheless, I noticed a peculiar thing today: if you type riaa sucks or mpaa sucks, the instant search box quickly disappears and offers no suggestions. Now if you press Enter, you can see that “riaa sucks” has about 27,000 results and “mpaa sucks” has about 7,900 results, so certainly both of those qualify as suggestible searches.

What’s even more interesting is that if you start typing Google Sucks you certainly will get some suggestions:

In fact, you can put in just about any company name followed by sucks and there are instant results, but curiously none ever appear for the RIAA or MPAA.

So what we can conclude from this is that either:

  1. Google itself compiled a list of searches as being closely related to piracy and decided to throw in RIAA sucks and MPAA sucks just to be nice, or
  2. The entertainment industry actually provided the block list and, while they were at it, abused that privilege and slipped in a few terms that might be unfavorable to their reputation.

Now I would tend to think that the second situation is the case here, which means it would be very interesting to see the list of words that Google is blocking to see what other interesting terms might be blocked. What’s also interesting is that while playing around with autocomplete terms for the RIAA, I noticed that a large majority of them seem to be favorable rather than critical. This is very surprising considering what 96.6% of the Internet thinks about the RIAA.

So apparently in their efforts to stop piracy, the RIAA and MPAA also get the highly coveted ability to dictate at least what Google auto suggests about them. Whether they are flat-out devious or simply full of naive corporate narcissism I don’t know, but surely an industry who has abused this small amount of leeway would not hesitate to abuse the expanded control they are demanding from search engines.

So my question to Google is: can anyone who sells intellectual property block their own “my company sucks” suggestions from auto suggest?

Can Retroactive Immunity be Anything Less than an Admission of Guilt?

Ars Technica reports that Congress is looking into the extent of the cooperation between phone companies and the NSA. This interest was sparked by the White House’s proposal for retroactive immunity.

What’s interesting about this, however, is what it really means to call for retroactive immunity. It’s one thing to provide immunity for possible future violations of the law that might occur, but something completely different to ask for immunity for the past. The main difference is that the only reason to ask for immunity for past actions is if you are aware that past actions were in violation of the law. If you knew that no laws were broken in the past, it would be absurd to ask for immunity.

Is UAC a Fence That Falls Short?

When I was a teenager in California there was a private oil pier near Rincon that we liked to jump off. It was great—you’d throw your surf board off first so there was no backing out, because it was scary looking down at the dark green ocean so far below you. Once your board was in the water you had no choice but to follow it out into the emptiness below.

Be Smarter with Account Names

One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is very convenient for low-security sites that you rarely visit, sometimes it just isn’t appropriate. What do you do, for example, when your e-mail address changes?

The Application Experience Lookup Service

If you have ever locked down a Windows 2003 or Vista machine you have probably run across the Application Experience Lookup Service, also known as Application Experience or AeLookupSvc. The documentation on this service is pretty vague and sometimes contradictory, so people often ask me whether they should keep this service enabled or disable it. I thought I would clarify exactly what this service does.