Hack of the Week: FISA Section 702

This week's HotW comes to us courtesy of the US House of Representatives: FISA Section 702. The bill extends the US intelligence community's legal ability to collect, store, and search our internet activity and digital communications for another six years, all without any pesky warrants. Under this policy, anyone who connects to the internet is treated as a "cybercrime" suspect by default.

Bleeping Computer shines a light on some of the troubling expansions in the bill:

Under the new bill, FISA Section 702 will now allow the NSA to collect electronic communications of US citizens if they mention certain terms, and not necessarily if they communicate with non-US citizens via email or an online chat.

Furthermore, even if the bill says the FBI must obtain a warrant before searching the NSA database for data on US citizens, a warrant is not necessary if the FBI brands the situation a national security emergency, a term considered too broad and easy to bypass by EFF and ACLU experts.

The "I-have-nothing-to-hide" camp will continue trying to defend this policy and rolling their eyes at the Fourth Amendment, but the chilling effect of mass surveillance like this has been quantified already.

This policy has the potential to be used against a wide swath of society, as the ACLU notes:

If you are a journalist talking about North Korea, a businessman expressing thoughts about the global economy, or an ordinary person discussing the Trump border wall proposal, your conversation could be considered “foreign intelligence” under the law’s broad definition.

The broad scope of this bill, combined with the chilling effect of mass surveillance, yields a tool that could easily erode freedoms of both speech and press.

However, there is a confusing wrinkle: recent reports claim the intelligence community's efforts against cybercrime rings are trivial compared to previous years. Either these surveillance powers go unused, or recent targets don't fall under the "cybercrime ring" category.

Make no mistake, this broad surveillance policy will continue to be used early and often. It is frustrating to have a single policy that undermines the work of the entire security industry. This bill poses the greatest risk to digital rights since the Rule 41 changes.

This disaster of a policy, now bill S. 139, could go to a Senate vote as soon as Jan 16, the day after MLK Jr Day in the US -- ironic, since the FBI's surveillance of Dr. King is the standard cautionary tale against unchecked surveillance.

VIZIO and big data abuse

The FTC has charged VIZIO under the FTC Act and New Jersey consumer protection laws for collecting viewing data from 11 million VIZIO TVs without consent. VIZIO has agreed to settle out of court for $2.2 million.

The settlement has implications for your data and for IoT generally; an internet-connected TV is certainly an IoT device. The scale of what was allegedly collected is staggering: pixel matching of what was on screen, down to the second. If you were about to ask whether data collection, analysis, and inference at this scale is even possible, the answer is yes, thanks to big data. Check out my explainer on big data. This case is not a big data application but a big data abuse, snooping on your viewing habits. And since it is possible to collect data at that scale from an IoT TV, it is possible to build a similar picture from other IoT devices, which typically transmit far less data.

Unfortunately, a concurring statement released by the acting chairman of the FTC telegraphs that the agency will back off on consumer privacy concerns. The statement supplies a weak argument, claiming it is unclear whether anything "unfair" is going on:

[The case] alleges that granular (household or individual) television viewing activity is sensitive information. And it states that sharing this viewing information without consent causes or is likely to cause a “substantial injury” under Section 5(n) of the FTC Act.…[U]nder our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.

A practice that is hidden from customers is, by definition, not one they can reasonably avoid. What the statement also glosses over is the effect of correlated data. Let's give VIZIO the benefit of the doubt and assume they scrubbed all personally identifying information (PII) from the collected data. Bruce Schneier explains in Data and Goliath why correlated data is just as sensitive as PII:

[B]eing identified by a unique number often doesn’t provide much protection. The data can still be collected and correlated and used, and eventually we do something to attach our name to that ‘anonymous’ data record.
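To make the point concrete, here is an added example (not from the original post, and not VIZIO's actual data format or pipeline) of a linkage attack on a "de-identified" viewing log. The log carries only a device pseudonym, a ZIP code, a title and a timestamp; the second dataset is a constructed set of public, self-attributed posts of the kind people make about what they are watching. Intersecting the candidate devices across a person's posts collapses the pseudonym to a single device, at which point that device's entire history is attached to a name. The device IDs, names, ZIP codes and titles are all invented sample data.

```python
from datetime import datetime, timedelta

# Constructed sample: a "de-identified" viewing log keyed only by a device pseudonym.
VIEWING_LOG = [
    {"device": "d7f3a1", "zip": "07030", "title": "Nature Doc S1E3", "ts": "2017-02-06T20:02:00"},
    {"device": "d7f3a1", "zip": "07030", "title": "Late Show",       "ts": "2017-02-06T23:35:00"},
    {"device": "9b2c44", "zip": "07030", "title": "Nature Doc S1E3", "ts": "2017-02-06T20:04:00"},
    {"device": "9b2c44", "zip": "07030", "title": "Local News",      "ts": "2017-02-06T22:00:00"},
    {"device": "e01a77", "zip": "10001", "title": "Late Show",       "ts": "2017-02-06T23:36:00"},
]

# Constructed sample: public, self-attributed observations (e.g. social media posts).
PUBLIC_POSTS = [
    {"name": "Alice", "zip": "07030", "title": "Nature Doc S1E3", "ts": "2017-02-06T20:03:00"},
    {"name": "Alice", "zip": "07030", "title": "Late Show",       "ts": "2017-02-06T23:34:00"},
    {"name": "Bob",   "zip": "10001", "title": "Late Show",       "ts": "2017-02-06T23:40:00"},
]

WINDOW = timedelta(minutes=5)  # assumed clock slop between a post and the TV's record


def _parse(ts):
    return datetime.fromisoformat(ts)


def candidates(post, log, window=WINDOW):
    """Devices whose ZIP, title and time (within `window`) match one public post.

    A single post usually leaves several candidates: everyone in the ZIP code
    watching the same show at the same time.
    """
    t = _parse(post["ts"])
    return {
        r["device"]
        for r in log
        if r["zip"] == post["zip"]
        and r["title"] == post["title"]
        and abs(_parse(r["ts"]) - t) <= window
    }


def link(log, posts, window=WINDOW):
    """Intersect the candidate sets of every post made by the same person.

    Returns {name: set_of_devices}. A singleton set is a re-identification:
    the 'anonymous' device number now has a name attached.
    """
    by_name = {}
    for p in posts:
        c = candidates(p, log, window)
        by_name[p["name"]] = c if p["name"] not in by_name else by_name[p["name"]] & c
    return by_name


def profile(log, device):
    """Everything the log holds for one device, in time order.

    Once a device is linked to a name, this is the person's viewing history.
    """
    rows = sorted((r for r in log if r["device"] == device), key=lambda r: r["ts"])
    return [r["title"] for r in rows]


if __name__ == "__main__":
    for name, devices in link(VIEWING_LOG, PUBLIC_POSTS).items():
        if len(devices) == 1:
            (dev,) = devices
            print(f"{name} -> device {dev}: {profile(VIEWING_LOG, dev)}")
        else:
            print(f"{name} -> still ambiguous: {sorted(devices)}")
```

Two posts by Alice are enough: the first narrows her to two devices in the ZIP code, the second removes the other one. Nothing here depends on a stable hardware identifier, which is why replacing a serial number with a random token does not by itself make a dataset anonymous; the quasi-identifiers (location, content, time) do the work.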

In addition to being a practice hostile to consumers (one would assume that's what led to the charge in question), it is unfair to the competition: by collecting data and generating a customer database without consent, VIZIO is able to sell that database to advertisers, giving VIZIO revenue unfairly earned at the expense of consumers. This could have been avoided with an opt-in.

I’ve warned before about the risk of handing your data to a second party without knowing its final resting place; when the data is taken without your consent, that risk becomes unimaginable. So hurry and get your very own telescreen while supplies last.

Industry standardization: the answer for IoT security

It’s been a busy week for IoT and security. From the DDoS on Krebs’ website and the subsequent release of the alleged source code, to Yahoo’s unprecedented, full-access, custom-built NSA search tool, to the arrest of a purported “Second Snowden” (spoiler alert: not so much), there’s been plenty of news on the wire. But Bruce Schneier’s thoughts on IoT security may be the most impactful for IoT security policy in the near future.

For the uninitiated, Mr. Schneier is a world-renowned expert in computer security; he has authored numerous books on the subject in addition to designing several cryptographic algorithms. I was thrilled when he joined the board of directors at EFF, enjoy reading his blog, and consider his most recent publication one of the most important books on digital privacy. That said, Mr. Schneier’s solution for IoT security could not be more incorrect; to the point:

     The IoT will remain insecure unless government steps in and fixes the problem.

This solution is not only the least desirable path, it could cripple innovation within the IoT industry. There is a lot wrong with this approach. Industry standardization, not government regulation, is the better solution:

  • First, government actors are not subject matter experts in either IoT or security, and will never be held accountable for any failures of government regulation. When the market fails, the industry is directly incentivized to repair the damage -- otherwise, it loses our business.
  • Government and market operate under different sets of incentives and measure success differently. We would expect the market to initiate some form of industry standardization; similar standardization produced the USB and Wi-Fi protocols. Further, the successes of such standardization benefit both market and consumer; the same is not true of government regulation.
  • While the attack on Krebs was described as “simple and amateurish” (rightly so), there’s a reason an attack like this succeeds so well at this point in time -- IoT is in the middle of a maturity curve! No one expected gigabit throughput from a dial-up modem.
  • Most important, this is not a market failure; this is a demonstrated need for stronger security, realized through the test bed of the current state of IoT. Attacks like this are exactly what the field needs to harden IoT systems.

I’ve written before on the dynamics of IoT security. It is more complex than for other products, specifically because bad security doesn’t immediately affect the end user; the cost lands on someone else, much like carbon emissions from cars. And legislation there hasn’t filled roadways with a fleet of Priuses and bikes.

I will grant that at the moment, the typical IoT customer probably doesn’t care about the security of their system. But consider two different scenarios:

  1. An IoT attack targets a popular site. The average person’s reaction would be a lot different if Netflix were targeted instead of Krebs.
  2. Security is a two-way street. If IoT devices are marketed as more secure (and are indeed more secure), it’s possible the average consumer would be willing to pay for that perceived utility.

The economics of IoT doesn’t necessarily mean that exploitable devices will persist because no one cares. Certainly IoT companies are paying attention to this event; hopefully it will precipitate industry standardization of IoT security. I have stated before that standardization would be necessary for IoT security, but that the time wasn’t right. Now is the time to reconsider that.

True neutral?

In news that sounds familiar to those of us on this side of the pond, the BBC brings an update on the Swiss referendum challenging the expansion of surveillance powers that passed the Swiss parliament in 2015: the expansion won the approval of roughly 65% of voters. This should raise a few eyebrows, considering Switzerland’s reputation for neutrality and its stance on privacy. Given the attacks on its neighbors in France and Belgium in the past year, the bill looks like an understandable reaction, until you realize it was initially proposed in June of last year, prior to those attacks. The attacks may, however, explain the outcome of the vote.

Parallels can certainly be drawn between the recent vote in Switzerland and what has happened in the US over the past two decades or so. Currently, the Swiss intelligence community may rely only on publicly available data. From Swissinfo’s article:

The new legislation being proposed would allow the FIS [Federal Intelligence Service] to carry out investigations in public and private spheres without the authorisation of a judge.

The BBC further details:

It will allow the Federal Intelligence Service and other agencies to put suspects under electronic surveillance if authorised by a court, the defence ministry and the cabinet. 

This sounds similar to the US FISA court, which is more or less a rubber stamp for the NSA: according to EPIC, only 12 of the more than 38,000 warrant requests were rejected from 1979 to 2015.

Supporters of the expansion claim it will help Switzerland “catch up with other countries.” This seems like vague language, but consider that Switzerland is a member of the 41 Eyes. Further consider that its neighbors sit closer to the original Five Eyes (France is a Nine Eyes member; Germany and Italy are in the Fourteen Eyes), and the sentiment becomes clearer -- supporters don't want to be left out of signals intelligence sharing. If history is an indicator, the supporters of this expansion will not be satisfied with targeted surveillance alone.

I am not Swiss, but I hope Switzerland and others can learn from other countries’ past mistakes. The law is due to take effect 1 Sept 2017.

My open letter to reps regarding Rule 41

Today, the EFF spearheaded a great campaign to protest the recent changes to Rule 41, which I've covered previously. Below is my open letter to my representatives on why they should reject those changes. It's important to support the advocacy groups that work to protect everyone's digital rights and civil liberties.

Hello,

I am writing to show my support of the Stopping Mass Hacking Act in order to reject recent changes to Rule 41 of the Federal Rules of Criminal Procedure.

My support of rejecting the changes to Rule 41 is two-fold:

1) Concerning the language that allows a warrant to be issued against those using privacy tools, such as a VPN. This language assumes any user of privacy tools is automatically guilty of some future crime and effectively removes the burden of proof from law enforcement and intelligence agencies. Burden of proof is a foundation of a justice system that prevents conviction and sentencing of those innocent of a crime.

We have existing policies in place that allow for due process in issuing warrants and gathering evidence within a judge's jurisdiction. I agree that policy must change with technology in order to be relevant -- hopefully to secure civil liberties -- but this is a clear case of overreach.

2) Concerning the language of the changes to Rule 41 that allows for unwarranted searches of systems that have been infected by a botnet: a person without a search warrant against them has a reasonable expectation of privacy for their computer/device and its contents. Certainly language in discussions of the Fourth Amendment concerns personal effects such as opaque containers. Many people use opaque containers as some guarantee of privacy; similarly, most people apply these same privacy principles to their electronic property by utilizing passwords and storing their devices in secure places.

Allowing an unwarranted search of an innocent person's computer system that has been infected by a botnet is illegal and no different than seizing and searching that person's property simply because a criminal lives near them.

Based on these facts, I urge you to reject the changes to Rule 41 and pass the Stopping Mass Hacking Act.