Privacy

How much must we keep the obvious from stupid criminals

One particularly interesting argument seen in the Underwatergate scandal is the claim that the NYT, by revealing the existence of warrantless wiretaps on international communications lines, compromised national security.

Reporters asked how that can be. After all, surely the bad guys knew the U.S. had the ability to perform surveillance on them, had a secret intelligence court, was presumably getting lots of secret warrants to watch them, and was furthermore watching them overseas without being subject to the 4th Amendment.

Underwatergate: How many E-mails tapped?

A lot of new developments in the warrantless wiretap scandal. A FISA judge has resigned in disgust. A Reagan-appointed former DoJ official calls the President a clear and present danger. And the NSA admits they have on rare occasions tapped entirely domestic phone calls, because a call to or from a foreign cell phone that is roaming in the USA is sometimes routed overseas and back again. I have made such calls to Europeans and Australians visiting the USA.

What the NSA is doing with warrantless searches

It's long, but I can strongly recommend the transcript of today's press briefing on the NSA warrantless wiretaps. It's rare to see the NSA speak about this topic.

One can read a fair bit between the lines. The reporters were really on the ball here, far more than one usually sees.

Particularly interesting notes include:

Addrescrow -- privacy for physical address and much more

This is an idea from several years ago that I've never written up fully, but it's one of my favourites.

We've seen lots of pushes for online identity management -- Microsoft Passport, Liberty Alliance and more. But what I want is for the online world to help me manage my physical identity. That's much more valuable.

I propose a service I call "addrescrow" which holds and protects your physical address. It will give that address to any delivery company you specify when they have something to deliver, but has limits on how else it will give away information about you. It can also play a role in billing and online identity.

You would get one or more special ID names you could use in place of your address (and perhaps your name and everything else) when ordering stuff or otherwise giving an address. If my ID was "Brad Ideas", then somebody would be able to send a letter, FedEx or UPS package to me addressed simply to "Brad Ideas" and it would get to me, wherever I was.


Stop the extension of the PATRIOT Act

I don't post most EFF news here, since the EFF has a news page and two blogs for that, but today I'm doing it twice because Congress is voting tomorrow on renewal of the PATRIOT Act. There was a lot of effort to reduce the bad stuff in the bill, effort that seemed to be getting somewhere but was ignored.

Is strong crypto worse than weaker crypto? Lessons from Skype

A mantra in the security community, at least among some, has been that crypto that isn't really strong is worse than having no crypto at all. The feeling is that a false sense of security can be worse than having no security, as long as you know you have none. The bad examples include, of course, truly weak systems (like 40-bit SSL and even DES), systems that appear strong but have not been independently verified, and perhaps the greatest villain, "security through obscurity", where the details of the security are kept secret (and thus unverified by third parties) in the hope that this makes them safer from attack.

On the surface, all of these arguments are valid. From a cryptographer's standpoint, since we know how to design good cryptography, why would we use anything less?

However, the problem is more complex than that, for it is not simply a problem of cryptography, but of business models, user interface and deployment. I fear that the attitude of "do it perfectly or not at all" has left the public with "not at all" far more than it should have.

An interesting illustration of the conflict is Skype. Skype encrypts all its calls as a matter of course. The user is unaware it's even happening and does nothing to turn it on. It just works. However, Skype is proprietary. They have not allowed independent parties to study the quality of their encryption. They advertise that they use AES-256, which is a well-trusted cipher, but they haven't let people see whether they've made mistakes in how they set it up.

This has caused criticism from the security community. And again, there is nothing wrong with the criticism in an academic sense. It certainly would be better if Skype laid bare their protocol and let people verify it. You could trust it more.

Some fault for Phishing on the people who stopped encryption

During the 1990s, the US Government made a major effort to block the deployment of encryption by banning its export. We won that fight, but the ban covered the formative years of most internet protocols and made it hard to add good authentication and privacy to internet tools. Vendors were forced to jump through hoops, users had to download special "encryption packs", and encryption became the exception rather than the norm in online work.


Database Dangers: The easy evidence is what they follow

You may have run into the story of a fireman charged with burning down his own home. They charged him because his Safeway Club card records showed he had purchased the type of firestarter that was used in the arson on his house.

Sounds like a good case? Problem is somebody else confessed to the arson. He's now a free man.

Scensors

Word of today: "Scensors", a combination of "sensors" and "censors", to mean surveillance devices which, by making people feel watched, cause them to self-censor their behaviour and speech.

(Thanks to Michael Froomkin for accidental inspiration as I sit at his talk at PFIR)


Friendscrow -- Key Escrow Among Friends

In thinking about the GMail encryption problem, I came to realize that for ordinary users liable to forget their passwords, it would not be suitable to tell them after such an event that all their email archives are forever lost. This means some sort of key escrow. Not the nasty kind done with the Clipper chip, but one done voluntarily.

I came up with a system I call Friendscrow. (I suspect others have also thought of the same thing.) This is a ZUI (Zero User Interface) system, at least for normal operation.

Privacy issues in GMail and other webmail

Most people have heard about the various debates around Google's new GMail service. I wear many hats, both as a friend and consultant to Google and as chairman of the EFF. There have been some tinfoil-hat flaps but there are also some genuine privacy concerns brought about by people moving their life online and into the hands of even a well-meaning third party.

Check out the Essay on privacy issues in GMail and webmail. I welcome your comments in the blog.

Big Brother Tivo

Each year, when Tivo reminds people that it gathers anonymized viewing data on Tivo usage by reporting Super Bowl stats, a debate arises. A common view is that it's OK because they go to a lot of work (which indeed they do) to strip the data of the identity of the user.

As noted, I've read Tivo's reports and talked to Tivo's programmers, and they did work hard to try to keep the data secure and anonymised.


Can RSA "blocker tag" really work?

RSA today announced a version of Ron Rivest's blocker tag which is a supposed defence against unwanted RFID scans.

The tag, explained simply, answers affirmatively for an entire subsection of the RFID ID space, as if every possible tag in that subsection were present, so that any scanner walking that part of the space always hears a yes at every step (or gives up) and thus can never single out a real tag in that space.
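To make the "always hears a yes" mechanism concrete, here is an added simulation of the tree-walking singulation protocol that readers use to pick one tag out of many, run once without and once with a blocker tag. It is example code written for this page, not RSA's or Rivest's implementation. The 8-bit tag IDs, the protected zone (every ID starting with "1") and the reader's query budget are constructed for illustration; real EPC tags carry 96-bit IDs, so a blocked subtree would present the reader with 2**95 phantom tags.

```python
"""Toy tree-walking RFID singulation, with and without a blocker tag.

Added example, not code from the page or from RSA. The reader walks the ID
space bit by bit: it sends a prefix, tags whose ID starts with it reply with
their next bit, and a collision (both bits heard) makes the reader recurse.
"""
from dataclasses import dataclass, field

ID_BITS = 8   # constructed toy width; EPC Class 1 tags use 96 bits


class Tag:
    """An ordinary tag: answers a prefix query with the next bit of its ID."""

    def __init__(self, tag_id: str) -> None:
        assert len(tag_id) == ID_BITS and set(tag_id) <= {"0", "1"}
        self.tag_id = tag_id

    def respond(self, prefix: str) -> set:
        if self.tag_id.startswith(prefix) and len(prefix) < ID_BITS:
            return {self.tag_id[len(prefix)]}
        return set()


class BlockerTag:
    """Simulates every possible tag whose ID begins with `zone`.

    Above the zone it answers like a single tag heading into the zone; at or
    below the zone it answers with BOTH bits, so the reader hears a yes for
    every branch and must descend into the whole subtree.
    """

    def __init__(self, zone: str) -> None:
        self.zone = zone

    def respond(self, prefix: str) -> set:
        if len(prefix) >= ID_BITS:
            return set()
        if len(prefix) < len(self.zone) and self.zone.startswith(prefix):
            return {self.zone[len(prefix)]}
        if prefix.startswith(self.zone):
            return {"0", "1"}
        return set()


@dataclass
class WalkResult:
    found: list = field(default_factory=list)   # leaf IDs the reader "identified"
    queries: int = 0
    gave_up: bool = False


def singulate(tags, query_budget: int = 10**6) -> WalkResult:
    """Reader side of tree-walking singulation (depth-first, '0' branch first)."""
    result = WalkResult()
    stack = [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:
            result.found.append(prefix)      # leaf reached: a real or phantom tag
            continue
        if result.queries >= query_budget:
            result.gave_up = True            # the reader abandons the walk
            break
        result.queries += 1
        bits = set()
        for tag in tags:
            bits |= tag.respond(prefix)
        for bit in sorted(bits, reverse=True):   # push '1' first so '0' pops first
            stack.append(prefix + bit)
    return result


# Constructed scenario: a library book (unprotected) and a private item whose
# ID falls in the blocked zone "1".
LIBRARY_BOOK = Tag("00101101")
PRIVATE_ITEM = Tag("10110010")
BLOCKER = BlockerTag("1")


def without_blocker() -> WalkResult:
    return singulate([LIBRARY_BOOK, PRIVATE_ITEM])


def with_blocker(query_budget: int = 40) -> WalkResult:
    return singulate([LIBRARY_BOOK, PRIVATE_ITEM, BLOCKER], query_budget)


if __name__ == "__main__":
    r = without_blocker()
    print(f"no blocker: found {r.found} in {r.queries} queries")
    r = with_blocker()
    print(f"blocker, budget 40: gave_up={r.gave_up}, {len(r.found)} IDs seen, "
          f"private item exposed: {PRIVATE_ITEM.tag_id in r.found}")
    r = with_blocker(query_budget=10**6)
    print(f"blocker, unlimited budget: {r.queries} queries, {len(r.found)} IDs, "
          f"of which only 2 are real tags")
```

Two properties of the scheme show up directly: the library book outside the zone is still read normally (the blocker is selective, not a jammer), and inside the zone the reader either exhausts its budget or ends up with a list of phantom IDs in which the real one is indistinguishable. A blocker that answered both bits for every prefix, zone or not, would block everything, which is the "malicious blocker" case the design has to worry about.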

