Technology Review - Published By MIT

A commonsense take on computer security, usability and why IT does matter.


The ACM Conference on Computers, Freedom, and Privacy

What's on the minds of privacy experts?
Thursday, May 03, 2007

I'm in Montreal attending the annual Association for Computing Machinery (ACM) conference on Computers, Freedom, and Privacy (CFP). Now in its 17th year, this conference was once the only venue where topics like cyber-rights, wiretaps, and cryptography policy were actually discussed. That was before Wired magazine and the birth of the commercial Internet as we know it, of course. But CFP is still one of the few places where technologists, policy wonks, government officials, and the cyber-libertarian fringe can get together and have open and honest, if not entirely friendly, conversations.

I gave a tutorial about computer forensics, then sat in on a talk about U.S. wiretap regulation. In the evening there was a 90-minute session called "Postings from the Edge," at which some of the wise old heads of the Internet gave their opinions about the leading technology and policy problems of our day.

Peter Neumann, from SRI International, opened the discussion. He has been following computer security and computer-related risks for years. After years of trying to build secure systems, he now spends most of his public life documenting how systems fail.

The conference opened on May 1--May Day. Neumann, who loves puns, noted that "mayday" is also the distress call used by pilots who are going down, and he said that we have a related problem today. We believe that computers can be trustworthy, he said--but they are not trustworthy. We believe that we can build simple systems--but secure systems are not simple. So we just can't build systems that are both simple and trustworthy. This is a conflict.

What's more, Neumann said, a lot of problems we are trying to solve with computer security--things like privacy--are extrinsic to the computer system. We try to use secure computers to protect privacy, but privacy isn't being violated by the computer systems; it's being violated by the people who have legitimate access to the computer systems that are holding the private data. "Privacy cannot be protected with technology alone, and yet we have enormous belief in our computer systems and all of the people who have access to them," Neumann said.

We need to be aware of the risks that we are dealing with, addressing those that can be addressed with technology and restructuring our society and civilization to address the others.

Anita Allen, from the University of Pennsylvania Law School, stated that it only took 10 years to sequence the human genome, thanks to computers. Allen said that this week the House of Representatives passed the Genetic Nondiscrimination Act, which will help protect Americans from the "mischief that can be done" with our genetic information. "This is good news for American workers. Without this law, there is a lot of vulnerability that American workers face in the U.S."

Allen noted that a few years ago a railroad in the United States was surreptitiously testing its workers for the "carpal-tunnel gene," and that this information was disclosed and the company was sued by the Equal Opportunity Commission under the Americans with Disabilities Act. Allen pointed out that the new law will prohibit discrimination against people based on their DNA.

Bruce Schneier, from Counterpane Systems, spoke about the generation gap. This gap is bigger than rock and roll. He said that privacy is approached differently by the younger, hip generation that's using the social-networking websites. Schneier held up an article about how young employees can't be trusted because they put all the corporate secrets online. Your reputation might be ruined by blogging on the Net. "When you look at what's happening in the younger generation, there is a notion that these sites form communities," Schneier said. "People form friends all over the world. This is going to completely change the way that our society deals with privacy."

Schneier noted that some people have been fired for blogging and that college-admissions and HR people have Googled others to see what they did at last night's party. He mentioned a New York magazine article called "Say Everything." He said that the younger generation now believes that it has an audience and that everybody thinks they are watching and are onstage. They have archived their adolescence; their entire life is online, and they don't care. They are used to being dumped publicly on a social-networking site; they have thicker skin than we do.

If it is about control--building these sites to give people control--one way to do that is by limiting access. But kids just abandon sites when they want a new past; they just move on. Perhaps having data automatically delete itself after a while might be the right thing to do. Schneier pointed out that the older generation in the 1960s said that the social revolution--sex, drugs, and rock and roll--would be the end of marriage. They were right, Schneier said, and it's okay. "Talk to a teenager," he said. "We have a responsibility to build systems so that they can take maximum advantage of what the society has to answer."

Ed Vitz, from the Public Interest Registry, which manages the dot-org top-level domain, is now forming the Internet Consulting Coalition, which will be dedicated to helping organizations maximize their presence at the first and second domain level.

Vitz said that one of his primary concerns is the loss of an organization's domain name when the domain name expires. Many organizations will lose their dot-org and discover that it's been taken over by a porn site. This seems to hit nonprofits especially hard, perhaps because of their internal problems. "Domain-name monetization has interested Wall Street," said Vitz. "There are seminars on secondary domain markets."

The value of a domain name is based on the amount of traffic to the website and what it can command on the secondary market. "The unintended loss is not a new problem, but the situation is exacerbated because of the growing use of computer programs" that find expired domains and determine how valuable they are, according to Vitz. This is called "domain tasting," he said.

The poster-child example came up last year: a rape crisis center in Syracuse, NY, failed to reregister its domain name, Vitz said. It was picked up by an adult website. "You can imagine the results."

Whit Diffie, from Sun Microsystems--yes, that Whit Diffie: the one who invented public key cryptography--spoke about governmental surveillance. Government needs to do surveillance, Diffie said, so that it can know the needs of the citizenry.

This doesn't mean that surveillance is good or that it doesn't need to be regulated. "We find government surveillance threatening the whole structure of a free society," Diffie said.

Diffie stated that he has been fighting this battle for more than 14 years. It started out as a battle regarding the use of cryptography. In the 1990s, cryptography and computers suddenly became good enough to be used by small organizations; the government realized this and tried to reestablish control over cryptography. "After three rounds between 1980 and 2000, they lost," said Diffie. "And we now, in the U.S., have government-endorsed, very high-level cryptography."

"But part of the reason that the government retreated on that flank is that it was advancing on a flank that we didn't notice or didn't have time for," Diffie continued. "And we lost that battle in 1994, but we didn't notice. The government had noticed what some of us had also noticed: that all of the fine research in cryptography wasn't protecting traffic, and the cryptographic market wasn't succeeding hand over fist. Yes, SSL is one of the most widely used cryptographic markets in the world. But the penetration of secure phones is practically nil."

But while people in the cyber-rights movement were focusing on encryption, the government was focusing on having communications systems designed to be wiretap-friendly. The result was the 1994 Communications Assistance for Law Enforcement Act (CALEA). "And now," said Diffie, "all telephone switches have to have wiretapping built into them, and they have to guarantee that very rapidly they can adjust the system to deliver all the communications of the subscriber to the government. And if they don't, they get fined $10,000 per day and per violation."

Originally, CALEA had a carve-out so that it didn't cover the Internet. But the law had a provision that if the Internet substantially replaced the conventional telephone system, it would be covered. "Beginning two to three years ago, the FBI began pushing the FCC to adopt regulations saying that CALEA applies to the Internet," Diffie said.

The problem is that the Internet does not lend itself to interceptions. Diffie explained that if two businesspeople are traveling in Europe and want to have a VoIP conversation, it's much more efficient to send the packets directly from point to point, rather than sending them through an intermediary so that the intermediary can do a wiretap. One solution around this problem is to equip every ISP with advanced remote-controllable wiretap equipment. Of course, another alternative is just to force all phone calls to go through monitoring points. My guess is that the latter is what's going to happen.

Following the speakers' introductions, they were asked what kind of information, hypothetically, they would give to various politicians. I don't remember anything that was said.

Then we had questions and comments. The one notable comment came from Chris Kelly, the chief privacy officer of Facebook. He explained last year's snafu involving Facebook and privacy issues: Facebook had created a news feed to tell people what their friends were doing, and many people didn't like missives going out to their friends--you know, missives like "Anna's relationship status has changed from 'going steady' to 'single.'" It felt like stalking. Kelly said that 750,000 Facebook users joined a protest group about the news feed. Facebook got the message.

Kelly also said that the lesson that Facebook learned from this experience was precisely the opposite of what is written in the media. "You get this when you have 22-year-olds running the company." He said that a lot of people think that information posted in Facebook is available to anybody. In fact, there is no way to post a message in Facebook that everybody can read. And Kelly said that a lot of people think that 22-year-olds have no sense of privacy. He noted that the experience taught him that 22-year-olds care a great deal about privacy. They just have ways of conceptualizing it that are different from the way most 40- and 50-year-olds do.

Another brief will appear tomorrow.

All Your Data Belongs to Us

Data servicing is another problem for data privacy.
Tuesday, April 10, 2007

The April 5 entry on the blog the Consumerist has an interesting article about a significant data-privacy issue that has long been ignored. In the article, reader Chris wrote to the Consumerist about a problem she (or he?) was having with an Apple laptop. Apple wants to replace the hard drive, and Chris wants the hard drive back because the old, broken drive has confidential information on it. The problem is that Apple's policy (and most other companies') is not to return the dead hard drives of computers being serviced. So Chris needs to trust that Apple will properly destroy the drive, or at least its data, and Chris isn't so sure.

Chris isn't the first person to experience this problem, of course; it's quite common. A few years ago, my company had a laptop that was filled with confidential information. The hard drive died. We called up Dell for a replacement, but Dell wouldn't ship a new one unless we promised to send back the old one. And, obviously, with all the confidential information on the hard drive, we wouldn't send it back, either broken or intentionally damaged. So we ended up buying a new hard drive, even though the drive was still under warranty.

What's to be nervous about? Well, there are many documented cases in which a reputable service center nevertheless allowed the data from a customer's machine to leak back into the datasphere. Last year there were reports in the media about a hard drive that had been taken to a major electronics store for warranty repair, and it ended up being sold (with most of its data intact) at a swap fest.

When I was working on my PhD thesis, I spoke with a system administrator for a major electronics firm. The firm had a RAID array with a bad power supply. It sent the RAID array back to the manufacturer and was shipped a replacement. A few months later the firm got a phone call from a university: "Hey, we got your data!" Apparently, the university had also sent back a RAID array for service, and it had been sent the first array, refurbished with a new power supply, but with the original data still intact.

Also while working on my PhD thesis, I found a firm in California that did service for major computer manufacturers. Originally, the firm had a policy of wiping the "broken" drives before selling them on the secondary market. I bought a bunch of drives from the firm via eBay and was pleased to discover that they had all been blanked. But a year later, I bought another drive from the firm and discovered that it was filled with the original customer's data. A bit of Web searching revealed that the service firm had run into financial troubles between the first and second sales.

There is no good way to ensure that hard drives returned for service aren't going to have their data leak out. Because of this, individuals and businesses returning their drives for service must take precautions to make sure they don't have confidential data on them to start with. One way to do this is by using cryptographic file systems like Apple's FileVault. These systems ensure that all of the confidential data on the drive is encrypted: even if the service center gets your data, it won't be able to make sense of it.
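The check I was doing by hand on those eBay drives (is this drive actually blank, or is the previous owner's data still on it?) can be automated against a raw image. The following is an added example, not code from the original post: it walks a drive image sector by sector, counts sectors that are not a wipe pattern, and pulls out any printable text that survives. The sample image, sector size and leftover record are constructed for illustration.

```python
import re

SECTOR = 512  # bytes per sector; the audit reports in these units

def sector_is_blank(sector: bytes) -> bool:
    # Both all-0x00 and all-0xFF are what a wipe (or a never-used drive) leaves behind.
    return sector == b"\x00" * len(sector) or sector == b"\xff" * len(sector)

def audit_image(image: bytes, min_str_len: int = 8) -> dict:
    """Report how much of a drive image is blank and what readable text survives."""
    total = (len(image) + SECTOR - 1) // SECTOR
    dirty = []
    for i in range(total):
        if not sector_is_blank(image[i * SECTOR:(i + 1) * SECTOR]):
            dirty.append(i)
    # Runs of printable ASCII are the quickest sign that customer data is still present.
    pattern = rb"[\x20-\x7e]{%d,}" % min_str_len
    strings = [s.decode("ascii") for s in re.findall(pattern, image)]
    return {
        "sectors": total,
        "blank_sectors": total - len(dirty),
        "dirty_sectors": dirty,
        "strings": strings,
        "blanked": not dirty,
    }

def build_sample_image() -> bytes:
    # Constructed sample: eight zeroed sectors with one leftover record left in sector 3.
    img = bytearray(8 * SECTOR)
    leftover = b"CUSTOMER RECORD: Anna Example, account 0000-0000"  # constructed
    img[3 * SECTOR:3 * SECTOR + len(leftover)] = leftover
    return bytes(img)

if __name__ == "__main__":
    report = audit_image(build_sample_image())
    print("blanked:", report["blanked"], "dirty sectors:", report["dirty_sectors"])
    for s in report["strings"]:
        print("recovered:", s)
```

Run the same audit on a drive before it leaves your hands, not just on one you receive: a single dirty sector is enough to fail the check.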

What's the other alternative? To make hard drives so cheap and easy to replace that there is no incentive to fix them. Although it's difficult to get the hard drive out of my MacBook, replacing the drive in that Dell was downright easy--it just slid out. And these days, you can get a really nice laptop drive for about $70--not much more than it costs to send a laptop twice across the country by next-day delivery. Make it easy to replace the drive and rebuild the operating system, and it's going to be cheaper for companies like Apple to just sell warranty customers a new hard drive at a discount than to worry about getting back the old drive to verify that the "warranty repair" was really justified.

I Am a Victim

How Notre Dame put my SSN on the Internet.
Monday, January 29, 2007

Last week I got a letter in the mail from the Mendoza College of Business at the University of Notre Dame. Apparently, the school had put information about me, including my social-security number (SSN) and demographic information, on the Internet. "We have no evidence to date that this information was used inappropriately," the school wrote, but I might want to take "prudent ... precautions" by periodically checking my credit report with the three major bureaus.

What's so infuriating about this is that I never had anything to do with the University of Notre Dame.

In 2001, I was thinking about going back to graduate school, so I took the GMAT, LSAT, and GRE exams. I checked off the boxes that said that my information could be forwarded to schools so that they could recruit me. A few schools contacted me, and that was that. Or so I thought. It seems that the Graduate Management Admissions Council didn't just provide my test scores and demographic information: it also provided my SSN.

But why did the Mendoza College of Business keep that information for six years? And how did it make it available on the Internet?

I called Notre Dame to find out what had happened and was told that a file of GMAT names, scores, SSNs, and other information had been inadvertently left on a computer that was decommissioned. At some later point in time this computer was turned back on and plugged into the Internet, and it made the files available through some kind of file-sharing program. Google picked up the files, indexed them, and added them to its archive. How was this discovered? Somebody did a Google search on his or her own name and found the jackpot of personal information.

The woman I spoke with from Notre Dame said that the school had looked at the log files on the computer, and there were no other signs of access other than by the one person who had accessed his or her files. I'm not sure that this makes sense because she said that there was also no evidence that Google had accessed the files, and clearly Google had. Besides, if the information was cached by Google, bad guys could have downloaded it directly from the cache and avoided leaving traces at Notre Dame.
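The logic of that log review is easy to state in code. The following is an added example, not anything Notre Dame or I ran: it parses web-server access lines in the common "combined" format, keeps only requests for the file in question, and tags each as coming from a search-engine crawler or from a browser. The log lines, addresses, path and the list of crawler user-agent markers are constructed assumptions for the illustration.

```python
import re
from collections import Counter

# Apache/NCSA "combined" log format, the layout most web servers of the period wrote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: these user-agent substrings are enough to recognise the major crawlers.
CRAWLER_MARKERS = ("googlebot", "bingbot", "slurp")

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec: dict) -> str:
    ua = rec["ua"].lower()
    return "crawler" if any(mark in ua for mark in CRAWLER_MARKERS) else "browser"

def accesses_to(lines, sensitive_path: str) -> list:
    """Every parsed request for sensitive_path, tagged as crawler or browser."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == sensitive_path:
            rec["actor"] = classify(rec)
            hits.append(rec)
    return hits

def summarize(hits) -> Counter:
    return Counter(h["actor"] for h in hits)

# Constructed sample log (RFC 5737 test addresses, fictional timestamps and paths).
SAMPLE_LOG = [
    '198.51.100.5 - - [12/Jan/2007:03:14:07 -0500] "GET /gmat/scores.csv HTTP/1.1" 200 48213 '
    '"-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.7 - - [20/Jan/2007:21:02:33 -0500] "GET /gmat/scores.csv HTTP/1.1" 200 48213 '
    '"http://www.google.com/search?q=example" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"',
    '192.0.2.9 - - [21/Jan/2007:09:00:01 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = accesses_to(SAMPLE_LOG, "/gmat/scores.csv")
    # If Google holds a cached copy but no crawler hit appears here, the log is incomplete.
    print(summarize(hits))
    for h in hits:
        print(h["ts"], h["ip"], h["actor"])
```

The point of the crawler tag is the consistency check: a file that shows up in a search engine's cache must have been fetched by its crawler, so a log with zero crawler hits is evidence of missing log data, not of a single reader. And once the copy sits in the cache, later downloads leave no trace in this log at all.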

I called a friend who works in the privacy industry. He said that the GMAT never should have distributed my SSN with this file--there was no reason to do so--and he added that it has since stopped the practice. He also said that universities like Notre Dame are responsible for the majority of the privacy breaches that have been disclosed to date. (That's true, but the flip side is that more names have been released by businesses because they tend to have bigger databases.)

Where does this leave me? More annoyed than anything else. The real problem isn't that personal information keeps getting leaked, but that personal information is so valuable. The reason SSNs can be used for identity theft is that banks and other financial institutions think that if you know somebody's SSN, then you must be that person. This has got to change.
