Surveillance State

When the mainstream media first announced Barack Obama's "victory" in keeping his BlackBerry, the focus was on the security of the device, and keeping the U.S. president's e-mail communications private from spies and hackers.

The news coverage and analysis by armchair security experts thus far has failed to focus on the real threat: attacks against President Obama's location privacy, and the potential physical security risks that come with someone knowing the president's real-time physical location.

President Obama and his BlackBerry at the White House in late January.

(Credit: UPI Photo/Ron Sachs/Pool)

Serial numbers
Before we dive in, let's take a moment to note that each mobile phone has a unique serial number, known as an IMEI, or MEID. This unique number is transmitted in clear text, every time the phone communicates with a nearby cell tower. Thus, while the contents of a phone call or the data session (for e-mail) are usually encrypted, anyone with the right equipment can home in on a particular IMEI and identify the location of the source of that signal.

The most common device used to locate a phone by its IMEI is a "Triggerfish", a piece of equipment that is routinely used by law enforcement and intelligence agencies. This kind of device tricks nearby cell phones into transmitting their serial numbers and other information by impersonating a cell tower.

The devices, which are actually fairly low-tech, were used to hunt down famed hacker Kevin Mitnick back in the 1990s. Most interesting of all, according to Department of Justice documents, Triggerfish can be used to reveal a suspect's location "without the user knowing about it and without involving the cell phone provider."

The expensive brand-name Triggerfish devices, made by the Harris Corp., are sold only to government agencies. However, it is almost certain that foreign governments have similar technology. Furthermore, someone with a low budget could likely use the open-source GNU Radio platform, which can already decipher GSM signals, to roll their own phone sniffer.

Finding Obama
We know that the president has been given a White House-issued BlackBerry phone. As a result, Obama's smartphone is broadcasting its IMEI serial number for anyone with the right equipment to detect.

Of course, the president is never alone, and so it is likely that anyone sniffing the wireless spectrum near the president would pick up hundreds of different BlackBerrys in the area.

However, Obama's aides do have to go home at some point, whereas Obama sleeps at the White House. This means that over the course of several days or weeks, it should be possible for a patient adversary to determine which IMEI belongs to the president's phone, and which IMEIs are associated with the phones of aides, simply by following the president (at a distance) and monitoring the spectrum at all hours.

As staffers go home for the evening, and Secret Service agents rotate out of duty, an adversary can strike their IMEI numbers off of the list. Within days, that initial list of 100 BlackBerrys can be reduced down to a single IMEI identifying the president's phone

Were someone to learn the president's IMEI, they could use it to gain valuable (and dangerous) information. For example, by pointing an antenna at the White House, it'd be possible to instantly determine if the president was inside. With a sophisticated-enough antenna, it might even be possible to determine which vehicle the president is sitting in while traveling in a motorcade, or to determine if the Secret Service is driving an empty limousine along a high-profile route to draw attention, while the president travels to a venue in an unmarked vehicle. The digital trail left by the president's BlackBerry would soon announce his presence to those keeping an eye out for his IMEI.

I am sure that others could come up with even more nefarious uses for real-time access to the president's physical location. I will leave that task to the blogosphere.

Burners
The simple solution to this problem, of course, is for the President to regularly change his IMEI serial number by getting a new phone. However, this presents another problem: that of the odd man out.

Imagine that foreign spies point a directional antenna at the White House and are thus able to capture the IMEI numbers of Obama and his team, as they leave and return to the White House from various events.

If a new IMEI number were to suddenly appear, be used for one week, disappear, and then be replaced by a new IMEI, which was also used for a week, before also disappearing, it would soon be obvious that a single person was changing phones. This pattern would be even more obvious, if everyone else in the president's entourage kept using their own phone--and thus broadcast the same IMEI, week after week.

Simply put, the only way that President Obama can gain some level of anonymity with regard to his IMEI number is if everyone in his team also changes their IMEI numbers with the same regularity.

Fans of the HBO TV show The Wire (a group that includes Obama) will no doubt remember the use of cheap prepaid "burner" phones by the fictional drug dealers. In order to avoid being wiretapped by the police, the entire criminal gang would dispose of their phones at once and switch to brand-new devices.

Essentially, the White House needs to start using burners.

Cost-effective protection
It would be extremely expensive (and wasteful) for the president and his staff to get a new BlackBerry each week. Luckily, there are two options available to the White House tech staff that allow them to protect the president's location privacy in a cost-effective (and environmentally friendly) way:

First, the White House geek team can simply shuffle the BlackBerrys used by the President's staff. That is, take away everyone's phone, mix them up, restore the software to the factory default, then issue a "new" phone to each staffer.

Within minutes, the phones would synchronize with the White House e-mail servers, and thus the "new" devices would have instant access to the e-mails and information that had been on the previous device.

The inconvenience factor of such a solution could also be significantly reduced by having twice as many phones as employees--that way, staff would not have to go without their phone for more than a minute or two, as they were swapped each week.

As long as this shuffling of phones were done randomly, the IMEI numbers would be sufficiently anonymized. Sure, a potential attacker would know that the device belonged to a member of the White House staff, but they would not know whether if belonged to a lowly intern, the press secretary, or the president.

A slightly more laborious method would be to hack the software running on the BlackBerrys and flash the devices with a new serial number. While this is quite possibly a violation of the Digital Millennium Copyright Act (which prohibits most forms of phone hacking), it is unlikely that Research In Motion (which makes the BlackBerry) would sue the White House for engaging in such reverse engineering.

Of course, the downside of giving each phone a new serial number is that these phones would then need to be re-registered with the wireless communication company, which would otherwise refuse to provide the devices with service. However, this additional burden for the White House techies would yield significant security benefits, as each phone would be given a clean IMEI number not associated with the White House.

Insiders
In this article, I've focused solely on the scenario of a bad guy with an antenna. There is also the very real (and significant) risk of an insider working for the phone company.

Insiders are a notoriously difficult security problem to fix, something Obama has likely already learned, after his passport file was read by a contractor working for the State Department.

Even if every person working for the White House's telecommunications carrier were honest, it could also be possible to social-engineer the information out of a customer service representative (otherwise known as "pretexting").

Alternatively, an adversary could simply hack into the computer systems used by the phone company in order to get information on Obama's phone. Is was this latter approach that was followed by an unknown attacker who was able to spy on the phone calls of more than 100 Greek government officials during the 2004 Olympics.

Foreign trips
President Obama is likely to go on many foreign trips during his four (or more) years in office. In addition to burdening taxpayers with the obscene international roaming rates associated with his foreign BlackBerry usage, there are new and more serious security concerns to consider.

The federal government can most likely trust AT&T and the other wireless carriers. After all, they did join forces with the National Security Agency to spy on millions of American's phone calls without a warrant. The telecommunication companies in foreign countries are far less likely to be pro-United States, and in some cases, they are likely to be working closely with foreign intelligence agencies.

Thus, as long as President Obama keeps his BlackBerry turned on while he is in China, it is likely that the Chinese government will be closely monitoring his location, as reported by the president's phone to the Chinese government-owned phone company. The same sort of security issues will likely arise in many other countries.

Due to these security concerns, this blogger would be extremely surprised if the Secret Service permitted the President to use his BlackBerry when on foreign trips.

As you can see, the use of a BlackBerry by the president creates a number of very real security headaches that are no doubt keeping several people at the Secret Service awake at night. While the initial focus of the press was on the e-mail and smartphone technology in the president's phone, the real threats and risks are actually associated with more boring functions of the device.

Further reading: M. Jakobsson and S. Wetzel. "Security Weaknesses in Bluetooth" (PDF) describes some very similar location privacy attacks against mobile phones using Bluetooth-based sniffers.

As President Obama's $825+ billion financial stimulus package works its way through Congress, a number of groups have started to call for increased transparency in the way that data on the proposed spending will be shared with citizens.

Most noteworthy are demands from public-interest groups and academics that the the data be provided in a format conducive to user-generated mashups and remixes.

The American Recovery and Reinvestment Act of 2009 passed through the House Appropriations Committee a couple weeks ago, and it is expected to come up for a full House vote in the coming weeks.

In addition to authorizing the spending of an obscene amount of money, the act also mandates the creation of a Web site to "foster greater accountability and transparency" in the use of those funds.

While the bill does a great job in mandating the kinds of information that will be put online (contracts, audits, inspector general reports, etc.), it is rather vague with regard to details on how the information will be provided.

The only hints include language mandating that the information be "easy to understand" and "regularly updated," and include a "database of findings from audits," "printable reports," and "user-friendly visual presentations to enhance public awareness of the use of funds."

Such statements bring to mind the possibility of yet another boring and difficult-to-navigate federal government Web site, perhaps similar to the Federal Communications Commission's antiquated and ineffective home page, or the Federal Elections Commission's slothlike campaign donation search engine.

Faced with the possibility of another Web 1.0 Web site designed by the federal bureaucracy, a number of pro-transparency activists and tech policy academics have started to weigh in on the issue, all of them demanding the same thing: full, easy, and free access to the complete data set powering the Recovery.gov Web site.

For example, while the FEC's donation search engine was often slow and unresponsive during last year's presidential campaign, a number of third parties were able to create fantastic mashups of the campaign donation data--the most notable of these being the Hufington Post's FundRace tool, which provides users with a Google map view of each donation to the presidential campaigns.

The numerous independent sites allowing for the easy navigation of campaign donation data was possible because of the legal requirement that all FEC data be made available in full to the public. As a result, public-interest groups and media organizations were able to create their own innovative mashups and remixes of the data, providing faster and more responsive Web interfaces than the FEC's overwhelmed servers, as well as creating innovative visualization methods for navigating the data set.

John Wonderlich, program director at the nonpartisan Sunlight Foundation, outlined the general problem:

We'd like the site to serve not just the amateur information consumer, but also the programmers that can skillfully remix the information. The citizen observer's role seems well-addressed by the legislation that mandated the site (with requirements for "printable reports," feedback, and to be "easy to understand"), while the needs of the programmer are largely unaddressed. The data should be available in formats that facilitate more advanced use by programmers and analysts alike.

Certainly, the data should be made available following the 8 Principles of Open Data: (1) complete, (2) primary (as it is collected at the source), (3) timely, (4) accessible, (5) machine-processable, (6) nondiscriminatory, (7) nonproprietary, and (8) and license-free. XML and CSV are a minimum.

Search is great, if you are looking to find information about any one thing. But original analysis and visualization require access to data in bulk. If the goal of putting the data online is to increase accountability and transparency, then it is necessary (to) provide bulk data access.

Echoing this last point, David Robinson, the associate director of the Center for Information Technology Policy at Princeton University, told me that "(no) one person or organization could possibly anticipate all the ways that Americans will want to analyze, reuse, or cross-reference the information that Recovery.gov will offer. And no one person or organization needs to do so, as long as the data itself is readily available."

In 2008, Robinson and his colleagues at Princeton published a paper calling for the government to provide open access to the raw data used by all federal Web sites. The highly influential paper has been widely circulated among technology policy circles in recent months.

Jim Harper, the director of information policy studies at the Cato Institute, feels that the entire back-end database should be made available.

"This is a little tricky, because people have to settle on a format, and then require submissions in that format from contractors and state and local entities, etc.," Harper told me. "But if the administration wants to be transparent, a little forcing will go a long way. States and contractors will learn how to deal with standardized data quickly, if it makes the difference on getting federal dollars."

A month ago, Harper moderated a one-day forum at Cato, in which a number of policy experts called for open access to government data. A video and podcast of that event can be found here.

Given that this bill has largely been written and shaped behind closed doors, it remains unclear how much of an impact these pro-transparency activists will have on the legislation that will create the Recovery.gov Web site. As of press time, calls for comment left with the House and Senate Appropriations Committees had yet to be returned.

Someone at the White House appears to be listening to those of us in the privacy community.

For the third time in just six days, the Obama administration has modified the White House Web site privacy policy in response to criticism from the blogosphere.

When the site launched on January 20, it exempted YouTube from federal anticookie tracking rules that would have otherwise cast a legal shadow over the use of embedded videos on the White House blog.

Reacting to criticism from the blogosphere, the White House first modified its Web site on Friday to limit the cookie exposure to only those users who clicked on videos. Then, on Sunday, the White House again tinkered with its privacy policy to scrub YouTube's name from the cookie exemption.

The original YouTube-specific exemption stated:

For videos that are visible on WhiteHouse.gov, a "persistent cookie" is set by third-party providers when you click to play the video.

This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.

However, by Sunday evening, the exemption had been edited to remove all mention of YouTube:

For videos that are visible on WhiteHouse.gov, a "persistent cookie" is set by third-party providers when you click to play the video.

This persistent cookie is used by some third-party providers to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.

The decision by the White House to revisit the cookie exemption does not come as a complete shock. The YouTube rule had in just a few short days generated both bad press and direct criticism from several public-interest groups.

It should be noted that this change is, for the most part, cosmetic. YouTube continues to be the only company whose video content is embedded within the White House Web site. Furthermore, the Google-owned video-sharing site is the only one that has received both official legal clearance from the White House Counsel and direct assistance by the White House tech staff (who embed the YouTube content) in planting tracking cookies within the Web browsers of millions of Americans.

Google CEO Eric Schmidt, who has advised President Obama and who personally donated $25,000 to the president's inauguration celebration (out of a total of $150,000 by six Google executives) must be rather pleased.

Still no transparency
In spite of Obama's much-publicized commitment to transparency, the White House has yet to actually provide a copy of the waiver (something this blogger has requested from White House officials informally, as well as via the Freedom of Information Act).

The text of the original privacy policy implied that a specific waiver had been issued for the cookies forced upon end users who intentionally viewed YouTube videos embedded within the White House Web site. The text now implies a far broader waiver for multiple video-sharing Web sites. However, it remains unclear if a new waiver has been issued, or if the old waiver was broad enough to cover multiple sites.

When I first wrote about the privacy policy text last week, I criticized the White House for providing YouTube with a specific exemption. At the time, I noted that no other company had received such special treatment.

The motivation of my criticism was to try to shame the White House staff into doing away with the exemption--as cookies are in no way required in order to serve online video. Instead of recognizing the need to protect consumer privacy, White House officials reacted by expanding the exemption to other companies.

In many ways, the current policy is actually worse than before: non-tech-savvy consumers now have no idea how many companies might be forcing their Web browser to accept tracking cookies. At least up until last week, visitors could take some comfort in the knowledge that only one company might be invading their privacy when they visited the White House Web site (and then only by a firm that had pledged to "do no evil"). Now, at least according to the White House's wide exemption, there could be many.

Last week, I said we should be reasonable and give the White House Web team a bit of time--after all, it is in a brand-new office, managing a new computer network, and scrambling to meet the demands of a very busy boss. However, if the team has had enough time to tinker with the privacy policy at least three times in the past six days, then it has more than enough time to post a copy of the waiver.

Update: 12 hours after posting this story, the White House (partially) reversed itself. The rather dubious YouTube-only waiver from federal Web privacy rules has been maintained, but the White House Web site has been updated to limit the exposure of visitors to YouTube's tracking efforts to only those people who actually click the "play" button on a YouTube video. For more details on the new changes, read this blog post.

The new Web site for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site's policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites.

The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama's legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site).

While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama's home in cyberspace.

No other company has been singled out and rewarded with such a waiver.

In a blog post back in November, I criticized the Obama transition team's Change.gov Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules.

Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.

Someone on the Obama legal team seems to have read my previous blog post, as they've modified the White House privacy policy to specifically exclude YouTube's tracking cookies from federal rules that would otherwise prohibit their use:

"For videos that are visible on WhiteHouse.gov, a 'persistent cookie' is set by third party providers when you click to play the video.

This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie."

YouTube and cookies
Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user's browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.

YouTube is also able to set and access a user's tracking cookie when she visits a third-party Web page that has embedded a video stored on the YouTube site (such as a blog or other Web site), even if the user never clicks the play button.

The moment that the flash file containing the video player is downloaded from YouTube's servers and displayed in the user's browser as part of another Web page, the cookie is transmitted to YouTube's servers. Considering how widespread the practice of embedding YouTube videos has become, this gives Google an amazing amount of data on the Web-browsing activities of hundreds of millions of Internet users--many of whom may not realize that such tracking data is being collected.

The White House policy is not being followed
The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:

"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."

As of Thursday morning, this statement is false.

In multiple tests by this blogger with both Internet Explorer and Firefox, merely visiting pages on the White House blog causes YouTube to set a long-term tracking cookie in the browser--even if the user does not press the play button to start the video. After eight months, this cookie will be automatically deleted by the user's browser--unless, of course, the user visits another Web page somewhere else on the Internet containing a YouTube-embedded video, in which case, the eight-month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever.

While it is obvious that I am rather critical of this entire affair, I am willing to give the Obama Web team the benefit of the doubt in one area: the fact that their current Web infrastructure does not deliver on the promises made by their privacy policy.

The Obama White House Web site is only two days old, and so it is certainly possible that the team simply hasn't gotten around to deploying a more privacy-preserving system for YouTube video embeds. Protecting users who do not click "play" from automatically receiving a cookie is certainly possible; the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided this very feature. Let us hope that the Obama team deploys such a technology in due course.

Can YouTube be justified as a "compelling need"?
For the past 10 years, federal agencies have been prohibited from using tracking cookies on their Web sites, except in a few special cases. The Office of Management and Budget rule M-03-22 states that:

"Agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except .... [when there is] a compelling need."

The question we must now focus on is this: Is the need for Obama to use embedded videos hosted by YouTube (and not, say, another company's video-streaming platform that does not force cookies upon its users) a use that can be reasonably described as compelling?

Presumably, this has been justified on the basis that YouTube forces cookies on the visitors of any Web site that embeds one of its videos. However, while Joe or Jane blogger has no bargaining power with YouTube/Google, the federal government certainly does.

In just the past couple weeks, YouTube has launched dedicated pages for both the House and Senate to show off their own videos, and the site also recently started allowing users to directly download copies of some videos. This latter feature has not yet been widely deployed across the site, and is seems to be limited to videos posted by Obama's team.

Given the famously close connections between Obama and Google, you'd think his tech team could negotiate for a cookie-less way to embed videos. At a technical level, this would be an easy enough change, even if it would deny Google the ability to collect even more information on millions of Americans.

Cookies and other federal agencies
Finally, the new White House YouTube rule may have a far broader impact on the way that federal agencies use Web 2.0 content. Simply put, if another federal agency embeds a YouTube video in its Web site without first having the agency's legal team issue a waiver, have federal rules been violated?

Up until this week, federal agencies have been free to embed Web 2.0 content in their own sites without any real need to consider the privacy risks posed to end users. The fact that the White House Counsel has felt it necessary to issue such a waiver for YouTube videos appearing on the White House Web page could be reasonably interpreted to mean that such a waiver is now required for all embedded Web 2.0 content that might force cookies upon end users. This is certainly new legal ground.

Consider, for example, the Transportation Security Administration, which has posted YouTube videos to its blog numerous times over the past year. Its privacy policy makes no mention of YouTube cookies. Could this lead to issues for the TSA Web team, or perhaps even congressional investigations? Given my own history with TSA, I certainly hope so.

It's that time of year again: predictions for the next 12 months, most of which are likely to be wrong, and a few that, if right, will further cement Surveillance State's status as a top tier tech blog...maybe.

• President Obama will break the heart of Net neutrality activists by picking pro-telecom industry people for the FCC. On the other hand, Obama will pick someone great for the position of privacy czar, and then castrate him/her by not giving the position any power.
• Comcast, AT&T and other ISPs will begin the mass deployment of monthly download caps. However, they will strike profit sharing deals with Google/YouTube and Apple to exempt such traffic from customers' monthly bandwidth limits. Customers who go over the cap will have to pay extra--thus also conveniently killing off much of the P2P market (since no one will pay for BitTorrent), without having to resort to Deep Packet Inspection.
• Google and Yahoo will win the war to define the terms of the privacy vs. data logging debate: The search engines will settle on storing search log data for three to six months, but Microsoft will (unfortunately) fail to define the debate on how the data is anonymized, rather than after how many months. Google and Yahoo will continue to engage in privacy theater by not effectively anonymizing their logs.
• We will not see the passage of any comprehensive overhaul of privacy law in 2009. Efforts to restore privacy to searches of laptops at the border will fail. If legislation does pass, it'll be toothless.
• Bruce Schneier will be the next cybersecurity czar for the federal government.
• The Transportation Security Administration will reverse the liquid ban, but will continue to engage in pointless security theater. The replacement for head honcho Kip Hawley will not shake things up.
• The RIAA will suffer its first major loss in the courts, and will be forced to pay more than $100,000 in damages (in addition to legal costs). Likewise, attempts by the RIAA and MPAA to institute "three strikes" rules in the U.S. will fail.
• The copyright office will reject most of the applications for new DMCA exemptions. It will likely extend the Sony rootkit exemption (although expanding it to downloads/DVDs), and will also likely approve the exemption expansion request for academics to use DVD ripping software for classroom use. All of the other requests will be turned down.
• The transition to digital TV will be a giant trainwreck. Politicians from all sides will rush to point the finger and blame the FCC, and in particular, (by then) former Commissioner Kevin Martin.
• Senator Herb Kohl's investigation into text message pricing will go nowhere, the carriers will not drop prices, and the class action lawsuits will be thrown out of court.

Should members of the public be able to pay for Web advertisements detailing which companies have donated to politicians? While this seems like a great way to promote transparency in politics, Google forbids the practice--we are free to name the politicians who take money but cannot name the companies that give it.

With Google's domination of the search engine market, and the eyeballs that go along with it, the company's AdWords text ads have become a key way for activists, politicians, and corporations to reach the general public. However, over the past year, Google's excessively restrictive policies have resulted in the censorship of lawful advertisements that educated and informed the public.

In one the cases involving religious groups placing anti-abortion ads, Google backed down. As this post will explore, Google's rather absurd, and little known, trademark policy seriously harms the ability of citizens to highlight the donations made to politicians by large corporations.

Trademarks and AdWords
Over the past few years, Google has waged numerous legal battles in order to allow its advertising customers to purchase keyword ads for trademarked phrases. Thus, for example, Nike can make sure that ads for its shoes show up when a Web surfer searches Google.com for Reebok.

Under Google's current trademark policy, Nike can purchase advertisements that will display information for the company's own shoes, such as "Visit Nike.com to get great deals on shoes," but Google forbids anyone but a trademark owner from using a trademarked phrase in an ad. Thus an ad stating that "Nike shoes are worn by Barack Obama, not Reebok" would be forbidden, even if Nike could prove it were true.

This example with two large corporations battling it out doesn't really tug the heart strings. But what about the following few examples of ads, all of which are currently forbidden as per Google's trademark policy?

• A labor rights group that wished to place an ad stating that "Wal-Mart forbids its employees from unionizing," whenever someone searched for the phrase "minimum wage."
• A public-interest group that wished to place an ad stating that "The RIAA has filed over 30,000 lawsuits against Internet users, many of whom were children, elderly, or even dead," whenever a Google user searched for the words "file sharing."

• An activist who wished to place an advertisement stating that "AT&T has given $7,500 since 2004. Who else has donated to the senator?" The ad would be displayed when Internet users searched for the name of a particular politician.

While these first two examples are hypothetical, the final one has actually been censored by Google. I know, because a few weeks ago, Google informed me that an ad campaign that I had run for the last 5 months was being terminated due to a trademark complaint by AT&T.

No sunshine allowed
As regular readers of this blog will know, I dabbled in a bit of tech policy activism in the state of Indiana earlier this year, working on a data breach bill that eventually became law. During the process of getting that bill through committee, I had a nasty run-in with a state senator who didn't take too kindly to my blogging and was willing to hold up my bill as a way to force me to censor my criticism of his colleagues.

Once I left Indiana in May, I promptly registered multiple domain names for Republican State Senate whip Brandt Hershman, www.Brandt-Hershman.com and www.BrandtHershman.com. Both domains point to a single Web page that lists every campaign donation that Sen. Hershman has received, from all corporations, for the history of his political career.

In addition to setting up this Web site, I also placed a Google ad campaign so that anyone searching for "brandt hershman", "senator hershman," or a few other similar keywords would see an advertisement pointing to my site:

What does money buy?

AT&T has given $7,500 since 2004.
Who else has donated to the senator?
www.Brandt-Hershman.com

From June until December of this year, the ad ran without any complaints. However, on December 5, Google notified me that it had suspended my advertisement, based on a trademark complaint:

Thank you for advertising with Google AdWords. After reviewing your account, we've found that one or more of your ads or keywords does not meet our guidelines.

Ad Issue(s): Trademark in Ad Content

SUGGESTIONS:
-> Ad Content: Please remove the following trademark from your ad: AT&T.

When I appealed the suspension of the ad, Google replied with a bit more information, informing me that AT&T had complained about my use of the company's trademark:

Thank you for your email. I understand you're concerned that the term(s) AT&T has been disapproved in your account as a trademark.

Please note that we received a complaint from the trademark owner of AT&T. In their complaint, the trademark owner stated that they are the owner of the mark and that its use in certain advertisements is not authorized. Therefore, your ad was disapproved.

Google's policies, in depth
Google's official policy confirms its zero-tolerance stance toward trademarks in advertisements:

When we receive a complaint from a trademark owner, we only investigate the use of the trademark in ad text. If the advertiser is using the trademark in ad text, we will require the advertiser to remove the trademark and prevent them from using it in ad text in the future.

Google permits trademark owners to submit blanket complaints regarding the use of their mark in advertisements. This means that with just one request, a company can force the removal of every single advertisement that contains the trademark, even if the use is legitimate and lawful.

It's useful to compare Google's trademark and copyright policies. If a copyright owner (say, the Church Of Scientology or Viacom) wishes to force the removal of a link from the Google search index or videos from YouTube, that company must send an individual request for each file or Web site.

If Viacom wants to have 100 episodes of The Daily Show removed from YouTube, it takes 100 requests. However, if Viacom wants to force the takedown of 100 different advertisements that mention The Daily Show, it only takes a single request.

The requirement that copyright owners send individual takedown requests is an important speed bump that protects the fair-use rights of end users, who might be incorrectly accused of violating copyright. No such protection currently exists for Google AdWords customers who wish to lawfully comment on or critique companies whose names are trademarked.

Legal analysis
To make that I wasn't making a fuss out of nothing, I spoke to a number of prominent legal experts, all of whom shared my concern regarding the impact on free speech and transparency in politics.

First, I spoke with Wendy Seltzer, a fellow at Harvard's Berkman Center (disclosure: I am also a fellow at Berkman) and founder of the Chilling Effects Clearinghouse. She told me that:

Google should be concerned that its actions here may actually hurt its (and its users') ability to use trademarks for comparative and search purposes later. Google is now a large enough part of our Internet experience that its concessions to trademark bullies in AdWords could condition readers to think--incorrectly--that all uses of a trademark must be authorized by the trademark holder...

We need to resist this chipping-away at our rights to use brands to speak about the products they promote and things their owners do, and Google, as a major beneficiary of our prodigious use of language, should help us to do so.

Jim Harper, director of information policy studies at the Cato Institute also shared similar concerns:

What (Google) seems to be doing is accepting any complaint as conclusive proof that a trademark violation is occurring. This is a very poor practice, and it grants trademark owners power well beyond their legal rights. On a platform as important as Google's, that will result in a significant diminution of communication about corporations and, in this case, politicians too.

While he was concerned about the impact on free speech, Eric Goldman, a professor at the Santa Clara University School of Law, expressed some sympathy for Google, due to the risk of litigation by trademark owners:

Presumably, AT&T has requested Google not to let any advertisers display "AT&T" in the ad copy--whether the advertisers are competitors, pirates or political speakers. Google is within its legal rights to do so, and there is some legal support for Google's position.

However, unquestionably, Google's policy precludes legitimate trademark references such as yours.

This is not a good situation, but before we criticize Google too harshly, note that they face legal risks whatever they do, and they have tried to find a compromise solution...

Trademark law is so ridiculously expansive that Google feels compelled to implement illogical and chilling policies, so (in my opinion), the real villain is trademark law, not Google.

As both Goldman and Harper told me, Google is perfectly within its rights to refuse to display my advertisement, just as a newspaper or TV stations can refuse to air an ad. However, just as newspapers routinely publish advertisements that criticize companies, so, too, could Google, if it wished to.

The only recourse available to activists wishing to change Google's policies is thus shame--a tactic that has worked pretty well in other similar situations.

Freedom of Speech and Abortion
Earlier this year, a British anti-abortion organization sued Google, after the search engine refused to display an advertisement that the group had sought. The text of the ad was:

U.K. Abortion law
Key views and news on abortion law from The Christian Institute
www.christian.org.uk

Before the lawsuit, Google's policy did not permit the ads promoting Web sites that contained abortion and religion-related content. After a significant amount of bad press, and the settlement of the suit (brought under the United Kingdom's Equality Act), Google reversed itself.

Google's new policy allows religious associations to place ads "in a factual and campaigning way," a Google spokesperson told the British media. She went on to describe the policy in more detail:

This means that their ads need to aim to educate and inform, not to shock. The ads can refer to government legislation, and existing law, and the alternatives to abortion. But, they cannot link to Web sites which show graphic images that aim to shock people into changing their minds.

Outside of the online-advertising space, U.S. telecommunications giant Verizon Communications caused a huge media firestorm in 2007, when it blocked short text message alerts by NARAL, a pro-choice group.

Within days of its anti-free-speech blunder, Verizon quickly backtracked. However, by then, the damage to its reputation was done. Both Congress and the FCC took an interest in the incident, leading to threats of oversight and investigation.

Obviously, abortion is a hot-potato issue that no Fortune 500 company wishes to get caught in the middle of. However, the issue for both Google and Verizon was the same--the companies sell products that enable people to communicate with each other. When they start deciding which kinds of information is appropriate to send, they risk a significant public outcry, as well as the attention of both regulators and Congress.

With any luck, Google will realize that its flawed AdWords trademark policy is hurting free speech and efforts to promote transparency in government. If it doesn't, we all suffer.

With the recent news of the ham-fisted filtering of Wikipedia for over 95 percent of British Internet users by an unelected and unaccountable industry/government hybrid body, it seems like a good time to turn our attention to the issue of the fight against child pornography here in the U.S., and in particular, the freedoms we are willing to hand over along the way.

In this blog post, I will argue that the the time has come for President-elect Barack Obama to appoint a child pornography czar, whose office can take over the tasks currently performed by the powerful yet oversight-free organization: The National Center for Missing and Exploited Children (NCMEC).

However, before we begin, let me state that I, along with the rest of the civilized world, believe that child pornography is a Bad Thing (TM), and those who create or traffic in it are evil people. However, just as one can still support the troops while criticizing the war, I too have an objection to the way we're fighting this war. Actually, to be more accurate, I support the war on child porn, but object to the fact that it's been outsourced to Blackwater NCMEC. But in any case, I'm getting ahead of myself.

The National Center for Missing and Exploited Children
NCMEC was created by a congressional mandate in 1984, and coordinates the the efforts of law enforcement personnel, social service agency staff, elected officials, judges, prosecutors, educators, and elements of both the public and private sector to fight against all forms of child exploitation.

While NCMEC was created by Congress, is mostly funded by the U.S. government (and in particular, the Department of Justice), and plays a key role in assisting the FBI in its fight against child pornography, the organization isn't part of the U.S. government. It is, instead, a nonprofit, and thus not subject to the Freedom of Information Act, the Privacy Act, or limited by constitutional protections guaranteeing free speech, due process, and freedom from unreasonable search and seizure.

NCMEC's power
The National Center for Missing and Exploited Children already wields significant power as an unofficial Internet regulator, some of it granted by Congress, but most of it achieved through "consensual" agreements with Internet service providers. Consider these examples:

NCMEC acts as a clearing house for information and reports on child pornography. Thanks to the Protect Our Children Act of 2008, which was signed into law by the president in October, Internet service providers are now obligated to provide NCMEC with reports on any suspected child pornography that they detect on their networks. Failure to report such information to NCMEC is a crime.

As a result of a quasi-secret deal signed between NCMEC and the major cable companies earlier this year, NCMEC now provides these Internet providers with regularly updated lists of objectionable Web sites run by those cable customers. Upon receipt of a suspect URL, the ISPs immediately remove the files from the Web, with no appeal process for the owners of the Web sites. Oh, and as an added bonus, the ISPs are forbidden from mentioning NCMEC's name when notifying their customers of the takedown.

In June 2008, New York Attorney General Andrew Cuomo and NCMEC strong-armed several major ISPs into terminating their customers' access to Usenet news groups--due to the fact that a few hundred (of the tens of thousands of total Usenet groups) contained child pornography.

Likewise, just a few weeks ago, Craigslist was forced into a deal with 40 state attorneys general and NCMEC in which the site agreed to take steps to root out certain sexually themed or "erotic services" listings. Why NCMEC was concerned about consenting adults selling sex-related services via Craigslist remains unclear.

No oversight, no problems?
The sad truth is that no company can say no to NCMEC. Faced with the possibility of a press conference (perhaps even with an AG or two standing nearby) held in order to criticize the company's noncompliance with an anti-child porn project, any rational company would buckle. The bad PR from not doing so is simply too great.

NCMEC performs an extremely important task, one that has no doubt saved hundreds of children, and I'm glad that I don't have to do it. However, it is also rather strange to entrust this job to a private organization. If this is such an important task, why not give it to the FBI?

The answer to this might be the benefits that come from not being a federal agency: the complete lack of oversight or any requirement for transparency. NCMEC is able to sign secret deals with ISPs and strong-arm companies into cooperating without fear that a FOIA wielding public-interest lawyer or activist will unearth any information on the group's tactics or methods.

Criticism and fear
Over the past several weeks, I've spoken to a number of experts in the field of Internet law and policy. Many of those have strong feelings about NCMEC, but due to the extremely sensitive nature of the child pornography issue, few would go on record to voice their criticism.

Adam Thierer, a senior fellow at the libertarian Progress and Freedom Foundation told me that:

"Despite having the best of intentions, NCMEC has attained a level of authority over the Internet that should now qualify it for closer government scrutiny. The organization should either be covered by the Freedom of Information Act and other relevant government oversight laws and processes, or it should be converted entirely into a federal agency so that it is accountable for its actions as an Internet regulator."

John Morris, senior counsel for the Center for Democracy and Technology voiced similar concerns, telling me:

"We have very significant concerns about the outsourcing of prosecutorial and investigative functions to a non-government entity. And we believe that those functions should only be done (by those subject to) the First and Fourth Amendments, the Privacy Act, and The Freedom Of Information Act."

Other than these two gentlemen, no one else would go on the record.

Reform via a czar
Given its status as a sacred cow, we cannot expect any politician pay heed to calls to overhaul NCMEC or subject it to oversight. However, what we can do, is call for the nationalization of the National Center for Missing and Exploited Children.

Think of it this way: We have a drug czar, a war czar, a copyright czar, and will likely have a cybersecurity czar and car czar under the next administration. Why not throw a child porn czar into the mix? Nationalize NCMEC, make all of its workers federal employees, with good health care and job security, and perhaps even expand its budget--after all, it does good work, right?

NCMEC's job is simply too important to be entrusted to a nonprofit group--such a task can only be performed by a fully trained and funded law enforcement agency (one, which conveniently enough, is subject to the Freedom of Information Act, congressional oversight, and constitutional requirements for due process.)

Best of all, if anyone criticizes this call for a child exploitation czar, we can turn the trump card against them, and accuse them of not caring about the children.

Update at 9:30 a.m. PST: Video audience figures have been updated.

President-elect Barack Obama has now posted his second weekly address to YouTube, and it has already gotten more than 411,000 views. A week ago, I criticized the use of YouTube by Obama's transition team, calling it a no-bid giveaway to the Google-owned video-sharing site.

The solution I called for then--the adoption of BitTorrent as the official distribution platform for Change.gov--was, admittedly, a pipe dream.

In this post, I'll explain why the government needs to step up and host its own videos and why it is simply improper to rely on YouTube to foot the bandwidth bill for Obama's messages to the people. I will also make the case that the use of YouTube and Google Analytics by the Obama transition team violates the privacy of Web site visitors and possibly even violates federal rules banning the use of permanent tracking cookies on government sites.

YouTube as the platform of choice
The announcement a couple weeks ago of Obama's decision to use YouTube for his weekly addresses led to headlines across the world. The president-elect's use of streaming video technology was hailed as revolutionary or, as one transition team rep gushed, "just one of many ways that he will communicate directly with the American people and make the White House and the political process more transparent."

Obama's team uploaded his first video address to YouTube (928,000+ views), AOL (220+ views), Yahoo (8,400+ views), and MSN (545+ views)--all figures as of Monday morning.

In keeping with the spirit of this posting, the above video is not embedded.

(Credit: YouTube)

For his second weekly video, the Obama team seems to have ditched AOL and only uploaded the video to YouTube, Microsoft's MSN, and Yahoo. Web 2.0 start-ups such as Veoh, Vuze, Revver, and Blip.tv have not gotten any love.

While the transition team should be commended for uploading the video to multiple sites (albeit all owned by multibillion-dollar tech titans), the difference in the number of views is rather startling. Without access to accurate stats (which are not public), it is tough to know how many YouTube views came from people viewing the video embedded into the Change.gov site, searching YouTube, or watching a copy embedded into a personal blog or other news site.

However, I do think it is fairly reasonable to assume that a decent percentage of those nearly 1 million views came from people visiting Change.gov, the taxpayer-funded, official site of the Obama transition team. It is those hundreds of thousands of viewers who clicked the play button to load and stream a video embedded from YouTube's servers that are the focus of this post.

Privacy risks
YouTube, like many other sites, uses persistent cookies to track repeat visitors. Thus, when a regular YouTube user views a video embedded in a blog or other third-party site, the user's cookie is automatically sent to YouTube's servers--even without the user clicking the play button. Given the widespread use of embedded videos, this gives Google, which owns YouTube, an even better idea of the surfing habits of millions of people around the world.

And even if you believe Google's "do no evil" motto, it seems at least a little bit creepy for the company to track each time someone visits Change.gov--especially when that person doesn't actually press the play button to watch Obama's latest message to the people.

The privacy risks associated with the widespread use of embedded videos is something that has caused significant concern for privacy activists--enough for the folks at the Electronic Frontier Foundation to develop the privacy-preserving MyTube tool for Webmasters. If the Obama team insists on sticking with YouTube embeds, perhaps it will at least consider deploying MyTube to protect the privacy of citizens who visit the official transition site.

The privacy risks aren't just limited to YouTube.

Just a week ago, Dan Goodin at The Register criticized the use of the Google Analytics Web-tracking code in the Change.gov site--which also sets a permanent tracking cookie. Although he mostly focused on security risks, and not privacy-related threats, he blasted Obama's Web design team, stating that:

The failure of Obama's Webmasters to follow anything remotely like best practices is more than a little troubling because it suggests they don't fully grasp the security realities of living in a Web 2.0 world.

Eight years ago, the issue of cookies tracking users on government sites was a fairly big issue in tech policy circles, drawing the attention of those in Congress. Eventually, the Office of Management and Budget issued a directive that forbid the use of persistent cookies on federal agency sites.

The Obama team's use of both YouTube and Google Analytics raises serious privacy concerns and likely clashes with the OMB directive.

If Obama's transition team can afford to lease a jet for the president-elect and to pay for staff salaries, BlackBerrys, and hotel rooms, why can't it also pay for a few Web servers capable of serving up Flash video?

(Credit: Change.gov)

To be clear, Change.gov is not creating or requesting its own persistent cookies. However, due to the embedding of YouTube videos and Google Analytics Web-tracking code in the site, visitors will be transmitting cookies to Google's servers. Since the YouTube cookies are not set directly by the Change.gov servers, it is unclear whether the Google cookies violate the specific OMB directive. Even if they do not, they clearly violate the intention of the rule--which was created in the days before embedded videos or third-party-hosted Javascript.

The official privacy policy listed at Change.gov makes no mention of cookies, nor of the collection of visitor information by Google's servers. The privacy policy does, however, pledge "not to make personal information available to anyone other than our employees, staff, and agents." At best, the Obama team copied a boilerplate privacy policy from somewhere else and overlooked the use of YouTube and Google Analytics. At worst, it seems pretty deceptive.

When reached for his thoughts, Marc Rotenberg, executive director of the Electronic Privacy Information Center told me:

On the upside, the transition people have done a good job with the ethics in government rules for transition team members. Now they need to revise the Change.Gov Web site and respect the rights of citizens who are seeking information about the new administration.

Lots of traffic
The low-quality video YouTube video embedded into the Change.gov blog is 7MB. When multiplied by more than 900,000 views, we find out that Obama's first video led to the consumption of over 6 terabytes of bandwidth. If the Obama team had to pay for the data, instead of getting it for free from YouTube, it would have cost nearly $1,000, at least if it used Amazon.com's S3 cloud-hosting service.

While YouTube did not serve any advertisements within or around Obama's chat, each of those 900,000+ viewers did see YouTube's name prominently placed within the Change.gov site (as a watermark in the bottom corner of the video). Once the three-minute video is over, viewers are given the ability to watch other related videos (which might have advertisements) or, with one click, to navigate directly to the Google-owned video-sharing site, which certainly has advertisements.

Furthermore, I'm sure that Google's PR team was absolutely overjoyed with the thousands of newspaper articles that flatteringly tied the president-elect to the video-sharing platform. While all press is good press, it is likely such Obama-related press is even better.

Defaults matter
The Obama team's uploading of its weekly videos to YouTube is fine--providing, as it currently does, that it also uploads the videos to a few other places too. As the videos are not copyrighted, members of the public are free to redistribute them via other platforms (as the LegalTorrents P2P site has done), and even mash them up. This is great, and I support this embrace of Internet distribution by the president-elect's team of geeks.

I do, however, have a problem with the use of YouTube-hosted embedded videos on the official Change.gov site.

The transition team has a budget of over $12 million. If it can afford to lease a jet for Obama and to pay for staff salaries, BlackBerrys, and hotel rooms, why can't it also pay for a few Web servers capable of serving up Flash video? Isn't it a bit tacky for the federal government to be relying on Google to host its videos?

It's as if the entire Obama transition team has adopted Hotmail's free e-mail service for its daily communications--with each e-mail sent by an Obama adviser followed by a signature pitching one of Microsoft's products: "See how Windows Mobile brings your life together--at home, work, or on the go."

Obama raised half a billion dollars through online donations during his campaign. His was the first presidential campaign to employ a chief technology officer (a computer geek formerly at the travel site Orbitz). These guys know what they're doing when it comes to technology; they design beautiful, interactive sites and have relied upon complex data-mining algorithms to profile and target individual voters and donors. If they wanted to, they'd have no problem installing a few dozen Adobe Systems Flash streaming servers. However, since YouTube will gladly foot the bill, the Obama team hasn't felt the need.

During his campaign for the presidency, Obama didn't call for a Web 2.0 government, but for a Google government--something that CEO Eric Schmidt, who is now serving as one of Obama's economic advisers, was probably very happy to hear. While I love conspiracy theories as much as the next guy, I don't really see one here. However, given the close connection between Obama and several higher-ups at Google, it is better to avoid the appearance of a conflict of interest.

Thus, it is time to bring an end to embedded YouTube videos on Change.gov. By all means, use streaming video to reach the masses, but let the bits flow from government-owned servers (preferably without privacy-invading cookies). If bloggers wish to embed YouTube videos of the speech on their own sites, that is fine. But Obama shouldn't.

Disclosure: I was a technology fellow at the Electronic Privacy Information Center in spring 2008 where I worked on social-networking-related issues. I also worked for Google as a summer intern in 2006, received two Google fellowships, and currently use Google Analytics tracking tool for my personal site.

How far does President-elect Barack Obama take his commitment to transparency? Is it a serious pledge to shake up Washington, to apply sunlight to the often shadowy depths of the executive branch, or is it merely a very good marketing campaign?

In the past few days, the public has received some seriously mixed signals on the issue--his decision to use YouTube to speak to the American people, and then press reports indicating that he may give up e-mail as president to avoid oversight.

On Saturday morning, Obama's first video address to the people was posted to YouTube. A copy of the video was embedded into the Change.gov blog, and has since received over 650,000 views. In describing the new YouTube effort, an Obama spokesperson told The Washington Post that:

"This is just one of many ways that he will communicate directly with the American people and make the White House and the political process more transparent."

Contrast that bit of hype to the news that the president-elect will likely be giving up his prized Blackberry, and like previous presidents, giving up e-mail the moment he takes office, due to the fact that e-mails can be subpoenaed by Congress, or later end up in the presidential library. As The New York Times reported:

In addition to concerns about e-mail security, [Obama] faces the Presidential Records Act, which puts his correspondence in the official record and ultimately up for public review, and the threat of subpoenas. A decision has not been made on whether he could become the first e-mailing president, but aides said that seemed doubtful.

The real issue here is not one of keeping the president's in-box safe from Chinese hackers, but keeping it safe from Congressional investigators.

If the National Security Agency, Central Intelligence Agency, and a number of other spy agencies can provide e-mail access to their tens of thousands of employees, then the president's e-mail can be kept safe and secure. The U.S. government has classified networks, over which classified data flows, and for obvious reasons, these are not connected to the general purpose Internet. And for the spy on the go who needs real-time access to top secret information? The NSA has its own smartphones made for handling classified data.

It is important to note that no one from the Obama administration has gone on record to speak about this issue yet, and so while it is certainly worth discussing, it is still too early to pass judgment upon President-elect Obama's e-mail policy.

In the meantime, the press has reached out to members of past administrations to share their thoughts on the clash between Obama's stated commitment to transparency and a natural desire for privacy. On this issue, former Bush Press Secretary Scott McClellan told the Associated Press:

"While he has pledged an open and transparent government, I doubt the president-elect is interested in subjecting his own personal communications to that standard." He added, "He will have to think very hard about whether he wants to make his own words that subject to open records by having his own e-mail and his own BlackBerry."

If the next president opts to use e-mail, it will almost certainly become part of the public record at some point. However, that lack of e-mail privacy is far more a feature than a bug.

Without being able to follow the paper trails, and see what is being said by whom in the White House, how can real oversight be achieved? The willingness of the next president to use e-mail (and even a smartphone), even with the knowledge that his messages might later be subpoenaed by Congress, will be the best way for him to demonstrate his belief in the importance of sunlight.

As for the issue of Obama's right to privacy--remember that we are not talking about the president's personal Hotmail account, but his ability to use e-mail for work purposes. Americans generally have little to no legal rights to privacy relating to their use of Internet at work--at least with regard to their employer. Bosses have the right to install Web filters, monitoring software, and to read through specific e-mails.

With that in mind, consider that Obama is a public servant who works for us. We, the public, are his collective boss, and so why should he have any privacy rights over the e-mails he sends on our time? If the White House is the People's House, then its e-mail servers are the People's Servers, and we have a right to see every bit of text that gets sent through them at our expense.

Finally, if the president is serious about transparent government, perhaps he'll pledge to not allow his staff to hide behind executive privilege once Congressional investigators come calling (as I am sure they eventually will). Sure, this will be more unpleasant and potentially embarrassing than merely throwing a few carefully scripted videos up on YouTube. However, such a commitment would actually be transparency we can believe in.