Update: 12 hours after posting this story, the White House (partially) reversed itself. The rather dubious YouTube-only waiver from federal Web privacy rules has been maintained, but the White House Web site has been updated to limit the exposure of visitors to YouTube's tracking efforts to only those people who actually click the "play" button on a YouTube video. For more details on the new changes, read this blog post.
The new Web site for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site's policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites.
The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama's legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site).
While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama's home in cyberspace.
No other company has been singled out and rewarded with such a waiver.
In a blog post back in November, I criticized the Obama transition team's Change.gov Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules.
Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.
Someone on the Obama legal team seems to have read my previous blog post, as they've modified the White House privacy policy to specifically exclude YouTube's tracking cookies from federal rules that would otherwise prohibit their use:
"For videos that are visible on WhiteHouse.gov, a 'persistent cookie' is set by third party providers when you click to play the video.
This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie."
YouTube and cookies
Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user's browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.
YouTube is also able to set and access a user's tracking cookie when she visits a third-party Web page that has embedded a video stored on the YouTube site (such as a blog or other Web site), even if the user never clicks the play button.
The moment that the Flash file containing the video player is downloaded from YouTube's servers and displayed in the user's browser as part of another Web page, the cookie is transmitted to YouTube's servers. Considering how widespread the practice of embedding YouTube videos has become, this gives Google an amazing amount of data on the Web-browsing activities of hundreds of millions of Internet users--many of whom may not realize that such tracking data is being collected.
The White House policy is not being followed
The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:
"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."
As of Thursday morning, this statement is false.
In multiple tests by this blogger with both Internet Explorer and Firefox, merely visiting pages on the White House blog causes YouTube to set a long-term tracking cookie in the browser--even if the user does not press the play button to start the video. After eight months, this cookie will be automatically deleted by the user's browser--unless, of course, the user visits another Web page somewhere else on the Internet containing a YouTube-embedded video, in which case, the eight-month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever.
While it is obvious that I am rather critical of this entire affair, I am willing to give the Obama Web team the benefit of the doubt in one area: the fact that their current Web infrastructure does not deliver on the promises made by their privacy policy.
The Obama White House Web site is only two days old, and so it is certainly possible that the team simply hasn't gotten around to deploying a more privacy-preserving system for YouTube video embeds. Protecting users who do not click "play" from automatically receiving a cookie is certainly possible; the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided this very feature. Let us hope that the Obama team deploys such a technology in due course.
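A click-to-load wrapper of the kind described above, as an added example (it is not the EFF's script or the White House's code). It rewrites a page so that embedded YouTube players are replaced by a plain link, and nothing is requested from YouTube until the visitor clicks; the function names, the `deferred-video` class, the accepted hostnames and URL shapes, and the sample page are assumptions of this sketch.

```javascript
// Added example: defer YouTube embeds until the visitor clicks "play".
// All names here are hypothetical; the sample page is constructed.

const YOUTUBE_HOSTS = new Set([
  "youtube.com", "www.youtube.com",
  "youtube-nocookie.com", "www.youtube-nocookie.com",
]);

// Return the 11-character video ID from an embed URL (/v/ID or /embed/ID),
// or null when the URL does not point at a YouTube player.
function youtubeVideoId(src) {
  let url;
  try {
    url = new URL(src, "https://example.invalid/"); // base resolves relative URLs
  } catch (e) {
    return null;
  }
  if (!YOUTUBE_HOSTS.has(url.hostname)) return null;
  const m = url.pathname.match(/^\/(?:v|embed)\/([A-Za-z0-9_-]{11})(?:[&\/]|$)/);
  return m ? m[1] : null;
}

// Static stand-in for the player. The ID is restricted to [A-Za-z0-9_-],
// so it can be placed in attributes without further escaping. The href is a
// fallback for browsers without JavaScript: YouTube is contacted only on click.
function placeholderFor(videoId) {
  return '<a class="deferred-video" data-video-id="' + videoId + '" ' +
    'href="https://www.youtube.com/watch?v=' + videoId + '">' +
    'Play video (loads content from YouTube)</a>';
}

// <iframe>/<object> blocks, or a stand-alone <embed> tag.
const EMBED_BLOCK = /<(iframe|object)\b[\s\S]*?<\/\1\s*>|<embed\b[^>]*>/gi;
// Attributes that can carry the player URL.
const URL_ATTR = /\b(?:src|data|value)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;

// Server-side (or build-time) rewrite: the delivered HTML no longer references
// the YouTube player, so viewing the page alone sends YouTube no request.
function deferEmbeds(html) {
  let replaced = 0;
  const out = html.replace(EMBED_BLOCK, (block) => {
    for (const m of block.matchAll(URL_ATTR)) {
      const id = youtubeVideoId(m[1] !== undefined ? m[1] : m[2]);
      if (id) {
        replaced += 1;
        return placeholderFor(id);
      }
    }
    return block; // not a YouTube embed: leave untouched
  });
  return { html: out, replaced };
}

// Browser side: swap the placeholder for the real player on click.
function activateDeferredVideos(doc) {
  doc.querySelectorAll("a.deferred-video").forEach((link) => {
    link.addEventListener("click", (event) => {
      event.preventDefault();
      const frame = doc.createElement("iframe");
      frame.src = "https://www.youtube.com/embed/" +
        encodeURIComponent(link.dataset.videoId) + "?autoplay=1";
      frame.width = "560";
      frame.height = "315";
      link.replaceWith(frame); // first request to YouTube happens here
    });
  });
}
if (typeof document !== "undefined") activateDeferredVideos(document);

// Constructed sample: one Flash-era YouTube embed and one unrelated iframe.
const SAMPLE_PAGE = [
  "<p>Weekly address</p>",
  '<object width="480" height="295">',
  '<param name="movie" value="http://www.youtube.com/v/AAAAAAAAAAA&amp;hl=en&amp;fs=1">',
  '<embed src="http://www.youtube.com/v/AAAAAAAAAAA&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash">',
  "</object>",
  '<iframe src="https://maps.example.org/embed/xyz"></iframe>',
].join("\n");
```

The rewrite is regex-based and meant for markup the site itself generates; a site that accepts arbitrary HTML should apply the same substitution with a real HTML parser.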
Can YouTube be justified as a "compelling need"?
For the past 10 years, federal agencies have been prohibited from using tracking cookies on their Web sites, except in a few special cases. The Office of Management and Budget rule M-03-22 states that:
"Agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except .... [when there is] a compelling need."
The question we must now focus on is this: Is the need for Obama to use embedded videos hosted by YouTube (and not, say, another company's video-streaming platform that does not force cookies upon its users) a use that can be reasonably described as compelling?
Presumably, this has been justified on the basis that YouTube forces cookies on the visitors of any Web site that embeds one of its videos. However, while Joe or Jane blogger has no bargaining power with YouTube/Google, the federal government certainly does.
In just the past couple weeks, YouTube has launched dedicated pages for both the House and Senate to show off their own videos, and the site also recently started allowing users to directly download copies of some videos. This latter feature has not yet been widely deployed across the site, and it seems to be limited to videos posted by Obama's team.
Given the famously close connections between Obama and Google, you'd think his tech team could negotiate for a cookie-less way to embed videos. At a technical level, this would be an easy enough change, even if it would deny Google the ability to collect even more information on millions of Americans.
Cookies and other federal agencies
Finally, the new White House YouTube rule may have a far broader impact on the way that federal agencies use Web 2.0 content. Simply put, if another federal agency embeds a YouTube video in its Web site without first having the agency's legal team issue a waiver, have federal rules been violated?
Up until this week, federal agencies have been free to embed Web 2.0 content in their own sites without any real need to consider the privacy risks posed to end users. The fact that the White House Counsel has felt it necessary to issue such a waiver for YouTube videos appearing on the White House Web page could be reasonably interpreted to mean that such a waiver is now required for all embedded Web 2.0 content that might force cookies upon end users. This is certainly new legal ground.
Consider, for example, the Transportation Security Administration, which has posted YouTube videos to its blog numerous times over the past year. Its privacy policy makes no mention of YouTube cookies. Could this lead to issues for the TSA Web team, or perhaps even congressional investigations? Given my own history with TSA, I certainly hope so.
It's that time of year again: predictions for the next 12 months, most of which are likely to be wrong, and a few that, if right, will further cement Surveillance State's status as a top tier tech blog...maybe.
- President Obama will break the heart of Net neutrality activists by picking pro-telecom industry people for the FCC. On the other hand, Obama will pick someone great for the position of privacy czar, and then castrate him/her by not giving the position any power.
- Comcast, AT&T and other ISPs will begin the mass deployment of monthly download caps. However, they will strike profit sharing deals with Google/YouTube and Apple to exempt such traffic from customers' monthly bandwidth limits. Customers who go over the cap will have to pay extra--thus also conveniently killing off much of the P2P market (since no one will pay for BitTorrent), without having to resort to Deep Packet Inspection.
- Google and Yahoo will win the war to define the terms of the privacy vs. data logging debate: The search engines will settle on storing search log data for three to six months, but Microsoft will (unfortunately) fail to define the debate on how the data is anonymized, rather than after how many months. Google and Yahoo will continue to engage in privacy theater by not effectively anonymizing their logs.
- We will not see the passage of any comprehensive overhaul of privacy law in 2009. Efforts to restore privacy to searches of laptops at the border will fail. If legislation does pass, it'll be toothless.
- Bruce Schneier will be the next cybersecurity czar for the federal government.
- The Transportation Security Administration will reverse the liquid ban, but will continue to engage in pointless security theater. The replacement for head honcho Kip Hawley will not shake things up.
- The RIAA will suffer its first major loss in the courts, and will be forced to pay more than $100,000 in damages (in addition to legal costs). Likewise, attempts by the RIAA and MPAA to institute "three strikes" rules in the U.S. will fail.
- The copyright office will reject most of the applications for new DMCA exemptions. It will likely extend the Sony rootkit exemption (although expanding it to downloads/DVDs), and will also likely approve the exemption expansion request for academics to use DVD ripping software for classroom use. All of the other requests will be turned down.
- The transition to digital TV will be a giant trainwreck. Politicians from all sides will rush to point the finger and blame the FCC, and in particular, (by then) former Commissioner Kevin Martin.
- Senator Herb Kohl's investigation into text message pricing will go nowhere, the carriers will not drop prices, and the class action lawsuits will be thrown out of court.
Should members of the public be able to pay for Web advertisements detailing which companies have donated to politicians? While this seems like a great way to promote transparency in politics, Google forbids the practice--we are free to name the politicians who take money but cannot name the companies that give it.
With Google's domination of the search engine market, and the eyeballs that go along with it, the company's AdWords text ads have become a key way for activists, politicians, and corporations to reach the general public. However, over the past year, Google's excessively restrictive policies have resulted in the censorship of lawful advertisements that educated and informed the public.
In one of the cases, involving religious groups placing anti-abortion ads, Google backed down. As this post will explore, Google's rather absurd, and little known, trademark policy seriously harms the ability of citizens to highlight the donations made to politicians by large corporations.
Trademarks and AdWords
Over the past few years, Google has waged numerous legal battles in order to allow its advertising customers to purchase keyword ads for trademarked phrases. Thus, for example, Nike can make sure that ads for its shoes show up when a Web surfer searches Google.com for Reebok.
Under Google's current trademark policy, Nike can purchase advertisements that will display information for the company's own shoes, such as "Visit Nike.com to get great deals on shoes," but Google forbids anyone but a trademark owner from using a trademarked phrase in an ad. Thus an ad stating that "Nike shoes are worn by Barack Obama, not Reebok" would be forbidden, even if Nike could prove it were true.
This example with two large corporations battling it out doesn't really tug the heart strings. But what about the following few examples of ads, all of which are currently forbidden as per Google's trademark policy?
- A labor rights group that wished to place an ad stating that "Wal-Mart forbids its employees from unionizing," whenever someone searched for the phrase "minimum wage."
- A public-interest group that wished to place an ad stating that "The RIAA has filed over 30,000 lawsuits against Internet users, many of whom were children, elderly, or even dead," whenever a Google user searched for the words "file sharing."
- An activist who wished to place an advertisement stating that "AT&T has given $7,500 since 2004. Who else has donated to the senator?" The ad would be displayed when Internet users searched for the name of a particular politician.
While these first two examples are hypothetical, the final one has actually been censored by Google. I know, because a few weeks ago, Google informed me that an ad campaign that I had run for the last 5 months was being terminated due to a trademark complaint by AT&T.
No sunshine allowed
As regular readers of this blog will know, I dabbled in a bit of tech policy activism in the state of Indiana earlier this year, working on a data breach bill that eventually became law. During the process of getting that bill through committee, I had a nasty run-in with a state senator who didn't take too kindly to my blogging and was willing to hold up my bill as a way to force me to censor my criticism of his colleagues.
Once I left Indiana in May, I promptly registered multiple domain names for Republican State Senate whip Brandt Hershman, www.Brandt-Hershman.com and www.BrandtHershman.com. Both domains point to a single Web page that lists every campaign donation that Sen. Hershman has received, from all corporations, for the history of his political career.
In addition to setting up this Web site, I also placed a Google ad campaign so that anyone searching for "brandt hershman", "senator hershman," or a few other similar keywords would see an advertisement pointing to my site:
What does money buy?
AT&T has given $7,500 since 2004.
Who else has donated to the senator?
www.Brandt-Hershman.com
From June until December of this year, the ad ran without any complaints. However, on December 5, Google notified me that it had suspended my advertisement, based on a trademark complaint:
Thank you for advertising with Google AdWords. After reviewing your account, we've found that one or more of your ads or keywords does not meet our guidelines.
Ad Issue(s): Trademark in Ad Content
SUGGESTIONS:
-> Ad Content: Please remove the following trademark from your ad: AT&T.
When I appealed the suspension of the ad, Google replied with a bit more information, informing me that AT&T had complained about my use of the company's trademark:
Thank you for your email. I understand you're concerned that the term(s) AT&T has been disapproved in your account as a trademark.
Please note that we received a complaint from the trademark owner of AT&T. In their complaint, the trademark owner stated that they are the owner of the mark and that its use in certain advertisements is not authorized. Therefore, your ad was disapproved.
Google's policies, in depth
Google's official policy confirms its zero-tolerance stance toward trademarks in advertisements:
When we receive a complaint from a trademark owner, we only investigate the use of the trademark in ad text. If the advertiser is using the trademark in ad text, we will require the advertiser to remove the trademark and prevent them from using it in ad text in the future.
Google permits trademark owners to submit blanket complaints regarding the use of their mark in advertisements. This means that with just one request, a company can force the removal of every single advertisement that contains the trademark, even if the use is legitimate and lawful.
It's useful to compare Google's trademark and copyright policies. If a copyright owner (say, the Church Of Scientology or Viacom) wishes to force the removal of a link from the Google search index or videos from YouTube, that company must send an individual request for each file or Web site.
If Viacom wants to have 100 episodes of The Daily Show removed from YouTube, it takes 100 requests. However, if Viacom wants to force the takedown of 100 different advertisements that mention The Daily Show, it only takes a single request.
The requirement that copyright owners send individual takedown requests is an important speed bump that protects the fair-use rights of end users, who might be incorrectly accused of violating copyright. No such protection currently exists for Google AdWords customers who wish to lawfully comment on or critique companies whose names are trademarked.
Legal analysis
To make sure that I wasn't making a fuss out of nothing, I spoke to a number of prominent legal experts, all of whom shared my concern regarding the impact on free speech and transparency in politics.
First, I spoke with Wendy Seltzer, a fellow at Harvard's Berkman Center (disclosure: I am also a fellow at Berkman) and founder of the Chilling Effects Clearinghouse. She told me that:
Google should be concerned that its actions here may actually hurt its (and its users') ability to use trademarks for comparative and search purposes later. Google is now a large enough part of our Internet experience that its concessions to trademark bullies in AdWords could condition readers to think--incorrectly--that all uses of a trademark must be authorized by the trademark holder...
We need to resist this chipping-away at our rights to use brands to speak about the products they promote and things their owners do, and Google, as a major beneficiary of our prodigious use of language, should help us to do so.
Jim Harper, director of information policy studies at the Cato Institute, also shared similar concerns:
What (Google) seems to be doing is accepting any complaint as conclusive proof that a trademark violation is occurring. This is a very poor practice, and it grants trademark owners power well beyond their legal rights. On a platform as important as Google's, that will result in a significant diminution of communication about corporations and, in this case, politicians too.
While he was concerned about the impact on free speech, Eric Goldman, a professor at the Santa Clara University School of Law, expressed some sympathy for Google, due to the risk of litigation by trademark owners:
Presumably, AT&T has requested Google not to let any advertisers display "AT&T" in the ad copy--whether the advertisers are competitors, pirates or political speakers. Google is within its legal rights to do so, and there is some legal support for Google's position.
However, unquestionably, Google's policy precludes legitimate trademark references such as yours.
This is not a good situation, but before we criticize Google too harshly, note that they face legal risks whatever they do, and they have tried to find a compromise solution...
Trademark law is so ridiculously expansive that Google feels compelled to implement illogical and chilling policies, so (in my opinion), the real villain is trademark law, not Google.
As both Goldman and Harper told me, Google is perfectly within its rights to refuse to display my advertisement, just as a newspaper or TV station can refuse to air an ad. However, just as newspapers routinely publish advertisements that criticize companies, so, too, could Google, if it wished to.
The only recourse available to activists wishing to change Google's policies is thus shame--a tactic that has worked pretty well in other similar situations.
Freedom of Speech and Abortion
Earlier this year, a British anti-abortion organization sued Google, after the search engine refused to display an advertisement that the group had sought. The text of the ad was:
U.K. Abortion law
Key views and news on abortion law from The Christian Institute
www.christian.org.uk
Before the lawsuit, Google's policy did not permit ads promoting Web sites that contained abortion and religion-related content. After a significant amount of bad press, and the settlement of the suit (brought under the United Kingdom's Equality Act), Google reversed itself.
Google's new policy allows religious associations to place ads "in a factual and campaigning way," a Google spokesperson told the British media. She went on to describe the policy in more detail:
This means that their ads need to aim to educate and inform, not to shock. The ads can refer to government legislation, and existing law, and the alternatives to abortion. But, they cannot link to Web sites which show graphic images that aim to shock people into changing their minds.
Outside of the online-advertising space, U.S. telecommunications giant Verizon Communications caused a huge media firestorm in 2007, when it blocked short text message alerts by NARAL, a pro-choice group.
Within days of its anti-free-speech blunder, Verizon quickly backtracked. However, by then, the damage to its reputation was done. Both Congress and the FCC took an interest in the incident, leading to threats of oversight and investigation.
Obviously, abortion is a hot-potato issue that no Fortune 500 company wishes to get caught in the middle of. However, the issue for both Google and Verizon was the same--the companies sell products that enable people to communicate with each other. When they start deciding which kinds of information are appropriate to send, they risk a significant public outcry, as well as the attention of both regulators and Congress.
With any luck, Google will realize that its flawed AdWords trademark policy is hurting free speech and efforts to promote transparency in government. If it doesn't, we all suffer.
See my full write-up of all of the other DMCA requests here.
When a digital rights management-based music, video, or software product shuts down, as has happened in the past with Microsoft, Google, Yahoo and Wal-Mart Stores, one thing is guaranteed: customers lose legal access to works for which they paid.
Existing copyright law makes it a crime to attempt to circumvent DRM protections, even on legally purchased music, and so consumers are generally dependent upon the failing media store to provide some remedy--perhaps a refund, or a temporary delay of a few months in the death of the DRM-authenticating servers that are necessary for full use of the music. However, the store instead may simply choose to say "bah humbug," shut down, and leave consumers high and dry.
What if, instead, consumers had a legal right to circumvent the DRM protecting those legally obtained but now useless songs, videos, software, and video games? If this blogger and a legal team from Harvard University are successful, this just might be possible.
The Digital Millennium Copyright Act makes it illegal for users to break or reverse-engineer the DRM that protects music, video, software, and consumer electronics. However, every three years, the Copyright Office asks the public to submit requests for new exemptions to the law.
In years past, consumers were given the right to hack region-locked mobile phones, and security researchers were allowed to circumvent the DRM protecting malware-infected music CDs (such as in the famous Sony rootkit fiasco).
The deadline for this year's requests was Tuesday afternoon.
A team from Harvard's Berkman Center for Internet and Society has requested an exemption that, in the event that a central server-based DRM scheme fails in the future, would permit consumers to circumvent and evade the DRM protecting the music, movies, software, and games that they have previously purchased, in order to maintain their existing lawful right to access those works.
The team is made up of myself, Phil Malone, a clinical professor of law at Harvard Law School and director of the Cyberlaw Clinic, and Arjun Mehra, a law student in the clinic. Our full submission can be downloaded here.
In just the past few years, a number of DRM-based music and video stores have gone kaput, leaving their customers without a lawful way to access works for which they paid good money. These include Microsoft's MSN Music Store, Google's Video store, Yahoo Music, and Wal-Mart.
In some cases, consumers could keep listening to media on the same computer, after the shuttering of the authentication server, but they were unable to transfer the songs and videos to new MP3 players or other computers, or even to reactivate them on their original devices, in cases where they had a hard drive crash or needed to reinstall the operating system.
While we're not aware of examples so far of shutdowns or failures of similar DRM systems protecting software and games, this sort of consumer harm is likely in the next few years. For example, were Electronic Arts to go bankrupt, the millions of customers who had purchased a copy of the game Spore would be unable to reinstall that lawfully purchased copy after a hard-disk crash or virus infection.
Under a plan floated by Electronic Arts this past May, some of its games would need to contact a DRM server every 10 days to continue functioning. Such a regime would lead to the instant orphaning of every installed copy of the game, if the company later shut its doors or shut down its authenticating servers.
Luckily for angry EA fans, the company abandoned the 10-day authentication plan after massive consumer backlash, but the likelihood that other game or software vendors will use similar measures in the near future is high.
A researcher exception too
If researchers have to wait until the central authenticating DRM servers have been switched off before they can begin the reverse-engineering process, they might never be able to learn how the DRM works and how it might be lawfully evaded, if a DMCA exemption permitted it.
To understand how to effectively circumvent a DRM system, researchers need to be able to watch authentication messages flowing back and forth between a legitimate client and the master DRM server. Once the server has been turned off, there are no authentication messages being transmitted that the researchers can observe and study.
As a simplistic example, consider that Ali Baba needed to sit outside the 40 thieves' cave in order to overhear the correct password ("open sesame"). Had the thieves vanished, and Ali Baba been left outside the cave, trying random passwords, it is likely that he never would have been able to get inside.
To solve this problem, we have asked the Copyright Office for a second exemption to the DMCA's anticircumvention provisions. We have asked that technologists and researchers be allowed to circumvent such DRM stores in the course of good-faith research before the death of the server, for the purpose of documenting the inner workings of the DRM system.
This way, for example, researchers would be able to legally circumvent the DRM in iTunes or Spore, even while the services are still functioning, in order to understand and document how the DRM software functions.
This would give legitimate researchers (both professional and amateur) the legal protections necessary in order to safely tinker with and take apart existing DRM systems so that, should the services ever be shut down, it wouldn't be too late to gather vital circumvention information.
Of course, it would still be illegal for the general public to use that information to circumvent a DRM store, until the service was shut down and the DRM servers stopped functioning.
Thanks
I'd like to thank Phil Malone and Arjun Mehra, who donated their time to work on and draft this request with me. I'd also like to thank Ed Felten, Tim Lee, Nicole Ozer, Chris Riley, Pam Samuelson, Wendy Seltzer, and Fred von Lohmann, all of whom provided us with valuable feedback during the drafting process.
For copyright activists, Christmas comes but once every three years: a chance to ask Santa for a new exemption to the much-hated Digital Millennium Copyright Act's prohibitions against hacking, reverse engineering, and evasion of digital rights management (DRM) schemes protecting all kinds of digital works and electronic items.
Judging from the list of 19 exemptions requested this year, some in the cyberlaw community are thinking big. (Disclosure: One of the DMCA exemption requests was submitted on behalf of this blogger by Harvard University's Cyberlaw Clinic.) The requests include the right to legally jailbreak iPhones to use third-party software, university professors wishing to rip clips from DVDs for classroom use, YouTube users wishing to rip DVDs to make video mashups, a request to allow users to hack DRM protecting content from stores that have gone bankrupt or shut down, and a request to allow security researchers to reverse-engineer video games with security flaws that put end users at risk.
Electronic Frontier Foundation uber-lawyer Fred von Lohmann told Wired News earlier this week that the government "has repeatedly dismissed any consumer-oriented fair uses, such as making backup copies of DVDs or video games, as well as requests for exemptions to enable copying DVDs to laptops and portable devices." He also told them that the DMCA exemption process is "hopelessly broken."
That depressing outlook doesn't seem to have stopped von Lohmann from co-authoring two significant requests (PDF) to the copyright office for exemptions squarely targeted at members of the public.
The highlights
The 19 requests are too lengthy to blog, and so only the most noteworthy (to this blogger) have been presented here. Those wishing to read through the others can find all of the submitted exemption requests at the Copyright Office's Web site.
First, the EFF has asked that consumers be allowed to jailbreak or hack smartphones to run lawfully obtained third-party software on the devices. Such an exemption, if granted, would be great news for the estimated 1 million users who have hacked their iPhone, and risked the wrath of Steve Jobs as his engineers played cat-and-mouse to stop the jailbreaking. Such an exemption would also be fantastic news for Mozilla, which is currently prohibited by Apple's terms of service from bringing the popular Firefox browser to iPhone.
In the EFF's second request, the group has asked the Copyright Office to permit end users to circumvent the DRM protecting DVDs, for the purpose of creating noncommercial videos that fall squarely within the protections of fair use. While such circumvention is already trivially easy to do with tools such as HandBrake, it is technically illegal to do so. For the millions of YouTube users who remix and mash up snippets of copyrighted works (including Sen. John McCain), such an exemption would mean digital freedom.
In complementary filings, representatives from Duke University (PDF), the University of California at Berkeley (PDF), Middle Tennessee State University (PDF) and the Library Copyright Alliance (PDF) asked for a similar exemption for DVD ripping, but solely for professors who wish to create compilations of digital film clips for classroom use. A more limited professor exemption was granted back in 2006, but only for those teaching film studies. Both groups would like to see that exemption expanded to professors and K-12 teachers from all fields.
The Cyberlaw Clinic at Harvard University, representing this blogger, has asked (PDF) the Copyright Office to allow end users to circumvent the DRM protecting music, video, software, and games in the event that a central authenticating server is shut down. This has happened several times in the past few years, including Microsoft's MSN Music Store, Google's Video store, Yahoo Music, and Wal-Mart. The team also asked that researchers be permitted to reverse engineer functioning DRM stores (such as Apple's iTunes) before any shuttering is announced, for good-faith documentation purposes.
Finally, Professor J. Alex Halderman has expanded his successful "Sony Rootkit" 2006 request, and has asked (PDF) that security researchers be allowed to circumvent the DRM in digital works, software or games that create or exploit security vulnerabilities on the computers of end users. While his request is broad, the main focus is on DRM schemes such as SafeDisc and SecuROM, which are widely used in the video game industry (such as in Electronic Arts' Spore).
Next steps
During the next few months, the Copyright Office will allow members of the public to submit comments on the exemptions requested during this cycle. Later, in March, two public hearings will be held, in Washington, D.C., and California. There will likely be appearances by several public-interest groups and law school clinics speaking in support of their exemption requests, while representatives from the recording, motion picture, and software industries are likely to show up to fight against such efforts to weaken the DMCA. At the very least, the hearings promise to be quite a spectacle.
The MySpace suicide case concluded last week, with the jury finding Lori Drew guilty of three misdemeanor counts of gaining unauthorized access to the popular social-networking site.
While most of the press attention has been focused on the specifics of the case, the more important issue is the potential impact this could have on the Internet in general.
Web site terms of service, which end users universally ignore, suddenly have teeth: violating them is a federal hacking offense, punishable with jail time. The days of being able to freely lie on the Web could be coming to an end. This could mean serious trouble for people who lie about their age, weight, or marital status in their online dating profiles.
Bad cases and bad laws
The specifics of the Lori Drew case are messy and emotional. The important fact is that there is no federal cyberbullying statute, so the U.S. attorney in Los Angeles turned to a novel interpretation of existing computer hacking laws to try to punish the woman. The general idea is that in creating terms of service, a Web site owner specifies the rules of admission to the site. If someone violates any of those contractual terms, the "access" to the Web site is done without authorization, and is thus hacking.
Unfortunately for Internet users everywhere, a jury bought the theory last week and found Lori Drew guilty of three misdemeanor violations of the Computer Fraud and Abuse Act, punishable with up to one year in a federal prison and a $100,000 fine for each of the three counts.
Horrible terms of service
Until the Drew case is overturned, terms of service would appear to have the power of federal hacking laws to back them up, at least in cases where an ambitious federal prosecutor is interested in making a name for himself.
Back in March, I wrote about Google's insane terms of service--which forbid the use of the site's search engine, free e-mail service, or any of its other offerings by people under the age of 18. The site's terms state:
"You may not use...Google's products, software, services and Web sites...and may not accept the Terms if...you are not of legal age to form a binding contract with Google."
Under the Department of Justice's current interpretation of hacking laws, every high schooler who uses Google to do homework is in theory a criminal.
However, it gets even better than that. As the Electronic Frontier Foundation noted in its amicus brief to the court, the dating site Match.com prohibits married persons from using the Web site to cheat on their spouses:
"You must be at least eighteen (18) years of age and single or separated from your spouse to register as a member of Match.com or use the Website."
Dating site eHarmony takes this even further, forbidding its users from lying in their online profiles:
"You will not provide inaccurate, misleading or false information to eHarmony or to any other user. If information provided to eHarmony or another user subsequently becomes inaccurate, misleading or false, you will promptly notify eHarmony of such change."
All those people who have lied about their age or weight in an eHarmony profile would now appear to be computer hackers. Oh, and if you gain 30 pounds after posting your profile and don't promptly update your profile--yep, jail for you.
Silver lining...a weapon against RIAA
Back in the early days of the Digital Millennium Copyright Act, activists discussed the creative use of terms of service to keep agents of the RIAA and MPAA from visiting their sites, and collecting evidence for later trials. In a few minutes of searching, I was able to find at least one Web site whose terms of service still forbid such activity.
Notice to RIAA & MPAA and affiliated contractors: Pursuant to DMCA statutes, you are forbidden from accessing or reproducing any content on this site, due to a violation of our terms of service. This is not a matter for discussion. You must exit this Website now.
These amateur click-wrap agreements didn't seem to hold much weight back then. Could the precedent set by the Lori Drew case provide ammunition to pirates, activists, and the thousands of other Internet users who have an anti-RIAA ax to grind?
Parry Aftab, a lawyer and executive director of an anti-cyberbullying group, hailed the court case as a victory, telling the Associated Press that the "verdict has made it very clear if you use the Internet as a weapon to hurt others, especially young, vulnerable teens, you're going to have to answer to a jury. This is not acceptable."
For those of us who see the over 30,000 lawsuits filed by the RIAA as an abuse of the legal system and an organized shakedown of vulnerable high school and college students who know little about the law, perhaps this warning will hold true.
Updated Jan 27 2009 with a comment from the Turkish Government. See below.
When criminals turn to disk encryption to hide the evidence of their crimes, law enforcement investigations can hit a brick wall. Where digital forensics software has failed to recover encryption passwords, one tried and true technique remains: violence. It is this more aggressive form of good cop bad cop behavior which the Turkish government is alleged to have turned to, in order to learn the cryptographic keys of one of the primary ringleaders in the TJ Maxx credit card theft investigation.
The 2005 theft of tens of millions of credit card numbers from an unsecured wireless network run by TJ Maxx stores has led to over 150 million dollars in damages for the company. The two gentlemen behind the heist sold the pilfered credit card information to others online. Eventually, the stolen cards reached Maksym Yastremskiy, a Ukrainian citizen, and, according to media reports, a "major figure in the international sale of stolen credit card information."
Mr Yastremskiy was later arrested in 2007, while on vacation in Turkey. The US government has formally requested that Yastremskiy be extradited, and has charged him with a number of crimes including aggravated identity theft.
According to comments allegedly made by Howard Cox, a US Department of Justice official in a closed-door meeting last week, after being frustrated with the disk encryption employed by Yastremskiy, Turkish law enforcement may have resorted to physical violence to force the password out of the Ukrainian suspect.
Mr Cox's revelation came in the context of a joke made during his speech. While the exact words were not recorded, multiple sources have verified that Cox quipped about leaving a stubborn suspect alone with Turkish police for a week as a way to get them to voluntarily reveal their password. The specifics of the interrogation techniques were not revealed, but all four people I spoke to stated that it was clear that physical coercion was the implied method.
The Turkish interrogation seemed to have worked as Mr Cox was even able to share Yastremskiy's encryption password with the audience.
Mr Cox, the Assistant Deputy Chief for the DOJ's Computer Crime and Intellectual Property Section, made the comments during his keynote talk at an invitation-only event for academic and industry experts focused on phishing-related crimes. This blogger has spoken to four sources, each in independent interviews, who claim to have witnessed Mr. Cox making such statements. However, due to the closed-door nature of the event, and fearing that coming forward publicly would lead to them being blackballed from future information sharing sessions, no one would go on the record to make their claims.
If Mr Yastremskiy is successfully extradited to the United States, it is unclear if the evidence from his encrypted disk could be used against him in court. It also remains an open question as to how much the US knew about the alleged beating of Yastremskiy by the Turkish authorities, and when.
If Mr Cox's alleged comments are indeed true, this is alarming news. The majority of cryptographic tools in use today are designed around the general assumption that an end-user can refuse to disclose his or her key if the computer is seized. While password discovery via torture is something that has been discussed in the academic literature for a number of years (it is commonly known as rubber-hose cryptanalysis), it has for the most part remained a theoretical threat. A few tools, such as TrueCrypt, are designed to resist such attacks, and thus use deniable encryption -- that is, making it impossible for someone to examine a computer and be able to determine if there is anything encrypted on the disk. Some tools even allow for multiple deniable encrypted folders, each with a different password.
Of course, TrueCrypt and other tools that have adopted deniable cryptography do not stop government agents from torturing a suspect. It just means that they cannot be sure when to stop the beatings, as there could always be one additional hidden file on the disk.
Multiple requests for comment, by both phone and email to Howard Cox and the DOJ Office of Public Affairs have been ignored. Similarly, the Turkish embassy in Washington DC had not responded to a request for comment by press time.
A Freedom of Information Act request has been submitted for the slides and notes for Mr Cox's speech; however, this could take months or years before any information is returned.
Update: On January 27, 2009, Berkan Pazarcı, the First Secretary at the Turkish Embassy in Washington DC, replied to the request for a comment that I sent back in October of 2008:
The Turkish Ministry of Justice informed the Embassy that Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body.
Disclosure:
Mr Cox presented at a closed-door session at the Anti-Phishing Working Group e-Crime summit. I presented at the same conference the next day, at a session open to the general public. My hotel and airplane ticket were paid for by the APWG, as part of a scholarship program for graduate students.
In 2006, the FBI investigated me for some of my research into boarding pass security. While no charges were ever filed, it's reasonable to state that I have little affection for the DOJ computer crimes section.
Finally, due to the fact that the Turkish government is involved, it is worth mentioning that I am 50% Armenian by blood. Several generations ago, a number of my family members died at the hands of the Ottoman Empire (now Turkey). I do not have an axe to grind in this area, but in the interest of honest disclosure, I thought it should be mentioned here.
John McCain's presidential campaign has discovered the remix-unfriendly aspects of American copyright law, after several of the candidate's campaign videos were pulled from YouTube.
McCain has now discovered the rights-holder-friendly nature of the Digital Millennium Copyright Act, which forces remixers to fight an uphill battle to prove that their work is a "fair use."
However, instead of calling for an overhaul of the much hated law, McCain is calling for VIP treatment for the remixes made by political campaigns.
McCain's proposal: complaints about videos uploaded by a political campaign would be manually reviewed by a human YouTube employee before any possible removal of the remix. The process for complaints against videos uploaded by millions of other Americans would stay the same: instant removal by a computer program, and then possible reinstatement a week or two later after the video sharing site has received and manually processed a formal counter-notice.
With 11 homes and 13 cars, it's not terribly surprising that McCain is calling for special treatment for the YouTube videos of politicians. As for the "fair use" claims of the poor starving masses: Let them eat cake.
On Tuesday, the McCain campaign sent a formal letter to YouTube asking for this two-tier system for "fair use" complaints. Copyright guru Larry Lessig called it a "fantastic letter", adding "bravo to the campaign" in a post to his blog. Since then, the technology press has been pretty supportive, although the focus of the coverage seems to mainly be along the lines of "McCain realizes that fair use claims are an uphill battle." This is the wrong message to send, and as much as I respect Professor Lessig, I have to call him out here. He is wrong. McCain should be criticized for his attempt to get special treatment, and Google/YouTube need to treat all users the same way.
All claims of fair use are equal--yet some claims are more equal than others.
The only way we will get an effective overhaul of copyright laws will be by forcing politicians to suffer along with the masses. The minute a special set of rules is made for those in Congress, the incentive to fix the system will disappear. To drive this point home, consider the following:
During the confirmation hearings for Judge Robert Bork, the Washington City Paper obtained a copy of the Republican nominee's video rental records. Alarmed at the possibility that their own rental histories would be revealed by the press, members of Congress jumped to pass comprehensive privacy legislation for the video rental records of all Americans. Up until the Bork fiasco, there had been no real incentive to fix anything, but once the risk to their own records was made clear, Congress acted. As a result, we are now all protected by the 1988 Video Privacy Protection Act.
Compare this to the horrible situation at airports. Americans are routinely harassed, prodded, poked and humiliated by employees of the Transportation Security Administration. While we stand in line like sheep, congressmen get to skip through the security lines, avoiding the entire process. Given the fact that they don't have to suffer at the hands of TSA, it's not terribly surprising that they have little incentive to fix the problems faced by the rest of us.
These two examples should make it clear--we cannot allow politicians to receive special treatment in copyright and fair use disputes. If anything, campaign videos should receive substandard treatment. McCain's videos deserve to rot in purgatory at the back of the DMCA queue, behind videos of toddlers, skateboarding dogs, Star Wars Kid remixes, and the hundreds of clips of the dramatic chipmunk. Perhaps then, the senator will throw his weight behind comprehensive copyright reform that'll result in real benefits for the rest of the remix-population.
Updated: This post originally contained incorrect information about Sentinel's products. That has been corrected (see below).
Attorneys general from a number of states have given their support to a collection of weak and ineffective age verification technologies, all of which aim to protect children on the Internet. At a meeting of the Internet Safety Technical Task Force at Harvard University on Tuesday, the consensus seemed to be that while none of the technologies actually work, doing anything at all was better than nothing. Simply put, no one wants to be blamed for inaction against online child predators.
Kicking off the meeting, Richard Blumenthal, the Connecticut attorney general, summed up the general expectation of the other 48 state attorneys general involved in the effort: "If we can put a man on the moon, we can make the Internet safe (for children)." Unfortunately, while the federal government sank billions of R&D dollars into NASA's space efforts, the AGs have yet to cough up any research funds, and seem to expect industry to come up with their own solutions.
Won't someone think of the children?
Given the intense political pressure to do something about child safety online, and a complete lack of proven, peer-reviewed, and abuse-resistant technologies available on the market, a number of private companies have stepped in to fill the void--with products that can at best be described as ineffective, and at worst as snake oil.
Several age verification solutions were presented at the task force meeting, from companies that included Aristotle, IDology and Sentry. All of the companies seem to do pretty much the same thing--collecting information from public records, and then prompting users to enter some of this info when they wish to log in to an "age restricted" Web site. One example of this is the rated R movie trailers of many Hollywood movie studios, which require a user to enter in his or her name, ZIP, and date of birth before playing the trailer.
This form of verification has been repeatedly criticized as "laughable" by security experts. As a test, I was able to successfully view the trailer for Sony's new thriller movie, Quarantine, by giving the name, date of birth, and ZIP code of vice presidential candidate Sarah Palin, all of which were available on the politician's Wikipedia page. Sony Pictures uses an age verification service from Sentinel (another company which presented at the task force meeting), which seems to only protect the fragile eyeballs of technologically unsavvy youngsters who have not yet learned how to use a search engine.
During the question and answer sessions following their presentations, each of the age verification and other child safety technology vendors admitted that their products are neither bullet proof nor even that difficult to evade. However, they all generally preached a belief in the security benefits of "raising the bar" and providing a "bump in the road."
Speak softly and carry a big stick
With companies and politicians falling over themselves to prove how much they are doing to keep children safe, it is worth taking a look at the incentives and motivations of this industry.
First, the politicians: Attorneys general from 49 states have been focusing on this issue for some time, culminating in an agreement signed with MySpace back in February of this year--the only state to reject the deal was Texas, whose AG felt that the deal didn't go far enough. This is an issue that carries a lot of weight with voters, and as New York AG Andrew Cuomo's recent strong-arming of ISPs over their Usenet news feeds has demonstrated, easy political wins can be gained with little to no pushback from the tech industry.
Second, the social-networking sites: Facebook and MySpace, the 500-pound gorillas of the industry, don't seem to be too keen to adopt any of the existing solutions pitched by vendors--primarily because the technology doesn't do much, won't stop abuse, and will cost the companies money. While News Corp's MySpace certainly has deep pockets and could easily pay a couple million for age verification software, the company appears to be resisting calls to do so primarily out of an urge to avoid a slippery slope. That is, if the social-networking site can be pressured into forcing its user base to jump through one level of inconvenient and burdensome verification, other demands will soon follow.
Third, the "solution" vendors: This collection of companies relies upon fear to sell their products--not so much fear of the abuse of children by predators, but the fears of companies and politicians that they will be accused of not doing anything. These firms are not selling complete solutions to the problem of age verification (since one does not exist)--but are selling excuses. That is, if social-networking sites purchase their products, and children are later groomed or abused online, the companies will at least be able to claim that "we've purchased and used the best age verification products that industry offers. Don't blame us--we've at least tried to do something."
The not so thinly veiled threat aired at the event was that if the industry didn't police itself, the various state AGs might have to push for regulation. The fact that the technology isn't effective doesn't seem to be a major cause for concern. All that really seems to matter, at least for the policy makers, is that the industry do something, which can then be sold to voters back home as a success in protecting little Jane or Johnny.
The offshore problem
The elephant in the room in this debate is the issue of foreign Internet companies. That is, if American social-networking sites are forced to implement oppressive and burdensome age verification rules, teens may ditch MySpace and head to a Chinese, Brazilian, or Indian Web company, where a user's age is not verified.
Internet users are a fickle bunch--that is, they are not particularly loyal to brands, and if a company's product ceases to be cool, users will leave in droves. As an example, just look to Friendster, which was at one point the most popular social-networking site on the Internet. Once MySpace offered a better, more enjoyable experience, Friendster turned into a cyber-ghost town. While the network effect is indeed a powerful and sticky force, a lame user experience will be more than enough to make users leave for greener pastures.
Now, as another example, consider the case of Napster, the first peer-to-peer file-sharing company. Remember that for a time, Napster was the most popular file-sharing tool on the Internet, with tens of millions of users. As an American company, once Congress got wind of the file-sharing phenomenon, it was able to hold hearings, and force the CEO of Napster to appear before the Senate Judiciary Committee.
Fast forward a couple years: Napster had been sued into financial oblivion, and America's teens had moved on to a significantly more legislation-resistant file-sharing platform--Kazaa. This file-sharing company, designed by three men from Sweden, developed by programmers in Estonia, headquartered in Australia, and incorporated in the South Pacific island nation of Vanuatu, was global in scale, and for the most part, completely beyond the reach of America's laws.
Whatever you think of file-sharing, there is one thing that is beyond debate: Due to a change in the legal environment, Americans abandoned, en masse, an American company's P2P offerings, and instead signed up for the services offered by a foreign company whose CEO could never be hauled before the U.S. Congress. Furthermore, while Napster was primarily a service offering free music downloads, the Kazaa platform offered easy access to music, movies, pirated software, and pornography (of both legal and illegal varieties)--all from the same easy to use graphical interface. That is, by chasing file-sharing underground, we completely gave up any possibility of lightly regulating it.
No one present at Tuesday's Task Force meeting had any solutions to this problem, nor were they too keen to discuss it. It would be cruelly ironic if in an effort to protect America's youth online, those same children were chased into the hands of unscrupulous foreign firms with little incentive to protect their users from predators and other forms of harm.
Update: The original version of this blog post included Sentinel in the list of companies who push weak age verification software to social networks. In fact, Sentinel has voluntarily withdrawn its age verification products from the social networking market, although it continues to supply the easy-to-evade product to Hollywood movie studios.
Disclosure: I am a paid student fellow at the Berkman Center at Harvard University, which participates in and hosted the meeting of the Internet Safety Technical Task Force. In particular, professor John Palfrey, the chair of the Task Force, is also the Faculty co-director of the Berkman Center, where I work. I have neither consulted with Palfrey, nor any of my other colleagues at Harvard with regard to this blog post. It reflects my own opinions, and certainly not those of Harvard or any of the other people associated with the Berkman Center.
If you thought that the National Security Agency's warrantless wiretapping was limited to AT&T, Verizon and Sprint, think again.
While these household names of the telecom industry almost certainly helped the government to illegally snoop on their customers, statements by a number of legal experts suggest that collaboration with the NSA may run far deeper into the wireless phone industry. With over 3,000 wireless companies operating in the United States, the majority of industry-aided snooping likely occurs under the radar, with the dirty-work being handled by companies that most consumers have never heard of.
A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive probing" data-mining services to governments around the world.
ThorpeGlen, a U.K.-based firm, offers intelligence analysts a graphical interface to the company's mobile-phone location and call-record data-mining software. Want to determine a suspect's "community of interest"? Easy. Want to learn if a single person is swapping SIM cards or throwing away phones (yet still hanging out in the same physical location)? No problem.
In a Web demo (PDF) (mirrored here) to potential customers back in May, ThorpeGlen's vice president of global sales showed off the company's tools by mining a dataset of a single week's worth of call data from 50 million users in Indonesia, which it has crunched in order to try and discover small anti-social groups that only call each other.
Clearly, this is creepy, yet highly lucrative, stuff. The fact that human-rights abusing governments in the Middle East and Asia have deployed these technologies is not particularly surprising. However, what about our own human-rights-abusing government here in the U.S.? Could it be using the same data-mining tools?
To get a few answers, I turned to Albert Gidari, a lawyer and partner at Perkins Coie in Seattle who frequently represents the wireless industry in issues related to location information and data privacy.
When asked if there is a market for these kinds of surveillance data-mining tools in the U.S., Gidari told me: "Of course. It is a global market and these companies have partners in the U.S. or competitors."
The question is not if the government would like to use these tools--after all, what spy wouldn't want to have point-and-click real-time access to the location information on millions of Americans? The real mystery is how the heck the National Security Agency can legally get access to such large datasets of real-time location information and calling records. The answer to that, Gidari said, is the thousands of other, lesser-known companies in the wireless phone and communications industry.
The massive collection of customer data comes down to the interplay of two specific issues: First, thousands of companies play small, niche support roles in the wireless phone industry, and as such these firms learn quite a bit about the calling habits of millions of U.S. citizens. Second, the laws relating to information sharing and wiretapping specifically regulate companies that provide services to the general public (such as AT&T and Verizon), but they do not cover the firms that provide services to the major carriers or connect communications companies to one another.
Thus, while it may be impossible for the NSA to legally obtain large-scale, real-time customer location information from Verizon, the spooks at Fort Meade can simply go to the company that owns and operates the wireless towers that Verizon uses for its network and get accurate information on anyone using those towers--or go to other entities connecting the wireless network to the landline network. The wiretapping laws, at least in this situation, simply don't apply.
Gidari explained it as follows:
Networks are more and more disaggregated and outsourced, from customer service call centers overseas with full viewing access to data to key infrastructure components and processing. A single communication is handled by many more parties than the named provider today. Moreover, interoperability protocols include network identifiers--send a message from company A to company B and the acknowledgment of delivery may include location and other information. That's just the way the system is designed--location was about billing in the early years and no one bothered to undo the existing protocols when business models changed and interoperability became common practice or a myriad of new messaging companies came into being...So my point is that there are many access points--albeit less convenient than one-stop shopping at the big carriers--to get information including real-time data.
[Image: ThorpeGlen's product appears to be a mashup of Google Earth + phone location data (in this case, from 50 million people in Indonesia). (Credit: ThorpeGlen)]
For example, if a Sprint Wireless customer in Virginia calls a relative in Montana--who is a customer of a small, regional landline carrier--information on the callers will spread far beyond just those two communications companies.
Sprint doesn't own any of its own cellular towers, and so TowerCo, the company that owns and operates the towers, of course, learns some information on every mobile phone that communicates with one of its towers. This is just the tip of the iceberg, though. There are companies that provide "backhaul" connections between towers and the carriers, providers of sophisticated billing services, outsourced customer-service centers, as well as Interexchange Carriers, which help to route calls from one phone company to another. All of these companies play a role in the wireless industry and have access to significant amounts of sensitive customer information, which, of course, can be obtained (politely, or with a court order) by the government.
With the passage of laws like the FISA Amendments Act and the USA Patriot Act, in most cases, requests for customer information come with a gag order, forbidding the companies from notifying the public, or the end users whose calling information is being snooped upon. Gidari summed it up this way:
So any entity--from tower provider, to a third-party spam filter, to WAP gateway operator to billing to call center customer service--can get legal process and be compelled to assist in silence. They likely don't volunteer because of reputation and contractual obligations, but they won't resist either.
Seeking clarification, I turned to Paul Ohm, a former federal prosecutor turned cyberlaw professor at the University of Colorado Law School and a noted expert on surveillance laws.
Before getting into the details of the issue, Ohm first outlined the basic problem of the various wiretap and surveillance laws; they are extremely confusing and few people fully understand them. The 9th Circuit Court of Appeals seemed to share Ohm's view, stating a few years ago that the Electronic Communications Privacy Act is a "complex, often convoluted area of the law" (United States v. Smith, 155 F.3d 1051).
Ohm then said that the "one thing I can say with confidence is that you are correct to note that the [Stored Communication Act's] voluntary disclosure prohibitions (in 18 USC 2702(a)) apply only to providers to the public."
After describing all the ways that the government could legally collect real-time data on millions of U.S. citizens, Gidari said that essentially, the existence of such a program would likely remain a secret (barring a whistle-blower or leaks to the press by government officials). Summing it up, he stated that:
Whether [a] vendor to a carrier to the public cooperates with agencies (either for a fee or by acquiescence in an order), is something you will not find out as FISA makes it so, regardless of whether the person is in the U.S. or communicating with a person abroad. Such means and methods largely are hidden.
However, if the existence of such a program were ever confirmed, Ohm said that Congress would not be too happy:
If [the sharing of data by niche telecom providers] is seen as allowing an end-around an otherwise clear prohibition in the SCA, Congress is likely to throw a fit when it is revealed and try to amend the law. DOJ is sensitive to this kind of thing (despite what the NSA wiretapping program would lead you to believe) and would probably try to avoid blatantly bypassing otherwise clear language in this way.




