January 30, 2011

ICANN, Bill Clinton, and Mr. Magoo

Greetings. As I mentioned earlier today in another venue, and as further explained here, it now appears likely that key ICANN decisions regarding their continuing TLD Expansion Lunacy will be essentially bumped to their San Francisco gala meeting in mid-March.

I realize it's tough to keep track of ICANN meetings these days. Brussels at the end of February. Back to San Francisco two weeks later. If ICANN ever (heaven forbid!) started using Skype or Google Talk or even dedicated videoconferencing instead of so much globetrotting, the airline industry would probably suffer a collective nervous breakdown!

What you might have missed though is that ICANN won't be satisfied with just digging into the crucial topics on the agenda, but apparently has hired -- get this -- former President Bill Clinton to keynote in SF! Yes, this well-known expert on Internet technology and related Internet policy issues will ... no wait, that's someone else. Anyway, Bill Clinton! Our Internet problems are solved!

Now, admittedly, some questions have been raised about this arrangement.

For example, there are concerns about disrupting the serious work of the meeting with Clinton's "superstar" appearance. And what of the cost? Rumor was that he was being paid half a megabucks. "Nonsense!" says ICANN, "Clinton's fees are a matter of public record."

In fact, there's an article -- Clinton's Golden Voice -- from The Washington Post in 2007, detailing the former President's speaking fees between 2001 and 2005. $125K was common, sometimes going as high as even 300K or 350K in several instances. Perhaps there's been some inflation in the six years beyond the dates and fees shown on this chart?

But whether it's 100K or 300K or even more, ICANN assures us that the amount will be covered by "targeted sponsorships," not out of the ICANN budget. Phew. Man, that's a relief. It's good to know that ICANN sponsors aren't going to do something really nutty like donate that money to charity or something similarly silly in these hard economic times. After all, former Presidents need money too. And buying favor with ICANN is a much better investment, of course -- as Mr. Spock might say, "Highly logical."

But I do hope that someone at the meeting will take the opportunity to ask Bill Clinton for his opinions on ICANN's gTLD flooding plans, use of the DNS for censorship and government control, and ICANN's "policy" procedures vs. the Department of Commerce and GAC. If there's any spare time, Mr. Clinton's opinions on IPv4 address depletion and IPv6 deployment would certainly set the Internet user community at ease.

If there's one thing that we can say about ICANN as of late with some degree of certainty, it's that the organization is definitely consistent -- just like Mr. Magoo out for a Sunday drive!

"Road Hog!"

--Lauren--

Posted by Lauren at 09:09 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 29, 2011

Video: Dr. Strangelove Explains the Internet Kill Switch

Greetings. Yesterday, in "Plan D" - How To Disrupt the U.S.A.'s Internet, I employed a concept from Stanley Kubrick's film classic Dr. Strangelove to draw an analogy between the specter of global warfare, and the enormous risks associated with government-directed Internet shutdowns as have already occurred in Egypt, and such has been advanced by some officials as a desirable government-controlled "Internet Kill Switch" concept here in the United States.

The parallels are striking on several levels. But even I was surprised when I looked back at the original Dr. Strangelove footage, and realized that perhaps the characters were actually in a "Cyberwar Room" -- and already were discussing various countries' abilities to use "kill switches" to shut down the Internet.

See what you think ...

Dr. Strangelove Explains the Internet Kill Switch
[YouTube] (~1.3 minutes)

--Lauren--


Posted by Lauren at 01:40 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 28, 2011

"Plan D" - How To Disrupt the U.S.A.'s Internet

Blog Update (January 29, 2011): Video: Dr. Strangelove Explains the Internet Kill Switch



Greetings. In Stanley Kubrick's 1964 dark comedic film masterpiece Dr. Strangelove, misuse of Top Secret attack "Plan R" ultimately triggers a global nuclear catastrophe.

Egypt's government may have had its own doomsday plan of sorts, at least as relates to the Internet, as demonstrated by its ability to almost entirely terminate Internet communications internationally (and according to some reports, domestically as well) in what appears to have been a highly coordinated manner. Various telephone-related communications in Egypt have also apparently been affected.

Various observers have now somewhat glibly asserted that similar broad Internet shutdowns would be "impossible" in the U.S., that only the concentration of associated Internet resources in countries like Egypt permitted the government's actions against their Internet services to be effective.

I have serious doubts that such confidence in the Internet's ability to withstand such actions here in the U.S.A. is necessarily warranted.

Let's leave aside for the moment the federal push for centralized "cyber security" operations controlled by military and intelligence agency entities and operatives. We can even skip for now the calls -- about to be reintroduced in Congress -- for what many would consider to be mandated U.S. Internet "kill switches" under government control, with the possibility that much of the Internet would ultimately be declared to be "critical infrastructure" subject to their purview.

How well might a theoretical "Plan D" -- "D" for "Disrupt the Internet" -- work here in the U.S., today, right now?

For the sake of the argument, let's assume that major Internet firms will obey the federal government's edicts when "Plan D" is invoked under a claim of "national emergency."

Now, you're the national CSSC - Cyber Security Super Czar. Who do you call to shut down the Internet in the United States?

Since the overwhelmingly vast majority of U.S. Internet users have their Internet access through a handful of giant telephone and cable operators, the initial call list is relatively short.

Hello AT&T! Comcast! Verizon! Time Warner! Charter! Qwest! - "Plan D is declared! Shut down all Internet customers not previously designated as National Security Critical (NSC). Thank you for your cooperation!"

There are more calls to make of course, to cover most other "major" Internet ISPs of significant size, but you're finished with the first round within an hour. Minutes later, millions of Internet users find their connectivity is dead.

Next step -- invoke Plan D over Google, AOL, Microsoft, and a handful of other major U.S.-based operations. "National security emergency! Shut down all services not designated NSC!"

Now the major Internet backbone operators - "Plan D! Emergency!"

Major peering points - "Plan D! By order of the President!"

And of course the domestic DNS registries and U.S.-operated DNS root servers - "Plan D! No questions, just do it!"

"Sir, Plan D implementation complete -- three hours and fourteen minutes execution time ... Thank you, sir. Just doing my duty."

- - -

Of course, this has all been merely a thought experiment. We, uh, all know that there is no real "Plan D" -- or similar action plans to disrupt or otherwise declare the equivalent of digital martial law on the Internet. After all, this is the United States, not Egypt. Of course.

In any case, the point of this little fantasy is simple enough. It might be wise to at least consider the extent to which our Internet infrastructure -- even in the U.S. -- may be vulnerable to significantly encompassing shutdown orders that -- even if not 100% effective -- would still serve to drastically curtail individual and corporate communications within a matter of a few hours.

In fact, it might not even require mass shutdowns at the subscriber levels to achieve such ends to a major degree, since the termination of a significant percentage of Internet backbone, peering, and DNS services alone would trigger a broad Internet data "traffic jam" -- that would make L.A. freeway commuting look like a walk in the park by comparison. You might still in theory have your local Internet access, but its usefulness would likely be something similar to carrier pigeon communications.

In Dr. Strangelove, the Plan R recall code "OPE" -- an anagram for "Purity of Essence" or "Peace on Earth" -- almost (but not quite) avoided a global nuclear doomsday.

Unfortunately, the often laudable, but still misguided sensibilities that seem to be leading us into the world of an Internet "Plan D" -- either by design or by continued reliance on our relatively concentrated Internet resources, are not subject to any three-letter recall solutions.

To assume that the Internet here in the United States is invulnerable to a scenario significantly similar in major ways to that now playing out in Egypt may be comforting, but does not seem to reflect the reality of our Internet infrastructure.

Would such an "Internet shutdown" be more difficult to accomplish here than in Egypt? Yes. Would it be impossible to accomplish to a degree that would be considered successful? I doubt it. Quite possibly the process would take more than three hours, but I don't believe it is by any means out of the question.

Would major Internet services challenge government edicts of these sorts, delaying their own shutdowns while court proceedings were engaged? There are many factors to consider, but assumptions that the U.S. Internet infrastructure is so robust that directed Internet "blackout" scenarios are inconceivable strike me as naive at best.

Peace on Earth? Purity of Essence? As usual, the decisions about how to move forward are up to us.

--Lauren--

Blog Update (January 29, 2011): Video: Dr. Strangelove Explains the Internet Kill Switch

Posted by Lauren at 12:17 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 24, 2011

Risks in Mozilla's Proposed Firefox "Do Not Track" Header Thingy

Greetings. Mozilla has proposed plans to implement a "Do Not Track" flagging mechanism in their Firefox browser -- even though apparently no companies have at this time promised to honor such anti-tracking flags.

Frankly, I continue to be singularly unimpressed by "Do Not Track" concepts as currently being discussed, and continue to believe that their ability to cause major collateral damage to the Internet ecosystem of free Web services is being unwisely ignored or minimized by many Do Not Track proponents (see: FTC in Charge of Net Ads? -- and Opt-In vs. Opt).

At an absolute minimum, necessary prerequisites for any Do Not Track implementation methodology discussions should first be rigorous, formal, and precise descriptions/dialogues regarding what Internet "tracking" actually means in a wide range of situations and contexts. Attempts to conflate this complex area into simplistic "Do Not Track" signals for rapid implementation seem premature and ripe for Internet users' "buyer's remorse" down the line.

Additionally, Mozilla's proposed use of HTTP "headers" for Do Not Track purposes presents a number of fundamental technical problems. In general, headers used in this manner represent what I'd call a "non-acknowledged client-push signalling system." Sending out a new "Do Not Track" header -- even beyond basic associated technical requirements at the client and server ends -- and even if there's agreement on how that header is defined -- tells you nothing about what actually happens to that header after being sent by the client browser. How does the user who sends such a header actually confirm that they're "not being tracked" as a result? And how do they know that continued tracking isn't caused by a technical issue that prevented the header from ever being received and processed by the destination server?

Perhaps the header line was "eaten" by an intermediate proxy server (it's quite common for proxies not to pass along all headers). Or maybe the header reached a server that simply hadn't been modified to recognize it yet. Or did the header reach a server in some jurisdiction (say, outside of the U.S.) that wouldn't even be "required" to know about that new header? And so on.

You can't just send a Do Not Track header and expect meaningful results. In practice, you end up having to build an entire confirmation apparatus of some sort -- and even then it's likely to be a mess. Without confirmation, you can send out whatever headers you wish, but when you don't get the results you expect, what does that mean? Who knows?

This all gets very complicated, very quickly.

Unfortunately, much of the current rush for Do Not Track appears to be significantly driven at this stage largely by "political" agendas, and politically-driven "quickly expedient" technologies are often the most problematic of all.

--Lauren--

Posted by Lauren at 12:09 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 21, 2011

The Knights Templar Meet the Google Search Results Conspiracy Theories!

Blog Update (February 15, 2011): "The SEO Lament" - With Apologies to Gilbert and Sullivan



"When correctly viewed, everything is lewd. I could tell you things about Peter Pan, and the Wizard of Oz, there's a dirty old man!" -- Tom Lehrer, "Smut"

Greetings. I love conspiracy theories. I really do. I hardly ever believe them, but they're often great fun nonetheless, just through the sheer joyful lack of logic that usually pervades them to their inner cores.

My own theory has long been that most genuine conspiracies are the ones we don't even suspect exist. Once a would-be conspiracy has been labeled a conspiracy theory in public, it's usually already pretty much toast.

Yet people by and large love believing in conspiracy theories, for a variety of reasons -- for example, they can be very convenient for social control and personal gain.

In 1307, King Philip IV of France -- who was deeply in debt to the Knights Templar -- used the secrecy of their practices and rituals against them by declaring a vast Templar conspiracy -- triggering their mass arrest, torture, executions, and (conveniently) the erasure of Philips's associated debt. Even today, bizarre, ridiculous conspiracy theories regarding Freemasonry continue to circulate, egged on by the secrecy of Masonic rituals.

Conspiracy theories tend to fill information vacuums by attempting to postulate the inner workings of activities based on fragmentary and often statistically misleading observational data. This tendency is also exacerbated by the natural human desire to impose order on chaos, to assume connections where none actually exist, to try give ordered meaning to what otherwise might seem unpalatable asymmetric forces.

Even decades later, many persons refuse to accept the concept that one lone gunman assassinated President Kennedy, despite overwhelming evidence to that effect. It just seems so wrong that a single nobody with a rifle could change history so dramatically. Surely the existence of a vast conspiracy would make such events more emotionally tolerable, at least.

And so we come at last to the technology conspiracy theories of the moment, the increasing drumbeat of claims that Google is biasing their organic (natural, not paid-ad) search results in their favor.

The two sides of this current brouhaha may be best exemplified for now by long-time Google critic Benjamin Edelman's newly released Measuring Bias in "Organic" Web Search, and search marketing specialist Danny Sullivan's response in Study: Google “Favors” Itself Only 19% Of The Time.

I must admit to being somewhat amused both by Benjamin's problematic statistics and by Danny's detailed analysis of those numbers. In particular, the former's methodology is so highly questionable on its face that Danny's effort in this case strikes me as being somewhat akin to publishing a deep, intellectual analysis of a brief Monty Python skit -- the source materials are much more appropriately viewed strictly for their comedic value (I know a dead parrot when I see one!)

In a more serious vein, we note that statistics, though seemingly composed of hard facts and numbers, are in reality almost infinitely mutable, as are the studies that quote them. Darrell Huff's wonderful 1954 expose and guide, How to Lie With Statistics (very much still in print!) is as marvelously relevant now as it was more than a half century ago.

Of course there's nothing funny about the ramifications of bias accusations against Google. And as in the case with King Philip and the Templars, it's easy to find financial motivations in play among some of Google's accusers -- who often tend to be allied with Google's competitors either directly or via "astroturf" relationships.

To be sure, the detailed mechanisms of search ranking algorithms (which in Google's case undergo virtually continuous tweaking for anti-spam and relevancy adjustments) are quite opaque to outside observers.

But it's hard to see how this could reasonably be otherwise, without opening up search results rankings to endless "gaming" of results by spammers and other bad actors, to the vast detriment of Internet users generally.

And after all, search results, whether by Google, Bing, or anyone else, are merely the opinions of those search services at any given moment in time -- not some sort of commandments handed down on stone tablets.

But ultimately what decimates the Google Search Results conspiracy theories for me is that they just don't make logical sense.

Just as Tom Lehrer noted in his classic ditty, given a suitable observational bias, even Peter Pan can be viewed as obscene. But is such a bias reasonable? Of course not.

Similarly, in order to assume purposeful organic search results bias by Google, we need to also assume either (a) that there's a logical upside to doing this for Google, that significantly exceeds the downside risks of being caught doing so, or (b) that Google management would behave in an unethical, potentially self-destructive manner for no logical purpose.

To accept either of these assumptions seems nonsensical. I don't believe Google operates unethically or illogically.

But beyond this, Google simply doesn't need to bias natural search results. They are incredibly successful by any measure, and any possible incremental advantage to manipulating organic results would be enormously swamped by the public relations and other risks that could result from their doing so.

What's more, while it's likely true that most people tend to click initially on highly ranked results, it's also clearly the case that most Internet users are not wearing blinders that restrict them only to the first few results.

If users are not satisfied with what they find initially, they'll usually be back looking at more links and trying out other services in short order. Most Internet users are simply not the search result automatons that some studies would seem to presuppose.

The attacks on Google's natural search results rankings have all the hallmarks of classic, opportunistic conspiracy theories. Not only do they not make sense "by the numbers" -- but they also are illogical when viewed more broadly in terms of Google cost/risk/benefit analysis.

As far as I'm concerned, Peter Pan's small friend Tinker Bell is more likely to exist, than for the search results manipulation bias accusations against Google to be accurate.

And that's the case even if you don't believe in fairies.

--Lauren--

Blog Update (February 15, 2011): "The SEO Lament" - With Apologies to Gilbert and Sullivan

Posted by Lauren at 12:06 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 17, 2011

Goldman Sachs, Facebook, and The Dark Side

Greetings. It is seriously depressing how often I end up having to invoke The Dark Side comparisons in these postings.

Goldman Limits Facebook Investment to Foreign Clients

--Lauren--


Posted by Lauren at 06:59 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 16, 2011

My Google "Internet and Empires" Talk - Five Years Later

Greetings. About a week ago or so, an alert reader (presumably with far too much time on his hands) reminded me that it is now almost exactly five years since I gave my Internet and Empires talk at Google Santa Monica, covering a bunch of issues that I thought were interesting at the time, including privacy, censorship, Street View, China, and other sundry topics. He suggested that I should look it over again in light of events that have since transpired regarding both Google and the Internet.

The original talk was on January 24, 2006, and I posted and blogged it on the following April 14th. I believe it was the first "outside" talk taped at the Santa Monica office, and I'm sitting on a table since there wasn't a podium available yet (but for me, the more informal the better).

A bit over a month ago I uploaded (but didn't really watch) the approximately one hour video as a test of newly unlimited length uploading on my YouTube account, but hadn't planned to make it public to supplant the originally uploaded seven part version (split for the then standard YouTube 10 minute limit).

I hadn't actually viewed the entire spiel in years, but having been reminded of the anniversary, I forced myself to do so, and in light of that I've decided to make the new "all in one chunk" version publicly available, and I've updated the original blog item's links and such appropriately.

Five years seems like a century in Internet time, and it's interesting to see how controversial associated issues have changed -- and in some important cases remain very much with us today.

Part of the reason for my focus on China during that presentation was the coincidence that I was speaking at Google on the very day that the original Google.cn censored search site experiment was announced.

Google of course announced the end of search results censoring in China almost exactly one year ago, a decision that was widely applauded (including by me).

In any case, if you have an hour to kill, there may be worse ways to spend your time than to consider, compare, and contrast the Google and Internet issues of January 2006 with January 2011.

But the real question now is, where will we be in January 2016? I'm not taking any bets on that one.

"Internet and Empires" (YouTube Video)

--Lauren--


Posted by Lauren at 07:15 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 13, 2011

White House Tour Cybersecurity: Send In Your SSN - Via Unencrypted, Unprotected Email!

Greetings. Before the U.S. government proceeds at all with their controversial and risky Trusted Identities in Cyberspace Internet ID scheme, perhaps they should demonstrate their ability to follow for themselves the most basic of Internet security procedures.

Very large numbers of persons tour the White House every year. All prospective tour guests 14 years of age and older are required to pre-submit their Social Security Numbers (SSNs) for security checks (apparently it is common for children under the age 14 to have their SSNs submitted as well).

One might assume that information as sensitive as SSNs would be handled by the associated authorities with the same care and diligence as, say, a typical bank Web site -- using SSL/TLS encryption for the protection of this data that is so often abused for identity fraud.

But that assumption would apparently be false. An array of Congressional Web sites instruct would-be White House tour guests to submit their personal information (names, dates of birth, social security numbers, etc.) via standard unencrypted email to (for example) various addresses @mail.house.gov!

Here are just a few randomly selected examples where (apparently customized by Congressional district in these cases) White House Tour "xls" (spreadsheet format) Security Forms are provided for download (Form Image) along with instructions for emailing them in for processing:

Congressman Steve King

Congressman Raul M. Grijalva

Congressman John Kline

And so on. Search around a bit for yourself -- you'll easily find others. In fact, it appears that emailing back the Security Forms -- with absolutely no Internet transit protection for the personal information included such as SSNs, is the standard mechanism that Congress is mostly using -- and presumably the White House has approved -- for White House tour requests.

If an insurance company, bank, or even a local school were caught telling persons to submit required personal information such as Social Security Numbers via easily diverted, observed, and otherwise abused unencrypted email channels, there would likely be investigations and hell to pay.

But Congress and the White House -- the same entities who presumably wish to play such important "Cybersecurity" roles, apparently can't even handle this basic aspect of Internet security correctly. Yet we're supposed to trust their judgment relating to the creation of a vast and complex Internet Trusted Identities infrastructure.

It would actually be quite funny -- if it weren't so utterly frightening.

--Lauren--

Posted by Lauren at 08:25 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 07, 2011

Internet Freedom Alert: Obama Admin Pushing Ahead Today with Dangerous "Internet Trusted Identity" Scheme

Update (January 8, 2011): Obama's "Trusted Internet ID" Scheme Announcements: Reading Between the Lines

ACLU: Don't Put Your Trust in "Trusted Identities"

Steven Bellovin: Comments on the National Strategy for Trusted Identities in Cyberspace



Greetings. At this moment -- as I type this -- the Obama administration is pushing forward with its horrendous DHS-linked "Trusted Internet Identity" scheme (formally - "NSTIC": "National Strategy for Trusted Identities in Cyberspace") via a meeting and announcements today at the Stanford Institute for Economic Policy Research.

As I've discussed in Why the New Federal "Trusted Internet Identity" Proposal is Such a Very Bad Idea and postings linked within that article, NSTIC is an incredibly dangerous concept fraught with all manner of major direct and collateral risks to individuals, organizations, freedom of speech, and civil rights in general.

In contrast to the benign concepts of Net Neutrality -- which despite right-wing claims to the contrary will not result in a government "takeover" of the Internet or the muzzling of free speech -- NSTIC in fact carries very much those actual risks.

NSTIC will never remain "voluntary" as its proponents claim. It will ultimately put the government firmly into every networked computing device that we use, and become the key mechanism to track users, control access to information, eliminate legitimate anonymity, and otherwise convert the Internet into a tool more suited for future oppression than open communication.

So to Glenn Beck, FOX News, and the various legislators who have been burning so much air time with anti-Net Neutrality rants, take a good look at NSTIC. Even by your own standards, NSTIC is a fire-breathing, city-smashing Godzilla compared with Net Neutrality's Bambi.

And to everyone else who cares about an Open Internet, free expression, and civil liberties, get ready for Internet freedom battles like you've never seen before. The war to protect our freedoms on the Internet has only just begun.

--Lauren--

Update (January 8, 2011): Obama's "Trusted Internet ID" Scheme Announcements: Reading Between the Lines

ACLU: Don't Put Your Trust in "Trusted Identities"

Steven Bellovin: Comments on the National Strategy for Trusted Identities in Cyberspace

Posted by Lauren at 12:01 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 05, 2011

Urgent Call for Privacy-Enhanced Mobile Data Storage and Self-Destruct Mechanisms

Greetings. Once upon a time -- not so very long ago -- an individual arrested by law enforcement, or subjected to search at border custom checkpoints, would typically be carrying little more of interest than clothing, a purse or wallet containing limited sundry items, and more recently a very simple cell phone.

But now many of us carry powerful computing devices that frequently contain immense volumes of personal and business data -- laptops, smartphones, tablets, flash memory thumb drives, and soon other yet to be imagined marvels. While it is increasingly possible to store data only in the cloud for download or streaming on demand, many users still need to maintain significantly large amounts of data on their local devices due to data access speed requirements, or to assure data availability when remote data connections are not available.

Governments in general and law enforcement in particular are increasingly taking the view that their detailed inspections of mobile devices, and the masses of data that they frequently contain, are no different in kind than a simple search of a suspect's or traveler's pockets.

Now the California Supreme Court has alarmingly ruled that arrested suspects' phones -- and by extension any other devices on their person or in their vehicles at the time of their arrest -- can be comprehensively searched in detail. This includes all contained data, without the need for a search warrant: "Photos, address book, Web browsing history, data stored in apps (including social media apps), voicemail messages, search history, chat logs, and more."

While this ruling is not without conflict vis-a-vis some rulings in other states, and may ultimately be decided by the U.S. Supreme Court, it still appears on its face to represent an enormous overreaching of law enforcement in a highly inappropriate manner.

As I mentioned above, international travelers have long faced the risk of U.S. Customs not only inspecting the data on their laptops or other computers upon reentry to the U.S., but of having those devices arbitrarily confiscated for detailed inspection, data copying, and other intrusive investigations for prolonged periods of time.

If the framers of the U.S. Constitution had been able to anticipate that individuals would one day carry such vast quantities of information representing virtually the sum totals of their business and personal lives, it is likely that the Fourth Amendment prohibiting unreasonable searches and seizures would have been written in ways that even more explicitly prohibited "high-tech" data device strip searches.

It's very important to remember that this is not about protecting criminal behavior -- we're talking about the protection and preservation of fundamental constitutional rights, that are now being eroded by opportunistic overreaching on the part of authorities (whether for laudable motives in any given case or not). Nor can we confidently assume that all future governments will even be as "benign" as our own at any given time -- encroachments on privacy rights by government are fundamentally dangerous, especially for innocent, law-abiding citizens.

Fortunately, we do have the means at hand to restore some sense of balance regarding the privacy of our personal, mobile data devices.

The powerful combination of local device storage, increasingly fast "persistent" data connections, cloud-based data repositories, high-grade encryption, and associated technologies, can provide the foundation for an open-source framework to provide privacy-enhanced mobile data storage and data "self-destruction" systems to help return "search and seizure" closer to the concept that the Founding Fathers had in mind.

So, I'm now making this urgent call for broad cooperation in the development of open-source systems and environments that would include at least the following initial attributes:

  • Provide for the "continuous and automatic" backing up of all mobile device data (as desired) in secure off-device locations. Such locations could include cloud-based services and/or locally controlled (e.g. business or home) computer systems and data arrays. Note that under current laws the precise physical location of data greatly impacts the required mechanisms for government inspection or seizure of that data. Mobile devices (certainly in California for now) are pretty much an open book after the new Supreme Court ruling. Various groups are working toward trying to achieve harmonization of laws to provide the equivalent of locally-hosted data privacy protections for cloud-based data, but battles in this regard are still ahead. Also, the ability of authorities to try compel the provision of data decryption keys and related information varies depending on situations, jurisdictions, and other factors.
  • Users should be able to optionally specify degrees of data security desired on a per-item basis. For data without significant privacy-related concerns, mobile device data self-destruct mechanisms could be flagged to bypass that specific data (e.g. specific files, databases, etc.) under particular usage scenarios. Individual data items could also be flagged for various degrees of off-device data repository security -- unencrypted (e.g. publicly shared data), encrypted, or various combinations as appropriate.
  • All communications between mobile devices and remote data repositories would be encrypted.
  • Mobile device data self-destruct mechanisms would be designed to enable ease of use in routine, unusual, and emergency situations for selected or full data. For example, a traveler about to enter U.S. customs could use a routine activation sequence to "cleanse" sensitive business data from a mobile device, then restore it completely (restoration priority at the control of the user) afterwards. In unusual or emergency situations, data self-destruct activation may be through a unique device key sequence or carefully confirmed voice command sequence. Sequences to delete off-device stored backup data in remote repositories, and methodologies for remote triggering of mobile device data self-destruct (including both manually triggered and "tamper triggered" sequences, would likely be commensurately more complex to avoid undesired data loss, depending on the level of backup data chosen and available.
  • Self-destruct/deletion procedures for stored data (both locally stored on mobile devices and to the greatest extent possible on remote repository backup data systems), would be designed to offer varying levels of resistance to forensic deleted data reconstruction, as specified by users for particular data and usage scenarios.

I hope that's enough to get the ball rolling. It's very important that such concepts be implemented in an open-source environment, and that strong, high-grade encryption be used throughout the framework wherever encryption is employed.

Again, this is most definitely not about protecting illegal activities or criminals. The goal is to protect us all -- and our completely legal personal, business, and other data -- from unreasonable acts by those entities who are now leveraging our advanced mobile data devices to a level of intrusion into our lives that is simply not in keeping with our fundamental rights and liberties.

While I do have my own very preliminary, somewhat specific implementation concepts relating to this project, I'm very much inviting all comers and all ideas. In terms of practical project goals, I would encourage the development of these principles into exploratory code as rapidly as possible, across a wide array of mobile platforms and supporting backup repository system environments.

Linux, Windows, and Android are currently available to me in various incarnations. Google's Cr-48 Chrome notebook would be another obvious implementation target platform that I would like to explore early on for the project, though unfortunately I do not have one of those units in hand.

I am not a routine user of the Apple ecosystem, so developers comfortable in the Mac/iPhone world are definitely needed as well, plus Blackberry, Symbian, and any other common mobile platforms.

Please let me know if you're interested in participating. Any and all comments, questions, criticisms, and ideas are of course welcome.

Thanks all. Be seeing you.

--Lauren--

Posted by Lauren at 05:09 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein


January 04, 2011

Video: The Navy's Raunchy "XO Movie Night" Parrot Revealed! Anchors Away!

Greetings and Happy New Year. By now you've probably heard how some Internet Videos have triggered "career-interruptus" for U.S. Navy Captain Owen Honors, who was recently awarded prestigious command of the aircraft carrier USS Enterprise.

Unfortunately for the Captain, a series of extremely "raunchy" videos entitled XO Movie Night -- produced and shown on board the Enterprise around the 2006-2007 period, and featuring then first officer (executive officer - "XO") Owens -- have been revealed and widely disseminated on the Net.

It is being reported today that Captain Owens has (at the very least) lost command of the Enterprise as a result.

Aside from the obvious "never assume videos will stay private" aspects of the Internet that this situation illustrates, there's an oddity worth exploring in the videos themselves.

In scene after scene, a strange and colorful "parrot" of some sort appears, often specifically featured in the footage with Owens -- rather bizarre, indeed.

However, I'm pleased to reveal all regarding this bird -- straight from the parrot's mouth in fact -- in a two minute video, including an actual "parrot demo" no less!

The Navy's Raunchy "XO Movie Night" Parrot Revealed!
[YouTube] (~2 minutes)

A live link to some of the actual XO Movie Night videos is available in the description text of my video at YouTube.

Anchors Away!

--Lauren--


Posted by Lauren at 06:50 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein