February 22, 2016

FBI vs. Apple: A New Crypto Commission to Be Ignored?

As new revelations dribble forth regarding the FBI vs. Apple iPhone case, calls are rising in various quarters (both in tech and government) for the creation of Yet Another Commission of Experts to presumably take a more comprehensive look at the encryption sphere in terms of government desires vs. users' security and privacy.

I'm not opposed to serious commissions on serious matters. I am opposed to commissions whose membership is not representative of all stakeholders, or whose findings are used to disingenuously rubber-stamp existing policies -- or whose findings are simply ignored.

We saw an example of how commissions go wrong with the recent, rushed, FAA "drone registration" panel, which made a number of common sense recommendations that would have served both FAA needs and the privacy and other concerns of honest citizens -- recommendations that were largely ignored by the FAA in what appeared to be a preordained fashion.

A new crypto commission that was similarly castrated would not serve the public interest.

Based on information currently available, we can see that the government effectively locked themselves out of the iPhone in question -- I prefer to charitably assume through error and/or incompetence, rather than the darker possibility of a purposeful plan to force the crypto backdoor controversies more directly into the spotlight of politics during a contentious election year.

Passwords were changed under FBI orders that should not have been. San Bernardino officials did not avail themselves of common device management software that could have prevented this entire problem -- software of a sort that most responsible corporations and other organizations already use with company-owned smartphones in employee hands.

Add to these facts the reality that virtually every expert in the encryption field agrees that backdoor access to these devices' crypto systems puts all honest users' personal data at risk from black-hat hacking -- including from terrorists and other criminals -- and the possibility that any new crypto commission would quickly find itself at loggerheads seems very high indeed.

That all said, a truly representative crypto commission including a wide variety of participants -- not necessarily only the usual folks who seem to always turn up on government-sponsored commissions -- could still (at least in theory) serve a useful purpose in helping the community at large better understand these highly technical and complex issues that do not have simple solutions.

Whether such a commission actually should, could, or will be formulated, and not later be twisted into a mouthpiece for what the government wanted all along, remains to be seen.

I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at 08:39 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

February 19, 2016

Justice Dept. Bizarrely Condemns Apple's Privacy Stance as a "Marketing Strategy"

In the continuing battle between the FBI and Apple over access to the secured data of an iPhone, the Justice Department has today taken the bizarre tack of claiming that Apple is only trying to attract customers and doesn't really care about privacy at all.

Background info on this battle is at:

"What the FBI Really Wants from Apple -- and Why Apple Has Said No":


This twisted government logic has also surfaced from a number of pro-DOJ sources over the last 24 hours or so, and it's so Kafkaesque in nature that it almost takes your breath away.

Because what kind of idiot would want to entrust their personal data and communications to a firm that didn't care about their privacy and security?

Of course it's a good marketing plan to put your users' privacy first and foremost.

That's why Apple, Google, and various other firms put such enormous resources into developing and supporting these privacy and security systems, with some of the most brilliant teams on the planet. They aren't just great policy folks and engineers, they personally really care about these issues themselves. They have loved ones too!

It would not only be terrible marketing, but also ethically unacceptable not to put users' privacy first.

So yes, good marketing and good privacy and good security all go hand in hand -- win-win-win.

Or to put it another way, the DOJ is blowing smoke.

And they know it. They also know why this case is different from previous situations where Apple has helped them access iPhone data in the past -- revealing as a lie another DOJ argument, their claim that this is just about a single phone.

In fact, what the FBI is demanding in this case is something entirely different. Now they want Apple to create essentially a new phone cracking tool that has never existed before, specifically for the FBI to use.

That's what the government is really after right now. It's not really about this one phone at all -- it's about creating the legal precedent going forward that will allow the government to demand that tech firms create new methods specifically to try subvert the very security ecosystems that have been created to protect users in the first place!

The level of DOJ disingenuousness in play is simply staggering.

I almost feel sorry for the officials who have to trot out these self-humiliating arguments, that are so obviously facades.

No matter how this specific case turns out, we're on the cusp of data privacy being crushed like a bug -- at the hands of GOP and Democratic politicians alike.

Oh, and by the way Donald Trump, who today called for a boycott of Apple until they knuckle under to the FBI ... you're not just a dangerous racist, you're a fascist enemy of freedom. But Donald, do feel free to let me know if you disagree.

And that's the truth.

Be seeing you.

I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at 12:58 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

February 17, 2016

What the FBI Really Wants from Apple -- and Why Apple Has Said No

By now you may have heard that Apple is fighting a new court order that demands they provide a means for the FBI to continue attacking the encryption of an iPhone used by one of the attackers in the recent and horrendous San Bernardino mass shootings.

The FBI is taking a very interesting approach in this demand. Rather than order Apple to defeat the phone's encryption per se, they want Apple to disable the mechanisms in the phone's security system that are designed to erase the phone's data after multiple incorrect password entry attempts.

Apple's CEO Tim Cook has responded, accurately calling such an order unprecedented and the desired changes "too dangerous to create."

But what's the FBI really after? Let's think about this a bit.

Because I suspect that the FBI is actually setting a form of "trap" for Apple, Google, and other firms who are deploying strong, non-backdoored encryption in their products.

We can stipulate that in this case it's reasonable to assume that the FBI has essentially laudable motives, and that they think (or more likely simply hope) that the phone contains something useful other than old grocery lists and porn.

Contact lists would also be of interest to the Bureau, but by now any entries on such lists that had actually been recently used for calls or text messages would have almost certainly already been acquired via mobile carrier records.

What's so intriguing about this situation is that the FBI appears to be asking for Apple to provide a way for the Bureau to conduct a long-term "brute force" password attack on the phone. That is, trying vast numbers of passwords until they (if ever) happen to hit the correct one (given the time delay built into the system between password attempts, that could be quite a lengthy undertaking -- hell, even if the delay were disabled the possible passwords are still vast in number).

Does the FBI really believe that they can hit the correct password that way, given the opportunity to keep plugging away hour after hour, day after day, month after month?

Perhaps. More likely, they would initially try a circumscribed set of attempts that they hope will include the actual password, based on the typically crummy password selection methods that most users still employ, and that black hat hackers exploit every day, often with minimal effort.

But there's another possibility that seems even more dangerous.

The FBI may be trying to push Apple into demonstrating if the iPhone encryption ecosystem can be altered and modified without destroying the stored data, in this case to permit exhaustive password searches.

If any such change were shown to be practical on the iPhone, it would provide the basis for further government demands to more directly order Apple to participate intimately in efforts to decrypt the actual data itself.

In other words, what we're seeing play out right now may be the federal government's first real attempt to get "the camel's nose under the tent" of strong phone encryption systems, to try demonstrate any feasibility of full-blown backdoor attacks against these systems.

It's a damned clever approach. And it's clear that Tim Cook fully understands the associated potential for unraveling the entire foundation of strong encryption.

This makes it even clearer than ever why such attacks on these encryption systems are so dangerous to ordinary, law abiding citizens who increasingly depend upon them for so many aspects of their daily lives.

For if the government can gain access to these systems in such manners, it is axiomatic and unquestionable that evildoers of all stripes will find ways to do so as well, in a black hat hacking dream come true.

Health data. Financial data. Personal photos. Personal communications. And so much more.

Crack into these crypto systems -- even with the best of motives and promises galore of tight controls -- and they are forever suspect, effectively ruined, worse than useless since they can no longer be trusted by you, me, or our loved ones.

This is what's actually at stake in this case.

And that's why I support Apple's strong stance in this matter -- and why I hope you will as well.

I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at 08:58 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

February 16, 2016

The UK Government's Big Porn Lie -- and the Coming Global War Against VPNs

There are two particularly interesting developments occurring simultaneously in jolly ol' England and environs these days, as Her Majesty's conservative government pushes forward with their "Total Internet Control" policy effort.

This is largely a three-pronged attack on Internet freedoms and privacy, with the sharpened, curare-coated prongs aimed directly at the vital organs of the United Kingdom's residents.

Combined with other efforts in the EU -- such as expansions of their horrific "Right To Be Forgotten" (RTBF) censorship regime -- we can pretty clearly see the writing on the screens for where all this is leading -- not just in Europe but likely around the world.

In England, legislation focusing on archival of users' Internet browsing activity histories and other Internet usage "expanded metadata" retention requirements seem almost certain to become law in one form on another. A further push to ban strong end-to-end encryption without government-accessible backdoors (aimed at firms like Apple and Google) seems less certain to succeed for the moment, but still appears to be very much in play (and very likely to be enacted somewhere down the line in some form in any case).

And now comes word that the UK government wants to require "age verification" to prevent children from accessing "pornographic" websites. They're convening a panel of so-called experts to try find a magic wand to accomplish this impossible task.

Because it is impossible. Oh sure, you can come up with credit card and similar payment-based or other records-based means to apply at commercial sites that specialize in pornography. They'll be evaded and leaky but they'll have some impact.

Yet commercial porn is just a drop in the bucket. The Internet is awash in sexually explicit material of every possible genre, and the overwhelming vast majority of it is entirely free.

Leaving aside for the moment the eternal question of what "porn" actually is in any given context and in the eyes of any given beholder, most free sexually-oriented imagery isn't even on sites that are devoted to such content.

Photos, videos, and other "sexual" materials are even more likely to show up on individuals' blogging and interest pages broadly defined, and they're absolutely trivial to find and explore in depth (that's, uh, what I'm told, anyway -- uh, yeah).

Seriously though, sex is all over the Net. And attempts to block access to associated sites and individual pages would be entirely hopeless in the vast majority of instances, unless governments were willing to take particularly draconian steps.

And since we're talking about the current conservative UK government, we certainly can't take draconian off the table, or ignore how other governments around the world might follow such an example or are already moving in the same direction.

Clearly the ultimate method to control users' Internet activities is not to try ban sites and pages that are forbidden, but to only permit access to sites and pages that the government has already anointed as acceptable. In other words, instead of having a blacklist, you have a whitelist -- all that is not approved is verboten.

However, to move toward such controls there's something else you need to do also -- as the Chinese in particular have learned with their vast Internet censorship regime.

You need to try block Internet proxies and VPNs -- since both of these provide methods for knowledgeable users to bypass your mandated Internet restrictions that are the foundation of your censorship policies.

These technologies can enable accessing websites you've tried to block. They can permit web browsing without leaving an easily accessible browsing history trail. They can obscure attempts at encryption.

In other words, VPNs and proxies -- which can be so crucial for persons living under oppressive governments -- are seriously bad news for those governments trying to control their freedom loving citizen slaves.

Government officials will of course argue that they're only doing what's best for the little people -- protecting them from crime, terrorism, contaminating ideas, naked breasts, and so forth.

This is why -- peering into my flickering Crystal Ball of Technology Policy -- I predict that the current relatively low level battles against VPNs, proxies, and similar censorship evasion technologies in some parts of the world will bloom into all out global war in the relatively near future with both traditionally dictatorial governments and a range of supposedly democratically-oriented governments jumping on the bandwagon -- mostly using terrorism fears as their operative excuse.

Efforts to try convince governments not to move in these directions should and will continue, as will software engineering developments to harden, obscure, and protect VPN-style and associated technologies from blocking attempts -- likely to trigger a continuing sequence of technological attacks and counterattacks.

But if you think that government discussions and actions to monitor and control your use of the Internet were already starting to get a bit scary, you can count on one thing for sure.

You ain't seen anything yet.

I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at 10:42 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

February 11, 2016

Does Google Hate Old People?

No. Google doesn't hate old people. I know Google well enough to be pretty damned sure about that.

Is Google "indifferent" to old people? Does Google simply not appreciate, or somehow devalue, the needs of older users?

Those are much tougher calls.

I've written a lot in the past about accessibility and user interfaces. And today I'm feeling pretty frustrated about these topics. So if some sort of noxious green fluid starts to bubble out from your screen, I apologize in advance.

What is old, anyway? Or we can use the currently more popular term "elderly" if you prefer -- six of one and half a dozen of another, really.

There are a bunch of references to "not wanting to get old" in the lyrics of famous rock stars who are now themselves of rather advanced ages. And we hear all the time that "50 is the new 30" or "70 is the new 50" or ... whatever.

The bottom line is that we either age or die.

And the popular view of "elderly" people sitting around staring at the walls -- and so rather easily ignored -- is increasingly a false one. More and more we find active users of computers and Internet services well into their 80s and 90s. In email and social media, many of them are clearly far more intelligent and coherent than large swaths of users a third their age.

That's not to say these older users don't have issues to deal with that younger persons don't. Vision and motor skill problems are common. So is the specter of memory loss (that actually begins by the time we reach age 20, then increases from that point onward for most of us).

Yet an irony is that computers and Internet services can serve as aids in all these areas. I've written in the past of mobile phones being saviors as we age, for example by providing an instantly available form of extended memory.

But we also are forced to acknowledge that most Internet services still only serve older persons' needs seemingly begrudgingly, failing to fully comprehend how changing demographics are pushing an ever larger proportion of their total users into that category -- both here in the U.S. and in many other countries.

So it's painful to see Google dropping the ball in some of these areas (and to be clear, while I have the most experience with the Google aspects of these problems, these are actually industry-wide issues, by no means restricted to Google).

This is difficult to put succinctly. Over time these concerns have intertwined and combined in ways increasingly cumbersome to tease apart with precision. But if you've every tried to provide computer/Internet technical support to an older friend or relative, you'll probably recognize this picture pretty quickly.

I'm no spring chicken myself. But I remotely provide tech support to a number of persons significantly older -- some in their 80s, and more than one well into their 90s.

And while I bitch about poor font contrast and wasted screen real estate, the technical problems of those older users are typically of a far more complex nature.

They have even more trouble with those fonts. They have motor skill issues making the use of common user interfaces difficult or in some cases impossible. Desktop interfaces that seem to be an afterthought of popular "mobile first" interface designs can be especially cumbersome for them. They can forget their passwords and be unable to follow recovery procedures successfully, often creating enormous frustration and even more complications when they try to solve the problems by themselves. The level of technical lingo thrown at them in many such instances -- that services seem to assume everyone just knows -- only frustrates them more. And so on.

But access to the Net is absolutely crucial for so many of these older users. It's not just accessing financial and utility sites that pretty much everyone now depends upon, it's staying active and in touch with friends and relatives and others, especially if they're not physically nearby and their own mobility is limited.

Keeping that connectivity going for these users can involve a number of compromises that we can all agree are not keeping with ideal or "pure" security practices, but are realistic necessities in some cases nonetheless.

So it's often a fact of life that elderly users will use their "trusted support" person as the custodian of their recovery and two-factor addresses, and of their primary login credentials as well.

And to those readers who scream, "No! You must never, ever share your login credentials with anyone!" -- I wish you luck supporting a 93-year-old user across the country without those credentials. Perhaps you're a god with such skills. I'm not.

Because I've written about this kind of stuff so frequently, you may by now be suspecting that a particular incident has fired me off today.

You'd be correct. I've been arguing publicly with a Google program manager and some others on a Chrome bug thread, regarding the lack of persistent connection capability for Chromebooks and Chromeboxes in the otherwise excellent Chrome Remote Desktop system -- a feature that the Windows version of CRD has long possessed.

Painfully, from my perspective the conversation has rapidly degenerated into my arguing against the notion that "it's better to flush some users down the toilet than violate principles of security purity."

I prefer to assume that the arrogance suggested by the "security purity" view is one based on ignorance and lack of experience with users in need, rather than any inherent hatred of the elderly.

In fact, getting back to the title of this posting, I'm sure hatred isn't in play.

But of course whether it's hatred or ignorance -- or something else entirely -- doesn't help these users.

The Chrome OS situation is particularly ironic for me, since these are older users whom I specifically urged to move to Chrome when their Windows systems were failing, while assuring them that Chrome would be a more convenient and stable experience for them.

Unfortunately, these apparently intentional limitations in the Chrome version of CRD -- vis-a-vis the Windows version -- have been a source of unending frustration for these users, as they often struggle to find, enable, and execute the Chrome version manually every time they need help from me, and then are understandably upset that they have to sit there and refresh the connection manually every 10 minutes to keep it going. They keep asking me why I told them to leave Windows and why I can't fix these access problems that are so confusing to them. It's personally embarrassing to me.

Here's arguably the saddest part of all. If I were the average user who didn't have a clue of how Google's internal culture works and of what great people Googlers are, it would be easy to just mumble something like, "What do you expect? All those big companies are the same, they just don't care."

But that isn't the Google I know, and so it's even more frustrating to me to see these unnecessary problems continuing to persist and fester in the Google ecosystem, when I know for a certainty that Google has the capability and resources to do so much better in these areas.

And that's the truth.

I have consulted to Google, but I am not currently doing so -- my opinions expressed here are mine alone.

Posted by Lauren at 12:18 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

February 10, 2016

Call for Participation: Internet Political Trolls Collection Project 2016

It's no secret that vile political trolls remain massively at large in the social media landscape during this USA 2016 presidential election season.

But who are they? Who are their targets? Who do they support? What are the specific aspects of their attacks in social media comments and their other postings?

I've begun a survey to collect some detailed data on these and related questions from anyone who has themselves observed politically-oriented trolls on social media. It should take only a few minutes to complete, and you can return as often as desired to report additional trolls.

Your participation (and that of anyone else with whom you feel comfortable sharing this survey for their participation) will be greatly appreciated.

I consider individual survey responses to be private and will only publicly report aggregate and summary data from this effort.

The survey -- "Internet Political Trolls Collection Project (USA 2016)" -- is at:


Thanks very much!

Be seeing you.

And please don't feed the trolls!


Posted by Lauren at 01:06 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein