Avoiding the All-Seeing Eye

Not too long ago I posted Privacy and Data Security for the Normal Person and provided general steps the average computer user can take to protect privacy and security online. In the wake of the disclosures about NSA monitoring, many people have wondered what it would take to actually protect communications from being monitored by governments.

The short answer was provided long before the advent of the computer:

“Three may keep a secret, if two of them are dead.”
― Benjamin Franklin, Poor Richard’s Almanack

But, assuming that you have a secret that you’re willing to risk communicating to someone else, how can you do it while minimizing the chances that someone else will get access to it?

One thing that frequently gets mentioned is the idea of encrypting your email using something like PGP. The truth is that most of the world does not use email encryption precisely because it is hard to use. Tools like Silent Circle’s SilentMail and BitMessage provide good alternatives.

While PGP and other tools can protect the contents of your messages, if you’re using any cloud-based service (like GMail) to compose your messages, the unencrypted versions of your drafts are leaving your computer and flying through the aether, which means they can be monitored. Also, if your recipients are using any cloud service, then once they decrypt the message, it’s stored in unencrypted form on that cloud service. So, if you want to make sure that your encrypted messages have to be decrypted before someone like the NSA could read them, both you and your recipient have to be encrypting/decrypting your messages before they leave your computer. One way to do this would be to compose your messages in a word processor, encrypt the files and send them as an attachment to an email that your recipient can download and decrypt on his/her computer at home.

The next level of protection would be to follow the advice of this article from Scientific American on how to set up and manage your own email server. For the technically minded DIY-ers, this is a good way to take control of your own email, and there are advantages to this beyond some level of protection from commercial and governmental monitoring.

Be aware, though, that being responsible for your own email server means being responsible for your own backup and recovery. There are many cloud-based services that provide backup services, but, again, once your unencrypted data is in the cloud, it can be monitored. To protect information in the cloud, you can use something like Cloudfogger in conjunction with a cloud storage service like Dropbox.

Managing your own email server only covers the sending side of the equation, though. You need to make sure that your recipients handle their email securely as well, which can limit the number of people with whom you communicate securely. On top of that, the first layer of what the NSA has been collecting is not the contents of messages but rather the metadata associated with the email – who it is from, who it is to, etc. As this article shows, just using modern tools to analyze communications metadata can reveal plenty of interesting information.

Metadata Dog

So, in addition to you and your fellow communicators maintaining your own email servers and using them to send PGP-encrypted mail, if you really want to minimize the chances of being monitored:

Browsing: When browsing the net you can mask your identity by using an anonymizing tool like Tor. For search, rather than Google or Bing you can use an alternative like Ixquick, which says it does not log any IP addresses or search terms or share information with third parties. Ixquick also has a “proxy” service that allows you to look at other websites through the Ixquick service, so that your browsing of those other sites is also protected. However, there are some technical limitations and downsides to the proxy service.

IM/Text: For encrypted IM you can try Off-the-Record with Pidgin (Windows) or Adium (Mac) plugins. Like running your own email server, installing these services can be technically challenging and require patience. Options for more secure texting include Silent Circle’s SilentText and WhisperSystems’ TextSecure. Like email, your communications are only as safe as your recipients are willing to make them.

Online phone/video chats: For online phone/video chats, you can avoid the major services like Skype and Gchat by moving to more secure alternatives like Jitsi (which can be used for P2P encrypted audio/video chats) or SilentEyes.

Telephone: The nice thing about phone calls is that the data is ephemeral. To protect your calls from eavesdropping or stop a government entity from obtaining metadata about who you are calling and when, you could use an encryption app like Silent Circle’s SilentPhone or WhisperSystems’ RedPhone to make and receive encrypted calls.

At the end of the day, though, if a state actor wants to know what you’re talking about, they will find out.

Posted in cloud, cybersecurity, privacy

The More That Things Change …. Bitcoin Bumps Up Against the Golden Rule*

[UPDATED 7/22 – Added information about Secret Service Operation Open Market and its relationship to the shutdown of Liberty Reserve.]

*Them that has the gold, makes the rules.

For the last decade or so, governments and mainstream businesses have been taking incremental steps towards recognizing the value of virtual goods and currencies.

As early as 2005, the NY Times reported that there were over 100,000 people employed as professional “gold farmers” in China. In 2008, the US National Taxpayer Advocate, in her annual report to Congress (PDF), recognized that the digital assets acquired in virtual worlds have real world value and recommended that the IRS take steps to clarify the tax issues around the trading of those items. (The relevant portions of the report are extracted here.) Also in 2008, China imposed an income tax of 20% on income derived from the online trade of virtual currencies.

In 2011, Chinese insurance company Sunshine Insurance Group introduced a “virtual property” insurance product to address “an increasing number of disputes between online games operators and their customers, which are often related to the loss or theft of gamers’ virtual property such as ‘land’ or ‘currency’.”

This year we’ve seen an acceleration of action in the financial and governmental arena related primarily to virtual currencies and their poster child, the “cryptocurrency” Bitcoin.

In March, the US Dept. of Treasury Financial Crimes Enforcement Network (FINCEN) issued what is so far the most specific piece of regulatory Guidance on the financial regulatory issues with virtual currencies (FIN-2013-G001 “Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies”). This guidance clarifies the applicability of the Bank Secrecy Act (“BSA”) to entities creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies, and relates to a wide variety of virtual currencies. The Guidance applies to those who are “exchangers” and “administrators” of virtual currencies, rather than “users” of virtual currencies. Basically, if you acquire virtual currency and then use it to buy something else – virtual or real – you’re a user; if you trade virtual currencies, you’re an “exchange;” and if you issue/redeem a virtual currency, you’re an “administrator.” For more in depth analysis of the FINCEN Guidance, go here (PDF).

In April, a bar in NY became the first real world business to accept Bitcoin (although the first transaction trading real world goods for Bitcoins is believed to have been in 2010). At the same time, Fox News reported that with over $1 billion in Bitcoins in circulation, the Bitcoin economy exceeded the economies of 20 other countries.

With all that money at stake, you can be sure the tax authorities are taking notice, and in May, the U.S. Government Accountability Office issued a report (PDF) detailing the tax-reporting requirements for virtual currencies and the inherent challenges in trying to achieve compliance. BNA has a good article on some of the tax issues associated with use of currencies like Bitcoin.

If you think you might be an “exchange” or an “administrator” and you do business in the US, I strongly recommend you seek legal counsel, because on May 17 Federal authorities seized a bank account associated with one of the leading Bitcoin exchanges on the grounds that the account owner, Mutum Sigillum LLC (a subsidiary of Japan-based Mt. Gox, the world’s biggest Bitcoin exchange), was not registered as a money transmitter in violation of 18 USC § 1960 – Prohibition of unlicensed money transmitting businesses. Then on May 28, the U.S. Dept of Treasury designated Liberty Reserve S.A., a virtual currency provider, as a financial institution of primary money laundering concern under § 311 of the USA PATRIOT Act on the grounds that its virtual currency is “specifically designed and frequently used to facilitate money laundering in cyber space.” At the same time, the U.S. Attorney’s Office for the Southern District of New York unsealed an indictment that charged Liberty Reserve and seven of its principals with allegedly running a $6 billion money laundering scheme and operating an unlicensed money transmitting business. For more information about the government’s investigation into Liberty Reserve, see this article.

With all of this attention from financial regulatory authorities, it’s no wonder that US banks are getting leery of Bitcoin businesses. In April, the world’s fourth-largest Bitcoin exchange, BitFloor, had to close down after its bank closed the company’s account. Given the risk of disruption, many Bitcoin-based businesses have been looking over their shoulders in fear that their banks will decide to shut them down.

Enter an unlikely savior – the Internet Archive, or, more accurately, the Internet Archive Federal Credit Union. According to this report, IAFCU has taken on a half-dozen Bitcoin businesses.

Virtual currencies are hitting the mainstream, and governments desperate for money and eager to prosecute sexy-sounding cybercrimes are taking notice.

Posted in BitCoin, virtual currency

Unintended Consequences of Online Tools

As I’ve noted before, you can share too much online. But a few recent stories about unintended uses of new online tools caught my eye to serve as a warning about the Law of Unintended Consequences.

First, there’s this story about how people in Africa are using the mobile phone payment system M-Pesa when they are suspicious that their partner is cheating on them. Basically, when you suspect your partner is cheating because he/she is constantly receiving calls/texts from a number that doesn’t have contact information associated with it, you can use M-Pesa to send a minimum payment (less than $1). When you send the money, you receive a confirmation with the identity of the recipient, enabling you to either confirm your suspicions or at least confront your partner about the identity of this mysterious caller.

Second, there’s this story from Julia Dawidowicz at AnimalNewYork.com about how clip-on health trackers can disclose when you’ve been engaging in “vigorous” activity while remaining in one place.

BodyMedia armbands and Basis watches are gaining popularity in the tech world as a way to monitor and share fitness data with doctors, trainers, and even social media friends. Each type of physical activity produces its own unique “signature” — that is, the sharable line graph will look different when you do yoga than when you go for a run. Or when you have a sweaty romp in the bedroom.

Dawidowicz goes on to say, “If you thought secret email reading or phone bill snooping was bad, just imagine the possibilities these devices will offer the controlling, jealous crazies of the world if when they become part of our daily repertoire.”

And speaking of the “controlling, jealous crazies of the world,” there have been a few stories about people using LinkedIn as a stalking and harassment vehicle, this one from BuzzFeed, and this one from Huffington Post about a Change.org petition for LinkedIn to add a “block” feature.

All of these go to show that sharing information online can have a dark side, as well. Be careful what you put out there.

Posted in mobile apps, privacy, social media, Uncategorized

The Hazards of Self-Service IT

Until the advent of peer-to-peer and cloud-based services, corporate systems were developed/acquired, deployed and managed by IT managers and sysadmins. Access to server-level resources (including large storage volumes) was tightly controlled, laptops and desktops were locked down, and even in environments where users had administrator rights to their own devices, the worst someone could do was install an application. Granted, that application might’ve been an infected version of Elf Bowling, but malware frequently caused problems that were quickly brought to the attention of IT and the system as a whole was monitored by corporate anti-virus and intrusion detection systems so the damage could be contained.

However, with the rapid growth and acceptance of cloud technologies, a new model for IT service design and deployment has evolved and users are working around corporate systems they view as inefficient or lacking in functionality by using “do-it-yourself” cloud services. This ranges from using personal email for official communications to sharing files via a service like Dropbox or an externally-hosted SharePoint instance to using a cloud-based CRM.

A post on the July 12, 2013, WSJ Japan RealTime blog provides an example of what can go wrong.

In January, senior Japanese officials attending a conference in Geneva decided to use Google Groups to communicate with one another and colleagues back home rather than use the agency’s group email system, which apparently had a reputation for being slow when used internationally.

Throughout the conference, officials exchanged a total of 66 emails regarding the treaty being negotiated and media reactions in Japan. The messages included details on meetings with the Swiss and Norwegian delegations and draft statements to be made by the head of the Japanese delegation.

Unfortunately, the team failed to realize that, like so many social networks that assume anyone using their service must want to share information with the whole world, the default privacy setting for Google Groups allows public access to all discussions. [Ob. plug for Privacy by Design]

Although this unprotected use of Google Groups was technically a violation of the agency’s policies, this is simply an example of end users taking IT into their own hands because (a) they consider the officially-approved solution to be inferior to what’s available outside of the offerings provided by IT, and/or (b) getting approval for use of a different solution involves excessive bureaucracy and red tape. Even the cloud-based services that require payments are so cheap and easy that they are within the signing authority of lower levels within the organization. IT never even sees the bills.

Looking further into the matter, the [Japanese government] found the situation to be far more widespread, involving many other government and public organizations. It found there were more than 6,000 cases of personal and central-government data being available for anyone to view on Google Groups.

Seven medical institutions and nursing facilities had no restrictions on their group discussions, which included medical information on more than 300 patients and the health records of high-school students.

Other government bodies, including the tourism and transport ministry, the agriculture ministry and the earthquake reconstruction agency, also had business-related emails open to the public.

Unfortunately, as the Japanese conference delegation demonstrated, when users bypass approved systems, they also bypass IT’s ability to protect the organization’s networks and sensitive information. In addition to exposing sensitive information, the use of unapproved (and unknown) external services can open a hole for a potential network security breach.

The problems created by “self-service” cloud usage go even further than confidentiality and security. When employees leave, you may lose access to those password-protected accounts (even if you knew they existed), and if you end up in litigation you may have had a duty to preserve that information and/or produce it as part of a discovery request. Even if you have access to the accounts, cloud providers may not store information in an easily accessible, legally compliant (i.e., “reasonably usable”) format. Facebook and other social media services are not e-discovery friendly, and if you don’t have access to the accounts, obtaining information without the employee’s password/cooperation may require litigation against that cloud provider.

“Not In MY Organization!”
According to the recent “State of Cloud Security” survey of 700 IT decision makers by the Ponemon Institute, 50% of the respondents were confident they know all cloud services in use in their organization. (This number was 45% in 2010.) While I leave you to draw your own conclusions, the Japanese example might suggest that some of those respondents are overconfident. Even if that number is correct, that means at least half of organizations may have “rogue” cloud services in use.

So, odds are that your organization has at least some “self-service” cloud usage. IT should work with senior management, legal (and privacy/compliance if they aren’t within legal) to establish a policy for cloud services usage. The policy should clearly explain the risks associated with unauthorized “self-service” cloud services and specify the penalties for failure to comply with the policy. (These penalties need to be enforced consistently at all levels of the organization.)

Once the policy is in place, IT departments should include education about the policy and the risks created by these services as part of regular end user training. But policies and training only go so far, because users will always try to circumvent systems or approval processes they view as inhibiting their ability to get their job done. So IT needs to develop systems and procedures to detect suspicious cloud activity.

First, and foremost, IT should be performing proactive monitoring for unauthorized cloud usage as part of SOPs. Reports/alerts should be set to identify suddenly changing patterns of network traffic, suspicious network activity traversing intrusion detection/prevention systems, or unusual shifts in demand for data storage. All of these could be signs of “self-service” cloud activities.
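One way to start on the monitoring described above, as an added example that is not part of the original post: it scans web-proxy log lines for traffic to cloud services that are not on an approved list and marks users whose upload volume to such a service crosses a threshold. The log format, the domain lists and the threshold are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Assumed lists: maintain these from your own policy and vendor inventory.
KNOWN_CLOUD = {
    "dropbox.com": "Dropbox",
    "groups.google.com": "Google Groups",
    "salesforce.com": "Salesforce",
    "amazonaws.com": "AWS",
}
APPROVED = {"salesforce.com"}          # services IT has sanctioned (assumption)
UPLOAD_ALERT_BYTES = 50 * 1024 * 1024  # per user, per service (assumption)

# Constructed sample in an assumed proxy format:
# timestamp user method host bytes_sent bytes_received
SAMPLE_LOG = """\
2013-07-15T09:01:02 alice POST client.dropbox.com 41943040 512
2013-07-15T09:03:10 alice POST client.dropbox.com 20971520 512
2013-07-15T09:05:44 bob GET groups.google.com 830 15200
2013-07-15T09:06:01 carol POST na1.salesforce.com 90000000 2048
2013-07-15T09:07:30 dave GET intranet.example.com 400 9000
this line is malformed and should be skipped
"""

def match_service(host):
    """Return the KNOWN_CLOUD key that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in KNOWN_CLOUD:
        # Suffix match on a label boundary, so "notdropbox.com" does not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def parse(lines):
    """Yield (user, host, bytes_sent) for well-formed lines only."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        yield parts[1], parts[3], int(parts[4])

def find_unapproved(log_text):
    """Total upload bytes per (user, service) for unapproved cloud services."""
    totals = defaultdict(int)
    for user, host, sent in parse(log_text.splitlines()):
        domain = match_service(host)
        if domain and domain not in APPROVED:
            totals[(user, KNOWN_CLOUD[domain])] += sent
    return dict(totals)

def report(log_text):
    """Return sorted findings; 'high' marks upload volume over the threshold."""
    findings = []
    for (user, service), sent in sorted(find_unapproved(log_text).items()):
        level = "high" if sent >= UPLOAD_ALERT_BYTES else "info"
        findings.append((level, user, service, sent))
    return findings

if __name__ == "__main__":
    for level, user, service, sent in report(SAMPLE_LOG):
        print(f"[{level}] {user} -> {service}: {sent} bytes uploaded")
```

An "info" finding such as read-only access to Google Groups is still worth a conversation with the user, since free services never show up in expense reports.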

Going beyond automated tools, IT should already have a “feel” for the systems and/or security procedures that cause users to chafe, and which users are the most frustrated by them. By working with various departments and users on a proactive basis to address these problems and provide solutions, IT can be viewed as a facilitator rather than a hindrance. Among other things, Accounting can look for reimbursements for payments to cloud providers. While that won’t detect use of free services like Google Groups, it will detect regular usage of things like Dropbox, AWS and SalesForce.com.

Recognize also that people like to brag about their solutions to problems they’ve experienced. Walking around and talking to people about how they use their existing systems and their day-to-day activities can reveal a host of information about actual issues and needs as well as how people are circumventing systems and policies to get their work done.

Got ‘Em!

Once you detect use of unauthorized cloud services in your organization (no, that wasn’t supposed to be “If you detect…”), what should you do?

First, remember that, in general, people only create their own solutions when they feel like the existing solutions/procedures prevent them from getting their job done.

Given that, resist the impulse to shut it down immediately unless the cloud service creates an immediate security or compliance threat. Take an objective look at the solution and determine whether the person/people using it simply didn’t understand functionality offered by existing systems (i.e., a training problem), whether the functionality can be provided as efficiently by existing systems (i.e., it’s available but may not have been turned on or provided to that group) or if the cloud service can be merged into the supported environment. Also, look into monitoring tools that can detect use of that service by others, because when one person finds a solution to a problem they share the solution with their co-workers who have similar problems.

Posted in cloud, cybersecurity, privacy

FTC Reports That Many Mobile Apps May Not Be COPPA Compliant

Originally posted February 17, 2012

On Feb. 16, 2012, the Federal Trade Commission released a staff report titled, “Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing,” in which the FTC criticized companies for failing to properly disclose to parents how the companies are collecting personal data through mobile applications (“apps”) aimed at young children.

Available at http://www.socialgameslaw.com/2012/02/ftc-reports-that-many-mobile-apps-may-not-be-coppa-compliant.html

Posted in mobile apps, privacy, social media

Data on the Effect of the EU Cookie Rule

Originally posted June 27, 2011

The EU “Cookie Rule,” which requires companies with European customers to get informed consent from visitors to their websites in order to use most cookies (other than those “strictly necessary” for the service requested by the consumer), went into effect on May 25.

Available at http://www.socialgameslaw.com/2011/06/data-on-the-effect-of-the-eu-cookie-rule.html

Posted in privacy

You Can’t Take It With You – Death and the Virtual World

Originally posted April 13, 2011

A UK charity recently did a survey to look at how people deal with the idea of death and digital music, photography and online bank accounts. Their research found that although 80% of those surveyed have such things, fewer than 10% have given any thought about what should happen to those assets when they die. More than half also said their computers contained important domestic and personal information which could not be accessed by family members.

Available at http://www.socialgameslaw.com/2011/04/you-cant-take-it-with-you—death-and-the-virtual-world.html

Posted in privacy, social media, TOS, virtual worlds