Future Tense
The Citizen's Guide to the Future

March 7 2017 1:34 PM

WikiLeaks Has Released a Trove of Documents Detailing the CIA’s Hacking Capabilities

On Tuesday, WikiLeaks released thousands of new documents it claimed were from the Central Intelligence Agency. The documents, which detail some of the CIA’s hacking capabilities, are part of a larger trove of data WikiLeaks says it will continue to release in a series. WikiLeaks is calling the series Vault 7 and has named Tuesday’s dump Year Zero:

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

“Year Zero,” WikiLeaks writes, “introduces the scope and direction of the CIA’s global covert hacking program, its malware arsenal and dozens of ‘zero day’ weaponized exploits” against vulnerabilities in smartphones, computers, and Samsung smart TVs. The smartphone vulnerabilities reportedly allow the CIA to hack into phones running popular secure messaging apps like Signal and WhatsApp and intercept messages and data before the apps’ encryption is applied. (While some on Twitter have interpreted this to mean that Signal has been "broken,” that isn’t the case.) The dump also reportedly reveals ways in which the CIA has attempted to cover its digital tracks in its hacking efforts and the location of a major base for CIA hackers in Europe.

WikiLeaks says many of the hacking tools described in Vault 7 were made unclassified to skirt rules on posting classified information to the internet—most of the CIA’s malware requires the use of the internet for communication. “This means that cyber ‘arms’ manufactures and computer hackers can freely “pirate” these ‘weapons’ if they are obtained,” WikiLeaks claims. “The CIA has primarily had to rely on obfuscation to protect its malware secrets.”

WikiLeaks says it has elected not to release the actual code for the CIA’s malware and cyberweapons “until a consensus emerges on the technical and political nature of the CIA’s program and how such ‘weapons’ should analyzed, disarmed and published.”

The New York Times reported that a former intelligence officer it contacted has said the some of the information included in the dump “appears to be genuine.” David Kennedy, CEO of the information security firm TrustedSec, told Wired the dump’s information appeared genuine as well:

“From what I can tell, this seems to be legitimate,” says David Kennedy, CEO of TrustedSec, who formerly worked at the NSA and with the Marine Corps’ signals intelligence unit. “It shows expansive capabilities of the CIA and divulges NSA tools as well. But a lot of it seems to be missing, as far as direct codebase used for these.” Wikileaks says it redacted much of that more specific information.
Those redactions, in part, make it difficult to ascertain just how comprehensive the leaked information is. In spite of Wikileaks’ claims, it is only a small fraction of the CIA’s total arsenal.

March 6 2017 3:41 PM

Futurography Newsletter: Cybersecurity and the New Space Race

Hello, fellow Futurographers,

This month, Futurography is focusing on the new space race, a competition that’s no longer just about the old Cold War superpowers. We’re starting with a conversational introduction to the geopolitics of space that’ll help bring you up to speed about why everyone from India to Luxembourg is heading for the heavens. We’ve also got our usual cheat sheet, laying out key players, further readings, big debates, and other information.

There’s plenty more coming in the weeks ahead, including an event Wednesday event in Washington: “Will Collaboration or Competition Propel Humans to Mars and Beyond?” Even if you can’t attend in person, we’ll be streaming the event online, so there’s no excuse to miss it.

In the meantime, here’s what we published in last month’s course on cybersecurity self-defense:

Once you’ve read all of those, test your knowledge with our quiz on the topic. And check out what other Slate readers had to say.

Blasting off,

Jacob Brogan

for Future Tense

Future Tense is a partnership of Slate, New America, and Arizona State University.

March 6 2017 3:33 PM

What Slate Readers Think About Personal Cybersecurity

170104_FUTUROGRAPHY_backToArt718

Over the past month we’ve published articles about cybersecurity self-defense as part of our ongoing project Futurography, which introduces readers to a new technological or scientific topic each month. We’ve published a lot of practical articles on the topic, but we’re also interested in what you have to say, so we’ve written up the results of our survey on the topic. Meanwhile, Futurography continues with our March course on the new space race.

Futurography readers offered a wide range of responses in response to our question about their relative levels of confidence in their personal cybersecurity. Many claimed that they were somewhere between “moderately” and “very” confident (“My stuff is probably better secured than most people’s stuff,” one claimed), but others were less sure of themselves. “I do a[n] inadequate job, but feel the alternatives are worse,” a reader wrote, and another described him or herself as merely “cautiously alert.” One went so far as to describe him or herself as “helpless,” writing that even trying to read the fine print on smartphone apps “just makes me feel more anxious.”

Whatever their feelings, almost all agreed about the one cybersecurity technology we should all be employing: password managers. While others advocated complex, unique, or frequently changed passwords, most of our readers simply focused in on the value of this relatively accessible security strategy. “Perhaps the best reason is to keep track of your accounts on different apps and services so that you can shut down old stuff you don’t use and so on,” one typical respondent wrote.

That said, a few offered objections to commercial password management systems and proposed alternative solutions. Concerned that password managers “all send stuff over the net,” one such reader explained, “I do have one which does not use the net for anything, so I have to carry it around with me. It keeps my password list in a 128-bit encrypted text file on a USB drive. I only plug this into a PC I know is clean (which is increasingly hard to know.)” Another reader suggested that the old-fashioned method may be the best one, telling us, “I use paper and pen to keep track of passwords, why have PW info anywhere on line if you’re worried about having your PW compromised?”

This approach squared with another reader’s suggestion that “less technology” may be key to our cybersecurity best practices. “Segmenting that technology into specific areas of our lives and keeping control of it should be the priority,” he or she wrote. Other popular answers on that front included setting up two-factor authentication and relying on apps such as Signal that feature end-to-end encryption. And at least one suggested good cybersecurity doesn’t necessarily begin at home, echoing Jamie Winterton’s warning that you should be very cautious about connecting to public Wi-Fi.

When it came to the cybersecurity threats that actually worry them, the majority of readers pointed to ransomware. Many others identified phishing—attempts to trick the unsuspecting into furnishing their passwords or other information—as a prominent concern. A few suggested that this wasn’t necessarily because they thought they would fall prey to some scheme, but because, as one put it, they feared “relatives or others tied to me” might. Similarly, some mentioned that they were troubled by the possibility big data leaks, especially of records from government agencies such as the Internal Revenue Service or the Social Security Administration.

Not everyone agreed with those conclusions, and a few ranked some of those prominent answers among the most overrated cybersecurity threats. Others rolled their virtual eyes at topics such as car hacking, retail breaches, basic computer viruses. To that last one, a respondent wrote, “Those are just toys that some bored kid makes.” Despite that, many of our readers claimed that they do use anti-virus software. Those who said they didn’t mostly identified themselves as Mac users, though a few others seemed to agree with Michael Thornton’s suggestion that you just can’t rely on such programs these days.

One way or another, the majority of our readers seem to be cautious types. Many who wrote in proposed that it’s important to acknowledge all possible threats, however insignificant they may seem. As one put it, “[N]othing is overrated in cybersecurity.”

This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down.

March 3 2017 12:38 PM

After Mike Pence’s AOL Account Was Hacked in 2016, He Started Another One

On Thursday, the Indianapolis Star reported that Mike Pence had employed a personal email account for official correspondence while serving as governor of Indiana. As the Star observes, this revelation—much like other stories about government officials using private email—raises important transparency questions. It’s also obviously hypocritical, coming as it does from an official who attacked Hillary Clinton for similar missteps—not least of all because scammers hacked his account in 2016 and sent out an email to his contacts list, pretending that he was stranded in the Phillipines and needed money.

More puzzling, though—or at least more amusing—was Pence’s choice of email providers. In an age of easily accessible Gmail accounts and customizable domains, Pence continued to rely on America Online for his email needs. Pence was, in fact, so committed to the platform that, according to the Star, “He also set up a new AOL account” after apologizing to those who’d received a scam message from his account.

Yes, that AOL. The one whose signup CDs you used as frisbees.

Once upon a time, Pence’s choice of providers would have been unremarkable: In the early days of the commercial internet, it all but went with territory. Since then, however, the domain has become vaguely embarrassing. Rightly or wrongly, to keep employing AOL was to implicitly admit that you didn’t really get the internet—that you were happier to let the spider come to you than to crawl the web of your own accord.

Over the years, some have pushed back against that largely unspoken premise. Most notably, in a 2011 Politico blog post, Ben Smith suggested that AOL accounts might actually be status symbols. Claiming that they were still employed by figures such as Dick Morris, Ann Coulter, and Matt Drudge, Smith wrote that he’d “started to notice a certain prestige attached to the AOL.com survivors.” Adrian Chen quibbled with Smith’s conclusions, arguing, “This is another example of the sycophantic logic that twists powerful people’s flaws into reinforcing how much better they are than normal people.”

As Mike Pence demonstrates, though, the powerful do use AOL, whether or not they employ it to prove how powerful they are. Perhaps Pence’s choice was more like that of Slate’s Derreck Johnson, who wrote in 2014 that he’s been using the same AOL address since the mid-’90s. “Do I hold onto it for the same reason I hold onto my Air Huaraches and my seemingly endless back issues of The Source? Possibly,” Johnson asked and answered. But ultimately, his persistence was (and remains! He’s still got the account) a matter of simple practicality. “I just haven’t switched because I haven’t needed to,” he wrote.

But if that’s the case for Pence, we still have to account for a lingering detail—that he apparently created a new AOL account after his old one was hacked. (Why, one wonders, did he not simply initiate account recovery protocols and change his password? Did he think his account was tainted? Haunted, perhaps?) Assuming the Star’s reporting on this detail was right, we have to assume that Pence was so committed to AOL that he was willing to keep using it, even if that meant starting over with a new, unfamiliar address.

In an attempt to better understand the new vice president’s mindset, I did something I would have never expected to do in 2017: I created a new AOL account of my own.

Today, the AOL.com homepage is a busy mess, seemingly designed to cram as much information into as little space as possible. If you’re logged in, it’ll give you the weather, local news, your horoscope, and more, all condensed onto a single screen, and available with minimal scrolling or clicking. This is the distant descendant of the company’s old quasi-walled garden model, the entire internet (or a simulacrum thereof) writ-small and rendered safe. So long as you remain incurious, there’s enough here to distract you all day.

AOL’s email application, by contrast, feels at least a little more contemporary. On first pass, its design is reminiscent of Gmail’s. But look a little closer and you’ll start to notice the sort of features you might associate with the AOL of old. Button placement on the formatting bar emphasizes file attachment and image insertion—the better, presumably, to forward along those adorable pictures of your grandkids. Similarly, it offers users easy access to emojis, but only 16 of them, enough to enable expressive correspondence, but not enough to beget choice paralysis. As in many other email clients, the font defaults to Arial—a largely inoffensive sans serif option—but click the dropdown to switch it up, and the first alternative it furnishes is Comic Sans. (Google Inbox, by contrast, defies alphabetical order and buries Comic Sans in the middle of the list, as if to avoid accidental clicks. And unlike AOL Mail, it eschews WingDings altogether.)

Good luck to those employing these features to their fullest, though. When I tried to send Slate’s Katy Waldman an email showing off the newfound ease with which I could switch between colors and fonts, the service cut me off, telling me only, “The message was not sent because of an error.” After I tried a few more times, it finally acknowledged that it was concerned that I was a spammer, and made me pass a test to prove that I wasn’t a bot.

Given that I had just created my account and wasn’t writing in complete sentences, AOL’s caution was probably appropriate. And while I don’t doubt that other email providers have similar protections in place, it somehow seems apt that the once ubiquitous AOL would be so hesitant about a new user. Why would anyone join AOL in this day and age, if not to fill the internet up with more garbage? But it also makes one wonder how the message from Pence’s hacked account, which went out under the subject line “Nefarious News !!!” and featured at least three significant errors in its first sentence, passed muster.

This is all to say, I almost get it. AOL may be dorky, but it’s convenient and mostly functional. As it happens, though, Pence may have moved on as he moved up in the world. In January, CNN reported that the official vice president Twitter handle linked to a Gmail account.

March 2 2017 4:41 PM

Netizen Report: Man in Myanmar Sentenced to Prison for Defaming Aung San Suu Kyi on Facebook

The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in internet rights around the world. It originally appears each week on Global Voices Advocacy. Ellery Roberts Biddle, Leila Nachawati, and Sarah Myers West contributed to this report.

new advox logo

In a manifesto published in mid-February, Facebook CEO Mark Zuckerberg laid out a sweeping vision of the social network’s role in “bringing us all together as a global community.” It echoed a 2015 Facebook ad that promised “the more we connect, the better it gets.”

Of course, the ubiquitous connectedness to which Zuckerberg aspires can serve the interests of many different actors—including governments seeking to keep a clean, positive image online and to quiet their critics. Highlighted below are a few such examples from February 2017.

A man in Myanmar was sentenced to six months in prison for defaming State Counselor Aung San Suu Kyi on Facebook. Activists from Myanmar are calling for amendments to Section 66D of the Telecommunications Law, which criminalizes defamation. According to PEN Myanmar, 38 people have been charged under section 66D since Suu Kyi’s National League for Democracy took power, among them human rights activists and journalists known for their critical commentary on the party.

Palestinian journalist Sami al-Saai, a political reporter with the local and independent Al Fajer Al Jadeed TV Station, was arrested by Palestinian Intelligence Services on Feb. 2 in the West Bank and charged with “inciting sectarian strife” in Facebook posts. Despite having posted bail, he was held in Jericho Prison for 20 days, where he says he was forced to stand for very long periods of time, deprived of sleep, and injected with an unknown drug four times a day. Al-Saai believes that he was actually arrested because he has sent reports on Palestinian political prisoners in Israel and the West Bank to Hamas, the militant movement that governs the Gaza Strip and is the main political rival to the nationalist Fatah party, which controls the Palestinian Authority.

Dengin Ceyhan, a Turkish pianist and supporter of the 2013 Gezi Park protests, was arrested in mid-February for social media posts that allegedly insulted Prime Minister Erdogan. Ceyhan is in good company—Turkish Minute cited statistics from Turkey’s Ministry of Interior indicating that from August 2016 to January 2017, 1,656 social media users were arrested “on suspicion of terrorist propaganda and insulting senior state officials on social media.” For regular updates on social media censorship and persecution of journalists by Turkish authorities, see the Committee to Protect Journalists’ Turkey Crackdown Chronicle.

In India, students push back against online harassment
University students in India rallied behind a female student facing online rape and death threats for standing up to the right-wing student group Akhil Bharatiya Vidyarthi, which has ties to Hindu nationalist organizations. The student, Gurmehar Kaur, started the #StudentsAgainstABVP protest after ABVP protesters disrupted a conference about the culture of protest that included members of the “Free Kashmir” movement.

Hong Kong daily suffers cyberattacks, vandalism
Staff at the pro-Beijing newspaper Sing Pao Daily have reported physical and digital attacks on their work and homes to local police. In addition to multiple cyberattacks on the newspaper’s website on Feb. 18 and Feb. 19, vandals believed to be associated with local organized crime attacked the home of a senior editor at Sing Pao, leaving his front door covered in red paint. The attacks indicate a divide among pro-Beijing leadership in Hong Kong.

Ukraine will censor websites that “undermine sovereignty”
Ukraine's Ministry of Information Policy is preparing a list of websites that “undermine Ukrainian sovereignty” in an effort to uphold the country's new information security doctrine. The policy appears to target the dissemination of pro-separatist and pro-Russian information. A statement from the presidential administration said the policy was introduced “with a view to counter the destructive information impact of Russia in conditions of hybrid war unleashed by it.”

Wanna blow the whistle in Tunisia? There’s a bill for that.
Tunisia’s assembly voted unanimously on Feb. 22 in favor of a draft law that would protect the rights of whistleblowers denouncing corruption. The law also provides penalties for individuals seeking to reveal the identities of anonymous whistleblowers.

Russian regulators are eyeing Telegram
Russian media regulator Roskomnadzor held a closed-door meeting with the authors of several popular channels on the messaging app Telegram. While it remains unclear what they discussed, a critic of Roskomnadzor wrote on his channel that officials were seeking information about the service in order to find new content to ban. The meeting was reportedly organized by the head media liaison for the All-Russia People’s Front, a political movement created by Vladimir Putin in 2011.

U.K. Parliament zeroes in on algorithms
The U.K. Parliament Science and Technology Committee launched a new inquiry into the use of algorithms in public and business decision-making. “How an algorithm is formulated, its scope for error or correction, the impact it may have on an individual—and their ability to understand or challenge that decision—are increasingly relevant questions,” said the Committee in its announcement. Submissions on this topic may be sent to the committee through April 21.

New Research

Protecting Sources and Whistleblowers in a Digital Age”—Information Law and Police Centre, Institute of Advanced Legal Studies

Internet Rights at the Human Rights Council 34th session”—Association for Progressive Communications

March 2 2017 4:18 PM

Will Collaboration or Competition Propel Humans to Mars and Beyond? A Future Tense Event.

Between the close of the Cold War and the more recent retirement of the U.S. shuttle fleet, we’ve long since left the first Space Age behind. But now it seems there’s a new space race brewing—one that may take humans out of our planet’s orbit.

The first Space Age was a geopolitical race between superpowers eager to outreach one another. Today's space race is a more complex interplay of networked nations and private players alternatively competing against, and collaborating with, one another. Once the exclusive provenance of old power nations, space exploration has increasingly opened to new global players with India, China, Nigeria, Japan, the European Union, and the United Arab Emirates getting in the race. Private enterprises are also playing an increasingly prominent role in our interplanetary yearnings, as evidenced by the ventures backed by Jeff Bezos, Elon Musk, and Richard Branson.

NASA is still very much in the game, but without a moonshot-like commitment for Mars, its projected 2040 manned mission seems far off. A start-up company, or an upstart country, may beat us there—or perhaps help us all get there together as partners.

Join us at noon on Wednesday, March 8, in Washington, D.C., to consider whether it will be competition or cooperation that finally gets us to Mars and beyond.

For more information and to RSVP, visit the New America website.

Speakers

Andrés Martinez
Editorial director, Future Tense

George Whitesides
CEO, Virgin Galactic and the Spaceship Company

Anne-Marie Slaughter
President and CEO, New America

Lindy Elkins-Tanton
Director, School of Earth and Space Exploration, Arizona State University

Scott Pace
Director, Space Policy Institute, Elliott School of International Affairs
Professor of the practice of international affairs, George Washington University

Eric Stallmer
President, Commercial Spaceflight Federation

Ellen Stofan
Former chief scientist, NASA

Konstantin Kakaes
Fellow, New America
Author, The Pioneer Detectives

Talal M. Al Kaissi
Senior adviser, commercial affairs and special projects; director of U.S./UAE space affairs, UAE Embassy Trade & Commercial Office

Rob Chambers
Orion production strategy Lead, Lockheed Martin Space Systems

Thomas Cremins
Associate administrator for strategy and plans, NASA

Véronique Dockendorf
Deputy chief of mission, Luxembourg Embassy

Deji Bryce Olukotun
Author, Nigerians in Space and After the Flare (forthcoming, 2017)
Senior global advocacy manager, Access Now

Karl Schroeder
Science fiction writer and futurist

March 2 2017 3:24 PM

Norwegian Website Quizzes Trolls Before Allowing Them to Comment  

A Norwegian news site is now asking its readers to take a short reading comprehension quiz before allowing them to post comments below certain articles, according to a report from Nieman Lab. “The goal,” writes Joseph Lichterman, “is to ensure that the commenters have actually read the story before they discuss it.”

The site, NRKbeta, which covers technology for Norway’s public broadcasting company, sees the quiz as a way to certify that readers are beginning a discussion from the same place, and as a “count to ten before you speak” preventative buffer. NRKbeta thinks the feature has improved the civility of its conversations and may add the quiz to all of its stories if the experiment continues to perform well.

NRKbeta’s solution may be novel, but the problem it addresses is not. Across the web, publishers and social platforms are struggling to improve the quality of online discourse. Toxic conversations can escalate to harassment, or at least discourage participation from a diverse representation of readers. (When NPR removed commenting from its site last summer, ombudsperson Elizabeth Jensen cited estimates showing that 83 percent of its commenters were male, while overall readership was only 52 percent male.) And comment threads gone wild can work against the journalistic goals of news sites if they change how readers interpret a story, as some research suggests. Meanwhile, sites are often unable to dedicate more resources to moderation, and many are reluctant to constrain the free exchange of ideas and debate. Given these challenges, it’s understandable that many publishers have thrown in the towel, either removing comment sections from their sites or outsourcing their conversations to platforms like Facebook and Twitter.

A premise of NRKbeta’s experiment is that many commenters haven’t read the article they intend to discuss. In a 2016 survey of commenters, the Engaging News Project offered some evidence to support that idea, finding that more than half of commenters spent the same amount of time or more in the comment threads than reading the article. Nineteen percent of commenters spent more time commenting than reading.

What do you think? Is this a great idea or a terrible idea? Answer our poll, then consider joining the conversation in our comments section.

March 2 2017 2:00 PM

The DOJ’s Director of Public Affairs Used Gmail to Send a Work Email. Is That Legal?

On Wednesday, the Washington Post reported that Attorney General Jeff Sessions had spoken twice with Russian Ambassador Sergey Kislyak during the 2016 campaign. While Sessions’ objections to that news were mostly dubious, some were drawn to another aspect of his official response. On Twitter, Edward-Isaac Dovere, Politico’s chief political correspondent, noted that Sarah Isgur Flores, the Department of Justice’s director of public affairs, was using her personal Gmail account to reply to reporters.

There was a degree of immediate irony to Flores’ use of Gmail. As Dovere pointed out, she had previously snarked about Hillary Clinton’s email server. But Flores’ chosen platform also raises a handful of more pressing, immediate issues that she—and others in the government—should consider.

Let’s be clear about one thing: From a security perspective, Gmail is probably a fine option, one that might well be safer than Flores’ official DoJ account. It’s not, of course, perfect: For instance, as Wired reported in February, Gmail has lagged behind other communications platforms in its ongoing failure to support end-to-end encryption, which would ensure that only a message’s sender and receiver can decrypt it.

But as Josephine Wolff has written in Slate, Gmail may still be safer than many of the alternatives. Among other things, Wolff notes, “Google has some fairly effective monitoring tools for anomalous behavior among its users as well as a lot of data on phishing and spam email.” If your only concern is keeping your messages private, you could certainly do a lot worse than Gmail.

The trouble is, Flores was acting in a more public capacity here. Indeed, her use of Gmail for government business raises important legal questions. If Flores routinely uses her personal account to send Department of Justice communications, she may be limiting the accessibility of those emails to the public in the event of a Freedom of Information Act request. In the process, she may also be opening her own emails to more public examination.

This is hardly a new problem—for the Department of Justice least of all. In a 2012 paper for the Federalist Society titled “Gmail.gov: When Politics Gets Personal, Does the Public Have a Right to Know?” Michael D. Pepson and Daniel Z. Epstein discuss an example from 2005 and 2006 in which White House political staff employed their Republican National Committee email accounts to discuss then Attorney General Alberto Gonzales’ dismissal of U.S. attorneys.

In some cases, government officials may rely on such alternatives in an attempt to evade scrutiny. But as James Valvo, counsel and senior policy adviser for Cause of Action told me, the issue also remains widespread because it’s simply more convenient for government representatives to work through their personal accounts. “A lot of this is getting caught up in ease of response. But that’s no excuse,” he said.

As Pepson and Epstein explain, this is a legal gray area:

The practical reality is that, whether for nefarious or innocent reasons, federal agency employees have and will continue to conduct agency business using personal e-mail accounts and personal communications devices. Until Congress or the courts definitively clarify whether these work-related communications are subject to FOIA’s disclosure provisions, a dangerous loophole enabling unscrupulous agency employees to intentionally evade the light of public scrutiny may exist.

Pepson and Epstein go on to write, however, that in the absence of a definitive resolution, work-related emails are likely still subject to FOIA requests:

Common sense, case law, and FOIA’s plain language compel the conclusion that, irrespective of federal executive branch agencies’ employees’ reasons for using personal e-mail accounts or personal communications devices to conduct agency-related business within the scope of their employment, their work-related communications must be subject to FOIA’s disclosure provisions.

In other words, public business that Flores does through her private account may still be a matter of public record. According to Valvo, more recent case law seems to confirm that conclusion, further affirming that private emails can be subject to FOIA requests.

The more pressing problem here may be the question of record keeping—which was an important issue to the Trump campaign in its own attacks on Hillary Clinton. When government personnel rely on private email, it’s difficult to confirm that they’re holding onto relevant communications or that they’re providing those messages when requested. As Pepson and Epstein write, “[I]t would be practically impossible for even the most well-intentioned, experienced FOIA officer to gain access to these communications on behalf of a requester without resort to extraordinary means, e.g., subpoenaing government employees’ e-mail records from Google.”

Thus, short of monitoring all government employee communications—which would raise a host of other privacy concerns—it’s may be hard to know how to proceed. Even when it isn’t nefarious, email usage like Flores’ therefore presents a challenge for those committed to government oversight.

As Valvo observes, it should raise questions for government officials as well. “If government officials are using their personal accounts, they need to be aware, first, that they are not in compliance with federal records laws. And second that they’re opening their personal emails up to search in response to FOIA requests,” he says.

Flores did not respond to a request for comment sent to her Gmail address on Thursday morning.

March 2 2017 12:22 PM

In Defense of “Sent From My iPhone”

On Wednesday night, the Wall Street Journal and Washington Post both ran pieces reporting that Attorney General Jeff Sessions met with a Russian official during the 2016 campaign despite having denied the existence of any such meetings during his Senate confirmation hearing.

Soon after, the White House sent CNN’s Jim Acosta an angry denial:

It’s a funny statement in and of itself, practically inviting anyone with cartooning ambitions to draw “senator” and “campaign surrogate” hats for Sessions. But what about the four familiar little words at the end?

People on Twitter certainly didn’t overlook the “Sent from my iPhone” bit.

The excellent Margarita Noriega had a ball:

And others followed:

It’s commonly accepted that “Sent from my iPhone” is the lamest of sign-offs, a closing line that makes any email at least 10 percent more eyeroll-worthy. But why?

“Sent from my iPhone” is useful information. It explains why an email is brief to the point of curtness, or why there’s a bizarre typo. In 2013, Bianca Bosker wrote on the Huffington Post that she adds “Sent from my iPhone” to emails sent the old-fashioned way—it buys leniency:

When I fake an iPhone reply, I do so with the full knowledge the recipient will recognize that it means I’m operating at a limited capacity, on a tiny touchscreen device that won’t allow me to look up the detailed information he’s asking for, or include any pleasantries or answer in great depth.

I can’t endorse this subterfuge, which cynically takes advantage of the social contract. Are we no better than animals?

But Bosker nails the utility of the signature. Some of those mocking the Sessions statement might agree on the practicality point but argue that the specific wording is the issue. “You can do better than ‘Sent from my iPhone,’ ” Alexis Madrigal scolded on the Atlantic in 2013. And indeed, many people have composed witty, snappy alternatives to the default, vanilla “Sent from my iPhone.” Madrigal’s sister’s signature is rather winsome: “Sent from a phone. Regularly foiled by autocorrect. But duck it." I’m particularly fond of one occasional email correspondent’s notice: “(From phone, through space!)”

But let’s be honest. The only thing lamer than “Sent from my iPhone” is trying too hard to create a witty alternative and coming up short. Few people sparkle in this medium—the sign-off has to be short, it has to communicate the message clearly, it has to suggest that you jotted it off quickly in a moment of inspiration. Above all, it must be funny and winky and self-deprecating. How exhausting.

I don’t blame the White House rep, then, for sticking with the default text. Why is it offensive for someone with a busy job—dismantling democracy is hard work!—to use his or her iPhone to send a work message late at night? I reserve the right to change my mind, though, if it comes out that the spokesperson added “Sent from my iPhone” as a way to buy time or forgiveness. That is a crime against email etiquette that I can’t abide.

March 1 2017 4:11 PM

Cloud Computing Makes the Internet More Reliable and Secure, Except When It Doesn’t

It’s been a rough couple of weeks for the internet. First, Google researchers revealed a serious vulnerability that was causing private data to be leaked from some websites supported by Cloudflare. Then, other Google researchers announced that they had broken the popular encryption algorithm SHA-1. Finally, just when you thought your faith in the internet couldn’t sink any lower, an Amazon data center in Virginia started having problems Tuesday, causing major outages for a number of sites that rely on the company’s popular Amazon Web Services infrastructure.

At this point, we practically expect that whatever personal information we enter into websites will be stolen. But this is different. These incidents point to weaknesses in some of the most ubiquitous and trusted brands (and algorithms) in technology—thousands of organizations and millions of people rely on Cloudflare, Amazon Web Services, and SHA-1 every day. And, in fact, part of the point and promise of using cloud computing services, like Amazon Web Services, is to ease the burden for every individual company owner and website operator.

Cloud computing essentially means using servers that are provided and managed by a company, like Amazon, Microsoft, Google, or Oracle, to store and process your data. It’s popular for lots of reasons—for one thing, it gives customers a lot of flexibility in terms of how much computing power and storage they need because these massive cloud providers can pretty easily scale up their resources to meet periods of heavy demand or use. This makes for more efficient (and even, potentially, more sustainable) use of computing power, since thousands of different users can share the same set of servers. It also means that those users can outsource a lot of their security, reliability, and maintenance concerns to their cloud provider. So instead of thousands of individual website operators trying to secure individual little caches of user data and keep their sites up and running, you end up with thousands of websites all relying on Amazon to do those things for them.

On the whole, from a security and reliability standpoint, this is usually a good thing. Amazon, like most other major cloud providers, has invested in both resources and very talented security engineers to ensure that its infrastructure is well protected and resilient. Without a doubt, it does a better job at providing security than most of their customers would be able to do on their own.

But nobody’s perfect, and when you’ve got thousands of customers all relying on a single service provider and something does go wrong, it’s no longer a small isolated incident. Instead, it’s huge swaths of the internet suddenly becoming inaccessible, as they did on Tuesday.

In the wake of that outage, some people were quick to point out that the internet was deliberately designed to be decentralized specifically so it would not have single points of failure that could take out huge parts of the network. Centralizing everyone’s computing in the massive data centers of the major cloud service providers means that those companies do, indeed, become single points of failure. Very secure, reliable single points of failure, for the most part, but certainly not infallible ones.

So does cloud computing make the internet more secure and reliable? Yes and no. The individual customers of Amazon Web Services is probably less likely to get compromised or experience outages than they were when they were handling those issues on their own. That means fewer small-scale security and reliability problems affecting individual businesses and being handled by relative amateurs. (Incidentally, it also probably means fewer ripe targets for the amateurs of the criminal world. You probably won’t get far taking on an Amazon or a Microsoft unless you know what you’re doing.)

On the other hand, even as the smaller-scale, more distributed outages and interruptions decrease, the potential for really widespread, crippling problems that affect millions of people simultaneously will grow. Those problems probably won’t be frequent because we’ll be in good hands—but we’ll all be in the same hands, which creates some new risks.

That’s not to say cloud computing makes for a less secure or reliable internet than a very decentralized one. On the whole, it raises the level of protection for everyone—and makes the work of adversaries considerably harder by forcing them to try to outsmart very savvy companies that have a lot of resources to devote to security. But it also means that on the rare but inevitable occasions when those companies fail us it may feel like the entire internet is under siege.

READ MORE STORIES