Why Did It Take Microsoft So Long to Acknowledge a Huge Security Hole That It Found?
On Tuesday, a team of researchers announced the latest widespread security vulnerability. Called FREAK, an acronym that might actually be better than POODLE, it’s a flaw that affects how HTTPS secure connections are established between browsers and Web servers, downgrading the connection to a weaker, more crackable encryption.
Alongside the announcement, both Google and Apple made statements Tuesday about forthcoming patches for their products, especially mobile browsers. The companies each told the Washington Post and Reuters that they had patches rolling out. Apple promised its patch for early next week. But when you think about software that might be affected by a mainstream vulnerability, there’s another company that should come to mind. Where was Microsoft in all this, and was Windows affected?
On Thursday night, the company finally released a statement. But it wasn't a reassurance that everything was okey-doke. It was an admission that FREAK “affects all supported releases of Microsoft Windows.” And the company hasn’t been very reassuring about its plans for plugging the hole, noting in its Thursday statement that it is conducting an “investigation.” On Friday a company spokesperson told Slate, “Our investigation continues and we’ll take the necessary steps to protect our customers.”
The company’s delayed reaction is especially surprising since the miTLS research team that discovered FREAK is a collaboration between the French Institute for Research in Computer Science and Automation (called Inria) and, um, Microsoft Research. Kinda seems like communication broke down on this one.
Of course, it’s very difficult to implement large-scale security fixes, especially under pressure and when new vulnerabilities are cropping up all the time. Microsoft rightly pointed out in its statement that FREAK is an “industry-wide issue that is not specific to Windows operating systems.” And FREAK originally seemed like a pretty niche vulnerability, so the researchers may have given Apple and Google an early heads up because they thought that the hole was most relevant to them.
“It is pretty ironic, but I would say that it’s not surprising either,” said Rohit Sethi, vice president of product development at consulting firm Security Compass, of Microsoft’s situation. “We have seen in the past these sorts of things happen where researchers talk about vulnerabilities where there was a standard place where people thought it could be exploited.” Sethi notes that once a vulnerability is public and people are looking at it, they often realize there are more weak points than were previously identified. “It tends to kind of catch people off guard,” he said.
In its statement, Microsoft provided detailed instructions about workarounds that “do not correct the underlying issue but would help block known attack vectors before a security update is available.” Implementing them would probably be difficult for most people, though. And since millions of Windows users rely on Microsoft to protect their safety, the company needs to get moving.
David Kennedy, the founder and CEO of cybersecurity firm TrustedSec, says that because FREAK is a vulnerability in legacy protocols from the ’90s, he can understand why it would take time to analyze old code and assess the situation. But he is also surprised by Microsoft’s timeframe. “You would typically expect to see a research team notify corporate,” he said. “I would definitely expect Microsoft to be further down the line with information gathering. It seems like there was a lag in communication between the two groups.”
Who’s Joining ISIS’s Twitter Army?
The pro-ISIS Twitter ecosystem remains large, vibrant, and dangerous, according to a new survey published by the Brookings Institution, but efforts to suspend supporters’ accounts are disrupting the group’s ability to get its message out.
The report, by terrorism analyst J.M. Berger and Jonathon Morgan, a developer for the nonprofit crowdsourcing firm Ushahidi, estimates that there were roughly 46,000 pro-ISIS Twitter accounts between September and December 2014, though not all of them were active at the same time.
About 73 percent of those tweeted in Arabic, 18 percent in English, and 6 percent in French, a breakdown that roughly corresponds to what we know of the demographic composition of ISIS itself.
Not surprisingly, the vast majority of pro-ISIS tweeters don’t have geolocation turned on for their tweets—the organization has threatened to confiscate the phones of those who do—but of the small minority who did, 28 percent were in Iraq and Syria, 27 percent in Saudi Arabia, and just a scattered handful in other countries. There were just a few in Europe and none in the United States, which makes sense given how quickly posting pro-ISIS propaganda online can lead to a knock on your door in those countries. Here’s a map of the GPS-located tweets sent out from the Middle East in late December 2014:
However, there was more variety among the users who posted (unverifiable) location data in the profiles:
ISIS-supporting accounts had an average of 1,004 followers, which is much higher than the average Twitter user. Only around 4 percent have more than 5,000 followers. Accounts like that of Shami Witness, the influential propagandist with 17,700 followers who was recently revealed to be a Bangalore corporate executive, are the exception. ISIS tweeters are also more active than average with about 7.3 tweets per day, but much of the group’s activity is driven by a small group of superusers with hundreds of tweets per day.
About 69 percent of ISIS supporters with smartphones are running Android compared with 30 percent with iPhones, a factoid unlikely to turn up in Google’s marketing material.
Twitter began shutting down ISIS accounts in the summer of 2014 and stepped up its suspension campaign against the group last fall, during the period that Berger and Morgan were studying. About 1,000 of the accounts under observation got shut down. ISIS’s “official” accounts have been more or less eliminated, though the group still finds ways to get the word out.
Suspending terrorist accounts is controversial. Some argue that it’s a pointless game of whack-a-mole, with offenders just reregistering under different aliases, and counterproductive, since social media can provide valuable information to intelligence agencies in law enforcement. Berger and Morgan reject the first complaint, finding that while it will probably never be possible to eliminate ISIS from Twitter entirely, there’s clear evidence that the group’s efforts have been disrupted by the suspensions. Last summer, experts were stunned by ISIS’s Twitter savvy, including its ability to launch coordinated hashtag campaigns—and even hijack the publicity surrounding events like the World Cup—to circulate propaganda. At one point, ISIS was even releasing its own tailored social media apps.
After the suspension campaign, fewer accounts were being created, activity was down, and users were spending more of their time tweeting at one another in an effort to rebuild their networks rather than spreading propaganda, recruiting new members, or harassing opponents. For potential ISIS recruits or “lone wolves” looking for inspiration, pro-ISIS material is harder to find than it was a few months ago. (Perhaps the best evidence that account closures have frustrated ISIS: Members of the group have threatened Twitter co-founder Jack Dorsey.)
Berger and Morgan agree that Twitter is a valuable source of intelligence on ISIS, but nonetheless feel that a large number of accounts could still be eliminated without much negative impact.
They do, however, suggest a different unintended consequence of account suspensions. The crackdown has made ISIS’s Twitter network more internally focused, with users more likely to only follow one another’s accounts. This means users are also less exposed to outside, potentially deradicalizing influences. By attempting to stamp out ISIS’s Twitter ecosystem, Twitter may have turned it into even more of an echo chamber.
One topic that the report doesn’t address is whether ISIS’s reliance on decentralized social media users to spread propaganda affects its ability to control the message received by its global followers. The Kouachi brothers, who attacked Charlie Hebdo last summer, were al-Qaida supporters. But Amedy Coulibaly, who attacked a Kosher supermarket on their behalf, declared his allegiance to ISIS. While the two groups are formally at war in Syria, their international followers are willing to work together.
It will be interesting to see if, by allowing its followers, many of them thousands of miles from the battlefield, to spread its message, ISIS also ends up allowing them to shape it.
People With Disabilities Shouldn’t Be Defined by the Technologies They Do or Don’t Use
In the last decade or so, articles lamenting and/or questioning the role of technology in our modern lives have become nearly as ubiquitous as smartphones. Does technology free us or limit us? Is it changing humanity for better or worse? What are the social impacts on our children? We struggle with whether we control it, or whether the latest technologies (and by extension those who develop, market, and sell them) really control us.
What most of these debates have in common is that they generally ignore people with disabilities. More rarely, an article may focus exclusively on people with disabilities with the underlying assumption that technology, everything from cutting-edge exoskeletons to pre-implantation genetic testing, must be an unmitigated good in the disability context since it mends something broken that needs to be fixed. Perhaps we need to rethink that assumption about the lesser lives of people with disabilities, as well as the questions we are asking ourselves.
France Wants to Punish Facebook for Censoring a Painting of a Vagina. Terrible Idea.
Upon first glance, this news might seem like a big win for free expression. Facebook’s indecency policies, after all, are absurdly arbitrary and puritanical, calling for the censorship of nude drawings and breastfeeding photos. And a Courbet fan has a much better chance of winning a free speech claim against Facebook in France than in America: While the First Amendment only applies to government censorship, France’s free speech laws can sometimes be used to punish private censorship, as well.
But in reality, Thursday’s decision could clear the way for civil libertarian nightmares down the road. European countries generally take a very lenient approach to free speech, granting the government broad powers to censor any expression deemed hateful. Allowing European courts to monitor the online speech hosted by American companies would ultimately result in punishment of unpopular views and chilling of vital expression. French courts have already tried to forbid Yahoo from permitting the sale of Nazi memorabilia online, and President François Hollande is currently considering legislation that would hold websites like Facebook and Google accountable for allowing the publication of hateful speech.
This is a dark path, and I doubt even those fed up with Facebook’s censorship are willing to go down it. France has a right to censor its own citizens, but its repressive theories of free speech shouldn’t start infecting American-based Internet hotbeds of expression. I adore The Origin of the World and think Courbet’s influence on Post-Impressionism earns him a spot among the greatest painters since the Italian Renaissance. But I’m willing to let Facebook censor it if it means keeping France’s hands off the modern era’s most vital forums for uninhibited expression.
The Cops Can Pretty Much Always Search Your Smartphone in Canada
On Monday night, Alain Philippon, a Canadian citizen, was passing through customs at a Nova Scotia airport when border patrol officers demanded that he provide the password to his smartphone. Philippon refused. He was promptly charged with obstructing border security, a criminal charge under the Canadian Customs Act, which he plans to fight in court.
Philippon’s legal battle against this absurd abuse of power is principled and important. It is also probably futile. Canada’s laws surrounding search and seizure are flimsy, malleable, and—by American standards—draconian. Nowhere is this fact more apparent than in Canadian law surrounding cellphone searches. Just months after the U.S. Supreme Court unanimously ruled that police officers need a warrant to search a smartphone, the Canadian Supreme Court ruled the exact opposite, holding that the invasion of privacy involved “was not particularly grave.” Barring a shift in court personnel, a similar ruling is likely in Philippon’s case.
Why is Canadian search-and-seizure law so awful? The problem traces back to Canada’s Charter of Rights and Freedoms, an analog to America’s Bill of Rights. Whereas the Bill of Rights’ Fourth Amendment declares flatly that “the right of the people” to be free from “unreasonable searches and seizures … shall not be violated,” the Charter takes a more nuanced (that is, squishy) view. Section 8 gives everyone “the right to be secure against unreasonable search or seizure”—but Section 1 says this right is subject to “reasonable limits prescribed by law” that are “demonstrably justified in a free and democratic society.”
This outward balancing of rights and limits, now called proportionality, essentially gives judges carte blanche to curtail rights when they believe a more pressing interest has arisen. Canadian judges need only show that the law abridging the right is necessary, rationally connected to a proper purpose, and significantly beneficial to society. In last year’s case, the court decided that warrantless cellphone searches are constitutionally kosher because they “may serve important law enforcement objectives.” If a warrantless search of a cellphone is OK post-arrest, it’s probably also permissible at border patrol, where everyone’s expectation of privacy is significantly diminished.
Defenders of the Canadian system like to point out that America’s Fourth Amendment prohibits only “unreasonable searches and seizures,” giving judges wide latitude to determine which searches are actually “reasonable.” But the U.S. Supreme Court has consistently held that the warrant requirement is the rule, and warrantless searches the exception, usually justified only by safety concerns in exigent circumstances. And even when a warrant is not required, law enforcement generally must still have “reasonable suspicion” that criminal activity is afoot before performing a search. Canada’s Charter, by comparison, lets judges dispense with the warrant requirement pretty much willy-nilly, so long as they can articulate some plausible justification.
This distinction becomes exceedingly important in a situation like Philippon’s. The leading American case on electronic border searches, issued by the 9th Circuit, dictates that law enforcement must have a “reasonable suspicion of criminal activity” before breaking into password-protected files. Current Canadian law, on the other hand, would seem to let custom agents force their way into any electronic device—sans warrant, sans reasonable suspicion—in the name of border security.
Both American and Canadian doctrines of privacy rights in a digital age are undergoing a sea change as judges grapple with increasingly tech-savvy criminals. (American judges have been especially stumped by the questions of self-incrimination when it comes to password protection and forced decryption; one court held that suspects can be forced to unlock a phone protected by fingerprint but not a phone protected by a written passcode.) At this point, however, it’s pretty clear that the Canadian Charter is not nearly as protective of digital privacy as the Fourth Amendment. Even when they don’t get it right, American judges are at least seriously thinking about how the Constitution protects our electronic devices from intrusive searches. Canadian judges seem to have put digital privacy roughly on par with free speech—a nice idea in theory, but just not worth it in fact.
If You Thought the Net Neutrality Debate Was Resolved, You Were Impressively Optimistic
Last week, open-Internet advocates celebrated a victory when the FCC passed protective net neutrality rules. The changes included reclassifying broadband as a utility so the agency would have more authority to regulate telecom companies. But if you thought Republicans would go quietly on the issue, you've been watching too much unthrottled Netflix.
On Wednesday, Republican Rep. Marsha Blackburn of Tennessee reintroduced the Internet Freedom Act as part of an attempt to stop the FCC from moving forward with its new net neutrality rules. The bill has 19 original co-sponsors and attacks the idea that the FCC decision will lead to a truly open and modern Internet.
In a statement Blackburn said, “These overreaching rules will stifle innovation, [and] restrict freedoms. ... Once the federal government establishes a foothold into managing how Internet service providers run their networks they will essentially be deciding which content goes first, second, third, or not at all.”
As Motherboard has noted, Blackburn is one of the legislators who receives the most money from telecom companies.
Blackburn has championed similar bills before, but now that the FCC has had its vote, the version can pointedly address the agency's latest decision. It says, "The rule adopted by the Federal Communications Commission ... on February 26, 2015 (relating to broadband Internet access service) shall have no force or effect ..." You can't get much more straightforward about your goals than that.
Could Immersive Virtual Reality Tech Solve World Problems?
The plane already was convulsing by the time the “please fasten seatbelt” sign came on. Dark, foreboding clouds filled the sky. We must have been flying right into a storm. All I could think of was that opening scene in Lost where the plane splits in half.
We rode out the turbulence and made an uneventful landing. As the plane came to a stop on the tarmac, I pulled off my goggles, and the virtual world of the cabin disappeared. I was in a conference room in the offices of River, a startup incubator in San Francisco’s SoMa district, miles from the airport.
River was launched earlier this year by venture capital firm Rothenberg Ventures with the goal of advancing the state of virtual reality by providing VR startups with office space plus $100,000 in seed funding. In those offices you’ll find hardware hackers working on new VR headsets and 3-D cameras, filmmakers creating lush, interactive digital movies, and developers building the “Ticketmaster for VR events.” But most importantly, you’ll find VR designers hard at work helping people solve real-world problems today.
And not just “problems” in the sense that too many startups mean as they try to monetize a solution to a minor inconvenience. For years, virtual reality has made inroads in helping to treat serious phobias, post-traumatic stress, and burn victims’ pain. Now, as the price of VR tech plummets, this therapeutic tech is advancing—and could soon become available to many more people who need it.
Since Facebook acquired VR company Oculus last year, we’ve heard a lot about the potential for virtual reality to transform the economy by revitalizing consumer entertainment, social media, shopping, education, and travel. We’ve speculated about what the killer app for VR might be, or whether it even needs one. Less has been said about the progress VR has already made as a tool for healing. In fields like pain management, physical rehabilitation and the treatment of anxiety disorders such as post traumatic stress, VR is coming into its own. And thanks to the recent emergence of affordable consumer VR rigs like Samsung Gear VR, patients may finally be able to take advantage of technology that’s been inaccessible to the larger public for two decades.
For example, the airline simulation I experienced—created by River company Psious—is a virtual reality version of exposure therapy, an approach to treating anxiety disorders such as phobias and post traumatic stress disorder. The idea is to gradually expose someone to the source of their anxiety—flying, for example—in a safe setting in a way that enables them to face that fear in the real world later. The company offers several other simulators, including ones to help with arachnophobia, fear of needles, claustrophobia, and public speaking.
The simulations aren’t perfectly immersive—it’s obvious you’re in a computer-generated world when wearing a headset—but studies have found VR to be more effective at treating some phobias than traditional exposure methods like mental visualization or photographs. The problem is that historically, VR systems have cost tens of thousands of dollars, making such therapy available to a small percentage of people. Psious, however, is now able to sell a bundle of hardware—including a Homido headset, a smartphone and a haptic feedback device—for $300. “We haven’t invented anything,” Psious co-founder Dani Roig acknowledges. “We just democratized these kind of treatments.”
The conventional wisdom is that VR was vastly overhyped in the 1980s and ’90s, and after a few disappointments like Nintendo’s Virtual Boy, quietly disappeared until 2012 when Oculus began demo-ing its Rift headset. But the thing is, virtual reality never really went away.
Just ask Howard Rose, who has spent the past 20 years building virtual worlds for medical researchers. In the mid-1990s, his company Firsthand helped the University of Washington design SpiderWorld, an application for treating arachnophobia. Later the company built Attack of the S. Mutans!, a game designed to help children develop better toothbrushing habits, and IraqWorld, a game designed to help treat PTSD.
But the company’s most important project may be SnowWorld, a first-person action game designed, in conjunction with University of Washington researchers led by Hunter Hoffman, to help burn victims manage their pain. Researchers have been using the game to help distract patients from their pain for years. Now Rose and Firsthand co-founder Ari Hollander are focusing strictly on pain management with their new River-backed startup Deepstream VR.
But while the usefulness of VR for treating acute pain in burn victims is generally well-accepted, a review of VR-based pain management studies published in 2012 noted that the research into VR’s effectiveness for treating chronic pain is much less mature. The problem, Rose says, is that because VR equipment is so expensive, researchers have focused their time and resources on only the most dire needs for pain relief.
That makes this new wave of consumer devices exciting. The earliest practical VR technologies were flight simulators used by the military, and much of the VR hardware industry has focused on this market. “People were making their bread and butter on military gear,” Rose says. “And they weren’t motivated to make it cheaper.”
That’s changing. Though much has been written about the Rift’s special lens and custom software, Rose says the most important factor driving down the cost of VR gear is the rise of smartphones, which dramatically lowered prices for components such as gyroscopes and accelerometers. “Four years ago we were using $4,000 sensor networks,” he says. “Sensors are now really cheap, and they’re everywhere. Displays have gotten better and smaller.”
Much of this new crop of VR hardware—including the Samsung Gear VR, Google Cardboard, and the VR One—simply places a smartphone into a pair of goggles, displaying a stereoscopic image on the phone’s screen and using its internal sensors to track head position.
These gadgets still may be too expensive or not immersive enough to bring about the VR revolution we’ve been promised for years. But they’re fine for therapeutic applications. And by bringing the cost down to just a few hundred dollars, these devices are poised to help doctors, therapists, and researchers treat more patients than ever before. About 18 percent of the U.S. population suffers from an anxiety disorder and 7 to 8 percent experience PTSD at some point in their lives. Meanwhile, chronic pain affects 100 million people in the U.S. alone.
Even if VR never becomes a consumer darling, it’s poised to improve the lives of millions.
I Tried to Watch CSI: Cyber, I Really Did
Right away, before anything else, I want to say that CSI: Cyber is not the worst. It definitely has some accuracy issues, but when you think about shows like House and Dexter that took wild liberties in portraying interesting professions, CSI: Cyber is doing all right. The problem is that it's not really about hacking, because hacking is boring.
The show centers around Special Agent Avery Ryan—played by a stony Patricia Arquette. She runs the FBI’s Cyber Crime division, a team of nerdy, misfit, white-hat hackers that includes James Van Der Beek for some reason. It's a classic crime-drama setup. There's even the kind-hearted boss, Assistant Director Simon Sifter (played by Peter MacNicol), who is vaguely on the side of bureaucracy, but has a soft spot for the antics of those crazy kids in Cyber Crime.
Agent Ryan works cybercrime cases because around the "beginning of the Internet," her behavioral psychology practice got hacked, all the records were stolen, and her patients' secrets were exposed. She says, “I keep thinking if I could just turn one hacker at a time, nothing like that will ever happen again.” So the whole show is basically premised on a forced conversion vendetta.
But anyway! The pilot, called "Kidnapping 2.0," raises some important questions about cloud services and the Internet of Things as it tracks a ring of criminals who have been surveilling babies through insecure baby monitor cams, then auctioning the babies off, kidnapping them, and selling them to families overseas.
Since we hear about vulnerabilities and cybercrimes every day in the news now, it seems like CSI: Cyber is debuting at the perfect time. As assistant director Sifter says, “Oh, those poor parents. They buy a baby cam to protect their child, and it’s the very thing that gets him abducted. That is truly horrifying.”
But the same weariness we have with the news cycle will probably spread to this show. Since watching people try to trace malware or crack encryption keys is visually boring (people typing for hours or just a computer executing a command without divine revelations or lucky guesses), the show adds chase scenes, sniper attacks, underwater rescues, and suspect interrogations to keep things moving. But all of that makes it seem like a cybercrime episode of normal CSI, rather than an actual chronicle of how white-hat hacking gets done.
Once the show covers all the big topics, it will probably have to repeat various basic premises with different combinations of compromised devices. It's only the first episode and a character has already said, “You thought patch-and-pray was going to make this problem go away?” But Americans seem to love formulaic crime dramas, so being repetitive doesn't necessarily mean the show won't be popular.
As FBI informant and LulzSec co-founder Hector "Sabu" Monsegur wrote on the Daily Dot, "The premise of reckoning with the reality of cloud vulnerabilities is an awesome one. Unfortunately, Kidnapping’s story disintegrates sooner than you can change the channel."
There isn't a lot of incentive to accurately depict technology on TV, because it's at the same time so familiar to viewers and so limitlessly magical. It's almost too easy to sneak in questionable tech in a believable way. When Agent Ryan dusts for prints, takes a photo of what she finds, and checks it against a database to get an instant fingerprint match—all from her smartphone—that's probably not realistic. But then there's a whole other level of fudging when a few of the characters perform virtual autopsies on three shooting victims in an immersive 3-D projection room, essentially a Star Trek holodeck. What? How?
Netizen Report: China Continues to Crack Down on Virtual Private Networks
The Netizen Report originally appears each week on Global Voices Advocacy. Renata Avila, Ellery Roberts Biddle, Marianne Diaz Hernandez, Lisa Ferguson, Hae-in Lim, and Sarah Myers West contributed to this report.
Global Voices Advocacy’s Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world. This week’s report begins in China, where the government has continued its crackdown on the use of virtual private networks by blocking Avast.com, a free anti-virus and anti-spyware protection software for Windows, Android, and Mac users. According to technology blogger William Long, the block is linked to the site’s SecureLine VPN service. In addition, Chinese companies including Alibaba, Tencent, Baidu, and Weibo deleted more than 60,000 accounts for reasons as varied as “being misleading, rumor mongering, links to terrorism, or involving violence, pornography and other violations.”
Quartz reports that for unclear reasons, when Chinese users attempt to navigate to sites banned by the Great Firewall, they are sometimes being directed to seemingly random sites, a hacking technique known as DNS poisoning. Normally, such requests are routed to nonexistent IP addresses.
A new trial for a Saudi blogger?
Saudi Arabia’s criminal court may attempt retrying blogger Raif Badawi for apostasy charges, which carry the death sentence. Badawi has already been sentenced to 10 years in prison and 1,000 lashes for his criticism of Saudi clerics, although his lashes have been postponed since they were first administered. A judge previously threw out the apostasy charge in 2013, after Badawi clarified for the court that he is Muslim.
Eyes on Africa
In what has been dubbed South Africa’s WikiLeaks, Al Jazeera and the Guardian published “The Spy Cables,” a horde of documents painting Africa as the “El Dorado of espionage” and South Africa as a major hub for communications in the region. The documents, which date from 2006–2014, generally involve spying by or on Israel and Iran, with the CIA, the U.K.’s MI6, and others as supporting characters. Revelations include security weaknesses of the South African government and a partnership for satellite surveillance with Russia. Some have expressed concern about the consequences of the publication of the cables, which include the name of a potential North Korean asset who may now face torture or possibly death. Furthermore, Right2Know, a campaign launched in 2010 to oppose the proposed Protection of State Information Bill, worried that the humiliation stemming from the cables’ publication could provide the momentum to finally pass the “Secrecy Bill,” which could threaten whistleblowers and journalists with up to 25 years in prison for publishing “state secrets.”
“Right to be forgotten” could head to the Southern Hemisphere
The Buenos Aires legislature is considering a city law similar to the European “right to be forgotten” ruling. The law would provide for the protection of personal data released by websites and search engines, with an exception for public persons in whom citizens have a “special interest.” The law would require users to submit requests for harmful content to be removed, and companies would need to comply with such requests within five days.
Google Tehran HQ coming soon?
Google and other Internet companies may soon be able to set up offices in Iran, provided they respect the country’s “cultural” rules, according to the Fars news agency. Sites such as Facebook, YouTube, and Twitter have been blocked intermittently in Iran since a series of protests surrounding the 2009 presidential election. Iran’s Deputy Telecommunications and Information Technology Minister Nasrollah Jahangard said that American businesses may face problems operating in the country due to U.S. sanctions, but he claimed companies outside the United States have begun negotiations to enter the market.
Privacy and security researcher Runa Sandvik recounts how she used a Freedom of Information Act request to obtain records showing information that U.S. Customs collected about her (and the photographs taken of her) every time she entered the country during a four-year period.
- “From Social Media Service to Advertising Network: A Critical Analysis of Facebook’s Revised Policies and Terms”—ICRI/CIR and iMinds-SMIT
- “Privacy Implications of Health Information Seeking on the Web”—Tim Libert, University of Pennsylvania
- “Pulling the Plug: Network Disruptions and Violence in Civil Conflict”—Anita Gohdes, University of Mannheim
Did Hillary Clinton Compromise Her Email Security or Make It Stronger?
On Monday night, the New York Times unleashed a new controversy about Hillary Clinton's four years as secretary of state. It seems that Clinton exclusively used a nongovernment email address for professional correspondence during her tenure—apparently she didn't even have a state.gov address. The whole situation basically just seems like a perfect storm of HR screw-ups and shady communication practices. But maybe it was for the best.
Let’s put aside the question of whether Clinton violated the Federal Records Act, which says that public officials should store written communications on federal servers—they’re government records that must be available for review, with various exceptions for classified communications. (For more on the legal questions, read my colleague Josh Voorhees’ post on the Slatest.) Did Clinton’s email habit make her vulnerable to hackers?
It seems that Clinton did all of her emailing through a domain called “clintonemail.com.” As the Washington Post points out, this address was created on Jan. 13, 2009, which was the first day of Clinton's Senate confirmation hearings. It’s not clear who set it up, but the domain was renewed in 2013 and is paid for through 2017.
In 2008, Farhad Manjoo wrote on Slate that “it's not a good idea for politicians to use personal e-mail accounts,” because of the security risks. And in light of revelations about Clinton’s practices, this view is circulating again. American Civil Liberties Union principal technologist Christopher Soghoian tweeted on Tuesday, “While the American public didn’t know about Hillary’s private email account, it probably wasn’t a secret to foreign intelligence agencies.” And Nate Cardozo, a staff attorney with the Electronic Frontier Foundation, told Motherboard:
I don't actually have any less faith in Google than I do in the government to secure those emails, but it's still a terrible idea. Let's assume for the sake of argument she was using Gmail. If she was using Gmail, it means Google was scanning all of the email to present her with targeted advertising … Do we want a private company doing profiling on our Secretary of State?
It’s not clear whether Clinton actually used Gmail or some other commercially available service. But could Clinton have actually been smart to go outside the .gov email system? (Again, this is just about the security, not legality or ethics.) After all, U.S. government email systems are frequent targets for hackers, whether state-sponsored or freelance. In November, the unclassified State Department email system was compromised by hackers and was temporarily shut down. This incident occurred long after Clinton’s departure, but does call the State Department’s cyberdefenses into question.
Joe Loomis, the founder and CEO of the security group CyberSponse, said that though there are risks, he can also see how there could be security benefits to setting up a personal email account for State Department work. He says that hackers looking to target Clinton's communications would normally have attempted to infiltrate her State Department email address and might have had knowledge about how the account was configured, making it an easier target.
“It’s one way that you can almost kind of mask yourself from being targeted by using off-channel communication,” he said. “[Hackers] have to guess what the email is against all the email providers, Yahoo, Outlook, MSN, Google, whatever.” Loomis says that though the accountability issue is important, he has heard about a lot of people in government using personal email accounts to make their communication channel more difficult to guess. John Kerry is actually the first secretary of state to solely use a state.gov email account.
If Clinton and her advisers were savvy in setting up her personal account, it could have offered more protection than the unclassified government email system. If they implemented rigorous end-to-end encryption (in which a message is encrypted before it leaves the sender, stays encrypted at every hop of its movement from server to server across the Internet, and can be decrypted only locally by the recipient on the other end), and especially if Clinton’s account only communicated internally via intranet with other government employees, her messages might have been highly secure. But using a standard consumer email service like Gmail or Yahoo wouldn’t have been very secure at all.
Christopher Peikert, a cryptography researcher at the Georgia Institute of Technology, explained:
The majority of email ... travels unencrypted “in the clear” across a wide variety of networks (and even countries) as it goes from sender and receiver. It’s fair to say that anyone with a computer on any one of those networks can read any of the email that passes through—there are easily available tools that make this possible.
Basically a personal email account would give Clinton the element of surprise—hackers might not have been able to find her account to target it. But once hackers had her clintonemail.com address in their sights, it might be easier to crack unless she and her team knew a lot about creating a secure email environment. And then again, the State Department email doesn’t seem to have been so secure, either. It feels like a no-win.
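The distinction drawn above, between mail that crosses relays “in the clear” and mail encrypted end to end, can be made concrete with a small model. This is an added illustration, not code from the article or from any of the systems or companies it mentions: the relays are plain lists that record every byte passing through them, and the cipher is a toy HMAC-SHA256 keystream with an authentication tag under an assumed pre-shared key, standing in for the public-key schemes (PGP, S/MIME) that real end-to-end mail uses. The sample message is constructed.

```python
"""Toy model of an e-mail crossing two relays, in the clear and end to end.

Constructed illustration, not real mail software: each 'relay' simply records
the bytes it handled, which is exactly what anyone with a computer on that
relay's network could also capture. The cipher is a small HMAC-SHA256 keystream
with an encrypt-then-MAC tag and an assumed pre-shared key; real end-to-end
mail uses public-key schemes such as PGP or S/MIME instead.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Derive keystream blocks from HMAC(key, nonce || counter) until `length` bytes exist.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the one shared secret.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only a holder of `key` can invert it."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; raise if anything changed in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message was modified in transit or the key is wrong")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def relay_chain(message: bytes, hops: int = 2) -> Tuple[bytes, List[bytes]]:
    """Pass `message` through `hops` relays; each records exactly what it forwarded."""
    observed = []
    for _ in range(hops):
        observed.append(message)  # what the relay, and its network, can see
    return message, observed


def send_in_clear(body: bytes) -> Dict[str, object]:
    """Ordinary mail: the body travels unchanged through every relay."""
    delivered, observed = relay_chain(body)
    return {"delivered": delivered, "relay_views": observed}


def send_end_to_end(body: bytes, shared_key: bytes) -> Dict[str, object]:
    """End-to-end mail: encrypted before sending, decrypted only by the recipient."""
    blob, observed = relay_chain(encrypt(shared_key, body))
    return {"delivered": decrypt(shared_key, blob), "relay_views": observed}


def relays_could_read(result: Dict[str, object], body: bytes) -> bool:
    """True if the plaintext body appears in any relay's recorded view."""
    return any(body in view for view in result["relay_views"])


if __name__ == "__main__":
    key = os.urandom(32)  # assumed pre-shared secret between sender and recipient
    msg = b"Draft talking points for the Geneva meeting"  # constructed sample message
    print("in the clear, a relay could read it:", relays_could_read(send_in_clear(msg), msg))
    print("end to end, a relay could read it:  ", relays_could_read(send_end_to_end(msg, key), msg))
```

The point the model makes is the one the article draws: moving an account to a different provider changes who the relays are, but unless the message is encrypted before it leaves the sender, every relay on the path still sees the body in full. Only the end-to-end variant keeps the body opaque to intermediaries, and its tag check also flags any modification made along the way.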
Evidence of Clinton's use of a personal email account surfaced a couple of years ago. In March 2013, Gawker reported that Clinton had been corresponding with former Bill Clinton aide Sidney Blumenthal on a personal account. Gawker’s John Cook wrote at the time, “And why was Clinton apparently receiving emails at a non-governmental email account? The address Blumenthal was writing to was hosted at the domain ‘clintonemail.com,’ ... which is privately registered via Network Solutions. It is most certainly not a governmental account.”
Clinton is certainly not the first official to skirt rules about government email. Before Gina McCarthy was approved as administrator for the Environmental Protection Agency in 2013, a Senate panel questioned her on the agency’s known use of personal email accounts for business. In a hearing McCarthy openly admitted that she used her personal email address to send herself attachments so she could print them in her Boston home. As Bloomberg’s Brendan Greeley noted at the time, “Either the EPA doesn’t have a cloud-based system to read and print documents at home, or it does, and it doesn’t work very well. Regardless, the problem is so universal that McCarthy felt perfectly justified telling a Senate panel she does it.”
Meanwhile, during hearings in June 2014 about how the Internal Revenue Service had lost emails relevant to a political targeting probe, Texas Republican Blake Farenthold made a suggestion: “I went on Amazon and found you could buy a terabyte hard drive for $59. Buy two of them, so $120.”
Though the State Department’s email security may need work, the agency hasn’t been completely out to lunch since the rise of email. In 2004, it was the first agency to “transfer electronic textual records” to the National Archives and Records Administration. And its Foreign Affairs Manual contains an extensive section on “Electronic Records, Facsimile Records, and Electronic Mail Records,” which notes:
The Department’s Records Management Office (OIS/RA/RD) conducts periodic reviews of the records management practices both at headquarters and at overseas posts ... These periodic reviews now will include monitoring of the implementation of the Department’s E-mail policy.
It would seem that Clinton was never subject to a “periodic review.” State Department deputy spokesperson Marie Harf did tell Bloomberg on Tuesday, “We have no indication that Secretary Clinton used her personal e-mail account for anything but unclassified purposes.”
It’s hard to imagine that Clinton was never even assigned a state.gov email address, but the situation is sort of understandable when you think about Clinton’s rank. With so many aides to brief her on what was going on, she probably didn't need her work email to find out when there was cake in the break room.