Privacy

Security, Hierarchy, and Networked Governance

/ Christopher Parsons

UnlockedThe capacity for the Internet to route around damage and censorship is dependent on there being multiple pathways for data to be routed. What happens when there are incredibly few pathways, and when many of the existing paths contain hidden traps that undermine communications security and privacy? This question is always relevant when talking about communications, but has become particularly topical given recent events that compromised some of the Internet’s key security infrastructure and trust networks.

On March 22 2011, Tor researchers disclosed a vulnerability in the certificate authority (CA) system. Certificates are used to encrypt data traffic between parties and to guarantee that security certificates are actually issued to the parties holding them. The CA system underpins a massive number of the Internet’s trust relationships; when individuals log into their banks, some social networking services, and many online email services, their data traffic is encrypted to prevent a third-party from listening into the content of the communication. Those encrypted sessions are made possible by the certificates issued by certificate authorities. The Tor researchers announced that an attacker had compromised a CA and issued certificates that let the attacker impersonate the security credentials associated with many of the world’s most prominent websites. Few individuals would ever detect this subterfuge. In effect, Tor researchers discovered that a central element of the Internet’s trust network was broken.

In this post I want to do a few things. First, I’ll briefly describe the attack and its accompanying risks. This will, in part, see me briefly discuss modes of surveillance and motivations for different gradients of surveillance. I next address a growing problem for today’s Internet users: the points of trust we depend on, such as CAs and the DNS infrastructure, are increasingly unreliable. As a result, states can overtly or subtly manipulate to disrupt or monitor their citizens’ communications. Finally, I suggest that in spite of these points of control, states are increasingly limited in their capacities to unilaterally enforce their will. As a consequence of networked governance, and its accompanying power structures, citizens can impose accountability on states and limit their ability to (re)distribute power across and between nodes of networks. Thus, networked governance not only transforms state power but redistributes (some) power to non-state actors, empowering those actors to resist illegitimate state actions.

Continue reading

Review: Surveillance or Security?

/ Christopher Parsons / 1 Comment

surveillance-or-security-the-risks-posed-by-new-wiretapping-technologiesIn Security or Security? The Real Risks Posed by New Wiretapping Technologies, Susan Landau focuses on the impacts of integrating surveillance systems into communications networks. Her specific thesis is that  integrating surveillance capacities into communications networks does not necessarily or inherently make us more secure, but may introduce security vulnerabilities and thus make us less secure. This continues on threads that began to come together in the book she and Whitfield Diffie wrote, titled Privacy on the Line: The Politics of Wiretapping and Encryption, Updated and Expanded Edition.

Landau’s work is simultaneously technical and very easy to quickly read. This is the result of inspired prose and gifted editing. As a result, she doesn’t waver from working through the intricacies of DNSSEC, nor how encryption keys are exchanged or mobile surveillance conducted, and by the time the reader finishes the book they will have a good high-level understanding of how these technologies and systems (amongst many others!) work. On the policy side, she gracefully walks the reader through the encryption wars of the 1990s,[1] as well as the politics of wiretapping more generally in the US. You don’t need to be a nerd to get the tech side of the book, nor do you need to be a policy wonk to understand the politics of American wiretapping.

Given that her policy analyses are based on deep technical understanding of the issues at hand, each of her recommendations carry a considerable amount of weight. As examples, after working through authentication systems and their deficits, she differentiates between three levels of online identification (machine-based, which relies on packets; human, which relies on application authentication; and digital, which depends on biometric identifiers). This differentiation lets her  consider the kinds of threats and possibilities each identification-type provides. She rightly notes that the “real complication for attribution is that the type of attribution varies with the type of entity for which we are seeking attribution” (58). As such, totalizing identification systems are almost necessarily bound to fail and will endanger our overall security profiles by expanding the surface that attackers can target.

Continue reading

Is Iran Now Actually Using Deep Packet Inspection?

/ Christopher Parsons / 4 Comments


Photo by Hamed Saber

I’ve previously written about whether the Iranian government uses deep packet inspection systems to monitor and mediate data content. As a refresher, the spectre of DPI was initially raised by the Wall Street Journal in a seriously flawed article several years ago. In addition to critiquing that article, last year I spent a while pulling together various data sources to outline the nature of the Iranian network infrastructure and likely modes of detecting dissident traffic.

Since January 2010, the Iranian government  may have significantly modified their network monitoring infrastructure. In short, the government seems to have moved from somewhat ham-fisted filtering systems (e.g. all encrypted traffic is throttled/blocked) to a granular system (where only certain applications’ encrypted traffic is blocked). In this post I’ll outline my past analyses of the Iranian Internet infrastructure and look at the new data on granular targeting of encrypted application traffic. I’ll conclude by raising some questions that need to be answered about the new surveillance system, and note potential dangers facing Iranian dissidents if DPI has actually been deployed.

Continue reading

Agenda Denial and UK Privacy Advocacy

/ Christopher Parsons / 5 Comments

stopFunding, technical and political savvy, human resources, and time. These are just a few of the challenges standing before privacy advocates who want to make their case to the public, legislators, and regulators. When looking at the landscape there are regularly cases where advocates are more successful than expected or markedly less than anticipated; that advocates stopped BT from permanently deploying Phorm’s Webwise advertising system was impressive, whereas the failures to limit transfers of European airline passenger data to the US were somewhat surprising.[1] While there are regular analyses of how privacy advocates might get the issue of the day onto governmental agendas there is seemingly less time spent on how opponents resist advocates’ efforts. This post constitutes an early attempt to work through some of the politics of agenda-setting related to deep packet inspection and privacy for my dissertation project. Comments are welcome.

To be more specific, in this post I want to think about how items are kept off the agenda. Why are they kept off, who engages in the opposition(s), and what are some of the tactics employed? In responding to these questions I will significantly rely on theory from R. W. Cobb’s and M. H. Ross’ Cultural Strategies of Agenda Denial, linked with work by other prominent scholars and advocates. My goal is to evaluate whether the strategies that Cobb and Ross write about apply to the issues championed by privacy advocates in the UK who oppose the deployment of the Webwise advertising system. I won’t be working through the technical or political backstory of Phorm in this post and will be assuming that readers have at least a moderate familiarity with the backstory of Phorm – if you’re unfamiliar with it, I’d suggest a quick detour to the wikipedia page devoted to the company.

Continue reading

iPhone Promiscuity

/ Christopher Parsons

Photo credit: Steve KeysI’ve written a fair bit about mobile phones; they’re considerable conveniences that are accompanied by serious security, privacy, and technical deficiencies. Perhaps unsurprisingly, Apple’s iPhone has received a considerable amount of criticism in the press and by industry because of the Apple aura of producing ‘excellent’ products combined with the general popularity of their mobile device lines.

In this short post I want to revisit two issues I’ve previously written about: the volume of information that the iPhone emits when attached to WiFi networks and its contribution to carriers’ wireless network congestion. The first issue is meant to further document here, for my readers and my own projects, just how much information the iPhone makes available to third-parties. The second, however, reveals that a technical solution resolves the underlying cause of wireless congestion associated with Apple products. Thus, trapping customers into bucket-based data plans in response to congestion primarily served financial bottom lines instead of customers’ interests. This instance of leveraging an inefficient (economic) solution to a technical problem might, then, function as a good example of the difference between ‘reasonable technical management’ that is composed of technical and business goals versus the management of just the network infrastructure itself.

Continue reading

Decrypting Blackberry Security, Decentralizing the Future

/ Christopher Parsons / 5 Comments

Photo credit: HonouCountries around the globe have been threatening Research in Motion (RIM) for months now, publicly stating that they would ban BlackBerry services if RIM refuses to provide decryption keys to various governments. The tech press has generally focused on ‘governments just don’t get how encryption works’ rather than ‘this is how BlackBerry security works, and how government demands affect consumers and businesses alike.’ This post is an effort to more completely respond to the second focus in something approximating comprehensive detail.

I begin by writing openly and (hopefully!) clearly about the nature and deficiencies of BlackBerry security and RIM’s rhetoric around consumer security in particular. After sketching how the BlackBerry ecosystem secures communications data, I pivot to identify many of the countries demanding greater access to BlackBerry-linked data communications. Finally, I suggest RIM might overcome these kinds of governmental demands by transitioning from a 20th to 21st century information company. The BlackBerry server infrastructure, combined with the vertical integration of the rest of their product lines, limits RIM to being a ‘places’ company. I suggest that shifting to a 21st century ‘spaces’ company might limit RIM’s exposure to presently ‘enjoyed’ governmental excesses by forcing governments to rearticulate notions of sovereignty in the face of networked governance.

Continue reading