Podcast: IT Security, Internet Freedom and Open Government at Threatpost

This morning, I was privileged to join Dennis Fisher on the Digital Underground podcast to talk about IT security, open government, Internet freedom and open data movements, including how they’re affecting IT security.

Listen: IT Security, Internet Freedom and Open Government [MP3]

Fisher is a founding editor of the Threatpost blog, one of the best information security journalists in the industry, and a former colleague of mine from TechTarget.

Over the course of the podcast, we discussed the different ways in which Internet freedom and privacy play into the current climate online. (We also talked a bit about Twitter and journalism.) As 2011 matures, legitimate concerns about national security will continue to be balanced with the spirit of open government expressed by the Obama administration.

The issues created between Wikileaks and open government policies are substantial. Open data may be used for accountability, citizen utility and economic opportunity. But as federal CIO Vivek Kundra said to Harvard Business School students studying Data.gov last year, the transparency facet in the Obama administration’s open government initiative has multiple layers of complexity.

Fisher and I explore these issues, along with a number of the complexities involved with improving information sharing between the public and private sector when it comes to vulnerabilities and threats. Currently, over 80% of the nation’s critical infrastructure is in the private sector.

Related stories:

Clinton: There is no silver bullet in the struggle against Internet repression. There’s no “app” for that

Today in Washington, Secretary of State Clinton reiterated the State Department’s commitment to an Internet freedom policy in a speech at George Washington University. Rebecca MacKinnon, journalist, free speech activist, and expert on Chinese Internet censorship, provided some on-the-spot analysis immediately following Clinton’s words. MacKinnon made an interesting, and timely, point: there are limits to directly funding certain groups. “I think one of the reasons that the Egyptian and Tunisian revolutions were successful was that they were really home grown, grass roots. At the end of the day, the people in the countries concerned need to really want change and drive that change.”

MacKinnon parsed the considerable complexity of advocating for Internet freedom in the context of Wikileaks and electronic surveillance in other areas of the federal government. For those interested, she elaborated on the issues inherent in this nexus of government and technology in her Senate testimony last year. At some point this winter, there will be a hearing on “CALEA 2” in the United States Congress that will be worth paying close attention to for anyone tracking Internet freedom closer to home, so to speak.

Should the U.S. support Internet freedom through technology, whether it’s an “app” or other means? To date, the State Department has allocated only $20 million of the total funding it has received from Congress, according to a report on Internet censorship from the Senate Foreign Relations Committee obtained by the AFP. (Hat tip to Nick Kristof on that one.)

Clinton defended the slow rollout of funding today in her speech (emphasis is added):

“The United States continues to help people in oppressive Internet environments get around filters, stay one step ahead of the censors, the hackers, and the thugs who beat them up or imprison them for what they say online. While the rights we seek to protect are clear, the various ways that these rights are violated are increasingly complex. Some have criticized us for not pouring funding into a single technology—but there is no silver bullet in the struggle against Internet repression. There’s no “app” for that. And accordingly, we are taking a comprehensive and innovative approach—one that matches our diplomacy with technology, secure distribution networks for tools, and direct support for those on the front lines.”

The caution in spending may well also be driven by the issues that the State Department encountered with Haystack, a much celebrated Internet freedom tool that turned out to be closer to a fraud than a phenomenon.

There may be no silver bullet to deliver Internet freedom to the disconnected or filtered masses, per se, but there are more options beyond the Tor Project that people in repressive regimes can leverage. Today, MIT’s Technology Review reported on an app for dissidents that encrypts phone and text communications:

Two new applications for Android devices, called RedPhone and TextSecure, were released last week by Whisper Systems, a startup created by security researchers Moxie Marlinspike and Stuart Anderson. The apps are offered free of charge to users in Egypt, where protesters opposing ex-president Hosni Mubarak have clashed with police for weeks. The apps use end-to-end encryption and a private proxy server to obfuscate who is communicating with whom, and to secure the contents of messages or phone conversations. “We literally have been working night and day for the last two weeks to get an international server infrastructure set up,” says Anderson.

No word on whether they’ve received funding from State yet. For more on today’s speech, read the full report on the State Department’s Internet freedom policy at the Huffington Post, Ethan Zuckerman, or the ever sharp Nancy Scola on #NetFreedom, which does, in fact, now look like a “big deal.”

Senate considers update to Electronic Communications Privacy Act

Today in Washington, the Senate Judiciary Committee held a hearing on updating the Electronic Communications Privacy Act (ECPA), the landmark 1986 legislation that governs the protections citizens have when they communicate using the Internet or cellphones.

The statements of the witnesses before the Senate, including those from the Commerce Department and the Justice Department, are embedded in this post. Below, find an exclusive interview with digital privacy and security researcher Chris Soghoian, who until recently was the resident geek at the Federal Trade Commission, and some context on “Digital Due Process,” the coalition of industry and privacy advocates pushing for an ECPA update.

“From the perspective of industry and definitely the public interest groups, people shouldn’t have to consider government access as one of the issues when they embrace cloud computing,” said Soghoian. “It should be about cost, about efficiency, about green energy, about reliability, about backups, but government access shouldn’t be an issue.”

While the tech blogosphere may be focused on Twitter, Facebook and inside baseball among the venture capitalists of Silicon Valley today, the matter before Congress should be earning more attention from citizens, media and technologists alike. Over at Forbes, Kashmir Hill made the case that industry will benefit from a clearer Electronic Communications Privacy Act. Take it one step further: updates to the ECPA have the potential to improve the privacy protections for every connected citizen, cloud computing provider or government employee. As she pointed out there:

One of the most egregious ECPA issues is how it treats the protection of email. “Why should email in someone’s inbox be treated different from something in someone’s sent folder?” asked Smith [Microsoft’s general counsel]. “Why is something unread in my junk folder subjected to greater privacy than something read in my inbox? Why does an email I sent in April have fewer privacy protections than one I sent in September?”

Smith discussed security and privacy concerns with respect to cloud computing after the hearing (video embedded in the original post).

It’s important to be clear: Congress is unlikely to move on updating ECPA before the mid-term elections or in the lame duck session. That said, the hearing in the Senate today and the hearing on ECPA reform and the revolution in cloud computing in the House of Representatives tomorrow will inform any legislative action in the next Congress.

Chairman Patrick Leahy was clear in his opening statement today: American innovation has outpaced digital privacy laws.

When Congress enacted ECPA in 1986, we wanted to ensure that all Americans would enjoy the same privacy protections in their online communications as they did in the offline world, while ensuring that law enforcement had access to information needed to combat crime. The result was a careful, bipartisan law designed in part to protect electronic communications from real-time monitoring or interception by the Government, as emails were being delivered and from searches when these communications were stored electronically. At the time, ECPA was a cutting-edge piece of legislation. But, the many advances in communication technologies since have outpaced the privacy protections that Congress put in place.

Today, ECPA is a law that is often hampered by conflicting privacy standards that create uncertainty and confusion for law enforcement, the business community and American consumers.

For example, the content of a single e-mail could be subject to as many as four different levels of privacy protections under ECPA, depending on where it is stored, and when it is sent. There are also no clear standards under that law for how and under what circumstances the Government can access cell phone, or other mobile location information when investigating crime or national security matters. In addition, the growing popularity of social networking sites, such as Facebook and MySpace, presents new privacy challenges that were not envisioned when ECPA was passed.

Simply put, the times have changed, and so ECPA must be updated to keep up with the times. Today’s hearing is an opportunity for this Committee to begin to examine this important issue.

“There does seem to be wide agreement that current ECPA standards are a muddled mess,” said Julian Sanchez, a research fellow at the libertarian Cato Institute, and contributing editor for Reason Magazine. “The fear about ‘uncertainty’ expressed by Baker is ridiculous when you consider the scholarly consensus and the evident confusion in the courts trying to apply it. In reality, DOJ finds the ambiguity convenient, since they can jurisdiction-shop for magistrates whose interpretations they find congenial.”

Jim Dempsey of the Center for Democracy and Technology made the following statement on ECPA, promoting security and protecting privacy:

Justice Brandeis famously called privacy “the most comprehensive of rights, and the right most valued by a free people.” The Fourth Amendment embodies this right, requiring a judicial warrant for most searches or seizures, and Congress has enacted numerous laws affording privacy protections going beyond those mandated by the Constitution.

In setting rules for electronic surveillance, the courts and Congress have sought to balance two critical interests: the individual’s right to privacy and the government’s need to obtain evidence to prevent and investigate crimes, respond to emergency circumstances and protect the public. More recently, as technological developments have opened vast new opportunities for communication and commerce, Congress has added a third goal: providing a sound trust framework for communications technology and affording companies the clarity and certainty they need to invest in the development of innovative new services.

Today, it is clear that the balance among these three interests – the individual’s right to privacy, the government’s need for tools to conduct investigations, and the interest of service providers in clarity and customer trust – has been lost as powerful new technologies create and store more and more information about our daily lives. The protections provided by judicial precedent and statute have failed to keep pace, and important information is falling outside the traditional warrant standard.

The personal and economic benefits of technological development should not come at the price of privacy. In the absence of judicial protections, it is time for Congress to respond, as it has in the past, to afford adequate privacy protections, while preserving law enforcement tools and providing clarity to service providers.

Dempsey’s full testimony is embedded below:
Jim Dempsey Testimony on ECPA Update

The American Civil Liberties Union also had specific recommendations for Congress on ECPA reform. “The Electronic Communications Privacy Act was written in 1986 before the Web was even invented and is in desperate need of an upgrade,” said Laura W. Murphy, Director of the ACLU Washington Legislative Office. “While Americans have embraced technology as an essential part of everyday life, they have not surrendered their fundamental right to privacy. Congress must ensure that our privacy laws reflect the technology Americans use every day.”

The testimony of the ACLU on ECPA reform is embedded below:

ACLU statement on update to ECPA

The written testimony of Microsoft general counsel Brad Smith is embedded below:

Microsoft counsel Brad Smith’s Testimony before Senate

The written testimony of the Honorable James A. Baker, Esq., Associate Deputy Attorney General, United States Department of Justice, is embedded below:

Baker Testimony on ECPA Updates

The written testimony of the Honorable Cameron F. Kerry, Esq., General Counsel of the United States Department of Commerce is embedded below:

Cameron Kerry Testimony before the Senate

The written testimony of attorney Jamil Jaffer is embedded below:

Jamil Jaffer Testimony before the Senate Judiciary Committee

Digital Due Process

Earlier this year, I reported on the launch of DigitalDueProcess.org, a coalition pushing for an ECPA update to protect online privacy in the cloud computing age. A powerful collection of organizations has been pushing for an update to ECPA. Members of the coalition include Google, Microsoft, AT&T, AOL, Intel, the ACLU and the Electronic Frontier Foundation. The guidance from the coalition would enshrine principles for “digital due process,” online privacy and data protection in the age of cloud computing within an updated ECPA.

The coalition set up a website, DigitalDueProcess.org, containing its proposals for updating ECPA in the face of new cloud computing security and online privacy challenges. Google Public Policy released a video, embedded below, describing the concept of “digital due process.”

Exploring the future of online privacy with Jules Polonetsky

How will regulations and laws that address the new challenges of online privacy evolve? What are the tradeoffs between societal benefit and individual rights? How should the opportunities inherent in data mining be balanced with harm-based standards? What are the responsibilities of governments, businesses and citizens to protect privacy?

Yesterday at the Gov 2.0 Summit in Washington, my interview with Jules Polonetsky covered all of those topics and more. Polonetsky is the Co-chair and Director of the Future of Privacy Forum, a think tank seeking to improve the state of online privacy by advancing responsible data practices. His writing and research can be found at Futureofprivacy.org.