• Like
  • Save
Saying no to the government
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saying no to the government



Published in Technology , News & Politics
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Saying no to the government
    Christopher Soghoian
    Indiana University
    Presented at LSI Cloud Computing Seminar
  • 2. About me and my work
    PhD Candidate at Indiana University
    Privacy activist
    Some of my previous work includes:
    TSA / No Fly List activism
    TACO Behavioral Advertising add-on for Firefox
    Open letter to Google Re: SSL for Gmail
    These opinions are my own.
  • 3. A problem for Internet companies
    Consumers care about their privacy, and are particularly concerned about government access.
    The government routinely compels Internet and telecom companies to disclose their customers’ data.
    When the firms do disclose (as required by law), they are criticized, blamed and shamed by privacy activists.
  • 4. Saying “no” to the Feds is great PR
    Qwest and the NSA (2001).
    Gonzales v. Google (2006).
    Kramerbooks and Kenneth Starr (1998).
    Tattered Cover v. City of Thornton (Colo. 2002).
    In re Application of U.S. (D. Col. 2010)
  • 5. Saying yes to the feds brings bad press
    Jetblue sharing passenger data with DoD (2004).
    AT&T and Verizon providing “sneak peeks” to the FBI (DOJ OIG report, 2010).
    Yahoo and Chinese dissidents (2003).
    What about the legal costs?
  • 6.
  • 7. Companies can be compelled to violate their end user’s privacy
    In re the U.S. for an Order Auth. the Roving Interception of Oral Commc’n, 349 F.3d 1132, 1134 (9th Cir. 2003).
  • 8. How can you protect your customer’s data from government access, yet still comply with the law?
  • 9. Companies have significant freedom
    Technical Policies:
    Minimal data retention
    Transport encryption
    Storage encryption
    Don’t ever handle user’s encryption keys.
    Legal policies:
    No voluntary disclosure of data in emergencies.
    Charge the government.
    Theofel standard, no matter where the request comes from.
    Publish stats on government requests.
  • 10. Data Retention
    If you don’t log it, you can’t be compelled to disclose it.
    Examples include Indymedia.us (2009).
    The Tor anonymous browsing network.
    Sprint Nextel (static IPs retained for 2 years) vs. T-Mobile & Cricket (no logging of IP info).
  • 11. Swedish ISPs
    An anti-piracy law enacted April 1, 2009, forcing ISPs to disclose identities of accused P2P infringers.
  • 12. Transport Encryption
    Not all cloud computing providers provide the same degree of security.
    You wouldn’t use a bank that doesn’t offer SSL – why do you trust a cloud based provider that doesn’t offer SSL (and enable it by default).
  • 13.
  • 14. Storage Encryption
    Several services now offer cloud based storage of user data, with an encryption key only known to the user.
    If the government compels disclosure of data, they have nothing useful to deliver.
    Do NOT handle the user’s encryption keys, even for a second or two.
  • 15. Pro-privacy ECPA positions
    Yes, ECPA strictly regulates when the government can compel the disclosure of customer information.
    However, companies can adopt extremely strong pro-privacy positions, and still comply with ECPA.
  • 16. Voluntary Disclosure and ECPA
    18 USC 2702 regulates the voluntary disclosure of data to the government in emergencies.
    There is no emergency obligation to disclose.
    Rule 41 (d)(3)(A) states: “A magistrate judge may issue a warrant based on information communicated by telephone or other reliable electronic means.”
    Companies can and should adopt a policy of “no valid legal process, no data.”
  • 17. Charge the government
    18 USC 2706: permits you to charge the government reasonable costs for compliance with requests.
    The problem with free: No reason not to ask.
    Charging just $1 changes the equation.
  • 18. Don’t keep the money
    “Selling” your users’ data to the government looks really bad.
    Solution: Charge the government, and then donate the money to charity.
  • 19. Theofelv. Farey-Jones
    DOJ’s position: Once an email has been opened, it can be obtained with a subpoena.
    Ninth circuit disagrees.
    Some ISPs have argued that since their HQ is in 9th circuit, Theofel applies no matter where the request comes from.
    Others have simply argued that Theofel is the correct interpretation of the law.
    DOJ isn’t happy – Good. Make them fight it out in court.
  • 20. Publish Stats!
  • 21. Further reading (my work)
    An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government, Forthcoming.
    Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era,Journal on Telecommunications and High Technology Law, Vol. 8, No. 2, 2010.
    More info and other work available at: http://www.dubfire.net
    Email me: csoghoian@gmail.com