Saying no to the government

Published in: Technology, News & Politics

  1. Saying no to the government
     Christopher Soghoian
     Indiana University
     Presented at LSI Cloud Computing Seminar
  2. About me and my work
     PhD Candidate at Indiana University
     Privacy activist
     Some of my previous work includes:
       TSA / No Fly List activism
       TACO Behavioral Advertising add-on for Firefox
       Open letter to Google Re: SSL for Gmail
     These opinions are my own.
  3. A problem for Internet companies
     Consumers care about their privacy, and are particularly concerned about government access.
     The government routinely compels Internet and telecom companies to disclose their customers’ data.
     When the firms do disclose (as required by law), they are criticized, blamed and shamed by privacy activists.
  4. Saying “no” to the Feds is great PR
     Qwest and the NSA (2001).
     Gonzales v. Google (2006).
     Kramerbooks and Kenneth Starr (1998).
     Tattered Cover v. City of Thornton (Colo. 2002).
     In re Application of U.S. (D. Col. 2010)
  5. Saying yes to the feds brings bad press
     JetBlue sharing passenger data with DoD (2004).
     AT&T and Verizon providing “sneak peeks” to the FBI (DOJ OIG report, 2010).
     Yahoo and Chinese dissidents (2003).
     What about the legal costs?
  6.
  7. Companies can be compelled to violate their end users’ privacy
     In re the U.S. for an Order Auth. the Roving Interception of Oral Commc’n, 349 F.3d 1132, 1134 (9th Cir. 2003).
  8. How can you protect your customers’ data from government access, yet still comply with the law?
  9. Companies have significant freedom
     Technical policies:
       Minimal data retention
       Transport encryption
       Storage encryption
       Don’t ever handle users’ encryption keys.
     Legal policies:
       No voluntary disclosure of data in emergencies.
       Charge the government.
       Theofel standard, no matter where the request comes from.
       Publish stats on government requests.
  10. Data Retention
      If you don’t log it, you can’t be compelled to disclose it.
      Examples include Indymedia.us (2009).
      The Tor anonymous browsing network.
      Sprint Nextel (static IPs retained for 2 years) vs. T-Mobile & Cricket (no logging of IP info).
  11. Swedish ISPs
      An anti-piracy law enacted April 1, 2009, forcing ISPs to disclose identities of accused P2P infringers.
  12. Transport Encryption
      Not all cloud computing providers provide the same degree of security.
      You wouldn’t use a bank that doesn’t offer SSL. Why do you trust a cloud-based provider that doesn’t offer SSL (and enable it by default)?
  13.
  14. Storage Encryption
      Several services now offer cloud-based storage of user data, with an encryption key known only to the user.
      If the government compels disclosure of data, they have nothing useful to deliver.
      Do NOT handle the user’s encryption keys, even for a second or two.
  15. Pro-privacy ECPA positions
      Yes, ECPA strictly regulates when the government can compel the disclosure of customer information.
      However, companies can adopt extremely strong pro-privacy positions, and still comply with ECPA.
  16. Voluntary Disclosure and ECPA
      18 USC 2702 regulates the voluntary disclosure of data to the government in emergencies.
      There is no emergency obligation to disclose.
      Rule 41 (d)(3)(A) states: “A magistrate judge may issue a warrant based on information communicated by telephone or other reliable electronic means.”
      Companies can and should adopt a policy of “no valid legal process, no data.”
  17. Charge the government
      18 USC 2706: permits you to charge the government reasonable costs for compliance with requests.
      The problem with free: No reason not to ask.
      Charging just $1 changes the equation.
  18. Don’t keep the money
      “Selling” your users’ data to the government looks really bad.
      Solution: Charge the government, and then donate the money to charity.
  19. Theofel v. Farey-Jones
      DOJ’s position: Once an email has been opened, it can be obtained with a subpoena.
      Ninth Circuit disagrees.
      Some ISPs have argued that since their HQ is in the 9th Circuit, Theofel applies no matter where the request comes from.
      Others have simply argued that Theofel is the correct interpretation of the law.
      DOJ isn’t happy – Good. Make them fight it out in court.
  20. Publish Stats!
  21. Further reading (my work)
      An End to Privacy Theater: Exposing and Discouraging Corporate Disclosure of User Data to the Government, Forthcoming.
      Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era, Journal on Telecommunications and High Technology Law, Vol. 8, No. 2, 2010.
      More info and other work available at: http://www.dubfire.net
      Email me: csoghoian@gmail.com
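
The storage-encryption rule from slide 14 (key known only to the user, provider never handles it), sketched as an added example that is not part of the original slides. All function names, the in-memory provider store and the sample data are hypothetical; the choice of scrypt and AES-256-GCM is an assumption, not something the talk specifies.

```javascript
const crypto = require('crypto');

// --- Runs on the user's device only: passphrase and key never leave it ---
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32); // 256-bit key from passphrase
}

function clientEncrypt(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ct };
}

function clientDecrypt(passphrase, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  // final() throws if the key is wrong or the record was tampered with.
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// --- Runs at the provider: it only ever sees opaque records ---
const providerStore = new Map();
function providerPut(userId, rec) { providerStore.set(userId, rec); }
function providerGet(userId) { return providerStore.get(userId); }

// Everything the provider is able to hand over when compelled.
function providerDisclose(userId) {
  const rec = providerStore.get(userId);
  return Buffer.concat([rec.salt, rec.iv, rec.tag, rec.ct]);
}

// Constructed sample data, for illustration only.
function demo() {
  const passphrase = 'correct horse battery staple';
  const secret = 'draft notes: meeting with source, 14:00';
  providerPut('alice', clientEncrypt(passphrase, secret));
  const disclosed = providerDisclose('alice');
  let wrongKeyFails = false;
  try { clientDecrypt('guess', providerGet('alice')); } catch (e) { wrongKeyFails = true; }
  return {
    roundTrip: clientDecrypt(passphrase, providerGet('alice')) === secret,
    plaintextInDisclosure: disclosed.includes(Buffer.from(secret, 'utf8')),
    wrongKeyFails,
  };
}
console.log(demo());
```

The provider functions never receive the passphrase or the derived key, so the disclosed record is ciphertext plus public parameters; the protection then rests on the strength of the user's passphrase.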
