August 5th, 2008

Email and Cell Phone Privacy Threatened in Two Separate Court Cases

San Francisco – The Electronic Frontier Foundation (EFF) has filed friend-of-the-court briefs in two key propecia contraindications electronic privacy cases that threaten to expand the government's spying authority.

In the first case, Bunnell v. Motion Picture Association of America (MPAA), EFF filed a brief with the 9th U.S. Circuit Court of Appeals arguing that federal wiretapping law protects emails from unauthorized interception while they are temporarily stored on the email servers that transmit them. This case was brought against the MPAA by the owners and operators of TorrentSpy, a search engine that let Internet users locate files on the BitTorrent peer-to-peer network. After a business dispute, one of TorrentSpy's independent contractors hacked into the company email server and configured it to copy and forward all incoming and outgoing email to his personal account and then sold the information to the MPAA. However, the federal district court ruled that because the emails were stored on the mail server for several milliseconds during transmission, they were not technically "intercepted" under the federal Wiretap Act. In its amicus brief filed Friday, EFF argues that this dangerous ruling is incorrect as a matter of law and must be overturned in order to prevent the government from engaging in similar surveillance without a court order.

"The district court's decision, if upheld, would have dangerous repercussions far beyond this single case," said EFF Senior Staff Attorney Kevin Bankston. "That court opinion — holding that the secret and unauthorized copying and forwarding of emails while they pass through an email server is not an illegal interception of those emails — threatens to wholly eviscerate federal privacy protections against Internet wiretapping and to authorize the government to conduct similar email surveillance without getting a wiretapping order from a judge."

The second case concerns a request by the Department of Justice (DOJ) to a federal magistrate judge in Pennsylvania for authorization to obtain cell phone location tracking information from a mobile phone provider without probable cause. The magistrate instead demanded that the DOJ obtain a search warrant based on probable cause, and the DOJ appealed that decision to the federal district court in the Western District of Pennsylvania. In an amicus brief filed Thursday, EFF urged the district court to uphold the magistrate's ruling and protect cell phone users' location privacy.

"Location information collected by cell phone companies can provide an extraordinarily invasive glimpse into the private lives of cell phone users. Courts have the right under statute — and the duty under the Fourth Amendment — to demand that the government obtain a search warrant based on probable cause before seizing such sensitive information," said Bankston. "This is only the latest of many cases where EFF has been invited to brief judges considering secret surveillance requests that aren't supported by probable cause. We hope this court recognizes the serious Fourth Amendment questions that are raised by warrantless access to cell phone location information and affirms the magistrate's denial of the government's surveillance request."

The American Civil Liberties Union (ACLU), the ACLU-Foundation of Pennsylvania, and the Center for Democracy and Technology (CDT) also joined EFF's brief.

For the full amicus brief in Bunnell v. MPAA:
http://www.eff.org/files/filenode/Bunnell_v_MPAA/BunnellAmicus.pdf

For the full amicus brief in the cell phone records case:
http://www.eff.org/files/filenode/celltracking/LenihanAmicus.pdf

For more on cell phone tracking:
http://www.eff.org/issues/cell-tracking

July 29th, 2008

The U.S. Department of Homeland Security has concocted a remarkable new policy: It reserves the right to seize for an indefinite period of time laptops taken across the border.

A pair of DHS policies from last month say that customs agents can routinely–as a matter propecia blood pressure of course–seize, make copies of, and "analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States." (See policy No. 1 and No. 2.)

DHS claims the border search of electronic information is useful to detect terrorists, drug smugglers, and people violating "copyright or trademark laws." (Readers: Are you sure your iPod and laptop have absolutely no illicitly downloaded songs? You might be guilty of a felony.)

This is a disturbing new policy, and should convince anyone taking a laptop across a border to use encryption to thwart DHS snoops. Encrypt your laptop, with full disk encryption if possible, and power it down before you go through customs.

Here's a guide to customs-proofing your laptop that we published in March.

It's true that any reasonable person would probably agree that Customs agents should be able to inspect travelers' bags for contraband. But seizing a laptop and copying its hard drive is uniquely invasive–and should only be done if there's a good reason.

Sen. Russell Feingold, a Wisconsin Democrat, called the DHS policies "truly alarming" and told the Washington Post that he plans to introduce a bill that would require reasonable suspicion for border searches.

But unless Congress changes the law, DHS may be able to get away with its new rules. A U.S. federal appeals court has ruled that an in-depth analysis of a laptop's hard drive using the EnCase forensics software "was permissible without probable cause or a warrant under the border search doctrine."

At a Senate hearing in June, Larry Cunningham, a New York prosecutor who is now a law professor, defended laptop searches–but not necessarily seizures–as perfectly permissible. Preventing customs agents from searching laptops "would open a vulnerability in our border by providing criminals and terrorists with a means to smuggle child pornography or other dangerous and illegal computer files into the country," Cunningham said.

The new DHS policies say that customs agents can, "absent individualized suspicion," seize electronic gear: "Documents and electronic media, or copies thereof, may be detained for further review, either on-site at the place of detention or at an off-site location, including a location associated with a demand for assistance from an outside agency or entity."

Outside entity presumably refers to government contractors, the FBI, and National Security Agency, which can also be asked to provide "decryption assistance." Seized information will supposedly be destroyed unless customs claims there's a good reason to keep it.

An electronic device is defined as "any device capable of storing information in digital or analog form" including hard drives, compact discs, DVDs, flash drives, portable music players, cell phones, pagers, beepers, and videotapes.

31 Jul 2008 17:29

Public and private entities can use deep packet inspection to analyse internet users' traffic, with potentially serious ramifications for privacy and the nature of the web

Anyone who uses the internet needs to be aware of deep packet inspection, its uses and potential misuses.

You may recognise deep packet inspection (DPI) as something internet service providers (ISPs) use to conform to the Communications Assistance for Law Enforcement Act (Calea), the US government-ordered internet wire-tapping directive. If that's not enough, DPI, albeit behind the scenes, allows ISPs to block, shape, and prioritise traffic, which is now fuelling the net-neutrality-versus-traffic-priority debate. So, what is DPI and how does it work?

Deep packet inspection
DPI is next-generation technology that's capable of inspecting every byte of every packet that passes through the DPI device. That means packet headers, types of applications and actual packet content.

Up until now, this wasn't possible with intrusion-detection or intrusion-prevention systems (IDS/IPS) or stateful firewalls. The difference is that DPI has the ability to inspect traffic at layers 2 through to 7 — hence the 'deep' in DPI.

A simple analogy would be that of snail mail. IDS/IPS firewalls would be the mail sorters who just read the letter's address, knowing nothing about the letter's content. Inspecting internet traffic from layers 2 through to 7 would correspond to the person who actually reads the letter and understands the contents.

To recap, DPI allows the people controlling the device to know everything, including the payload of each packet in the data stream. For example, if an unencrypted email is scanned, the actual body of the email can be reassembled and read.

Nate Anderson wrote an excellent Ars Technica article, Deep packet inspection meets net neutrality, Calea, in which the following quote appears:

"Deep packet inspection refers to the fact that these boxes don't simply look at the header information as packets pass through them. Rather, they move beyond the IP and TCP header information to look at the payload of the packet. The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company propecia baldness hair loss like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user."

Anderson also explained what happens at layer 7:

"Layer 7 is the application layer, the actual messages sent across the internet by programs like Firefox or Skype or Azureus. By stripping off the headers, deep-packet-inspection devices can use the resulting payload to identify the program or service being used. Procera, for instance, claims to detect more than 300 application protocol signatures, including BitTorrent, HTTP, FTP, SMTP and SSH. Ellacoya reps tell Ars that their boxes can look deeper than the protocol, identifying particular HTTP traffic generated by YouTube and Flickr, for instance. Of course, the identification of these protocols can be used to generate traffic-shaping rules or restrictions."

What makes DPI all the more impressive is that the packet analysis happens in real-time, with data stream throughput approaching 20-30Gbps. With no loss of throughput, ISPs are able to insert these devices directly in their data streams, forcing all traffic to pass through the devices. Procera, Narus, and Ellacoya are front-runners in the development of this technology, having placed equipment throughout the world.

DPI's potential uses
DPI technology is unique in that, as of now, it's the only way to accomplish certain US governmental security directives. DPI also has the potential to do a great deal of good. For example, distributed denial-of-service (DDoS) attacks are virtually impossible to thwart. Conceivably, if DPI were in place and configured correctly, it would detect the DDoS packets and filter them out. Some more potential uses are listed below:

• Network security: DPI's ability to inspect data streams at such a granular level may prevent viruses and spyware from either gaining entrance to a network or leaving it
• Network access: DPI creates conditions where network-access rules are easy to enforce due to the deep inspection of packets
• Calea compliance: DPI technology augments traffic-access-points technology used initially for governmental surveillance equipment
• Enforcement of service-level agreements: ISPs can use DPI to ensure that their acceptable-use policy is enforced. For example, DPI can locate illegal content or abnormal bandwidth usage
• Quality of service: P2P traffic gives ISPs a great deal of trouble. DPI would allow the ISP to instigate traffic control and bandwidth allocation
• Tailored service: DPI allows ISPs to create different services plans, which means users would pay for a certain amount of bandwidth and traffic priority. This point is controversial and affects net neutrality
• DRM enforcement: DPI has the ability to filter traffic to remove copyrighted material. There's immense pressure from the music and film industries to make ISPs responsible for curtailing illegal distribution of copyrighted material

The above applications have the potential to give users a better internet experience. Yet it wouldn't take much mission creep to create major privacy concerns. It would be remiss if these were not pointed out so that everyone can understand the ramifications.

Possible misuses of DPI
DPI is another innovative technology that has ISPs arguing with privacy advocates. ISPs and DPI developers are adamant that the technology is benign and will create a better internet experience. However, privacy groups have two major concerns: that there would be little or no oversight, and the potential for losing still more individual privacy. Many experts find the following uses of DPI to be especially troubling:

• Traffic shaping: Traffic shaping is where certain traffic or entities get priority and a predetermined amount of bandwidth. With the increasing number of bandwidth-hungry applications, ISPs are having to make decisions on whether to increase available bandwidth with infrastructure build-out or increase control of the existing bandwidth. Installing a DPI system is usually the choice, as it's cheaper and has a more predictable return on investment. Albeit cheaper, it's riskier, and that may be why the net-neutrality debate is going on at the moment 
• Behavioural targeting: Behavioural targeting uses DPI technology for the sole purpose of harvesting user information anonymously — supposedly — and selling it to interested parties who use the information to create ads that are targeted to the individual

Final thoughts
This is a very complex subject, with the potential to change everyone's view of the internet. An optimist would say that DPI will help enhance the experience, even producing ads that are relevant to each individual user. However, a pessimist may say it's Big-Brother technology that only benefits ISPs. No-one is sure how the internet will look when the dust settles around the issue of DPI, but it should be interesting.

Michael Kassner is a network field engineer and independent wireless consultant.