Archive for the ‘privacy’ Category

Joshua Gilliland writes an excellent blog on many legal issues. Today’s posting about a recent court case in California is a disturbing story. Please go read the full version.

The issue at hand is the government’s right to track you as you go about your business. The case involved a suspected drug dealer. The police planted a GPS tracking unit on his car and compiled full records of his movements over several days. They found evidence of illegal activity and convicted him. He appealed, arguing that the way the police collected the evidence violated the 4th Amendment.

At the risk of defending a convicted drug dealer, there are some very disturbing aspects of this case.

First is the Court’s determination that bugging your car with a GPS is fundamentally the same as bugging it with an older “beeper” technology. GPS is far more intrusive and more capable: it is not limited to proximity, it is always on, and it is far more precise in the location reported. And while my presence at any one store may be a public act, there is no easy public way to aggregate that information. So even if an individual trip out of the house is public, I still retain an expectation of privacy for the pattern of trips.

Second is this Court’s determination that your driveway is “public” – that you have no expectation of privacy on a car on your own property. From the available reports, the police invaded the suspect’s property to plant the bug. Their argument was that the gas meter reader and postman have rights to come to your front door, therefore the police have a right to come onto your property, too. Their argument for doing so is, in my opinion, weak. The limited right to come onto my property for a defined purpose (and in compliance with an implicit contract for service) does not equate to an unlimited right of access. I do not, for example, sacrifice my rights to allege trespassing by vandals just because the postman delivers mail.

The most worrisome point, though, is that both of these concerns could have been made moot if the police had simply asked for a warrant before attaching the bug. The government’s assertion of a right to do this without a warrant is what makes this such a concerning precedent. Like Josh, I hope that the Supreme Court accepts the appeal and overturns this standard, preferably sooner rather than later.

I’m not a huge fan of Stephen Colbert but he occasionally has some very interesting things to say about privacy. The Electronic Freedom Foundation recently highlighted his video article on solving the problem of young people posting things online that they will later regret.

[Embedded video: The Colbert Report, “The Word – Control-Self-Delete” (www.colbertnation.com)]

As EFF very creatively put it, “the CEOs of Google and Facebook can be astonishingly tone deaf [about] the privacy of their customers.” To live up to their view of the world, you either have to be a superhuman saint or a faceless drone with a life so boring that you may as well not even exist. They have a financial incentive to set the bar that high, because the alternative is to stop them from data-mining and profiting from our private information.

Germany is experimenting with some interesting privacy laws which may start to rebalance private and public rights. They have successfully taken on Google Street View and are working on a number of other privacy issues. Of course, there’s no guarantee that the US would or even should follow Germany’s lead but we should watch it carefully.

In the meantime (and in the CEOs’ defense), I have to agree with the core principle that if you would be embarrassed to see it on the front of tomorrow’s newspaper, maybe you shouldn’t be doing it. Or at least don’t advertise it by posting the incriminating picture yourself for the whole world to see it.

This week’s post isn’t strictly a computer security topic but it’s a core privacy issue and I think that’s close enough.

Time magazine ran an article recently asking Should Videotaping the Police Really Be a Crime? The article tells the story of Anthony Graber, a Maryland Air National Guard staff sergeant, who faces up to 16 years in prison for posting a videotape of a traffic stop on YouTube.

Apparently, Graber keeps a video camera on top of his motorcycle helmet to record his journeys. He got a little too enthusiastic this time, popping a wheelie and going 80 in a 65 mph zone. The camera was rolling when an unmarked gray sedan cut him off as he stopped behind several other cars at an exit from the interstate. A man in a gray pullover and jeans got out of the car wielding a gun and repeatedly yelled at Graber, ordering him to get off his bike. Only then did Maryland State Trooper Joseph D. Uhler identify himself as “state police” and holster his weapon. Graber got a speeding ticket which he says he deserved.

Anyway, even if you deserve the speeding ticket, I can understand being upset about the traffic stop. Uhler should have known better and was certainly trained better – plainclothes police must identify themselves before they can have any expectation of obedience. If someone jumps out of a car screaming and waving a gun at me, I only hope I can react as calmly as Graber. Rather than file a formal complaint, though, Graber did what many do these days when dissatisfied with the service whether it’s of a company, a restaurant or the government – he posted his experience online.

Fast forward one month to April 8, when Graber was woken up by six officers raiding his parents’ home in Abingdon, Md., where he lived with his wife and two young children. They arrested him and confiscated four computers, the camera, external hard drives and thumb drives. He learned later that prosecutors had obtained a grand jury indictment alleging he violated state wiretap laws by recording the trooper without consent. Maryland is one of 12 states which require all parties to consent before a recording may be made if a conversation takes place where there is a “reasonable expectation of privacy.”

My apologies for the long introduction but we’re finally at the privacy issue: Does a traffic stop conducted in full view of the public and on a public roadway ever constitute a situation where there is a reasonable expectation of privacy? For that matter, is any official action by a law enforcement officer a private act deserving of that kind of protection from scrutiny? How do you square this criminal charge by the prosecutors with the COPS mentality where homes are invaded and suspects arrested on TV? (The perpetrator must sign a waiver or have his/her face blurred but no such waivers are requested of family members and other bystanders.)

I am extremely uncomfortable with the position taken by these prosecutors. In my opinion, an arrest or even a stop for questioning is an inherently public act. The State might have an obligation to protect the privacy of the suspect (since he/she still retains the presumption of innocence) but no such protection applies to the officer of the State. Nor should any such protection be needed – if an officer is behaving appropriately, why should he/she be worried about being filmed? That’s the argument trotted out by prosecutors in favor of the traffic cameras and other forms of public monitoring, after all. And it applies even more so since the officer is acting in his/her official capacity rather than a citizen’s private act of driving.

Third-party filming presents a more complicated question but in this case I think the suspect’s act of videotaping can be taken as implied consent.

Unfortunately, the Graber prosecution is not a rogue act. Prosecutions for videotaping of police encounters appear to be on the upswing. And even if they don’t win the legal case, the very threat by the police is intimidating and chills our society. Few people have the will to risk jail to defend their rights. Graber’s case may still be thrown out (his hearing is scheduled for October) but his lawyer says that “the message of intimidation has already been sent.” Graber says that he is afraid of police now and so nervous driving that he has put his motorcycle up for sale.

I’ve done a little digging into the debates around the time that Maryland and others were writing those wiretapping laws. From everything I can tell, they were written to protect us from state-sponsored intrusions into our privacy unless and until the state gets a warrant explicitly authorizing the intrusion. Can anyone find a differing opinion in the record?

So back to privacy at your company. If I believe the police should be transparent in their dealings with the public, I should hold myself to the same standard. Can an employee videotape an encounter with another? What about recording a meeting with a manager? Do they need to disclose it? What will you do when they don’t? With the advent of cellphone-based cameras, I don’t know if you could stop the recording even if you try. Disgruntled employees keep notes on their coworkers – they always have. This is different only in degree.

Ideally, we should all behave in such a way that we’d never be embarrassed if something showed up online. That’s a very high standard of professionalism. We teach people over and over to make that assumption when writing emails. Now we have to think about it all the time. Are your people up to it? Are you?

“Cloud” computing has been a popular buzzword in the news for a few years now but it’s rarely defined. So in the interest of debunking some of the hype and identifying some of the unique risks, here goes…

Cloud computing means having someone else do your computing for you – taking data and calculations that you would have crunched on your own mainframe or workstation and, instead, crunching it on some computer on the internet. (The name comes from the IT diagramming convention of showing the internet as an amorphous cloud.) In theory, this gets you access to more and bigger computers than you would be able to afford yourself. It also gets you access to your data from any internet browser, not just your own dedicated computer. If you are a webmail user (yahoo, gmail, hotmail, etc), you are already using cloud computing.

There are two general business models for cloud computing providers. The first are companies who already have lots and lots of computers but who only need their computing power for surges. Amazon, Google and eBay might be examples. They have to build their data centers to handle Cyber-Monday. Renting computer time to you is a way to get back some of their investment when they’re not busy with their own crunch.

The second are companies who start out with the model of renting – the United Rentals of the computer world. IBM is moving aggressively in this space. A variation on this is Software-as-a-Service (or SAAS) where a particular vendor lets you move his application and the associated data out of your data center and onto his machines for a fee. Moving your financials to Peachtree’s online application might be an example.

In either business model, there are some serious security and legal issues to think through before you decide to outsource your computing. For example:

  1. Security – Are they able to keep your data separate from the data of all their other customers? Who else now has access to your confidential data?
  2. eDiscovery – If you get sued and have to turn over your computer records, can they segregate them? Can they produce your records fast enough to keep the courts happy? And how much are they going to charge you for the privilege?
  3. Privacy – What if the vendor gets a subpoena or request for your data? Will they fight it? Will they even tell you about it?
  4. Records Retention – Hopefully, you have a carefully thought-out policy that makes sure all information is kept as long as it is needed (either by the business or by law) but no longer. Keeping information longer than you need it is, by definition, risk without reward. How will you ensure that the vendor lives up to your policy?
  5. Privacy laws – Some of these vendors send data overseas. All of them send it outside your local jurisdiction. Is this contract going to get you in trouble with any processing, retention or transfer restrictions, such as those in the European Data Protection Directive? Worse, are you going to inherit those privacy obligations because your data is commingled with others’?

Cloud computing can be a boon to small businesses that are growing rapidly and can’t yet afford a dedicated data center. But the cloud can also be a dangerous place. Don’t rush into the relationship without a lot of thought and consideration for the risks and for your mitigation strategy.

A while back, CBS News ran an “exposé” on the security risks of digital copiers. I answered a few emails but quickly let it drop. Apparently, this story is being run around the internet again, though, so let’s take a few minutes to formally debunk it.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

  • Digital copiers contain hard-drives – True.
  • The hard-drive keeps a copy of the documents being copied – True.
  • The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes there are images on the hard-drive but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
  • The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even half-way on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

  1. If your company does not keep copiers on their IT asset list, they should. (Though they should primarily because of the risk of an unpatched OS.)
  2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.


Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to its highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab, but it will frustrate the 13-year-old who pulls the drive out of the trash.
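To show why the “poor man’s disk wipe” works, and why the highest-resolution colour setting matters, here is a small simulation added for this post (not from the original article or any copier vendor) that models the copier’s scan store as a ring buffer. The 4 GiB store, the 1 MiB and 12 MiB page images and the 20-page sensitive document are constructed figures, not measurements of any real copier.

```python
from collections import Counter
from math import ceil

# Simplified ring-buffer model of a copier's scan store, constructed for this
# example (not any vendor's firmware): each page image is written at the next
# position and the oldest image data is overwritten once the store wraps.
BLOCK = 1024 * 1024  # model granularity, 1 MiB per block (an assumption)


class ScanStore:
    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes // BLOCK
        self.slots = [None] * self.capacity  # label of the scan held in each block
        self.head = 0                        # next block to be written
        self.live = Counter()                # blocks still holding each label

    def scan(self, label, size_bytes):
        """Write one image block by block, overwriting whatever is oldest."""
        for _ in range(ceil(size_bytes / BLOCK)):
            old = self.slots[self.head]
            if old is not None:
                self.live[old] -= 1
            self.slots[self.head] = label
            self.live[label] += 1
            self.head = (self.head + 1) % self.capacity

    def remnant_bytes(self, label):
        """Bytes of the named scan that have not yet been overwritten."""
        return self.live[label] * BLOCK


def remnant_after(capacity_bytes, sensitive_bytes, page_bytes, pages):
    """Bytes of a sensitive scan still readable after `pages` junk pages."""
    store = ScanStore(capacity_bytes)
    store.scan("sensitive", sensitive_bytes)
    for _ in range(pages):
        store.scan("junk", page_bytes)
    return store.remnant_bytes("sensitive")


def pages_to_flush(capacity_bytes, sensitive_bytes, page_bytes):
    """Junk pages needed before nothing of the sensitive scan remains."""
    store = ScanStore(capacity_bytes)
    store.scan("sensitive", sensitive_bytes)
    pages = 0
    while store.remnant_bytes("sensitive") > 0:
        store.scan("junk", page_bytes)
        pages += 1
    return pages
```

With these constructed figures, 1 MiB pages need 4096 passes to flush the 4 GiB store while 12 MiB colour pages need 342, and until the store has fully wrapped (341 pages) 4 MiB of the sensitive scan is still readable, which is the fragment a forensics lab would go looking for. The model assumes strictly sequential reuse of the store; real firmware may allocate differently, which is why a proper wipe at decommissioning is still the right answer.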