Category Archives: Law: Internet Law

Anonymity is Hard: Harvard Bomb Hoax Investigation Surmounts Tor + Guerilla Mail

According to the affidavit from FBI Special Agent Thomas M. Dalton, the person who sent a fake bomb threat to cause Harvard to evacuate several buildings during exams used a throwaway email address from Guerrilla Mail, which he contacted via Tor. The FBI caught him anyway because the sender of the bomb threat accessed Tor via the Harvard wireless network.

The Guerrilla Mail FAQ says that “Logs are deleted after 24 hours,” but the FBI apparently got there inside that window. Presumably using the Guerrilla Mail logs, the FBI determined that the sender of the emails used Tor, an anonymization tool, to connect to Guerrilla Mail. Although the affidavit doesn’t spell any of this out, Harvard’s logs allowed it to figure out who had been using their wireless network to connect to Tor. They then somehow — correlating who among the limited pool of Tor-users with the people who had exams in the buildings evacuated due to the bomb threat? — fingered a suspect (or suspects?). I’d love to know how many people were in the intersection of those two sets. When confronted by the FBI a Harvard undergrad who confessed. One has to wonder, though, if there would have been sufficient evidence to convict beyond a reasonable doubt without that confession. After all, there are other ways to contact Tor.

Tor is widely considered to be the best tool available for online anonymity, so this serves as a cautionary lesson on how difficult it is to be anonymous on line.

The text of the affidavit is below:
Continue reading

Posted in Law: Internet Law | 1 Comment

UMiami’s Holiday Wishes

Online here if you don’t see it below.

Your university tuition dollar at work.

Stop here if that filled you with holiday cheer.

Continue on if you want some Grinch.
Continue reading

Posted in Law: Internet Law, U.Miami | Leave a comment

SSL Certificate Trust Model Has Problems

French agency caught minting SSL certificates impersonating Google:

The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.

The certificates were issued by an intermediate certificate authority linked to the Agence nationale de la sécurité des systèmes d’information, the French cyberdefense agency better known as ANSSI. After Google brought the certificates to the attention of agency officials, the officials said the intermediate certificate was used in a commercial device on a private network to inspect encrypted traffic with the knowledge of end users, Google security engineer Adam Langley wrote in a blog post published over the weekend. Google updated its Chrome browser to reject all certificates signed by the intermediate authority and asked other browser makers to do the same. Firefox developer Mozilla and Microsoft, developer of Internet Explorer have followed suit. ANSSI later blamed the mistake on human error. It said it had no security consequences for the French administration or the general public, but the agency has revoked the certificate anyway.

An intermediate certificate authority is a crucial link in the “chain of trust” that’s key in connections protected by SSL and its successor protocol, known as transport layer security (TLS). Because intermediate certificates are signed by a root certificate embedded in the browser, they have the ability to mint an unlimited number of digital certificates for virtually any site. The individual certificates will be accepted by default by most browsers.

Maybe it’s time to dust off and update my article on digital signatures and digital certificates, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 Ore. L. Rev. 49 (1996). I think this was the first article published in a US law review on the topic, and even though it’s held up well, there have been many developments in nearly 20 years. On the other hand, there are three new papers I need to finish first…

Posted in Law: Internet Law | Leave a comment

New Privacy Paper Posted

“PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, forthcoming in the Ohio State Law Journal, just posted to SSRN.

Abstract:

U.S. law puts the onus on the individual to protect his or her own privacy with only a small number of exceptions (e.g. attorney-client privilege). In order to protect privacy, one usually has three possible strategies: to change daily behavior to avoid privacy-destroying cameras or online surveillance; to contract for privacy; or to employ Privacy Enhancing Technologies (PETs) and other privacy-protective technologies. The first two options are very frequently unrealistic in large swaths of modern life. One would thus expect great demand for, and widespread deployment of, PETs and other privacy-protective technologies. But in fact that does not appear to be the case. This paper argues that part of the reason is a set of government and corporate policies which discourage the deployment of privacy technology. This paper describes some of those polices, notably: (1) requiring that communications facilities be wiretap-ready and engage in customer data retention; (2) mandatory identification both online and off; (3) technology-limiting rules; and also (4) various other rules that have anti-privacy side effects.

The paper argues that a government concerned with protecting personal privacy and enhancing user security against ID theft and other fraud should support and advocate for the widespread use of PETs. In fact, however, whatever official policy may be, by its actions the prevailing attitude of the U.S. government amounts to saying that PETs and other privacy protecting technology, must be kept on a leash.

A last-minute update reconsiders the argument in light of the Snowden revelations about the widespread dragnet surveillance conducted by the NSA.

Comments welcome!

Posted in Civil Liberties, Law: Internet Law, Writings | 1 Comment

Small World

I was impressed to learn that the lawyer defending Barrett Brown from a 100 year prison term for the crime of linking to things is the very same now-former Navy lawyer I consider an American hero. Some heroes just don’t quit.

(found via Digby)

Posted in Civil Liberties, Law: Internet Law | 2 Comments

Good Work

If you want to see what an absolutely first-class appellate brief looks like, look no further than Petitioner’s Brief in U.S. v. Auernheimer, authored by Tor Ekeland and Mark Jaffe, Hanni Fakhoury of the EFF, Marcia Hofmann (ex-EFF, now in private practice) and Orin Kerr (GWU Law).

If I’m ever convicted of reading and copying stuff off an unprotected web page, I want these guys as my lawyers.

And, yes, that’s the essence of the felony conviction being appealed:

The government charged Auernheimer with felony computer hacking under the Computer Fraud and Abuse Act (“CFAA”) for visiting an unprotected AT&T website and collecting e-mail addresses that AT&T had posted on the World Wide Web. The government also charged Auernheimer with identity theft for sharing those addresses with a reporter.

Auernheimer’s convictions must be overturned on multiple and independent grounds. First, Auernheimer’s conviction on Count 1 must be overturned because visiting a publicly available website is not unauthorized access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a “theft.” The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the e – mail addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime.

Incredible.

Disclosure: I’m on the EFF Advisory Board, but have no connection to the case other than liking those of the lawyers I know.

Update (7/2/13): Here’s EFF’s official announcement, Appeal Filed to Free Andrew ‘Weev’ Auernheimer.

Posted in Law: Criminal Law, Law: Internet Law | Tagged | 1 Comment

Estate Planning for Your Digital Afterlife

Over the weekend I attended parts of a great symposium put on by the Miami Law Review on social media and the law.

The Law Review had drafted me to moderate a panel on “Will You Have a Digital Afterlife?” It was an interesting experience: the estate planning/probate version of privacy issues is a sort of funhouse mirror version of how I usually think about digital privacy: everything I recommend to people — e.g. strong passwords, strong encryption — can make digital probate more difficult.

The first complication is that we may not know with much certainty what the decedent wanted. Did he want the heirs to have full access to his encrypted hard drive? What if there’s a porn collection?

Second, how about the email account — it may have important information about what bills need to be paid, but it might also have a secret correspondence with far-out political groups or a mistress that the decedent might not have wanted the survivors to see. Online social media accounts have additional complexities as some providers take the view that the contract terminates with death and thus make no attempt to preserve, or may even flush, the contents. Others have contract terms of service that routinely deny access to surviving family members, if only because that blanket rule may make life easier for the provider.

Laws prohibiting various sorts of unauthorized access, written with the living in mind, add another level of complexity as innocent attempts by family members to find out about the credit card bill or the phone bill may amount — in formal terms at least — to criminal actions punishable (in theory) like the worst forms of hacking; computer intermediaries (and lawyers!) may justly be nervous about enabling such access without clear advance directives from the deceased.

The panelists — Christina L. Kunz, James Lamm, Michael J. Mcguire, and Damien A. Riehl — did an excellent job of introducing this complex area of law to an audience composed mostly of neophytes like me.

I came away from James Lamm’s talk, for example, persuaded that I should execute an ‘Authorization and Consent for Release of Electronically Stored Information’ and also add a codicil to my will that covers access to electronic material stored in the cloud or elsewhere.

James Lamm, by the way, blogs at Digital Passing.

[Note (2/21): edited to conform to a very polite copyright-related request from Mr. Lamm. You'll have to wait for his article, or consult him, for more details.]

Posted in Law: Internet Law | 1 Comment