Category Archives: Law: Internet Law

SSL Certificate Trust Model Has Problems

French agency caught minting SSL certificates impersonating Google:

The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.

The certificates were issued by an intermediate certificate authority linked to the Agence nationale de la sécurité des systèmes d’information, the French cyberdefense agency better known as ANSSI. After Google brought the certificates to the attention of agency officials, the officials said the intermediate certificate was used in a commercial device on a private network to inspect encrypted traffic with the knowledge of end users, Google security engineer Adam Langley wrote in a blog post published over the weekend. Google updated its Chrome browser to reject all certificates signed by the intermediate authority and asked other browser makers to do the same. Firefox developer Mozilla and Microsoft, developer of Internet Explorer, have followed suit. ANSSI later blamed the mistake on human error. It said it had no security consequences for the French administration or the general public, but the agency has revoked the certificate anyway.

An intermediate certificate authority is a crucial link in the “chain of trust” that’s key in connections protected by SSL and its successor protocol, known as transport layer security (TLS). Because intermediate certificates are signed by a root certificate embedded in the browser, they have the ability to mint an unlimited number of digital certificates for virtually any site. The individual certificates will be accepted by default by most browsers.

Maybe it’s time to dust off and update my article on digital signatures and digital certificates, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 Ore. L. Rev. 49 (1996). I think this was the first article published in a US law review on the topic, and even though it’s held up well, there have been many developments in nearly 20 years. On the other hand, there are three new papers I need to finish first…
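The quoted passage describes the mechanism in two sentences: an intermediate signed by a root the browser already trusts can issue a certificate for any name, and stock validation will accept it. The following Go program, an added example written for this page and not code from the original post, from Google, or from any browser vendor, builds exactly that shape in memory (a root, an intermediate under it, and a leaf for www.google.com that the site owner never requested), shows that standard path validation accepts the leaf, and then applies the one response the post describes: a client-side blocklist that rejects any chain passing through the offending intermediate. The names "Example Trusted Root" and "Example Agency Intermediate" and all keys are constructed on the spot; keying the blocklist on the SHA-256 of the SubjectPublicKeyInfo is one reasonable choice for such a list, not a claim about how Chrome's blocklist is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf chain for one host.
type Chain struct{ Root, Inter, Leaf *x509.Certificate }
// template returns a minimal CA or server certificate template for cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if !ca {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn} // clients match the SAN, not the CN
	}
	return t
}

// issue generates a fresh key for tmpl and signs it with parentKey; a nil parent self-signs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildRogueChain mirrors the incident: a trusted root signs an intermediate, which then issues a cert for host (constructed names).
func BuildRogueChain(host string) (c *Chain, err error) {
	var rootKey, interKey *ecdsa.PrivateKey
	c = &Chain{}
	if c.Root, rootKey, err = issue(template("Example Trusted Root", 1, true), nil, nil); err != nil {
		return nil, err
	}
	if c.Inter, interKey, err = issue(template("Example Agency Intermediate", 2, true), c.Root, rootKey); err != nil {
		return nil, err
	}
	if c.Leaf, _, err = issue(template(host, 3, false), c.Inter, interKey); err != nil {
		return nil, err
	}
	return c, nil
}

// SPKIHash is the SHA-256 of a certificate's SubjectPublicKeyInfo, a stable key for a blocklist.
func SPKIHash(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// Verify runs stock path validation (trusted root, hostname, validity) and then
// rejects any chain containing a blocklisted key, the response the post describes.
func Verify(c *Chain, host string, blocked map[[32]byte]bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Inter)
	chains, err := c.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, cert := range chain {
			if blocked[SPKIHash(cert)] {
				return fmt.Errorf("chain contains blocklisted CA %q", cert.Subject.CommonName)
			}
		}
	}
	return nil
}

func main() {
	c, err := BuildRogueChain("www.google.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("stock validation:", Verify(c, "www.google.com", nil))
	fmt.Println("with blocklist:", Verify(c, "www.google.com", map[[32]byte]bool{SPKIHash(c.Inter): true}))
}
```

The first call returns nil: nothing in path validation knows that the site owner never asked for this certificate, because the model delegates issuance to every intermediate below a trusted root. The second call fails only because the client was told, out of band, which key to distrust, which is why the browser updates in the quoted passage were needed at all. The same walk over the returned chains is also where a client would compare keys against a pin for the site, the complementary check that catches a mis-issued certificate before anyone has published a blocklist entry.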

Posted in Law: Internet Law | Leave a comment

New Privacy Paper Posted

“PETs Must Be on a Leash”: How U.S. Law (and Industry Practice) Often Undermines and Even Forbids Valuable Privacy Enhancing Technology, forthcoming in the Ohio State Law Journal, just posted to SSRN.

Abstract:

U.S. law puts the onus on the individual to protect his or her own privacy with only a small number of exceptions (e.g. attorney-client privilege). In order to protect privacy, one usually has three possible strategies: to change daily behavior to avoid privacy-destroying cameras or online surveillance; to contract for privacy; or to employ Privacy Enhancing Technologies (PETs) and other privacy-protective technologies. The first two options are very frequently unrealistic in large swaths of modern life. One would thus expect great demand for, and widespread deployment of, PETs and other privacy-protective technologies. But in fact that does not appear to be the case. This paper argues that part of the reason is a set of government and corporate policies which discourage the deployment of privacy technology. This paper describes some of those policies, notably: (1) requiring that communications facilities be wiretap-ready and engage in customer data retention; (2) mandatory identification both online and off; (3) technology-limiting rules; and also (4) various other rules that have anti-privacy side effects.

The paper argues that a government concerned with protecting personal privacy and enhancing user security against ID theft and other fraud should support and advocate for the widespread use of PETs. In fact, however, whatever official policy may be, by its actions the prevailing attitude of the U.S. government amounts to saying that PETs and other privacy-protecting technology must be kept on a leash.

A last-minute update reconsiders the argument in light of the Snowden revelations about the widespread dragnet surveillance conducted by the NSA.

Comments welcome!

Posted in Civil Liberties, Law: Internet Law, Writings | 1 Comment

Small World

I was impressed to learn that the lawyer defending Barrett Brown from a 100-year prison term for the crime of linking to things is the very same now-former Navy lawyer I consider an American hero. Some heroes just don’t quit.

(found via Digby)

Posted in Civil Liberties, Law: Internet Law | 2 Comments

Good Work

If you want to see what an absolutely first-class appellate brief looks like, look no further than Petitioner’s Brief in U.S. v. Auernheimer, authored by Tor Ekeland and Mark Jaffe, Hanni Fakhoury of the EFF, Marcia Hofmann (ex-EFF, now in private practice) and Orin Kerr (GWU Law).

If I’m ever convicted of reading and copying stuff off an unprotected web page, I want these guys as my lawyers.

And, yes, that’s the essence of the felony conviction being appealed:

The government charged Auernheimer with felony computer hacking under the Computer Fraud and Abuse Act (“CFAA”) for visiting an unprotected AT&T website and collecting e-mail addresses that AT&T had posted on the World Wide Web. The government also charged Auernheimer with identity theft for sharing those addresses with a reporter.

Auernheimer’s convictions must be overturned on multiple and independent grounds. First, Auernheimer’s conviction on Count 1 must be overturned because visiting a publicly available website is not unauthorized access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C). AT&T chose not to employ passwords or any other protective measures to control access to the e-mail addresses of its customers. It is irrelevant that AT&T subjectively wished that outsiders would not stumble across the data or that Auernheimer hyperbolically characterized the access as a “theft.” The company configured its servers to make the information available to everyone and thereby authorized the general public to view the information. Accessing the e-mail addresses through AT&T’s public website was authorized under the CFAA and therefore was not a crime.

Incredible.

Disclosure: I’m on the EFF Advisory Board, but have no connection to the case other than liking those of the lawyers I know.

Update (7/2/13): Here’s EFF’s official announcement, Appeal Filed to Free Andrew ‘Weev’ Auernheimer.

Posted in Law: Criminal Law, Law: Internet Law | Tagged | 1 Comment

Estate Planning for Your Digital Afterlife

Over the weekend I attended parts of a great symposium put on by the Miami Law Review on social media and the law.

The Law Review had drafted me to moderate a panel on “Will You Have a Digital Afterlife?” It was an interesting experience: the estate planning/probate version of privacy issues is a sort of funhouse mirror version of how I usually think about digital privacy: everything I recommend to people — e.g. strong passwords, strong encryption — can make digital probate more difficult.

The first complication is that we may not know with much certainty what the decedent wanted. Did he want the heirs to have full access to his encrypted hard drive? What if there’s a porn collection?

Second, how about the email account — it may have important information about what bills need to be paid, but it might also have a secret correspondence with far-out political groups or a mistress that the decedent might not have wanted the survivors to see. Online social media accounts have additional complexities as some providers take the view that the contract terminates with death and thus make no attempt to preserve, or may even flush, the contents. Others have contract terms of service that routinely deny access to surviving family members, if only because that blanket rule may make life easier for the provider.

Laws prohibiting various sorts of unauthorized access, written with the living in mind, add another level of complexity as innocent attempts by family members to find out about the credit card bill or the phone bill may amount — in formal terms at least — to criminal actions punishable (in theory) like the worst forms of hacking; computer intermediaries (and lawyers!) may justly be nervous about enabling such access without clear advance directives from the deceased.

The panelists — Christina L. Kunz, James Lamm, Michael J. Mcguire, and Damien A. Riehl — did an excellent job of introducing this complex area of law to an audience composed mostly of neophytes like me.

I came away from James Lamm’s talk, for example, persuaded that I should execute an ‘Authorization and Consent for Release of Electronically Stored Information’ and also add a codicil to my will that covers access to electronic material stored in the cloud or elsewhere.

James Lamm, by the way, blogs at Digital Passing.

[Note (2/21): edited to conform to a very polite copyright-related request from Mr. Lamm. You’ll have to wait for his article, or consult him, for more details.]

Posted in Law: Internet Law | 1 Comment

A Very Cute Response to Employer Demands for Facebook Passwords

I hereby (fictionally) resign is a great, if alas so far fictional, account of blowback from an employer’s demand for Facebook passwords.

Spotted via Emergent Chaos, Chaos Emerges from Demanding Facebook Passwords.

Posted in Law: Everything Else, Law: Internet Law | Leave a comment

Harold Feld’s Insanely Long Field Guide To The Verizon/SpectrumCo/Cox Deal

Do you want to think of yourself as a well-informed citizen when it comes to technology issues? If so, you probably need to read Harold Feld’s explanation of the Verizon/SpectrumCo/Cox Deal.

In reading this, please keep in mind that in the many years I have been acquainted with Harold Feld, I have never seen anything that would tend to brand him as an alarmist.

A choice bit:

And before you could say “dangerous levels of spectrum concentration,” the former mortal enemies had become total BFFs — just like Stephen Colbert and Jimmy Fallon, but in reverse. In fact, Verizon Wireless and cable multisystem operators (“MSOs” as we say in telecom) are so into each other now that they simultaneously entered into agreements to become exclusive resellers of each other’s products and to jointly develop a whole bunch of new technologies together. The companies insist these three side agreements are totally, completely and utterly unrelated to the spectrum sale and that unrelated side agreements are just the natural love child of freaky four-way spectrum hook ups.

A few weeks later, Verizon graciously offered to buy out Cox’s AWS spectrum so that Cox could get out of the wireless business. And, in what can only be an amazing coincidence for utterly independent agreements that should in no way make anyone think that the major cable players are colluding with their Telco/Wireless chief rival, Verizon and Spectrumco offered to let Cox in on the same three agreements to become exclusive resellers and become a member of the “Joint Operating Entity” (JOE) to develop all these cool new technologies.

So you see, it’s all totally innocent, and does not in the least look like a cartel agreeing not to compete, dividing up markets, and setting up a Joint Operating Entity so they can continue to meet and discuss their business plans on an ongoing basis while developing a patent portfolio to use against competitors like DISH and T-Mobile. In fact, these three side agreements are so harmless and so completely independent of the spectrum sale that Verizon and the MSOs initially refused to give them to the FCC. When they finally did agree to put them in the record under protest, they cut a whole bunch of stuff out. Because really, as Verizon and the cable MSOs said in their response, what one mega-corp says to four of its largest competitors is really no one’s business.

Verizon will actually resell the cable MSO video services they used to (and in theory still do) compete against, while the MSOs will resell Verizon’s mobile wireless service. On top of that, they will get together as part of the “JOE” to discuss each other’s business, facilitating further cooperation. Finally, the technology developed by these one-time-rivals will be used to disadvantage competitors, much the same way Comcast is currently using its TV Everywhere certification to keep HBO On The Go off devices that facilitate ‘cord-cutting’, like Roku.

But there’s so much more…the really wonky stuff starts like this:

We can divide the substantive issues into three main categories: (a) Spectrum concentration issues that come from pumping up one of the top two wireless carriers with even more primo spectrum; (b) whether the side deals represent an illegal division of relevant markets between competing firms or, even worse, the formation of an actual cartel (a term I do not use lightly); and, (c) all kind of angsty, big picture stuff about whether the whole theory of the Telecom Act of 1996 really works and we can have facilities based competition, or whether Susan Crawford is right and we are doomed to a dystopian future where a cable monopoly controls our broadband and thus our digital future — except for the mobile part which will be controlled by an AT&T/Verizon Duopoly. But since they will be part of the new Communication Cartel, that won’t really matter.

And it does go on. Yes, it is insanely long. But he’s got me believing it’s a Big Deal.

For example,

The parties agree to form a “Joint Marketing Entity” (JOE) “for the development of technology to better integrate wireline and wireless products and services” (to quote the official press release). To translate: the largest residential broadband providers, who also happen to be among the largest residential video, and the largest mobile services provider, will sit down to jointly develop technologies on how to better integrate their supposedly competing services. You know how Google, Apple, Microsoft, and RIM are all involved in this “mobile patent war?” Imagine if, instead of each of them trying to develop competing wireless operating systems and technologies, they said: “Hey, we’re the four biggest developers of mobile operating systems. Instead of competing, let’s pool all our patents together and not let anyone else license them from us except on terms we all agree to use. We’ll meet in a back room every month, talk about all our future development plans, and make sure that we develop patented technologies and proprietary standards for where we plan to take the industry going forward.” Why would that possibly raise any concerns?

I could go on, but then this would become an insanely long summary.

Read it.

Posted in Law: Internet Law | Leave a comment