I believe this action of the IETF is consistent with the claims I made in my article Habermas@discourse.net: Toward a Critical Theory of Cyberspace, 116 Harv. L. Rev. 749 (2003).
Category Archives: Law: Internet Law
The inaugural issue of the Journal of Self-Regulation and Regulation is out, and it includes an article of mine, From Anonymity to Identification. The article is adapted from a talk I gave in Heidelberg last December. I’m in good company: other authors in this issue are Markus Beckedahl, Jeanette Hofmann, Marianne Kneuer, Milton L. Mueller, Ekkehart Reimer, William Binney, Kai Cornelius, Myriam Dunn Cavelt, Sebastian Harnisch and Wolf J. Schünemann.
The full text of this open-access journal is available online, including a .pdf of From Anonymity to Identification. As Larry Solum likes to say, download it while it’s hot.
Here’s the abstract for “From Anonymity to Identification”:
This article examines whether anonymity online has a future. In the early days of the Internet, strong cryptography, anonymous remailers, and a relative lack of surveillance created an environment conducive to anonymous communication. Today, the outlook for online anonymity is poor. Several forces combine against it: ideologies that hold that anonymity is dangerous, or that identifying evil-doers is more important than ensuring a safe mechanism for unpopular speech; the profitability of identification in commerce; government surveillance; the influence of intellectual property interests and in requiring hardware and other tools that enforce identification; and the law at both national and supranational levels. As a result of these forces, online anonymity is now much more difficult than previously, and looks to become less and less possible. Nevertheless, the ability to speak truly freely remains an important ‘safety valve’ technology for the oppressed, for dissidents, and for whistle-blowers. The article argues that as data collection online merges with data collection offline, the ability to speak anonymously online will only become more valuable. Technical changes will be required if online anonymity is to remain possible. Whether these changes are possible depends on whether the public comes to appreciate and value the option of anonymous speech while it is still possible to engineer mechanisms to permit it.
I think this qualifies: FTDI Removes Driver From Windows Update That Bricked Cloned Chips (via Slashdot).
As Ars Technica explains:
Hardware hackers building interactive gadgets based on the Arduino microcontrollers are finding that a recent driver update that Microsoft deployed over Windows Update has bricked some of their hardware, leaving it inaccessible to most software both on Windows and Linux. This came to us via hardware hacking site Hack A Day.
The latest version of FTDI’s driver, released in August, contains some new language in its EULA and a feature that has caught people off-guard: it reprograms counterfeit chips rendering them largely unusable, and its license notes that:
Use of the Software as a driver for, or installation of the Software onto, a component that is not a Genuine FTDI Component, including without limitation counterfeit components, MAY IRRETRIEVABLY DAMAGE THAT COMPONENT
The license is tucked away inside the driver files; normally nobody would ever see this unless they were explicitly looking for it.
The result of this is that well-meaning hardware developers updated their systems through Windows Update and then found that the serial controllers they used stopped working. Worse, it’s not simply that the drivers refuse to work with the chips; the chips also stopped working with Linux systems. This has happened even to developers who thought that they had bought legitimate FTDI parts.
Nice four-hander here: the rights of the end-user, the rights and duties of the vendor, the rights and liabilities of the legitimate parts maker, and the potential liabilities of Microsoft for serving up the malware-to-counterfeits via Windows Update.
Heck, it could be an article.
Update (10/28/14): Good semi-technical background info on this at Errata Security: The deal with the FTDI driver scandal.
According to the affidavit from FBI Special Agent Thomas M. Dalton, the person who sent a fake bomb threat to cause Harvard to evacuate several buildings during exams used a throwaway email address from Guerrilla Mail, which he contacted via Tor. The FBI caught him anyway because the sender of the bomb threat accessed Tor via the Harvard wireless network.
The Guerrilla Mail FAQ says that “Logs are deleted after 24 hours,” but the FBI apparently got there inside that window. Presumably using the Guerrilla Mail logs, the FBI determined that the sender of the emails used Tor, an anonymization tool, to connect to Guerrilla Mail. Although the affidavit doesn’t spell any of this out, Harvard’s logs allowed it to figure out who had been using their wireless network to connect to Tor. They then somehow — correlating who among the limited pool of Tor-users with the people who had exams in the buildings evacuated due to the bomb threat? — fingered a suspect (or suspects?). I’d love to know how many people were in the intersection of those two sets. When confronted by the FBI a Harvard undergrad who confessed. One has to wonder, though, if there would have been sufficient evidence to convict beyond a reasonable doubt without that confession. After all, there are other ways to contact Tor.
Tor is widely considered to be the best tool available for online anonymity, so this serves as a cautionary lesson on how difficult it is to be anonymous on line.
The text of the affidavit is below:
Online here if you don’t see it below.
Your university tuition dollar at work.
Stop here if that filled you with holiday cheer.
Continue on if you want some Grinch.
The secure sockets layer (SSL) credentials were digitally signed by a valid certificate authority, an imprimatur that caused most mainstream browsers to place an HTTPS in front of the addresses and display other logos certifying that the connection was the one authorized by Google. In fact, the certificates were unauthorized duplicates that were issued in violation of rules established by browser manufacturers and certificate authority services.
The certificates were issued by an intermediate certificate authority linked to the Agence nationale de la sécurité des systèmes d’information, the French cyberdefense agency better known as ANSSI. After Google brought the certificates to the attention of agency officials, the officials said the intermediate certificate was used in a commercial device on a private network to inspect encrypted traffic with the knowledge of end users, Google security engineer Adam Langley wrote in a blog post published over the weekend. Google updated its Chrome browser to reject all certificates signed by the intermediate authority and asked other browser makers to do the same. Firefox developer Mozilla and Microsoft, developer of Internet Explorer have followed suit. ANSSI later blamed the mistake on human error. It said it had no security consequences for the French administration or the general public, but the agency has revoked the certificate anyway.
An intermediate certificate authority is a crucial link in the “chain of trust” that’s key in connections protected by SSL and its successor protocol, known as transport layer security (TLS). Because intermediate certificates are signed by a root certificate embedded in the browser, they have the ability to mint an unlimited number of digital certificates for virtually any site. The individual certificates will be accepted by default by most browsers.
Maybe it’s time to dust off and update my article on digital signatures and digital certificates, The Essential Role of Trusted Third Parties in Electronic Commerce, 75 Ore. L. Rev. 49 (1996). I think this was the first article published in a US law review on the topic, and even though it’s held up well, there have been many developments in nearly 20 years. On the other hand, there are three new papers I need to finish first…