According to an article in ZDNet, the government of Kazakhstan is requiring all internet users in the capital to install a government-issued root certificate on their phones and computers. Once a device trusts that root, the government can sit between the user and any https site, present a certificate it minted itself for that site, and read or alter traffic the user believes is secured, turning what would otherwise be a man-in-the-middle attack into routine practice.
Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government’s certificate. Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.
Kazakhstan users have told ZDNet today that they are not able to access sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix without installing the government’s root certificate.
This is the Kazakh government’s third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019.
Both previous attempts failed after browser makers blacklisted the government’s certificates.
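As an added illustration, not from the post or the ZDNet article, here is what a client that does not rely solely on the device's trust store looks like: it still runs normal chain validation against the system roots, then additionally requires the server's leaf certificate to match a SHA-256 fingerprint (a "pin") it was shipped with. A certificate minted under an installed government root would pass the first check and fail the second. The DER byte strings and the pin below are constructed stand-ins, not real certificates.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept the colon-separated upper-case form tools like openssl print."""
    return pin.replace(":", "").strip().lower()


def check_pin(der: bytes, pinned: set) -> bool:
    """True only if the presented certificate matches one of the pinned fingerprints.

    Pin a backup (next) certificate as well as the current one, or rotation
    locks clients out.
    """
    return cert_fingerprint(der) in {normalize_pin(p) for p in pinned}


def connect_with_pin(host: str, pinned: set, port: int = 443, timeout: float = 5.0) -> bool:
    """Open a TLS connection that must pass BOTH chain validation and the pin.

    create_default_context() enables hostname checking and uses the OS trust
    store; that alone accepts any leaf signed under a root the OS trusts,
    including a government root the user was told to install. The pin check
    on the leaf's DER is what rejects the interception certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)  # DER of the leaf certificate
            if not check_pin(leaf, pinned):
                raise ssl.SSLCertVerificationError(
                    f"certificate for {host} passed chain validation but its fingerprint "
                    f"{cert_fingerprint(leaf)} does not match any pin")
            return True


# Constructed sample data (not real certificates): a stand-in for the site's
# genuine leaf and a stand-in for a leaf issued under an interception root.
LEGIT_DER = b"constructed-legitimate-leaf-certificate"
MITM_DER = b"constructed-interception-leaf-certificate"
PINS = {cert_fingerprint(LEGIT_DER)}

if __name__ == "__main__":
    print("legit leaf accepted:", check_pin(LEGIT_DER, PINS))   # True
    print("mitm leaf accepted:", check_pin(MITM_DER, PINS))     # False
```

This is, in effect, what the browser makers did in the two earlier episodes, only in reverse: rather than pinning the good certificate, they shipped a distrust of the specific bad one. Pinning is the right tool for a dedicated app or an internal service with a known certificate; for general web browsing it is brittle, because every site rotation needs a pin update, which is why browsers retired general-purpose key pinning.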
Excellent essay by Ross Anderson on Contact Tracing in the Real World, especially apposite in light of the number of government and private contact-tracing apps being floated and even implemented.
This rap video featuring ‘Alexander Hamilton’ vs. ‘Satoshi Nakamoto’ over the merits of centralized, government-fiat currency versus decentralized cryptocurrencies is surprisingly good; actually it’s very good:
This evening I’m attending an event on “Blockchain: Business, Regulation, Law and the Way Forward” featuring Jerry Britto (Coin Center), Marcia Weldon (MiamiLaw), and Samir Patel (Holland & Knight).
The event is organized jointly by three student groups: the Federalist Society, the Business Law Society, and the Alliance Against Human Trafficking. That’s a pretty eclectic group. I think it shows how widely the blockchain dream has taken hold.
And yet, despite this, not absolutely everyone loves blockchain. I for one am somewhat skeptical, as I think the use cases are much more limited than the optimists would have it. Indeed, my views are almost summarized by this great graphic, which sets out a decision tree for people thinking of using blockchain:
Yes, the reality is a bit more complicated, but if you can’t explain why the above doesn’t apply to you, you probably shouldn’t be using blockchain….
This week’s edition of the Miami Law Explainer features yours truly being interviewed on 3D-printed guns. You can get the Apple-flavored Miami Law Explainer, or the Android-flavored Miami Law Explainer.
I’m told that either way it runs about eight minutes, which isn’t even long enough for a trip to the store.
The Miami Law Explainer is a new series in which different members of the MiamiLaw faculty are interviewed on current legal topics. Check it out.
At UM’s Data Privacy Day event I made 10 suggestions about what you can do to protect your e-privacy and autonomy. Here they are:
1. Trust cyber-civil liberties NGOs like EFF to recommend things to use and to do. If you take away nothing else, remember this URL: Eff.org.
   - Use EFF’s Privacy Badger browser plugin.
   - Take their audit – Panopticlick – of how unique your browser fingerprint is. A unique fingerprint is a way you can be tracked even with cookies blocked. Block cookies and super-cookies.
   - Use their HTTPS Everywhere tool.
   - Find the EFF Surveillance Self-Defense guide. It offers advice tailored for different groups that might have greater or lesser needs for privacy and defense (e.g. LGBTQ people, activists, journalists, lawyers).
2. Use VPNs – virtual private networks. And only use good ones – be careful about jurisdiction and policies:
   - The UM off-campus VPN (https://it.miami.edu/a-z-listing/virtual-private-network/index.html) is a valuable service, and good to protect against third parties … but not against UM. Does UM log your usage? Do they record your originating IP#? The sites you visit? Despite some frantic Google searches, I can’t tell – it seems they don’t say. I think therefore you have to assume they do. And if I were the UM General Counsel my first instinct would probably be to say they need to do the logging to protect themselves.
   - Is your VPN service dirt-cheap or free? Does the service cost only a few dollars for a lifetime subscription? There’s probably a reason for that, and your browsing history may be the actual product that the company is selling to others.
   - Look for establishment in a democratic country with a strong commitment to the rule of law. Without that, even the best promises in the Terms of Service (ToS) not to log web page access or IP# and access times are meaningless. Note that many, probably most, VPNs in other countries are required to do some logging.
   - Does the VPN promise to prevent DNS leakage to your ISP? (If your DNS queries still go to your ISP’s resolver, the ISP sees every hostname you look up even though the page contents are tunneled.)
   - Ideally, the VPN should support IPv6 as well as IPv4, so that traffic to a site reachable over IPv6 does not bypass the tunnel. This will become more important as more and more sites move to IPv6.
3. Use Tor as much as possible. (But see #8 below.)
4. Inspect your browser settings on your phone and computer to set the maximum privacy options (including blocking third-party cookies and enabling Do Not Track). Use a privacy-hardened browser on your phone such as the Warp browser. On both computer and phone always use a search engine such as DuckDuckGo that will not track you.
5. Encrypt every drive, every email (when possible), and especially all cloud-stored data before uploading it.
6. Get a password manager and use it – never re-use a password. Use 2-factor authentication for Google and other services that support it. (Only 10% of Google users do!)
7. Don’t put any apps on your phone that connect to anything financial (due to the risk of ID theft if the phone is stolen).
8. Lobby UM to make it easier to use VPNs and Tor, on both the wired and wireless networks. Ask UM to be more transparent about what cookies its web pages set and what they track and record. And, importantly, ask UM not to require you to take every single UM cookie in order to use the “remember me for 30 days” feature of its authentication app DUO. Also, ask UM to promise that it has your back, and that it will challenge any request for your data to the maximum extent the law allows (right now it makes no such promises at all; even National Security Letters are sometimes withdrawn if the data-holding entity says it will go to court to ask for them to be reviewed).
9. Lobby for privacy laws that limit data collection – once data are collected, major First Amendment issues come into play, making it hard to limit use and re-use of accurate data. Also lobby to stop the US government secretly introducing vulnerabilities into fundamental crypto standards.
10. Resist the frame: understand that the true definition of the ‘greater good’ is one in which the individual is able to flourish. Remember that ‘terrorist’ is a label that fits best after conviction – before that what we have is a ‘suspect’; conceivably any of us can be a suspect. So arguments that we should control crypto or prevent privacy in order to give law enforcement access to all our data when they decide they need it should be viewed with great caution and a firm eye on how the powers they want could be misused by them or by others who get hold of their tools. And even if we someday find ourselves in a world where things have gone badly wrong, and we do find ourselves subject to pervasive surveillance, follow Vaclav Havel, who in his great work ‘Living in Truth’ reminded us that so long as we choose not to self-censor we have chosen not to surrender a key part of our freedom.
(Some links added after original posting)