Category Archives: Cryptography

Miami Law Explainer on 3D Guns

This week’s edition of the Miami Law Explainer features yours truly being interviewed on 3D guns. You can get the Apple-flavored Miami Law Explainer, or the Android-flavored Miami Law Explainer.

I’m told that either way it runs about eight minutes, which isn’t even long enough for a trip to the store.

The Miami Law Explainer is a new series in which different members of the MiamiLaw faculty are interviewed on current legal topics.  Check it out.

Posted in Cryptography, Law: Everything Else, The Media | 1 Comment

10 Things You Can Do to Protect e-Privacy & Autonomy

At UM’s Data Privacy Day event I made 10 suggestions about what you can do to protect your e-privacy and autonomy.  Here they are:

  1. Trust cyber-civil liberties NGOs like EFF to recommend things to use and to do. If you take away nothing else, remember this URL: Eff.org.
    1. Use EFF’s Privacy Badger browser plugin.
    2. Take their audit – Panopticlick – of how unique your browser fingerprint is.  Unique fingerprints are a way you can be tracked. Block cookies and super-cookies.
    3. Use their HTTPS Everywhere tool.
    4. Find the EFF surveillance self-defense guide. It offers advice tailored for different groups that might have greater / lesser needs for privacy/defense (e.g. LGBTQ, activists, journalists, lawyers).
  2. Use VPNs — virtual private networks.  And only use good ones – be careful about jurisdiction and policies:
    1. The UM off-campus VPN is a valuable service, and good to protect against third parties … but not against UM. Does UM log your usage? Do they record your originating IP#? The sites you visit? Despite some frantic Google searches, I can’t tell — it seems they don’t say. I think therefore you have to assume they do. And if I were the UM General Counsel my first instinct would probably be to say they need to do the logging to protect themselves.
    2. Is your VPN service dirt-cheap or free? Does the service cost only a few dollars for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.
        1. Look for establishment in a democratic country with a strong commitment to the rule of law.  Without that, even the best promises in the Terms of Service (ToS) to not log web page access OR IP# and access times are meaningless.  Note that many, probably most, VPNs in most other countries are required to do some logging. https://it.miami.edu/a-z-listing/virtual-private-network/index.html
        2. Does the VPN promise to prevent DNS leakage to your ISP?
        3. Ideally, the VPN should support IPv6 as well as IPv4 to prevent leakage when the remote site is on IPv6. This will become more important in the future as more and more sites move to IPv6.
  3. Use Tor as much as possible.  (But see #8 below.)
  4. Inspect your browser settings on your phone and computer to set max privacy options (including blocking 3rd party cookies and enabling Do Not Track).  Use a privacy hardened browser on your phone such as the Warp browser.  On both computer and phone always use a search engine such as DuckDuckGo that will not track you.
  5. Encrypt every drive, every email (when possible), and especially all cloud-stored data before uploading it.
  6. Get a password manager and use it – never re-use a password. Use 2-factor authentication for Google and other services that support it. (Only 10% of Google users do!)
  7. Don’t put any apps on your phone that connect to anything financial (due to risk of ID theft if phone stolen).
  8. Lobby UM to make it easier to use VPNs and Tor, on both the wired and wireless networks.  Ask UM to be more transparent about what cookies its web pages set and what they track and record.  And, importantly, ask UM to not require you take every single UM cookie in order to use the “remember me for 30 days” feature of its authentication app DUO.  Also, ask UM to promise that it has your back, and that it will challenge any request for your data to the maximum extent the law allows (right now it makes no such promises at all; even National Security letters are sometimes withdrawn if the data-holding entity says it will go to court to ask for it to be reviewed).
  9. Lobby for privacy laws that limit data collection – once data are collected major First Amendment issues come into play, making it hard to limit use and re-use of accurate data. Also lobby to stop the US government secretly introducing vulnerabilities into fundamental crypto standards.
  10. Resist the frame: understand that the true definition of the ‘greater good’ is one in which the individual is able to flourish. Remember that ‘terrorist’ is a label that fits best after conviction – before that what we have is a ‘suspect’; conceivably any of us can be a suspect. So arguments that we should control crypto or prevent privacy in order to give law enforcement access to all our data when they decide they need it should be viewed with great caution and a firm eye on how the powers they want could be misused by them or by others who get hold of their tools. And even if we someday find ourselves in a world where things have gone badly wrong, and we do find ourselves subject to pervasive surveillance, follow Vaclav Havel, who in his great work ‘Living in Truth’ reminded us that so long as we choose not to self-censor we have chosen not to surrender a key part of our freedom.

(Some links added after original posting)

Posted in Cryptography, Internet, Law: Privacy, Surveillance, Talks & Conferences | 1 Comment

New Certificate for Discourse.net

In the unlikely event you care, be aware that I have just installed a new digital certificate for discourse.net.

If your browser popped up a warning about the site’s cert changing, this is the reason. If it didn’t, well that just shows you how far we have to go in getting security to work well online.

The cert is issued by Let’s Encrypt, and replaces one I had to pay for.

Posted in Cryptography, Discourse.net | Leave a comment

My New Paper May Make Some of My Friends Angry

Building Privacy into the Infrastructure: Towards a New Identity Management Architecture comes to what I fear some of my friends in the privacy community will find to be an unacceptable conclusion.

I’ll be presenting it at the Privacy Law Scholars Conference in Washington next week. Hopefully, since many attendees are in fact friends, they won’t bring brickbats.

Posted in Cryptography, Econ & Money, Law: Internet Law, Law: Privacy, Surveillance, Talks & Conferences | Leave a comment

Clipper Chip on Ebay

A guy is selling an AT&T TSD 3600 Pair Clipper Chip Version New in Box Unused on eBay.

I have a birthday coming up, but the asking price is $250, which is just a bit too expensive. And I imagine the price will go up. Plus it sounds like they’d be hard to use, too.

Spotted via Schneier.

(Why do I care? The Metaphor is the Key: Cryptography, the Clipper Chip and the Constitution, 143 U. Penn. L. Rev. 709 (1995) and It Came From Planet Clipper, 1996 U. Chi. L. Forum 15.)

Posted in Cryptography | Leave a comment

Yahoo Does Apple v FBI

Yahoo! Politics has me on Apple and the slippery slope problem of government claiming powers to draft needed helpers under the All Writs Act.

Posted in Cryptography, Law: Constitutional Law, The Media | Leave a comment