The 5th Amendment and Your Computer

I’ve always felt that being forced by a court to unlock a safe or decrypt a computer drive was a violation of the 5th Amendment’s protection against self-incrimination.  Whether you produce a physical key/combination or a password is irrelevant in my mind.  It seems that the EFF feels the same way.  The case of Francis Rawls brings this issue to the forefront and also highlights an interesting peer-to-peer network called Freenet.  Mr. Rawls is being held indefinitely on contempt of court charges for refusing to decrypt his two external hard drives.

Since I’m not a lawyer I won’t try to hash out complex legal issues.  The legal issues are laid out here and you can read them for yourself.  The EFF filed a friend-of-the court brief in this case that states their position on the issue.  Read it if you so choose.  My take-a-ways are these:

1. The courts and the law need to recognize that technology has changed how we humans interact with one another, with how we order our lives, and how we store our private and personal papers, thoughts, and inner most secrets.  We have moved into a digital world while the law is still stuck in the old world of physical keys, hard copy papers, and physical vaults.  In the case of forced decryption you must use the contents of your mind to render intelligible what is currently unintelligible (encrypted data).   I view this as a 5th Amendment violation.  In my opinion the law needs to catch up to the way we currently use encryption to protect the important contents of our lives which are now kept on computers and smartphones.  It needs to bring 18th, 19th, and 20th century civil rights protections into the 21st century.

2.  What if you really do forget your password?  Can you really rot in jail in the USA for years on end without a trial?  What if someone plants an encrypted device on your person or property and tips off the police that you’re hiding illegal content?  That could get very ugly very fast.  Even if you are eventually cleared you may still loose your job and reputation.

3.  In my opinion peer-to-peer networks like Freenet can give a false sense of security to people and lead to disastrous consequences.  If you are conducting sensitive activities and aren’t using the anonymity of the Tor network then you are making a mistake.  The case of Mr. Rawls begs the question – if Freenet is so secure and anonymous how did Mr. Rawls get caught?  To quote from the site itself:

Communications by Freenet nodes are encrypted and are routed through other nodes to make it extremely difficult to determine who is requesting the information and what its content is.

Users contribute to the network by giving bandwidth and a portion of their hard drive (called the “data store”) for storing files. Files are automatically kept or deleted depending on how popular they are, with the least popular being discarded to make way for newer or more popular content. Files are encrypted, so generally the user cannot easily discover what is in his datastore, and hopefully can’t be held accountable for it. Chat forums, websites, and search functionality, are all built on top of this distributed data store.

Note the sentence – “Files are encrypted, so generally the user cannot easily discover what is in his datastore, and hopefully can’t be held accountable for it.”  Hopefully???? Really???  ‘Hopefully’ you won’t be held accountable for someone else’s illegal content??????  ‘Hopefully’ you won’t go to prison for decades because of someone else’s stuff??   WTF??   Based on that sentence alone I would never install such software on my computer.  Folks, I can’t tell you what to do but please use some common sense when engaging in sensitive, anonymous activity, whether you’re a dissident, journalist, student, or member of a vulnerable group. Anonymity is hard and if you let others put something on your computer you may be called to account for it.  Knowing what’s on your computer and keeping it safe can be the difference between life in the real world and life in prison.

More thoughts on computer privacy and anonymity

Given the contentious 2016 election and the renewed debate over government surveillance I decided to post a new page to the blog about how to maintain privacy and anonymity on the internet.  Follow this link to see the page.  The political environment in the US and around the world is not and has not been friendly to the privacy rights of individuals.  While total anonymity is impossible there are at least some steps everyone can take to secure sensitive data and make themselves harder to track.  Most people aren’t very technical and don’t think much about securing their private data when using computers and smart phones.  I’m hoping I can help those non-technical folks who are interested in protecting their privacy to do so. I really love what the EFF has to say about surveillance and I hope more people will read it.

It’s not just journalists or important people who should take their online privacy seriously.  The average citizen and political activists of all kinds should have a real interest in protecting themselves online.  The DNC hack/phishing attack in 2016 drives that point home.  In fact, anonymous speech can be crucial to a vibrant democracy.  When political and social pressure is brought to bear it can drive people to self censorship.  Social media makes it easy to find people with unpopular opinions and then ostracize or harass them.  Who wants to go out on a limb with a new idea if they know opponents of that idea will attack them personally?  If ideas are presented anonymously then maybe the idea will be judged without prejudice toward the originator of the idea.  The Federalist Papers were initially published anonymously to minimize personal discrediting attacks that might be leveled against certain individuals.  The Anti-Federalist Papers were done the same way.  Imagine that – a battle of ideas and arguments not personal attacks on individuals and their private scandals.

Private individuals should feel free to contribute to the public discourse and make their ideas known without fear of online harassment.  Knowing how to defend oneself online will boost confidence and lead to more political involvement.  Knowledge is power and technical knowledge is no exception.  In the times we live in such knowledge is paramount.  Educate yourself and engage with the online world in full force.  The bottom line is that if your are a political or social activist you owe it to  yourself to make your data secure and keep your private life private.

Don’t Make Yourself So Easy To Track

Most technically proficient people know that our smartphones are very good personal tracking devices that record where we go and how long we are there.  A great article at The Verge reminds us that law enforcement is wise to this and getting more and more search warrants to pull Android user location data.  To many non-technical people these location tracking features might come as a surprise.   The article points out that police recently used Android location data to solve a bank robbery.  The police originally went to the suspect’s wireless carrier, AT&T, but the information obtained there was less precise (and useful) than data obtained from Google.  You see Google has a nice little location history feature in the phone that uses GPS data.  The wireless carriers use cell tower data that is less precise than GPS.  According to the article:  “Location History uses the phone’s location data to build a persistent portrait of where a user has traveled with their phone, a history that can be viewed or edited in the Timeline tab of Google Maps. Every time the phone establishes a strong enough location point, the system makes an entry in the user’s Timeline history, establishing that the user was in that place at that time.”  Remember, this data can go back years.  This sounds like a bonanza for law enforcement, journalists, hackers, and divorce lawyers.  It is also a detriment to people’s privacy.  Being tracked to this degree is not what most people have in mind when buying a smartphone.  For more information on how law enforcement uses this information, read this article from The Intercept.  Fortunately, you can turn the location history off by going to Android’s settings menu, under “Personal”, and selecting “Location.”  The toggle Location off.  That should stop the phone from recording your location and tagging photos with GPS data.  You can also go to Google’s Account Privacy page and turn it off there and view other Google settings related to your privacy and web history.  Don’t make yourself so easy to track.  Think about those default settings and what they do.  Are they benefiting you or someone else?  You have a right to privacy, but you need to actively defend it.  You can’t rely on companies that obtain their revenue through targeted advertising to do it for you.

Tor Needs Exit Nodes – Help Them Out!

It is no surprise that Tor needs more exit nodes. It is also not surprising that few people volunteer to host one. When you hear stories of people getting raided by the police for hosting a Tor exit you are bound to think twice. I’ve been wondering if there was a way to help facilitate more exit nodes without having to host one myself. I thought it would be nice if those of us who support Tor could make donations to help those that are willing and able to run the nodes. It turns out that we can do that very thing. The Tor Project refers people to four charities that run nodes. They need donations to keep going. The four are: (Germany)

Noisebridge (San Francisco)

Nos-Oignons  (France)

DFRI  (Sweden)

Check them out and make a donation if you can. I did. Remember, every little bit helps.  If you have other ideas on good ways to help please leave a comment.



Majority Think “Dark Net” Should Be Shut Down

According to a new poll a majority of people think the “dark net” should be shut down.  Given the non-stop negative press it receives and the constant whining from governments about the “dark net” this is no surprise.  What people in Western countries don’t appreciate is just how important the “dark net” is to those living under repressive regimes.  It is also an important place for journalists and whistle blowers.  I’ll go even further and say that anonymous speech is a human right we all should be able to enjoy regardless of where we live.  It seems to be a natural human instinct to fear and attack what we cannot control and do not understand. I suspect most people do not understand the so called dark net or Tor hidden services.  They fear it because of the negative publicity and sensational news reporting on the subject. They fear it because it is not under some kind of “control.”  In my opinion, this is exactly why we should value it – because it is not controlled.  Because government oppression and public opinion cannot shut it down.  The spirit of the age seems to be working against freedom right now – calls to ban end to end encryption, ban so called “burner” phones, ban hate speech, ban tor, and ban anonymous speech.  If we don’t fight back hard now we will lose our free speech rights and once lost those freedoms may never be recovered.  I recently read 1984 for the first time and it was terrifying.  But the most terrifying thing is that I can see such a state actually existing and many people would be just fine with it.  Freedom doesn’t belong to the left wing or the right wing, it belongs to every human being.  Don’t give it up for a little perceived safety.  You won’t be safer in a police state, but you will be well on your way to living in hell.

Good Encryption is Hard Enough Without Government Back Doors

One thing I’ve found recently is that it can be hard to explain to people who don’t understand the nature of encryption on the Internet exactly why we can’t have a system of encryption that keeps the bad guys out but can let the good guys in. It sounds so simple in the abstract, our government should not be denied the ability to get to important data just because it is encrypted. What is wrong with key escrow or back doors? No matter what I say about encryption keys being stolen, governments being corrupt, etc. I just can’t seem to make my point the way I want to.

Fortunately Bruce Schneier has posted a blog piece that makes the case for us. It is called “Encryption is Harder Than It Looks.” This piece does a great job of explaining just why good encryption cannot and should not be undermined.  He points out two truths in cryptography:

  1. Cryptography is harder than it looks.
  2. Complexity is the worst enemy of security.

And gets right to the point:

“Cryptography is harder than it looks, primarily because it looks like math. Both algorithms and protocols can be precisely defined and analyzed. This isn’t easy, and there’s a lot of insecure crypto out there, but we cryptographers have gotten pretty good at getting this part right. However, math has no agency; it can’t actually secure anything. For cryptography to work, it needs to be written in software, embedded in a larger software system, managed by an operating system, run on hardware, connected to a network, and configured and operated by users. Each of these steps brings with it difficulties and vulnerabilities.”

“Although cryptography gives an inherent mathematical advantage to the defender, computer and network security are much more balanced. Again and again, we find vulnerabilities not in the underlying mathematics, but in all this other stuff. It’s far easier for an attacker to bypass cryptography by exploiting a vulnerability in the system than it is to break the mathematics. This has been true for decades, and it’s one of the lessons that Edward Snowden reiterated.”

“The second truism is that complexity is still the worst enemy of security. The more complex a system is, the more lines of code, interactions with other systems, configuration options, and vulnerabilities there are. Implementing cryptography involves getting everything right, and the more complexity there is, the more there is to get wrong.”

“Vulnerabilities come from options within a system, interactions between systems, interfaces between users and systems– everywhere.”

A security researcher told him:

If anyone tells you that [the vendor] can just ‘tweak’ the system a little bit to add key escrow or to man-in-the-middle specific users, they need to spend a few days watching the authentication dance between [the client device/software] and the umpteen servers it talks to just to log into the network. I’m frankly amazed that any of it works at all, and you couldn’t pay me enough to tamper with any of it.

Says Schneier – “The designers of this system aren’t novices. They’re an experienced team with some of the best security engineers in the field. If these guys can’t get the security right, just imagine how much worse it is for smaller companies without this team’s level of expertise and resources. Now imagine how much worse it would be if you added a government-mandated back door.”

Please take a moment to read his post. I think every business leader, politician, and anyone else with an opinion on the encryption debate should read his post and the references he provides. If we don’t stand strong on encryption now, we will never gain back the ground that is lost.


EFF Starts the Electronic Frontier Alliance

The Electronic Frontier Foundation announced that they are launching the Electronic Frontier Alliance to bring together diverse groups of activists and organizations.  The idea is for the Alliance to be a central “hub” of information and activity in the fight for digital rights and civil liberties.  It is encouraging to see that they are reaching out to a broad range of ideologically diverse groups – from BLM to the Tea Party.  Any organization that champions free speech and digital rights must do so for all groups regardless of political affiliation.

“The Alliance will bring together groups pursuing a range of strategies and tactics—from hacker spaces crowdsourcing the open source development of software tools, to student groups hosting teach-ins and documentary screenings.”

To join the group an organization must affirm 5 fundamental principles:

  1. free expression: people should be able to speak their minds to whomever will listen.

  2. security: technology should be trustworthy and answer to its users.

  3. privacy: technology should allow private and anonymous speech, and allow users to set their own parameters about what to share with whom.

  4. creativity: technology should promote progress by allowing people to build on the ideas, creations, and inventions of others.

  5. access to knowledge: curiosity should be rewarded, not stifled

These principles are the bedrock of a free and open internet and society. Give the EFF whatever support you can.  They deserve it.

New Push for Encryption Backdoors After Latest Terrorist Attacks

Congress is once again getting worked up about the need to pass legislation that will effectively make strong encryption the enemy.  The The International Business Times is reporting that Congress is “discussing various pieces of legislation that would address the use of encryption and could potentially require that tech companies build backdoors into their products for law enforcement officials.”  The attacks on encryption are all too predictable after terrorist attacks occur.  Unfortunately, the general public does not understand encryption technology or the need for it.  It is an abstract concept in most people’s minds that quickly gets pushed aside when they become frightened.  Indeed, most members of Congress do not understand how encryption makes the internet a safer place than it would otherwise be.  They also don’t understand why you can’t just “break it a little bit” and still have good security.  Encryption helps secure people’s privacy in a concrete and meaningful way.  It is precisely at times like this that there needs to be a strong push to protect privacy and resist knee jerk reactions.  Members of Congress must be made aware of how requiring tech companies to backdoor their products would devastate their international sales and ruin their credibility.  They should also know how those backdoors would open the doors to hackers and criminals.  Look for more attacks on anonymity and anonymizing tools like no contract cell phones.  This is only the beginning.  Big government wants unlimited control of everything – the Internet and you as well.

Tor Engineers Would Rather Quit Than Backdoor Tor

It was reassuring to hear Apple engineers threaten to quit their jobs rather than hack the iPhone.  Now comes another encouraging post from the engineers who work at the Tor Project.  In a statement issued on Mike Perry’s Tor Blog it is reported that Tor Engineers would rather resign than compromise the integrity of the Tor network.  Fortunately, Tor is open source and its code can be reviewed and verified by outside experts.  This makes malicious code hard to hide.  Tor is used by people all over the world to communicate sensitive information in a secure way.  Without it, those fighting for freedom in very dangerous countries would have one less tool with which to accomplish their work of bringing the truth to light.  We should all salute the integrity and determination of those working on and sustaining the Tor network.

Obama (and government in general): No Friend of Encryption and Privacy

Well, its official now. President Obama is all for a key escrow concept that undermines privacy and security.  He may not have used that term but that is exactly what he wants. At the same time, the FBI is also proving to the world that it is not content with just that one Apple iPhone in the San Bernardino case.  A leaker has revealed that it is now going after WhatsApp.  WhatsApp offers an instant messaging application with end to end encryption.  This gives WhatsApp the ability to ensure customer privacy and inadvertently evade court ordered wiretaps. There are very few details of the WhatsApp situation because the whole case is under seal. The only thing they will say is that it isn’t a terrorism case.  Which goes to show, this isn’t just about terrorism, its about the government’s insatiable appetite to get whatever the hell it wants.

Specifically, President Obama said:

     “You cannot take an absolutist view on this,” Obama said at the South  by Southwest festival in Austin, Texas. “If your argument is strong       encryption no matter what, and we can and should create black boxes, that I think does not strike the kind of balance we have lived with for 200, 300 years, and it’s fetishizing our phones above every other value.”

     “The question we now have to ask is, if technologically it is possible to make an impenetrable device or system, where the encryption is so strong there’s no key, there’s no door at all, then how do we apprehend the child pornographer? How do we solve or disrupt a terrorist plot?” Obama said. “If in fact you can’t crack that at all, government can’t get in, then everybody’s walking around with a Swiss bank account in their pocket.”

The Obama Administration’s schizophrenic position on encryption stems from its desire to be all things to all people: strong on encryption on the one hand while wanting some kind of key escrow program on the other.  I don’t see how anything other than a key escrow program will satisfy the government a this point.  The FBI position in the WhatsApp case illustrates the same points.  Only a key escrow program will give the government what they want while pretending to promote strong encryption and safe communications and data storage.  In fact, a requirement that companies be able to provide all customer data to the government could end up outlawing Tor and all encryption with perfect forward secrecy.  Make no mistake, key escrow undermines strong encryption and violates people’s fundamental right to privacy.  Some things are so private and personal that they should be beyond the government’s reach – one of those things is our computer hard drives.  In this day and age computer storage is an extension of the person – people pour their lives and souls in their computers. Whether that is a smart thing to do or not is irrelevant – it is a reality we must live with.  If, in the future, there is technology that can hack your brain, do you want a court order to be the only thing standing between you and a machine that can rape your brain and lay all your private thoughts and emotions bare for all the world to see?  I don’t, but that is where this is headed.  I hate to say it, but maybe it’s time for big US Tech companies to consider moving their operations offshore (and taking their jobs with them) to locations that are more privacy friendly. In the future I plan to add some pages to this site detailing easy steps anyone can take to safeguard their privacy – Tor, VPNs, encryption applications, disk cleaners, etc.

Here are the relevant links: