Tech Life: Where digital security meets the 'surveillance state'

Sandy Clark (foreground), a Ph.D. graduate student in U of Penn's Computer and Information Sciences program, and Matt Blaze, Dir. of the Distributive Systems Lab, hold P25 two-way radios in their lab. (Photo by Clem Murray) EDITORS NOTE: HE1Radio23-a 8/22/2011 The computer scientists at Penn had a grant to try to crack the security features of the encrypted two-way radios used by most federal agencies. They were in for a surprise: a significant chunk of law enforcement traffic was not even encrypted, meaning that any hobbyist could easily listen to details about confidential informants, counterterrorist measures, and the like. They presented their results at a conference this month, and already are working with law enforcement agencies to correct the problem. The scientists also were able to crack the encrypted traffic, with the use of a modified child's toy.
Posted: July 13, 2012

How secure are your Internet communications and phone calls? How private are your travels with a cellphone in your pocket or purse?

"Privacy is dead" earned the status of an Internet meme long before Facebook and other social media showed how willingly some of us would sacrifice our personal information for connection, celebrity, or even just the lure of free stuff.

But commercial intrusions such as ads based on our Web surfing aren't the only risks we face in the age of the Internet, cellphones, and ubiquitous electronics. Or even the most important ones.

Just this week, U.S. Rep. Ed Markey (D., Mass.) announced that U.S. wireless carriers had received more than 1.3 million demands last year for subscriber data — including subpoenas or orders seeking text messages or subscribers' whereabouts — from federal, state and local law enforcement agencies. Verizon, the largest carrier, told Markey that such requests were rising about 15 percent a year.

Nothing to worry about for the law abiding, right? But abroad, some such requests come from authoritarian regimes — and our own hands may not be totally clean. As a new Pew Internet study on the role of technology companies noted last week, Bloomberg recently reported that Western companies had provided surveillance systems to governments such as Iran and Syria with abysmal human-rights records.

Especially since the 9/11 attacks, U.S. officials and the high-tech community have struggled for a balance between two undeniable concerns: our common interest in security and law enforcement vs. our individual interests in privacy and autonomy — what Justice Louis Brandeis famously called "the right to be let alone."

Later this month, the Senate is likely to begin debate on the latest focus of that struggle: the proposed Cybersecurity Act of 2012, sponsored by Sen. Joe Lieberman, the Connecticut independent.

Lieberman's bill is narrower than Sen. John McCain's competing proposal, the Secure IT Act, according to Greg Nojeim, who follows the debate closely as senior counsel at the Center for Democracy and Technology, an advocacy group.

Nojeim said both bills share the same goal — and an aim he shares, as well: helping those who run the nation's information networks and critical infrastructure avoid cyberattacks. But Nojeim worries that in the quest for an impossible goal — perfect security — we risk tipping the balance too far toward what he calls a "surveillance state." He says both proposals allow too much personal information to be shared and "used for reasons unrelated to cybersecurity."

Matt Blaze, a University of Pennsylvania computer scientist, shares Nojeim's concern that we might be missing that elusive balance.

As a researcher in cryptography and computer security, Blaze spends much of his time trying to improve network security. Last year, he drew national attention — and aided law enforcement — when he identified a major security flaw in radio systems used by federal agents to communicate.

But Blaze also worries about the unintended consequences of too much data collected and stored in systems that are inherently insecure — a result, he says, not of anyone's design, but simply of the way technology has progressed.

Ironically, some efforts to fight crime electronically may have made crime easier. One example occurred in Greece, after officials pushed to install wiretapping interfaces in new phone networks.

"Someone discovered a few years ago that one of the main cellphone networks in Athens had been thoroughly compromised by somebody," Blaze says. "They never solved it — they never figured out who. But somebody was using the interface to tap about 100 top officials, including U.S. embassy officials."

It's also hard for laws to keep up with technology. For instance, the Electronic Communications Privacy Act protects the privacy of e-mail for 180 days — plenty long when the law was enacted in 1986 but inadequate today.

"Storage was expensive, and no providers saved it that long," Nojeim says. "Now they can and do save it for years, and users expect them to." Yet when Internet companies and groups such as CDT pushed last year to lengthen the protection, Congress balked.

Blaze says that every time new technology is introduced, law enforcement worries that it will be outgunned — that their "surveillance systems are going dark."

But he says a fairer reading of recent history, and the explosion of new technologies with inherent insecurities, shows that the eavesdroppers are way ahead — whether they're good guys or bad guys.

"Thirty years ago, if I wanted to bug your phone I might have attached alligator clips or installed a microphone," he says. "Today, I can do that with a software virus."

Above all, Blaze warns against the trap of believing "there's a stark, zero-sum trade-off between privacy and security." It's a more complex calculus, and a constant challenge to policymakers as well as technologists.

But this much is clear: "Once data is collected," he says, "it will be used in ways you didn't expect."

Contact Jeff Gelles at 215-854-2776 or jgelles@phillynews.com.
