Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (60 page)

54. (p. 189) Jed Rubenfeld, "The End of Privacy," Stanford Law Review 61, no. 1
(October 2008): 118-199.

55. (p. 190) James Otis, "Against Writs of Assistance," February 1761, http://www
.constitution.org/bor/otis-against-writs.txt.

56. (p. 190) Otis, "Against Writs of Assistance."

57. (p. 190) Rubenfeld, "The End of Privacy," 124-125.

58. (p. 190) Rubenfeld, "The End of Privacy," 158-160.

59. (p. 190) Al Gidari, personal communication, July 27, 2009.

60. (p. 191) Steven M. Bellovin, personal communication, January 6, 2009.

61. (p. 191) Sun Microsystems Inc., Proxy Statement, June 8, 2009.

62. (p. 191) I believe that despite the study's limited sample size, the conclusions
hold much more broadly.

63. (p. 191) Shishir Nagaraja, "The Economics of Covert Community Detection and
Hiding," WEIS 2008-Seventh Workshop on Economics of In formation Security (Hanover,
NH, June 25-28, 2008), 8-9.

64. (p. 191) This description is vague, which is in fact one of the problems in anonymization research. What Narayanan and Shmatikov show is that for any reasonable
definition of privacy, reidentification is possible (Arvind Narayanan and Vitaly Shmatikov, "Deanonymizing Social Networks," Proceedings of the 2009 IEEE Computer Society
Symposium on Research in Security and Privacy (Piscataway, NJ: IEEE, 2009), 173-187).

65. (p. 191) Arvind Narayanan and Vitaly Shmatikov, "Deanonymizing Social Networks."

66. (p. 191) This statement is true as of this writing (September 22, 2009). Obviously
Facebook may change its policies at any time.

67. (p. 192) Steven Bellovin et al., "Risking Communications Security," 30.

68. (p. 192) Eric Lichtblau and James Risen, "Officials Say U.S. Wiretaps Exceeded
Law," New York Times, April 15, 2009.

69. (p. 192) James Risen and Eric Lichtblau, "E-Mail Surveillance Renews Concern
in Congress," New York Times, June 16, 2009.

70. (p. 192) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, A Review of the Federal Bureau of Investigation's Use of Exigent
Letters and Other Informal Requests for Telephone Records (Washington, DC: U.S.
Department of Justice, January 2010), 16.

71. (p. 192) 18 U.S.C. §2709(b)(2).

72. (p. 192) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 10.

73. (p. 192) U.S. Department of Justice, Office of the Inspector General, A Review of
the Federal Bureau of Investigation's Use of the National Security Letters (Special Report)
(Washington, DC: U.S. Department of Justice, March 2007), 22.

74. (p. 192) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 65.

75. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 20.

76. (p. 193) As often happens with people who work together, the two groups also
socialized together. This further brought down barriers (U.S. Department of Justice,
Office of the Inspector General, Oversight and Review Division, Federal Bureau of
Investigation's Use of Exigent Letters, 25-26).

77. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 13.

78. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 41-42.

79. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 65.

80. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 137-138.

81. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 70.

82. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 70.

83. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 46-47.

84. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 70.

85. (p. 193) In fact, after May 2006 the community-of-interest requests appeared in
boilerplate language in NSLs (U.S. Department of Justice, Office of the Inspector
General, Oversight and Review Division, Federal Bureau of Investigations Use of Exigent
Letters, 56-57).

86. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 60.

87. (p. 193) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 74.

88. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 44, 182-184.

89. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 44.

90. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 47.

91. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 48.

92. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 70.

93. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 74.

94. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 82, 84, 88.

95. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 82.

96. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 86.

97. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters,
124-127.

98. (p. 194) The use of exigent letters grew out of experience in the New York field
office. One telephone company analyst who worked with them there briefed the
CAU, which adopted them without question. Analysts from the other companies
were pressed to accept them (U.S. Department of Justice, Office of the Inspector
General, Oversight and Review Division, Federal Bureau o fInvestigation's Use of Exigent
Letters, 40-42).

99. (p. 194) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 191.

100. (p. 195) U.S. Department of Justice, Office of the Inspector General, Oversight
and Review Division, Federal Bureau of Investigation's Use of Exigent Letters, 276.

101. (p. 195) Bellovin et al., "Security Implications," 15.

102. (p. 195) Sometimes buildings are erected before such issues are brought to light.
A striking one occurred with New York's Citicorp Center. A year after the tower was
built in 1977, it was discovered to be at risk of collapse if strong hurricane winds
came at a 45-degree angle. It was retrofitted with steel plates, which corrected the
problem (Joseph Morgenstern, "The Fifty-Nine Story Crisis," New Yorker, May 29,
1995, 45-53).

103. (p. 195) Network Working Group, RFC 2804-IETF Policy on Wiretapping, May
2000, http://www.faqs.org/rfcs/rfc2804.html.

104. (p. 195) Network Working Group, RFC 2804-IETF Policy on Wiretapping.

105. (p. 196) Whitfield Diffie and Susan Landau, Privacy on the Line: The Politics
of Wiretapping and Encryption, rev. ed. (Cambridge, MA: MIT Press, 2007), 232-
239.

106. (p. 196) Matt Blaze, "Protocol Failure in the Escrowed Encryption Standard,"
Proceedings of the Second ACM Conference on Computer and Communications Security
(New York: ACM, November 1994), 59-67.

107. (p. 196) Micah Sherr, Eric Cronin, Sandy Clark, and Matt Blaze, "Signaling
Vulnerabilities in Wiretapping Systems" (IEEE Security and Privacy 3, no. 6 (November/
December 2005): 13-25.

108. (p. 196) Sherr et al., "Signaling Vulnerabilities in Wiretapping Systems."

109. (p. 196) A 2007 system was using MD5 for hashing even though the algorithm
had already been shown to be weak.

110. (p. 196) Tom Cross, "Exploiting Lawful Intercept to Wiretap the Internet," Black
Hat DC 2010 (February 2010); the architecture is from F. Baker, B. Foster, and
C. Sharp, RFC 3924: Cisco Architecture for Lawful Intercept in IP Networks (October
2004), http://www.faqs.org/rfcs/rfc3924.html.

111. (p. 197) The first problem in the architecture was that the system error messages
stated whether the request had an incorrect username or an incorrect password. This
simplifies finding a valid username. The second problem was with implementations.
The system was designed to compare the hash of the interception request with the
hash of the expected response, and the protocol called for message digests shorter
than 12 bytes to be discarded. Many implementations did not do that, allowing a
small brute-force attack to find an appropriate credential (Cross, "Exploiting Lawful
Intercept," 4-6).

112. (p. 197) Tom Cross, personal communication, March 7, 2010.

113. (p. 197) David G. Boak, A History of U.S. Communications Security (Volume I); the
David G. Boak Lectures, National Security Agency (Fort Meade, MD: National Security
Agency, 1973), 59.

114. (p. 197) The Chinese-manufactured smartcard readers were discovered before
the damage was devastating, and the consequences of the fake Cisco routers was
minor. The equipment did not have secret back doors (John Markoff, "F.B.I. Says
the Military Had Bogus Computer Gear," New York Times, May 9, 2008), and the
counterfeiting appeared to have been done solely for profit. Genuine routers cost
$1,300, while the fakes sold for a little under a fifth of that. (These are low-end
routers; high-end Cisco routers designed to work in the Internet backbone run to
millions of dollars.) There was a real market for the fakes, which came into the
United States through a variety of suppliers.

115. (p. 197) Seagate, "Maxtor Basics Personal Storage 3200," http://www.seagate
.com/www/en-us/support/downloads/personal storage/ps3200-sw.

116. (p. 197) John Flaka, War by Other Means: Economic Espionage in America
(New York: W.W. Norton and Company, 1997), 117.

117. (p. 198) David Kahn, The Codebreakers: The Comprehensive History of Secret Coinmunication from Ancient Times to the Internet, rev. ed. (New York: Scribner, 1996), 33.

118. (p. 198) David G. Boak, A History of U.S. Communications Security (Volume II);
the David G. Boak Lectures, National Security Agency (Fort Meade, MD: National
Security Agency, 1973), 10.

119. (p. 198) Boak, A History of U.S. Communications Security (Volume II), 10.

120. (p. 199) http://www.crypto.com/blog/wiretap_risks.

121. (p. 199) That is why web-based financial transactions are secured through SSL.

122. (p. 199) Boak, A History of U.S. Communications Security (Volume I,, 59.

123. (p. 199) This was the credo of the Mountain States Telephone and Telegraph
Company in the early years of the twentieth century.

124. (p. 200) Andrew Hetherington, "Constitutional Purpose and Interclause Conflict: The Constraints Imposed on Congress by the Copyright Clause," Michigan
Telecommunications Technical Law Review 9 (2003): 479.

125. (p. 200) 206 U.S. 46 (1907).

126. (p. 200) Kansas v. Colorado, 90.

127. (p. 200) 514 U.S. 779 (1995).

128. (p. 201) U.S. Terms Limits, Inc. v. Thornton, 838.

129. (p. 201) The 1786-1787 Shay's Rebellion was an insurgency mounted by poor
farmers in western Massachusetts objecting to paying taxes needed to repay Revolutionary War debts.

130. (p. 201) As Supreme Court Justice Robert Jackson observed, the Constitution is
not a suicide pact (Terminiello v. Chicago, 337 U.S. 1 (1949), Robert Jackson, dissenting).

131. (p. 201) These include, respectively, President Lincoln's suspension of habeas
corpus, the internment of Japanese-American citizens, and denial of civil liberties,
including freedom of association and freedom of speech, among others.

132. (p. 201) Richard Posner, Not a Suicide Pact: The Constitution in a Time of National
Emergency (Oxford: Oxford University Press, 2006), 44.

133. (p. 201) Woods v. Cloyd W Miller Co., 333 U.S. 138 (No. 486) 74 F.Supp. 546,
reversed, Jackson (concurring).

134. (p. 202) Woods v. Cloyd W Miller Co. 333 U.S. 138 (No. 486) 74 F.Supp. 546,
reversed, Jackson (concurring).

135. (p. 202) Larry Lessig named this the "West Coast code" in deference to Silicon Valley.

136. (p. 202) Windows 3.1 was introduced in 1992. Vista was released in stages, first
to hardware and software manufacturers, then businesses, and finally in retail;
worldwide distribution was in 2007.

137. (p. 202) Windows 3.1 had been built on the model of a single user, not as part
of a network.