An internal review by University of Colorado officials has found that a controversial research project conducted by a team of computer scientists did not constitute research misconduct. University lawyers have also stated their belief that the team probably did not violate US wiretapping laws.
As I reported in a blog post yesterday, a team of researchers from both the University of Colorado and University of Washington recently presented a controversial study in which they recorded a limited portion of the communications of users of Tor -- a popular anonymizing proxy network.
According to a written statement posted by the research team, an internal university review conducted on the 24th of July 2008 found that:
Based on our assessment and understanding of the issues involved in your work, our opinion was that by any reasonable standard, the work in question was not classifiable as human subject research, nor did it involve the collection of personally identifying information. While the underlying issues are certainly interesting and complex, our opinion is that in this case, no rules were violated by your not having subjected your proposed work to prior IRG scrutiny. Our analysis was confined to this IRG (HRC) issue.
In a statement made to the Boulder Daily Camera newspaper today, spokesman Bronson Hilliard said that University attorneys described the wiretap law as "broad." He added that "legal counsel's opinion was that there's no clear indication that there was any kind of criminal action on the part of the researchers."
The Electronic Communications Privacy Act (ECPA), which governs network surveillance and access to private stored communications, is particularly difficult to understand, something the US 9th Circuit Court of Appeals recognized when it described ECPA as "a complex, often convoluted, area of the law" (pdf). Computer scientists simply have no business making judgments about the legality of network monitoring and interception research -- and should, as the EFF advises, seek legal advice before doing so.
While I have strong personal objections to the methods employed by the researchers, the primary criticism in my original blog post was that the researchers had not sought a review of their project by university lawyers and the school's human subjects review board before conducting their study. Given that the University of Colorado was able to conduct both of these within 12 hours of the publication of my blog post yesterday, it is difficult to see how seeking such reviews ahead of time would have been any significant burden.
Personally Identifying Information
In reaching its decision, the University of Colorado review determined that the researchers did not collect any "personally identifying information" from users of the Tor network. This is in spite of the fact that for 15 days, the researchers collected the unique network addresses of each user sending data through their server.
While that may be the view of the University, there are certainly others that disagree. Back in February of this year, the European Union announced that it now considers IP addresses to be personally identifiable information.
IP addresses have been used by law enforcement to justify FBI raids on homes, by the record companies in copyright infringement suits, as well as in foreign countries, where suspects have been arrested and beaten because their IP addresses appeared in incriminating log files.
In the last few weeks, there has been a significant amount of discussion of this issue, after a court ordered YouTube to hand over the IP addresses of millions of users to Viacom as part of its massive copyright infringement suit against the video sharing site. While Google (which owns YouTube) has long argued that IP addresses are not personally identifying information, at least with regard to calls for the company to delete its own search log files, it rapidly changed its position once it was faced with the possibility of handing such data over to Viacom.
"Safe" storage of data
The researchers themselves admit that the data that they have collected is extremely sensitive. In their statement issued yesterday, they stated that "we took extreme caution in managing these traces and have not and will not plan to share them with other researchers."
If the information was not sensitive and could be potentially used to identify Tor users, why would they need to take such care managing the data, and why could they not share it with others? If it is not personally identifying information, why don't they put it online?
The fact is that this information is extremely sensitive, and were it to fall into the wrong hands -- an oppressive foreign government that does not take kindly to anonymous speech -- users whose IP addresses could reveal their identity could soon find themselves subject to arrest, imprisonment or torture.
While we can be asked to trust this research team not to share the data with others, there is little that they can do if presented with a government subpoena, or other lawful request. Furthermore, there is always the risk that they could accidentally lose the data, or be the victim of data theft.
Finally, the researchers have not said how long they plan to hang onto this data. As much as I criticize Google, at least they partially anonymize their server logs after 18 months.
The only safe and responsible way to handle this sensitive data is to delete it. Anything else is simply irresponsible.
Be Nice to Privacy
To be clear -- my focus on this issue is not about enforcing the law, no matter how flawed it may be. There are many unjust laws that I despise, chief among them the Digital Millennium Copyright Act, and I will eagerly defend researchers who violate these.
Communications privacy laws, unlike the DMCA, are (mostly) written for our protection. After spending the last several months criticizing AT&T, and later the US Congress' complete capitulation for illegal wiretapping immunity, I do not see how I could rightfully defend these researchers. Yes, they had good intentions -- but then, so might have the Bush Administration when it asked the telecoms to help it spy on millions of Americans.
A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.
The team of two graduate students and three professors neither sought legal review of the project, nor ran it past the Human Subjects Committee at their university, putting them in a particularly dangerous position.
The academic paper, "Shining Light in Dark Places: Understanding the Tor Network" (pdf) was presented at the Privacy Enhancing Technologies Symposium yesterday, in Leuven, Belgium. The authors are listed as: Damon McCoy, Kevin Bauer, Dr. Dirk Grunwald, Dr. Tadayoshi Kohno and Dr. Douglas Sicker.
The goal of the project was to learn what kind of traffic was flowing over Tor -- a free network providing anonymous web and other Internet services to hundreds of thousands of users world-wide. Some of Tor's users include pro-democracy dissidents, journalists and bloggers in countries like China, Egypt and Burma who would otherwise face arrest and torture for their work.
Tor relies on volunteers who donate computing power and bandwidth to run approximately 2500 publicly accessible proxy servers, which are then used by hundreds of thousands of people to hide their Internet traffic.
In order to study Tor, the researchers set up their own 'exit node' server on the University of Colorado's high-speed network. For 4 days in December 2007, they logged and stored the first 150 bytes of each network packet that crossed their network, thus revealing what kind of traffic was crossing the network, and the remote websites that Tor users were visiting. While the authors do not state how many sessions they snooped on, they do state that their server carried over 700GB of data.
In a second part of the study, the researchers ran an 'entry node' to the network for 15 days, which allowed them to determine the source IP address of a large number of Tor users. They used this to learn which countries use Tor more heavily than others. Note that in this second part of the study, the researchers did not have access to the destination site information, nor were they able to observe the kinds of traffic going through their server.
The researchers found that HTTP (web traffic) was responsible for 58% of their servers' bandwidth. They also found that the BitTorrent file-sharing protocol, while accounting for only 3% of the number of connections, was responsible for over 40% of the overall bandwidth. They also observed that German users were responsible for over 30% of the requests through their server.
No Legal Review Sought
In his presentation of the work at the PET Symposium yesterday, Kevin Bauer, one of the graduate students who wrote the paper, shed some light on the limited amount of legal analysis performed on the project.
Bauer said that the researchers "spoke informally with one lawyer, who told us that that area of the law is ill defined." Based on this, the researchers felt that it was "unnecessary to follow up with other lawyers."
The lawyer they spoke to was Professor Paul Ohm, who teaches at the University of Colorado Law School. Ohm has previously collaborated with two of the researchers on an earlier publication, which discussed the legal risks faced by academics engaged in network monitoring research. Ohm, a former federal computer crimes prosecutor, has also been the subject of some media attention in recent months, after he publicly stated that ISP-level advertising and traffic-shaping systems may violate US wiretap laws.
In a response to questions by this blogger, Professor Ohm seemed to attempt to distance himself from the researchers, writing by email:
I met with the research team once before they had finished their research, although I don't know how far along they were at that point. At the meeting, I gave them a very brief sketch about federal Wiretap law and they gave me a very brief sketch of their research. They seemed to have put in place a number of controls to try to minimize the risk of liability. I haven't seen the final paper (as far as I can recall).
I'm not their lawyer, and I've never been their lawyer, and I haven't produced any official or unofficial legal advice about their research, but because I spoke with them about this, I don't think it would be appropriate for me to give you any opinions about the research other than this brief statement.
Legal Risks
The Electronic Frontier Foundation, which wrote a legal guide for operators of Tor servers, strongly advises server administrators against snooping on their users. A section in the legal guide makes this clear:
Should I snoop on the plaintext that exits through my Tor relay?
No. You may be technically capable of modifying the Tor source code or installing additional software to monitor or log plaintext that exits your node. However, Tor relay operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications .... Do not examine the contents of anyone's communications without first talking to a lawyer.
While state laws vary, one immediate concern would be the Wiretap Act, a federal law that broadly prohibits snooping by network operators and others. The core prohibition of the Wiretap Act is found at section 2511(1)(a), which prohibits any person from intentionally intercepting, or attempting to intercept, any wire, oral, or electronic communication. A violation of these rules is a Class D felony, and can result in fines up to $250,000 and up to 5 years in jail.
It is this same law that groups such as the ACLU and EFF sued AT&T and other telecom companies for violating, when they shared customer communication with the US National Security Agency. AT&T was able to obtain retroactive immunity from the US Congress, but only after spending tens of millions of dollars on lobbyists.
In order to learn more about the legal issues at play, I spoke with Kevin Bankston, the EFF lawyer who wrote the legal guide for Tor server operators, and who also led the EFF's lawsuit against AT&T. Bankston told me that:
"I agree that their logging the content exiting their nodes would appear to constitute interceptions of those electronic (not wire) communications under the Wiretap Act, and I don't think they qualify for the narrow provider exceptions [18 USC 2511, 2 (a) I], so I still see the same potential civil and criminal liability that was noted in our FAQ."
No Human Subjects Committee Review
In addition to possible legal issues, the project also raises serious ethical concerns related to the study of users' communications without their consent.
During his presentation, Bauer revealed that the researchers did not seek the approval of their university's Institutional Review Board -- a body that reviews research projects that involve human subjects. He said that, "we were advised that it wasn't necessary," adding that the IRB review process is "used more in medical and psychology research at our university," and was not generally consulted in computer science projects.
Information listed on the website of the University of Colorado's Human Research Committee states that: "All research involving human participants that is conducted by UCB faculty, staff or students must receive some level of review by the Human Research Committee."
Of particular concern to all Institutional Review Boards is any research that involves the study of participants under the age of 18, and other at risk or vulnerable persons. Given that the users of the Tor network have gone out of their way to seek anonymity, and that in some cases, their discovery could lead to arrest or torture, it would seem that these users would almost certainly be considered to be vulnerable. Furthermore, it is quite likely that the snooped communications include at least a few users under the age of 18 -- something that the researchers did not address in their paper.
In a paper published earlier this year, Dr. Simson Garfinkel explored some of the common myths and pitfalls for computer security researchers that study real users and their behavior, and the need to submit their projects to an IRB review.
Dr. Garfinkel specifically deals with one of the researchers' claims:
Myth: Because the Common Rule exempts research involving subjects that cannot be identified, IRB approval is not required when using anonymized data
Although this would certainly be convenient, most institutions only allow a determination of exemption to be made by the IRB itself.
A request for clarification on these issues left with the director of the University of Colorado Human Research Committee had not been returned by press time.
Other concerns
In addition to the issues surrounding US legal liability, and ethical concerns over human subject testing -- there is one other problem: International law.
While the researchers are Americans, and conducted their study on a server based in the US, there is certainly an international angle to their study. Users from around the world sent traffic through the researchers' server, and as such more strict Canadian and European intercept and data privacy laws may apply.
Furthermore, one of the strongest privacy protections inherent in the Tor system is the complete lack of logging. That is, if law enforcement agencies approach a Tor server administrator seeking information on a user of the system, the admin can truthfully reply that they have no logs, and thus have nothing that they can be compelled to produce.
Taking questions before their presentation, two of the authors told me that they still have a copy of the data that they collected, and admitted that it was not currently stored on an encrypted disk. They did stress that it was, however, being kept in a "secure" location.
What this means, of course, is that law enforcement agencies could easily subpoena this data, thus legally compelling the researchers to hand over the data. This places the users of the Tor network at a significant risk, one that certainly violates the expected social norms of the system.
During the question and answer session after his presentation, Bauer stated that the researchers were still not sure what they were going to do with the data set, and were exploring possibilities for releasing it to researchers in an anonymized and non-personally identifiable way. This statement was met with boos from the audience, which was mainly made up of privacy researchers and activists, a number of whom run their own legitimate Tor servers.
Caveat Emptor
While the US government did not send officials to this annual meeting of privacy researchers, the Canadian government did. A representative for Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario was in the audience during the presentation.
When asked for comment on the research project, and any potential impact for Canadian citizens who may have used the snooping Tor server, Cavoukian issued the following statement:
"Whether you run an ISP, a search engine, a Tor server node, or a research project, the principle of Data Minimization should rule. Universal privacy practices require that strong limits be placed on the processing and storage of personal data. In today's online world of constant data availability, privacy requires data minimization at every stage of the information life-cycle: If you don't need the data, don't collect it in the first place; if you don't need it any more, then destroy it securely -- don't keep it any longer than you need to. Full stop."
Wise words indeed.
Tags: the wiretap act, snooping, tor, legal risks
The major national cable providers are all to sign a troubling yet major censorship deal with a private anti-child porn organization. The deal would give the National Center for Missing and Exploited Children (NCMEC) carte blanche power to issue a takedown of any customer's content hosted on a cable provider's servers.
The group will provide each cable company with a list of Web site addresses that they believe contain child porn. The cable companies will then, per the agreement, scrub the content from their servers.
A press release describing the agreement states that:
The cable operators that have agreed to execute the (memo of understanding) within 30 days include: Comcast Corporation; Cox Communications; Charter Communications; Cablevision Systems Corporation...Time Warner Cable has already signed the MOU.
It is unclear what, if any, notification cable customers will receive before their Web sites are deleted, or what legal rights they will have to appeal the classification of their content as illegal child pornography.
The memo of understanding states that the private group will provide cable companies with a list of kiddie porn URLs, that "in NCMEC's good faith" appears to meet the federal definition of child pornography.
According to Cynthia Brumfield, the industry watcher who first broke the story:
"The identified URLs and content will be deleted (by the cable company) and the operator will provide NCMEC the customer's name and address in those instances where that information is available. NCMEC will then work with law enforcement authorities."
Thus, we have a private third-party group, who will be given the power to force the takedown of content, who will be given the names and addresses of the "violators." Is there anything else?
Oh yes--NCMEC wants its participation in the takedown to be kept secret. Brumfield cites the memo of understanding (which is not public)--which she said states that cable companies will:
"remove or limit the availability of apparent child pornography images or other content based on the List, and in taking such action replaces the offending page with a notice, such notice shall contain no reference to NCMEC."
I hope I am not the only one who is extremely troubled by this deal. Kiddie porn used to be one of the three major trump cards justifying censorship, invasion of privacy, and the general evisceration of civil liberties (the other two trump cards being illegal drugs and terrorism). However, with this deal and the recently successful child porn justified efforts of the NY AG to eradicate Usenet discussion groups, child porn seems to have outgrown its two fellow trump cards.
The threat of kiddie porn now seems to be capable of justifying any amount of censorship--something that no CEO accountable to his shareholders will dare stand up to.
This kind of takedown power should not be given to a private, unaccountable group. Both the FBI and DHS/US Customs already manage databases enabling their agents to digitally fingerprint such content. As much as I dislike the FBI, they are at least (occasionally) held accountable. Journalists can submit Freedom Of Information Act requests, and the heads of the agency can be hauled in front of a congressional committee. NCMEC, on the other hand, is not subject to an FOIA request.
Public challenge
And so, I issue the following public challenge:
Comcast's anti-BitTorrent efforts were undone once the Associated Press was able to prove that the cable giant slowed down the file-sharing of a copy of the King James Bible.
Thus, I promise a bounty of 100 U.S. dollars to anyone who can somehow trick a cable company into taking down a copy of the King James Bible, under the mistaken belief that it's actually kiddie porn.
You may either work to trick the cable company directly, or instead go after the shadowy National Center for Missing and Exploited Children. It is highly unlikely that cable companies will verify the URLs given to them by NCMEC, and so this may actually prove to be easier.
I am not encouraging anyone to break the law. I am sure this can be done with social engineering, and a bit of smarts. Finally, if you opt to donate your $100 award to the Electronic Frontier Foundation, I will match it 100 percent.
Disclaimer: This challenge is made by a private individual, and does not reflect the policy of CNET.
Tags: child porn, cable companies, comcast
In a major change of policy, the Transportation Security Administration has announced that passengers refusing to show ID will no longer be able to fly. The policy change, announced on Thursday afternoon, will go into force on June 21, and will only affect passengers who refuse to produce ID. Passengers who claim to have lost or forgotten their proof of identity will still be able to fly.
As long as TSA has existed, passengers have been able to fly without showing ID to government agents. Doing so would result in a secondary search (a pat down and hand search of your carry-on bag), but passengers were still permitted to board their flights. In some cases, taking advantage of this right to refuse ID came with fringe benefits--being bumped to the front of the checkpoint queue.
For a few years after September 11, 2001, TSA's policies when it came to flying without ID were somewhat fuzzy. The agency, like many other parts of the Bush Administration, has hidden behind the shroud of classification--in TSA's case, labeling everything Sensitive Security Information.
Seeking to clarify the rules, activist John Gilmore took the U.S. government to court in 2004. Gilmore chose to take a particularly hard line, by refusing to show ID to TSA and also by refusing to undergo the more thorough "secondary screening" search. He eventually lost his case before the 9th Circuit of the U.S. Court of Appeals.
While the judges were not willing to let Gilmore avoid the secondary screening search, they did at least recognize the right to travel without showing ID--providing that passengers are willing to be subject to a pat down and a bit of probing: "The identification policy requires that airline passengers either present identification or be subjected to a more extensive search. The more extensive search is similar to searches that we have determined were reasonable and consistent with a full recognition of appellants constitutional right to travel."
Since then, in at least two letters to citizens, TSA has re-affirmed this right. In March 2008, a TSA official wrote that:
"If a traveler is unwilling or unable to produce a valid form of ID, the traveler is required to undergo additional screening at the checkpoint to gain access to the secured area of the airport."
A change in policy
In a press release issued on Thursday with little fanfare, TSA announced a major change in its rules.
"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity."
"This new procedure will not affect passengers that may have misplaced, lost or otherwise do not have ID but are cooperative with officers. Cooperative passengers without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures."
To clarify: Passengers who refuse to show ID, citing a constitutional right to fly without ID, will be refused passage beyond the checkpoints. Passengers who say they have left their ID at home will be searched, and then permitted to board their flights.
While TSA's announcement stated that the goal of the change was to "increase safety," this blogger disagrees. The change of rules seems to be a pretty obvious case of security theater. Real terrorists do not refuse to show ID. They claim to have lost their ID, or they use a fake.
TSA's new rules only protect us from a non-existent breed of terrorists who are unable to lie.
Fixing flaws vs. security theater
In a research paper published in 2007, I outlined a number of glaring loopholes allowing the total circumvention of the much criticized no-fly lists. The two main flaws were that passengers can modify boarding passes, and that they can refuse to show ID.
In December 2007, TSA began testing out a secure, authenticated, tamper-proof boarding pass scheme. It has since been rolled out to a number of major airports around the country.
With hundreds of millions of dollars having already been spent on the various no-fly lists, it is at least interesting to see that someone at TSA is now spending time on fixing the loopholes in the system. The most glaring of these has long been the fact that passengers can refuse to show (or claim to have forgotten) their ID. Simply put, without being able to know who is walking through a checkpoint, there is no way to know that the "bad guys" have been caught by the no-fly list.
TSA's new rule, while perhaps motivated by a desire to beef up security, is significantly flawed. Terrorists will lie, and claim to have lost their ID--while law-abiding citizens wishing to assert their rights will be hassled, and refused flight.
Of course, all of this is premised on the idea that the no-fly list is actually a useful safety tool--something that I, and a number of other prominent security experts, strongly disagree with. Simply put, terrorists do not pre-register their intent.
As Bruce Schneier has noted before, the no-fly list is a collection of hundreds of thousands of people who are too dangerous to fly, but not guilty enough to be charged with a crime.
These are interesting times, indeed.
Thanks to Gary @ View from the Wing for spotting TSA's announcement.
Disclosure: I am supposed to be on a hiatus, but this topic was too important to leave alone. I am currently an intern at the American Civil Liberties Union of Northern California. These opinions are my own, and do not reflect anyone that pays me.
Topics: Airport security, Transportation Security
Tags: tsa, papers please, orwell
Dear Readers,
I'll be taking the summer off from blogging here at Surveillance State.
On May 5, I started a summer internship at the American Civil Liberties Union of Northern California. I want to avoid any possible conflict of interest regarding my blog posts, and so the simplest solution is to not blog.
In early September, I move to Boston to begin a 1 year student fellow position at the Berkman Center for Internet and Society at Harvard Law School. I fully expect to begin blogging again as soon as I get to Boston.
See you in a few months.
Updated on 5/19/08 with comment from RealPlayer (see below)
Users of YouTube and other video-sharing sites could face $750 per clip penalties if they have watched a video that was uploaded without the copyright holder's permission.
Copyright infringement in the United States is a strict liability offense. What this means is that users are liable when they illegally copy works, even if they're not aware that this is wrong, or that the work is protected by copyright.
As an example, let us consider the popular video sharing website YouTube.
Every week, 6 days after the show airs, HBO uploads the most recent episode of "Real Time with Bill Maher." However, within a few hours of the show's TV broadcast, a number of other users upload copies that they have recorded with their computers.
When a user visits YouTube, and searches for "Bill Maher", he will see a large number of results - some of which will be for official content uploaded by HBO, and the vast majority of which is for copyrighted content illegally uploaded by other users.
According to a strict reading of the copyright laws, and discussions with legal scholars, users could unknowingly be liable if they click on the wrong YouTube link. The fact that they're not aware that a video was illegally uploaded is irrelevant. All that matters is that they clicked on a link, and watched the video.
For BitTorrent websites like The Pirate Bay, where the vast majority of the files are illegal, it is at least semi-reasonable to expect most users to know that they are engaged in an illegal act. However, for sites like YouTube, where both legal and illegal content are available on the same platform, it is significantly trickier. How, exactly, are the less tech-savvy amongst us supposed to determine if a file is legal to watch?
Copytraps
The issue of unintentional home user liability is the subject of a recent paper by Ned Snow, a law professor at the University of Arkansas. In "Copytraps", Professor Snow argues that copyright law unfairly exposes end users to significant liability, for actions which they have no reason to believe are illegal.
Professor Snow puts forth the following example: A user visits Google, and searches for the name of a band they like. One of the first results takes them to a website, named "legal-music-downloads.com". Once there, the user hands over her credit card, and pays $.99 per song to this unknown website. Now, imagine that "legal-music-downloads.com" is in fact a fraudulent website run by a couple guys in Eastern Europe. They download files from BitTorrent, and then illegally re-sell them to American consumers.
As Prof. Snow describes, the fact that the end user thought she was participating in a legal purchase is irrelevant. All that matters is that she has copied (downloaded) a copyrighted work, which was not sold through legitimate means. This user could be liable for up to $750 per song.
This may sound crazy, but it's completely possible under the existing system. Yes, the RIAA and MPAA have, for now, gone after people who were sharing files. However, there is nothing in the law forcing them to stick to just those users. They are legally permitted to go after downloaders too.
Experts respond
To make sense of this, I turned to a few other experts in copyright law. First, I spoke with Corynne McSherry, a staff attorney at the Electronic Frontier Foundation. McSherry told me that the scenarios I outlined were not beyond imagination, and quite possible under existing copyright law.
As an example of copyright holders going after downloaders, she pointed to a 2006 attempt by the Embroidery Software Protection Coalition to get the identities of all the participants of an online embroidery discussion forum. In support of their claims, the Coalition compared the stitchers' online screeds to "terrorist activities" and accused them of posting slanderous statements "that marched across the Internet bulletin boards and chat groups similar to Hitler's march across Europe."
The Embroidery Coalition, following tactics similar to the RIAA and MPAA, threatened grandmothers with lawsuits for downloading copyrighted embroidery patterns from the Internet. These little old ladies were given the choice of either paying a few hundred dollars, or facing a lawsuit.
Luckily, the lawyers at the EFF were able to get the Coalition to back down, but this does at least prove that left unchecked, copyright law can be used to go after the end users.
The EFF's McSherry told me that the penalties in copyright law were "not like many other areas of the law where you have to show harm." Thus, illegally copying a song that is sold for $.99 at the iTunes store can still lead to a $750 per song fine. McSherry labeled this as "completely disproportionate" and said that because of this, "for regular people, who don't have thousands of dollars, the inclination is to settle (the cases), rather than to fight."
YouTube users at risk
While Professor Snow focuses on the example of lying websites, I am personally far more interested in liability for users of major sites like YouTube.
Sherwin Siy, an attorney with Public Knowledge, told me that my YouTube fears might be overblown. Siy points to a difference between downloading a video, and streaming it. He told me that "arguing that a buffer copy (for a streaming view) is a duplication, that's even more of an uphill (battle), and the potential awards might not be worth the attorneys fees." He added that "merely watching a video on your screen, authorized or not, isn't going to be an infringement if you're not publicly performing or copying it."
Siy also noted that copyright law does allow for a reduced $200 per work penalty for infringement, if the pirate can prove that they had no reason to believe that they were infringing.
Updated:
Siy clarified his point in a followup email: "For instance, if my local network TV affiliate were to broadcast an infringing copy of a TV show, and I were to watch it at home, I would definitely not be liable. The copytraps idea might come into play had I (however innocently) taped or DVR'd the broadcast."
While Siy makes some good points, I will have to disagree with him on the issue of viewing vs. downloading. There are many off-the-shelf tools that allow users to download YouTube videos. The most widely deployed of these is RealPlayer, which automatically allows the user to make a local copy of every YouTube video that they watch. YouTube has no way of knowing if someone is streaming or downloading a video, as it's simply a case of transferring bits over a wire. If the RIAA or MPAA ever subpoenaed YouTube's logs, they wouldn't be able to differentiate these users either.
YouTube's Position
A few years ago, a number of major firms started threatening Linux end-users with patent lawsuits. In response, one or two Linux companies offered to shield their customers from such lawsuits. That is, buy Linux from us, and we'll cover any potential legal bills.
Thinking along these lines, I reached out to YouTube to get their perspective. I wanted to know if they would offer to foot the bills of users who were sued after watching a video on their site. I also wanted to find out if YouTube has ever disclosed a list of infringing viewer IP addresses to a copyright holder.
YouTube's spokesperson ignored my actual questions, and instead told me that:
We prohibit users from uploading infringing material, and we cooperate with all copyright holders to identify and promptly remove infringing content as soon as we are officially notified.
As a company that respects the rights of copyright holders, we expect to continue to take the lead in providing state of the art DMCA tools and processes for all copyright holders.
While the liability for end users remains unclear, there is certainly the potential for some nasty lawsuits, should the copyright owners decide to go down that path. In a conversation with me, Prof. Snow described a scary future with Copyright Trolls who delay sending takedown letters to websites, so that the number of infringing users (who the company can later go after) will increase.
A scary future indeed.
Update: Jeff Chasen, a VP at RealPlayer, contacted me to let me know that I had erred in my original blog post. He told me that:
RealPlayer does not automatically download or make local copies of videos from YouTube. RealPlayer 11 gives users the option of downloading the video they are watching, but it requires that the user click a button to initiate the download. No copies or downloads occur until a user explicitly takes an action.
I do stand by my original point though, which is that YouTube (and any copyright holder who gets a list of the views/downloads via a subpoena) has no way to tell when a user is watching a video, and when a user is downloading them via a single-click RealPlayer tool.
Over the past few weeks, things have heated up again in Lebanon, with the U.S.-backed government on one side and the Syrian-backed Hezbollah on the other.
To many U.S. observers, this might be just another case of tensions flaring up in the Middle East. Do not be fooled. This is all about telecommunications policy--and the design of secure, attack-resistant data networks.
But first, a bit of background. Hezbollah and Israel have been at war for some time. In an effort to stop Hezbollah's guerrilla fighters from communicating, Israel has in the past jammed the cell phone towers in the Hezbollah-controlled areas in southern Lebanon. Eager to make sure that didn't happen again, Hezbollah has covertly built out a fiber-optic network throughout the areas it controls.
Jamming cell phones is relatively easy, as it is simply a matter of sending out radio waves. Disrupting a fiber-optic network, on the other hand, is extremely difficult. The Israelis would need to locate the individual fiber-optic lines, and then cut them. To do that, they'd need boots on the ground, in control. This is not something that Israel, or even the central Lebanese government, can currently do.
It seems that recently, the U.S.-backed central government of Lebanon tried to put an end to Hezbollah's private network. Hezbollah responded with force, eventually taking over West Beirut. As the Boston Globe recently reported:
(Hezbollah's leader, Hassan Nasrallah) said the government's decision to shut down Hezbollah's fiber-optic communications network was tantamount to a declaration of war. For the (central) government, the network represented an intolerable example of Hezbollah's efforts to set up an Iranian- and Syrian-backed state within Lebanon. Hezbollah justifies the network, which carried its communications during a 2006 war with Israel, as a vital security asset.
This sort of thing, as interesting as it is, is way out of my league. To get a better grasp of the situation, I spoke with John Robb, an expert in modern asymmetrical warfare, an author, and blogger.
Robb said Hezbollah is not alone in building out its own communications infrastructure. He said that it is fairly common for such groups and that a similar situation exists in the Sadr City area of Baghdad.
Yahoo, Cisco Systems, and other U.S. companies have been heavily criticized for their assistance of China and its so-called Great Firewall. Thinking along these lines, I asked Robb which U.S. companies might be manufacturing Hezbollah's equipment.
He responded that there is no reason to suspect that U.S. equipment was being used. He added that Chinese-made, no-name optical-networking gear is available in most of these markets and certainly available to Hezbollah. Even equipment five to seven years old, Robb said, would work for Hezbollah's needs.
As a technologist, and someone interested in tech policy, this is fascinating. We typically hear that developing countries are leapfrogging over the traditional wire-based network infrastructure, due to the costs involved, and going straight to mobile or Wi-Fi technologies. It's interesting to see that fiber-optic networks can play a vital role in these countries. It seems that when there is a real threat of network interruption and jamming, the cost and difficulty of laying the cable is worth it.
At the Freedom To Connect conference a few weeks back, Doc Searls coined the term "glass roots" to describe community-built fiber networks. That term doesn't quite apply here, so I'm going to quickly stake my claim to "fiber warfare" (fiber vs. cyber, get it?). Remember, you heard it here first.
With that out of the way, I thought it'd be fun to end on a snarky note. For the last six months, I suffered with an AT&T 3Mbps DSL line. So how would Hezbollah act as an ISP? Consider these questions:
- What, exactly, does Hezbollah consider to be "reasonable network management," and are its views on this area the same as Comcast's?
- Does Hezbollah block BitTorrent? Does it use Linux?
- Does Hezbollah offer so-called "naked" DSL?
- If I do not get satisfactory customer service from the Hezbollah ISP, what happens if I resort to a Consumerist.com-style executive e-mail carpet bomb? Will its executives bomb me back?
- How does Hezbollah respond to Digital Millennium Copyright Act cease-and-desist threats? If the RIAA and MPAA are too scared to send DMCA threats to Harvard, will they risk sending them to Hezbollah?
- If I pay my fiber network bill late, will Hezbollah terminate my connection, or me?
- We do not have competition in most U.S. markets, but instead have a duopoly of crappy DSL and evil cable. How many Americans would switch to Hezbollah's fiber network if it meant that they could use BitTorrent without Comcast "temporarily delaying" their data transfers? Could Hezbollah force the Federal Communications Commission to open up the market to real competition?
Update: For more info on Hezbollah's network infrastructure, check out this detailed report.
The United Kingdom has the most surveillance cameras per capita in the world. With the recent news that CCTV cameras do not actually deter crime, how can the local town councils justify the massive surveillance program? By going after pooping dogs.
In a recent interview with The Guardian, the head of the Metropolitan Police's Visual Images Office explained the failings of CCTV:
"Billions of pounds has been spent on it, but no thought has gone into how the police are going to use the images and how they will be used in court. It's been an utter fiasco: only 3 percent of crimes were solved by CCTV. There's no fear of CCTV. Why don't people fear it? (They think) the cameras are not working."
Conjuring up the bogeymen of terrorists, online pedophiles and cybercriminals, the U.K. passed a comprehensive surveillance law, The Regulation of Investigatory Powers Act, in 2000. The law allows "the interception of communications, carrying out of surveillance, and the use of covert human intelligence sources" to help prevent crime, including terrorism.
Recent reports in the U.K. media indicate that the laws are being used for everything but terrorism investigations:
- Derby City Council, Bolton, Gateshead, and Hartlepool used surveillance to investigate dog fouling.
- Bolton Council also used the act to investigate littering.
- The London borough of Kensington and Chelsea conducted surveillance on the misuse of a disabled parking pass.
- Liverpool City Council used Ripa to identify a false claim for damages.
- Conwy Council used the law to spy on a person who was working while off sick.
Privacy activists were, unsurprisingly, up in arms. Shami Chakrabarti, director of human rights group Liberty, told the BBC that "you don't use a sledgehammer to crack a nut, nor targeted surveillance to stop a litter bug." Liberty and other groups have called for a complete review of the law and its unplanned uses.
Is this surprising? Not really. Just as we've seen in the U.S., once law enforcement and intelligence agencies are given new unchecked powers, abuse tends to happen. The more secretive and unchecked the powers, the more widespread the abuse. (See: Warrantless wiretapping, detainee torture, COINTELPRO, The CIA's Operation Chaos.)
Thanks to Dizzy Thinks for the tip.
A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.
The new "Where's my stimulus payment?" site asks taxpayers to enter in their Social Security number, and a few other trivial bits of information before informing the user of the amount of their refund, and the date it will be sent out.
While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer's Social Security number, it could be used as an oracle (by submitting multiple requests) to determine the full SSN of a taxpayer.

Screenshot of the IRS Stimulus Website (Credit: Christopher Soghoian)
The IRS is frequently mimicked by phishers. The agency even goes so far as to offer advice on its site, debunking many common phishing attacks. Furthermore, the agency has shut down more than 1,600 phishing sites claiming to be the IRS in the past few years.
From a security education perspective, it is a really bad idea to have such a form on the official IRS Web site. The IRS should not be training users (via positive reinforcement) to enter their full Social Security numbers into Web sites. It is bad enough that credit cards and banks require us to do so when signing up. The IRS has an existing relationship with every tax-paying citizen. It does not need to use our SSN to authenticate us, and could use one of many other bits of information.
Secondly, the URL, http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC, is simply horrible. The vast majority of users will have no idea if this is a legitimate Web site or not. Why could they not select something a bit more readable, such as "www.irs.gov/stimulus"?
At the very least, the IRS should authenticate users with additional information (such as the amount of federal taxes paid in 2008). It already does this for users who wish to e-file. This would at least stop the site being used as an oracle to confirm/guess someone else's SSN.
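One way to detect the oracle use described above, as an added example (not IRS code): count failed lookups per last-four suffix instead of per client, since a guesser who already knows the last four digits keeps them fixed while varying the other five. The log format, the keyed `suffix_tag` field, the function names, and the thresholds are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Constructed sample log, sorted by time:
#   epoch_seconds  client_ip  suffix_tag  result
# suffix_tag is assumed to be a keyed hash of the last four SSN digits,
# computed by the application, so the log never contains an SSN.
sample_log() {
cat <<'EOF'
1000 198.51.100.7  7c1e OK
1003 203.0.113.21  a9f2 FAIL
1010 203.0.113.88  a9f2 FAIL
1015 192.0.2.14    3b40 FAIL
1019 198.51.100.63 a9f2 FAIL
1031 192.0.2.200   a9f2 FAIL
1042 203.0.113.5   a9f2 FAIL
1500 192.0.2.14    3b40 OK
1600 198.51.100.9  7c1e FAIL
EOF
}

# flag_by COLUMN WINDOW MAX
# Reads the log on stdin and prints every value of COLUMN that collects
# more than MAX failed lookups inside any WINDOW-second span.
# COLUMN 2 groups by client IP, COLUMN 3 groups by suffix_tag.
flag_by() {
    awk -v col="$1" -v win="$2" -v max="$3" '
        $4 == "FAIL" {
            key = $col
            n = ++seen[key]              # running count of failures for key
            ts[key, n] = $1              # timestamp of the n-th failure
            if (!(key in first)) first[key] = 1
            # drop failures that have aged out of the sliding window
            while ($1 - ts[key, first[key]] > win) first[key]++
            if (n - first[key] + 1 > max && !(key in flagged)) {
                flagged[key] = 1
                print key
            }
        }'
}

# Per-client counting sees one failure per address and flags nothing;
# per-suffix counting exposes the spread-out guessing against a9f2.
echo "by client: $(sample_log | flag_by 2 60 3)"
echo "by suffix: $(sample_log | flag_by 3 60 3)"
```

The same per-suffix counter can drive a lockout or a demand for the extra authenticating field once the threshold is crossed.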
To see why this is such a bad idea--look at the image below of a phishing scam claiming to be an IRS refund Web site. Now look at the image above, the IRS's new refund status site. Can we really expect most users to tell the difference?
There is no right to privacy at international borders. For those of us with laptops, this presents a pretty major problem: How do we get through U.S. Customs with our beloved portable devices, without having Uncle Sam peeking at every e-mail we've sent, every MP3 we've listened to, and every "home movie" we've made?
The obvious solution, encryption, is not enough. Non-Americans have no right to enter the U.S. Don't want to hand over your encryption keys? No problem--but you will be put on the next airplane back to your home country (if you're lucky...If the government really doesn't like you, you may end up getting sent to Syria).
Those of us "lucky" enough to have a U.S. passport may be forced to enter the password for the data, if we want to avoid having the devices seized and never returned.
For travelers heading to countries other than the U.S., it can be even worse. Refusing to hand over your encryption key to a lawful request by British Police can result in jail time. Ouch.
CNET News.com's Declan McCullagh posted a guide to securing laptops for border searches back in March. The Electronic Frontier Foundation's Jennifer Granick wrote a blog post on the subject recently, in which she broke down the case law and offered a bit of advice. While both of these are interesting reads, neither includes the practical solution which I use.
Chris' Guide to Safe International Data Transport
- Before going on any international trip, back up all of your important and potentially embarrassing, incriminating, or troubling data. This includes any copyrighted content which you may not be able to prove you own.
- Create an encrypted disk image/encrypted folder of that data. This can be done with Pretty Good Privacy, Truecrypt, or software built into many operating systems.
- Remember the password. This is very important, as if you forget it, you lose all your data.
- Upload the encrypted data to a reliable place on the Internet (or two). Personally, I use Amazon S3, which charges 15 cents per GB-month of storage plus 17 cents per GB of data transfer.
- Wipe your laptop clean (do this properly, or the data may be accessible after the fact with forensics software), and install a fresh copy of your OS onto it.
- Travel. You should have no problem at U.S. Customs (or in any other country) as you won't have anything problematic on your computer.
- At your hotel/office, fire up your Web browser and download the encrypted data file from Amazon's servers.
- Decrypt the data.
Once you are done with your trip, you can simply re-encrypt the data, upload it to Amazon again, and wipe the disk clean.
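The procedure above only works if the archive can actually be restored, so this added example (not from the original post) seals a folder, records a hash of the ciphertext, and proves a round-trip restore before anything is wiped. It swaps in `tar` plus OpenSSL's `enc` command for the PGP or TrueCrypt image the post mentions, and assumes OpenSSL 1.1.1 or later, `sha256sum`, and a passphrase in the `ARCHIVE_PASS` environment variable; the function names are hypothetical, and upload and download are left to your storage client.

```shell
#!/bin/sh
# Added example: encrypt a folder for off-device storage and verify it
# restores before the laptop is wiped. Passphrase comes from $ARCHIVE_PASS
# so it does not appear in the process list.

# seal SRC_DIR OUT_FILE
# Tar SRC_DIR, encrypt the stream, and write OUT_FILE plus OUT_FILE.sha256.
seal() {
    src=$1 out=$2
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
            -pass env:ARCHIVE_PASS -out "$out" || return 1
    # CBC mode is not authenticated; keep this hash with you (it is not
    # secret) to confirm the later download is bit-identical.
    (cd "$(dirname "$out")" &&
        sha256sum "$(basename "$out")" > "$(basename "$out").sha256")
}

# unseal ENC_FILE DEST_DIR
# Refuse to decrypt unless ENC_FILE matches its recorded hash.
unseal() {
    enc=$1 dest=$2
    (cd "$(dirname "$enc")" &&
        sha256sum -c "$(basename "$enc").sha256" >/dev/null) || return 1
    mkdir -p "$dest" &&
        openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass env:ARCHIVE_PASS -in "$enc" | tar -C "$dest" -xf -
}

# safe_to_wipe SRC_DIR ENC_FILE
# Restore into a scratch directory and compare against the originals.
# Returns 0 only if every file came back identical.
safe_to_wipe() {
    tmp=$(mktemp -d) || return 1
    unseal "$2" "$tmp" 2>/dev/null && diff -r "$1" "$tmp" >/dev/null
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Typical use before a trip:
#   export ARCHIVE_PASS; seal ~/private trip.enc
#   safe_to_wipe ~/private trip.enc && echo "restore verified"
```

Run `safe_to_wipe` against the copy you downloaded back from the storage service, not just the local file, so the check covers the upload as well.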
For those of you traveling to countries (or places in the U.S.) with slow Internet connections, you may wish to burn your encrypted data to a DVD and FedEx it to your destination. Do it a few days before you leave, and you should know before you get on the airplane if the disk made it to your destination safely by checking the delivery status online.
I realize that I take paranoia to a more extreme level than most, but I find that this technique works really, really well for me. For those of you who are even more paranoid, and are worried about customs agents being able to recover the deleted data from your laptop disk, you may wish to avoid keeping the decrypted data on your laptop at all (while on the trip). Portable flash drives are quite cheap these days, and can be easily destroyed (a microwave, a hammer, driving over them in a rental car, etc.) once your trip is done.
Disclosure: Jennifer Granick represented me, pro-bono, in my civil troubles with TSA back in 2006 and 2007.
