Category Archives: Current Affairs

Urban@UW individual questions

1. How would you define the question/ challenge/ focus in a manner that you find compelling?

Privacy has been defined by different groups indifferent ways. Often times the best way to protect personal privacy rights is to empower people to have greater control over what data is shared. Policy makers need to think broadly and specifically about the unintended consequences of data collection, not just how valuable it can be to special interests. Supporting privacy initiatives is often something that can turn into government transparency, accountability, and trust. Seattle could exclusively adopt free software solutions when deploying technology that interfaces with the public.

Two related points:

White House Commits to Open Access, Open Education and Open data in New Open Government Plan

Emerging threats for lawyers and human rights defenders: surveillance on massive scale in real time

Concerns from others in the group:

— Justice?
— Democratizing data?
— Supporting an advocacy agenda?
— Access? Affordability? Income barriers? How to keep people out of the criminal justice system?
— What is the overarching process for developing questions about data?
— Is the data driving the questions, instead of the questions driving the data? Who owns the data?
— Who gets to frame the questions? Who gets to think about how the data is used?
— Public vs private sector influence?

2. What is the most important need or area of impact that we could have addressing this challenge?

3. What is needed to address this challenge and what are the gaps to fulfilling this need?

4. What has failed in the past, and why?

5. What risks are there?

6. Who else should be involved?

7. What’s missing from this challenge, as you see it?

Advertisements

Seattle continues “business as usual” trend when deploying surveillance systems

This post was read to the attendees of September 2015’s Community Technology Advisory Board (meeting minutes).


A few months ago I raised concern at CTAB about connected cars technology — about the need to be informed about the technology’s capability — because Seattle residents will not be informed if Seattle government and Seattle leaders are not informed.

Today, Crosscut reporter David Kroman published an article titled, Seattle installs new system to track individual drivers which concerns a related hardware identification tracking system. There are a few problems I have with Seattle’s interpretation of what it considers a “surveillance system” and how it’s unable to safeguard its residents from intrusive surveillance technology even in light of Seattle’s recently adopted privacy principles.

Let’s look at some of the facts of this tracking system:

Seattle government, including its CTO, does not consider this to be a surveillance system despite the manufacturer calling it a tracking system. History proves that tracking systems easily become surveillance systems, just look at our cell phone network.

SDOT is free to pursue infrastructure improvements without approval from the city council and even called this project “business as usual”. (quote: Adiam Emery, an Intelligent Transportation System Engineer with SDOT)

The public was not brought into the conversation before the deployment of this tracking system.

A privacy impact assessment was not performed.

The tracking system records when and where a hardware identifier exists including personal cars, personal cell phones, and markers such as speed, distance, and behavior are analyzed.

Seattle does not receive raw data and Acyclica claims they do not store raw data despite there being no audit of such a system.

Washington state supreme court recently unanimously passed a bill restricting the use of Stingrays and other surveillance devices that mimic cell towers because of the privacy implications.

The tracking system is something that was already in place and its privacy invasive capabilities were later upgraded to include these wireless surveillance mechanisms.

This data is collected 24/7/365 including of nearby homes and work places that are within reach of monitored intersections.

The data is transmitted to a third party but we do not know if the data is encrypted at rest before it is transmitted or if the transmission is encrypted.

SDOT Public Information Officer Norm Mah:

the city receives no raw data from the readers, which they say means it cannot trace information back to individuals or individual devices. Mah compared it to a bar code on a baseball ticket: The system knows you’re there, but not who you are. The data fed into the readers is “scrubbed,” meaning it’s analyzed and aggregated into a lump of useful information, absent of discrete data-points.

The metaphor is wrong and the explanation is not a truthful representation of reality. We do not carry baseball tickets with us everywhere we go, 24/7, and have them scanned, repeatedly, every time we drive through a street intersection. The public knows that American businesses do not have the ability to keep collected data safe from governments, be it the American government or the Chinese.

It would appear that employees of Seattle put demands before history. Do not forget that in 1943, Census released Japanese Americans’ data. Seattle has no business collecting and tracking Seattle residents physical location data and handing it over to third parties because they cannot control the use of that data once its collected.

Say cheese! You might get kicked out

Bars and clubs are legally required to check government issued identification before allowing patrons into their establishment. This is a form of security authentication to reliably (probabilistic) determine if someone is at least 21 years old. Should we allow business owners to install government issued identification data retention and sharing technology? Should we accept being treated like a criminal before committing a crime?

Re: SPD increases efforts to put ‘shooters in handcuffs’ after East Precinct gun violence

In the wake of the shooting, Baltic Room owner Jason Brotman told CHS he and other Capitol Hill club owners are exploring a new ID scanning software that would track who has been kicked out of a club earlier in the night.

I think this is the system I was swept up in in Vancouver, Canada in 2014. I didn’t expect it. My group of friends were all going in and I couldn’t just walk out on them after spending 45 minutes in a line. Should I ask for the data retention and data sharing policies before accepting them taking a picture of me, scanning my ID, and uploading it to someone else’s servers? Should I request to audit their system’s security before feeling comfortable they or an unknown company will share my data with whoever their corporate policies and regressive laws allow?

A quick Internet search: “club id scanning who gets kicked out”

First result: http://www.patronscan.com/ (notice the company doesn’t employ website transport security)

Servall Biometrics Inc. creates cumulative reports from other data points, such as the postal code, age, and sex of the patrons in any one venue or one city, and makes these summarized reports available to venues who are paying customers. All information is confidential and no identifying data is provided.

Police Departments may request access to the database, but only when an official investigation has been launched (eg. sexual assault). They must specify their request, by providing the name of the venue, and the time frame for which they wish to review data. They have access to the first name, last name, sex, age, and photo from the identification. The police may use this to search for suspects, victims, and/or witnesses to a crime.

So police, presuming there’s a verification process, simply need “an official investigation” to hand over my data. It’s one thing for local PD to show up at a bar and inquire about events. It’s another for them to have access to a centralized database of specific data just because they were out with their friends and family.

We have a Fourth Amendment for a reason. Privacy invasions are severe because when they happen, they cause lasting effects on people and their families. Domestic violence, sexual assault, stalking — these are all problems that people, who go out to bars and clubs, already have. The Washington State Address Confidentiality Program has over 5,000 participants state wide. Why would Seattle bar owners think it’s ok to force patrons to document their locations in someone’s identification database? Shareable to police without a warrant? That’s called a search! It doesn’t excuse the warrant requirement because a third party collects the data. Victims of police brutality, or victims of people who are police officers is not uncommon. When you collect data to solve a problem, you are creating many more.

Thanks to Mikael Thalen for pointing me to this related issue in Oregon: Oregon Police Give Nightclubs ID Scanners to Datamine Customers

Exploring Cuban Internet surveillance and censorship

This research is ongoing.

After December 17, Cubans don’t have more food, more money, or more liberty. But we have more hope.

— Cuban journalist Yoani Sanchez said in May 2015

Larry Press, Professor of Information Systems at California State University, Dominguez Hills, recently asked some important questions on his blog:

  • Is the Cuban government surveilling the users?
  • Which IP addresses are blocked?
  • Are the Chinese supplying equipment, software or expertise for surveillance and content filtering?

Cuban infrastructure

Cuba’s Ministry of Communications (MIC) is responsible for approving Cuban communications infrastructure. Historically, according to TeleGeography, “Internet access in Cuba is largely restricted to legally recognized individuals and institutions considered most significant to the island’s culture and development, such as state officials and academics.”

According to Wikikeaks, “Cuba worked around the US embargo in order to deploy an undersea cable to Venezuela.” For more history, Wikileaks has available a document titled: “Radio and Television Broadcasting to Cuba: Background and Issues Through 1994.”

According to the United States Congressional Research Service in 2006, “On December 12, 2006, independent Cuban journalist Guillermo Fariñas Hernández received the 2006 Cyber Dissident award from the Paris-based Reporters Without Borders. Fariñas went on a seven-month hunger strike in 2006, demanding broader Internet access for Cubans.” Reporters Without Borders “voices its support to the members of various dissident groups who have themselves been on a rotating hunger strike since 4 June [2006] in a show of solidarity with Fariñas and to draw international attention to his condition.”

In 2007, state-owned “Telecom Venezuela” and Cuban telco “Transbit” formed a new company called “Telecomunicaciones Gran Caribe”. The company eventually completed ALBA-1 in 2011, the only submarine cable that connects Cuba to the Internet and allows for the transmission of data, video and voice (VoIP). The cable has termination points in La Guaira, Venezuela, Ocho Rios, Jamaica, Santiago de Cuba, Cuba, and Siboney, Cuba. Until 2012, most Internet users in Cuba had limited access via satellite.

According to the U.S. Department of State Bureau of Democracy, Human Rights, and Labor on Internet Freedom in 2007:

“The [Cuban] government controlled nearly all Internet access. Authorities reviewed and censored e‑mail and forbade any attachments. Authorities also blocked access to Web sites they considered objectionable. Citizens could access the Internet only through government‑approved institutions, except at Internet facilities provided by a few diplomatic offices. In August authorities shut down Internet access in four government-run Internet cafes, including one located in the Ministry of Communications. The only citizens granted direct Internet access were some government officials and certain government‑approved doctors, professors, and journalists. The government also further restricted Internet use in government offices, confining most officials to Web pages related to their work. Foreigners, but not citizens, were allowed to buy Internet access cards from the national telecommunications provider and to use hotel business centers where Internet access cost $10 (240 pesos) an hour. The government stated that 8 percent of the population had Internet access, but independent studies concluded that only 2 percent of the population had access to the Internet.

A 2004 law stipulates that all public Internet centers must register with the government, and that all such centers may be the object of control and supervision, without prior warning, by the Agency of Ministry for Information Technology and Communications. While the law does not provide for any specific punishments for Internet use, it is illegal to own a satellite dish that would provide uncensored Internet access.”

According to the United States Congressional Research Service in 2009, “On May 21, 2008, the Senate passed S.Res. 573 (Martinez) by unanimous consent, which recognized Cuba Solidarity Day and the struggle of the Cuban people. On the same day, President Bush called for the Cuban government to take steps to improve life for the Cuban people, including opening up access to the Internet. He also announced that the United States would change U.S. regulations to allow Americans to send mobile phones to family members in Cuba.”

Prior to June 2013, Internet was only available at select state institutions and 200 hotels. The Cuban government then began offering access to the Internet at 118 outlets including a small number of cybercafés. According to Agencia EFE, “On June 14, 118 new Internet establishments were opened in the country where, through the national portal Nauta, permanent or temporary accounts were made available for e-mail access, online navigating and other services.”

As of April 2015, three million Cubans use mobile phones, a figure expected to grow by 800,000 a year. The state-owned monopoly Empresa de Telecomunicaciones de Cuba (ETECSA) has over 600 base stations across the island, up from 350 in 2010.

ETECSA will host the Internet Addresses Registry for Latin America and the Caribbean (LACNIC) meeting from May 2 to 6, 2016. ETECSA, and thus the Cuban government, clearly has ultimate authority of this region.

Desoft is the largest software developer in Cuba and based in La Habana, Cuba. Desoft’s CEO, since November 2014, is Luis Guillermo Fernandez Perez. Desoft’s website describes a product called “RCTel” that is a “Solution for recording and monitoring of telephone calls and their associated costs.” ETECSA is listed as one of their primary customers.

Prior to Desoft, Perez was the CEO of Cuba’s Softel from January 2004 through October 2014. Softel, according to LinkedIn, “Provides software solutions, analytics and consultancy for the telecommunication business.” Softel is “currently developing Softel Monitoring and Management Framework,” and their best selling product is “CMTS Monitoring System,” “capable of large scale (up to few millions easy scalable) docsis 2&3 cable modem customers monitoring. Some analytics and prediction algorythms in the area.”

According to Dyn Research, “Almost all of Cuba’s international Internet traffichas been passing through the United States for as long the Internet has existed in Cuba. For example, the satellite ground stations for the satellite service they currently use are on the East Coast of the United States.” “The Telefonica and Tata service across the ALBA-1 cable eventually makes its way to Miami to reach the global Internet. For technical reasons and not necessarily political, it is very hard to avoid the gravitational pull of the United States when routing international Internet traffic in the western hemisphere.”

United States infrastructure

IDT Corporation, based out of New Jersey, U.S. and in cooperation with ETECSA, is the “only U.S. carrier to have a direct interconnection into Cuba.

SMS Cuba, a telecom startup in Florida, U.S., is a two-way provider of SMS to those wishing to send mobile texts to and from Cubans. The service is not in direct communication with Cuba and must pass through multiple other nation states meaning there are even more connection points subject to carrier surveillance. SMS Cuba advertises directly to Cubans about how cost effective it is. Further, SMS Cuba’s registration web site does not employ transport security (HTTPS), meaning the US government (at minimum) gets to record the personal information of who signs up for the service.

While writing this article, I sent an email to the founder of SMS Cuba with some questions about their infrastructure. They declined to answer any of my questions, which were mostly technical in nature.

Sprint provides voice and SMS service to Cuba, a known NSA partner, even though it is the only major carrier to push back in court.

Products

According to Gigaom, “U.S. companies banned from selling or exporting everything from smartphones, servers and networking gear will be free to bring their hardware and software into the country.” Similairy, from the White House, “The commercial export of certain items that will contribute to the ability of the Cuban people to communicate with people in the United States and the rest of the world will be authorized. This will include the commercial sale of certain consumer communications devices, related software, applications, hardware, and services, and items for the establishment and update of communications-related systems.” “Telecommunications providers will be allowed to establish the necessary mechanisms, including infrastructure, in Cuba to provide commercial telecommunications and internet services, which will improve telecommunications between the United States and Cuba.”

We Created the Very Threat We Claim to be Fighting

the United States, through its policies, created the very threat that it claims to be fighting now, and in continuing this policy, what President Obama is doing is embracing the very lies that made the Cheney-Bush Iraq War possible. And in the process, he’s creating yet another generation of people in the Islamic world who are going to grow up in a society where they believe that their religion is being targeted, where they believe that the United States is a gratuitous enemy.

As stated by Jeremy Scahill on Democracy Now!

Some awesome documentaries

My ex boyfriend really enjoyed watching documentaries (and he even got me to pronounce the word correctly!) so I’m going to start a new “documentary” section for my blog, so maybe I’ll spend more time watching them and sharing them here. A good place I’ve found to look for some good ones: https://www.reddit.com/r/Documentaries/

Me watching the North Korean documentary
Me watching the North Korean documentary

 

 

 

The very thought provoking things I’ve watched lately:

Vandana Shiva: Food, Ethics, and Sustainability

(start on 24:50. from here: http://www.yesmagazine.org/about/vandana-shiva-speaks-at-seattle-town-hall)

This Is What Democracy Looks Like (Seattle 1999 WTO)

All Wars Are Bankers’ Wars

North Korea Exposes the Western Propaganda

A local initiative for the people’s right to privacy

“Gentlemen do not read each other’s mail.”

This was said by Henry L. Stimson in 1929 in support of the US State Department’s defunding of the Black Chamber program that was used to decipher foreign ambassador communications. At that time, Stinson was the Secretary of State under President William Howard Taft. Stinson’s opinion, however, is said to have changed while he served as the Secretary of War under President Herbert Hoover and President Franklin D. Roosevelt, in which the United States government relied heavily on the enemy’s decrypted communications during wartime.

Mass surveillance is a crime against people, not just the American people. The people did not ask for it, not even the special interests behind the development of the Patriot Act. Secret mass surveillance and secret laws are instituted and accepted by people in power, to gain and maintain power, which are acts that are illegitimate of a developing democracy. They are illegitimate acts of a country that developed the Internet.

Civilly speaking, cryptographically encrypting information before transmission is the same as licking and sealing a letter before mailing it. It is the same as closing a clear glass door on a telephone booth before having a private conversation. It is the same as putting on clothes to protect things expected to remain private.

I expect that only entities that privately sign digital certificates that create the foundation for private chats, private socializing, and secure transactions on the internet can decrypt my information. It should be illegal for entities beyond the original signer of public key infrastructure certificates to have a copy of the private key in such a way that allows said entity to view or record the decrypted content that is expected to remain private between two specific parties. It should also be illegal for any entity to attempt to break or subvert encryption mechanisms on common-carrier infrastructure as long as that data is being transmitted or being stored on American soil, no matter the nationality of the person transmitting their encrypted internet content. It is time for the United States to learn from its mistakes and emerge as a civil liberties leader.

What I would like to do is identify other leaders throughout the United States that want to pass a shared city law that makes illegal the above acts. We should all vote for and approve these laws in tandem to reduce the risk of federal or state legal threats. Cities need to come together to protect local internet infrastructure.

Governance representatives are failing to protect the nature of our constitutional protections in law and debate.  They are failing to understand the importance of the Internet. Federal representatives are literally working backwards at times, with the Patriot Act, CISPA, PIPA, and the TPP as perfect examples. It is time to work from the ground up and enact local laws that affect local internet infrastructure.

We cannot let special interest groups, that bribe our representatives, write our laws for us. The interest of the people needs to be voiced through local law. Let us tell state and federal government that it is not okay to subvert public law with secret law, and that mass surveillance cannot be tolerated, period. Law enforcement has worked, successfully, for hundreds of years without mass surveillance. The city laws that I am proposing do not inhibit the normal procedure of law enforcement to acquire a warrant, through justified evidence, to obtain private information about specific individuals to prevent or punish crime.

In addition to hosting DNS root servers and the Seattle Internet Exchange, the Westin datacenter connects us to billions of un-Americans on the other side of the Pacific Ocean. Many other cities throughout the United States host similar infrastructure. These communication points are ideal for the placement of unethical surveillance equipment, and we must make this act illegal in our cities. Let us put pressure on our state by protecting local resources, the technology that ensures the security of our online communications, and the integrity of our local businesses.

From https://www.aclu.org/sites/default/files/assets/lavabit_brief_of_us.pdf, it is clear that sometimes our founding legal frameworks are not explicit.

THE FOURTH AMENDMENT DOES NOT PROHIBIT OBTAINING ENCRYPTION KEYS FOR THE PURPOSE OF DECRYPTING COMMUNICATIONS THAT THE GOVERNMENT IS LAWFULLY AUTHORIZED TO COLLECT

Let us build our own laws for our expectations of privacy. For example, as described in the book, Toward an Information Bill of Rights & Responsibilities (http://yawnbox.com/?p=283):

Preamble

Information privacy is the claim of individuals to determine what information about them is disclosed to others and encompasses the collection, maintenance, and use of identifiable information. Privacy is an important value in a democratic society. For individuals, it enhances their sense of autonomy and dignity by permitting them to influence what others know about them. For associations, privacy enhances the ability of individuals to function collectively by permitting the association to keep deliberations and membership and other activities confidential. For society, privacy fosters individual and associational contributions to society, promotes diversity, and limits undesirable conduct and abuse of authority by government and other institutions.

Privacy is not an absolute right. It must be balanced with competing values and interests, including First Amendment rights, law enforcement interests, and business or economic interests in information. The following Code of Information Rights and Responsibilities attempts to strike an appropriate balance between privacy and competing interests, in an environment shaped be technological breakthroughs in the ability of organizations to collect and disseminate personal information.

A number of characteristics of the new information environment make it imperative to adopt a Code of Information Rights and Responsibilities. These include:

  • Technological enhancements in the ability to capture, store, aggregate, exchange, and synthesize large quantities of information about individuals, their transactions, and their behavior;
  • Proliferation of powerful computing capacity to the desktop;
  • Creation of worldwide networks through which information about individuals can easily, cheaply, and quickly flow;
  • Increasing use of target marketing, modeling, and profiling;
  • New technological abilities that permit individuals to access personal data maintained by others;
  • Decreasing cost of computing technology used to manipulate data;
  • New social and cultural values and developments regarding personal information.

Two general principles apply to all of the provisions of the Code of Information Rights and Responsibilities. First, an individual is entitled to greater protection and due process when information is used to make determinations about his or her rights, benefits or opportunities. Second, the protection of privacy must be interpreted consistently with First Amendment principles. Resolving the inherent tensions between the values of privacy and the First Amendment must take place on a case-by-case basis.

The scope of the Code of Information Rights and Responsibilities is limited to individual and associational privacy as defined above, and does not cover government and corporate interests in secrecy. It addresses how activities of information keepers and processors involving the collection, maintenance, and use of personal information should be evaluated when privacy interests overlap or conflict with other interests, values, or significant community needs.

First Principles

A. Collection
There should be limits on the ability of information keepers and processors to collect personal information. Information should only be collected when relevant, necessary, and socially acceptable.

A-1.
Information should be collected directly from the individual whenever possible.

A-2.
When not collecting information directly from the individual, notice, access, correction, and other rights should be provided if the information is used to determine rights, benefits, and opportunities.

B. Notice/Transparency
Individuals providing information to an information keeper and processor have the right to receive, at the time that information is provided, a notice of information practices describing how the information will be used, maintained, and disclosed. Information keepers and processors must provide a copy of notice of information practices upon request. There should be no secret systems containing personal information. Individuals have a responsibility to make informed choices about how information about them is to be used.

C. Access and Correction
Individuals have the right to see and have a copy of any information about themselves maintained by others, consistent with the First Amendment and with other important public and private policy interests. Individuals have the right to seek correction of information that is in error. When a correction is made, the individual may require that copies of the corrected information be provided to all previous recipients. Where this is a disagreement about the accuracy of information, the individual may include along with the disputed information a statement of disagreement.

D. Use
Information may only be used for a purpose that is identified and described at the time that the information is collected. Other uses may be permitted only if they are not inconsistent with the original understanding.

E. Disclosure
Disclosures other than those described at the time of collection may be made to third parties only with the consent of the individual or where required by law. Explicit consent by the data subject shall be required for personal information of the highest sensitivity and may be implied for less sensitive personal information. (Whether consent must be express [opt-in] or may be implied [opt-out] is an open question.)

F. Accuracy
Information keepers and processors must take appropriate steps to assure the accuracy, completeness, timeliness, and security of the information. Information keepers and processors must devote adequate resources to these functions.

G. Enforcement
Rules about the collection, maintenance, use, and disclosure of information should be enforced through suitable mechanisms, such as administrative processes, professional standards, civil actions, criminal penalties, government or private ombudsmen, and other means.

H. Oversight
There is a need for an independent federal entity to conduct privacy oversight and policy-making activities.

  • Information keepers and processors and others should be encouraged to explore technical means to protect privacy.
  • There should be an exploration of other means to promote self-determination in the use of personal information, including proprietary rights and dual control mechanisms.
  • The creation of information trustees who maintain personal data on behalf of diverse information keepers and processors should be considered.
  • There is a need to explore the rights and responsibilities of individuals and information keepers and processors when changes in the use and disclosure of information are developed after the time of collection.

Together we must begin drafting a law that can be shared by the people, city governance, and our local businesses. Together we must approve these measures and begin putting a stop to mass surveillance on any and all people, not just Americans, while also demonstrating our right to privacy.