Tag Archives: Cybersecurity

Big Brother Is Not Fit To Hold My Data

[By Tamarleigh Grenfell]

Let’s say my brother and I are out on the town. He insists on holding my purse for me while I use the restroom, but then leaves my purse sitting in plain sight right on the bar, and some creep steals it. Should I trust my brother with my purse, ever again?

The U.S. Office of Personnel Management (OPM) sent me a letter this month informing me that my personal information was stolen in a “malicious cyber intrusion” earlier this year. My personal data (such as my SSN, name, address, date of birth, place of birth, residency history, employment history, educational history, personal foreign travel history, immediate family members, business acquaintances, personal acquaintances, medical history, criminal history, financial history, and more!) is all now somewhere out there in cyberspace, and like extinction and herpes, the Internet is forever.

This leak alone affected 21.5 million people, including 5.6 million people’s fingerprints, including mine. I provided that information, and my fingerprints, to the federal government long ago when I applied for a job as a research assistant at the Smithsonian Astrophysical Observatory. What started as an actual folder, somewhere along the line, got connected to Skynet – sorry, the Internet, and my fingerprints, which I can never change, were digitized and uploaded along with everything else.

What if I had found my brother two years ago photocopying my diary and circulating it to his friends for laughs, and when confronted he just muttered something about it being to “keep me safe” because “there are dangerous people out there”? What if he then went out on the street with a bullhorn, telling everyone who would listen that we need to give him special keys to unlock all their stuff, because if we don’t, the Terrorists Will Win? What if he decided all on his own to break every lock in town, so he could access any document at any time? How much should I trust him then?

Zen and the Art of Cybersecurity

In the hothouse of Congress, members have been sweating over the need to do something – anything – about “cybersecurity.” They were under pressure from the administration, the intelligence services, and the tech industry. But the latest news is that the Republican majority will be turning, in the few days left before the recess, from the contentious highways bill to a bill to defund Planned Parenthood, likely shifting the previously-catastrophically-urgent cybersecurity crisis through to the fall. So Congress, like my seven-year-olds in school assembly, can take a few deep breaths and imagine that they can smell a flower.

The truth is, there never was a “cybersecurity crisis.” Companies are already legally allowed to share information on hacking attempts with the government, and they usually do. This debate is not really about making US companies or the US government more secure; it’s about putting more of your information, that you have voluntarily shared with US companies, into the government’s hands, without companies being liable for violating their privacy policies for sharing personally identifiable information. All proposals on the table in Congress would immunize companies from suit in this way. In this sense, it would be perfectly all right for Congress to do nothing.

Nevertheless, there is a cybersecurity problem that is worth trying to solve. The government is not a good custodian of our data. Its networks are often poorly secured and vulnerable to outside intrusion. In the surveillance arena, there are now over five million people with security clearances, who are in a position to leak sensitive information. Cultivating a more disciplined approach to network protection and data retention would seem to be a good idea. That’s where the principle above comes in.

In this spirit, let’s calmly reflect on what a bill dealing with this real problem would look like.

Suffolk County DA Conley logging parents’ keystrokes, for “safety”

We think our version captures the spirit of this initiative better than the original.


Well, well. This “school safety” stuff keeps getting more interesting.

I didn’t focus on the elements of the school safety task force’s report that dealt with teaching children to “be safe” on the Internet, because, well, they sounded pretty innocuous. Turns out I wasn’t paranoid enough.

EFF reports that DAs and police departments across the country have been distributing elderly spyware called “ComputerCop” to parents as part of feel-good “Internet Safety” events at schools. This apparently includes a “service” called “KeyAlert”, which allows parents to track their children’s keystrokes. When it collects those keystrokes, it also stores them unencrypted on your hard drive (on Windows machines) and transmits them, unencrypted, to a third-party server so that the parents can be emailed when chosen keywords are typed. And, as readers of this blog will know, law enforcement can then request that keylogged data from the third party without a warrant.

Well, that’s fabulous. Sounds pretty useful. For law enforcement. Why not, then, promote keyloggers on as many computers as possible? And as with social media, it looks like offering something for free really helps members of the public surveil themselves. EFF notes:
