Digital Insurgency

Where Surveillance, Encryption & Privacy Collide

Monthly Archives

July 2016

Remember that scene at the end of The Bourne Identity where Brian Cox is testifying before the Intelligence Committee about Treadstone and Black Briar and describes the former as a training op and the second as a communications program despite both being covert death squads? It’s easy enough to think that stuff like that doesn’t happen in the real world, but don’t be too sure. The FBI has been running a “pilot project” to test iris scanning technology whose original stated objective was just to evaluate the technology available at the time. That started in 2013.

Now it’s easy enough to assume that the government moves REALLY slowly and that they simply haven’t gotten very far. Unfortunately, their ability to gather scanned irises hasn’t been quite so slow. The iris database now contains more than 430,000 iris scans, with almost half coming from San Bernardino, California. San Bernardino has become so proficient at obtaining iris scans that over the last two and a half years they have snapped up almost ten percent of the city’s population of 2 million.

That a database of nearly a half million people has been amassed by the FBI is perhaps not too surprising, but what might be shocking is the fact that, as a pilot project, there has been no oversight and no privacy disclosure or assessment. As Colin Lecher at The Verge describes it, “The result amounts to a new national biometric database that stretches the traditional boundaries of a pilot program, while staying just outside the reach of privacy mandates often required for such data-gathering projects.” What is worse, the gathering of iris data may be for minor offenses and is often taken pre-trial and submitted in near real-time to the FBI.

The California Justice Department, like other agencies the FBI has partnered with, can log a scan as part of the booking process, even for low-level crimes, and well before a conviction. When the scans are sent to the national database, the FBI says, they are bundled with fingerprints and mug shots.

Had you been arrested in California for a minor offense and ultimately released without charges, your iris may still be on file with the feds. Because this is ostensibly a pilot project, and not a fully functioning identification system, a complete privacy assessment was not done. It’s not even clear if one will be done as the project is part of the FBI’s Next Generation Identification database and the FBI is looking to exempt that from privacy laws.


Over the last week there has been a lot of fretting about a decision by the US Court of Appeals for the Ninth Circuit regarding a case in which a former employee gained access to his former employer’s proprietary database using a current employee’s password. A veritable who’s who of tech blogs have been spun up claiming that the decision makes it illegal to share your Netflix password.

In his dissenting opinion, Judge Stephen Reinhardt pointed out that the trouble with ambiguous phrases like “unauthorized access” is that they could be interpreted to criminalize the actions of millions of Americans who might share their Netflix passwords.

The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders, which may also be contrary to the policies of system owners. There simply is no limiting principle in the majority’s world of lawful and unlawful password sharing.

Simply put, this is nonsense. In the case, David Nosal, a headhunter, left his employer to start a new firm, and brought several other employees along for the ride. Together, they used the password of a current employee of their former employer to access sensitive and proprietary data belonging to their former firm. This is, quite simply, hacking. Had they used a brute force attack to compromise their former employer’s data, it would be no different. As former employees, they simply were not allowed to access the system. Period.

I have my issues with many of our cybercrime laws. For instance, the defacement of a website is essentially the equivalent of spray painting your name on a building wall. In many ways it is actually less serious as it can typically be undone with a backup restore, and has almost zero cost associated with it. Compare that to the cost of having to hire someone to paint over or sandblast your wall. Yet the defacement of a website is a serious crime and the punishment for physical vandalism is typically very minor.

In Nosal’s case, however, the comparison to the real-world equivalent of his crime is pretty spot on.

If Nosal had been employed by a department store, quit, then got his buddy the night-shift stock clerk to open the door so he could come in and steal all of their clothing to resell it, he still stole the clothing. It doesn’t matter that he had a friend on the inside. In fact, the friend on the inside should be charged as well for facilitating the burglary. The tech blogs, however, want to draw a different comparison. They want you to believe that his friend helping to steal from Target is the same as his friend simply lending Nosal the key to his house despite the fact that his roommate was home.

To be clear, nobody was charged with sharing a password. Nosal was charged with illegally accessing a proprietary database to steal something of value from a system he was not authorized to access. The facts of the case are not in dispute. The Computer Fraud and Abuse Act, under which Nosal was tried, was meant to handle exactly this sort of incident – an individual circumventing prohibitions on system access to steal something of great value.

The comparison to sharing a Netflix password, specifically, is completely ridiculous given that Netflix actively encourages you to share your account by allowing you to specify multiple account users. Nothing in this decision makes that illegal.

If the tech community wanted to make a sensationalist claim, a more apt comparison might be the sharing of an Amazon password to get a Prime discount tomorrow. Even that, however, is not an apt comparison as you are still paying for the goods, albeit at a savings. You are still paying the full price that any Prime member would pay. The CFAA does, however, give Amazon the legal authority to prosecute that if they would like to do so.

Despite the wishes of the “everything should be free” crowd, there is still a concept of ownership. The CFAA decision reinforces that concept and holds individuals (in this case Nosal) responsible for theft of goods owned by someone else. Despite the public outcry, this decision was rightly decided and is, in fact, a feature of the law, not a bug.