Security quotes of the week

We were very concerned to hear that the Copyright Office is strongly considering recommending changing the DMCA to mandate a “Notice and Staydown” regime. This is the language that the Copyright Office uses to talk about censoring the web. The idea is that once a platform gets a notice regarding a specific copyrighted work, like a specific picture, song, book, or film, that platform would then be responsible for making sure that the work never appears on the platform ever again. Other users would have to be prevented, using filtering technology, from ever posting that specific content ever again. It would have to “Stay Down.”
Lila Bailey for the Internet Archive

We’re able to disclose details of these NSLs [National Security Letters] today because, with the enactment of the USA Freedom Act, the FBI is now required to periodically assess whether an NSL’s nondisclosure requirement is still appropriate, and to lift it when not. We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data.
Chris Madsen of Yahoo as part of the first-ever acknowledgment of the receipt of an NSL

For more than forty years, electronic surveillance law in the United States developed under constitutional and statutory regimes that, given the technology of the day, distinguished content from metadata with ease and certainty. The stability of these legal regimes and the distinctions they facilitated was enabled by the relative stability of these types of data in the traditional telephone network and their obviousness to users. But what happens to these legal frameworks when they confront the Internet? The Internet’s complex architecture creates a communication environment where any given individual unit of data may change its status—from content to non-content or vice versa—as it progresses through the Internet’s layered network stack while traveling from sender to recipient. The unstable, transient status of data traversing the Internet is compounded by the fact that the content or non-content status of any individual unit of data may also depend upon where in the network that unit resides when the question is asked. In this IP-based communications environment, the once-stable legal distinction between content and non-content has steadily eroded to the point of collapse, destroying in its wake any meaningful application of the third party doctrine.
— The abstract of a paper by Steven M. Bellovin, Matt Blaze, Susan Landau, and Stephanie K. Pell

Security quotes of the week

Posted Jun 9, 2016 23:02 UTC (Thu) by xtifr (guest, #143) [Link] (1 responses)

Why is Yahoo claiming the "first ever acknowledgment of the receipt of an NSL" when the Internet Archive, several years previously, had, with the help of the EFF and the ACLU, won the right to acknowledge _and publish_ a slightly redacted copy of the NSL they received?

The EFF's article on the Archive's case: https://www.eff.org/cases/archive-v-mukasey

The EFF's copy of the Archive's NSL: https://www.eff.org/document/national-security-letter-int...

I assume there are some notable differences between Yahoo's case and the Archive's case, but I haven't found any sources discussing what those differences are, assuming they do exist.

Security quotes of the week

Posted Jun 10, 2016 8:47 UTC (Fri) by robbe (guest, #16131) [Link]

The full quote is
> This marks the first time any company has been able to publicly
> acknowledge receiving an NSL as a result of the reforms of the
> USA Freedom Act.
i.e. via a relatively low-key process, in contrast to lengthy per-instance law cases (I also remember Nicholas Merrill’s „Doe v. Ashcroft“ case).

I’m not sure whether „the system is working“ is the implied message. I certainly do not consider self-oversight by the FBI ideal. But this USA Freedom Act (I can barely bring myself to type such a stupid name) seems to have pushed this in a better direction.

Metadata vs data

Posted Jun 10, 2016 9:07 UTC (Fri) by robbe (guest, #16131) [Link]

I think even in the 1950s and before this distinction between metadata and data was already suspect.

„Reasonable expectation“ is a better doctrine. As a user of communications technology, I should be aware that, to make the system work, some things have to be known by various relaying parties that are not the intended recipient.

For a letter, the address is needed to deliver it, so nobody expects it to be very private.
With telegrams, even the content was by necessity known to two or more operators, so reasonable people did not rely on its secrecy.
In a telephone conversation, the switchboard operators had to know the number to connect you. But listening in to the conversation would be out of line.

What has changed, of course, is automation. There are no manually switched phone connections any more; no human needs to be cognisant of whom I call. If I were able to prove to my phone switch that this call was properly paid for, it wouldn’t have to enter it into its records AT ALL. This does not prevent „active taps“ of the sort: please record (maybe with content) all calls from X to Y.


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.