[Dave Birch] If you build a stable door, then one day you will inevitable find yourself locking it while your horse disappears over the horizon. There's been no better illustration of this in recent times than the recent hulabaloo about Google in China. Apparently, Chinese "hackers" were found it rather easy to break into the e-mail accounts of human rights activists and so forth, because Google had been forced to build a system to do precisely that.

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

[From Google attack part of widespread spying effort]

So companies are forced to build a stable door, and then when the inevitable happens, people appear shocked. The root problem is, naturally, that there is no underlying strategy: we fight using the technology of the next war but the tactics of the last one, as someone once said but I couldn't find out who by googling. If you want proof of this, you only need consider the US government's official response to the incident in a speech by the Secretary of State, Mrs. Clinton, that cofnirmed one of my most basic criticisms of government policy in this cyber age:

The speech made it obvious that State Department officials do not have a coherent view on online anonymity. On the one hand, they want to crack down on intellectual property theft and terrorists; on the other hand, they want to protect Iranian and the Chinese dissidents. Well, let me break the hard news: You can't have it both ways and the sooner you get on with "anonymity for everyone" rhetoric, the more you'll accomplish.

[From Is Hillary Clinton launching a cyber Cold War? | Net Effect]

In fact, US (and other governments') policy in this area isn't just confused and pointless, it's actually dangerous. While I was googling for references, I discovered that the always sensible security expert Bruce Schneier had used this story to make the same point.

The news here isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated — we knew that already — it's that the U.S. government inadvertently aided the hackers.

[From U.S. enables Chinese hacking of Google – CNN.com]

You can't have privacy without security, as the relatively old saying goes. Ah, you might object, but there's a greater good argument: security without privacy is the only way society can fight the bad guys. We must be able to read people's Google mail accounts because we need to track down criminals and terrorists. And, indeed, this is sort of true. If you know that Osama bin Laden is sending me e-mail, then you might want to investigate me a little further. And I imagine that obtaining the contents of all of my e-mails, from Google, might be a convenient way to do it (although, of course, if I am a terrorist and I know that government is able to read my mail, then I will send misleading e-mail and use an alternative secure channel to conference my confederates). Anyway, you think I'm a bad guy so you want to be able to go to Google and get all my mail. This already happens, in fact.

Prosecutors obtained a CD-ROM disk from Google Inc. this week of Mr. Tannin’s e-mail messages from Nov. 20, 2006, through Aug. 12, 2007. The two funds collapsed in June 2007. Mr. Cioffi, 53, and Mr. Tannin, 48, were indicted for fraud, and Mr. Cioffi also was charged with insider trading, the first managers accused of criminal charges from a company that collapsed in the financial crisis. The hedge funds’ failure cost investors $1.4 billion.

[From E-mail Shows Fear of ‘Blow-Up Risk’ at Bear Fund – DealBook Blog – NYTimes.com]

To be honest, I'm not sure what the fuss is about. If you send something in an e-mail, then as far as I am concerned you have no reasonable expectation of privacy. If you wouldn't put it on a postcard, then you shouldn't put in an e-mail (was it Phil Zimmerman of PGP who first said that?). If these hedge fund guys really wanted to send secret messages to each other then they could have used anonymous comments on an obscure blog, rolling IM accounts changing in a pattern known only to them or, ahem, encryption. Havent't they ever watched the world's best TV drama, "The Wire"?

So I'm not saying that prosecutors shouldn't try to go and get these e-mails. But should they get them from Google? I have a book on my shelf somewhere — the title won't come to mind — which says that, essentially, the government doesn't regulate books because it can't and it does regulate TV because it can (this was a few years ago). Surely this is what is going on here. It might be harder to nail those guys without a copy of their Google e-mail, but is it plausible that without the Google e-mail they will get off? Well, in this case they got off because of the e-mails, as far as I can see.

the prosecution blew it — on two counts. First, in devising the original indictment for conspiracy and securities fraud against the two defendants, Ralph Cioffi and Matthew Tannin, it relied on damning snippets of lengthy e-mail messages that when viewed in their entirety proved to be highly ambiguous. Second, the prosecution made a reductionist opening argument claiming the men were nothing more than out-and-out liars, needlessly raising the bar in terms of what it had to prove to jurors

[From Bear Stearns Trial: How the Scapegoats Escaped – DealBook Blog – NYTimes.com]

Suppose you are a policeman. If Osama bin Laden is sending me e-mail every day, but you can't get the contents of those e-mails from Google or BT, is that worse for society than Osama bin Laden being able to read all of your e-mails? The mere fact that I'm getting e-mail, text message or care packages from a cave in Afghanistan is enough for you to put me under surveillance and from then on other methods can take over. Look, I don't know what the answer is either, but I do know that there is a question, and therefore understand that there is a danger

Here's another example of that danger. In the UK national identity scheme, transgendered people are allowed to have two identity cards. Whether this is right or wrong is not the point of this post.

Transgender people will have two cards at the same time, one for their old identity and a new one for when they have completed their sex change.

[From BBC NEWS | Politics | £1,000 fine for wrong ID details]

This means that the national ID system must therefore have the capability to issue more than one card against the same set of biometrics. If it did not, then the aforementioned transgendered people could not have two cards (transgendered people do not have two sets of fingerprints). There must be software in the system that allows someone to issue another card, with different details, against a set of biometrics that already have a card outstanding. When you think about it, you can see that this kind of system must have this kind of functionality (because the government will want to issue multiple identity cards to undercover policemen, spies, citizens in witness protection programs and so forth. Since this functionality exists, it will inevitably be exploited by someone in order to get themselves two cards when they shouldn't: so, I might pay a clerk to fraudulently issue me with a transgendered female identity card, even though I'm not actually transgendered, because I want to use it to get into a pub somewhere and commit a murder. The witnesses report that the killer was a man, but when the police check the pub computer system for a list of all the men who entered the pub, I'm not on it (because I used my female card to get in). That's a great idea for an episode of Spooks, so I'll send it in.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: