Showing posts with label surveillance. Show all posts

Tuesday, January 28, 2014

Spymaster wants to outlaw reporting on NSA spying

Posted by Jim Hightower


In the movie plot of a spy thriller, our hero gets captured by agents of a repressive government, and they take him into a dark interrogation room, where the sadistic spymaster hisses at him: "We have ways of making you talk."

Meanwhile, in real life, the director of our National Security Agency hisses at journalists: "We have ways of keeping you from talking." Well, not quite in those words, but Gen. Keith Alexander, chief spook at NSA and head of US Cyber Command, did reveal a chilling disrespect for our constitutional right to both free speech and a free press. In an October interview, he called for outlawing any reporting on his agency's secret program of spying on every American: "I think it's wrong that newspaper reporters have all these documents… giving them out as if these – you know it just doesn't make any sense." Then came his spooky punch line: "We ought to come up with a way of stopping it… It's wrong to allow this to go on."

Holy Thomas Paine! Spy on us, okay; report on it, not. What country does this autocrat represent? Alexander's secret, indiscriminate, supercomputer scooping-up of data on every phone call, email, and other private business of every American is what "doesn't make any sense." It's an Orwellian, mass invasion of everyone's privacy, creating the kind of routine, 24/7 surveillance state our government loudly deplores in China and Russia – and it amounts to stomping on our Fourth Amendment guarantee that we're to be free of "unreasonable searches and seizures."

That's the real outrage we should be "stopping." But no, our constitutionally clueless spymaster doubles down on his dangerous ignorance by also stomping on the First Amendment. If this were a movie, people would laugh at it as being too silly, too far-fetched to believe. But there it is, horribly real.

"Keith Alexander Says The US Gov't Needs To Figure Out A Way To Keep Journalists From Reporting On Snowden Leaks," www.techdirt.com, October 25, 2013.

"NSA chief: Stop reporters 'selling' spy documents," www.politico.com, October 24, 2013.

"Goodbye Free Press? As Europe Erupts Over US Spying, NSA Chief Says Government Must Stop the Media," www.alternet.org, October 26, 2013.

Wednesday, January 22, 2014

AMC movie theater calls “federal agents” to arrest a Google Glass user

By: Julie Strietelmeier
on January 20, 2014 2:00 pm
A long time Gadgeteer reader contacted me today through Google Hangouts to tell me that he had a story that he thought I’d be interested in reading. He then forwarded me a long email with a story from a very good friend of his. It was such a surprising story that I asked if I could have permission to post it here on The Gadgeteer. I ended up communicating with the author of the story and have posted it here for everyone to read…

I have been using Google Glass for about 2 months now, and about 2 weeks ago I got prescription lenses for the glasses. So in the past two weeks I was wearing Google Glass all the time. There were no stories to write about, until yesterday (1/18/2014).
I went to AMC (Easton Mall, Columbus, OH) to watch a movie with my wife (non-Google Glass user). It is the theater we go to every week, so it has probably been the third time I’ve been there wearing Google Glass, and the AMC employees (guy tearing tickets at the entrance, girl at the concession stand) have asked me about Glass in the past and I have told them how awesome Glass is on every occasion.
Because I don’t want Glass to distract me during the movie, I turn them off (but since my prescription lenses are on the frame, I still wear them). About an hour into the movie (Jack Ryan: Shadow Recruit), a guy comes near my seat, shoves a badge that had some sort of a shield on it, yanks the Google Glass off my face and says “follow me outside immediately”.
It was quite embarrassing and outside of the theater there were about 5-10 cops and mall cops. Since I didn’t catch his name in the dark of the theater, I asked to see his badge again and I asked what was the problem and I asked for my Glass back. The response was “you see all these cops you know we are legit, we are with the ‘federal service’ and you have been caught illegally taping the movie”.
I was surprised by this and as I was obviously just having a nice Saturday evening night out with my wife and not taping anything whether legally or illegally, I tried to explain that this is a misunderstanding. I tried to explain that he’s holding rather expensive hardware that cost me $1,500 for Google Glass and over $600 for the prescription glasses.
The response was that I was searched and more stuff was taken away from me (specifically my personal phone, my work phone – both of which were turned off, and my wallet).
After an embarrassing 20-30 minutes outside the movie theater, my wife and I were conducted into two separate rooms in the “management” office of Easton Mall, where the guy with the badge introduced himself again and showed me a different ID. His partner introduced herself too and showed me a similar looking badge. I was by that time too flustered to remember their names (as a matter of fact, now, over 30 hours later, I am still shaking when recounting the facts).
What followed was over an hour of the “feds” telling me I am not under arrest, and that this is a “voluntary interview”, but if I choose not to cooperate bad things may happen to me (is it legal for authorities to threaten people like that?)
I kept telling them that Glass has a USB port and not only did I allow them, I actually insist they connect to it and see that there was nothing but personal photos with my wife and my dog on it. I also insisted they look at my phone too and clear things out, but they wanted to talk first. They wanted to know who I am, where I live, where I work, how much I’m making, how many computers I have at home, why am I recording the movie, who am I going to give the recording to, why don’t I just give up the guy up the chain, ’cause they are not interested in me. Over and over and over again.
I kept telling them that I wasn’t recording anything – my Glass was off, they insisted they saw it on. I told them there would be a light coming out the little screen if Glass was on, and I could show them that, but they insisted that I cannot touch my Glass for the fear “I will erase the evidence against me that was on Glass”.
I didn’t have the intuition to tell them that Glass gets really warm if it records for more than a few minutes and my glasses were not warm. They wanted to know where I got Glass and how I came by it. I told them I applied about 1,000 times to get in the explorer program, and eventually I was selected, and I got the Glass from Google.
I offered to show them the receipt and the Google Glass website if they would allow me to access any computer with Internet. Of course, that was not an option. Then they wanted to know what Google asks of me in exchange for Glass, how much Google is paying me, who my boss is and why I am recording the movie.
Eventually, after a long time somebody came with a laptop and a USB cable, at which point he told me it was my last chance to come clean. I repeated for the hundredth time that there is nothing to come clean about and this is a big misunderstanding, so the FBI guy finally connected my Glass to the computer, downloaded all my personal photos and started going through them one by one (although they are dated and it was obvious there was nothing on my Glass that was from the time period they accused me of recording).
Then they went through my phone, and 5 minutes later they concluded I had done nothing wrong.
I asked why didn’t they just take those five minutes at the beginning of the interrogation and they just left the room. A guy who claimed his name is Bob Hope (he gave me his business card) came in the room, and said he was with the Movie Association and they have problems with piracy at that specific theater and that specific movie.
He gave me two free movie passes “so I can see the movie again”. I asked if they thought my Google Glass was such a big piracy machine, why didn’t they ask me not to wear them in the theater? I would have probably sat five or six rows closer to the screen (as I didn’t have any other pair of prescription glasses with me) and none of this would have happened. All he said was AMC called him, and he called the FBI and “here are two more passes for my troubles”. I would have been fine with “I’m sorry this happened, please accept our apologies”. Four free passes just infuriated me.
Considering it was 11:27 p.m. when this happened, and the movie started at 7:45, I guess 3 and a half hours of my time and the scare my wife went through (who didn’t know what was going on as nobody bothered to tell her) is worth about 30 bucks in the eyes of the Movie Association and the federal militia (sorry, I cannot think of other derogatory words).
I think I should sue them for this, but I don’t have the time or the energy to deal with “who is my boss – they don’t want me, they want the big guy” again, so I just spilled the beans on this forum, for others to learn from my experience.
I guess until people get more familiar with Google Glass and understand what they are, one should not wear them to the movies. I wish they would have said something before I went to the movies, but it may be my mistake for assuming that if I went and watched movies two times wearing Glass with no incident the third time there won’t be any incident either. As for the federal agents and their level of comprehension… I guess if they deal with petty criminals every day, everybody starts looking like a petty criminal.
Again, I wish they would have listened when I told them how to verify I did nothing illegal, or at least apologize afterwards, but hey… this is the free country everybody praises. Somewhere else might be even worse.
Crazy huh? His story read like something out of the Jack Ryan movie that he and his wife had gone to see. Are there any other Google Glass users out there that have been treated badly just for your wearable tech? If not, are you reconsidering wearing a pair to the next movie you attend?

Update (01/21/14):
Wow, this article has completely blown up our web server due to the traffic. I just wanted to follow up with a few comments and info. First of all, I’m not a journalist, I’m a tech geek writer. Posting this article has given me a good learning lesson though, which I’ll use if I ever post a similar article in the future.

I have been criticized for not citing my sources and following up with the theater to verify that the story was true. I didn’t feel the need at the time because the person who gave me the story is a long time Gadgeteer reader and works in law enforcement. I felt 100% confident the story was not a hoax.

I did however call the theater in question and tried to get in touch with someone there for a comment. My calls went unanswered.

After the article was posted, Rob Jackson of Phandroid posted his take on the article and asked me for the author’s contact info. With the author’s permission, I forwarded that info and Rob followed up with some questions and answers that he posted on his site. Take a look for more info on this story:
http://phandroid.com/2014/01/20/fbi-google-glass-movie/

Update #2:
I just received info from the author with regards to the agents that questioned him:
For the sake of having all the facts right. I have been trying to find out who the agents that “interviewed” me at AMC were, so I asked help from a guy I know at FBI. I worked with this guy in the past when I was employed at a webhosting company. He did some digging, and he tells me the “federal agents” talking to me were DHS.
Update #3:
The title of the article has been changed to reflect the recent update from the author that it was actually the DHS (Department of Homeland Security) who detained him and not the FBI as he originally thought.

Update #4:
The story has been confirmed. I just received this email from the author:
Julie, Rob.
I spoke with a reporter from Columbus Dispatch, who obtained a
statement from DHS and forwarded it to me. Here it is:

From: Walls, Khaalid H [mailto:Khaalid.H.Walls@ice.dhs.gov]
Sent: Tuesday, January 21, 2014 1:16 PM
To: Allison Manning
Subject: ICE
Hi Ally,
Please attribute the below statement to me:
On Jan. 18, special agents with ICE’s Homeland Security Investigations and local authorities briefly interviewed a man suspected of using an electronic recording device to record a film at an AMC theater in Columbus. The man, who voluntarily answered questions, confirmed to authorities that the suspected recording device was also a pair of prescription eye glasses in which the recording function had been inactive. No further action was taken.
Khaalid Walls, ICE spokesman
Khaalid Walls
Public Affairs Officer
U.S. Immigration and Customs Enforcement (ICE)
313-226-0726
313-215-7657(m)

Update #5
http://www.dispatch.com/content/stories/local/2014/01/21/google-glass-at-easton-theater.html

Friday, January 3, 2014

How local police departments are spying on us now, too

It's not just the NSA anymore. Here's how local law enforcement collects your call data, even if unrelated to crime



By now, it’s well known that the National Security Agency is collecting troves of data about law-abiding Americans. But the NSA is not alone: A series of new reports show that state and local police have been busy collecting data on our daily activities as well — under questionable or nonexistent legal pretenses. These revelations about the extent of police snooping in the U.S. — and the lack of oversight over it — paint a disturbing picture for anyone who cares about civil liberties and privacy protection.

The tactics used by law enforcement are aggressive, surreptitious and surprising even to longtime surveillance experts. One report released last month made front page news: an investigation by more than 50 journalists that found that local law enforcement agencies are collecting cellphone data about thousands of innocent Americans each year by tapping into cellphone towers and even deploying fake ones (cell-site simulators) that trick nearby handsets into connecting and act as data traps.

A new report by the Brennan Center for Justice at NYU School of Law details how police departments around the country have created data “fusion centers” to collect and share reports about residents. But the information in these reports seldom bears any relation to crime or terrorism. In California, for example, officers are encouraged to document and immediately report on “suspicious” activities such as “individuals who stay at bus or train stops for extended periods while buses and trains come and go,” “individuals who carry on long conversations on pay or cellular phones,” and “joggers who stand and stretch for an inordinate amount of time.” In Houston, the criteria are so broad they include anything deemed “suspicious or worthy of reporting.” Many police departments and fusion centers have reported on constitutionally protected activities such as photography and political speech. They have also demonstrated a troubling tendency to focus on people who appear to be of Middle Eastern origin.


Like the NSA – their heavy-handed Big Brother – these fusion centers cast a wide net and risk civil liberties for paltry returns. And all of it is happening without sufficient oversight or accountability. In other words, no one is watching Little Brother.

How did it come to this?  In the aftermath of the Sept. 11, 2001, attacks, all levels of government – federal, state and local – embarked on a massive effort to improve information sharing. Federal taxpayer dollars fueled the transition into a new role for state and local police as the eyes and ears of the intelligence community.

The ad hoc system that has developed — of individual police departments feeding information to federal authorities — has been plagued by vague and inconsistent rules. For one thing, there’s a lack of agreement about what counts as “suspicious activity” and when that information should be shared.
The goal, in theory, is to reveal potential terrorist plots by “connecting the dots” of disparate or even innocuous pieces of information. But in practice, such programs often infringe on civil liberties and threaten safety, producing a din of data with little or no counter-terrorism value. In Boston, for example, the regional fusion center fixated on monitoring peace activists and Occupy Boston protesters but may have been unaware that the FBI conducted an assessment of bombing suspect Tamerlan Tsarnaev based on a tip from Russia, or that local authorities had implicated him in a gruesome triple homicide on the anniversary of 9/11.

In fact, a 2012 report by the Senate Homeland Security Committee found that much of the information produced by fusion centers was not only useless, but also possibly illegal. Indeed, more than 95 percent of so-called suspicious activity reports are never investigated by the FBI.

We can do better. First and foremost, there must be a consistent, transparent standard for state and local intelligence activities based on reasonable suspicion of criminal activity – the traditional bar for opening an investigation. The federal government should make this standard a prerequisite for sharing suspicious activity reports on its networks. State and local police should adopt it as well.

Second, stronger oversight and accountability is necessary across the board. At the federal level, Congress should tie continued funding for fusion centers to regular, independent and publicly available audits to assess compliance with privacy rules. State and local elected officials should also consider creating an independent police monitor, such as an inspector general, to safeguard privacy and civil rights.

To be sure, cooperation between levels of government is essential, and state and local law enforcement have an important role to play in keeping Americans safe. But the current system is ineffective, wasteful and harmful to constitutional values.

It is time to recalibrate the system and make the state and local role in national security efficient, rational and fair.

Michael Price is counsel in the Liberty and National Security Program at the Brennan Center for Justice at NYU School of Law.

 

Monday, October 21, 2013

Philly Cop Stops Black Man, Tells Him ‘All You Do Is Weaken the Fucking Country’

By Mychal Denzel Smith


This video was recorded on September 27 and uploaded to YouTube a few days later. It has recently made the rounds on social media and caught the attention of major news outlets. In it, two Philadelphia police officers stop, detain briefly and question two young black men who are walking down the street. The reason given for the stop is that one of the young men said “Hi” to a drug dealer.

You should watch the video in its entirety:



There are a number of choice quotes to be pulled from this video, my favorite among them the retort from the young man being stopped and who managed to film the incident, “You not protecting me by stopping me when I’m trying to go to work,” but it’s this exchange that has come to define the encounter:
Officer: “We don’t want you here [in Philadelphia], anyway. All you do is weaken the fucking country.”
Young man: “How do I weaken the country? By working?”
Officer: “No, freeloading.”
Young man: “Freeloading on what? I work.”
Officer: “Do you? Where?”
Young man: “[redacted] Country Club.”
Officer: “Doing what?”
Young man: “I’m a server”
Officer: “A server? Serving weed?”
The officer responsible for this racist line of questioning, Philip Nace, was recently placed in the Differential Police Response Unit, a disciplinary unit, for what a police spokesman called “idiotic behavior” after another video surfaced of him knocking down a basketball hoop and, while driving away in a police van, telling the group that was playing “have a good day.” He is being investigated by Internal Affairs.

“But this is one individual,” Lt. John Stanford told the Philadelphia Daily News, “Don’t let this individual put it in your mind that this is how officers act. The vast majority of officers give the residents of this city 110 percent.”

The problem is, as badly as Philadelphia police may want to isolate Nace and his poor behavior, this isn’t the result of mistakenly hiring one racist cop. This is a racist policy supported by a racist society doing exactly what it was designed to do.

Had Nace used softer language, had he asked politely and said “please” and “thank you,” he still would have stopped, searched and collected information on an innocent person for having done nothing more than speaking to someone he passed on the street. Because that’s the policy.

Philadelphia’s use of stop-and-frisk doubled in 2009, two years after the election of Mayor Michael Nutter (in case anyone were led to believe it’s only white mayors and police commissioners responsible for implementing this tactic, both Nutter and Commissioner Charles Ramsey are black), and in a similar fashion to what has recently happened in New York City, it was challenged in court and the city agreed to make adjustments to the policy.

However, it still exists, and still disproportionately targets black and Hispanic men. And one can’t divorce this from the fact that school budgets, affecting mostly black students, have been slashed, while hundreds of millions are being poured into a new prison facility, or the youth curfew that was implemented a few years ago.

Through colorblind language, there exists a concerted effort to criminalize the presence of black and brown youth in public and shuttle them off to bigger, shinier prisons.

They can discipline Nace, even remove him from the force (and they should), but his actions are only a symptom of the larger disease. The more we focus our energy on the Naces of the world, the further we get from a cure.

Mychal Denzel Smith has previously argued that institutional racism persists in the criminal justice system with or without stop-and-frisk programs.

Tuesday, August 20, 2013

How to Keep the NSA Out of Your Computer

Sick of government spying, corporate monitoring, and overpriced ISPs? There's a cure for that.

JOSEPH BONICIOLI mostly uses the same internet you and I do. He pays a service provider a monthly fee to get him online. But to talk to his friends and neighbors in Athens, Greece, he's also got something much weirder and more interesting: a private, parallel internet.

He and his fellow Athenians built it. They did so by linking up a set of rooftop wifi antennas to create a "mesh," a sort of bucket brigade in which each node relays data for its neighbors, so a packet hops from rooftop to rooftop until it reaches its destination. It's actually faster than the Net we pay for: Data travels through the mesh at no less than 14 megabits per second, and up to 150 Mbps, about 30 times faster than the commercial pipeline I get at home. Bonicioli and the others can send messages, video chat, and trade huge files without ever appearing on the regular internet. And it's a pretty big group of people: Their Athens Wireless Metropolitan Network has more than 1,000 members, from Athens proper to nearby islands. Anyone can join for free by installing some equipment. "It's like a whole other web," Bonicioli told me recently. "It's our network, but it's also a playground."

Indeed, the mesh has become a major social hub. There are blogs, discussion forums, a Craigslist knockoff; they've held movie nights where one member streams a flick and hundreds tune in to watch. There's so much local culture that they even programmed their own mini-Google to help meshers find stuff. "It changes attitudes," Bonicioli says. "People start sharing a lot. They start getting to know someone next door—they find the same interests; they find someone to go out and talk with." People have fallen in love after meeting on the mesh.

The Athenians aren't alone. Scores of communities worldwide have been building these roll-your-own networks—often because a mesh can also be used as a cheap way to access the regular internet. But along the way people are discovering an intriguing upside: Their new digital spaces are autonomous and relatively safe from outside meddling. In an era when governments and corporations are increasingly tracking our online movements, the user-controlled networks are emerging as an almost subversive concept. "When you run your own network," Bonicioli explains, "nobody can shut it down."

THE INTERNET may seem amorphous, but it's at heart pretty physical. Its backbone is a huge array of fiber-optic, telephone, and TV cables that carry data from country to country. To gain access, you need someone to connect your house to that backbone. This is what's known as the "last mile" problem, and it's usually solved by large internet service providers such as AT&T and Comcast. They buy access to the backbone and charge you for delivering the signal via telephone wires or cable lines. Most developed nations have plenty of ISPs, but in poor countries and rural areas, the last-mile problem still looms large. If providers don't think there's enough profit in household service, they either don't offer any or do it only at exorbitant rates.

Meshes evolved to tackle this problem. Consider the Spanish network Guifi, which took root in the early aughts as people got sick of waiting for their sclerotic telcos to wire the countryside. "In some places you can wait for 50 years and die and you're still waiting," jokes Guifi member Ramon Roca.

The bandwidth-starved Spaniards attached long-range antennas to their wifi cards and pointed them at public hot spots like libraries. Some contributed new backbone connections by shelling out, individually or in groups, for expensive DSL links, while others dipped into the network for free. (Guifi is a complex stew of charity, free-riding, and cost-sharing.) To join the bucket brigade, all you had to do was add some hardware that allowed your computer's wifi hub to pass along the signal to anyone in your vicinity. Gradually, one hub at a time, Guifi grew into the world's largest mesh, with more than 21,000 members.

In some ways, a community mesh resembles a food co-op. Its members crunch the numbers and realize that they can solve the last-mile problem themselves at a fraction of the price. In Kansas City, Isaac Wilder, cofounder of the Free Network Foundation, is using this model to wire up neighborhoods where the average household income is barely $10,000 a year. His group partners with community organizations that pay for backbone access. Wilder then sets up a mesh that anyone can join for a modest sum. "The margins on most internet providers are so ridiculously inflated," he says. "When people see the price they get from the mesh, they're like, 'Ten bucks a month? Oh, shit, I'll pay that!'"

In other cases, meshes are run like tiny local businesses. Stephen Song, the founder of Village Telco, markets "mesh potatoes," inexpensive wifi devices that automatically mesh with each other, allowing them to transmit data and make local calls. In towns across Africa, where internet access is overpriced or nonexistent, mom-and-pop shops buy backbone access and then sell mesh potatoes to customers, offering them cheap monthly phone and internet rates. Song hopes this entrepreneurial model will lead to stable networks that don't have to rely on donations or tech-savvy community volunteers. He set up a mesh himself in Cape Town, South Africa. "The primary users of that tech were grandmothers," Song says. "Grandmothers are really dependent on their families, and visiting is hard—it's a really hilly area. So if you have an appealing low-cost alternative, they go for it."

WHILE MESH networks were created to solve an economic problem, it turns out they also have a starkly political element: They give people—particularly political activists—a safer and more reliable way to communicate.

As activism has become increasingly reliant on social networking, repressive regimes have responded by cutting off internet access. When Hosni Mubarak, for instance, discovered that protesters were using Facebook to help foment dissent, he ordered the state-controlled ISPs to shut down Egypt's internet for days. In China, the Communist Party uses its "Great Firewall" to prevent citizens from reading pro-democracy sites. In the United States, authorities have shut down mobile service to prevent activists from communicating, as happened a couple of years ago during a protest at San Francisco subway stations. And such reactions aren't only prompted by dissent. Some of the big phone and cable companies have begun to block digital activities they disapprove of, like sharing huge files on BitTorrent. In 2009, the recording industry even persuaded France to pass a law—since declared unconstitutional—that canceled the internet service of any household caught downloading copyrighted files more than three times.
 
The last-mile problem, it turns out, isn't just technical or economic: It's political and even cultural. To repurpose the famous A.J. Liebling statement, internet freedom is guaranteed only to those who own a connection. "And right now, you and me don't own the internet—we just rent the capacity to access it from the companies that do own it," Wilder says.

So now digital-freedom activists and nonprofits are making mesh tools specifically to carve out spaces free from government snooping. During the Occupy Wall Street actions in New York City, Wilder set up a local mesh for the protesters. In Washington, DC, the New America Foundation's Open Technology Institute is developing Commotion—"internet in a suitcase" software that lets anyone quickly deploy a mesh. "We're making infrastructure for anyone who wants to control their own network," says Sascha Meinrath, who runs OTI. In a country with a repressive government, dissidents could use Commotion to set up a private, encrypted mesh. If a despot decided to shut off internet access, the activists could pay for a satellite connection and then share it across the mesh, getting a large group of people back online quickly.

Meinrath and his group have tested Commotion in American communities, including Detroit and Brooklyn's Red Hook neighborhood, where locals used it to get back online after Hurricane Sandy. Now OTI is working on a mesh that will provide secure local communications for communities in Tunisia.

Even voice calls can be meshed. Commotion includes Serval, software that lets you network Android phones and communicate directly via wifi without going through a wireless carrier—sort of like a high-tech walkie-talkie network. Created by Paul Gardner-Stephen, a research fellow at Australia's Flinders University, Serval also encrypts phone calls and texts, making it extremely hard for outsiders to eavesdrop. When OTI employees tested it this spring using external "range extenders," they were able to text one another from nearly a mile away on the National Mall. Hopping onto the DC Metro, they found they could trade messages while riding six cars apart. "We now know how to make a completely distributed phone system," Gardner-Stephen says. Despite the modest ranges now possible, there are plenty of potential uses. After an earthquake, he notes, Serval could help citizens and aid agencies make local calls instantly. In an Occupy-style scenario, police may try to shut down texting via Verizon and AT&T only to discover that activists have their own private Serval channel.

Granted, Meinrath points out, even encrypted systems like Commotion aren't a privacy panacea. Encryption can be broken or badly deployed, every relay on a path still learns who is talking to whom, and if the mesh hooks up to the regular internet—via satellite, for instance—then you're sending signals back out to where the NSA and others have plenty of taps.
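The "bucket brigade" relaying described above, the claim that "nobody can shut it down," and the caveat about the uplink can all be made concrete with a small model. The following is an added example written for this page; it is not code from the article, from AWMN, Guifi or Commotion, and the rooftop names, links and the single "gateway" node are a constructed topology, not any real network's map. It finds multi-hop routes, shows that a route survives the loss of one relay, identifies the nodes whose loss would partition the mesh (the ones an adversary would seize or jam, and the ones that relay all traffic crossing between the parts they join), and flags traffic that exits through the uplink.

```python
"""Toy community-mesh model: multi-hop routing, resilience, and which
relays can observe a given conversation. Added example with a constructed
topology; real meshes run routing daemons (OLSR, BATMAN, Babel), but
breadth-first search on a static map is enough to show the mechanics."""
from collections import deque

# Constructed topology: node -> set of nodes it has a wireless link to.
# Links are symmetric. "gateway" is the only node with an uplink to the
# commercial internet (a DSL or satellite line).
MESH = {
    "roof-a": {"roof-b", "roof-c"},
    "roof-b": {"roof-a", "roof-d"},
    "roof-c": {"roof-a", "roof-d", "gateway"},
    "roof-d": {"roof-b", "roof-c", "roof-e"},
    "roof-e": {"roof-d"},
    "gateway": {"roof-c"},
}


def shortest_path(mesh, src, dst, down=frozenset()):
    """Return the hop list from src to dst over nodes that are up, or None
    when no route survives (e.g. because jammed or seized nodes in `down`
    cut every path)."""
    down = frozenset(down)
    if src in down or dst in down or src not in mesh or dst not in mesh:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(mesh[node]):        # sorted for deterministic routes
            if nxt not in prev and nxt not in down:
                prev[nxt] = node
                queue.append(nxt)
    return None


def observers(path):
    """Intermediate nodes that forward the frames. Each can read any payload
    that is not end-to-end encrypted, and sees the src/dst pair regardless."""
    return set(path[1:-1]) if path else set()


def cut_nodes(mesh):
    """Nodes whose loss partitions the mesh (articulation points), found by
    brute force: drop each node in turn and check that the remaining nodes
    are still mutually reachable. These are the choke points that contradict
    'nobody can shut it down' and that relay all cross-partition traffic."""
    cuts = set()
    for node in mesh:
        rest = [n for n in mesh if n != node]
        if len(rest) < 2:
            continue
        for other in rest[1:]:
            if shortest_path(mesh, rest[0], other, down={node}) is None:
                cuts.add(node)
                break
    return cuts


def route_report(mesh, src, dst, down=frozenset()):
    """Summarise one delivery: the hops, the relays that can observe it, and
    whether it leaves the mesh through the uplink, where the article's caveat
    about taps on the regular internet applies."""
    path = shortest_path(mesh, src, dst, down)
    return {
        "path": path,
        "hops": len(path) - 1 if path else None,
        "observers": observers(path),
        "exits_via_uplink": bool(path) and dst == "gateway",
    }


if __name__ == "__main__":
    print("normal route   :", route_report(MESH, "roof-a", "roof-e"))
    print("roof-b jammed  :", route_report(MESH, "roof-a", "roof-e", {"roof-b"}))
    print("b and c jammed :", route_report(MESH, "roof-a", "roof-e", {"roof-b", "roof-c"}))
    print("to the internet:", route_report(MESH, "roof-e", "gateway"))
    print("choke points   :", sorted(cut_nodes(MESH)))
```

Running it shows roof-a reaching roof-e through roof-b and roof-d, rerouting through roof-c when roof-b drops, and losing connectivity only when both of roof-a's neighbours are gone; `cut_nodes` reports roof-c and roof-d as the nodes whose loss splits the mesh, and roof-c is also on every path to the uplink, so it is both the shutdown target and the vantage point for anyone wanting to watch outbound traffic. The practical lesson for a mesh operator is to add redundant links so that `cut_nodes` returns an empty set, and to treat everything past the gateway as leaving the mesh's control.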

Even so, alternative networks are a pretty subversive idea, one that has attracted some strange bedfellows. The State Department recently ponied up almost $3 million to support Commotion, because officials think it could help freedom of speech abroad. But given the revelations about NSA spying (Commotion's developer, OTI, is considering joining a lawsuit to challenge the agency's surveillance program), the software is likely to gain traction among activists here at home. "It makes all the sense in the world," Meinrath says.

THE RISE OF community meshes suggests a possibility that is considerably more radical. What if you wanted a mesh that spanned the globe? A way to communicate with anyone, anywhere, without going over a single inch of corporate or government cable? Like what Joseph Bonicioli has in Athens writ large—a parallel, global internet run by the people, for the people. Could such a beast be built?

On a purely technical level, mesh advocates say it's super hard, but not impossible. First, you'd build as many local mesh networks as you can, and then you'd connect them together. Long-distance "hops" are tricky, but community meshes already use special wifi antennas—sometimes "cantennas" made out of Pringles-type containers—to join far-flung neighborhoods. Down in Argentina, meshers have shot signals up to 10 miles to bring together remote villages; in Greece, Bonicioli says they've connected towns as far as 60 miles apart. For bigger leaps, there are even more colorful ideas: Float a balloon 60,000 feet in the air, attach a wifi repeater, and you could bounce a signal between two cities separated by hundreds of miles. It sounds nuts, but Google actually pulled it off this past summer, when its Project Loon sent a flotilla of balloons over New Zealand to blanket the rural countryside with wireless connections. There are even DIY satellites: Home-brewed "cubesats" have already been put into orbit by university researchers for less than $100,000 each. That's hardly chump change, but it's well within, say, Kickstarter range.

For stable communications, though, the best bet would be to snag some better spectrum. The airwaves are a public resource, but they are regulated by national agencies like the Federal Communications Commission that dole out the strongest frequencies—the ones that can travel huge distances and pass easily through physical objects—to the military and major broadcasters. (Wifi uses one of the rare public-access frequencies.) If the FCC could be convinced to hand over some of those powerful frequencies to the public, meshes could span huge distances. "We need free networks, and we need free bandwidth," says Eben Moglen, a law professor at Columbia University and head of the Software Freedom Law Center. But given the power of the telco and defense lobbies, don't hold your breath.

The notion of a truly independent global internet may still be a gleam in the eye of the meshers, but their visionary zeal is contagious. It harkens back to the early days of the digital universe, when the network consisted mostly of university scientists and researchers communicating among themselves without corporations sitting in the middle or government (that we know of) monitoring their chats. The goal then, as now, was both connection and control: an internet of one's own.

Friday, July 26, 2013

Feds tell Web firms to turn over user account passwords

By Declan McCullagh

Secret demands mark an escalation in Internet surveillance by the federal government: gaining access to user passwords, which are typically stored not in plaintext but as one-way hashes.

The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed.

If the government is able to determine a person's password, which is typically stored only as a one-way hash, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused.

"I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back."

A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'"

Some of the government orders demand not only a user's hashed password but also the hashing algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string stored alongside each hashed password and mixed into the hash; it ensures that two users with the same password end up with different stored values, and it forces an attacker to work on each account separately instead of matching an entire database against one precomputed table of hashes. Other orders demand the secret question codes often associated with user accounts.
 

A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."

Google also declined to disclose whether it had received requests for those types of data. But a spokesperson said the company has "never" turned over a user's encrypted password, and that it has a legal team that frequently pushes back against requests that are fishing expeditions or are otherwise problematic. "We take the privacy and security of our users very seriously," the spokesperson said.

A Yahoo spokeswoman would not say whether the company had received such requests. The spokeswoman said: "If we receive a request from law enforcement for a user's password, we deny such requests on the grounds that they would allow overly broad access to our users' private information. If we are required to provide information, we do so only in the strictest interpretation of what is required by law."

Apple, Facebook, AOL, Verizon, AT&T, Time Warner Cable, and Comcast did not respond to queries about whether they have received requests for users' passwords and how they would respond to them.

Richard Lovejoy, a director of the Opera Software subsidiary that operates FastMail, said he doesn't recall receiving any such requests but that the company still has a relatively small number of users compared with its larger rivals. Because of that, he said, "we don't get a high volume" of U.S. government demands.

The FBI declined to comment.

Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader. "The authority of the government is essentially limitless" under that law, Sen. Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence committee, said at a Washington event this week.

Large Internet companies have resisted the government's requests by arguing that "you don't have the right to operate the account as a person," according to a person familiar with the issue. "I don't know what happens when the government goes to smaller providers and demands user passwords," the person said.

An attorney who represents Internet companies said he has not fielded government password requests, but "we've certainly had reset requests -- if you have the device in your possession, then a password reset is the easier way."
Source code to a C implementation of bcrypt, a popular algorithm used for password hashing.
(Credit: Photo by Declan McCullagh)
 
Cracking the codes

Even if the National Security Agency or the FBI successfully obtains a hashed password, its salt, and details about the algorithm used, unearthing a user's original password is hardly guaranteed. The odds of success depend in large part on two factors: the type of algorithm and the complexity of the password.

Hash functions, the algorithms used to scramble stored passwords, are designed to be one-way. One popular hash function called MD5, for instance, transforms the phrase "National Security Agency" into this string of seemingly random characters: 84bd1c27b26f7be85b2742817bb8d43b. Computer scientists believe that, if a hash function is well-designed, the original phrase cannot be derived from the output. But an attacker does not need to reverse the function: he only has to guess candidate passwords, hash each one, and check for a match, so what matters is how fast the function runs. MD5 was built for speed, which is exactly the wrong property for protecting stored passwords.

But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other fast, well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion Windows NTLM hashes per second; against the older LM hash, which splits a password into two case-insensitive 7-character halves, that is enough to crack any 14-character Windows XP password in six minutes.

The best practice among Silicon Valley companies is to adopt far slower, salted hash algorithms -- designed to take a large fraction of a second to scramble a password, with a work factor that can be raised as hardware improves -- that have been intentionally crafted to make it more difficult and expensive for the NSA and other attackers to test every possible combination.
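To make the two points above concrete (the role of the salt described earlier in the article, and the fast-versus-slow hash trade-off in this section), here is an added Python example; it is not code from the article or from any of the companies it mentions. It uses only the standard library, with PBKDF2-HMAC-SHA256 standing in for bcrypt (which Python does not ship), and the user table, the attacker's wordlist and the iteration count are constructed assumptions for the demonstration.

```python
# Added example (not from the article): why a per-user salt and a slow,
# iterated hash change the attacker's economics. Standard library only.
# PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in Python's stdlib;
# the user table, wordlist and work factor are constructed for the demo.
import hashlib
import hmac
import os

# Constructed sample accounts; alice and bob chose the same weak password.
SAMPLE_USERS = {"alice": "sunset7", "bob": "sunset7", "carol": "Tr0ub4dor"}
# Constructed attacker wordlist (every sample password happens to be in it).
WORDLIST = ["password", "letmein", "sunset7", "qwerty", "Tr0ub4dor"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def crack_unsalted(stored: dict, wordlist: list):
    """Unsalted: hash each candidate ONCE, then match it against every user.
    Returns (cracked accounts, number of hash computations)."""
    table = {md5_unsalted(w): w for w in wordlist}  # the precomputed table
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, len(table)


def hash_slow(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash; `iterations` is the tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(users: dict, iterations: int = 20_000) -> dict:
    """Each user gets a fresh random salt, stored next to the digest."""
    out = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        out[user] = (salt, iterations, hash_slow(pw, salt, iterations))
    return out


def verify(entry, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, iterations, digest = entry
    return hmac.compare_digest(digest, hash_slow(password, salt, iterations))


def crack_salted(stored: dict, wordlist: list):
    """Salted: the table trick is gone, so it is one slow hash per
    (user, candidate) pair. Returns (cracked accounts, number of hash runs)."""
    cracked, work = {}, 0
    for user, entry in stored.items():
        for candidate in wordlist:
            work += 1
            if verify(entry, candidate):
                cracked[user] = candidate
                break
    return cracked, work


def exhaust_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case time to try every password of a given charset and length
    (the average is half of this), the kind of estimate the text quotes."""
    return charset_size ** length / hashes_per_second


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("same password, same MD5:", weak["alice"] == weak["bob"])
    print("unsalted crack:", crack_unsalted(weak, WORDLIST))
    strong = store_salted(SAMPLE_USERS)
    print("same password, same digest:", strong["alice"][2] == strong["bob"][2])
    print("salted crack:", crack_salted(strong, WORDLIST))
    print("8 lowercase letters at 348e9/s:", exhaust_seconds(26, 8, 348e9), "s")
```

Against the unsalted table the attacker computes five hashes and recovers all three accounts, and identical passwords are visible as identical digests; against the salted table the same wordlist costs eleven hash runs, each of them 20,000 times slower than a single MD5, and no two digests match. The 348 billion per second figure in the text is for fast NTLM hashes; the same hardware running a deliberately slow hash manages correspondingly fewer guesses per second, which is the whole point of bcrypt and its relatives.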

One popular algorithm, used by Twitter and LinkedIn, is called bcrypt. A 2009 paper (PDF) by computer scientist Colin Percival estimated that it would cost a mere $4 to crack, in an average of one year, an 8-character bcrypt password composed only of letters. To do it in an average of one day, the hardware cost would jump to approximately $1,500.

But if a password of the same length included numbers, asterisks, punctuation marks, and other special characters, the cost-per-year leaps to $130,000. Increasing the length to any 10 characters, Percival estimated in 2009, brings the estimated cracking cost to a staggering $1.2 billion.

As computers have become more powerful, the cost of cracking bcrypt passwords has decreased. "I'd say as a rough ballpark, the current cost would be around 1/20th of the numbers I have in my paper," said Percival, who founded a company called Tarsnap Backup, which offers "online backups for the truly paranoid." Percival added that a government agency would likely use ASICs -- application-specific integrated circuits -- for password cracking because it's "the most cost-efficient -- at large scale -- approach."

While developing Tarsnap, Percival devised an algorithm called scrypt, which he estimates can make the "cost of a hardware brute-force attack" against a hashed password as much as 4,000 times greater than bcrypt.

Bcrypt was introduced (PDF) at a 1999 Usenix conference by Niels Provos, currently a distinguished engineer in Google's infrastructure group, and David Mazières, an associate professor of computer science at Stanford University.

With the computers available today, "bcrypt won't pipeline very well in hardware," Mazières said, so it would "still be very expensive to do widespread cracking."

Even if "the NSA is asking for access to hashed bcrypt passwords," Mazières said, "that doesn't necessarily mean they are cracking them." Easier approaches, he said, include an order to extract them from the server or network when the user logs in -- which has been done before -- or installing a keylogger at the client.

Sen. Ron Wyden, who warned this week that "the authority of the government is essentially limitless" under the Patriot Act's business records provision.
(Credit: Getty Images)
 
Questions of law

Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

"This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?" said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society. "I don't know."

Granick said she's not aware of any precedent for an Internet company "to provide passwords, encrypted or otherwise, or password algorithms to the government -- for the government to crack passwords and use them unsupervised." If the password will be used to log in to the account, she said, that's "prospective surveillance," which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, "there's a concern that the provider is enabling unauthorized access to the user's account if they do that," Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors' demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man "could not be compelled to decrypt the drives."

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation -- and don't address when a hashed password is stored on the servers of a company that's an innocent third party.

"If you can figure out someone's password, you have the ability to reuse the account," which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.

Last updated at 8:00 p.m. PT with comment from Yahoo, which responded after this article was published.
 
Disclosure: McCullagh is married to a Google employee not involved with this issue.