Alex Hern reports for The Guardian this disturbing fact about the recently disclosed OpenSSL bug, now two years old and pervasive:

servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.

How? The bug allows access even to information the encryption wasn’t protecting.

ICE spokeswoman Gillian Christensen, on the license plate tracking system recently proposed by the Department of Homeland Security:

It is important to note that this database would be run by a commercial enterprise, and the data would be collected and stored by the commercial enterprise, not the government.

Because the government never compels commercial enterprises to give it data.

Ever.

I know this is an unpopular stance, but if you operate on any assumption other than that this happens all the time on myriad services you use, you’re a crazy unrealistic person lacking in the minimum amount of cynicism (read: realism) required to use the modern internet in a fully-informed manner.

While I don’t have time these days to do the digging someone should do on this, it strikes me as very likely we all gave Facebook permission to skim all of our content for ad-related and any other purposes when we signed up.

Digital privacy almost always comes with an asterisk these days, and that’s not going to change any time soon.

Lots to parse on this one, although it looks like a new chapter in the “Surveillance Wars” Edward Snowden started with his leaks.

Two choice quotes really stood out to me in this article, though, especially because they are in sequence:

Gen. Michael Hayden, former director of both NSA and the Central Intelligence Agency, said […] judges “are not really in a good position to judge the merits of intelligence collection programs.”

That’s funny, because the very next paragraph cites consistent judicial approval of the program as a defense to its continued use:

An Obama administration official said that on 35 occasions in the past, 15 separate judges assigned to the secretive Foreign Intelligence Surveillance court had declared bulk communications of telephone metadata lawful.

Which one is it? Well, as usual with the law, it’s probably both. Judges are human too, despite what some litigators may say, and their job is to decide.

Whether that decision is sufficiently informed in every case is up for debate, but if the former head of the NSA and the CIA doesn’t think judges are well-equipped to render decisions on intelligence collection programs, it’s curious the Obama administration would rely on that judgment in defending the collection programs. 

Perhaps the Foreign Intelligence Surveillance Act (FISA) should be amended to mandate an intelligence background for all judges appointed to the Foreign Intelligence Surveillance panel.

As it stands now, the Chief Justice of the Supreme Court can quite literally appoint whomever he wants to the FISA court, whether they have any experience in intelligence or not.

How intelligent is that?

Special interest groups oppose federal privacy reform to prevent onerous new regulations.

But this effort must, at some point, become counterproductive.

A multitude of state-specific privacy frameworks that, by (federal) law, can’t operate between states, must, at some point, become at least as onerous as new federal regulations. 

I thought this was interesting but not really worth mentioning here, until the Coast Guard visited, apparently, as USA Today reports, under a presumably Google-imposed gag order.

I’m an avid Google user, incredibly open on the internet, and something of an apologist for the utility of systems that know a ton about me. But I still think it’s rich that, as Michael Winters writes in the article, Google “is zealously guarding its privacy” around the barge.

So rich. 

UPDATE: It’s a party barge. No, seriously.

Stanford researcher Jonathan Mayer, in an email to the Wall Street Journal’s Elizabeth Dwoskin and Rolfe Winkler:

Courts are doing pretzel twists to slot modern electronic privacy issues into antiquated statutory schemes. Congress badly needs to update the nation’s privacy laws; we can’t leave the courts with so little guidance and expect consistent results.

The inconsistent application of the law across states suggests the issue may be ripe for appeal on both fronts, and may be on a long journey to the Supreme Court. The Delaware court saw no harm in Google’s circumvention of browser-based privacy settings and thus no cause of action.

What interests me is that the information you can collect via someone’s browsing behavior with a cookie is probably similar to the information you can collect by scanning their email, the action at issue in the North Carolina case, in which the judge denied Google’s motion to to dismiss the suit.

Thus, it’s the difference in the method of collection, even where the subject of collection is the same, that may be triggering the proliferation of multiple interpretations of privacy law.

Of course, it’s worth noting that the wiretap law refers specifically to communication interception, which applies directly to email. While browsing history can tell a great deal about someone, it’s not, strictly speaking, a mode of communication, so plaintiffs probably need to rely more on the common law.

I wish I had more time to sink my teeth into the issue, but I’ll have to settle for sharing a few useful links on privacy law for those interested in learning more:

• EFF on Privacy
• Wikipedia, particularly good for the history of privacy law in the U.S.
• Prof. Daniel Solove: The Chaos of U.S. Privacy Law
• Michael McFarland, SJ: Privacy and the Law

If you follow one link from my blog this week, make it the one above. It’s well-written and disturbingly possible-seeming.

John Shiffman and Kristina Cooke, reporting for Reuters Washington bureau:

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial.

This goes well beyond spying. This is, I would argue, exactly why people object to such domestic spying.

The logic is that those with nothing to hide have nothing to fear. However, the “Special Operations Division” probably isn’t infallible, since, well, no one is, and that means that you may have nothing to hide, and think you have nothing to fear, and be completely wrong.

Innocent people may have been convicted as a result of what appear on their face to be unconstitutional, extrajudicial practices.

Those arguing that the price for protection from terrorists and other would-be evil doers is letting the National Security Agency have a peak at our Gmail will have a much more difficult time making the same case for falsifying an evidence trail.

The defense was often held in the dark and, apparently, at least in some cases, investigators misled both the prosecution and judicial evidentiary discretion.

Oh, and as a cherry on top, here’s a gem from near the end of the Reuters story:

A DEA spokesman declined to comment on the unit’s annual budget. A recent LinkedIn posting on the personal page of a senior SOD official estimated it to be $125 million.

The monitoring of internet communications for sensitive information, it would seem, goes both ways.

With US authorities pushing for easier backdoors into electronic communications systems, a network of anti-graffiti drones looks like a good front for general state-wide surveillance. The German privacy ethic runs deep, but it may provide an interesting model for US authorities to consider in the long-term.

Charlie Savage of The New York Times:

the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work. Under the new proposal, providers could be ordered to comply, and judges could impose fines if they did not.

Concerns that this would prompt similar measures from repressive governments abroad are not overblown. If we expect foreign companies to submit to these procedures, their governments will expect US companies to do the same. I’m surprised this article doesn’t mention anything about what the Obama administration’s diplomats and international law folks think about all of this.

Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”

China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.

The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:

The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”

They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.

This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.

It may illustrate your shopping habits and your life events, but the data about what you do online and with customer loyalty cards effectively belongs to the companies that sell it. And it makes them a lot of money.

Don’t forget that.

If you’re composing an email you don’t want someone to see, consider picking up the phone instead. Your assumptions about the privacy of email are inaccurate.

Reps. Zoe Lofgren (D-Calif.), Ted Poe (R-Texas), and Suzan DelBene (D-Wash.) are pushing an amendment to the Electronic Communications Privacy Act that would require a warrant for authorities to obtain any email, instead of allowing free access to messages older than six months.

I wrote in January about Google’s decision to require a warrant even where the law does not, so the ECPA’s shortcomings in the digital age (the law is more than twenty years old) are sometimes mitigated by responsible corporate policies.

But a legitimate amendment like Lofgren’s would apply Google’s common sense approach to 4th Amendment rights to all such service providers. There’s simply no excuse not to get this done.

Cotton Delo of Ad Age:

The targeting would hypothetically enable Coca-Cola to target to teenagers who’ve bought soda in the last month, or Pampers to show ads to North Carolina residents who’ve recently bought baby products, since Facebook’s own array of demographic and interest-based targeting options can be added to further refine audience segments. But adoption will be contingent on acceptance by corporate legal departments wary of becoming embroiled in a consumer privacy scare.

It’s not something I would rush into if I was one of those “corporate legal departments.” It’s not that I have some conspiracy theory about Facebook, or those data banks. I don’t. We give data to those data banks willingly when we use those discount cards. Shame on us for not reading the fine print.

And Facebook? They’re the same: the fact that nothing private is guaranteed to stay that way on the internet is common knowledge these days, and those who don’t know should know.

What would worry me as in-house counsel is what hackers will find when they inevitably get their hands on some of this data. In other words, Facebook and data banks are the devils we know. I would keep clients out of this plan because of the devils we don’t know.

David Kravets quotes a Googler:

“Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the Constitution, which prevents unreasonable search and seizure,” Chris Gaither, a Google spokesman, said.

The Electronic Communications Privacy Act isn’t always as demanding as Google, and their assertion that the policy is based on Constitutional requirements implies that the ECPA does not comport with the same requirements. That’s a bold legal position to take, but as Mr. Kravets explains at Wired, Google isn’t necessarily alone.

Matt Brian writing at The Next Web:

In our tests, I had mixed results. Initially, my iPhone continued to remain in range, meaning that if I was to walk around the office or different rooms in the house, my Mac remained awake and usable. However, if I went outside a range of around 10-15 meters, Keycard did its thing without an issue.

I’m not sure $6.99 is a viable price for 1.0 app whose developers are still perfecting activation range and that is suffering from “random screen locks when the device is still in range,” but it’s a neat concept. I’d find it especially useful in an Apple-focused office environment or a co-working space. Here’s a direct link to the iTunes store if you want to check it out.

This is unfortunate. There are processes in place that are designed to ensure the preservation of various constitutional rights. The warrant process is one of the most important, and for many people email is far more ubiquitous than other forms of correspondence and property that do require a warrant for seizure in most situations.

Tor gets a headline at WSJ.com.

Jessica Guynn of the LA Times:

The FTC wants to know what the brokers do with the information. It also wants to know if the data brokers let consumers review and correct their personal information or opt out from having their personal information sold.

I can guess that they sell it as “background check” data to both reputable and shady services of that kind, and almost certainly none of them allow correction or opt-out.

It’s one thing to consent to tracking efforts by Amazon, Google, and Facebook, whose labyrinthine Terms of Service are at least publicly-available. It’s another thing to be tracked without consent, without even agreeing to a TOS we didn’t really read, by companies who profit by selling that information to still other companies.

We need legislation on this, as in most other areas of consumer privacy, and especially on the internet, mandating opt-in only participation in data collection like this.

Josh Constine at TechCrunch:

There no big launch event yesterday because Facebook didn’t need one. In fact, it probably didn’t want one, considering it didn’t even notify bloggers like me as it usually does.

This isn’t going to end well. I predict that a backlash will build over the next couple of weeks, nothing dire, but familiar fare by now for Facebook. They should have come out with PR about the easy privacy controls they have implemented to allow seamless and secure photo uploading. Instead they tried to sneak it in on the weekend.

Joseph Goldstein, writing for the Times:

Mr. Sussmann suggested that the Police Department could limit its subpoenas to phone calls beginning on the hour, not the day, of the theft, and ending as soon as the victim has transferred the number to a new phone.

Mr. Sussman is exactly right. I suspect the intent here on the part of NYPD is an admirable one: we have data available that can help us track thieves, so let’s use it.

But it’s not hard to limit the information requested to only the information that could possibly be of use in finding the suspect.