Showing posts with label security. Show all posts

11 January 2010

What "Nothing to Hide" is Hiding

As governments around the world - but particularly in the UK - increase the surveillance of their hapless citizens, one argument above all is made in favour of doing so: "if you have nothing to hide, you have nothing to fear."

Of course, the rebuttal is that, indeed, we have nothing to hide, but we do value our privacy, and we should not be asked to sacrifice that for dubious government convenience. But as this excellent paper entitled "I've got nothing to hide, and other misunderstandings of privacy" points out, there is a particularly dangerous "strong" form of this argument that is harder to brush off:

Grappling with the nothing to hide argument is important, because the argument reflects the sentiments of a wide percentage of the population. In popular discourse, the nothing to hide argument’s superficial incantations can readily be refuted. But when the argument is made in its strongest form, it is far more formidable.

...


The NSA surveillance, data mining, or other government information-gathering programs will result in the disclosure of particular pieces of information to a few government officials, or perhaps only to government computers. This very limited disclosure of the particular information involved is not likely to be threatening to the privacy of law-abiding citizens. Only those who are engaged in illegal activities have a reason to hide this information. Although there may be some cases in which the information might be sensitive or embarrassing to law-abiding citizens, the limited disclosure lessens the threat to privacy. Moreover, the security interest in detecting, investigating, and preventing terrorist attacks is very high and outweighs whatever minimal or moderate privacy interests law-abiding citizens may have in these particular pieces of information. Cast in this manner, the nothing to hide argument is a formidable one. It balances the degree to which an individual’s privacy is compromised by the limited disclosure of certain information against potent national security interests. Under such a balancing scheme, it is quite difficult for privacy to prevail.


One of the key arguments of the paper revolves around data aggregation (not surprisingly):

Aggregation...means that by combining pieces of information we might not care to conceal, the government can glean information about us that we might really want to conceal. Part of the allure of data mining for the government is its ability to reveal a lot about our personalities and activities by sophisticated means of analyzing data. Therefore, without greater transparency in data mining, it is hard to claim that programs like the NSA data mining program will not reveal information people might want to hide, as we do not know precisely what is revealed. Moreover, data mining aims to be predictive of behavior, striving to prognosticate about our future actions. People who match certain profiles are deemed likely to engage in a similar pattern of behavior. It is quite difficult to refute actions that one has not yet done. Having nothing to hide will not always dispel predictions of future activity.


Moreover:

Another problem in the taxonomy, which is implicated by the NSA program, is the problem I refer to as exclusion. Exclusion is the problem caused when people are prevented from having knowledge about how their information is being used, as well as barred from being able to access and correct errors in that data. The NSA program involves a massive database of information that individuals cannot access. Indeed, the very existence of the program was kept secret for years. This kind of information processing, which forbids people’s knowledge or involvement, resembles in some ways a kind of due process problem. It is a structural problem involving the way people are treated by government institutions. Moreover, it creates a power imbalance between individuals and the government. To what extent should the Executive Branch and an agency such as the NSA, which is relatively insulated from the political process and public accountability, have a significant power over citizens? This issue is not about whether the information gathered is something people want to hide, but rather about the power and the structure of government.


Finally:

A related problem involves “secondary use.” Secondary use is the use of data obtained for one purpose for a different unrelated purpose without the person’s consent. The Administration has said little about how long the data will be stored, how it will be used, and what it could be used for in the future. The potential future uses of any piece of personal information are vast, and without limits or accountability on how that information is used, it is hard for people to assess the dangers of the data being in the government’s control.

None of these will come as any surprise to people thinking about privacy and computers, but it's interesting to read a lawyer's more rigorous take on the same ideas.

Follow me @glynmoody on Twitter or identi.ca.

05 June 2009

Open Source Sensing Initiative

Here's another interesting initiative: open source sensing.

Pervasive sensing is arriving soon — we have a short window of opportunity for guiding this technology to protect both our security *and* our privacy.

This is an open source-style project with the goal of bringing the benefits of a bottom-up, decentralized approach to sensing for security and environmental purposes.

The intent of the project is to take advantage of advances in sensing to improve both security and the environment, while preserving — even strengthening — privacy, freedom, and civil liberties.

We have a unique opportunity to steer today's emerging sensing/surveillance technologies in positive directions, before they become widespread.

What's particularly noteworthy is the fact that open source sensing is seen as a way of offering security while dealing with various threats to privacy and freedom that sensor technologies obviously present. Openness may help square the circle here, is the hope.

01 June 2009

Why Security by Obscurity Fails, Part 674

Great story in Wired about a master lock-picker, opening what are supposedly the most secure locks in the world:

These were the same Medeco locks protecting tens of thousands of doors across the planet

...

One by one, brand-new Medeco locks were unsealed. And, as the camera rolled, one by one these locks were picked open. None of the Medeco3 locks lasted the minimum 10 to 15 minutes necessary to qualify for the "high security" rating. One was cracked in just seven seconds. By Roberson's standards, Tobias and Bluzmanis had done the impossible.

Although these are physical, rather than software locks, the lesson is the same: there is no such thing as an unpickable lock, there is no such thing as unhackable software, even if it's closed and encrypted. Since *someone* will be able to find the flaws in your software, you may as well open it up so that they can be found and fixed. Go open source.

28 May 2009

Why It's Better With Windows...

...because it hasn't got that horrible unfamiliar environment, which has all those bizarre features like:


* freedom

* zero cost

* stability

* security


Much better to stick with the proprietary, expensive, unstable, insecure operating system you know and love....

09 March 2009

Germany Funds Open Source Software

I missed this when it first came out a couple of weeks ago:

On 20 February 2009 the Bundesrat approved the Act to Secure Employment and Stability in Germany, clearing the way for the planned investments. The "Pact for Employment and Stability in Germany" also includes 500 million euros for measures in the field of information and communications technology, the use of which is directed by the Federal Government Commissioner for Information Technology. Of these 500 million euros, 300 million euros are available immediately. 200 million euros were blocked by the Budget Committee of the German Bundestag pending the submission of concrete measures.

...

"The aim of the measures is to expand the areas of Green IT, IT security and open source, and to make innovative, future-proof technologies and ideas usable for the administration," says State Secretary Dr. Beus. This also includes, he said, additional investment in the further development of the federal government's central IT steering mechanisms, so that large IT projects can be implemented more efficiently and quickly in future.

Every little helps. (Via PSL Brasil.)

13 February 2009

Open Proofs

The problem:

The world depends on having secure, accurate, and reliable software - but most software isn't. In some circumstances we need "high confidence" (aka "high assurance") software built on top of verified software. Verified software, in this context, is software that has been proved to have or not have some property using formal methods (formal methods apply mathematical techniques to prove properties of software). Yet developing verified software is currently very difficult to do, or improve on, because there are few fully-public examples of verified software. Verified software is often highly classified, sensitive, and/or proprietary. This lack of detailed examples impedes progress by software developers, tool developers, users, teachers, and even current practitioners.

Unlike a mathematical proof, software normally undergoes change due to changing conditions and needs. So just publishing unchangeable software, with an unchangeable proof, isn't enough. Instead, we need a number of "open proofs".

The solution:

"Open proofs" solve the problem by releasing implementation, proofs, and tools as FLOSS. With such rights, developers can build on the examples to build larger works, teachers and students can use the examples for learning and research, users can verify that the proof is valid, and tool suppliers can use real examples to improve tools. Both realistic examples (for building on and tool development) and small examples (for teaching) are needed.

Not all systems need to be revealed to the public, but we need public examples as "seed corn" to develop more verified software. To be high assurance, such software would need to come with some automated test suite, but that isn't a strict requirement to be an open proof.

Open proofs do not solve every possible problem, of course. For example: (1) the formal specification might be wrong or incomplete for its purpose; (2) the tools might be incorrect; (3) one or more assumptions might be wrong. But they would still be a big improvement from where we are today. Many formal method approaches have historically not scaled up to larger programs, but open proofs may help counter that by enabling tool developers to work with others.

Firefox (In)Security Update Dynamics Exposed

One of the great things about Firefox is its automatic update scheme. Here's some interesting research on the subject:

Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP useragent header information stored in anonymized logs from Google's web servers, we measured the patch dynamics of about 75% of the world's Internet users for over a year. Our focus was on the Web browsers Firefox and Opera. We found that the patch level achieved is mainly determined by the ergonomics and default settings of built-in auto-update mechanisms. Firefox' auto-update is very effective: most users installed a new version within three days. However, the maximum share of the latest, most secure version never exceeded 80% for Firefox users and 46% for Opera users at any day in 2007. This makes about 50 million Firefox users with outdated browsers an easy target for attacks. Our study is the result of the first global scale measurement of the patch dynamics of a popular browser.

What's interesting, too, is that this was research done using data drawn from Google: there must be a lot of really useful info there to be mined - suitably anonymised, of course. (Via Bruce Schneier.)

30 January 2009

Why Adware Authors Love IE and Windows

An adware author explains:


Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do – which means basically anything. We would have a Browser Helper Object that actually served the ads, and then we made it so that you had to kill all the instances of the browser to be able to delete the thing. That’s a little bit of persistence right there.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it.

(Via Bruce Schneier.)

08 January 2009

Security Vendors Will Log the Police Keyloggers

Kudos to Kaspersky Labs and Sophos: they understand that once you compromise a computer's security, there *is* no security:

The Home Office on Friday said it was working with the European Parliament on plans to extend police powers to conduct remote searches of computers. UK police already have the power to hack into suspect systems without a warrant, due to an amendment to the Computer Misuse Act, which came into force in 1995.

However, security vendors Kaspersky Labs and Sophos told ZDNet UK that they would not make any concession in their protective software for the police hack.

...

Em said that while police could provide details of the software it used so Kaspersky could avoid blocking it, the police software could also be used by cybercriminals. "While we wouldn't want to scupper police attempts to catch bad guys, police [hacking] software could end up in the wrong hands," Em said.

Kaspersky would not put a backdoor in its software to enable the police to bypass its protections, Em added. "If we provided a backdoor, it could be used by malware authors," Em said. "People would be able to drive a coach and horses through our security."

Once again, the experts have spoken: will the politicians listen? (Will they, heck....)

16 December 2008

Abandon Hope, All Ye (IE) Users

Interesting that when the BBC dares to carry a negative story about Microsoft, it immediately becomes the most-read and most-emailed - perhaps they should do it more often:

Users of the world's most common web browser have been advised to switch to another browser until a serious security flaw has been fixed.

Good advice, but why only until fixed: surely, the logical thing to do would be to abandon IE altogether, thus avoiding future problems too?

19 November 2008

(Sigh): Another BBC Ad for Microsoft

I suppose I should expect this now:

In a surprise move, Microsoft has announced it will offer a free anti-virus and security solution from the second half of next year.

...


Amy Barzdukas, senior director of product management in the online services division at Microsoft, said: "This new, no-cost offering will give us the ability to protect an even greater number of consumers, especially in markets where the growth of new PC purchases is outpaced only by the growth of malware."

Ah, bless 'em.

Of course, this move couldn't possibly have anything to do with the fact that the security of Windows is so poor as to make the operating system unusable without this kind of anti-virus crutch. Well, that's certainly the impression you get from benign old Auntie.

As usual, Mike Masnick gets it in one. His headline? "Microsoft Realizes No One Wants To Pay Microsoft To Fix Its Own Security Flaws."

14 November 2008

ContactPoint: A Contradiction in Terms

People have been pointing out that the government's child database, ContactPoint, will actually make it *more* dangerous for children. Now the government is slowly cottoning on:


Data on about 55,000 children will need to be protected from estranged and abusive family members, or because they are under police protection, according to figures from local authorities.

The protected information - part of the forthcoming ContactPoint child protection database - will include their address and details of the school they attend. ContactPoint users, who The Register revealed yesterday could easily number more than a million, will only be able to access basic data about "shielded" children: their name, age and gender.

In other words, some of the most vulnerable children must be excluded from ContactPoint, because its security is now recognised as insufficient - even though the whole point of ContactPoint was to *enhance* protection.

ContactPoint - and any centralised database - is simply not fit for its purpose: chuck it, people.

30 October 2008

Open Enterprise Interview: Dirk Morris, Untangle

One of the reasons the open source development methodology is so powerful is because of the modularisation that lies at its heart. This allows those with a particular expertise to work on the module they are best able to improve, and for all such modules to be slotted together thanks to the clean interfaces between them. And at a higher level, the open source world is made up of many independent projects – unlike the world of Windows, say, where the ecosystem revolves around and is dependent on Microsoft's strategic decisions to a high degree - each able to proceed at a speed and in a direction that suits them best....

On Open Enterprise blog.

05 September 2008

Cracking the GNU/Linux Security Cliché

One of the jibes about GNU/Linux from the closed-source crowd is that the only reason there are so few security exploits against it is that its market share is too small for crackers to care. Against that background, the following development must represent some kind of milestone....

On Open Enterprise blog.

03 September 2008

ContactPoint: What is it Good For?

Scrapping:

Anderson disagrees: "If you allow large numbers of people access to sensitive data it's never going to be secure. You can't protect it. ContactPoint should simply never have been built."

This is Prof Ross Anderson, and he knows whereof he speaketh.

22 August 2008

PA Consulting? Pah!

Since we now know this:

Home Secretary Jacqui Smith has blamed a private contractor for losing the details of thousands of criminals, held on a computer memory stick.

Ms Smith said the government had held the data securely but PA Consulting appeared to have downloaded it, contrary to the rules of its contract.

...it's clear they don't have the foggiest idea about security or managing personal information, giving us yet another reason to scrap the doomed ID card project which they have played a major part in driving.

23 July 2008

W(h)ither the UK Database Nation?

Interesting:

The court’s view was that health care staff who are not involved in the care of a patient must be unable to access that patient’s electronic medical record: “What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place.” (Press coverage here.)

A “practical and effective” protection test in European law will bind engineering, law and policy much more tightly together. And it will have wide consequences. Privacy campaigners, for example, can now argue strongly that the NHS Care Records service is illegal.

To say nothing of the central ID card database that permits all kinds of decentralised access....

08 July 2008

Apple, the Security Paragon

Not:

Apple just gave out my Apple ID password because someone asked

04 July 2008

IDiotic or What?

The chief executive of the Identity and Passport Service has said the ID cards database will not be completely secure.

James Hall said on Thursday that, after a string of high-profile data breaches in the past year, people should be concerned about the security of their personal information held by the government.

"You would rightly be concerned about the integrity and security of the information held about you," said Hall in a speech at the Homeland & Border Security Conference 2008 in London. "The issue has been heightened by recent events. I won't stand in front of you and say there will never ever be a breach of information."

Oh, that's alright, then.

17 June 2008

Insecurity is Bad for Your Health

Outrageous:


A shocking article appeared yesterday on the BMJ website. It recounts how auditors called 45 GP surgeries asking for personal information about 51 patients. In only one case were they asked to verify their identity; the attack succeeded against the other 50 patients.