2009 – That’s a wrap!

Wait, I hear it again
Don’t turn on the lights until we
Hear the way it ends
from Peruvian Skies by Dream Theater

During the course of 2009 I wrote about a number of issues that have had recent developments. So by way of winding down 2009 [yeah I’m glad it’s over too] here are updates if not possible conclusions to some of these long running sagas.

In posts entitled Does encryption imply expectation of privacy? and No privilege for you! the basic issue involved was reasonable expectation of privacy or rather legal confusion regarding same when applied to digital communication. According to this article in the Washington post the U.S. Supreme Court will be ruling on the issue of expectation of privacy in the spring of 2010.

The case the court accepted Monday involves public employees, but a broadly written decision could hold a blueprint for private-workplace rules in a world in which communication via computers, e-mail and text messages plays a very large role.

A federal appeals court in California decided that a police officer in the city of Ontario had a right to privacy regarding the texts he sent on his department-issued pager, even though his chief discovered that some of them were sexually explicit messages to his girlfriend. That court said the chief’s decision to read the messages without a suspicion of wrongdoing on the part of the officer violated Fourth Amendment protections against unreasonable searches.

Most employers routinely tell their workers that they have no expectation of privacy when it comes to e-mail and other communications that involve company equipment, and the city of Ontario is no different. It says it “reserves the right to monitor and log all network activity including e-mail and Internet use, with or without notice.”

But the police officer in the case, said the department sent a different message when it handed out pagers to SWAT team members. The department said that the devices were limited to 25,000 characters each month, but that officers also using them for personal purposes could pay for any overage charges.

When the police chief wondered whether the devices were being used mostly for personal messages, the company that provided the texting service, Arch Wireless, turned over transcripts. They showed that a large portion of [the officer’s] messages were personal and many of them were sexually explicit. According to court documents, a review of one month’s use showed that 57 of 450 messages were business related.

A lawyer who often represents employers in workplace issues, said the issue is “one of increasing importance to employers.” Though the case before the court involves government employees, case law in the private workplace often evolves from such decisions.

In the world of laptops, cellphones and BlackBerrys, the line between business and personal communications is often blurred and that employers are tolerant “within the realm of reason.”

But often they are under legal obligation to monitor computer use. And when employers monitor the computer use of their workers, it is often because of complaints from co-workers.

The case, Ontario v. Quon, will be heard in the spring.

While this case does not explicitly address either encryption or privileged communication it does serve to illustrate that this is far from a done deal. And the Supreme court ruling will only be one small step towards clarifying the issue. So I’m guessing we can expect lots more on this in the coming years.

In a series of posts about ID Theft, Privacy, Fear and Loathing in Colorado [also in this post and this post] I discussed “Operation Numbers Game”. Here’s a quick recap of the controversial investigation.

“Operation Numbers Game” began after a Texas man told Greeley [Colorado] authorities someone there was using his identity. The suspect in that case alerted law enforcement to the firm that prepared his taxes. Investigators obtained a search warrant [and] seized the returns last year from a tax preparation firm that catered to Latinos in Greeley, where Hispanics make up about a third of the population.

A District Court judge halted the investigation in April. He ruled Weld County authorities violated people’s privacy rights and had no probable cause to inspect the tax returns, which were used to file charges of criminal impersonation and identity theft against more than 70 people.

Weld County appealed the decision.

Weld County District Attorney Ken Buck, a Republican U.S. Senate candidate who advocates stricter immigration laws, has maintained the investigation was about identity theft, not illegal immigration.

Well this little fishing expedition may actually be over. As reported by the Denver channel, the Colorado Supreme Court has ruled against Weld County.

The Colorado Supreme Court says Weld County authorities violated privacy rights of immigrants when sheriff’s deputies seized thousands of tax returns to investigate them for identity theft.

The Court’s Monday ruling affirmed a decision by a Weld County District judge who suppressed evidence against one of the defendants. That judge said authorities had no probable cause to search the man’s tax returns and that the documents are confidential.

The Colorado Immigrant Rights Coalition praised the Supreme Court ruling, saying Weld County’s attempt to enforce federal immigration law was “wrong-headed, costly and did great damage to the community.” The Coalition also said the cases “demonstrates why we need solutions to our broken immigration system.”

“Today’s ruling confirms Operations Number Games to have been an egregious abuse of power by Weld County officials,” the Coalition said in a prepared statement. “Paying taxes is not a crime and should not be made to seem like one. Rather, it is what the U.S. government asks of its residents. Those targeted had their privacy rights violated. The ruling goes to show that the Constitution protects the basic rights of all U.S. residents, regardless of suspected immigration status.”

No word yet on how this ruling will effect Weld County District Attorney Ken Buck’s senate bid and I’m smart enough to not hazard guesses involving politics.

In a series of entries that are shaping up to be the most popular of 2009 I wrote about Colorado Weirdness and the subsequent followup Back to normal in Colorado wherein the primary weirdness was the “balloon boy” incident. This just kept getting stranger as it turned out that the whole thing was a hoax perpetrated with the idea of getting a reality TV show. Well, according to the Denver Post this saga may finally have run it’s course. For now.

Richard and Mayumi Heene, the Fort Collins couple who briefly duped law enforcement and the television-watching world this fall by claiming their son was adrift in a home-made balloon, were sentenced to jail time today for perpetrating the publicity stunt.

Richard Heene, who last month pleaded guilty to a felony charge of attempting to influence a public servant and who took blame today as the brains of the hoax, was sentenced to 90 days in jail. He will have to serve 30 days of the sentence full-time in the Larimer County jail, with the remaining 60 days served on work-release. He must also serve four years on probation.

Mayumi Heene, who helped hatch the scheme and who pleaded guilty to a misdemeanor charge of false reporting, was sentenced to four years probation and 20 days of jail, to be served through a program that allows her to perform jail-supervised community service a couple days a week and return home at night.

The Heenes must also pay a still-to-be-determined amount of restitution, a figure a prosecutor said today could be $47,000 or more. Richard Heene’s lawyer said he intends to challenge that figure.

“In summary,” [Larimer County Court Judge Stephen] Schapanski said in imposing Richard Heene’s sentence, “what this case is about is deception, exploitation — exploitation of the children of the Heenes, exploitation of the media and exploitation of people’s emotions — and money.”

Asked after the hearings whether the Heenes have now given up the pursuit of television notoriety, [Richard Heene’s attorney David] Lane was ambiguous.

“I don’t know if they’re done with reality TV,” he said. “Is reality TV done with them?”

And finally there’s this pair of posts about the medical marijuana gold rush in Colorado, Once I was a caregiver and didn’t even know it and Caregivers in Colorado: the saga continues. This has well and truly hit the big time with international coverage by CNN. Take this story by Jim Spellman for instance.

Driving down Broadway, it’s easy to forget you are in the United States. Amid the antique stores, bars and fast-food joints occupying nearly every block are some of Denver’s newest businesses: medical marijuana dispensaries.

The locals call this thoroughfare “Broadsterdam.” As in Amsterdam, Netherlands, these businesses openly advertise their wares, often with signs depicting large green marijuana leaves.

“The American capitalist system is working,” said attorney and medical marijuana advocate Rob Corry.

It’s a matter of supply and demand.

“The demand has always been there,” he said, “and the demand is growing daily because more doctors are willing to do this, and now businesses, entrepreneurs, mom-and-pop shops are cropping up to create a supply.”

Colorado voters legalized medical marijuana in 2000. For years, patients could get small amounts from “caregivers,” the term for growers and dispensers who could each supply only five patients. In 2007, a court lifted that limit and business boomed.

Between 2000 and 2008, the state issued about 2,000 medical marijuana cards to patients. That number has grown to more than 60,000 in the last year.

State Sen. Chris Romer, a Democrat whose south Denver district includes Broadsterdam, said the state receives more than 900 applications a day.

“It’s growing so fast, it’s like the old Wild West,” Romer said. “This reminds me of 1899 in Cripple Creek, Colorado, when somebody struck gold. Every 49er in the country is making it for Denver to open a medical marijuana dispensary.”

Wild West indeed. Everywhere in Colorado counties and municipalities are rushing to declare moratoriums on new medical marijuana dispensaries until somebody figures out how to regulate them. “Why is that a problem?”, you ask. Well let me give you some examples. I’ve already mentioned that in the People’s Republic of Boulder there are now twice as many reefer shops [err… dispensaries] as coffee shops. While this may may not be particularly surprising for Boulder, how about the town of Windsor, Colorado (population 18000) where there are more medical marijuana dispensaries than coffee shops, gas stations, grocery stores and liquor stores combined. At this point I’m thinking that maybe the Federal government should wake up, smell the reefer, legalize pot and tax the heck out of it. Everybody wins. And in this economy just think of all the jobs for caregivers that will be created. That’s right, just suck it up and torch that spliff (or vice versa). You know you want to.

Does encryption imply expectation of privacy?

Recently Chris Webster, a law student at the University of Maryland Baltimore School of Law, started this email thread which I will present here with minimal editing in hopes that some experts or interested parties among you, dear readers, can chime in. Just so everyone is clear, a disclaimer: I’m fascinated by e-discovery and legal issues surrounding security and privacy and blog about these subjects fairly often. I’m not, however, an expert in this area. And I’m certainly not a lawyer. Having said that, let’s begin.

This article from the Wall Street Journal Law Blog Newsletter about an opinion Re United States, – F.Supp.2d -, 2009 WL 3416240 (D.Or. 2009) handed down by District Judge Mosman earlier this year is what started the exchange.

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you? According to [District Judge Mosman] the answer is yes.

The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. . . . This is strong privacy protection for homes and the items within them in the physical world.

When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.

It is clear that notice is an essential part of the reasonableness calculus in judging searches and seizures under the Fourth Amendment. The Federal Public Defender has argued that this constitutional notice requirement supports [the view] that the copy of the warrant and receipt . . . must be provided to the subscriber to the e-mail account, rather than just to the ISP. The notice must be provided to the subscriber because the ISP “has a far lesser privacy interest in the content of its subscriber’s e-mails than the subscribers themselves.”

This argument fails to take into account the third party context in this case. If a suspect leaves private documents at his mother’s house and the police obtain a warrant to search his mother’s house, they need only provide a copy of the warrant and a receipt to the mother, even though she is not the “owner” of the documents. (citations omitted). In such a case, it is irrelevant that the suspect had a greater privacy interest in the content of the documents than did his mother. When he left the documents in her possession he no longer has a reasonable expectation of privacy in their contents.

Chris:

I think I found a judge who reads your blog…

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

I am concerned about the legal effect of this misunderstanding – are we entering a world in which all data storage is online, and so not protected by the constitution? For example, we just bought a scanner to upload our contracts and family records (bills, medical records, insurance and such).  I thought I was being a “good” lawyer when I decided to upload these to an online account. This way a disaster striking my home would not leave me without my vital records and contracts – my primary evidence in a contractual dispute. Now I am rethinking this. I never had the intention of opening those documents up to search and seizure without notification. Now my records live on a DVD in the bank vault – where the constitution still applies. DVDs in a bank vault, it’s a 19th century solution to a 21st century problem.

Very dicey topic. Thought you might want to weigh in.

Joe:

This judge is saying that on the internet you essentially have no reasonable expectation of privacy. While I agree wholeheartedly with his assessment, I would submit that the act of encrypting data that is sent into the cloud does, in fact, give you a reasonable expectation of privacy – that being the sole purpose of encrypting the data. Therefore, while I’m not sure what the legal standing is on this, it would seem like encrypted data that requires a privately held key, explicitly excluding routine data transmission encryption (e.g. HTTPS and SSL), is no different than a safe deposit box at the bank where you hold the key. In other words, while you may be compelled to provide the key subject to a court order, that court order would require probable cause.

I can certainly offer some advice with respect to the offsite archive of your personal data.

I have a Verisign OpenID (which you can get for free here). In the process you setup a “Personal Identitly Portal” which includes an encrypted “File Vault” that holds 2 GB. That’s a lot of documents. I’m exceedingly paranoid so I encrypt everything prior to putting it in my file vault using SecureZip (which you can get for free here*) so there is minimal chance of exposure.

[* update 17-November-2010: SecureZip Express (free version) is no longer available. There is a 30-day trial available for free but the full product starts at $39US]

Chris:

If the Government seizes documents which are encrypted can they then seize the key from you? The request for the key would be effective notice of sorts, but would you have to provide it? I know this is a purely legal question, but I thought you might know the answer.

Joe:

Legally the answer is “yes” the government can compel you to reveal your password. Practically there are so many ways around it that the answer is “fat chance”. A really simple workaround would be for you to have an encrypted data store where only your wife has the key. A private key escrow. As you know your spouse can’t be compelled to testify (i.e. provide the key) against you.

The other point is that any encrypted data store whether online or not is not amenable to search. In other words you can’t even see what’s there so there is no way to know know what’s in it. From the point of view of Google, a Verisign file vault doesn’t exist.

If you are really paranoid, Bruce Schneier has this article all about plausible deniability. The article is about securing laptops but the principles apply anywhere.

The bottom line is, sure the government can try to compel you to reveal encrypted data, but only if they know it exists. TrueCrypt has this guidance on plausible deniability. So to be completely safe and secure you could create a “hidden encrypted volume” inside an encrypted volume and upload the encrypted container to a Verisign file vault. With a little creative key management, you would be untouchable in any practical sense.

Now you may end up doing time for contempt of court or some bogus DHS charge but your data will be safe.

Chris:

Ok, this is heading into some really interesting legal waters. Building on your last comment,  I am not an expert on the criminal side, but I can tell you that on the civil side a judge can compel discovery. If you do not comply the Judge can order the jury to draw the negative inference (meaning that they will be instructed that the encrypted document is what the plaintiff says it is, and that it says what they say it says). There is however a safe harbor for electronic documents destroyed in the course of regular maintenance – I would be interested to see if this would include encryption keys which are time sensitive, or single use.

Switching to the criminal example we are working with – if my wife had a physical copy of the key (on a hard drive or otherwise) a judge could compel production of this in the same way he could make her give over a murder weapon. If it was memorized, I suppose she could refuse.

My concern wasn’t really with the compulsion to turn it over, it was the fact that you get no notice. This allows for secret searches (fishing expeditions)  to take place. Also, presumably they have probable cause, or the warrant in this case would not have been issued.

I do find the distinction between encrypted data and non-encrypted data, and the differing expectations of privacy intriguing. However, would your expectation of privacy survive the fact that the data is housed on another person’s machine. In the example the case offers, a letter on your mother’s table can be taken into evidence without your notice if your mother’s house is searched under a valid warrant. In that case the only one who gets notice is dear old mum. It is hard to argue the ruling would be different if you had the papers in a safe at mom’s place – the result would be the same, notice to mom, none to you.  Would the same be true for packets of encrypted information on internet servers? Maybe you have an expectation of privacy with encrypted data (like with the safe) but the reality is governed by the physical location of the “evidence”. Once they have the encrypted data can they subpoena you, or your mom, or others, to compel the production of a key? I acknowledge this would give you notice. This is more proof that the internet is absolutely non-private, even when encryption leads to an expectation of privacy.

The problem is, the conclusion that the internet is a group of guest houses through which your packets pass, and at any given time are subject to ownership by the individual who runs the house, is a troubling roadblock for the development of the net. In order to streamline our society, the internet must at some point be viewed as an instant “post-office” type service. While people sometimes use the mail to do bad things, or even steal it, the Feds and suing parties can’t. In fact messing with people’s mail, even by carriers and third parties, is a crime. Shouldn’t the same model be imposed on the internet, even if it is a legal fiction? Wouldn’t such a model be better for the ISP’s and users?

Joe:

The salient feature of encrypted data is that it is useless (i.e. random noise) without the decryption key. If you hold that key then clearly you must be notified in order to compel you to provide the key, otherwise there is no evidence.

For example, let’s say that the letter you left on mom’s table was encoded using a one-time-pad. The letter is seized under a valid court order. What have they got? Diddley. Just some weird random text on a page that is meaningless until the key – which only you have – is applied to it.

Now they can try to decode it, but the chances of success are exceedingly unlikely. They may attempt to compel you to provide the key, at which point if you refuse, you may get slapped with contempt or adverse inference but either way you get notified.

So unless they can make the case that some random collection of bits is anything more than just that, it will be impossible to use it for a fishing expedition. The point being, who cares if they seize it, it’s useless.

The original court opinion was with respect to GMail type services where your data is stored in cleartext for anyone who has the legal authority or technical prowess to see. But even the U.S. government would have a hard time deciphering AES 256 encrypted data without the key in your lifetime.

As for the instant “post-office” model legal fiction you suggest, that’s called “Net Neutrality” and the main groups opposed to it are the entertainment industry who wants to control their copyrighted content (same clowns, different circus) and some large ISPs that would like to give precedence to their own content over competitors (everybody thinks they can be Microsoft). Of course that’s not what they’re saying, but it essentially boils down to that. For the record, I agree that net neutrality would be much better for ISPs and net users alike. Whether they recognize it or not.

Keys to the kingdom

You think we’d have gotten past this by now. After all the research, mathematical and technological advancement almost all of our most valuable digital – and ultimately real – assets are protected by one little word. Usually something lame like our dog’s name or favorite team mascot. That’s right, I’m talking about passwords. In spite of efforts by Payment Card Industry (PCI) Security Standards Council and others to promote multi-factor authentication – i.e. some combination of

• something you know (like a password)
• something you have (like an access card)
• something you are (biometrics like fingerprints or retinal scan)

Even most financial institutions can only manage a password and some personal questions (which incidentally is not really multi-factor it’s multiple single-factor, i.e. several things that you know) to authenticate us for the most sensitive and important transactions. And forget about web sites. Everybody wants you to have a password. Presumably a good – and unique – one for each.

By now most people have heard the about the guidelines for good passwords. For example Wikipedia lists the following common guidelines.

Guidelines for strong passwords

Common guidelines for choosing good passwords are designed to make passwords less easily discovered by intelligent guessing:

• Include numbers, symbols, upper and lowercase letters in passwords
• Password length should be around 12 to 14 characters
• Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, or biographical information like names or dates.

I can see heads start spinning! How in the world can I remember only one 12-14 character password that contains nothing I can remember, and is more or less random? Much less the 50 or so passwords I need for all my web sites and financial stuff? Yeah – that’s a problem. And it’s exacerbated by the fact that as the need for passwords has proliferated, the practicality (i.e. horsepower) of password crackers has improved exponentially. Oh and by the way, to really achieve decent security (i.e. mitigate the threat of exposure) you should really change your passwords at least annually and preferable more often.

Yikes! So how exactly can a person possibly memorize 50 pseudo-random character strings that all change every year? Well, in a nutshell – you can’t. No one can. Well maybe someone with an eidetic memory, but not you or me. There is, however, hope. SecurePuter has a great post on “How to Create and Remember Multiple Secure Passwords” wherein an easy to remember but hard to guess formula is presented that will allow you to calculate what your password is so it removes the randomness and requirement to memorize many different things. It’s a great idea, and be sure to read all of the comments as further refinements are suggested.

Still, if you’re like me and make an actual effort to forget things as soon as possible, this might not be an optimal solution. So how do I manage to remember 50 (or in my case more like 150) dynamic random character strings. It’s easy – I don’t even try. I use a password generator and storage system. There are quite a few good packages out there. The one I use is the open source package Password Safe partly because Bruce Schneier started the project, partly because it runs on all of the platforms I use, partly because it has great encryption but mostly because I’m cheap and it’s free (as in free speech and free beer). I keep my fully encrypted password safe database file on a USB thumb drive so all of my passwords are available on whatever device I’m using – except my iPhone (which is a rant for another time). Basically the way it works is that I make an entry for whatever web site or computer I need a password for and then let it generate one for me. There are all sorts of policy options so you can get insanely long and complex passwords. When I save the new password, it is encrypted using the one and only password I need to remember. That’s it. So not only do I not remember my 150 different passwords, I never knew what they were to begin with. Now there are situations where this kind of password safe mechanism will have an issue, specifically you can run into a race condition with computer logons that require a regularly changing password (e.g. most corporate networks) whereby you must be able to type in the password to log in so that you can get access to the password safe. I get around this by generating a random 12-character password that I can remember for the 90 days that it will be valid. So I guess I really have to remember 2 passwords. But even I can do that. And so can you.