Andrew Clearwater

Wednesday, May 8, 2013

Legally Mandated Backdoors for Wiretapping

The New York Times reported yesterday that the administration is preparing to back an FBI plan that would legally mandate the capacity to comply with wiretap orders, enforced through the threat of fines for non-compliance with a wiretap order. The plan is based on a fear that the FBI is "going dark," which is unwarranted and inaccurate. I agree with Gregory T. Nojeim of the Center for Democracy and Technology who stated “I think the F.B.I.’s proposal would render Internet communications less secure and more vulnerable to hackers and identity thieves.”


Christopher Soghoian, a privacy researcher and activist, covered this topic in his Ph.D. dissertation, "The Spies We Trust: Third Party Service Providers and Law Enforcement Surveillance." The following table from his research provides strong evidence that encryption has not been interfering with wiretapping and law enforcement access to content.

The Communications Assistance for Law Enforcement Act (CALEA) of 1994 originally required “telecommunications carriers” to deploy intercept solutions in their networks, but over the years the Federal Communications Commission has interpreted the statute to include Internet access and Voice over Internet Protocol (VoIP) services that are connected with the telephone network. Despite this broad reach, the FBI is concerned that there are still Internet-based communications that are not covered by CALEA, which inhibits its access to communications. To be clear, law enforcement is able to get court orders for access, but it is worried that not all service providers will be ready to provide what is requested.

The current standard for wiretap compliance requires companies to make a good faith effort to comply. Requiring all systems to be exposed to wiretaps is a great way of making systems more vulnerable to computer criminals. The proposed series of escalating fines outlined by the Washington Post is a solution in search of a problem. Cybersecurity is a real problem which the administration characterized as “one of the most serious economic and national security challenges we face as a nation.” Let's not make things even easier for criminals by mandating backdoors into every Internet service!

Thursday, May 2, 2013

LD 1377 - An Act To Protect Cellular Telephone Privacy

I testified today before the Joint Standing Committee on Judiciary in support (with some concerns) of Maine's LD 1377 - An Act To Protect Cellular Telephone Privacy. Soon the testimony of those that attended should be posted on the website maintained by the Legislative Information Office. I was impressed with the thoughtfulness of the testimony I heard and the acuteness of the questions that were asked. It was nice to see democracy at work. What follows is my written testimony.  

TESTIMONY OF ANDREW CLEARWATER
In Support of LD 1377 - An Act To Protect Cellular Telephone Privacy
JOINT STANDING COMMITTEE ON JUDICIARY
May 2, 2013

Senator Valentino, Representative Priest, and esteemed members of the Joint Standing Committee on Judiciary:

My name is Andrew Clearwater and I practice law in Maine.  I teach Information Privacy Law and advise a think tank in DC on privacy matters.  

As our use of technology changes, we must reevaluate whether the legal tools we use continue to work the way we intended.  87% of American adults have a cell phone.   Not only does the majority now use cell phones but they also use cell phones differently.  73% of American adults send and receive text messages and 31% said they preferred texts to talking on the phone.  If this is true, then text messages are quickly replacing phone calls.  The explosive growth in the use of this technology and the very personal nature of the data that is generated and stored have created a policy gap.  The goal of LD 1377, as I see it, is to close that gap by reacting to the changes in technology in a way that preserves privacy while enabling the state government to enforce the laws and protect the public.

The Fourth Amendment of the U.S. Constitution states that “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated....” The question posed by this and case law interpreting it is: What is society prepared to recognize as ‘reasonable’? It is important for privacy protections to be applied in a clear and consistent way and LD 1377 allows that by making clear what we want to recognize as reasonable.

States have an opportunity to lead in this space. If you look to the primary federal legislation, the Electronic Communications Privacy Act (ECPA), it hasn’t been updated since 1986. Just for reference, the movie Ferris Bueller's Day Off came out in 1986. Think about how much technology has changed since then. Think about the computer he used to change his grades. Think about the size of the phone he used to call his friend Cameron. Today, under federal law, law enforcement must get a warrant to access texts that have been stored 180 days or less. After 180 days have passed, as long as prior notice is given, this requirement is reduced to a subpoena or court order. The reasoning for this reduction in privacy is that the communications have been abandoned. This abandonment does not reflect the expectations of users and LD 1377 improves upon this approach by providing consistent warrant protections.

One of my concerns with LD 1377 is that by grouping the less sensitive meta data with the more sensitive message content, the law leaves no room for less privacy invasive investigations.  For example, as the law stands now, law enforcement might choose to request meta data first because they see that information as relevant to their case.  That initial inquiry might end if nothing of interest is found.  By raising the bar for accessing this less sensitive meta data, it becomes more likely that law enforcement will request all of the data including the message content once they have demonstrated probable cause.  If there is a less invasive way to rule innocent people out of an investigation, we should not get rid of it.

This is a chance for Maine to step out in front on this issue to protect the citizens of this state in a way that meets our sense of reasonableness while preserving the tools that law enforcement needs to keep us safe.  While I have concerns about the approach of grouping the data as LD 1377 proposes, I support the clarity and consistency that LD 1377 brings to warrant requirements for text messages.  I have included a chart to outline some of the key changes in treatment that LD 1377 proposes. The goal, moving forward, should be clarity.  LD 1377 makes it easier to identify the standard for legally requesting data from an electronic communication service.

[This table is provided for informational purposes only and does not constitute legal advice]

Friday, Dec 28, 2012

Attorney Use of Dropbox: Reducing the Risk

As a partial follow-up to the "PUTTING CLIENT DATA IN THE CLOUD" post, it is worth highlighting a technical solution to some of the risks of the cloud: client-side encryption. Many cloud services offer encryption while files are at rest and HTTPS for secure encrypted access over the web. A possible concern with this approach is that while you can set a password to limit access to an account, if the cloud service provider is the one encrypting the information you upload, then the provider holds the keys and can access the data. This data access is governed by the terms of service agreement, but it often means that the cloud service provider will release your data upon service of a warrant or even to third party vendors, depending on the terms of the agreement.

A simple solution to this problem, if you are under an obligation to keep the documents stored under the service confidential, is to make sure that the cloud service provider never has access to the keys needed to encrypt and decrypt the data. By doing this, a service like Dropbox would merely be holding a container of scrambled information that is useful only to you, the holder of the keys.

There are many solutions that allow you to keep control of your keys that encrypt and decrypt the data. Two are worth highlighting here for lawyers that are interested in using Dropbox or a similar service.

First, a good secure solution that mirrors many of Dropbox's features is SpiderOak. The service is slightly more complex to set up than Dropbox, but it comes with client-side encryption options built in, which increases security but also the risk of data loss. If you elect to keep your own encryption keys, make sure you are backing up that information or you may be opening up your data to new risks!

Second, a program called BoxCryptor can be used in conjunction with Dropbox to manage an encrypted container within Dropbox. This tool pre-encrypts the data before sending it to Dropbox, but be aware that only the data put into this specific folder is protected. The tradeoff of BoxCryptor is that it allows lawyers to continue to use a service that they may already be familiar with, but it adds another layer of complexity by requiring another tool.
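The flow described in this post, as an added sketch that is not code from the post, SpiderOak or BoxCryptor: the key is generated and kept outside the synced folder, and only the encrypted copy is written into it. It assumes the third-party Python `cryptography` package; the folder names, file names and function names are hypothetical.

```python
import os
import tempfile
from pathlib import Path

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def create_key(key_path: Path, sync_dir: Path) -> bytes:
    """Generate a 256-bit key and store it outside the synced folder."""
    if sync_dir.resolve() in key_path.resolve().parents:
        raise ValueError("key file must not be stored in the synced folder")
    key = AESGCM.generate_key(bit_length=256)
    key_path.write_bytes(key)
    key_path.chmod(0o600)  # owner-only; back this file up separately
    return key


def encrypt_into(key: bytes, src: Path, sync_dir: Path) -> Path:
    """Write nonce || ciphertext || tag into the folder the provider syncs."""
    nonce = os.urandom(NONCE_LEN)  # fresh nonce for every encryption
    dst = sync_dir / (src.name + ".enc")
    dst.write_bytes(nonce + AESGCM(key).encrypt(nonce, src.read_bytes(), None))
    return dst


def decrypt_from(key: bytes, enc: Path) -> bytes:
    """Return the plaintext; raises InvalidTag on a wrong key or altered file."""
    blob = enc.read_bytes()
    return AESGCM(key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def demo() -> dict:
    """Run the flow on a constructed memo inside temporary directories."""
    memo = b"constructed sample: privileged client memo"
    with tempfile.TemporaryDirectory() as tmp:
        sync_dir, local = Path(tmp, "Dropbox"), Path(tmp, "local")
        sync_dir.mkdir()
        local.mkdir()
        (local / "memo.txt").write_bytes(memo)
        key = create_key(local / "vault.key", sync_dir)
        enc = encrypt_into(key, local / "memo.txt", sync_dir)
        return {"synced": sorted(p.name for p in sync_dir.iterdir()),
                "plaintext_synced": memo in enc.read_bytes(),
                "roundtrip": decrypt_from(key, enc) == memo}


if __name__ == "__main__":
    print(demo())
```

In this sketch the file name and approximate size of each document remain visible to the storage provider; only the contents are protected.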

All of this information has to come with the usual disclaimer that this is not legal advice but rather information that you can use after investigating the rules and regulations applicable to your business and the obligations you must meet regarding data confidentiality. For a more comprehensive article addressing the topic of client‐side encryption, check out this article in LawPractice Today.