Wednesday, December 10, 2014

The NSA is Coming to Town

Uncomfortably funny seasonal music video from the ACLU, The NSA is Coming to Town


Note to Virgin Media Web Safe team re APPG website block

On the advice of Virgin Media Twitter responder LB, I've written to their Websafe people at websafefeedback@virginmedia.co.uk
Hi folks,

Just to let you know Virgin Media WebSafe seems to be blocking my access to the website of the All Party Parliamentary Group on Extraordinary Rendition. One of your folk on Twitter suggested I email you about it.

Twitter, if it's any help, is also blocking me posting tweets including the url of the site, 

http://www.extraordinaryrendition.org/

Both your bots and Twitter's seem to think the site is compromised with malware. If so it would be appropriate to alert them. If not, given the publication of the US Senate report on torture yesterday, it is an inopportune time to be blocking a parliamentary site connected with such subject matter.

Regards,

Ray Corrigan

-- Ray Corrigan, Senior Lecturer in Maths, Computing and Technology, Open University -------------------------------------------------------------------------------- IMPORTANT: Please be aware that this message has, quite likely, been harvested and possibly processed by the NSA, under §1881 FISAAA (now s702 FISA as amended) and by GCHQ neatly bypassing the Regulation of Investigatory Powers Act (RIPA) via Tempora and other bureaucratic means. In relation to the NSA, I accept that I am, after all and in fairness to the good guys in the NSA, entirely guilty of the charge of not being a US citizen. By reading this email, you agree, on behalf of your employer and associates, to release me from all obligations and waivers arising from any and all non negotiated agreements, licenses, terms-of-service, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any such "agreements" on behalf of your employer and relevant associates. My small print trumps yours and any and all attempts to circumvent the letter and spirit of the UK Unfair Contract Terms Act 1977 and equivalent level-the-playing-field statutory instruments in other jurisdictions. I particularly reject the Uniform Computer Information Transactions Act (UCITA). This email is intended for the use of the individual addressee(s) named above and may contain information that is confidential privileged or unsuitable for overly sensitive persons with low self-esteem, no sense of humour or irrational religious beliefs. If you are not the intended recipient, any dissemination, distribution or copying of this email is not authorised (either explicitly or implicitly) and constitutes an irritating social faux pas. Unless the words absquatulation, witzelsucht, strikhedonia and pneumonoultramicroscopicsilicovolcanoconiosis have been used in their correct context somewhere other than in this warning, they do not have any legal or grammatical use and may be ignored. No animals were harmed in the transmission of this email. The cats treating my garden as Grand Toilet Central, however, are courting a super soaker blasting. Those of you with an overwhelming fear of the unknown will be gratified to learn that there is no hidden message revealed by reading this warning backwards, so just ignore that Alert Notice from Microsoft. However, by pouring a complete circle of salt around yourself and your computer you can ensure that no harm befalls you and your pets. If you have received this email in error, please add some nutmeg and egg whites, whisk and place in a warm oven for 40 minutes. Thank you for your cooperation -------------------------------------------------------------------------------- This e-mail has not been scanned for all known viruses.

Note to chair of APPG on extraordinary rendition

I've written to the chairman of the All-Party Parliamentary Group on Extraordinary Rendition, Andrew Tyrie MP, explaining Virgin Media and Twitter appear to be still blocking access to their website.

Dear Mr Tyrie,

Just a short note to let you know that my efforts to access the website of your All Party Parliamentary Group on Extraordinary Rendition last night proved futile, since my communications service provider, Virgin Media, were blocking access to it. I basically got re-directed to a page saying:

"Sorry, Web Safe has blocked this site
This site has been blocked by Web Safe because it's listed as having malicious content. It could put your personal and financial information at risk or cause damage to your files.
Find out more about Web Safe Sign in to My Virgin Media to change your Web Safe settings If you don’t think this page should have been blocked, let us know.”

Additionally when I attempted to post a couple of notes about this on Twitter, Twitter blocked those too with the following message:

"This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later."

I then noted on Twitter what had happened without using your website address and it accepted that.

Virgin Media have informed me via Twitter today that they are not blocking your website. I nipped home from the office at lunchtime to check that and found my home computer still being redirected to their warning about malicious content when I attempted to access the APPG site. Twitter also appears to be continuing to block posts containing the web address of your site http://www.extraordinaryrendition.org/

I suspect the problem is automated filtering software rather than any deliberate attempt by these companies to deny access to the APPG materials. Nevertheless, I would suggest asking your technical experts to look into the problem and perhaps follow up with Virgin Media and Twitter.  The irony of the APPG being censored, accidentally or otherwise, on the day the Senate Intelligence committee released the executive summary of their report into CIA interrogation and detention programmes will not be lost on you. The work you are doing in the APPG is extraordinarily important and it would be unfortunate if public access to it is inappropriately curtailed.

Regards,

Ray Corrigan

Tuesday, December 09, 2014

Virgin Media blocking website of Parliamentary group on rendition

Virgin Media appear to be blocking the website of the All-Party Parliamentary Group (APPG) on Extraordinary Rendition. As Chair of the group, Andrew Tyrie says, the
"APPG is a Parliamentary body with over sixty members, both Members of the House of Commons and the House of Lords.
You can visit the APPG’s website here"
Except you can't as a Virgin Media customer since you get re-directed to a page saying

Sorry, Web Safe has blocked this site

This site has been blocked by Web Safe because it's listed as having malicious content. It could put your personal and financial information at risk or cause damage to your files.
Find out more about Web Safe Sign in to My Virgin Media to change your Web Safe settings If you don’t think this page should have been blocked, let us know.
For information, Virgin Media, your web labyrinth is too tortuous for sentient human beings so I'm letting you know from here.

Interestingly, when I attempted to post two separate messages on Twitter about this, Twitter blocked me too:
"This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now. Please try again later."
 My messages:
" blocking website of All-Party Parliamentary Group on Extraordinary Rendition  Tell Andrew Tyrie MP?"
and
"Twitter blocked me posting  blocking website of All-Party Parliamentary Group on Extraordinary Rendition "
I've made several later attempts to post the message all resulting in the same blocking message - the Twitter bot accusing me of spamming or engaging in malicious activity.

Is it possible the APPG website has been compromised and Twitter and Virgin Media are right?

Either way Mr Tyrie, who I heard doing a valiant job of trying to educate some BBC broadcast journalists on extraordinary rendition this evening, should be informed.

Wednesday, December 03, 2014

Cory Doctorow on practical privacy


Privacy as Innovation with Cory Doctorow from Lovisa on Vimeo.

Cory has:
  • An encrypted hard drive on his computer
  • An encrypted phone
  • He installs a jail broken version of Android (CyanogenMod) which has lots of better privacy stuff built in
  • He uses Cryptocat to have sensitive real-time communications
  • He uses PGP for email (full disclosure - it was Cory that finally prompted me some years ago to dust off my PGP keys)
  • He tries to use PGP routinely with everyone he knows who has a PGP key hence routine email traffic is all encrypted and any interceptions can't been instantly filtered as the potentially interesting or sensitive ones because they happen to be the only ones encrypted
  • He uses The Pirate Bay's Peter Sunde's IPREDator proxy service to proxy his traffic especially on untrusted networks
  • He uses SSL and TLS on his server, craphound.com to allow him to communicate with it securely and the same with boingboing
  • All his passwords are very long, randomly generated strings; ideally 128 printable characters, all kept on a file separately encrypted on his computer hard drive but nowhere else (apart from a backup). When he needs to enter a password he goes to that file and copies and pastes the passwords but doesn't remember them. He has only one password he can remember - to access the encrypted file of passwords
  • He has an encrypted hard drive he backs up to at the office and another that he backs up to at home
Things need to be a bit simpler for ordinary people... 

He does believe though we have not reached peak surveillance, we may have reached peak indifference to surveillance. So people may now start asking for built in privacy features in technology to a degree that will rein in the dominant surveillance business model of the internet and the surveillance state.

Monday, December 01, 2014

Email to MP re Counter Terrorism and Security Bill

The 2nd reading of Counter Terrorism and Security Bill is due in the House of Commons tomorrow.

Prompted by the Open Rights Group I've written to my MP, Nicola Blackwood, about it. Copy of my email below. Some of ORG's concerns are outlined in their briefing on the Bill.
Dear Nicola,

The latest government proposal, the Counter Terrorism and Security Bill, gives me cause for significant concern.

The ill-judged Data Retention and Investigatory Powers Act was, as you know, rushed through as emergency legislation without proper parliamentary scrutiny in the summer, the week before MPs went on holiday.  The use of the murder of Fusilier Lee Rigby as an excuse for introducing these new measures, expanding DRIPA and the further expansion of additional surveillance powers, is unconscionable.

With an election round the corner, we should hardly be surprised that party managers might be encouraging senior figures to ramp up their “tough on terrorism” rhetoric. However, Lee Rigby, who dedicated his life to defending the freedoms we enjoy in the UK, deserves better from our political leaders.

The UK survived two world wars, the cold war, multiple other military adventures and domestic bombing and violence orchestrated by groups like the IRA. Yet in the face of small numbers of violent religious extremists, successive UK governments, in the past 15 years, have normalised mass surveillance and done more damage to the legal infrastructure protecting our fundamental freedoms than any collection of deranged vicious clowns with access to dangerous weapons could do in a lifetime.

The Counter Terrorism and Security Bill is unfortunately building further on that trend.

1.       It introduces an obligation on public bodies including universities, schools, nurseries and councils to prevent terrorism. I've read this section 21 provision of the Bill repeatedly in the hope of making some sense of it. Yet the truth is, as a university educator with an interest in law and technology, I have genuinely no idea of what it is going to mean in practice.
   
2.       It expands the kind of meta-data that ISPs are being required to hold onto to help identify our IP addresses. This fundamentally misses the subtlety that an IP address denotes a device, not a human being.

3.       Mobile Phone companies do not currently log IP addresses because of differences in the technology to mainline broadband providers. They have been told they have to find a way. This will cost the taxpayer £100m over 10 years.

4.       The problems with the Bill are much wider than digital rights concerns. It also includes temporary exclusion orders, banning suspects from Britain for two years, even if they are British citizens.

5.       We are not currently facing a national emergency, so Parliament should not rush through this kind of legislation. We need proper scrutiny by MPs, Peers and civil society.

6.       The European Court of Justice (in the Digital Rights Ireland case this year) ruled that blanket data retention was incompatible with of articles 7, 8 and 52(1) of the Charter of Fundamental Rights of the EU. New laws should comply with that judgment. Neither DRIPA nor this proposed new Bill do so.

7.       The ECJ said that there should be a relationship between the data being retained and a threat to public security. However there are no restrictions to time, place or people in this Bill.

8.       DRIPA is even now the subject of a legal challenge, brought by the Open Rights Group and Liberty challenge. It may well be found illegal, while these new provisions are still being paid for.

Could I recommend for your review, the same Open Rights Group's analysis of the proposals in this Bill, available at https://www.openrightsgroup.org/ourwork/reports/briefing-on-counter-terrorism-and-security-bill  

Again you will not be surprised, given our previous correspondence, that I'm of the view that existing mass surveillance activities and powers need reigning in not expansion. Indeed the coalition government came to power on a promise of cracking down of the worst excesses of the previous government's database state. Rather than fulfilling that promise the current government has normalised and expanded these operations and powers. I hope when history comes to be written it will not judge the coalition's performance favourably on that score. Only then will we be sure that fundamental freedoms, under sustained attack by comparatively tiny numbers of terrorists and the bulk of the current, often well-intentioned but scientifically, mathematically and technically illiterate mainstream political classes, have survived intact.

Regards,

Ray

Sunday, November 30, 2014

Unconscionable political exploitation of Lee Rigby murder

Copy of my article in The Conversation about the ISC report into Fusilier Rigby's murder below.

The Intelligence and Security Committee (ISC) of Parliament has now released its 191-page report into Lee Rigby’s murder. The report concludes that even though the ISC “discovered a number of errors,” the murder could not have been prevented by the intelligence and security services.

Instead, the blame seems to have been put decisively on Facebook, which one of Rigby’s killers apparently used to discuss “killing a soldier” several months prior to the murder. This despite the fact that the security services were apparently well aware of the killers and their motives, independent of their social media presence.

Michael Adebolajo, the controlling mind in the murderous attack on Fusilier Lee Rigby, was first arrested in 2006 at a protest against Danish cartoons he perceived to be insulting to the prophet Muhammad. By the autumn of 2008, he was on MI5’s radar as having potential connections with al-Qaeda and by 2011 was the object of close surveillance.

Between then and April 2013 – when the intensive surveillance of Adebolajo was cancelled since there was “no indication of a national security concern” – he had multiple encounters with police and security services. A month later, Rigby was brutally murdered.

 

Counter-claims

Adebolajo claims MI5 attempted to recruit him as an informant – claims the UK government refuses to comment on, citing national security – and accuses MI6 of tacit complicity in alleged beatings and torture threats he received when detained by Kenyan police in 2010. He had travelled to Kenya with the apparent intention of joining extremists in Somalia.

Adebolajo’s partner in the murder, Michael Adebowale, came to MI5’s attention in August 2011 as a result of his interest in online extremist material and the intelligence services were aware of the two’s close connections. They nevertheless eventually considered Adebowale a low-level threat unworthy of their continuing attention.

By detailing various communications problems between police and security services and between the various branches of the intelligence services themselves and the inferences drawn from knowledge of the activities of Lee Rigby’s attackers, the report does a decent job of illustrating that security and intelligence systems are imperfect.

We can never be 100% secure, because these systems and agencies can and do fail – they fail naturally through human and technical and communications errors and they can be made to fail by actors with malign and, in this case, murderous intent.

What seems odd about the report and the ensuing media frenzy, however, is how Facebook has been framed as the single entity that could have prevented the murder.

Paragraph 17 of the report notes:
We have found only one issue which could have been decisive. This was the exchange – not seen until after the attack – between Adebowale and an individual overseas (FOXTROT) in December 2012. In this exchange, Adebowale told FOXTROT that he intended to murder a soldier. Had MI5 had access to this exchange, their investigation into Adebowale would have become a top priority. It is difficult to speculate on the outcome but there is a significant possibility that MI5 would then have been able to prevent the attack.
Paragraphs QQ to VV of the recommendations and conclusions go into this claim in a little more detail, saying: “Adebowale expressed his desire to murder a soldier “in the most explicit and emotive manner.” It then criticises US big tech companies for their lack of cooperation with government on fighting terrorism.

Happy though I usually might be to criticise Facebook or big tech – if more for their own anti-privacy practices than their lack of co-operation in counter-terrorism – it’s a bit of a stretch to suggest a giant beam of enlightenment would have engulfed the security services if Facebook had only shouted loudly enough, “look at this!”.

They were already aware of extreme views expressed by Adebowale on the net – and even Adebolajo, considered the more dangerous of the pair, was providing no continuing indication of a national security concern.

Brazen

For David Cameron and Theresa May to turn the deranged murder of a young soldier by damaged extremists into a political device for rehashing discredited surveillance proposals is unconscionable. It’s also not supported by the report: two members of the ISC have already criticised the notion that their work supports the further expansion of surveillance powers the government is now proposing.

Of course, with an election round the corner, we should hardly be surprised that party managers might be encouraging senior figures to ramp up their “tough on terrorism” rhetoric. The sad thing is to see how the media has uncritically swallowed the “blame Facebook” mantra hook, line and sinker.

Lee Rigby, who dedicated his life to defending the freedoms we enjoy in the UK, deserves better from our political leaders, from our media outlets and frankly, from all of us.

Friday, November 28, 2014

The computer says no - algorithmic auto-dialer credit card security?

An acquaintance was telling me they had their credit card refused recently when attempting to purchase a couple of items online.

Minutes later the phone rang. Lucky enough they were at home to receive the call. It was an automated dialer claiming to be from the bank that the credit card was issued by. The automated voice asked if they were the holder of the credit card.

They were the joint holder of the card but the auto-dialer was asking if they specifically were the other card holder...

If yes press 1, if no press... you get the picture.

No was pressed, called ended, card continued to be blocked.

Later in the evening the auto-dialer tried again. This time the other joint cardholder happened to be the one at home and answered the phone.

Are you Jo Soap? If yes press 1, if no...

Jo pressed 1.

On it went with verification questions -

  • Here's three years, we'd like you to pick the one you were born in
  • Enter the day and month of your birth
  • Confirm whether the following transactions or attempted transactions were at your instigation
There followed, in quick succession, details of 4 transactions using the credit card in the previous couple of weeks which they were asked to verify or disown. My acquaintance's partner verified and got an automated message to say the card would now be unblocked and could be used again.

Now I don't know about you but I have very little recollection of my precise credit card transactions of the past couple of weeks. There have been some fuel purchases but I couldn't tell you exactly how much - somewhere in the £50 to £60 ballpark. Anything online? When did I get that obscure maths book via Amazon? What about the trip to the dentist? Months ago surely? Christmas presents - not organised enough for that? Don't recall exactly?

At no point did Jo speak to a real person. The machine made the decision. What would have happened s/he had not been able or prepared to verify the listed items who knows, other than having the block on the card continue and the need to get into telephone tag hell with the credit card company, through one or other of their "help"-lines.

Can credit card or security folks familiar with current practices tell me if this is for real?

What happens, particularly at this busy time of the year, if someone under pressure on the phone cannot instantly remember or confirm the precise details of recent purchasing or attempted purchasing transactions?


What happens if the card is jointly held by two card holders and the person automatically dialed is not the card holder whose transactions are being doubted?

What happens if unbeknownst to one partner, another is arranging a surprise purchase?

What happens if one partner is overseas and has their card blocked and the one home alone is not allowed to verify and can't reasonably be expected to instantly verify attempted transactions?

What happens if the person automatically dialed doesn't recollect the full details of recent credit card transactions sufficiently confidently to verify the list the auto-dialer requires an instant response to?

Well in all these circumstances the card will inevitably be blocked and the card holder gets to experience pariah-hood, inconvenience, stress and embarrassment.

All because an algorithm didn't like the look of that transaction they were innocently attempting to expedite and treated them like a criminal.

Incidentally on the other end of the scale, what happens if in the thick of the pressure of this, er, security check, the card holder confirms/verifies a purchase on which there was an overcharging error by the retailer?

I'd guess the credit card company would highlight the cardholders mistake in refusing and responsibility if the error was later noticed...

So, Dear Mr credit card company,

If you'd like to do a security check that's fine. But running it via autonomous algorithms and auto-dialers absolutely does not cut-it.

Signals and algorithmic intelligence is all very fine and dandy, really useful indeed if appropriately deployed when it comes to security. However, when it comes to people there is no match for caring human intelligence.

Thursday, November 27, 2014

UK government seek to ban extremist speech in educational institutions

One of the little commented upon sections of the UK government's latest tough-on-terrorism proposed law, the Counter-Terrorism and Security Bill (HC Bill 127), is Section 21 General duties on specified authorities. This reads (or part thereof at least);

21 General duty on specified authorities

(1) A specified authority must, in the exercise of its functions, have due regard to
the need to prevent people from being drawn into terrorism.
(2) A specified authority is a person or body that is listed in Schedule 3.
(3) In the case of a specified authority listed in Schedule 3 in terms that refer to a
particular capacity that it has, the reference in subsection (1) to the authority’s
functions is to its functions when acting in that capacity.
The "specified authorities" as detailed in Schedule 3 of the Bill includes educational institutions -

"Education, child care etc

The governing body of an institution within the higher education sector
within the meaning of section 91(5) of the Further and Higher Education Act
1992.
A person with whom arrangements have been made for the provision of
education under section 19 of the Education Act 1996 or section 100 of the Education and Inspections Act 2006 (cases of illness, exclusion etc).
The proprietor of—
(a) a school that has been approved under section 342 of the Education
Act 1996,
(b) a maintained school within the meaning given by section 20(7) of the School Standards and Framework Act 1998,
(c) a maintained nursery school within the meaning given by section
22(9) of that Act,
(d) an independent school registered under section 158 of the Education
Act 2002,
(e) an independent educational institution registered under section
95(1) of the Education and Skills Act 2008, or
(f) an alternative provision Academy within the meaning given by
section 1C of that Act.
A person who is specified or nominated in a direction made in relation to the exercise of a local authority’s functions given by the Secretary of State under
section 497A of the Education Act 1996 (including that section as applied by
section 50 of the Children Act 2004 or section 15 of the Childcare Act 2006).
A person entered on a register kept by Her Majesty’s Chief Inspector of
Education, Children’s Services and Skills under Part 2 of the Care Standards Act 2000.
The governing body of a qualifying institution within the meaning given by
section 11 of the Higher Education Act 2004.
The provider of education or training—
(a) to which Chapter 3 of Part 8 of the Education and Inspections Act 2006 applies, and
(b) in respect of which funding is provided by, or under arrangements
made by, the Secretary of State or the Chief Executive of Skills
Funding.
A person registered under Chapter 2, 2A, 3 or 3A of Part 3 of the Childcare Act 2006 or under section 20 of the Children and Families (Wales) Measure
2010 (nawm 1).
A body corporate with which a local authority has entered into
arrangements under Part 1 of the Children and Young Persons Act 2008.
The governing body of an educational establishment maintained by a local authority in Wales.
The governing body or proprietor of an institution (not otherwise listed) at
which more than 250 students, excluding students undertaking distance
learning courses, are undertaking courses in preparation for examinations
related to qualifications regulated by the Office of Qualifications and Examinations Regulation or the Welsh Assembly Government."
So all these bodies associated with education in some form
"must, in the exercise of its functions, have due regard to the need to prevent people from being drawn into terrorism."
Can anyone tell me what that actually means?

The good folk at the Guardian seem to think it will require universities, for example, to ban extremist speakers. The Bill doesn't actually say that but I guess might be interpreted as such.

Additionally the Bill, if enacted in its current form, would provide the Secretary of State with Henry VIII powers to amend schedule 3 - i.e. unilaterally decide if any other institutions should fall within the scope of the obligation to "have due regard to the need to prevent people from being drawn into terrorism."

Under section 21(4), however, parliamentarians are excused the duty to  "have due regard to the need to prevent people from being drawn into terrorism."

21 General duty on specified authorities

[...]
(4) Subsection (1) does not apply to the exercise of—
(a) a judicial function;
Counter-Terrorism and Security BillPage 14
(b) a function exercised on behalf of, or on the instructions of, a person
exercising a judicial function;
(c) a function in connection with proceedings in the House of Commons or
the House of Lords;
(d) a function in connection with proceedings in the Scottish Parliament;
(e) a function in connection with proceedings in the National Assembly for
Wales.
No obligation, then, to stop introducing extremist, overreaching draconian police-state legal infrastructures, causing untold grief and havoc to us and future generations. Specks and planks in eyes come to mind, as does the notion that what we need is not another Counter-Terrorism and Security Bill (HC Bill 127) but, given the incumbent Home Secretary, a Counter Theresa-ism And Security Bill.