Quoted in an article by SC Magazine concerning the State Department’s silence on matters of global privacy and cybersecurity practices, Alexander Urbelis opined that this silence is “hardly surprising” given the inconsistent messaging from the administration, executive, and legislative components of federal and state government.
Going further, Urbelis stated that “If State takes a laudatory position on the UN resolution that offline human rights should be similarly protected online, then State is implicitly endorsing the work of digital rights activists, which could be seen to be at loggerheads with the administration's position on whistleblowers.”
The article, published by SC Magazine, is entitled 'State Dep't Crippled by Cyber Practices, Inconsistent Messaging from US Agencies' and was inspired, in part, by comments about cybersecurity that President Obama made this past weekend at two separate events.
The DHS Intelligence Unit was scolded in an Inspector General report for its lack of business continuity and disaster recovery planning. Alexander Urbelis was quoted by SC Magazine in an article addressing these failures, plans for improving business continuity preparedness, and the reasons for the major backlog of DHS Freedom of Information Act requests.
The SC Magazine article is entitled, 'Report: DHS Intelligence Unit Lacks Adequate Oversight for Continuity Capabilities' and was based on the DHS Office of the Inspector General report of 16 May 2016, entitled 'Office of Intelligence and Analysis Can Improve Transparency and Privacy.'
As a correspondent for the Oxford Martin Cybersecurity Capacity Portal, Alexander Urbelis published an article on the impact that the debate over encryption regulation and legislation is likely to have on corporate defenses.
Blackstone Law Group will also be speaking about this topic later this week at the Inside the Dark Web conference in New York City. Please contact us if you would like to attend the conference as our guest.
On 12 May 2016, at the ‘Inside the Dark Web’ conference held in New York, Black Chambers will weigh in on the long-lasting and largely undiscussed implications of the ongoing legal battles over encryption.
Taking center stage in the debate over whether encryption should be regulated at the device level was the federal court repartee between the FBI and Apple. Much has been said about the merits of the arguments on both sides, but little has been discussed about the long-term unintentional consequence of weakening corporate defenses against malicious activity ongoing on the dark web. Our panel will address three components of this direct collision of law and information security.
First, we will address the disposition of the FBI v. Apple legal battle. Two of our panel participants were intimately involved in the legal battle between 2600 Magazine and the MPAA (Universal Studios v. Reimerdes), being cited for the somewhat shaky proposition that source code should be protected by the First Amendment.
Second, our talk will delve into the often-overlooked State legislation that proposes to regulate encryption on mobile devices and elsewhere, and the status of the UK's Investigatory Powers Bill. The focus of this portion will be on the breadth of the legislation and its possible negative effects on corporate security.
Finally, options for securing and protecting data using existing encryption products and services will be explored. Whether the FBI v. Apple legal battle, or State or international legislation, will impact such services will be assessed. Critically, however, this portion will focus on the policies and practices of cloud service providers, and the best options for a company to legally secure its own data, both from the prying eyes of malicious actors and from governmental or regulatory overreach.
Black Chambers, together with the Blackstone Law Group, spoke about the ongoing battle between ISPs and copyright holders at the first annual BloomCon Digital Forensics Conference held at Bloomsburg University on 5 February 2016.
Focusing on the landmark decision coming out of the US District Court for the Eastern District of Virginia between Cox Communications and BMG Rights Management, Black Chambers discussed the information security and legal implications of the decision and jury verdict that removed DMCA immunity from Cox Communications and held it accountable for the copyright-infringing activities of its customers, to the tune of 25,000,000 USD.
Stepping through the legal reasoning of the decision to remove DMCA immunity from Cox, Black Chambers provided a detailed account and analysis of the internal Cox e-mails that articulated sham “under the table” DMCA compliance policies designed to “collect a few extra weeks of payment” that were directly attributable to Cox’s loss. A clear takeaway was that had these legal DMCA compliance discussions occurred with an attorney – i.e., within the zone of protection of the attorney-client privilege – the damaging e-mails that led to Cox’s loss would not have been made public, and Cox would have very likely prevailed.
Going further, Black Chambers and Blackstone Law Group discussed the information security and compliance issues facing communications carriers resulting from this decision, the effects of enhanced DMCA accountability and user monitoring, and the anti-forensic countermeasures expected to be employed to stymie such efforts.
For a copy of our slide deck and presentation, or to speak further about this issue, please contact us.
The Consumer Fraud Protection Bureau issued its first enforcement action for misrepresenting data security practices. In the simplest terms possible, the CFPB has made it clear that if companies are going to ‘talk the talk’ about data security practices, they also have to ‘walk the walk.’ In addition to a $100,000 fine, the CFPB ordered online payment systems operator Dwolla to take immediate steps to ramp up its security practices on many fronts.
Though hitherto never exercised in the data security context, the CFPB derives its authority to regulate from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Dodd-Frank provides the CFPB power to take action against institutions engaged in “unfair, deceptive or abusive acts or practices.” Signalling that data security practices are within their jurisdiction and in their sights, the CFPB’s scathing press release about Dwolla’s deceptive practices indicates further enforcement is sure to come.
Several facts make this action especially interesting and relevant to data security planning and practices:
1. There was no data breach. Historically, any regulation or fine was a direct result of some form of breach that led a regulator to inquire about company practices. This is an enforcement action without any such precursor, and means that any company with public-facing statements about data security practices can be subject to scrutiny.
2. Dwolla’s policies made explicit statements that their practices “exceed[ed]” or “surpass[ed]” industry data security practices, including PCI-DSS. On examination, Dwolla’s practices fell far short of anything even beginning to resemble sound data security practices, and included misrepresentations about the amount of data encrypted, security implemented, and transmission of sensitive data as clear text.
3. Dwolla management now has an ongoing reporting requirement to the CFPB for a period of five (5) years about its security practices and posture. It also established an affirmative obligation of the Dwolla Board of Directors to review all “plans, reports, programs, policies, and procedures,” before these documents are submitted to the CFPB. Obliging the Board is an overt demand for responsibility and accountability on CFPB’s part, and is likely to be part of any future enforcement action.
This is a blaring wake-up call to companies housing, collecting, or processing personal or financial data. In the words of the CFPB, “deception about security and security practices is illegal.” Review, revision, and auditing of security policies is a must.
Government regulation of data security is on the rise. And there is the possibility of regulatory scrutiny from multiple federal and state agencies with often overlapping and unclear jurisdictional boundaries.
These are necessary and sufficient reasons for a company’s data security practices and planning to be performed in a legally privileged context and overseen by experienced attorneys who are themselves information security professionals.
Sometimes the signal to noise ratio can unintentionally function as a security feature. In other words, if you are a needle hiding in a haystack, the hay protects and provides the cover of camouflage. E-Discovery turns this analogy on its head, which is why information security for law firms and e-Discovery vendors is a pressing and critical issue.
The very nature of the expansive disclosure obligations amongst parties to a litigation under US and UK law means that vast quantities of data are going to be transferred between the players. The process by which this occurs is familiar to lawyers, especially younger associates who have been delegated the unenviable task of sifting through thousands of e-mails, documents, and reports to identify the very high-grade ore amongst the rubble dumped on their firm. As for the side doing the dumping, e-mails, documents, and reports which are considered trade secrets, privileged, or otherwise confidential and non-responsive have been tagged and culled before the exchange of data.
In short, the hay has been sifted and all the needles identified.
If these needles are the digital equivalent of trade secrets, privileged communications, confidential business plans, or any other sort of data that should not make its way to the public domain, then perimeter security surrounding this data at rest should be – at a minimum – viewed as a best practice.
In an article published recently by Bloomberg BNA, Gabe Friedman makes several excellent recommendations for drafting protective orders that require a receiving party be responsible for reasonable information security practices when receiving and handling data during the discovery phase of a litigation.
Friedman recommends litigants should require their adversaries to do the following:
1. Sign a protective order attesting that the receiving law firm meets certain basic cybersecurity protocols and that it indemnifies the disclosing party against any risk of breach;
2. Use a trusted e-Discovery vendor; or
3. If all else fails, the party must access the data through a separate trusted e-Discovery vendor.
These recommendations, however, raise several additional issues for law firms and litigants, especially in light of the alarming prediction that 80% of the top 100 law firms have already been compromised. Namely:
1. What are the basic cybersecurity protocols a law firm should apply as a matter of best practices?
2. Are law firm practices case-specific, meaning do some matters require more information security precautions than others; and if so, which?
3. What is a trusted e-Discovery vendor, and what are the e-Discovery best practices designed to enhance information security?
Add to this the complex issue of auditing the security of your adversary or e-Discovery vendor and you have a hydra-like combination of information security, law, compliance, and judicial economy. And with information security concerns on the rise for litigants and firms alike, these issues are sure to be raised frequently and fervently.
These mixed questions of law and security are the reason why Black Chambers exists. We are here to help establish best information security practices for your firm, and will be there if your organization needs to find a trusted e-Discovery vendor, or audit your adversary.
The San Francisco Chronicle interviewed and quoted Black Chambers CEO, Alexander Urbelis, about the fallout from a controversial injunction ordered against German security research firm ERNW, days before they were to detail vulnerabilities in FireEye's popular malware detection boxes at 44CON in London.
The injunction from a German court essentially functioned as a gag order and required censorship of major portions of the proposed presentation. In the article, Alexander Urbelis discussed the validity of the injunction and the reasons why this type of heavy-handed use of legal process does not sit well with the InfoSec community.
Addressing novel legal theories to combat revenge porn and the technical means available to reduce the risk that explicit photos are retained and shared, Black Chambers CEO, Alexander Urbelis, recently published an article in the NY State Bar Association publication 'Perspectives' entitled, 'The (Il)legalities and Practicalities of Revenge Porn.'
If you watch The Newsroom, you may recall the Season 2 horror, when comely business news anchor, Sloan Sabbith, suddenly realizes that salacious photos of her have been posted on a “revenge porn” site, and were trending on social media.[1] Fiction aside, revenge porn, “or sexually explicit media that is publicly shared online without the consent of the pictured individual,”[2] is a real world problem and becoming increasingly common. The law is reacting, but as is often the case with novel, tech-driven wrongs, most legal redress is cumbersome, ill-fitting, and insufficient.
There are, however, novel legal theories to combat revenge porn at the federal level, and criminal statutes—though of questionable efficacy—at the state level. And, as a practical matter, if a person does share intimate photos, there are technical measures to reduce the likelihood they will remain in another’s possession or subject to misuse.
Revenge Porn and the Law at the Federal Level
A particularly heinous instance of revenge porn involving a current law student has found its way into the U.S. District Court for the Central District of California. Filed by attorneys from K&L Gates, appearing pro bono on behalf of a pseudonymous plaintiff, the complaint alleges that the victim’s ex-boyfriend posted sexually explicit material to revenge porn websites, then contacted the victim’s friends and colleagues to provide direct links to the obscene material.[3]
This unique federal litigation, seeking injunctive relief and damages, relies on copyright law for jurisdiction. The theory is that since the victim created the images, it is she who owns their copyright. The ex-boyfriend, by posting the images without her consent, is violating the Copyright Act of 1976, entitling the victim to injunctive relief.
There is, however, a major hitch to this approach: relying on copyright law requires that the explicit images be registered with the U.S. Copyright Office. This process is not only cumbersome, but unrealistic and painful for the victim. What is more, assuming the injunction is effective as to the ex-boyfriend, no legal relief can prevent further dissemination of the images. A court can grant relief only regarding a single defendant, and cannot enjoin downstream websites from displaying or transferring the offending images, or prevent search engines, such as Google, from displaying disparaging search results that point to these sites.
Another legal tactic, combating revenge porn with Digital Millennium Copyright Act (DMCA) takedown requests, has sometimes had the opposite of the intended effect. Websites have displayed takedown requests with pride to draw more attention (and clicks) to the offending material. The obvious intent behind this brazen disregard is to discourage future DMCA requests, and it is likely that this audacious tactic is effective.
In sum, copyright law may indeed provide a partial remedy for some patient victims willing to jump through the hoops required of the U.S. Copyright Office, but it is hardly a silver bullet.
Criminalizing Revenge Porn
Defining revenge porn as a criminal act is the clearest signal that this conduct will not be tolerated. Only 13 states criminalize revenge porn, and, technically, New York is not one of them.[4] On the international front, Israel was the first to pass a revenge porn statute and the U.K. the latest to tackle the issue.[5] The mere existence of such laws may be a powerful deterrent. But there are practical considerations for successful prosecutions, and the possibility of foreseeable but unintentional consequences on several fronts.
Chief among practicalities, the law must fit the crime. In New York, the first prosecution of revenge porn failed, largely because existing laws did not reach this sort of conduct.[6] Harassment was not an option because the material was not sent to the victim herself; unlawful surveillance was inapplicable because the images were created consensually; and the display of offensive materials was similarly inconsonant because nudity is not, per se, offensive.
Responding to this and other failed prosecutions, on 1 November 2014, an amended version of New York’s unlawful surveillance statute went into effect, criminalizing the recording or broadcast of images of the sexual or private parts of another which are created without consent.[7] Critics have argued that this amendment does not go far enough to protect victims. As a matter of fit, the law is still not a revenge porn statute—it is a re-engineered version of a peeping tom law. As such, the statute does not extend to sexual material created by mutual consent but distributed without the consent of the victim.
Carrie Goldberg, a board member of the Cyber Civil Rights Initiative, who is active in its ‘End Revenge Porn’ campaign, notes that: “In New York it’s criminal to share credit card numbers[8] and pirated music,[9] yet we have no such protections for the far more personal and devastating distribution of private sexual pictures.” Legislation[10] introduced by New York Assemblyman Edward Braunstein would change this, and, according to Goldberg, protect victims regardless of the motive of the distributor, “whether for revenge, entertainment, money, ‘lulz,’ or no reason at all.”[11]
Another practical reason prosecutions fail is for a lack of resources. Revenge porn is a fast-moving, cross-border offense that occurs on several different technological platforms: cameras, smart phones, and web servers. Most local law enforcement and prosecutors do not have the financial, technical, or human resources to track and collect transient forensic evidence across several jurisdictions.
Disappearing Evidence and False Flags
A clear-cut case would look like this: a victim is notified of offending material that can be traced back to an image sent to an ex-boyfriend. The mobile device of that ex-boyfriend contains the image distributed without consent, and distribution can be traced to his IP address and his mobile device. Prosecutions, however, are rarely so straightforward.
The first stumbling block is the image itself. If neither the victim nor the ex-boyfriend have a record or copy of the image (perhaps both upgraded their devices or deleted old messages), then only their mobile carrier(s) will have a record of the initial transmission. Acquiring that data is time-consuming and resource-intensive.
But assuming no problem with the above, the next evidentiary hurdle is proof of distribution. Some exes may be so incensed as to throw caution to the wind, but a thoughtful offender would use a new device and public wi-fi for distribution. Technically astute offenders would use a throwaway device and a virtual private network (VPN), to make it seem as if the distribution originated from China or Russia. Acquiring logs and connection data from a foreign VPN provider (if such records are even kept) is both a crapshoot and a herculean task.[12] But in the prosecutorial context, if you combine this type of anti-forensic behavior with the fact that mobile devices are often lost or stolen, and add to that the prevalence of data breaches and malware, you have something that begins to look very much like reasonable doubt.
With evidence difficult to collect and resources scarce, failed prosecutions may have serious unintentional consequences: discouraging victims from coming forward, deterring further prosecutions, and emboldening potential offenders.
Practical Advice for Cautious Couples
The best way to ensure images never make their way to revenge porn sites is obvious: do not create them. If, however, a person chooses to take and share intimate photos, there are technical measures that can decrease the likelihood of the image being retained and misused.
First: do not send intimate pictures through text message, iMessage, WhatsApp, or any other messaging platform that creates a continuous historical record of activity. Doing so makes it easy for a spurned lover to scroll backwards in time and find revealing photos exchanged during better times.
Second: if you do share private photos, use third-party messaging applications such as Wickr, Silent Circle, or Snapchat that “burn” images after a specified period of time. With these apps, it is possible to specify that the message or image remain with the recipient for as little as ten seconds. While this does not prevent screen captures of images, it does prevent a person from retrieving previously sent images. Further, apps such as Wickr and Snapchat make executing the screen capture function on an iPhone a more cumbersome process, reducing the likelihood that an image will be stored. Snapchat, by far the most popular app for sharing intimate photos, alerts senders when an image has been screen captured.[13]
Third: if sharing is not the goal, do not use an Internet-enabled device to capture private moments. Recall the standalone digital camera, the long-forgotten device used to take pictures and nothing more. Placing several steps between yourself and transmission of a private photo will make it less likely to occur.
Fourth: do not back up intimate photos to a cloud. Many devices, including iPhones, are configured, by default, to keep photos in a cloud’s central repository. Weak passwords and angry exes are an awful combination, and the cloud is an all too easy target.
Fifth and finally: Though unsexy, keep a detailed log of images sent and to whom they are sent. If the relationship devolves into a revenge porn fiasco, those contemporaneous records could be critical to a successful prosecution when evidence from other sources is lacking.
* * *
Technology will always outpace legislation. It is, therefore, no surprise that the legal remedies available to victims of revenge porn are inadequate. Federal remedies are slow, burdensome, expensive, and only partially effective. Criminalizing revenge porn is a strong statement, but also an imperfect solution because of the under-inclusive nature of the proscribed conduct and the ease with which evidence can be destroyed and prosecution frustrated.
What is clear, however, is that victims of revenge porn are seriously and irreparably harmed. The elements and mechanics of criminal statutes and the civil remedies available require further consideration and study. Unless and until such a time, the best defense is a good offense. The more we understand the permanence of our digital footprints and the technical measures at our disposal to reduce them, the better able we, as users, are to avoid the problem of revenge porn altogether.
1. Alan Everly, ‘The Newsroom’ Recap: Sloan’s Nude Photos Go Viral; Maggie’s Losing It, L.A. TIMES, 12 August 2013, http://lat.ms/1DCD0gz.
2. Revenge Porn, WIKIPEDIA, http://bit.ly/1u7p46r.
3. Civil Lawsuit on Revenge Porn, N.Y. TIMES, http://nyti.ms/1AKnHMA.
4. Revenge Porn: U.S. Laws, WIKIPEDIA, http://bit.ly/1MNupZG.
5. Rick Kelsey, Revenge Porn is Being Made a Specific Criminal Offence, BBC NEWSBEAT, http://bbc.in/1FB7HjL.
6. People v. Barber, 42 Misc. 3d 1225(A) (N.Y. City Crim. Ct. 2014).
7. N.Y. PENAL LAW § 250.45.
8. N.Y. PENAL LAW § 165.17.
9. A7811B-2011 (N.Y. 2011); N.Y. PENAL LAW § 275.00.
10. B. A571, 2015 Assem., Reg. Sess. (N.Y. 2015).
11. New York’s proposed revenge porn law establishes the crime of non-consensual disclosure of sexually explicit images as a class A misdemeanor. The bill is available at http://bit.ly/1GuN3Sy.
12. TorGuard, a prominent VPN provider, advertises that it does not keep logs of activity associated with an IP address. Further, it notes that hundreds of users are using any server at any particular time, making attribution of activity nearly impossible. See, Do You Keep Any Log Files, TORGUARD, http://bit.ly/1B5UMlv.
13. A cottage industry of third party applications that surreptitiously capture Snapchat images has developed. However, in recent months, Snapchat has implemented more sophisticated alert measures to combat this. Nothing, however, would detect whether a separate device, such as a camera, was used to photograph the screen of the recipient’s phone while the image was displayed.
Alex Urbelis is a lawyer and hacker with over 20 years of experience with information security. He has worked for the U.S. Army, the Institute for Security Technology Studies at Dartmouth, the CIA, the U.S. Court of Appeals for the Armed Forces, Steptoe & Johnson, and as information security counsel and CCO of Compagnie Financière Richemont SA (Richemont). Alex holds a BA, summa cum laude, in Philosophy from Stony Brook University, a JD, magna cum laude, from Vermont Law School, and the BCL from New College, University of Oxford.
In the wake of the NY Times revelations about a longstanding partnership between the NSA and AT&T, Black Chambers CEO, Alexander Urbelis, published an op-ed on The Intercept arguing that there is nothing novel or illegal about telecom and intelligence partnerships. As a matter of ethics, efficiency, and integrity, however, Urbelis argued for new limits and protections for the processing of foreigners' data within US borders.
There is something disquieting and unwholesome about telecoms feeding our communications to government agencies. It was headline news, again, last month when we learned that AT&T has had a longstanding partnership with the National Security Agency. Unfortunately, this form of private-public intelligence collusion is neither new nor, in my view, illegal. Whether it is immoral is an entirely separate question.
U.S. communications carriers first became partners in the intelligence game shortly after World War I. Diplomatic and military affairs transmitted via telegram to home countries were intercepted and decrypted by the Black Chamber, the NSA’s precursor. Obtaining telegrams then was eerily similar to how communications are obtained today: The government simply asked.
The Western Union Telegraph Company and the Postal Telegraph Company allowed intelligence officers to copy telegrams, and this partnership persisted in peacetime. In 1929, however, Secretary of State Henry Stimson defunded the Black Chamber. His concise, and seemingly naïve, rationale reportedly being: “Gentlemen do not read each other’s mail.”
World War II exigencies overruled Stimson’s moral objections and the United States resumed telegram interception. Starting in 1945, just after the end of the war, this interception widened, and Western Union, RCA, and ITT provided the government, via the NSA and its predecessors the Army Security Agency and the Armed Forces Security Agency, with paper tape, microfilm, and later magnetic tape copies of most international telegrams. This continued unabated for decades after the war and was known as Project SHAMROCK.
NSA shared this data with law enforcement, including the FBI and Secret Service. Project SHAMROCK, however, suffered from classic function creep, the gradual extension of a system beyond the purposes for which it was conceived. In the 1960s and 1970s, names of American citizens and organizations were added to watch lists. Anti-war activists, Martin Luther King Jr., Muhammad Ali, and Jane Fonda were among the nearly 1,700 U.S. individuals and organizations targeted for domestic surveillance. This was known as Project MINARET.
Presciently, in 1975 on Meet the Press, Senator Frank Church (he himself a target of MINARET) stated:
In the need to develop a capacity to know what potential enemies are doing, the United States government has perfected a technological capability that enables us to monitor the messages that go through the air. … That capability at any time could be turned around on the American people, and no American would have any privacy left. … There would be no place to hide.
The Foreign Intelligence Surveillance Act, codifying a warrant requirement with judicial oversight for electronic surveillance, with particularly strong protections for U.S. persons, was born of the eponymous Church Committee.
This was a philosophical shift in the perception of intelligence activities. Despite infringing privacy of U.S. residents — and undeniably going beyond the degree of intrusion at issue with the Black Chamber — there was no Stimson-like categorical condemnation of surveillance itself. Communications interception was a necessary evil to detect and deter existential threats to the United States. It was crucial, therefore, to safeguard U.S. persons from harm occasioned by this necessary evil.
Foreigners were viewed in a different light, with considerably less protection under FISA as it exists today. Foreigners’ communications have always been legitimate targets of collection, from the time of the Black Chamber and despite fallout from Projects SHAMROCK and MINARET. As an NSA presentation indicates, AT&T even withheld domestic communications before delivering anything to the NSA. The intelligence game in the United States has not changed in over 100 years, so what is the source of the outrage?
As a nation, we are uncomfortable with the morality of the degree (not kind) of intelligence collection that occurs as a result of secret partnerships. In the busiest of MINARET’s six years of operations, there were only 600 domestic and 6,000 foreign targets. Contrast that with the billions of emails flowing across the networks to which AT&T has provided the NSA access. It is the quantity, not the type, source, or method of collection, that produces visceral unease.
Linking this sense of unease to a chilling effect on freedom of speech and association, the ACLU and the Wikimedia Foundation, which runs Wikipedia, have sued to try and halt bulk collection of communications. Our federal courts, however, are not the proper forum. Legal standing and damages requirements mire the process in preliminary motions, and perhaps rightly so because, at root, the question of how surveillance is to be carried out in our names is more of an ethical and political question than a legal issue.
Stimson’s moral prescription that we should not “read each other’s mail” was anachronistic when uttered in 1929. It is ridiculous to suggest we halt foreign intelligence collection derived from U.S. telecoms. It is not outrageous, however, to expect our intelligence be derived more efficiently and fairly. Technologies used to exclude domestic communications can also be adapted to minimize foreigners’ data. Given the quantities of data collected daily, we must expect more to be done to prevent the same function creep that allowed SHAMROCK and MINARET to spiral out of control.
There is a perception that our infrastructure — critical to free expression and global commerce — is exploited and untrustworthy. Our moral compass, again, tells us that this is wrong: Privacy is a right that is universal and fundamental, which ought to apply to all.