[liberationtech] Registration open: Privacy Enhancing Technology Symposium - July 16-18 2014 Amsterdam

2014-05-13 Thread Caspar Bowden (lists)

*Privacy Enhancing Technology Symposium - July 16-18, 2014*

*Royal Tropical Institute, Amsterdam, The Netherlands*

The 14th Privacy Enhancing Technologies Symposium addresses the design 
and realization of privacy services for the Internet and other data 
systems and communication networks by bringing together anonymity and 
privacy experts from around the world to discuss recent advances and new 
perspectives. Additional information about the conference can be found 
at http://petsymposium.org/2014.


*Registration is open* at 
https://www.petsymposium.org/2014/registration.php, travel information 
can be found here: https://www.petsymposium.org/2014/travel.php, 
including information for Visa application.


*Important dates*:

Early bird registration: until June 24th

Hotel special rates: until May 30th

The conference will be a 3-day event featuring technical presentations 
of papers, judged based on their quality and relevance through 
double-blind reviewing. The Symposium will include an invited talk by 
Martin Ortlieb (Google Zurich) and the rest of the program can be found 
here: https://www.petsymposium.org/2014/program.php


The third day of the symposium will be devoted to HotPETs — the hottest, 
most exciting research ideas still in a formative state. The program for 
HotPETs includes an invited talk by William Binney, former intelligence 
official with the United States National Security Agency, and 
specialized talks on hot topics related to privacy. The program will be 
announced here: https://www.petsymposium.org/2014/hotpets.php


PETS will be collocated with the GenoPri Workshop 
(https://genomeprivacy.org/workshop) that will take place on July 15th. 
The event will explore the privacy issues raised by genomics and the 
main envisioned solutions. It will include a keynote and a tutorial on 
genomics for computer scientists by a geneticist.


-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.

Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-06 Thread Caspar Bowden (lists)

On 06/05/14 13:37, Fabian Keil wrote:

Caspar Bowden (lists) li...@casparbowden.net wrote:


I downloaded Ponemon/Thales new survey of n=4275 IT managers (United
States, the United Kingdom, Germany, France, Australia, Japan, Brazil,
and Russia)  a couple of days ago by registering here
https://t.co/8rI2Z8vy1j, but they appear to have now pulled the report.

It is remarkable that one third IT managers not only think that it is
possible to compute with encrypted data, but that they are doing so already.

Here's the relevant text (red is my emphasis) and screenshot with graphs

[If they don't understand this, what else don't they understand about
their organization's security?]

CB

 *Who controls the encryption keys*

I don't doubt that (at least) one third of the questioned IT managers
don't understand their organisation's security, but without a definition
of control I'd assume that Ponemon/Thales were merely asking who
legally controls the encryption keys.


that is the root of the trouble, the pre-crypto legal concept of 
processing (e.g. in EU and CoE108) subsumes storage+computing, and 
legal control doesn't pass to a mere data processor even if has 
capability to read and disclose data to a foreign jurisdiction



Otherwise one would also have to mention the people who wrote
the OS, the firmware, the application, people who provide software
and hardware updates, cleaning personnel, successful attackers etc.,
even when not looking at cloud environments.


The power of compulsion in e.g. FISA 702 is over a service provider to 
(effectively) backdoor their running stack. Authors of the OS or lower 
in the stack are not in that service provider firing line (and an 
unremarked amendment in FISA 702 in 2008 extended the scope beyond 
telcos/ISPs to Cloud providers)


@CasparBowden


[liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-04 Thread Caspar Bowden (lists)
I downloaded Ponemon/Thales new survey of n=4275 IT managers (United 
States, the United Kingdom, Germany, France, Australia, Japan, Brazil, 
and Russia)  a couple of days ago by registering here 
https://t.co/8rI2Z8vy1j, but they appear to have now pulled the report.


It is remarkable that one third IT managers not only think that it is 
possible to compute with encrypted data, but that they are doing so already.


Here's the relevant text (red is my emphasis) and screenshot with graphs

[If they don't understand this, what else don't they understand about 
their organization's security?]


CB

   *Who controls the encryption keys*

   Figure 24 examines the issue of control over encryption keys in the
   cloud environment for both encryption of data at rest and encryption
   of data at the application level. Thirty-four percent of respondents
   believe their organization is in control of encryption keys for *both*
   data encrypted at the *application level* and at rest in the cloud
   environment. Another 28 percent and 29 percent believe control of
   encryption keys is a *shared activity between the organization and the
   cloud provider*. Only 19 percent and 17 percent of respondents,
   respectively, view the cloud provider as having control over encryption
   keys for either encryption at the application level or for data at rest.

   [Figure 24]

   Figure 25 shows German organizations are the most likely to say their
   organizations have control of encryption keys *at the application level*
   and for data at rest in the cloud. Brazilian respondents are the least
   likely to say their organizations have control over encryption keys at
   the application level and for data at rest in the cloud.

   *Figure 25. Percentage of respondents who say their organization is in
   control of encryption keys*
   Consolidated analysis for encryption at *both the application level* and
   for data at rest in the cloud by country sample

   [Figure 25]
   screenshot of Fig.24/25 of pdf





Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-04 Thread Caspar Bowden (lists)

On 04/05/14 17:19, Caspar Bowden (lists) wrote:
I downloaded Ponemon/Thales new survey of n=4275 IT managers (United 
States, the United Kingdom, Germany, France, Australia, Japan, Brazil, 
and Russia)  a couple of days ago by registering here 
https://t.co/8rI2Z8vy1j, but they appear to have now pulled the report.


It is remarkable that one third IT managers not only think that it is 
possible to compute with encrypted data, but that they are doing so 
already.


Here's the relevant text (red is my emphasis) and screenshot with graphs

[If they don't understand this, what else don't they understand about 
their organization's security?]


CB

*Who controls the encryption keys*

Figure 24 examines the issue of control over encryption keys in the
cloud environment for both encryption of data at rest and encryption
of data at the application level. Thirty-four percent of respondents
believe their organization is in control of encryption keys for *both*
data encrypted at the *application level* and at rest in the cloud
environment. Another 28 percent and 29 percent believe control of
encryption keys is a *shared activity between the organization and the
cloud provider*. Only 19 percent and 17 percent of respondents,
respectively, view the cloud provider as having control over encryption
keys for either encryption at the application level or for data at rest.

[Figure 24]

Figure 25 shows German organizations are the most likely to say their
organizations have control of encryption keys *at the application level*
and for data at rest in the cloud. Brazilian respondents are the least
likely to say their organizations have control over encryption keys at
the application level and for data at rest in the cloud.

*Figure 25. Percentage of respondents who say their organization is in
control of encryption keys*
Consolidated analysis for encryption at *both the application level* and
for data at rest in the cloud by country sample

[Figure 25]



Hmm, that didn't work embedded - trying as attachment

CB

Re: [liberationtech] One third IT managers think can Cloud compute with encrypted data

2014-05-04 Thread Caspar Bowden (lists)
Nope, not attachment either, should have used *link 
https://twitter.com/CasparBowden/status/462967989495558144/photo/1/large* 
in the first place


CB


Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-24 Thread Caspar Bowden (lists)

On 24/04/14 19:21, Zooko Wilcox-OHearn wrote:

On Tue, Apr 22, 2014 at 11:47 AM, Caspar Bowden (lists)
li...@casparbowden.net wrote:

TAHOE is also cool, but doesn't claim to provide confidentiality. A TAHOE
service provider would have no choice but to round-up/backdoor the necessary
keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) legislation [or
Indian IT Acts etc. etc.]

Oh, by the way, this part was incorrect. An example of a Tahoe-LAFS
service provider is my company, https://LeastAuthority.com.
LeastAuthority.com does not have any ability to acquire our
customers' keys, nor to backdoor our customers.


This is semantics. If you provide the service to a customer, you can be 
forced to backdoor http://www.wired.com/2007/11/hushmail-to-war/ 
(let's define terms Customer, Provider, user, individual  data 
subject if want to continue, else will get ourselves hopelessly 
confused - or if you point me at the part of the spec you think 
invulnerable will show you how FISA or RIP can round-up keys)


It's in FISA 702 expressly, and as we now know, key disclosure can even 
be forced under S.215. Not saying this to knock TAHOE, but often in 
Cloud discussions, people are looking at a conventional threat model - 
protecting against external attack and insider *un*authorized access. 
But the new part of the threat model, relevant post-Snowden, is 
authorized insider access lawfully required by the jurisdiction to which 
that Cloud is exposed.


The UK law RIPA Pt.3 (2000) was even written with extreme (and correct) 
detail to give powers to round up arbitrary number of key fragments 
(whether this might be defeated by lots and lots of fragments is debatable)

Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-24 Thread Caspar Bowden (lists)

On 24/04/14 21:09, Zooko Wilcox-OHearn wrote:

On 24/04/14 19:21, Zooko Wilcox-OHearn wrote:

Oh, by the way, this part was incorrect. An example of a Tahoe-LAFS
service provider is my company, https://LeastAuthority.com.
LeastAuthority.com does not have any ability to acquire our
customers' keys, nor to backdoor our customers.

On Thu, Apr 24, 2014 at 6:13 PM, Caspar Bowden (lists)
li...@casparbowden.net wrote:

This is semantics. If you provide the service to a customer, you can be
forced to backdoor

No, this is wrong. I can understand why you say this, because you've
looked at dozens — perhaps hundreds — of services which made claims
like those above, and in every case it turned out that the service
actually had the technical capability to backdoor its customers. Am I
right? The Hushmail case that you cite was an early and famous
example, and the recent Lavabit case is an example.

But LeastAuthority.com is different from that, for a very specific
technical reason.

That reason is that not *only* is our operation free from customer
plaintext and customer encryption keys, but *also* we don't deliver
software to our customers.

When new customers sign up at https://LeastAuthority.com, we send them
a nice email explaining that now they need to go acquire the Free and
Open Source software named Tahoe-LAFS. We recommend that they get it
from their operating system provider, e.g. Debian, Ubuntu, or the
pkgsrc system (http://www.pkgsrc.org/).


So I had not realized that, and that is a very good idea generally, for 
these types of legal attack, and would be an even better idea if we had 
deterministic compilers



Therefore if a government, or a murderous mafia, compelled us to
cooperate with them, we would then say Well… okay, but… have you
figured out how your target users acquires the software? Because, you
know, if they're getting it from Debian, or from Tails, or something,
then there's not a whole lot we can do to help you backdoor your
target users….

Here's an open letter on this topic that I wrote to the Silent Circle
folks when they shut down their mail service after the Lavabit story
broke:

https://leastauthority.com/blog/open_letter_silent_circle.html


I agree.

Inadvertently, I muddied the waters by referring to Hushmail, since the 
storage providers in your system don't (and don't purport to) provide 
confidentiality


Caspar

Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-22 Thread Caspar Bowden (lists)

On 17/04/14 20:29, David Solomonoff wrote:
This blog post was inspired by a recent breakthrough in homomorphic 
encryption at MIT:


In 2010 I asked Professor Eben Moglen 
https://en.wikipedia.org/wiki/Eben_Moglen to speak to the Internet 
Society of New York http://isoc-ny.org about software freedom, 
privacy and security in the context of cloud computing and social 
media. In his Freedom in the Cloud http://isoc-ny.org/?p=1338%20 
talk, he proposed the FreedomBox https://freedomboxfoundation.org 
as a solution 


[Now] data can be encrypted at every point until it is accessed by 
its legitimate owner, combining privacy and security with the 
flexibility and scalability of cloud computing.


No longer confined behind a locked down private data center or hidden 
under the end user's bed, a virtual FreedomBox can finally escape to 
the clouds.


Full article:
http://www.davrola.com/2014/04/17/secure-cloud-computing-virtualizing-the-freedombox/ 



(I am not a cryptographer, but disillusioned former FHE-enthusiast, 
until I realized was irrelevant to real Cloud policy)


Fully homomorphic encryption uses techniques utterly different to 
conventional encryption and is a ~trillion times slower. Even the 
integer version ~million times slower


Apropos the blog, Mylar is cool, but doesn't use FHE. It sends the Cloud 
conventionally encrypted blobs to and fro - and the Client does all the 
work (thus neutralizing main vaunted benefit of Cloud, elastic and 
parallel CPU power). It also uses an encrypted search technique for 
indexing (which is also cool)


TAHOE is also cool, but doesn't claim to provide confidentiality. A 
TAHOE service provider would have no choice but to round-up/backdoor the 
necessary keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) 
legislation [or Indian IT Acts etc. etc.]


There are partial homomorphic solutions coming along useful to specific 
scenarios, but using them will be state-of-the-art crypto engineering 
research.microsoft.com/pubs/148825/ccs2011_submission_412.pdf for 
foreseeable future


FHE cannot rescue confidentiality in the Cloud.

Caspar Bowden
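The "partial homomorphic" case mentioned in the message above, as an added example that is not part of the original post: a toy Paillier scheme in which a provider holding only the public key can add encrypted values (and scale them by public constants) but can do nothing else with them. The primes, function names and sample values are constructed for illustration, and the parameters are far too small for real use.

```python
"""Toy Paillier cryptosystem (additively homomorphic), standard library only.

Constructed teaching example: the primes are well-known Mersenne primes,
fixed and public, so this offers no real security.
"""
import math
import secrets
from dataclasses import dataclass

# Constructed demo parameters (assumption: fixed, publicly known primes).
DEMO_P = 2**61 - 1
DEMO_Q = 2**89 - 1


@dataclass(frozen=True)
class PublicKey:
    n: int

    @property
    def n_sq(self) -> int:
        return self.n * self.n


@dataclass(frozen=True)
class PrivateKey:
    pub: PublicKey
    lam: int  # lcm(p-1, q-1)
    mu: int   # lam^-1 mod n (valid because the generator is g = n + 1)


def keygen(p: int = DEMO_P, q: int = DEMO_Q) -> PrivateKey:
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(n, phi) != 1:
        raise ValueError("p and q are unsuitable for Paillier")
    lam = phi // math.gcd(p - 1, q - 1)
    return PrivateKey(PublicKey(n), lam, pow(lam, -1, n))


def encrypt(pub: PublicKey, m: int) -> int:
    """Customer side: randomized encryption of 0 <= m < n."""
    if not 0 <= m < pub.n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(pub.n - 1) + 1
        if math.gcd(r, pub.n) == 1:
            break
    # With g = n + 1, g^m mod n^2 equals 1 + m*n.
    return (1 + m * pub.n) * pow(r, pub.n, pub.n_sq) % pub.n_sq


def decrypt(priv: PrivateKey, c: int) -> int:
    """Customer side: only the private key holder can do this."""
    n = priv.pub.n
    u = pow(c, priv.lam, priv.pub.n_sq)
    return (u - 1) // n * priv.mu % n


def provider_add(pub: PublicKey, c1: int, c2: int) -> int:
    """Provider side: multiplying ciphertexts adds the hidden plaintexts."""
    return c1 * c2 % pub.n_sq


def provider_scale(pub: PublicKey, c: int, k: int) -> int:
    """Provider side: raising to a public constant k multiplies by k."""
    return pow(c, k, pub.n_sq)


def provider_weighted_sum(pub: PublicKey, ciphertexts, weights) -> int:
    """The only class of computation the provider can do without a key."""
    acc = 1  # trivial encryption of 0
    for c, w in zip(ciphertexts, weights):
        acc = provider_add(pub, acc, provider_scale(pub, c, w))
    return acc


def demo() -> dict:
    priv = keygen()          # stays with the customer
    pub = priv.pub           # all the provider ever sees, plus ciphertexts
    values = [3200, 4100, 2950]   # constructed sample data
    weights = [2, 1, 3]           # public constants known to the provider
    cts = [encrypt(pub, m) for m in values]
    return {
        "sum": decrypt(priv, provider_weighted_sum(pub, cts, [1, 1, 1])),
        "weighted": decrypt(priv, provider_weighted_sum(pub, cts, weights)),
        # Combining two ciphertexts yields a sum, never a product:
        "ct_times_ct": decrypt(priv, provider_add(pub, cts[0], cts[1])),
        "randomized": encrypt(pub, 7) != encrypt(pub, 7),
    }


if __name__ == "__main__":
    print(demo())
```

Anything beyond additions and multiplication by public constants (a comparison, a product of two encrypted values, a search) is outside what this scheme lets the key-less provider compute.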

Re: [liberationtech] Secure Cloud Computing: Virtualizing the FreedomBox

2014-04-22 Thread Caspar Bowden (lists)

On 22/04/14 14:05, Tom Ritter wrote:

On 22 April 2014 07:47, Caspar Bowden (lists) li...@casparbowden.net wrote:

TAHOE is also cool, but doesn't claim to provide confidentiality. A TAHOE
service provider would have no choice but to round-up/backdoor the necessary
keys under existing US (FISA/PATRIOT) or UK (RIPA Pt.3) legislation [or
Indian IT Acts etc. etc.]

I'm pretty sure that TAHOE does provide confidentiality - the keys
don't leave your device (more correctly, the gateway running on your
device) unless you distribute them.  Which you can, you can send the
decryption key granting read-capability to anyone, but you don't have
to.


Yes, the fragments of data are brought together on your device (or a 
gateway someplace), in that sense it is no different from a pure 
storage Cloud (do it yourself crypto) but with better availability


 * Users do not rely on storage servers to provide */confidentiality/*
   nor */integrity/* for their data -- instead all of the data is
   encrypted and integrity-checked by the gateway, so that the servers
   can neither read nor modify the contents of the files.
   (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/about.rst)

It's a storage solution, and therefore not what actually Cloud is about 
in a business/industry sense, who want Cloud compute power to crunch 
usefully on encrypted data.


CB

[liberationtech] European privacy regulators' excellent paper on Anonymisation Techniques

2014-04-16 Thread Caspar Bowden (lists)
It's been a remarkable few days for the Committee of European privacy 
regulators (the Art.29 Working Party)


In their first opinion on Data Protection law and national security 
http://t.co/itKVGpDI1L, they grudgingly sort of admit it is their job 
to stop NSA spying, but then the next day they approve contracts for 
PRISM's first corporate partner 
https://twitter.com/CasparBowden/status/456366945512599552 for Cloud 
processing (although they aren't really a mere processor at all 
https://twitter.com/CasparBowden/status/456413628392939520)


..and today they issued the highest quality paper I have ever read from 
them - No.216, on Anonymisation Techniques


Storified version *here 
wden/art-29-wp-opinion-216-on-anonymisation-techniques* for gist, full 
text (37 pages) in first tweet


If anyone knows of a regulatory text that comes close on this topic, 
would like to know...


The relevance to LiberationTech is that if they enforce this, then a 
whole bunch of worries about commercial and state spying through BigData 
will go away, in Europe at least


Caspar



[liberationtech] CORRECTION: European privacy regulators' excellent paper on Anonymisation Techniques

2014-04-16 Thread Caspar Bowden (lists)

Please disregard previous, main highlighted link got mangled
=

It's been a remarkable few days for the Committee of European privacy 
regulators (the Art.29 Working Party)


In their first opinion on Data Protection law and national security 
http://t.co/itKVGpDI1L, they grudgingly sort of admit it is their job 
to stop NSA spying, but then the next day they approve contracts for 
PRISM's first corporate partner 
https://twitter.com/CasparBowden/status/456366945512599552 for Cloud 
processing (although they aren't really a mere processor at all 
https://twitter.com/CasparBowden/status/456413628392939520)


..and today they issued the highest quality paper I have ever read from 
them - No.216, on Anonymisation Techniques


Storified version *here 
https://storify.com/CasparBowden/art-29-wp-opinion-216-on-anonymisation-techniques* 
for gist, full text (37 pages) in first tweet


If anyone knows of a regulatory text that comes close on this topic, 
would like to know...


The relevance to LiberationTech is that if they enforce this, then a 
whole bunch of worries about commercial and state spying through BigData 
will go away, in Europe at least


Caspar

[liberationtech] CFP: IFIP Summer School 2014

2014-04-13 Thread Caspar Bowden (lists)

I recommend this conference (am on PC) - Caspar

---

CALL FOR PAPERS

Ninth International Summer School organised jointly by the IFIP Working Groups 
9.2, 9.5, 9.6/11.7, 11.4, 11.6, Special Interest Group 9.2.2

IFIP Summer School on Privacy and Identity Management for the Future Internet 
in the Age of Globalisation



Computer Technology Institute and Press Diophantus, Patras, Greece, 7-12 
September 2014
In cooperation with the FP7 EU projects ABC4Trust, A4Cloud, FutureID, PRISMS.

INTRODUCTION
Much research in privacy and identity in recent years has focused on the 
privacy issues associated with new technologies such as social media, cloud 
computing, big data, ubiquitous and ambient technologies. Due to the fact that 
many of these technologies operate on a global scale their use not only touches 
the countries where they originate (in many cases, the US), but individuals and 
groups around the globe.
The recent revelations regarding the surveillance practices of the National 
Security Agency (NSA), USA, and Government Communications Headquarters (GCHQ), 
UK, (and undoubtedly others that we will hear about since writing this Call for 
Papers) have put state surveillance firmly back on the table. Here, too, the 
operations by agencies in one country affect individuals and groups around the 
globe. Indeed, the NSA is primarily tasked with intercepting and processing the 
communication of non-US citizens, within the US and abroad.
Privacy and identity management issues have hence become global issues 
requiring the attention of multiple disciplines, both technical (computer 
science, cryptography) and non-technical (law, ethics, social sciences, 
philosophy) and the need to look beyond national borders.
Regulators are trying to readjust the legal frameworks in which the information 
society operates, both in Europe (think of the data protection reform that 
should in 2014 culminate in the General Data Protection Regulation), the US 
(the Federal Trade Commission initiatives with respect to big data, Consumer 
Privacy Bill of Rights), and elsewhere. Leading Internet engineers have also 
agreed to upgrade standards to improve Internet privacy and security.
Questions facing the research community include: How can individuals’ privacy 
rights be achieved effectively in a globalising information society in which 
both states and private enterprises exhibit great data hunger? What 
technologies, frameworks and tools do we need to gain, regain and maintain 
informational self-determination and lifelong privacy? Do we have to advance 
the concepts of privacy and identity management in this evolving world?
These questions and many others will be addressed by the IFIP Summer School 
2014 on Privacy and Identity Management for the Future Internet in the Age of 
Globalisation. The Summer School organisation will be a joint effort of IFIP 
(International Federation for Information Processing, Working Groups 9.2, 9.5, 
9.6/11.7, 11.4, 11.6, Special Interest Group 9.2.2) and several European and 
national projects. The IFIP Summer School 2014 will bring together junior and 
senior researchers and practitioners from multiple disciplines to discuss 
important questions concerning privacy and identity management and related 
issues in a global environment.
We are especially inviting contributions from students who are at the stage of 
preparing either a master’s or a PhD thesis. The school is interactive in 
character, and is composed of keynote lectures and workshops with master/PhD 
student presentations. The principle is to encourage young academic and 
industry entrants to the privacy and identity management world to share their 
own ideas, build up a collegial relationship with others, gain experience in 
making presentations, and potentially publish a paper through the resulting 
book proceedings. Students that actively participate, in particular those who 
present a paper, can receive a course certificate which awards 3 ECTS at the 
PhD level. The certificate can certify the topic of the contributed paper so as 
to demonstrate its relation (or non-relation) to the student’s master’s or PhD 
thesis.

BASIC ELEMENTS OF THE SUMMER SCHOOL
The Summer School takes a holistic approach to society and technology and 
supports interdisciplinary exchange through keynote lectures, tutorials, 
workshops, and research paper presentations. In particular, participants’ 
contributions that combine technical, legal, regulatory, socio-economic, social 
or societal, ethical, anthropological, philosophical, or psychological 
perspectives are welcome. The interdisciplinary character of the work is 
fundamental to the school. The research paper presentations and the workshops 
have a particular focus on involving students, and on encouraging the 
publication of high-quality, thorough research papers by students/young 
researchers. To this end, the school has a two-phase review process for 
submitted papers. In the first 

Re: [liberationtech] Call for Tenders SMART 2013/N004 “European Capability for Situational Awareness” (ECSA) - European Federation for cyber-censorship and human rights monitoring

2013-09-04 Thread Caspar Bowden (lists)

Dear Camino

On 09/04/13 08:39, camino.man...@ec.europa.eu wrote:

It is not our department in charge of blocking Tor users from accessing content 
hosted under Europa.eu.

Conversations with the DG in charge (DG DIGIT) as most of you know, have been 
long and unfruitful so far.

I am on leave now but at my return I will retake conversations with the 
officials in charge of the internal EC security to see the chances to lift the 
ban.


(If you are in a position to answer), this seems like something EU civil 
society should get more focussed on:


*) Is there an official channel (web page? email?) for individuals to 
complain about this policy ? (there's only a general email here 
http://ec.europa.eu/dgs/informatics/contact/index_en.htm and 
@stephen_quest https://twitter.com/stephen_quest did not answer me)


*) does this fall under DIGIT A/B/C (not obvious)?

*) has DG DIGIT made any official public statement so far about Tor 
blocking (apart from this 
https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/spyblog/2013/02/08/the-great-firewall-of-europe---european-commission-website-blocks-tor-users-just.html)?


many thanks

Caspar
(Tor Board member but not speaking in that capacity or representing Tor)

Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-02 Thread Caspar Bowden (lists)

On 09/01/13 21:49, Michael Rogers wrote:

On 01/09/13 10:00, Caspar Bowden (lists) wrote:

AFAIK Deleuze, Foucault et al. did not say anything specifically
about covert (mass-)surveillance, or analyse how the inherently
secret nature of such organizations might be a causal element in
theories of social control. Secret surveillance organizations are
NOT Panoptic in a technical sense - they normally don't want you to
know or fear they are watching (with tactical exceptions).

Is there anyone who's aware of overt surveillance and who doesn't at
least suspect that some form of covert surveillance also exists? And
isn't that suspicion enough to create a panoptic effect?


to some *unconscious* extent yes, but I have never seen any 
psychological studies into this. There ought to be an effect where even 
solid citizens become inhibited from communicating (or thinking! much 
harder experiment) certain ideas, depending on the level of ambient 
NSA-phobia, and this indeed might function as a form of social control. 
Never seen any studies on that idea. [Of course the STASI and others 
would make the surveillance obvious for the purpose of intimidation as a 
standard tactic in particular cases, but in general the watchers don't 
want the watched to know true capabilities]


However on the face of it, that isn't the classical Panopticon, where 
discipline is maintained by fear of detection by the unseen warden



The prisoners don't know whether they're being watched at any moment,
or whether the watchtower is even occupied; the secret surveillance
organisation, the existence of which cannot be confirmed, corresponds
to the warden who may or may not be in the watchtower.


In Jeremy Bentham's original proposal, his idea was that prisoners who 
break discipline wilfully or transgress otherwise are singled out (at 
random possibly) and then publicly punished in the sight of all the rest 
as an example, but only a few days after the transgression, to magnify 
the prisoner's demoralisation after thinking they have got away with it. 
Incidentally, Bentham envisaged this system becoming a dynastic 
livelihood for him and his family, and petitioned the government to 
build a prison, and make him the warder! Nice work if you can get it, 
plenty of time for scholarly pursuits between semi-random episodes of 
exemplary punishment.


However, a possible Waiting-for-Godot variant of this idea would be that 
nasty things happen to prisoners in a more ambiguous way, so that 
prisoners never know if the watching warden even exists at all - it 
might all be random misfortune (of course well-behaved prisoners would 
also have to be punished sometimes randomly to maintain the 
uncertainty). It isn't clear why this is a better strategy for the 
wardens, except perhaps the uncertainty makes it harder for enough 
resentment to crystallize for a rebellion to occur.



Wasn't the NSA closer to the panoptic ideal when it was No Such Agency
than now, when we know we're being watched?


Yes, absolutely, but I don't think NSA wanted that, although a grimly 
conspiratorial interpretation of current events is that it is a vast 
planned PR gambit to effect transition to a global neo-Panoptic society, 
after all civil libertarians have exhausted themselves in protest...


Caspar
--
Liberationtech is a public list whose archives are searchable on Google. 
Violations of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.


Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-02 Thread Caspar Bowden (lists)

On 09/01/13 22:21, Guido Witmond wrote:

...
Before the revelations and the subsequent confirmations, many people
would rather believe the old truth (having nothing to hide) than to live
with the new truth that they've been misled.

Truth hurts. That's the reason why so many people claim they have
nothing to hide. It's emotional.


And often the people claiming this most loudly are politicians, because 
the clamour for transparency into every detail of a political 
candidate's private life has made this imperative.


We should be afraid of that tendency, because if the only people 
prepared to go into public life are those whose interior life is so dull 
or non-existent that they really have nothing to hide, then it is 
certain we will be ruled by philosophical zombies with a sub-normal 
sense of empathy and self-awareness. I'd rather elect a hypocrite any day


Caspar


Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-02 Thread Caspar Bowden (lists)

On 09/02/13 08:46, Caspar Bowden (lists) wrote:

On 09/01/13 21:49, Michael Rogers wrote:
...

Wasn't the NSA closer to the panoptic ideal when it was No Such Agency
than now, when we know we're being watched?


Yes, absolutely, but I don't think NSA wanted that, although a grimly 
conspiratorial interpretation of current events is that it is a vast 
planned PR gambit to effect transition to a global neo-Panoptic 
society, after all civil libertarians have exhausted themselves in 
protest...


Sorry I misread, that was a non-sequitur, i.e. the NSA is *now* the 
warden of a Panoptic Internet in consequence of the revelations. When it 
was No Such Agency, the Panoptic effect only occurs with paranoids or 
(as above speculatively) unconsciously


CB


Re: [liberationtech] Sociological studies of covert mass-surveillance organisations

2013-09-01 Thread Caspar Bowden (lists)

Many thanks Yosem, Luis Felipe & Greg

On 08/31/13 07:14, Luis Felipe R. Murillo wrote:

On 08/30/2013 01:54 PM, Yosem Companys wrote:

From: Caspar Bowden li...@casparbowden.net

  I realize this is an improbable request (I think), but is anyone aware of
any Surveillance Studies research on the organisations conducting *
covert/secret* mass-surveillance (a securitocracy)

many thanks any pointers

I am not particularly familiar with this literature, but I know of a few
pointers.

This seminar in Brazil brought together researchers studying
surveillance and social control. They had three panels of interest
('Internet and Surveillance', 'New Technologies of Surveillance', and
'Institutional Surveillance'):

http://www2.pucpr.br/ssscla/


Yes - that is in the mainstream Surveillance Studies tradition


These two references are central in the debate (so Caspar must be super
familiar with them):

- Foucault, Michel. Discipline and Punish (redefining the debate on
the nature of power and the nature of state power):

http://www.foucault.info/documents/disciplineandpunish/foucault.disciplineandpunish.panopticism.html

- Deleuze, Gilles. Society of Control (updating Foucault's treatment
of surveillance to the contemporary 'society of control'):


Yes :-)

AFAIK Deleuze, Foucault et al. did not say anything specifically about 
covert (mass-)surveillance, or analyse how the inherently secret nature 
of such organizations might be a causal element in theories of social 
control. Secret surveillance organizations are NOT Panoptic in a 
technical sense - they normally don't want you to know or fear they are 
watching (with tactical exceptions).


In the sense that it aims to remain un-knowable by society, it seems 
academic Surveillance Studies neglects covert surveillance to a large 
extent because (a) it's very hard to study (!), and (b) because it 
doesn't (overtly and ordinarily) interact with Society like overt 
surveillance it is less of interest to Sociologists (!)


To share back, one interesting reference so far:

 * Bridget Nolan (PhD thesis) 'Information sharing and collaboration in the 
   United States Intelligence Community: An Ethnographic Study of the National 
   Counterterrorism Center'
    o est.sandia.gov/consequence/docs/JICRD.pdf

Caspar

Re: [liberationtech] Defund Domestic Spying

2013-07-23 Thread Caspar Bowden (lists)
So the spying on the rest-of-the-world's data sent to the US, including 
information with respect to a foreign-based political organization _or_ 
foreign territory that _relates_ to the _conduct of the foreign affairs_ 
of the United States, that's totally fine is it? When the US domestic 
spying problem is fixed everyone can go home...


(slide 5) 
https://sigint.ccc.de/schedule/system/attachments/2068/original/How_to_wiretap_the_Cloud_without_anybody_noticing_-_SIGINT_7.7.2013.pdf


CB

On 07/23/13 23:56, Jonathan Wilkes wrote:

To any U.S. citizens out there, this might be a good time to act:

https://www.eff.org/deeplinks/2013/07/tomorrow-congress-votes-amendment-defund-spying-heres-how-you-can-help 



-Jonathan
--
Too many emails? Unsubscribe, change to digest, or change password by 
emailing moderator at compa...@stanford.edu or changing your settings 
at https://mailman.stanford.edu/mailman/listinfo/liberationtech





Re: [liberationtech] Microsoft Accesses Skype Chats

2013-05-18 Thread Caspar Bowden (lists)

On 05/17/13 12:31, Rich Kulawiec wrote:

...
And incidentally, the proffered rationale for this doesn't fly, given
that (a) they're only sending HEAD: actually scanning destination URLs
for malware et al. would require fetching the whole page and (b) they're
only retrieving HTTPS URLs (per Heise) which is not what someone actually
looking for malware would do.  Moreover (c) even if they classified
a URL as malicious, let's say https://example.net/blah, the recipient
of said URL is likely to access it via a data path outside their control,
thus -- unless they blocked it *inside* Skype -- they have no way to
prevent access to it and delivery of whatever malware payload awaits.


(delurking)

A) it would be very interesting if a bunch of people filed a complaint with 
the Data Protection Authority of Luxembourg (where Skype is registered 
in Europe) making this argument above in well-crafted detail, and report 
back on response


http://www.cnpd.public.lu/fr/support/contact/index.php
(gotta love their address BTW)
(they have a dumb webform, so suggest use info at cnpd.lu instead)

B) FYI all, in Feb I managed to exercise my right of access to personal 
data from Skype under EU Data Protection Law. They ducked this for 
months, but after 6 emails to Luxembourg DPA, finally complied. Because 
I deliberately did this on an account I hadn't used for a while, it's 
not clear how much Internet call/chat metadata they retain, so I have a 
new request running


If anyone wants a suggested template for how to do (A) and/or (B) 
contact me offlist (I'll post details if a lot of interest)


N.B.
1. you don't have to be European to do this (but probably helps if an EU 
resident or can cite chats/calls with those who are). Interesting also 
to what happens if a US-based user tries to get call metadata citing EU 
law (in theory this could work if that data is held in EU)


2. FYI Skype in Europe maintains they aren't a telco 
http://www.itworld.com/networking/347950/french-regulator-says-skype-must-register-telco-or-risk-prosecution, 
and thus not subject to the notorious EU Data Retention Directive. 
However this may actually be worse, because they would also not be 
obligated to delete metadata after some period (6 mths to 2 years 
depending on various vagaries)


3. would be interesting to ask about whether Skype voice crypto is 
(still ?) genuinely end-to-end as well, as this is not mentioned in privacy 
statement and finessed in FAQs, because will trigger test of whether DPA 
can force Skype to specify that (I did this already - awaiting answers)


4. the Luxembourg DPA website is in French & German but you can write to 
them in English


5. To make a subject access request to Skype, seems like best email is 
cro at skype.net, but also instructive to go through the website and 
see if you can figure out how to contact them electronically in the 
circular maze of their support info. Procedure is then to complain to 
DPA if they ignore or fob off.


Caspar Bowden
@CasparBowden
