Apple’s #gotofail weekend


In case you spent your weekend watching closing ceremonies and not reading tech news, there was a lot of buzz around a security problem in Apple products. On Friday, Apple released an emergency update for iOS7 that fixed a severe vulnerability in their SSL/TLS implementation on the iPhone.

For those who are not technically inclined, SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the encryption protocols underlying, among many things, the little lock icon you see in the upper right corner of your browser. This encryption protects you from eavesdroppers when logging into any secure site, like your bank account. It also protects you from actors like the NSA (and other governments) scooping up your emails in bulk when you’re … well … anywhere. After Apple released the emergency update for iPhone, security firm CrowdStrike examined the patch and reverse engineered the vulnerabilities it was addressing, only to find out that it repaired some pretty significant parts of the iPhone operating system. They also found that the same vulnerability exists in Apple’s OS X operating system meaning that the problem extends to Mac OS X laptops/desktops, not just iPhones. [Read more…]

PostTV: For NSA, Google cookies allow ‘laser-guided’ targeting

explains NSA cellphone collection

Intelligence agencies follow targets using cookies installed by Google, typically to track users for commercial advertising purposes, to follow suspects online and target them with malware. You can read more about this story here.

PostTV: Reporter explains NSA collection of cellphone data

laser guided targeting

In this video I discuss the NSA’s ability to use massive numbers of cell location records to determine if anyone, including US citizens, are co-traveling with targets of surveillance. You can read more about this story here

TLS – A simple step to improve cloud email security


The Washington Post published a new piece by Barton Gellman and myself on Wednesday that revealed new insights into how the NSA conducts surveillance on US technology companies. Specifically, we described how the NSA captures data flowing between the private data centers of companies like Google and Yahoo. Google announced last month that it’s beginning to encrypt these links (possibly based on some precinct paranoia) and the WSJ reports that other firms are “racing to encrypt data.” This is a great development, in my opinion, as even if the NSA weren’t monitoring these links, it’s safe to assume that other foreign governments are.

However, as the firms begin to beef up their own internal security, its also important to note that links BETWEEN companies are still unencrypted.  For example, when Google users send email to Yahoo users, that communication is still entirely “cleartext” and accessible in bulk to anyone listening. I had researched this question a few months ago and found that, of the four US webmail providers (Google, Hotmail, Yahoo, and AOL), only Gmail supports encrypted email transport (see the graphic above).

[Read more…]

Why Apple’s claim that it can’t intercept iMessages is largely semantics

This op-ed originally appeared in the Washington Post last Saturday in response to Apple’s claims about the security of iMessage.

A lively debate is brewing over the security of Apples iMessages. I was recently quoted on this issue, but Apple has since responded, and it seems important to clarify that the argument now seems to be largely a matter of semantics.
In case you missed it, a group of researchers at Quarklab recently analyzed the iMessage protocol, including the trust model and key exchange, and found some mistakes that leave iMessages open to attacks. I had also previously demonstrated that iCloud backups, including backed-up iMessages, could easily be accessed by Apple. This news is important because previous reports suggested that iMessage encryption was a major impediment to law enforcement, and Apple specifically described iMessage data as “protected by end-to-end encryption so no one but the sender and receiver can see or read them” in response to their reported participation in the NSA’s PRISM program.

Apple stands by its claim that its software can’t be intercepted and that it is not reading iMessages. In that article, Apple spokeswoman Trudy Muller said: “iMessage is not architected to allow Apple to read messages. The research discussed theoretical vulnerabilities that would require Apple to re-engineer the iMessage system to exploit it, and Apple has no plans or intentions to do so.”

But Apple’s response that it cannot intercept messages is a bit misleading.

Apple controls the entire stack: the phone operating system (iOS), iMessage application, the SSL certificates, and key exchange. Quarklab’s researchers demonstrated that if they could obtain (or fake) a trusted Apple SSL certificate AND man-in-the-middle the iMessage key exchange, they would be in a position to intercept or tamper with iMessage. Basically, that means iMessage could be vulnerable if an actor is able to convince the application that they are authorized to carry the data and to insert themselves between the users.
[Read more…]

A Group of Geeks Submitted Questions on NSA Activities


I recently submitted comments to the President’s Review Group on Intelligence and Communications Technologies along with 46 other leading technologists.  The mission of this Review Group is to assess whether technological advances, specifically technical data collection capabilities, have undermined the public trust.  (Spoiler alert: they have.)

Our comments focused on the need for a technical expert to advise the panel on how online systems work and what the implications are of tapping into them.  We also expressed our concern that the NSA’s efforts to subvert encryption and to plant backdoors undermine security for everyone online.  Most importantly, our comments include a number of technical questions that we feel this panel should focus on and, when possible, ask that the intelligence community provide answers.  You can read the full comments here.

The panel’s work was affected by last week’s government shutdown.  It’s not clear how this delay will impact their timeline for a final report, if at all, but I don’t expect to hear answers to our questions soon.

CIR/NPR Collaboration – Your Data and Who Has Access to It

I collaborated with NPR and the Center for Investigative Reporting to develop this script describing who is tracking you throughout your day.  The video shows how your digital trail can be assembled into a pretty complete picture of who you are.  Some of the script may seem pretty far fetched, but every example was vetted by yours truly and occurs every day (in the US).

You can read the corresponding CIR story here.
NPR’s 4 part series on “All Tech Considered” below called “Your Digital Trail” below:

Part 1: How It Can Be Used Against You
Part 2: Privacy Company Access
Part 3: Does The Fourth Amendment Protect Us?
Part 4: Data Fuels Political And Legal Agendas

Bits of Freedom: The Dutch Perspective

The Bits of Freedom Crew

I was recently invited to be a visiting fellow at Bits of Freedom in Amsterdam. This was a great opportunity to gain insight into the European privacy debate, not to mention escape the DC summer and visit an amazing city full of bicycles.

Bits of Freedom is a digital rights organization, not unlike the EFF in the United States. They are a mix of lawyers, activists, and tech folk who work at the intersection of technology and human rights. BoF focuses on issues such as transparency, active hacking, net neutrality, and the Transatlantic Trade and Investment Partnership. The staff employ a variety of tools to meet their goals including FOIA, government transparency reports, advocacy campaigns, and direct lobbying to, “influence legislation and self-regulation” both in the Netherlands and across the EU.

My visit focused on learning from the experts here as well as providing some of my own perspective. [Read more…]

Is Electronic Surveillance Out of Control? KCRW’s To The Point

KCRW | July 10, 2013

On July 10, I was a guest on KRCW’s daily show, To The Point.  Reacting to recent revelations of NSA surveillance issues and comments made by witnesses at the Privacy and Civil Liberties Oversight Board (PCLOB) meeting on Tuesday, I talked about the need for more oversight and transparency of NSA programs by technically minded individuals that can understand the underlying technology and its implications.

Listen to the show. My comments start at about 32 minutes.

Privacy and Civil Liberties Oversight Board

Washington DC | July 9, 2013

On July 9, I joined a few technical experts on a panel to field questions from the Privacy and Civil Liberties Oversight Board.

The panel footage is available from CSPAN here, with a clip of my remarks here. A draft of my written comments is posted here.

Comments for the Privacy and Civil Liberties Oversight Board

I am speaking today at the PCLOB meeting on Sections 215 and 702 of the PATRIOT Act.  My panel begins at 12:30 and you can watch it live here.

I will be commenting on the role of technology in these programs, focused on how the limits of technology suggest that claims that surveillance programs can avoid targeting Americans are probably overstated. [Read more…]

As Technology Changes, So Should Law

Improved technology enabled the NSA’s mass surveillance programs and future improvements will make collecting data on citizens easier and easier.

Recent revelations about the extent of surveillance by the U.S. National Security Agency come as no surprise to those with a technical background in the workings of digital communications. The leaked documents show how the NSA has taken advantage of the increased use of digital communications and cloud services, coupled with outdated privacy laws, to expand and streamline their surveillance programs. This is a predictable response to the shrinking cost and growing efficiency of surveillance brought about by new technology. The extent to which technology has reduced the time and cost necessary to conduct surveillance should play an important role in our national discussion of this issue.

The American public previously, maybe unknowingly, relied on technical and financial barriers to protect them from large-scale surveillance by the government. These implicit protections have quickly eroded in recent years as technology industry advances have reached intelligence agencies, and digital communications technology has spread through society. As a result, we now have to replace these “naturally occurring” boundaries and refactor the law to protect our privacy.
[Read more…]

Computers Freedom and Privacy Conference

Washington DC | June 25, 2013

My panel focused on PRISM.  We discussed what the program might look like based on publicly available information as well as whether the intelligence gained through the program is worth the risk to American’s privacy.


You can watch the day’s events here. PRISM Panel begins around 2:10:00.

Intercepting Skype?

I recently came across what looks to be a ‘pitch deck’ by a company claiming it can provide (and has patents on) the Legal Interception of Skype communications.  They claim they’re currently ‘Deployed within US government and overseas in telecom infrastructure supporting 30+ million people’.

I tried looking for the two patents they reference but came up empty although I’m told JCJ is a pseudonym for this Canadian/American company and that it’s possible that they’ve opted to hide their patents.

Anyone have thoughts on whether this is real/vaporware and which ‘8 person company’ this could be? [Read more…]

PRISM: Solving for X


Figure 1: PRISM

I thought it would be a fun exercise to describe PRISM  based on information publicly available through the press, private companies, and the DNI. Specifically, how would this system look if we took all the statements made at face value?  This might be a stretch, but it seems like a worthwhile exercise  — not unlike a multivariate equation when one or more of the variables are unknown.

While PRISM is potentially the least troubling with respect to its legality and the type/volume of information of the 4 programs we’ve learned about, it is also the most technically puzzling. There have been many theories on the architecture of PRISM and I’ve been inundated with requests to help press/advocates understand it — so here goes. [Read more…]

Privacy Law Scholars Conference

Berkeley, CA | June 6 – 7, 2013

I presented a paper I co-authored with Kevin Bankston on the cost of surveillance. Our research provides data on the decreasing cost to the government of surveilling its citizens as a result of new technology. We looked at the hourly cost of various methods of location surveillance to provide a mathematical foundation for a discussion on fourth amendment rights.

Circumvention Tech Summit

Hong Kong | April 26-28, 2013

I participated in the third annual Circumvention Tech Summit.  This meeting of developers and activists is focused on increasing dialogue among circumvention tech developers and providing them with the knowledge and resources they need to create and develop better tools.

The Kojo Nnamdi Show: Using Facial Recognition Software

The Kojo Nnamdi Show at WAMU
Washington, DC | August 22, 2012

I discussed facial recognition software with Laura Donohue, a law professor at Georgetown University, on The Kojo Nnamdi Show.  We discussed how the technology works and the implications of its increasing quality and availability.  

Defcon: Can You Track Me Now? Government and Corporate Surveillance of Mobile Geo-Location Data

Defcon 20 Hacking Conference
Las Vegas, NV | July 26 – 29, 2012

In July 2012, I took part in a panel at the 20th annual Defcon Conference. I joined tech experts Christopher Soghoian from the Open Society Institute and Catherine Crump, staff attorney with the ACLU’s Project on Speech, Privacy, and Technology, for a briefing on the current technological and legal landscape of location data tracking. The panelists explored how consumer location tracking efforts weave a story about the systemic privacy vulnerabilities of smart phones and the legal ways in which law enforcement has been able to hitch a ride. The panel was moderated by the Director of the ACLU’s Project on Speech, Privacy, and Technology, Ben Wizner.

View video archive

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

New York University School of Law
New York, NY | April 13, 2012

The age of ubiquitous computing is here. People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. On Friday, April 13, 2012, New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy will hosted a technology and policy dialogue about the new world of mobile and location privacy. The gathering aimed to bring together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I did a technology demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

The Global Internet and the Free Flow of Information

Media Access Project Forum
Washington, DC | February 7, 2012

On February 7, 2012, I joined other experts for a discussion about freedom of expression issues, cyber security issues and surveillance tech issues in the context of how they affect online users’ free speech rights.

View video archive

When Zombies Attack – a Tracking Love Story

OWASP AppSec USA 2011 Conference
Minneapolis, MN | September 20 – 23, 2011

In this talk,  Gerrit Padgham and I talked about the current state of online tracking and highlight current practices such as “cookie respawning” and non-cookie based tracking that popular websites and mobile applications engage in. We discussed theories on why the platforms we use do not adequately protect users from these threats and highlight the proposed solutions, such as additional transparency tools and Do-Not-Track that are intended to help mitigate these issues. We also demonstrated MobileScope, a technical solution we have been developing to give the end user ultimate visibility into the traffic their device is sending. Finally, we discussed open questions surrounding the ability to adequately assess risk drawing from behavioral economics and risk management theories for cues as to potential outcomes in this space.

When Zombies Attack: A Tracking Love Story with Ashkan Soltani & Gerrit Padgham from OWASP on Vimeo.

Additional video archives on YouTube.

PDF of slides

Pii2011: Privacy Identity Information Conference

Santa Clara, CA | May 19-20, 2011

Privacy Identity Innovation is the only tech conference focused on exploring how to protect sensitive information while enabling new technologies and business models. Over 250 attendees from around the world participated in the second Privacy Identity Innovation conference, which took place May 19-20, 2011 at the Santa Clara Marriott hotel in Silicon Valley.

On May 19, I participated in a roundtable discussion called Pii and Location: Can You Find Me Now?

pii2011: pii and Location: Can You Find Me Now? from Marc Licciardi on Vimeo.

Listen to audio archive

On May 20, I was part of a panel discussion on Simplifying Privacy Notice.

pii2011: Simplifying Privacy Notice from Marc Licciardi on Vimeo.

Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy

Senate Committee on the Judiciary, Subcommittee on Privacy, Technology and the Law
Washington, DC | May 10, 2011

On May 10, 2011, I testified in front of the Senate Judiciary Committee on Privacy Technology and the Law regarding mobile privacy. The other witnesses included representatives from Apple, Google, Center for Democracy and Technology, and the Association for Competitive Technology.

Read prepared testimony.

USA Today live blogged the hearing.

senate testimony
Video archives on CSPAN include my delivered testimony, answers to questions about what “location” means, and a question from Senator Franken about the most serious threat regarding mobile devices and privacy. View CSPAN footage of entire hearing

[Read more…]