Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications | (a blue ribbon committee) Abelson, et al.

Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael Specter, Daniel J. Weitzner;
Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
; MIT-CSAIL-TR-2015-026; Massachusetts Institute of Technology (MIT); 2015-07-06; 34 pages; landing.

Abstract

Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels “going dark,” these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates.

We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
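
The "forward secrecy" point in the abstract, as an added worked example (written for this page, not code from the report or its authors). Two variants of one Diffie-Hellman session are run: a "static" design in which the server's single long-term key performs every key agreement (the shape any retained, surrenderable decryption key takes), and an "ephemeral" design in which a fresh key pair is generated per session and discarded. A passive eavesdropper records the transcript; later the long-term private key is handed over, and the code checks which recorded session it unlocks. Assumptions and simplifications: finite-field DH in RFC 3526 group 14, an HMAC-based KDF, a SHA-256 counter keystream plus HMAC tag standing in for a real AEAD, and no signature over the ephemeral share (a real handshake signs it with the long-term key, which does not change the property shown). Pure standard library.

```python
"""Forward secrecy vs. a long-term-key design: which recorded session can be
read once the server's long-term private key is surrendered?  Added example,
not from the Keys Under Doormats report.  Simplifications: RFC 3526 group 14
DH, HMAC-based KDF, SHA-256 keystream + HMAC tag instead of an AEAD, no
signature over the ephemeral share."""
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional, Tuple

# 2048-bit MODP prime from RFC 3526 (group 14); generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PUB_LEN = 256  # bytes needed to encode one element of Z_P


def keygen() -> Tuple[int, int]:
    """DH key pair: 256-bit private exponent (ample for a 2048-bit group), public g^x."""
    priv = 1 + secrets.randbelow((1 << 256) - 1)
    return priv, pow(G, priv, P)


def derive_keys(shared: int, transcript: bytes) -> Tuple[bytes, bytes]:
    """HKDF-style extract-then-expand: (encryption key, MAC key) from the DH secret."""
    prk = hmac.new(transcript, shared.to_bytes(PUB_LEN, "big"), hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || block counter). Stand-in for AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(mode: str, server_longterm: Tuple[int, int], plaintext: bytes) -> Dict[str, Any]:
    """One client->server message.  'static': the long-term key does the key agreement,
    so every session key is derivable from it.  'ephemeral': fresh per-session key pair,
    discarded afterwards (forward secrecy).  Returns what a passive eavesdropper records."""
    s_priv, s_pub = server_longterm
    c_priv, c_pub = keygen()
    if mode == "static":
        sess_priv, sess_pub = s_priv, s_pub
    elif mode == "ephemeral":
        sess_priv, sess_pub = keygen()
    else:
        raise ValueError(mode)
    transcript = c_pub.to_bytes(PUB_LEN, "big") + sess_pub.to_bytes(PUB_LEN, "big")
    # Client side: agree, derive, encrypt, tag.
    enc_c, mac_c = derive_keys(pow(sess_pub, c_priv, P), transcript)
    ciphertext = keystream_xor(enc_c, plaintext)
    tag = hmac.new(mac_c, ciphertext, hashlib.sha256).digest()
    # Server side: both parties reach the same keys.
    enc_s, mac_s = derive_keys(pow(c_pub, sess_priv, P), transcript)
    if not hmac.compare_digest(tag, hmac.new(mac_s, ciphertext, hashlib.sha256).digest()):
        raise RuntimeError("handshake mismatch")
    recovered = keystream_xor(enc_s, ciphertext)
    # No private key, ephemeral or otherwise, is retained in the record.
    return {"client_pub": c_pub, "server_pub": sess_pub, "ciphertext": ciphertext,
            "tag": tag, "server_decrypted": recovered}


def attacker_recovers(record: Dict[str, Any], leaked_server_priv: int) -> Optional[bytes]:
    """Later, the server's long-term private key is surrendered.  Try to decrypt the
    recorded session with it; None if the keys it yields do not verify the tag."""
    c_pub, s_pub = record["client_pub"], record["server_pub"]
    transcript = c_pub.to_bytes(PUB_LEN, "big") + s_pub.to_bytes(PUB_LEN, "big")
    enc, mac = derive_keys(pow(c_pub, leaked_server_priv, P), transcript)
    expected = hmac.new(mac, record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # long-term key is useless without the discarded ephemeral key
    return keystream_xor(enc, record["ciphertext"])


if __name__ == "__main__":
    longterm = keygen()
    msg = b"constructed sample message"  # constructed, not real traffic
    for m in ("static", "ephemeral"):
        print(m, "->", attacker_recovers(run_session(m, longterm, msg), longterm[0]))
```

Running it shows the static session decrypting under the surrendered key and the ephemeral one returning None; the only residual attack on the ephemeral transcript is the discrete logarithm in the group. That asymmetry is exactly what an exceptional-access mandate would have to reverse: to guarantee later access, some party must keep a key that decrypts everything, which is the static design.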

Promotion

16 mobile theses (a compendium, review & overview of 2015) | Benedict Evans

Benedict Evans; 16 mobile theses; In His Blog; 2015-12-18; podcast.

Listicle

  1. Mobile is the new central ecosystem of tech
  2. Mobile is the internet
  3. Mobile isn’t about small screens and PCs aren’t about keyboards
    Mobile means an ecosystem and that ecosystem will swallow ‘PCs’
    It is the ARM ecosystem, not the Wintel ecosystem.
  4. The future of productivity
  5. Microsoft’s capitulation
  6. Apple & Google both won, but it’s complicated
  7. Search and discovery
  8. Apps and the web
  9. Post Netscape, post PageRank, looking for the next run-time
  10. Messaging as a platform, and a way to get customers.
  11. The unclear future of Android and the OEM world
  12. Internet of Things
  13. Cars
  14. TV and the living room
  15. Watches
  16. Finally, we are not our users

Referenced

Previously

In archaeological order.

Techno-skeptics’ objection growing louder (at The New School’s conference entitled Platform Cooperativism) | The Washington Post

Techno-skeptics’ objection growing louder; Joel Achenbach; In The Washington Post; 2015-12-26.

tl;dr → A conference report.  The dissidents met, ate, drank, talked (in the argot of the times: they shared, networked, bonded). A good time was had by all.

Original Source

Platform Cooperativism: The Internet, Ownership, Democracy; a conference; The New School; 2015-11-13 & 2015-11-14.

Separately noted.

Some lenders are judging you on much more than finances | LAT

Some lenders are judging you on much more than finances; James Rufus Koren; In The Los Angeles Times (LAT); 2015-12-10.

tl;dr → alternative scoring products, propensity scoring, (not-)credit reports.

Mentions

Quoted

For color, background & verisimilitude

  • Douglas Merrill, founder and chief executive, ZestFinance
  • Asim Khwaja, professor of international finance and development, Kennedy School, Harvard University.
  • Chi Chi Wu, attorney, National Consumer Law Center.
  • Teresa Jackson, vice president of credit, Social Finance (SoFi).
  • Alfonso Brigham, exemplar; customer of Social Finance (SoFi).
  • Phil Marleau, CEO, IOU Financial.
  • Eric Haller, executive vice president, Experian Data Labs.

Cohort

Basix, ZestFinance

  • Basix, a lender
  • ZestFinance,
  • a holding company
  • Hollywood, CA
  • owns & operates Basix
  • Douglas Merrill, founder and chief executive
  • “All data is credit data”
  • Customers
    • JD.com, CN
  • Scheme
    • <quote>ZestFinance collects thousands of pieces of consumer information — some submitted in an online application, some obtained from data brokers — and runs them through algorithms that judge how likely it is a borrower will repay.</quote>
  • Douglas Merrill
    • founder and chief executive, ZestFinance
    • ex-Google, role unspecified.
    • ex-Rand Corp, a research role.

Social Finance (SoFi)

  • Social Finance (SoFi)
  • San Francisco, CA
  • a lender (a loan broker?)
  • founded 2011
  • 4 co-founders
    backgrounds in finance, software and business consulting.
  • Teresa Jackson, vice president of credit, SoFi.
  • Funding
    • $1B (with a ‘b’)
    • “including” SoftBank
  • Scheme
    • does not monitor social media
  • Exemplars
    • Alfonso Brigham
      • bachelor’s degree, business administration, USC 2005.
      • has a job
      • acquired for a mortgage
        • $711,000 loan
        • one-bedroom condo in Nob Hill, San Francisco

IOU Financial

  • IOU Financial
  • Montreal, Canada
  • publicly traded (where?)
  • online (only?)
  • B2B
  • a lender (a loan broker?)
  • Scheme
    • monitor social media
    • count & correlate bad reviews
  • Phil Marleau, CEO

Experian

  • Experian Data Labs, “a research unit”
  • San Diego, CA
  • Eric Haller, executive vice president, Experian Data Labs
  • Scheme
    • monitor social media
  • <quote>The firm’s data scientists took business credit information and combined it with information from Twitter, Facebook, Yelp and others. Based on that analysis, the firm is working on a credit-scoring system that could be based solely on social media information.</quote>

EPIC Urges FTC to Protect Consumers Amid Surge in Cross-Device Tracking

Comments of the Electronic Privacy Information Center to the Federal Trade Commission on the Cross-Device Tracking Workshop; 2015-12-16; 11 pages.

Promotion

EPIC Urges FTC to Protect Consumers Amid Surge in Cross-Device Tracking; press release; Electronic Privacy Information Center (EPIC); 2015-12-17.

Demands

For regulatory oversight by the FTC

  • limit “cross-device tracking”
  • limit linking <quote>what a person types on their phone with what they see on their laptop or television</quote>
  • investigate device tracking practices; construe them as deceptive practices.
  • prohibit the cross-device tracking of minors, construe COPPA to cover.

Who

The signatories of the Electronic Privacy Information Center (EPIC):

  • Marc Rotenberg, Executive Director
  • Khaliah Barnes, Associate Director, Administrative Law Counsel

Bragging

EPIC is active:

Referenced

Related

Facebook is scared of Android because Facebook doesn’t control the Google Cloud Messaging API | AndroidAuthority

Why Facebook is scared of Android; John Dye; In AndroidAuthority; 2015-12-17.

tl;dr → Google runs APIs & services, specifically the (Cloud) Messaging API; Facebook must build their business within the constraints of that platform.

Mentions

Hook: <quote>A series of discussions between Google and Facebook took place over the course of this summer, and Facebook walked away from them a little shaky. </quote>

Derivation

  • Google APIs
    • are a choke point
    • are a meterable point
  • Marshmallow (Android 6.0)
    • has tiers of messaging & message platooning (batching)
    • ostensibly for battery savings
  • Facebook
    • forces its Android apps to use Google Cloud Messaging
    • at the most expensive tier, for everything it sends.
    • …because.
  • Comcast
    • is a proxy for any long-haul network operator
    • could charge.
    • could “zero rate”

Insights

  • Google Replacement Suite
    Facebook abandoned the concept
  • <quote>Once you start using someone else’s service as your platform, you become subject to their rules and changes. If you become rivals, this gives the hosting party a massive upper hand. The only way to completely escape this dynamic is to create a competitive analogue platform of your own.</quote>
  • Google Chrome is Google’s attempt to free itself from control by Microsoft Internet Explorer.

The CIA Secret to Cybersecurity That No One Seems to Get is (confidentiality, integrity, availability) | Wired

The CIA Secret to Cybersecurity That No One Seems to Get; Mike Gault; In Wired; 2015-12-20.

tl;dr → linkbait; (confidentiality, integrity, availability); attributed to “The CIA” but without citation.

Mentions

  • Bad
    • Public Key Infrastructure (PKI)
    • “encrypt everything”, attributed to the Electronic Frontier Foundation (EFF)
  • Good
    • Merkle hash trees, In Jimi Wales Wiki.
    • Scalable Provable Data Possession (SPDP)
    • Dynamic Provable Data Possession (DPDP)
  • Quotes from public figures thrown in for color, background & verisimilitude
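
The Merkle hash tree the piece holds up as the integrity tool, as an added worked example (written for this page; not code from the Wired article or its author). A verifier holding only the 32-byte root can check that one record is in the set from a short inclusion proof, and any edit to any record changes the root. Assumptions: SHA-256 with the leaf/node prefix bytes of RFC 6962 for domain separation; the tree shape is the simple pairwise one with an unpaired node promoted unchanged, not RFC 6962's power-of-two split. The records are constructed sample log lines.

```python
"""Merkle hash tree with inclusion proofs.  Added example, not from the Wired
piece.  Prefix bytes as in RFC 6962; pairwise tree shape with unpaired nodes
promoted unchanged."""
import hashlib
import hmac
from typing import List, Tuple

LEAF_PREFIX = b"\x00"  # domain separation: a leaf hash can never be
NODE_PREFIX = b"\x01"  # mistaken for an interior-node hash


def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + record).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_levels(records: List[bytes]) -> List[List[bytes]]:
    """Bottom-up levels, leaves first, root last."""
    if not records:
        return [[hashlib.sha256(b"").digest()]]  # empty-tree root, as in RFC 6962
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(records: List[bytes]) -> bytes:
    return build_levels(records)[-1][0]


def inclusion_proof(records: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    if not 0 <= index < len(records):
        raise IndexError(index)
    levels = build_levels(records)
    proof = []
    i = index
    for level in levels[:-1]:
        sib = i ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            proof.append((level[sib], "left" if sib < i else "right"))
        i //= 2
    return proof


def verify_inclusion(root: bytes, record: bytes, proof: List[Tuple[bytes, str]]) -> bool:
    """Recompute the path using only the record, its proof and the trusted root."""
    h = leaf_hash(record)
    for sibling, side in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


if __name__ == "__main__":
    # Constructed sample audit records (not real log data).
    records = [b"2015-12-20T10:%02d:00Z login user%d ok" % (m, m) for m in range(7)]
    root = merkle_root(records)
    proof = inclusion_proof(records, 4)
    print("record 4 present:", verify_inclusion(root, records[4], proof))
    print("edited record 4:", verify_inclusion(root, records[4] + b" (edited)", proof))
    tampered = list(records)
    tampered[2] = b"2015-12-20T10:02:00Z login user2 ok (rewritten)"
    print("root changed after edit:", merkle_root(tampered) != root)
```

The proof for seven records is three hashes, not seven; the verifier never needs the other records, only the root it already trusts, which is why a published root (or a root signed once) covers an arbitrarily large log.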

Referenced