Digital Undercurrents

The EFF has filed a friend of the court brief in a Colorado federal courtroom, asserting that compelling a defendant to reveal the password to her computer’s encrypted hard drive is a violation of the Fifth Amendment. This will be an interesting legal precedent; I don’t think that the British tactic of holding someone in contempt until their password is revealed has been used here in the USA.

From this article at the Wall Street Journal:

The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force… Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say.

As Lauren Weinstein pointed out on the IP list, you couldn’t possibly come up with a better challenge to incite black hats. “You think only a foreign government can take out a power grid? Well, watch _this_!”

Popular online storage and backup provider Dropbox has changed their terms of service – apparently they want to reserve the right to decrypt the data that you’re storing on their service if the US government asks them to do so.

Independent of how intrusive this must be for non-US users, it’s an interesting reminder of how little control you have over data that resides “in the cloud”. Don’t worry, though. I’m sure that the software and process for decrypting user data is very secure, and complex, and will never be used by an outside intruder or a disgruntled insider. Safe as houses.

The National Strategy for Trusted Identities in Cyberspace, or NSTIC, will be publicly launched at an event at the Commerce Department this morning. The concept behind the initiative is simple: create a standardized authentication framework so that users don’t need to leave PII, or Personally Identifiable Information, in the hands of every web site where they need to handle personal matters.

There’s even an adorable little animation explaining the concept. A user can establish an account with any of a number of registrars, some of which are public and some of which are private. The registrar then issues an authentication token that can be used as proof of identity on sites that conform to the standard. Obviously, this depends heavily on maintenance of proper security at the registrar – but that’s still better than the current situation, where your doctor, your bank(s), your employer, etc. all have copies of your personal information, shielded only by a simple password.

It seems that the feds have really gone out of their way to make this vendor-neutral and decentralized; I hope it takes off. I’m sick of seeing headlines about massive data breaches harvesting tons of PII.

According to the law currently on the books, email stored for more than 180 days in a hosting environment – including on so-called “cloud” servers like those of Hotmail or Gmail – is considered “abandoned” and can be obtained without a warrant. Efforts to rectify this mid-1980s legislative situation are being actively opposed by the Obama administration, who apparently feel that due process is a bit of a hassle and would rather not deal with the realities of how people now use email.