What’s Classified, Doc? (The Clinton Emails and the FBI)

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System.” A few quotes:

From the group of 30,000 e-mails returned to the State Department, 110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received. Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent.

For example, seven e-mail chains concern matters that were classified at the Top Secret/Special Access Program level when they were sent and received. These chains involved Secretary Clinton both sending e-mails about those matters and receiving e-mails from others about the same matters. There is evidence to support a conclusion that any reasonable person in Secretary Clinton’s position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation.

Separately, it is important to say something about the marking of classified information. Only a very small number of the e-mails containing classified information bore markings indicating the presence of classified information. But even if information is not marked “classified” in an e-mail, participants who know or should know that the subject matter is classified are still obligated to protect it.

I will state that there is information which is both classified and available to the public. For example, the Snowden documents are still classified, and I have friends with clearances who need to leave conversations when they come up. They are, simultaneously, publicly available. There is a legalistic position that such information is only classified. Such rejection of reality is uninteresting to me.

I can read Comey’s statements two ways. One is that Clinton was discussing Snowden documents, which she likely needed to do as Secretary of State. The other is that she was discussing information which was not both public and classified. My assessment of her behavior is dependent on knowing this.

Are facts available to distinguish between these cases?

Regulations and Their Emergent Effects

There’s a fascinating story in the New York Times, “Profits on Carbon Credits Drive Output of a Harmful Gas”:

[W]here the United Nations envisioned environmental reform, some manufacturers of gases used in air-conditioning and refrigeration saw a lucrative business opportunity.

They quickly figured out that they could earn one carbon credit by eliminating one ton of carbon dioxide, but could earn more than 11,000 credits by simply destroying a ton of an obscure waste gas normally released in the manufacturing of a widely used coolant gas. That is because that byproduct has a huge global warming effect. The credits could be sold on international markets, earning tens of millions of dollars a year.

That incentive has driven plants in the developing world not only to increase production of the coolant gas but also to keep it high — a huge problem because the coolant itself contributes to global warming and depletes the ozone layer.

Writing good regulation to achieve exactly the effects that you want is a hard problem. It’s not hard in the “throw some smart people at it” sense, but hard in the sense that you’re generally going to have to make hard tradeoffs around behavior like this. Simple regulations will fail to capture nuance, but as the regulation becomes more complex, you end up with more nooks and crannies full of strange outcomes.

We as people and as a society need to think about how much of this we want. If we want to regulate with a fine-toothed comb, then we’re going to see strange things like this. If we want to regulate more broadly, we’ll likely end up with some egregious failures and frauds like Enron or the mortgage crisis. But those failures are entirely predictable: companies occasionally fake their books, and bankers will consistently sell as much risk as they can to the biggest sucker. For example, the Bush administration’s TARP program or Seattle taking on $200 million in risk from a hedge fund manager who wants to build a new sports stadium. At least that risk isn’t hidden in some bizarre emergent effect of the regulation.

That aside, long, complex regulations are always going to produce emergent and chaotic effects. That matters for us in security because as we look at the new laws that are proposed, we should look to see not only their intended effects, but judge if their complexity itself is a risk.

I’m sure there’s other emergent effects which I’m missing.

“Quartering large bodies of armed troops among us..”

So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near the Olympic park, and the residents objected.

However, the courts have ruled that such a decision is not subject to judicial review. (“London tower block residents lose bid to challenge Olympic missiles”) I think it’s a bit of a shame it didn’t happen here in the US, where it would be a rare opportunity for a bit of third amendment law:

No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.

It’s not clear that a missile battery is a soldier, nor that on a house is equivalent to in a house, and I suspect those are two of the few remaining words in the Bill of Rights that haven’t been hyper-analyzed.

Kind of Copyrighted

This Week in Law is a fascinating podcast on technology law issues, although I’m way behind on listening. Recently, I was listening to Episode #124, and they had a discussion of Kind of Bloop, “An 8-Bit Tribute to Miles Davis’ Kind of Blue.” There was a lawsuit against artist Andy Baio, which he discusses in “Kind of Screwed.” There’s been a lot of discussion of the fair use elements of the case (for example, see “Kind of Bamboozled: Why ‘Kind of Bloop’ is Not a Fair Use”). But what I’d really like to talk about is (what I understand to be) a clear element of copyright law that is fundamental to this case, and that is compulsory mechanical licensing.

In the TWIL podcast, there’s a great deal of discussion of whether Baio should have approached the photographer for a license or not. He did approach the copyright holders for Kind of Blue, who were “kind” enough to give him a license. They gave him a license for the music, but he didn’t need to approach them. Copyright law gives anyone the right to record a cover, and as a result, there is a flourishing and vibrant world of cover music, including great podcasts like Coverville, and artists like Nouvelle Vague, who do amazing bossa-nova style covers of punk. (Don’t miss their cover of Too Drunk to Fuck.) And you can listen to that because they don’t have to approach the copyright holder for permission. Maybe they would get it, maybe not. But their ability to borrow from other artists and build on their work is a matter of settled law.

I’m surprised this difference didn’t come up in the discussion, because it seems to me to be kind of important.

It’s kind of important because it’s a great example of how apparently minor variations in a law can dramatically change what we see in the world. It’s also a great example of how constraining rules like mechanical licensing can encourage creativity by moving a discussion from “allow/deny” to “under what circumstances can a copyright holder use the courts to forbid a copy.” If we had mechanical licensing for all copyrighted materials, Napster might still be around and successful.

Outrage of the Day: DHS Takes Blog Offline for a year

Imagine if the US government, with no notice or warning, raided a small but popular magazine’s offices over a Thanksgiving weekend, seized the company’s printing presses, and told the world that the magazine was a criminal enterprise with a giant banner on their building. Then imagine that it never arrested anyone, never let a trial happen, and filed everything about the case under seal, not even letting the magazine’s lawyers talk to the judge presiding over the case. And it continued to deny any due process at all for over a year, before finally just handing everything back to the magazine and pretending nothing happened. I expect most people would be outraged. I expect that nearly all of you would say that’s a classic case of prior restraint, a massive First Amendment violation, and exactly the kind of thing that does not, or should not, happen in the United States.

But, in a story that’s been in the making for over a year, and which we’re exposing to the public for the first time now, this is exactly the scenario that has played out over the past year — with the only difference being that, rather than “a printing press” and a “magazine,” the story involved “a domain” and a “blog.”

Read the whole thing at “Breaking News: Feds Falsely Censor Popular Blog For Over A Year, Deny All Due Process, Hide All Details…”

“Can copyright help privacy?”

There are semi-regular suggestions to allow people to copyright facts about themselves as a way to fix privacy problems. At Prawfsblog, Brooklyn Law School Associate Professor Derek Bambauer responds in “Copyright and your face.”

Key quote:

One proposal raised was to provide people with copyright in their faceprints or facial features. This idea has two demerits: it is unconstitutional, and it is insane. Otherwise, it seems fine.

As an aside, Bambauer is incorrect. The idea has a third important problem, which he also points out in his post: “It’s also stupid.”

Read the whole thing here.

California gets a strengthened Breach Notification Law

Governor Brown of California has signed a strengthened breach notification bill, which amends Sections 1798.29 and 1798.82 of the California Civil Code in important ways. Previous versions had been repeatedly vetoed by Arnold Schwarzenegger.

As described[.DOC] by its sponsor’s office, this law:

  • Establishes standard, core content — such as the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies — for security breach notices in California;
  • Requires public agencies, businesses, and persons subject to California’s security breach notification law, if more than 500 California residents are affected by a single breach, to send an electronic copy of the breach notification to the Attorney General; and,
  • Requires public agencies, businesses and persons subject to California’s security breach notification law, if they are utilizing the substitute notice provisions in current law, to also provide that notification to the Office of Information Security or the Office of Privacy Protection, as applicable.
  • senatorsimitian.com

    This makes California the fifteenth (!) state with a central notification provision on the books, the others being: Hawaii, Iowa, Maryland, Massachusetts, Minnesota, New Hampshire, New York, North Carolina, Oregon, Vermont, Virginia, West Virginia, Wisconsin, and Wyoming. Puerto Rico also has such a requirement. Ibid.

    I’m looking forward to the resulting information, and I hope California’s Attorney General has the good sense to post all received notification letters. This will undoubtedly be easier for the state than dealing with the inevitable FOIA requests, and serves the public interest by increasing transparency.

    “Pirate my books, please”

    Science fiction author Walter John Williams wants to get his out of print work online so you can read it:

    To this end, I embarked upon a Cunning Plan. I discovered that my work had been pirated, and was available for free on BitTorrent sites located in the many outlaw server dens of former Marxist countries. So I downloaded my own work from thence with the intention of saving the work of scanning my books— I figured I’d let the pirates do the work, and steal from them. While this seemed karmically sound, there proved a couple problems.

    Read more in “Crowdsource, Please.”

    What’s the PIN, Kenneth?

    There’s a story in the New York Times, “To Get In, Push Buttons, or Maybe Swipe a Magnet” which makes interesting allusions to the meaning of fair trade in locks, implied warranties and the need for empiricism in security:

    In court filings, Kaba argued that it had “never advertised or warranted in any way that any of its access control products are impenetrable.” Locksmiths learn techniques to defeat all kinds of locks, and “thieves and others who want to defeat locks can obtain the same tools and learn the same techniques locksmiths use,” the filings said. “Indeed, any thief — even the most clumsy — can use a sledgehammer, a pry bar or bolt cutter to bypass essentially any lock.”

    In a statement, Mr. Miller added that the company had “never received any confirmed report of a break-in” because of a magnetic bypass, and that it heard about the potential for magnetic mischief only in August 2010. Kaba is preparing a free kit to modify the locks and make them magnet-proof, he said.

    All of which is really an excuse to share with you this picture. I have no idea if it’s a Kaba lock or not, and I’m reasonably confident that the sign is not Kaba’s fault.

    Microsoft Backs Laws Forbidding Windows Use By Foreigners

    According to Groklaw, Microsoft is backing laws that forbid the use of Windows outside of the US. Groklaw doesn’t say that directly. Actually, they pose charmingly with the back of the hand to the forehead, bending backwards dramatically and asking, “Why Is Microsoft Seeking New State Laws That Allow it to Sue Competitors For Piracy by Overseas Suppliers?” Why, why, why, o why, they ask.

    The headline of this article is the obvious reason. Microsoft might not know they’re doing it for that reason. Usually, people with the need to do something, dammit, because they fear they might be headed to irrelevancy, think of something and follow the old Aristotelian syllogism:

    Something must be done.
    This is something.
    Therefore, it must be done.

    It’s pure logic, you know. This is exactly how Britney Spears ended up with Laurie Anderson’s haircut and the US got into policing China’s borders. It’s logical, and as an old colleague used to say with a sigh, “There’s no arguing with logic like that.”

    Come on, let’s look at what happens. I run a business, and there’s a law that says that if my overseas partners aren’t paying for their Microsoft software, then Microsoft can sue me, what do I do?

    Exactly right. I put a clause in the contract that says that they agree not to use any Microsoft software. Duh. That way, if they haven’t paid their Microsoft licenses, I can say, “O, you bad, naughty business partner. You are in breach of our contract! I demand that you immediately stop using Microsoft stuff, or I shall move you from being paid net 30 to net 45 at contract renegotiation time!” End of problem.

    And hey, some of my partners will actually use something other than Windows. At least for a few days, until they realize how badly Open Office sucks.

    Questions about a Libyan no-fly zone

    With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces.

    There are strong calls to move quickly, such as “Fiddling While Libya Burns” in the New York Times. But I think there are some important questions that I haven’t heard answered. A no-fly zone is a military intervention in Libya. It involves an act of war against the current government, and however bad that government is, we need to consider the question not of a “no-fly zone” but an “act of war” and its implications.

    Some questions I’d love to hear answered include:

    • What if it doesn’t work? Are we willing to put soldiers on the ground to support the rebels?
    • What if it does? Who’s in charge?
    • What if it half works? We imposed a no-fly zone in Iraq in 1991, and then invaded 11 years later because we hadn’t thought through the question of what we do to remove the no-fly zone. If the rebels end up with a Kurdistan, how do we finish? Another invasion? Walk away and let the Libyan air force bomb in 2 years?
    • What does success look like? What’s our goal? Do we support offensive operations? If the rebels end up with some aircraft, do we let them fly?

    There are other questions, about sovereignty, but I think there’s a good tradeoff to be made between preventing democide and respecting sovereignty. But I haven’t seen a proposal which seems to have considered what happens after a no-fly zone is imposed. Is there one?

    Copyrighted Science

    In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals.

    Matt concludes:

    So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse to publish in IEEE or ACM venues, but that stance is complicated by my obligations to my student co-authors, who need a wide range of publishing options if they are to succeed in their budding careers. So instead, I will no longer serve as a program chair, program committee member, editorial board member, referee or reviewer for any conference or journal that does not make its papers freely available on the web or at least allow authors to do so themselves.

    Please join me. If enough scholars refuse their services as volunteer organizers and reviewers, the quality and prestige of these closed publications will diminish and with it their coercive copyright power over the authors of new and innovative research. Or, better yet, they will adapt and once again promote, rather than inhibit, progress.

    I already consider copyright as a factor when selecting a venue for my (sparse) academic work. However, there’s always other factors involved in that choice, and I don’t expect them to go away. Like Matt, my world is not perfect, and in particular, I’m on the steering committee of the Privacy Enhancing Technologies Symposium, and we publish with Springer-Verlag. I regularly raise the copyright question with the board, which has decided to stay with Springer for now [and Springer does allow authors to post final papers].

    There’s obviously a need for a business model for the folks who archive and make available the work, but when many webmail providers give away nearly infinite storage and support it with ads, $30 per 200K PDF is way too high for work that was most likely done on a government grant to improve public knowledge.

    I’m not sure what the right balance will be for me, but I’d like to raise one issue which I don’t usually see raised. That is, what to do about citing to these journals? I sometimes do security research on my own, or with friends outside the academic establishment. As a non-academic, I don’t have easy access to ACM or IEEE papers. Sometimes, I’ll pick up copies at work, but that’s perhaps not an appropriate use of corporate resources. Other times, I’ll ask the authors or friends for copies. We need to understand what’s been done to avoid re-inventing the wheel.

    If our goal is to ensure that scientific work paid for by the public is not handed over to someone who puts it behind a paywall, perhaps the next step is to apply pressure by only reviewing open access journals and conferences? When I first thought about that, I recoiled from the idea. But the process of looking for previous and related work is a process which must be bounded. There’s simply too many published papers out there for anyone to really be aware of all of it, and so everyone limits what they search. In fact, there are already computer security journals, including Phrack and Uninformed, which are high quality work but rarely cited by academics.

    So I’m interested. Does being behind a paywall suffice as a reason to not cite work? If you answer, “no, it’s not sufficient,” how much time or money do you think you or I should reasonably spend investigating possibly related work?

    Rights at the “Border”

    “I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester.

    Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration documents. Through the window, Mr. Santomauro said, he could see three black passengers, standing with arms raised beside a Border Patrol van.

    “As a citizen I’m offended,” he said. But he added, “To say I didn’t want to answer didn’t seem a viable option.”

    From the NYTimes, “Border Sweeps in North Reach Miles Into U.S.”

    If you think this is ok, where in the US should it not be legal for the armed agents of the state to demand your papers without any grounds for suspicion of wrongdoing?

    Similarly, if a law student doesn’t see not answering police questions as a “viable option,” what do we do to restore balance to the Constitution?

    Previously on Emergent Chaos: “100 Mile Constitution Free Zone.”


    Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented, “We were warned to expect ‘dirty tricks’. Now we have the first one.” Even the New York Times was forced to call it “strange.”

    I think that was the wrong warning. Wikileaks is poking at a very dangerous system. We went to war with Iraq, claiming it had links to Al Qaida and chemical weapons programs. (I think there were good reasons for both Iraqi citizens and Western democracies to want a well planned and executed regime change in Iraq, and even better reasons to expect that attempts to do so would descend into chaos. But that’s beside the point.) Since then, we have publicly announced that we have death squads targeting US citizens. Does Wikileaks expect any less?

    The American system of classifying documents is seriously flawed. That’s been the conclusion of every blue ribbon panel that studies it. Transparency and accountability are key tools that we the people use to constrain the power of government. But people in power never like transparency. They don’t like oversight and second-guessing. So over-classification is a natural outcome. Insofar as leaks help to constrain that, they’re useful to us, the governed. To the extent that leaks force a conversation about “why was this document classified,” they’re useful.

    Now, leaking the names of informers is clearly problematic. It seems that, like many news organizations, Wikileaks asked the Pentagon for advice on redaction. They were rebuffed.

    But that’s not the point of this post. The first point of this post is to say that the Leviathan is an angry and mean son of a bitch that’s now going to attack Wikileaks as hard as it can. If discrediting works, great. If not, expect escalation. Whatever their personal failings may or may not be, more transparency and accountability in government is a worthy goal, and we should support that goal. We should support that goal even as we can see flaws in Wikileaks. And despite their flaws, Wikileaks is making more transparency in less comfortable areas than anyone else.

    The right response to the Afghan war diary would be for the Pentagon and for each of our allies to review what they have classified and why, and release more of it. Little of what was released was really surprising, and much of it should have been officially released with minor redaction. But instead of that review, we see the Leviathan lashing out at Wikileaks.

    To the extent that Wikileaks pushes governments to become more transparent, we all benefit. But more transparency is not the reaction we’re seeing, and to distract us from that is the dirtiest trick so far.

    If you think government has too much power, you should support Wikileaks. If you think that America’s overseas entanglements are hurting America or the world, you should support Wikileaks. If you think military adventurism is hurting the world, you should support Wikileaks. Because whatever Wikileaks’ faults, their goals are important ones.

    Which brings us to the second point of this post, which is to remind you, when you read negative stories about Wikileaks, ask yourself “who benefits?” The answer isn’t going to be “you and me.”