Questions about a Libyan no-fly zone

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces.

There are strong calls to move quickly, such as “Fiddling While Libya Burns” in the New York Times. But I think there are some important questions that I haven’t heard answered. A no-fly zone is a military intervention in Libya. It involves an act of war against the current government, and however bad that government is, we need to consider the question not of a “no-fly zone” but an “act of war” and its implications.

Some questions I’d love to hear answered include:

  • What if it doesn’t work? Are we willing to put soldiers on the ground to support the rebels?
  • What if it does? Who’s in charge?
  • What if it half works? We imposed a no-fly zone in Iraq in 1991, and then invaded 11 years later because we hadn’t thought through the question of what we do to remove the no-fly zone. If the rebels end up with a Kurdistan, how do we finish? Another invasion? Walk away and let the Libyan air force bomb in 2 years?
  • What does success look like? What’s our goal? Do we support offensive operations? If the rebels end up with some aircraft, do we let them fly?

There are other questions, about sovereignty, but I think there’s a good tradeoff to be made between preventing democide and respecting sovereignty. But I haven’t seen a proposal which seems to have considered what happens after a no-fly zone is imposed. Is there one?

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals.

Matt concludes:

So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse to publish in IEEE or ACM venues, but that stance is complicated by my obligations to my student co-authors, who need a wide range of publishing options if they are to succeed in their budding careers. So instead, I will no longer serve as a program chair, program committee member, editorial board member, referee or reviewer for any conference or journal that does not make its papers freely available on the web or at least allow authors to do so themselves.

Please join me. If enough scholars refuse their services as volunteer organizers and reviewers, the quality and prestige of these closed publications will diminish and with it their coercive copyright power over the authors of new and innovative research. Or, better yet, they will adapt and once again promote, rather than inhibit, progress.

I already consider copyright as a factor when selecting a venue for my (sparse) academic work. However, there are always other factors involved in that choice, and I don’t expect them to go away. Like Matt, my world is not perfect, and in particular, I’m on the steering committee of the Privacy Enhancing Technologies Symposium, and we publish with Springer-Verlag. I regularly raise the copyright question with the board, which has decided to stay with Springer for now [and Springer does allow authors to post final papers].

There’s obviously a need for a business model for the folks who archive and make available the work, but when many webmail providers give away nearly infinite storage and support it with ads, $30 per 200K PDF is way too high for work that was most likely done on a government grant to improve public knowledge.

I’m not sure what the right balance will be for me, but I’d like to raise one issue which I don’t usually see raised. That is, what to do about citing to these journals? I sometimes do security research on my own, or with friends outside the academic establishment. As a non-academic, I don’t have easy access to ACM or IEEE papers. Sometimes, I’ll pick up copies at work, but that’s perhaps not an appropriate use of corporate resources. Other times, I’ll ask the authors or friends for copies. We need to understand what’s been done to avoid re-inventing the wheel.

If our goal is to ensure that scientific work paid for by the public is not handed over to someone who puts it behind a paywall, perhaps the next step is to apply pressure by only reviewing open access journals and conferences? When I first thought about that, I recoiled from the idea. But the process of looking for previous and related work is a process which must be bounded. There are simply too many published papers out there for anyone to really be aware of all of them, and so everyone limits what they search. In fact, there are already computer security journals, including Phrack and Uninformed, which are high quality work but rarely cited by academics.

So I’m interested. Does being behind a paywall suffice as a reason to not cite work? If you answer, “no, it’s not sufficient,” how much time or money do you think you or I should reasonably spend investigating possibly related work?

Rights at the “Border”

“I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester.

Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration documents. Through the window, Mr. Santomauro said, he could see three black passengers, standing with arms raised beside a Border Patrol van.

“As a citizen I’m offended,” he said. But he added, “To say I didn’t want to answer didn’t seem a viable option.”

From the NYTimes, “Border Sweeps in North Reach Miles Into U.S.”

If you think this is ok, where in the US should it not be legal for the armed agents of the state to demand your papers without any grounds for suspicion of wrongdoing?

Similarly, if a law student doesn’t see not answering police questions as a “viable option,” what do we do to restore balance to the Constitution?

Previously on Emergent Chaos: “100 Mile Constitution Free Zone.”


Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.”

I think that was the wrong warning. Wikileaks is poking at a very dangerous system. We went to war with Iraq, claiming it had links to Al Qaida and chemical weapons programs. (I think there were good reasons for both Iraqi citizens and Western democracies to want a well planned and executed regime change in Iraq, and even better reasons to expect that attempts to do so would descend into chaos. But that’s beside the point.) Since then, we have publicly announced that we have death squads targeting US citizens. Does Wikileaks expect any less?

The American system of classifying documents is seriously flawed. That’s been the conclusion of every blue ribbon panel that studies it. Transparency and accountability are key tools that we the people use to constrain the power of government. But people in power never like transparency. They don’t like oversight and second-guessing. So over-classification is a natural outcome. Insofar as leaks help to constrain that, they’re useful to us, the governed. To the extent that leaks force a conversation about “why was this document classified,” they’re useful.

Now, leaking the names of informers is clearly problematic. It seems that, like many news organizations, Wikileaks asked the Pentagon for advice on redaction. They were rebuffed.

But that’s not the point of this post. The first point of this post is to say that the Leviathan is an angry and mean son of a bitch that’s now going to attack Wikileaks as hard as it can. If discrediting works, great. If not, expect escalation. Whatever their personal failings may or may not be, more transparency and accountability in government is a worthy goal, and we should support that goal. We should support that goal even as we can see flaws in Wikileaks. And despite their flaws, Wikileaks is making more transparency in less comfortable areas than anyone else.

The right response to the Afghan war diary would be for the Pentagon and for each of our allies to review what they have classified and why, and release more of it. Little of what was released was really surprising, and much of it should have been officially released with minor redaction. But instead of that review, we see the Leviathan lashing out at Wikileaks.

To the extent that Wikileaks pushes governments to become more transparent, we all benefit. But more transparency is not the reaction we’re seeing, and to distract us from that is the dirtiest trick so far.

If you think government has too much power, you should support Wikileaks. If you think that America’s overseas entanglements are hurting America or the world, you should support Wikileaks. If you think military adventurism is hurting the world, you should support Wikileaks. Because whatever Wikileaks’ faults, their goals are important ones.

Which brings us to the second point of this post, which is to remind you, when you read negative stories about Wikileaks, ask yourself “who benefits?” The answer isn’t going to be “you and me.”

How not to address child ID theft

(San Diego, CA) Since the 1980’s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child’s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” numbers. Unfortunately, credit issuers do not currently have the ability to verify if a SSN belongs to an adult or a minor. If they knew that the SSN presented belonged to a minor they would automatically deny opening a credit account.

Years ago, the Identity Theft Resource Center envisioned a simple solution to this problem. It is called the Minors 17-10 Database and ITRC has been talking with various government entities and legislators about this concept since July 2005. (…)

The creation of a Minors 17-10 Database would provide credit issuers the tool to verify if the SSN provided belongs to a child. This proposed SSA record file would selectively extract the name, month of birth, year of birth, and SSN of every minor from birth to the age of 17 years and 10 months. This record file, maintained by SSA, would be provided monthly to approved credit reporting agencies. When a credit issuer calls about the creditworthiness of a SSN, if the number is on the Minors 17-10 Database, they would be told that the SSN belongs to a minor.

That’s from a press release mailed out by the normally very good Identity Theft Resource Center. Unfortunately, this idea is totally and subtly broken.

Today, the credit agencies don’t get lists from the SSA. This is a good thing. There’s no authorization under law for them to do so. The fact that they’ve created an externality on young people is no reason to revise that law. The right fix is for them to fix their systems.

The right fix is for credit bureaus to delete any credit history from before someone turns 18. Birth dates could be confirmed by a driver’s license, passport or birth certificate.

Here’s how it would work:

  1. Alice turns 18.
  2. Alice applies for credit and discovers she has a credit history.
  3. Alice calls the big three credit agencies, gets a runaround, and explains she’s just turned 18, and apparently has credit from when she was 13.
  4. The credit agency asks for documents, just like they do today (see “when do I need to provide supporting docs”).
  5. The credit agency looks at the birthday they’ve been provided, and subtracts 18 years from the year field.
  6. The credit agency removes the record from the report.

It’s easy, and doesn’t require anything but a change in process by the credit bureaus. No wonder they haven’t done it, when they can convince privacy advocates that they should get lists of SSN/name/dob tuples from Uncle Sam.

Dear England, may we borrow Mr. Cameron for a bit?

Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologies about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture by UK security services. (“Britain Pledges Inquiry Into Torture.”)

And yes, it’s certainly more fun to investigate the opposition, but…I’d really like to bring Mr. Cameron over here for a little while. Some investigations would do us, and our fight against al Qaeda, a great deal of good.

Why we need strong oversight & transparency

[The ACLU has a new] report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade.

The survey provides an outline of, and links to, dozens of examples of Cold War-era snooping in the modern age.

“Our review of these practices has found that Americans have been put under surveillance or harassed by the police just for deciding to organize, march, protest, espouse unusual viewpoints and engage in normal, innocuous behaviors such as writing notes or taking photographs in public,” Michael German, an ACLU attorney and former Federal Bureau of Investigation agent, said in a statement.

Via Wired. Unfortunately, (as Declan McCullagh reports) “Police push to continue warrantless cell tracking,” and a host of other surveillance technologies which we have yet to grapple with.

For example, it seems FourSquare had an interesting failure of threat modeling, where they failed to grok the information disclosure aspects of some of their pages. See “White Hat Uses Foursquare Privacy Hole to Capture 875K Check-Ins.” To the extent that surveillance is opt-in, it is far less worrisome than when it’s built into the infrastructure, or forced on consumers via contract revisions.

Between an Apple and a Hard Place

So the news is all over the web about Apple changing their privacy policy. For example, Consumerist says “Apple Knows Where Your Phone Is And Is Telling People:”

Apple updated its privacy policy today, with an important, and dare we say creepy new paragraph about location information. If you agree to the changes, (which you must do in order to download anything via the iTunes store) you agree to let Apple collect, store and share “precise location data, including the real-time geographic location of your Apple computer or device.”

Apple says that the data is “collected anonymously in a form that does not personally identify you,” but for some reason we don’t find this very comforting at all. There appears to be no way to opt-out of this data collection without giving up the ability to download apps.

Now, speaking as someone who was about to buy a new iPhone (once the servers stopped crashing), what worries me is that the new terms are going to be in the new license for new versions of iTunes and iPhones.

Today, it’s pretty easy to not click ok. But next week or next month, when Apple ships a security update, they’re going to require customers to make a choice: privacy or security. Apple doesn’t ship patches for the previous rev of anything but their OS. iTunes problem? Click ok to give up your privacy, or don’t, and give up your security.

Not a happy choice, being stuck between an Apple and a hard place.

Where’s the Checks and Balances, Mr. Cameron?

[Update: See Barry's comments, I seem to misunderstand the proposal.]
The New York Times headlines “Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where we have an executive branch of government, the UK’s executive is the Prime Minister, selected by and from Parliament.

As I understand things, the primary check on the Prime Minister is that if their choices are sufficiently unpopular, their party defects and votes against them, leading to a new election. This threat of government collapse is a major check on the power of Parliament, as evidenced by how both Cameron and Clegg are repeating that “this government will last 5 years.”

So if Parliament will last 5 years, what are the checks on its power?

[Edit: Steps on scrapping ID cards and ContactPoint are very positive, but to my mind, those are symptoms of the already barely-checked power of the Prime Minister.]

Showing ID In Washington State

Back in October, I endorsed Pete Holmes for Seattle City Attorney, because of slimy conduct by his opponent. It turns out that his opponent was not the only one mis-conducting themselves. The Seattle PD hid evidence from him, and then claimed it was destroyed. They have since changed their story to (apparent) lies about “computer problems.” See “Local computer security expert investigates police practices” in the Seattle PI. Some choice quotes:

…a charge was leveled against him in Seattle Municipal Court for obstructing a public officer. Controversial laws known as obstruction, “stop and frisk” and “stop and identify” statutes have been abused in other cities like New York, studies and news stories show. An obstruction case cited in a 2008 Seattle Post-Intelligencer investigation ended with a federal jury hitting Seattle police with a six-figure penalty.

Rachner’s criminal defense attorney sought dismissal of his gross misdemeanor charge, citing the Washington State Supreme Court decision that says arresting a person for nothing more than withholding identification is unconstitutional. One reason cited by the court: This practice allows police too much discretion to pick targets and punish with arrest. Also, the state constitution is more protective of these rights than the U.S. constitution.

The microphone picks up Letizia explaining the arrest to Rachner and a police sergeant, citing only the failure to provide identification as the reason Rachner was in handcuffs. No other provocations before the arrest were documented.

“The explanation is our servers failed,” said Seattle Police spokesman Sgt. Sean Whitcomb. “Data was lost, more than his, and it took some time to recover it.” “There is absolutely nothing in the activity log to support that claim,” said Rachner. “Moreover, if the video was unavailable, it was dishonest of them to claim the video could no longer be obtained because it was past the 90-day retention period. It is completely at odds with what they told me in writing.”

I say these are lies because their story keeps changing.

I hate paying the salaries of people who can’t tell me the truth, and I think I’ll be writing city hall for an explanation. If you live in Seattle, I suggest you do the same.