My dissertation is about internet security and internet privacy issues. The fact that they are both such large parts of everyone’s online experience and yet they seem to constantly battle against each other for supremacy. Can there be harmony or is there an inherent paradox between them meaning they can never function in equilibrium?

As part of the dissertation process interviews were conducted, one of which with the global IT manager of Premier Oil, to establish what issues are involved in business as well as consumer experiences and what guidelines they have to adhere to. More importantly if any of them are working or not.

Read my dissertation here ›

There is simply not enough debate about it. The fact that this has been rushed through the troubles me greatly but is not at all surprising regardless of the ‘wash period’ the current government are in. The faster they can move bills like this along, the less time anyone has to find out what is really going on and hold a balanced debate about it.

My dissertation was written on a similar subject – online privacy, are we forfeiting privacy to pay for security.

The fact that you can have your internet connection cut off is an interesting theory but how would it work in practice

1. What would happen if someone hacks into my wireless and downloads illegally? Would I get cut off or a strike against my name?
2. What if someone at my company downloads illegally, does the company’s internet get cut off?
3. If I’m a freelance web designer and my little sister downloads a film, do I lose my internet connection which I need in order to do my job? What is the justification for strangling my livelihood?
4. What about a public wireless network, will that get disconnected?

What is the differentiation between someone actively distributing content and someone who downloads an episode of Lost that has already aired? Is there even a distinction in the governments eyes?

The scope of this is too large for the government to understand and as a result the only thing the Digital Economy Bill will do is driving people to use encryption and proxys to avoid having their traffic inspected.

There are services like TorrentPrivacy already available for a negligible fee. This whole thing boils down to the music and film industry being money hungry. Show me a ratio of what I pay for a song or film against how much the artist gets and you will see why so many people torrent copyrighted materials. Then half of that goes to the government in tax anyway.

The cynic in me wants to say that the only reason the government cares about copyright infringement is because they make so much money in tax from the sale of content and income of the artists / labels.

How do they monitor this anyway? The last I heard ISPs said it was nearly impossible to do. The only ISP quoted as saying they were for this bill was Sky! And they’re a content distributer first!

The government are fearful of losing control and refuse to accept and embrace new technologies. This whole thing is a step closer to the situation with the Great Firewall of China and it disgusts me.

Declare that you don’t recognise the Digital Economy Bill, and your name will be added, just tweet: (make sure to keep the #whatdebill hashtag to be counted)

If you would like to help me out and fill it out, it’s just 10 questions and the link is below.

http://www.surveymonkey.com/s.aspx?sm=z9I4F5ll_2b_2bZgd_2fY1SSx8EA_3d_3d

A test on this scale is normally to work out any final bugs out and produce a final system that will then be rolled out across the rest of a network. There will be a few problems with this for our beloved UK gov.

To start with, facial recognition technology has NEVER been accurate, throwing up false-negatives and false-positives so this appears to be as much a test of the technology as it is of the security system and as far as I can tell it is based on existing technology. Concerns by the Biometrics Assurance Group (pdf) [show] that there is still work to do on both the facial recognition standards and the format in which facial images are stored.

This means the government is committing to a system upon which there are NO standards to adhere to, basically making this a very risky operation. Considering the biometric chip in passports may be incompatible with other systems, or at the very least when a standard is agreed UK residents with the chipped passports may end up having to get yet another passport. Normally standards are agreed before any large-scale testing goes ahead so this seems rather fool-hardy.

Now lets consider people who have gone before. There have been many tested applications of facial recognition and nearly all have been scrapped after only a few years in service as they proved impractical and inaccurate.

“Boston’s Logan Airport also ran two separate tests of facial recognition systems at its security checkpoints using volunteers. Over a three month period, the results were disappointing. According to the Electronic Privacy Information Center, the system only had a 61.4 percent accuracy rate, leading airport officials to pursue other security options.”

If this is supposed to be another layer of security, to augment the already ludacris systems that are in place, then passengers will see no benefit at all. Did I mention that the whole process will be overlooked by securities staff who can step in at any time and take you to a real person to match your picture.

If all goes well and the system works then it will be truely remarkable and may indeed speed up entry through immigration. However, I feel that given the problems many people have with technology the so-called speed may be just an illusion, a target, similar to the fiasco at Heathrow Terminal 5. Not to mention the fact the system may fall flat on it’s face irrispective of whether people can use it. I predict an amalgation of both which will troublingly create some of the longest queues, the opposite of the desired effect.

The first post is about how thoroughly targeted I felt on the journey, how my privacy was invaded at every opportunity and how nobody seemed to want to listen to reason – nobody with any authority anyway.

To get to the Bahamas you have a few choices to make as there is not yet a direct flight to the island of Exuma where we stayed. Do you go to Nassau then on to Exuma or do you go through Miami then on to Exuma? The only difference is that going though Miami is much cheaper but I advise caution if you are a white, British family of four.

The first leg of the journey started at Heathrow which was fairly quick I suppose but for some reason there were four or five people telling us on the way to the security checkpoint that we were not allowed liquids over 100ml, fair enough but after the third person reels of a list of things that could be over 100ml (how stupid am I?) it got quite tedious. By number five I was already making jokes about their job descriptions and CVs. Passport control and signing up for IRIS recognition (more about that in another post) was fast and relatively stress free.

Once in Miami International however, things took a dramatic turn for the worse. The Queue to get into the country was long… the queue to even get into that queue streched right back to an escelator making for some difficult negotiation of luggage and bodies to avoid being dragged back down on the underside. After an hour or so we finally got to immigration where we were interigated (Are you a terrorist? Are you involved in espionage? Real head scratchers…) and were forced to give our fingerprints. You either do it or you don’t come in… I asked.

Now we get to the crux of my complaint. Getting out of America is fatastically difficult and I must say absolutely retarded. To start you have to swipe your passport to get your tickets printed, fine, but if it doesn’t scan and you enter it manually then you have to seek out an attendant type person to ‘approve’ you. Even the one standing right next to us needed plenty of encouragement to even come near us. Then when you have your ticket you have to go to ‘baggage drop’. I must point out this is the same in the UK with Virgin and some other airlines. So we now have to join another queue to drop our bags off, which we do and show our tickets and passports and are asked again if we are terrorist etc. Then for some reason we have to take our bags away, yes that is right, we queued to drop our bags off only told we have to take them back after they’re weighed. This caused no end of confusion and delays for everyone as you have to negotiate the queue back the way you came… to drop your bags at a ‘special’ TSA screening booth.

TSA is the unit that is responsible for the searching of people and bags for things that might be a hazzard, like hand creame, and do so with an obvious lust for power. After being motioned to another queue after dropping our bags of at the bag drop, bag drop… we were then told we had ‘randomly’ been selected for secondary screening or SSSS as it was printed on our tickets. The guy who told us about this was very shocked to see us in this queue as we were a family of four white, British, middle-class holiday go-ers. After being stuck in this queue for half an hour we saw where it went… a ‘special’ area for ‘specially selected’ people of interest. Oh and so show how random it was, there were no Americans in this queue, no Muslims, no Arabs, no Turbans or Burkhas of any kind. Now I’m not suggesting that these people are going to be dangerous but given the way america views the world, I was very surprised. The people in this section were not organised and didn’t care. My family was split up, sent around in circles, asked to point out our luggage that we couldn’t see, and treated pretty poorly. Just like everyone else in this large supposedly random queue. We went through an explosive residue detector, a metal detector and had our shoes and bags scanned… My dad and my sister were put in a special glass ‘pen’ with a locked door and then asked to point to their bags, then searched one by one, frisked, wanded and made to walk through another series of metal detectors. After which they then had to find their shoes and bags (which contained the valuables they had to remove) in a sea of everyone elses. My dad made a very good point that this area would be an ideal target for a suicide bomber as there was so much confusion and so many people it would be easy and result in serious casualties. My mum was wearing a bracelet that went off in every metal detector and every time she was asked to take it off and every time she replied with “I can’t because the clasp screws on” and every time she was met with a puzzled look and asked to take all her other jewellery off (which doesn’t make the machine bleep) and put it in her bag. Then her bag was thrown into the sea of other bags and all she could do was hope that no one saw her put all her gold in it. Then she was searched but of course it had to be by a woman so for the next ten minutes all you could here was “female assist” which went without reply.

It was at this point I read the signs saying “verbal or physical threats or abuse of TSA staff is a breach of federeal law” or words to that effect. It was all I could do to restrain myself from screaming at them “do you actually have any common sense you complete retard!”. So the signs in fact fuelled this sensation.

After all of that was over one guy said “thanks for your patience” and I actually laughed at him saying “it’s not like I had a choice”… he wasn’t happy, I’m surprised he didn’t take me into a back room and perform another kind of search… cough cough.

Then our plane was delayed, delayed again, delayed again then cancelled. Then it took an hour to speak to someone who actually cared and sent us to Fort Lauderdale to get another flight leaving fairly soon.

When we go there and got our tickets you can guess what they said… ‘SSSS’ so we went through the whole process again, albeit much faster as it was a smaller airport, it was the same story with my mum and her bracelet. My comments about organisation and such were not appreciated by the guy searching my bag and pulling out the bottle of water I’d bought after the screening in Miami, not having enough time to think about it before rucshing accross the city to another airport. When he finished he said something about the key to organisation being communication… it made little sense and had little relevance to the situation at hand but he had thought about it for several minutes so he must have felt I needed to hear it. He also wouldn’t let my dad try and find his passport until he had finished looking through his bag.

When we actually went to board the plane, there was another TSA desk that was picking people out of the line and guess what, my sister (the evil and sisnister looking girl that she is) was ‘selected’ and given another rigourous search.

Is the UK not worried about terrorism as much as the US? Are we less of a target? Or is it simply that we seem to be much more pragmatic about the whole process? All I know is that I hope I never go to Miami Interational in a hurry, or maybe I should wear a turban if I do?

In no way do I want this to me misconstrood as belittlement of terrorism of the efforts of people trying to prevent it… but this expericence felt like targeted victimisation. Maybe it was articles like that that got us in the special selection in the first place. I think my name has just moved up a few places in the rankings.

Next time, my fun with IRIS recognition.

There is an inherent paradox with security and privacy issues surrounding the internet. They seem to be unable to work in harmony even though their definitions are exclusive of each other. Could this be due to pressures from the music and film industries with regard to file? A look into other areas where privacy and security issues have been addressed, possibly in the area of terrorism, something to which file sharers have been accused of.

A large part of this and in fact what has brought this to light is file sharing and the problems & controversy that it is causing. ISPs are being forced to take responsibility for what their customers are downloading which means they are forced to void their subscribers’ privacy through ‘deep packet inspection’ which has issues within itself. To try and combat this, the ‘three strike rule’ was proposed which was narrowly defeated. Neither the government nor the music / film industries know how to combat illegal file sharers or ‘unauthorised distribution of copyrighted material’ so they are trying to see what EVERYONE is downloading in order to catch those few who with nefarious purposes.

Historically there has been a problem with security and privacy, none more so than during times of war. The privacy of other nations was being invaded but it was needed to ensure the security of the home nation. Is this the reason people when we examine privacy vs security within the borders of a nation? Is the problem now an international one and should it be dealt with on an international scale with all countries signing a document? There is a possible reference to the enigma machine, message encryption and code breaking. Has anything really changed since then and is it just the technology that has advanced on both sides of the current ‘cyber war’?

Why is illegal or copyright file-sharing so prolific? Is the government to blame or is it the greed of the industries which are being infringed?

Sony BMG has released their entire music collection for free, with a 10 second advert at the start of each song. It is free to download and listen to but costs to transfer to an mp3 player, for which one would hope they would have removed the advert. This is a sign that things are changing and industries are realising they cannot simply BAN everyone who they suspect is illegally getting their content. Instead they are seeing that there are other financial models that gives users’ and themselves what they want, without pressuring governments and regulatory bodies into taking foolhardy ‘seen to be taking action’ actions.

The aim is to find out why we need security and why we want privacy. The key difference is in the need vs want. Security is paramount as without it we are vulnerable yet we want privacy which seems to be infringed upon by security. Can we ever find a way that we are being protected and anonymous?

People to Contact

Torrent Users – as part of the Bit Torrent community I am able to easily contact people about how they use the service. Some of the largest copyright infringement lawsuits are aimed at the users directly or at the people who provide ‘trackers’.

Torrent Trackers – such as Torrent Leech and The Pirate Bay the latter of which is a more prominent name and is currently undergoing a legal battle in Sweden which started by the Swedish police confiscated 180 servers. The site remains operational.

Phorm - internet advertising agency that have been in the media recently about violating internet privacy laws even though they tried to make their targeted ad system anonymous. Their video indicated that it was anonymous so I would be interested as to what they have violated.

ISPs – internet service providers such as BT, Virgin, Tiscali, Pipex etc. would be a great source of information with regard to the pressures they faced recently with the government’s proposed ‘three strike ban’. Luckily this was voted out, but only narrowly.

Government – contacting any area of the government that deals with this area would be very beneficial as the argument needs to have an official line in order to get both sides and ensure a balance and having a direct quote from a government official would be a fantastic example.

Sony BMG – it would be interesting to find out how long they have been thinking about their move to freely distribute their content. They are in partnership with one site which would also be worth contacting to find out how they managed to get a huge distributor to do what no one said could be done.

While discussing password security and allowing Firefox to save username and password combinations so you dont have to with a colleague the other day I became aware that if my laptop got stolen… there was a hell of a lot of stuff people could access as Firefox held the login details.

I was about to delete all passwords from the system to ensure security I chanced upon the ‘Master Password’ button in the ‘Security’ tab in the options menu. Once set I assumed it would just protect the passwords stored which, while a step in the right direction, would still allow people to click my bookmarks and bypass the login screens as Firefox retained the login details.

I was wrong, it is in fact very clever. When a master password is set Firefox does indeed protect the saved passwords from being shown in the options menu but it also provides a pop-up box requiring the master password when you click on a site that has saved login details. So for example if I click on Facebook with the master password enabled, Firefox asks me for the master password before loading the page. Once entered Firefox then pre-fills the login details for me to click ‘login’. If I get the master password wrong or click cancel, the page still loads but the login form is empty!

The form only needs to be filled in once per session then all form fields are filled from then on.

64 random hexadecimal characters (0-9 and A-F)
63 random printable ASCII characters
63 random alpha-numeric characters (a-z, A-Z, 0-9)

Check it out, it says its good for WiFi Security and “potentially unbreakable”

” ..our server generates a unique set of custom, high quality, cryptographic-strength password strings..”

You’ve heard of key-loggers for keyboards right? That log keystrokes made on a target keyboard and send the retrieved data to a USB key or via the internet to anyone. Well this new ‘gadget’ does the same thing but captures images of fingerprints from keyboard users which could then be used to create a replica fingerprint and used to access biometric-protected areas.

This just goes to show that not even your fingerprints are safe. Imagine if you will, that the government gets it’s way and introduces its identity card scheme, you use a computer that has a ‘bio-logger’ attached… hackers’, thieves and general undesirables then have your fingerprints. Which they can then use to potentially steal all of your data from anywhere that (in the future) uses biometrics as a security system. Off the top of my head I would imagine using it instead of chip-n-pin, passports, starting your car and even general identification if stopped by the police.

This reminds me of a 5 part drama that was on recently called ‘The Last Enemy’ set in the not to distant future and featuring things. But that’s another post entirely.

Just another reason why the government’s identity card system would fail miserably.

Feel free to view my essay here.