Tag Archive for: putting

With cybersecurity threats looming, the government shutdown is putting America at risk – TechCrunch

Putting political divisions and affiliations aside, the government partially shutting down for the third time over the last year is extremely worrisome, particularly …

Another Report Highlights How Wireless SS7 Flaw Is Putting Everyone’s Privacy At Risk

Last year, hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn’t new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations, all while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other “privileged peering relationships.”

Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren’t even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

Again the flaw isn’t new; a group of German hackers revealed the vulnerability in 2008 and again in 2014. It’s believed that the intelligence community has known about the vulnerability even earlier, and the hackers note that only modest headway has been made since German hacker Karsten Nohl first demonstrated it. But the flaw has gained renewed attention in recent weeks after Senator Ron Wyden sent a letter to the FCC (pdf) complaining that the agency isn’t doing enough (read: anything) to address it:

“One year ago I urged you to address serious cybersecurity vulnerabilities in U.S. telephone networks. To date, your Federal Communications Commission has done nothing but sit on its hands, leaving every American with a mobile phone at risk.”

Apparently, shoring up national security wasn’t as big of a priority as gutting net neutrality or eliminating consumer privacy protections at Comcast and AT&T’s behest. Wireless carriers have been downplaying the flaw, in part because of the cost of fixing it. But they also worry it will be used to justify more meaningful privacy protections here in the States. When the DHS published a 125 page report (pdf) detailing the scope of the problem, lobbyists for the industry called the problem “theoretical,” and the report “unhelpful,” calling the report’s advocacy for regulatory and legislative solutions “alarming.”

And while carriers have implemented some security standards to address the SS7 problem, at its core SS7 lacks a mechanism to ensure that carriers sending data requests are who they claim to be. And while some of the firewall solutions carriers have adopted can protect some of their own consumers, these fixes don’t extend to users who may be roaming on their networks. By and large, a large chunk of the problem is that these companies don’t want to spend the necessary time and money to engineer a real solution, especially if their intelligence partners are benefiting from it.

In a follow up report over at the Washington Post, the paper notes how the flaw at this point is far from theoretical, and is routinely exploited en masse by numerous intelligence agencies (including the United States):

“Wyden said the risks posed by SS7 surveillance go beyond privacy to affect national security. American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance, experts say, and private-sector vendors have put systems within the reach of dozens of other governments worldwide. Sophisticated criminals and private providers of business intelligence also use the surveillance technology.

Other experts said SS7 surveillance techniques are widely used worldwide, especially in less developed regions where cellular networks are less sophisticated and may not have any protection against tracking and interception. But the experts agreed that Americans are significant targets, especially of rival governments eager to collect intelligence in the United States and other nations where Americans use their cellphones.”

And again, that’s a particular problem for a country whose President thinks basic phone security is too much of a hassle. For a country that’s currently spending an ocean of calories trying to blacklist Chinese network vendors under breathless claims of national security, you’d think a massive problem with global privacy and security implications would get a little more attention.

Techdirt.

As Expected Senate Overwhelmingly Passes Unconstitutional SESTA Bill, Putting Lives In Danger

This was not unexpected, but earlier today the Senate easily passed SESTA/FOSTA (the same version the House passed a few weeks ago) by a 97 to 2 vote — with only Senators Ron Wyden and Rand Paul voting against it. We’ve explained in great detail why the bill is bad. We’ve explained in great detail why the bill won’t stop sex trafficking and will actually put sex workers’ lives in more danger, while also stomping on free speech and the open internet at the same time (which some see as a feature rather than a bug). The Senate declined to put any fixes in place.

Senator Wyden, who had originally offered up an amendment that would have fixed at least one big problem with the bill (clarifying that doing any moderation doesn’t subject you to liability for other types of content) pulled the amendment right before the vote, noting that there had been a significant, if dishonest, lobbying effort to kill those amendments, meaning it had no chance. He did note that because of the many problems of the bill, he fully expects that these issues will be revisited shortly.

As for the many problems of the bill… well, they are legion, starting with the fact that multiple parts of the bill appear to be unconstitutional. That’s most obvious in the “ex post facto” clause that applies the new criminal laws to activities in the past, which is just blatantly unconstitutional. There are some other serious questions about other parts of the bill, including concerns about it violating the First Amendment as well. It seems likely that the law will be challenged in court soon enough.

In the meantime, though, the damage here is real. The clearest delineation of the outright harm this bill will cause can be seen in a Twitter thread from a lawyer who represents victims of sex trafficking, who tweeted last night just how much damage this will do. It’s a long Twitter thread, but well worth reading. Among other things, she notes that sites like Backpage were actually really useful for finding victims of sex trafficking and in helping them get out of dangerous situations. She talks about how her own clients would disappear, and the only way she could get back in touch with them to help them was often through these platforms. And all that will be gone, meaning that more people will be in danger and it will be that much harder for advocates and law enforcement to help them. She similarly notes that many of the groups supporting SESTA “haven’t gotten their hands dirty in the field” and don’t really understand what’s happening.

That’s true on the internet side as well. Mike Godwin highlights the history before CDA 230 was law and the kinds of problems that come about when you make platforms liable for the speech of their users.

In Cubby, a federal judge suggested (in a closely reasoned opinion) that the proper First Amendment model was the bookstore – bookstores, under American law, are a constitutionally protected space for hosting other people’s expression. But that case was misinterpreted by a later decision (Stratton Oakmont, Inc. v. Prodigy Services Co., 1995), so lawyers and policy advocates pushed to include platform protections in the Telecommunications Act of 1996 that amounted to a statutory equivalent of the Cubby precedent. Those protections, in Section 230, allowed platform providers to engage in certain kinds of editorial intervention and selection without becoming transformed by their actions into “publishers” of users’ content (and thus legally liable for what users say).

In short, we at EFF wanted platform providers to be free to create humane digital spaces without necessarily acquiring legal liability for everything their users said and did, and with no legal compulsion to invade users’ privacy. We argued from the very beginning, about the need for service providers to be just, to support human rights even when they didn’t have to and to provide space and platforms for open creativity. The rules we worked to put into place later gave full bloom to the World Wide Web, to new communities on platforms like Facebook and Twitter and to collaborative collective enterprises like Wikipedia and open-source software.

Meanwhile the Senators who passed the bill will completely forget about all of this by next week, other than to pat themselves on the back and include 3 seconds in their next campaign ad about how they “took on big tech to stop sex trafficking.” And, of course, people in Hollywood are laughing at how they pulled a fast one on the internet, and are already strategizing their next attacks on both CDA 230 and DMCA 512 (expect it soon).

None of those celebrating realize how much damage they’ve actually caused. They think they’ve “won” when they really did astounding levels of damage to both victims of sex trafficking and free speech in the same effort.

Techdirt.