Europe votes to end data privacy

Europe votes to end data privacy

Law will allow police to spy on phone and net traffic

Stuart Millar
Friday May 31, 2002
The Guardian,7369,725204,00.html

European law enforcement agencies were given sweeping powers yesterday to monitor telephone, internet and email traffic in a move denounced by critics as the biggest threat to data privacy in a generation.
Despite opposition from civil liberties groups worldwide, the European parliament bowed to pressure from individual governments, led by Britain, and approved legislation to give police the power to access the communications records of every phone and internet user.

The measure, which will be approved by the 15 EU member states, will allow governments to force phone and internet companies to retain detailed logs of their customers’ communications for an unspecified period. Currently, records are kept only for a couple of months for billing purposes before being destroyed.

Although police will still require a warrant to intercept the content of electronic communications, the new legislation means they will be able to build up a complete picture of an individual’s personal communications, including who they have emailed or phoned and when, and which internet sites they have visited.

From mobile phone records, police will also be able to map people’s movements because the phones communicate with the nearest base station every few seconds. In urban areas, the information is accurate to within a few hundred metres, but when the next generation of mobiles comes on stream it will pinpoint users’ locations to within a few metres.

Tony Bunyan, editor of Statewatch, said: “This is the latest casualty in the war against terrorism as far as civil liberties are concerned. The problem with wanting to monitor a few people is that you end up having to keep data on everybody.”

The British government, which played a key role in driving through the new measures, has already introduced such powers as part of the anti-terror bill rushed through in the immediate aftermath of September 11, although the data retention measures have yet to be implemented.

UK civil liberties groups had hoped that if MEPs rejected data retention, it would open up the possibility of a legal challenge to the British legislation on the grounds that it was incompatible with European data protection law. After yesterday’s vote they now expect the government to press ahead with implementing the act.

The measure is contained in an amendment to a bill originally intended to improve the security of e-commerce transactions. “Looking at the results, it amounts to a large restriction on privacy and increases the power of the state,” said Italian independent MEP Marco Cappato, the bill’s author who tried to prevent the amended clause being added.

Last night, the Home Office welcomed the result. “The UK is very pleased that the [European”> council and parliament have reached agreement on a text that will ensure that the fight against terrorism and other crime will be given the appropriate weight. It is, of course, very important to protect people’s fundamental rights and freedoms, but, as the tragic events of September 11 show, this must be balanced with the need to ensure that the law enforcement community can do its job.”

But critics said the move amounted to blanket general surveillance of the whole population. The communications industry has also opposed data retention, questioning the feasibility and cost of storing such vast amounts of information.

John Wadham, director of Liberty, said: “This violates a fundamental principle of privacy, which is that data collected for one purpose should not be used for another.

“The police and other authorities will be able to trawl through all the details of the communications of millions of innocent people merely because there is a possibility that they might come across something suspicious.”


The right to information

Information Resilience and Homeland Security
Freedom of information may be a double-edged sword, but restricting information has only one edge – and it cuts off the lifeblood of a healthy democracy.
By Richard Forno May 09, 2002

In the current security-conscious environment, many people seem willing to sacrifice their most fundamental democratic rights to support anything that is promoted as good for homeland security. In many cases, an unwillingness to do so is perceived as being ‘unpatriotic’. However, as has been pointed out in this column many times since September 11, we must make sure that we are not throwing out the baby with the bathwater. More to the point, while fulfilling reasonable patriotic duty, we must be sure that we continue to hold our government and corporations accountable for their actions, despite the fact that current challenges may appear to demand unflappable unity in the face of external attack.

Post September 11, there has been a strong push by government security and law enforcement agencies to restrict or withhold any sort of information that could possibly used to engage in or further terrorist activities. Of course, in a society whose primary political and legal principle is supposed to be freedom of speech, this can quickly become problematic.

Particularly problematic is the fact that much of the contentious information is available on the Web sites of some of the large corporations that operate America’s critical infrastructures. Why is this a concern? Because the government is currently proposing laws that will give such companies exemption from Freedom of Information Act (FOIA) requests for certain information. In other words, the government is proposing protecting certain corporate information from prying eyes, including yours and mine.

The public has a right to know information that may directly affect their lives.
Sound far-fetched? Remember the weeks after 9/11 when news reports surfaced that the US government was asking libraries to destroy CDs and databases that contained information about various critical infrastructures in America. How about when the Bush Administration asked federal agencies to review and remove potentially damaging information from their Web sites? Or when the government asked watchdog groups like the Federation of American Scientists to remove sensitive information from their sites.

For example, chemical plants and nuclear power facilities removed ‘sensitive’ reports and documentation about public health, environmental safety, and facility security from their websites, allegedly to preclude a terrorist from obtaining information for malicious purposes. Absent many such reports, how will the public, watchdog groups, or regulatory or enforcement agencies be able to monitor for potential problems that affect the public? The fear here is that, under the guise of ‘national security’ the government is actually allowing corporations to avoid scrutiny by and accountability to the taxpaying public that is, in effect, paying for the critical infrastructures. Come to think of it, perhaps Enron was getting a head start by shredding documents in the name of homeland security to avoid anyone discovering how it really operated large parts of America’s critical energy infrastructures?

The attempt to provide national security by obscuring corporate information has resonance in the information security world. It brings to mind the full disclosure debate, which pits the security community’s need to know about problems as quickly as possible against corporations’ interests in maintaining positive public perception and market share. Without the real-time information-sharing ventures that full disclosure enables, system administrators are placed in a ‘holding pattern’, and are kept in the dark until (umm, errr, if…) a vendor decides to acknowledge and address a reported problem.

Both the attempt to circumvent the FOIA and to muzzle full disclosure sound very effective at thwarting evil, but in reality neither effectively enhances public security. The community in general – be it computer users or society at large – must be able to obtain raw information about issues that potentially affect their well-being, whether that means chemical spills or the latest Windows exploits. The general public cannot be solely dependent on any one entity for information. Going down that path creates an environment of security through ignorance.

Despite the sensational management hype calling for this approach, it rarely works in reality. People quickly forget that anything that a person can use (from a knife to airplanes to automobiles and knowledge) can be used to endanger others, provided malicious intent is present. However, dealing with the tiny number of people capable of such malice should not mean forcing the remaining majority into a society in which information of public interest is withheld out of fear. Law abiding citizens in a healthy democracy should not be destined to live in ignorance that is encouraged by corporations and enforced by governments.

In the United States, and elsewhere in the world, the public has a right to know information that may directly affect their lives. If a GAO report says airport security is bad, travelers should know about it. If a safety report says that it’s too easy for someone to break into a chemical plant and cause an accident, the local residents should know about it. If a dangerous vulnerability is discovered in a widely utilized operating system, systems administrators should know about it. The list goes on. The right to self-protection is fundamental to the right to self-determination. By allowing corporations to withhold crucial infrastructure information, the government may be complicitous in depriving its citizenry of its most fundamental right. Indeed, as Paul McMasters wrote in a Freedom Forum article, denial of access shushes the democratic dialogue that is part of what makes America so attractive to its citizens and those wishing to come here.

Terrorism, by its very definition, is unconventional. Contrary to popular belief, there’s no way to guard against every single form of attack. Nor is it possible, or desirable, to withhold from public view all knowledge that could be used for malfeasance. Information – like knowledge – is a double-edged sword. The vast majority of those interested in information regarding America’s critical infrastructures are not terrorists. They should not be branded as potential terrorists or evildoers by government actions that restrict their ability to access such materials. It may be trite to say it at this point in time, nearly eight months after the September attacks, but it is true nevertheless: if we use the events of September 11 to deny the basics rights and freedoms of a healthy democracy, the terrorists will have won.

Funny olde world – Vegas/Hacker/Porn/US Infrastructure security…

Commission Hearing Probes Vegas Vice Hacks
Nevada officials have begun public hearings on claims that a shady conspiracy of super hackers rules Las Vegas’ telecom infrastructure.
By Kevin Poulsen, Mar 18 2002 1:48AM

The only hint that Larry Duke Reubel is 63-years-old is his slow step as he ambles to the witness chair and takes a seat behind the microphone. Once seated he looks fifteen years younger. He’s dapper in a sports coat and a black shirt buttoned to the top, the overhead florescent lights glint off his gold watch, which matches his earring and peroxide hair. In the hearing room in this anonymous Las Vegas office building there’s a trace of weariness etched into Reubel’s sunburned face, as he recounts his story of a high-flying life in the adult entertainment industry — driven slowly and inexorably into the ground by hackers.

Watching from across the room is Eddie Munoz, 43, the plaintiff in the case, who summoned Reubel from Ogden, Utah to testify here. Piled against the wall nearest Munoz is a mountain of plastic document bins stuffed with hundreds of filings, news articles, trouble tickets, police reports, and four thousand pages of call logs from Munoz’s business. It’s a monument to his tenacity; it’s taken Munoz ten years to get this hearing in front of the Public Utilities Commission of Nevada (PUC) — the regulatory body that oversees the state’s electric, gas, water and telecommunications companies.

The PUC is where utilities come to request rate increases or ask for permission to offer a new service. But in this unprecedented hearing that began last week, and continues through Tuesday, the commission is taking a hard look at a bizarre complaint that’s bubbled up from this town’s nocturnal fringe economy again and again for the past ten years, from outcall service operators, bail bondsman and private eyes: that Vegas’ telecommunications infrastructure is secretly controlled by super hackers working for a few powerful players in the vice biz; mobbed-up cyberpunk puppet masters pulling strings right under the nose of the local phone company
If staffers are skeptical of Munoz’s complaint, they’re equally incredulous over Sprint’s assertion that the phone company takes computer security seriously.
That phone company, Sprint of Nevada, is effectively on trial here, accused by Munoz and his allies of turning a blind eye to the abuse. Commissioner Adriana Escobar Chanos, one of three PUC commissioners appointed by Nevada’s governor, is judge and jury in these proceedings; eventually, likely months from now, she’ll make a recommendation to the full commission based on what she sees, hears and reads. She’s guided by the PUC staff, which has its own lawyer and investigator in the room, and by three advisors on her panel. If Munoz prevails, the commission could impose monetary fines and sanctions on Sprint.

Reubel is one of the alleged victims, and his story typifies the complaints. Until he gave up four years ago, Reubel published Show World West, an advertisement magazine distributed by hand to thousands of passing tourists up and down Las Vegas Boulevard each day. Like the other papers, glossy cards and printed magazines competing for eyeballs on the Strip, Reubel’s publication was all about sex, spotlighting a bevy of in-room “entertainers” — blonds, brunettes, redheads — each of them only a phone call and a few hundred dollars away from visiting the hotel room of some randy tourist looking for a private dance. Reubel got a piece of every call, and for years business was brisk.

“Then, all of a sudden, the phones stopped ringing,” says Reubel, gravel in his voice. “There’s no reason for the phones to stop ringing.”

The Long Nothing
The quiet phones are a common thread described by all the alleged victims. Sometimes calls appear to be tapped by competitors, other times they’re diverted outright. More often, they’re simply blocked, and the caller receives dead air or a circuit-busy signal. A 1996 report by a private investigator describes a test call he placed from the Monte Carlo hotel to the “Perfect Bodies” outcall service — an alleged victim of the scheme. “The phone rang 4 times, there was a pause of short duration then a sound similar to rushing air, then a tone and a long nothing.” In 1998, word of the supposed scheme reached mobsters affiliated with the Gambino crime family, according to an FBI affidavit, and six of them were snared by an undercover investigation as they tried to muscle in on the phone racket.

Throughout it all, Sprint of Nevada, the incumbent local exchange carrier, has denied any culpability. Now, sitting catty-corner from Reubel in the hearing room, dressed in business suits, are three representatives of Sprint, which fought tooth and nail to prevent the hearing from taking place: Scott Collins from the regulatory affairs department, Ann Pongracz, Sprint’s general counsel, and outside counsel Patrick Riley, who handles Reubel’s cross examination with the aplomb of an experienced corporate litigator.

“Going over your testimony, you seem to blame Sprint for the loss of your business,” Riley says, with mock bewilderment. “Is that correct?”

“They’re providing a service to me, and they’re not providing the security they should,” Reubel replies. “So, yes.”

Riley counters by carefully outlining all the steps the phone company took to investigate Reubel’s complaint when he first raised it in 1995: Sprint made test calls to Reubel’s numbers, and they all went through. They ran a script at their switching control center that periodically checked his lines for covert call-forwarding, never finding any. They examined his lines for physical taps, and there were none. “Doesn’t it look like Sprint went to an awful lot of trouble to investigate your complaint?,” Riley asks reasonably.

Reubel smiles without humor, leans into the microphone and speaks slowly. “I was making a quarter million dollars a year. I’m making ten dollars an hour now. Whatever they did, it wasn’t enough.”

And so it goes, with a procession of Munoz’s witnesses sharing their own tales of ruin. Former “Perfect Bodies” operator Hilda Brauer, gray-haired and matronly, peers over her glasses and testifies that the entertainers she dispatched to Vegas hotel rooms often found women from a particular competing service already there — as though the competitor was listening in. One of the women even “trick-rolled” a client — stole from him — leaving Brauer holding the bag. Former bail bondman Peter Vilencia says he effectively caught the call burglars in the act, but was still powerless to stop them “I personally called my own phone number and got connected to other bail bonds companies,” says Vilencia. “I feel this hearing is justified, and something needs to be done to correct the problem.”

Finally, Munoz begins his testimony. Like Reubel, Munoz is a publisher. He owns nearly half of the five hundred licensed news racks on the Strip, which he crams with stacks of the Las Vegas Informer — twelve gritty newsprint pages advertising in-room entertainers. Ten years ago, the ads would result in fifteen or twenty outcalls a night; now, it’s more like one or two, and Munoz is having trouble paying his bills. His phone problems are similar to the others’ — callers from outside Vegas, or from payphones and cell phones, get through, he says, but hotel callers frequently get false busy signals, or reach silence, driving them into the arms of competing services. He filed his first complaint with the PUC in 1994. It took two more complaints and an abortive federal writ before the commission staff launched an investigation, which led them a year ago to recommend this full hearing.

Munoz testifies that he’s stayed in business this long by selling ad space to competitors, and by employing his own crude countermeasures against his invisible adversaries. “What I’ve learned to do in order to survive this phone problem is continuously change the numbers, continuously change locations, because after a while they don’t ring any more,” he says.

Munoz isn’t his own best advocate. Commissioner Escobar Chanos frequently has to admonish him for his long rambling answers under cross examination. He often alludes to his personal theory on the nature and methodology of his enemies, which, like a piece of gum stuck to the bottom of a shoe, seems to pick up bits and pieces of everything he walks through. These days it ties together the New Jersey mafia, corrupt phone company employees, a telco billing company in Los Angeles, several hackers, and a 1999 takeover robbery at a southwest Vegas Sprint office, in which masked gunmen made off with 233 telephone line cards.

The only documented tests that have been conducted weigh against Munoz’s complaint. When AT&T called his lines from Vegas hotels in 1997, the calls went through without incident. In August of 2001, a PUC staffer made several test calls from a Vegas hotel with the same results. And in November of 2000, at the direction of the PUC, Sprint ran three days of test calls from five different Las Vegas hotels. Of 205 calls, all but 23 went through, and none were diverted to competitors. Further investigation of the 23 incomplete calls turned up innocent explanations.

The Phone Cop
Munoz believes that test was compromised, and the hackers cleverly arranged for him to receive the test calls, while still blocking the other hotels. In fact, a switch report he subpoenaed from Sprint includes some mysterious entries during the test period — a dozen calls were placed from hotels not involved in the test, and most of them had a duration of “0 seconds.” But it’s hard not to wonder how a phenomenon capable of crippling Munoz’s business could be so difficult to reproduce.

It’s against that backdrop that the PUC staff — the only players in the room without their own chips in the game — have adopted the position that Munoz hasn’t proven his case, and that no fines or other sanctions should be imposed on Sprint.

But if staffers are skeptical of Munoz’s complaint, they’re equally incredulous over Sprint’s assertion that the phone company takes computer security seriously. PUC staff attorney Louise Uttinger summoned a witness of her own to the hearing — former Vegas phone cop Larry Hill, who, up until his retirement in 2000, was in charge of investigations involving “Sprint’s various internal systems” in Las Vegas, according to a company affidavit.

The gaunt and grizzled Hill is a former NYPD captain, and he testifies like a pro, giving short quick answers and volunteering little. “I remember investigating many cases of this nature,” Hill says. “We would generally check to see that all the programming on the complainant’s line was in order… We determined in every case that there was no unauthorized call-forwarding.”

Under cross examination by Uttinger and Munoz’s attorney Peter Alpert, Hill testifies that when he retired from the company all of his files on those cases disappeared. He also says that nobody was hired to replace him when he left. Perhaps there was no need: in his twelve years with Sprint, Hill never once saw a hacker in the company’s network. “To my knowledge there’s no way that a computer hacker could get into our systems,” says Hill.

If Sprint of Nevada is hack-proof, the achievement would make it a rarity among regional phone companies. But a report written by a technical consultant hired by the PUC staff concluded otherwise. “[W”>hile I have encountered several capable Sprint employees, each an excellent specialist, some have clearly never considered the presence of a sophisticated hacker, the kind routinely found on the Internet nowadays,” wrote Ron Bardarson, a former system administrator at a Reno ISP. “Additionally, I have not yet encountered anyone thinking about ‘breaking into your own system,’ which is the best way to improve a system’s security. If such a person exists, I cannot help wondering why she/he is not a witness in this docket.”

Bardarson says he discovered what appears to be computer security weakness in Sprint’s infrastructure. He’s not the only one. As SecurityFocus Online reported last year, former hacker Kevin Mitnick claims extensive penetrations into Sprint’s Las Vegas systems from approximately 1992 until his February, 1995 arrest — smack dab in the middle of the call diversion complaints. Mitnick’s access gave him the power to monitor or reprogram any phone line in town. Following that story, Munoz retained Mitnick as a technical consultant in his case, only to give him up later. Munoz says Mitnick wanted to run too many pointless tests; Mitnick says Munoz stiffed him and a partner for thousands of dollars in fees and expenses.

Citing Bardarson’s findings and Mitnick’s statements, the PUC staff is recommending that the commission open a new investigatory docket to explore Sprint’s security issues, and to force the company to undergo security audits, and report back to the PUC annually on the results. If the commission follows that recommendation it will set a remarkable precedent — regardless of its action on Munoz’s complaint.

At a time when official Washington is emphasizing the link between the United States’ “critical infrastructures” and national security, it may be a state regulatory body more accustomed to tariffs than cyber terrorists that first takes on oversight of an infrastructure provider’s network security. And all because a ragtag lineup of lost and struggling peddlers of vice wouldn’t fade quietly into the neon glow of the Las Vegas night.

Kevin Poulsen is editorial director at SecurityFocus.