A Panel of speakers will tackle many information technology security and privacy issues culled from today's headlines.

We are hoping for a lot of interaction with the audience. You may have your own issues that you wish to have highlighted or perhaps you may want to join the panel. That would give you the opportunity to give a short introduction to the topic as opposed to introducing it cold as a question from the audience.

If so contact: Mike Walsh at mp_walsh@acm.org .
You can also call him at (818) 785-5056, but email contacts are preferred.
prepared by Paul Schmidt
 

The panel was composed of Mike Walsh, Rodney Hoffman, John Cosgrove and Lee Schmidt who made their presentations in that order. These were talks on social aspects of computers and society on subjects of choice chosen by each speaker.

Mike Walsh led off with "Big Brother Is Listening and I Think He Should Be."

ACM Tech news of April 17, 2006 had an article from the Atlantic Monthly by James Bamford that he quoted from:

Technological advancements have widened the scope of National Security Agency (NSA) surveillance, while the legal barriers to such eavesdropping have been lowered with a White House mandate that permits NSA to place Americans on watch lists and monitor their communications without first obtaining permission from the Foreign Intelligence Service (FISA) court. Previously a court order was required, and could only be secured if the NSA showed that it had probable cause to eavesdrop on people suspected of involvement with terrorist organizations. Now people can be placed on watch lists by NSA shift supervisors who have a "reasonable belief" of involvement and the number of Americans targeted by the NSA has consequently ballooned from perhaps 12 annually to 5,000 over the last 4 years, according to sources. If innocent people are marked because they fulfill these highly subjective criteria, they may be denied visas, federal jobs, or other services and privileges without ever knowing why. The NSA's surveillance methodology is signals intelligence, in which electronic communications containing vast quantities of emails and phone calls are intercepted and run through computers that flag specific words, phrases, names, phone numbers, and Internet addresses, and forward these communications to analysts. Also clearing the way for greater NSA surveillance is the FCC's extension of the 1994 Communications Assistance for Law Enforcement Act (CALEA) to cover "any type of broadband Internet access service" and new Internet phone services, while the two congressional committees tasked with protecting the public from privacy abuses have abnegated their responsibilities. The NSA likes to hire people away from providers of critical telecommunications system components, offering them the opportunity to work with state-of-the-art equipment and contribute to national security. Furthermore, a great deal of the telecommunications industry secretly cooperates with the NSA in its eavesdropping efforts.

That completes my quote from James Bamford as it was carried in ACM Tech News. As far as I know, he is accurate on the technical information he gives. I do not know who his sources are, or if his information on what NSA is doing is accurate, but it does sound credible. His accusation that two congressional committees are not doing their duty to protect the public from privacy issues is an opinion of Mr. Bamford that has been certainly voiced by Democrats in Congress, but also by a number of Republicans.

From the Sunday Los Angeles Times I note that the Electronic Frontier Foundation has filed a law suit accusing AT&T of unlawful collaboration with NSA in its surveillance program to intercept telephone and e-mail communications in the US involving people allegedly linked to Al Queda and affiliated groups. The US Government has asked Federal Judge Vaughn Walker to throw out the suit because the case could reveal military and state secrets.

There seem to be two sets of concerns, one is the range of signal intelligence that should be carried out at all, and the other is what type of authorization should be required. My opinion is that if a government organization is going to do effective signal intelligence it has to intercept almost the total number of transmissions and analyze them all, to some degree. Most of the analyses would be to determine "signals of interest" and then the other signals will be ignored. I don’t believe that today’s computer technology has the capability to analyze an entire world of signals, although you might keep that in mind as a worry for tomorrow. I note that the big rise in Americans targeted in the last 4 years has occurred after a rather big event on September 11, 2001.

The technology is such that NSA has to monitor all these signals, make fast judgments on which ones contain dangerous information, and then zero on the people who are involved in the communications. It is going to be hard enough to do that without complicating the matter by requiring NSA to determine the citizenship of the communicating parties. If you are concerned about limits on the CIA and NSA investigating Americans as opposed to foreign citizens I presume you can avoid that problem by giving the job to the FBI and reassigning all the technical people to them.

This is a job that I believe is necessary and has to be done. Yes, there should be effective oversight of this highly sensitive area where the technology doesn’t care whether it is being used for defense of liberty or suppression of civil rights. It is a tricky area, because if even if the oversight is quite effective it will in turn; require secrecy so the general public may never be certain.

A more direct threat to the public may come from the private sector where private investigators like Pellicano are using technology to bug citizens for their own gain. Others have perpetrated new schemes or old schemes in new packages. Scams and phishing are rife on the Internet. I have personally received hundreds of emails telling me something bad will happen to my account unless I contact them immediately and give them personal information. So far I haven’t had any of the accounts mentioned, so if any are legitimate I hope another Mike Walsh out there isn't suffering damage. I suspect not. I have also won many lotteries and received many offers of millions of dollars just for the use of my bank account. In a lighter vein, I get offers of degrees for "my life experience." It is almost a bit insulting to be offered degrees that I already hold that required a good deal more effort to get. I suppose they could give me a bogus PhD so I could add Doctor to my name.

I believe where we really need "Big Brother" is to rein in some of the "Little Brothers" out there in the world who are after our money and identification to defraud us. And, yes we should be quite worried about oversight of the government snooping that I believe is really necessary.

The second speaker was Rodney Hoffman of CPSR (Computer Professionals for Social Responsibility). He suggested that people take a look at http://www.cpsr.org. He announced that he would present two topics, privacy and voting technology. He said that the government could lawfully perform surveillance activities on U.S. citizens without a warrant if it was urgent, but was required to get a warrant within 72 hours and they have not been doing it. They should be following that law and they are not. The European Parliament is working on a law requiring that companies keep detailed records on all phone calls made for between six months and two years. Companies must keep detailed records on transactions, but no content retention is required. The law passed by a 400 to 200 vote. There is new interest by the U.S. Government in requiring Internet data retention. Attorney General Gonzales said erasure of data limits ability to prosecute child pornography cases. Congress wants data kept until 1 year after an account is closed. At this time it is not clear what the extent of the bill is but it concerns people who believe there is no privacy left on the web.

Voting technology is another topic of interest. Los Angeles County uses Ink-a-Vote to mark ballots except for people who seek out touch screen electronic voting machines. Electronic machines have had problems getting certified. California has certified Diebold machines, decertified them, and then certified them after some changes. One report on electronic voting noted that when errors were discovered that changes could not be deleted except by a recount of paper ballots. In some cases machines could be altered in a manner that would affect future elections. Insuring that electronic voting machines are secure is still very much a problem.

John Cosgrove was the third speaker. He says he is a "Compusauras" and has been around forever. His current job is litigation support and he is concerned about the ethics and responsibilities of computer people. He gives lectures on software engineering ethics, professionalism and liability. A lot of his business now involves liability and working with lawyers. He has a message for us: Lawyers have discovered you. What should you as computer people regard as your ethical requirements? Avoid criminal activity, especially as it is a lot easier to get prosecuted today. Government sometimes wrongly prosecutes people so you don’t have to deliberately do anything wrong to be charged. They have said up web sites to entrap people into downloading things and then prosecuting them. Avoiding criminal behavior is the obvious thing. Less obvious is hacking for competitive purposes. This is not necessarily criminal, but can have civil liability. This may be done to get business information by accessing a company’s proprietary data. Frequently people do whistle blowing on wrong doing and the wrong doing doesn't necessarily have to be clear. One company was considering saving money by replacing hardware interlocks on a weapons system with a software equivalent which is not a safe way to do things. You as a software engineer find this is a problem and know it isn’t good, but what are your obligations? You might push against management, but you also might get fired. We have moved from criminal problems to the less obvious ones. There are risks caused by dubious behavior of upper management. There was a recent air traffic control failure in Southern California that was the result of two bad management decisions. The problem was caused when software was rehosted from Unix machines to machines with Microsoft Windows software. A counter overflow problem was discovered while the installation was in progress. A last minute fix was done, but was installed in only one system out of a total of 21. A workaround was also developed to reboot the machines periodically so the counter would not overflow. Somehow the required reboot was not done in California airspace and the system was down for some hours. Fortunately the airliners all had collision avoidance equipment so disaster was avoided. Suppose you were directed to put in an upgrade in 1999 that you know will blow up in 2000. What is your responsibility? It isn't critical and may not be dangerous but it is wrong. Should software designers be professionally designated? Mr. Cosgrove believe that this is an important issue. The IEEE Computer Society believes in certifying software engineers and ACM does not. Mr. Cosgrove believes ACM is wrong.

Lee Schmidt, also a Compusauras and said he saw a few others in the room. He says that strange things happen every day when he opens his door. He gets messages from Chinese speakers, ads for Viagra, loans and told about his bank problems. In among the lot are some good and necessary messages. His door is his email on the Internet and the interlopers are spam. People have been claiming that the problem is going to get better but Lee's observation is that it is only getting worse. He especially resents other people using his address to send out spam and he gets mail supposedly from himself. Lee would like to get people to use the Internet ethically. There are protective measures, you can use acm.org to filter your messages for spam which helps, but what can you do when someone claims to be you and isn’t? Also companies will download tracking cookies when you visit a website without telling you and Lee regards this as minor theft. Lee isn't sure new laws or required, just re-definition of old laws such as applying trespassing laws to intrusions on your computer. The recording industry is a big complainer about software piracy and claim losses of billions of dollars, but are these claimed large losses real? Their count estimates that each instance of improper downloading costs them a sale, but this is highly unlikely. A lot of people who get it free would never buy it if it cost them money, and sometimes getting exposure over the web causes people to get interested and actually buy things that are available legally. The recording industry is trying to enforce ways of protecting their product and sometimes uses practices that can damage user's computers. There is also the matter of "unauthorized software." Can a software store legally sell surplus software rather than delivering it with a computer? What is the legitimacy of that kind of a contract? Is it ethical for Microsoft to require that Windows be installed on delivered computers or is it just good business? Lee says he is just asking.

This was followed by a wide ranging question and answer session.

John Cosgrove was asked whether like the medical profession, lawyers and airline pilots; software professionals had a "standard of care." John said he believes we have an implicit standard, but not explicitly and they should have one, but the ACM doesn't believe we should. Software has become so much a part of our daily life and affects our safety that we need to have an explicit standard. There is not one currently. There was a discussion about the need for having a legal standard of care for software professionals. John said that lawyers in a legal case claim that critical systems should have been carefully reviewed and tested and if they are not will claim it is negligence. He said the auto companies had to face the necessity of designing for crash resistance after losing cases in court. There were comments on the desirability of having software professionals propose standards rather than waiting it to happen by default. John said that implied standards get set up after a series of court decisions and in balance something rational usually emerge. This has happened with crash resistance in the auto industry. John said if software professionals don’t do this the same thing will happen and be imposed by lawyers winning cases against software developers. ACM claims we are not ready to set standards, but John believes an attempt should be made to do this. Safety considerations resulting from software problems are starting to emerge as well as problems resulting from poorly developed software that causes difficult problems even if they are not safety issues. If ACM doesn't help to set standards then they will be set by others and it will be a more expensive way to learn a lesson. There are bodies that are attempting to set standards and if ACM doesn't join them then it will be done without them.

Are we independent enough to be professional? Most software professionals work for organizations that don't allow them to make the final decisions. Software professionals will typically agree to things they know are impossible because they will be removed if they speak up and be replaced by someone else.

There was a discussion about the value of being able to post anonymously which is good for civil liberties versus the problem of posting fraudulently. Being anonymous is fine as long as it doesn't involve misrepresenting who you are or claiming the identity of another person. There is also the problem of anonymous email being used to send spam, some of which contain viruses. The viruses are normally not sent from the listed sender. The discussion moved on to rules against blogs containing political items within a period of time before the election, with private parties having limits and the media having an exemption. This is not fair to individuals who wish to post their views and it was remarked that how can blogs be treated this way when they aren't pushed on people as ads, but people have to look for them to read them.

Rodney Hoffman was asked about what should be done about voting machines. In California there has been a fairly open process, but it varies from location to location. The questioner did not believe that having a paper trail was not the complete answer. It was mentioned that any voting machine with a chip in it could have wireless capability in it that might allow alterations from a distance. Problems with computerized voting equipment are not new; they date back to systems using paper tape as an input that were used to tabulate ballots. Also, there were earlier problems with mechanical voting machines. Rodney says it still takes a lot of eyes watching the process to make certain it is done honestly and correctly. All of the systems have flaws, but one of the concerns is that some of the computerized systems either can’t be audited afterwards or are difficult to audit.

John Cosgrove said he believes that Software Engineers should be required to be certified as Professional Engineers. Right now the only state where this is done is Texas. California is proceeding in a different direction as the state opposes requiring certification except where the professional interacts directly with people. Software engineers can get Professional certification in other fields such as Electrical or Mechanical engineering.

Software companies claim although they sold software it still belongs to them, but they aren't really responsible as to whether it works or not. In some cases, when free downloads are provided you have to carefully navigate through screens trying to sell you additional software. Microsoft provides automatic updates, but also checks your system to see if you have any improperly obtained and unregistered software on your computer. Since there are quite a few spam emails offering suspiciously cheap Microsoft software it seems to be a real problem.

John Cosgrove said the U.S. Government used software provided by Microsoft to set up a sting website. People were encouraged to download the software illegally and the site logged in detail their operations. None of the individuals were interested in profiting by reselling the software but they are being prosecuted for criminal behavior. John is helping in the defense of these individuals. He believes it is overkill and the main reason for prosecution is as a warning to others. Why is the government spending resources on these people when there are some really bad operators out there? John remarked that then these people will be on somebody's watch list, which Mike Walsh thinks is OK.

(In a way this is correct, as I see no injustice in keeping a list of people who have performed even somewhat minor criminal acts for future reference. I would call them repeat offenders. I do agree with John that the case he is defending sounds like overkill and hope he can obtain leniency, if not acquittal for them. However, I have less empathy and good feeling for them if they repeat their activities-Mike Walsh).

After the meeting Rodney Hoffman provided some of his sources:

About data retention laws in Europe and the U.S.

http://news.com.com/2102-1028_3-6066608.html

http://news.com.com/2102-7350_3-5995089.html

I was able to reach the appropriate articles on both web pages. It seemed to provide a reasonably objective approach to quite a bit of interesting information.

About voting technology:

http://www.opednews.com/articles/opedne_joan_bru_ 060331_a_bit_of_a_quandary.htm

I was unable to access this article. I was able to access the www.opednews.com web page and found numerous articles on problems of electronic voting machines, particularly Diebold. I note that this is what I call an extreme liberal website so don’t expect to read anything good about President Bush or the Republicans on this page.

(This comment is my personal opinion, not necessarily an objective rating of the site.)

As the writer of this article I have the opportunity of giving a comment on my own presentation that I did not make very clear during my part of the meeting presentation. My point about the government surveillance is that I believe it needs to be done and that to be effective it should be wide ranging and cover as many communications sources as possible. In the electronic communications world this must be done quickly and I don't see how it can be done effectively if a warrant is required before monitoring an American citizen. I also oppose the EFF's attempt to stop the Government from collaborating with communications companies (specifically AT&T) and prevent them from installing hardware and software to increase the effectiveness of the monitoring.

I do believe that effective oversight should be done. President Bush and Attorney General Gonzales have claimed in news reports I have read that the President has the authority to accomplish the monitoring without additional oversight or the necessity of getting even retroactive warrants. This I regard as a dangerous practice. My belief is that the monitoring is a necessity in this dangerous world, but that effective judicial oversight is required and that it requires more than setting up a tame judge who will rubberstamp an after-the-fact approval. Doing oversight effectively without compromising necessary secrecy is a difficult problem, but should be done.

We would be quite interested in getting comments on the reports contained in this article on any of the subjects covered by the panelists. Send them to me at mp_walsh@acm.org and I will gather them up for a future article in DATA-LINK.

This was another of the regularly scheduled meetings of the Los Angeles Chapter of ACM. Our next regular meeting will be held on June 7, 2006. This was eighth meeting of the LA Chapter year and was attended by about 15 persons.
Mike Walsh, LA ACM Secretary