Tuesday, November 21, 2006


News Item 7690 British RFID Passports Easily Hacked.


New passports issued in the UK contain Radio Frequency Identification (RFID) chips, supposedly for purposes of increased security. But a report in the British newspaper The Guardian found the passports surprisingly easy to read and copy. Using a device purchased for £250, a Guardian reporter was able to view and copy information from several of the new passports.

Although the new passports use a strong crypto algorithm to protect their biometric data, the encryption key is easy to steal. As the ICAO's website reveals, the key consists of the passport number, the holder's date of birth, and the expiration date.

Obtain those details -- or even brute force them (the University of Cambridge's Ross Anderson says the RFIDs do not lock themselves after even high numbers of repeated attempts) -- and you can read out enough data to create a cloned passport.

Phil Booth, from the organization NO2ID, took part in the newspaper's investigation. "This is simply not supposed to happen," says Booth. "This could provide a bonanza for counterfeiters because drawing the information from the chip, complete with the digital signature it contains, could result in a passport being passed off as the real article. You could make a perfect clone of the passport."

Since a reader can potentially scan a passport from as much as 30cm away, a passport could be read and cloned without the passport ever leaving the victim's pocket.

Click here for more information on EFF's work to prevent RFID tags in ID cards and elsewhere.

[EFF: Deep Links]
11:59:44 PM
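Why a key built from the passport number, date of birth and expiration date is weak, as an added example that is not part of the EFF article: the sketch follows the Basic Access Control derivation published in ICAO Doc 9303 (SHA-1 over the three fields with their check digits, truncated to 16 bytes) and estimates how much secrecy those fields can supply. The field values are specimen data, and the bounds in the estimate (a 9-digit numeric passport number, a 100-year birth window, a 10-year validity window) are assumptions.

```python
import hashlib
import math

def _value(ch):
    """MRZ character value: digits as-is, A-Z = 10-35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    return ord(ch) - ord("A") + 10

def check_digit(field):
    """MRZ check digit: weighted sum with repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    return sum(_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(doc_number, birth_yymmdd, expiry_yymmdd):
    """Concatenate the three printed fields, each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth_yymmdd, expiry_yymmdd)
    return "".join(f + str(check_digit(f)) for f in fields)

def key_seed(mrz_info):
    """BAC key seed: first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def guess_space_bits(doc_numbers, birth_dates, expiry_dates):
    """log2 of the number of (number, birth date, expiry date) combinations."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

# Specimen field values, not a real passport.
SPECIMEN = mrz_information("L898902C", "690806", "940623")

# Assumed bounds: 10^9 passport numbers, 36525 birth dates, 3652 expiry dates.
NO_KNOWLEDGE = guess_space_bits(10**9, 36525, 3652)
# Same bounds when the holder's date of birth is already known.
BIRTH_DATE_KNOWN = guess_space_bits(10**9, 1, 3652)

if __name__ == "__main__":
    print("MRZ information:", SPECIMEN)
    print("Key seed bytes :", len(key_seed(SPECIMEN)))
    print("Upper bound    : %.1f bits" % NO_KNOWLEDGE)
    print("DOB known      : %.1f bits" % BIRTH_DATE_KNOWN)
```

The seed is 128 bits long, but its secrecy cannot exceed that of the printed fields, and every field that is known or predictable lowers the figure further.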


News Item 7689 California Supreme Court Rules in Favor of Free Speech on the Internet.


San Francisco - In what is a victory for free speech on the Internet, the California Supreme Court ruled today that no provider or user of an interactive computer service may be held liable for putting material on the Internet that was written by someone else. In doing so, the Court overruled an earlier decision by the Court of Appeal.

Today's ruling affirms that blogs, websites, listservs, and ISPs like Yahoo!, as well as individuals like defendant Ilena Rosenthal, are protected under Section 230 of the federal Communications Decency Act (CDA), which explicitly states that "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."

"By reaffirming that Congress intended to grant protection under Section 230 to those who provide a forum for the views of others, the Court has ensured that the Internet will remain a vibrant forum for debate and the free exchange of ideas," said Ann Brick, staff attorney at the ACLU of Northern California. "Any other ruling would have inevitably made speech on the Internet less free."

The issue raised in Barrett v. Rosenthal was whether Section 230's protection applies to individuals who frequently use the Internet to pass on information obtained elsewhere, whether by forwarding an email written by someone else or, as was the case in Barrett, posting an email from someone else to a newsgroup. The ACLU-NC and the Electronic Frontier Foundation (EFF) filed an amicus brief in the California Supreme Court arguing that Section 230 means what it says and applies to "users" of interactive computer services as well as "providers."

"Courts have consistently interpreted Section 230 to provide broad protections for the platforms upon which free speech has flourished online," said EFF Staff Attorney Kurt Opsahl. "By reversing the Court of Appeal, the California Supreme Court has brought California back in line with other jurisdictions and reaffirmed the critical rule that the soapbox is not liable for what the speaker has said."

In January 2004, in Barrett v. Rosenthal, the Court of Appeal for the First District overruled the dismissal of a defamation lawsuit filed against an activist for her re-publication on the Internet of someone else's words. The court refused to extend any protection under Section 230, which was expressly enacted "to promote the continued development of the Internet and other interactive computer services," in a manner "unfettered by Federal or State regulation."

"The Supreme Court's opinion strengthens protection for speech on the Internet," said Mark Goldowitz, director of the California Anti-SLAPP Project and counsel for Rosenthal. "Justice Corrigan's opinion protects against the 'heckler's veto' chilling speech on the Internet."

For the full decision, see EFF's website at:
http://www.eff.org/legal/cases/Barrett_v_Rosenthal/ruling.pdf

Contacts:

Kurt Opsahl
Staff Attorney
Electronic Frontier Foundation
kurt@eff.org

Stella Richardson
Media Relations Director
ACLU of Northern California
srichardson@aclunc.org

[EFF: Breaking News]
11:56:22 PM

News Item 7688 EFF Files Suit for Answers About New International Air Passenger Data Deal.


Department of Homeland Security Dodges Records' Disclosure

Washington DC - The FLAG Project at the Electronic Frontier Foundation (EFF) filed suit against the Department of Homeland Security (DHS) today, demanding information about a new agreement on the handling of air passenger data from flights between the European Union (EU) and the United States.

Two years ago, the U.S. and EU made a controversial deal requiring airlines to give DHS access to detailed passenger information from EU flights to and from the U.S. In May, the European Court of Justice struck down the agreement, finding it at odds with EU law. But the U.S. and EU reached a new agreement last month that will give U.S. law enforcement and intelligence agencies greater access to the data than the previous deal did. EFF filed its suit after DHS failed to respond to a Freedom of Information Act (FOIA) request for records about the handling of data under the new agreement, including how they are maintained, used, disclosed, and secured.

"Travelers may give up a lot of personal information when they make flight reservations," said EFF Staff Attorney Marcia Hofmann. "Those traveling between Europe and the United States deserve to know who gets to see that data, how the information is protected, and whether those practices comply with EU law."

EFF's FLAG Project uses FOIA requests and litigation to expose the government's expanding use of technologies that invade privacy. Previous lawsuits have demanded information about the FBI's huge database of personal information, as well as records on the FBI's electronic surveillance systems.

"When federal agencies don't comply with the FOIA's requirements, they may conceal activities and programs that raise serious legal issues and put Americans' privacy at risk," said Hofmann. "The Department of Homeland Security must abide by the law and give the public information about the new passenger data agreement."

For the FOIA complaint filed against the Department of Homeland Security:
http://www.eff.org/flag/dhs/dhs_complaint.pdf

For more on the FLAG Project:
http://www.eff.org/flag

Contact:

Marcia Hofmann
Staff Attorney
Electronic Frontier Foundation
marcia@eff.org

[EFF: Breaking News]
11:54:17 PM

News Item 7687 FCC delivers a swift kick in the Mass(port).


Rules for Wi-Fi freedom

Comment In a decision with significant ramifications for the travelling public, the FCC has ruled that the Massachusetts Port Authority (Massport) cannot block a Wi-Fi access point in the Continental Airlines lounge at Boston's Logan International Airport.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:50:33 PM

News Item 7686 Shock, horror, outrage - biometric passport data snooped, again.


Insecurity as a design feature...

The biometric passport has been 'cracked' again - but it's the same crack as the old crack (which is not exactly a crack). This time it's the new UK passport, and Liberal Home Affairs spokesman Nick Clegg is calling for the urgent recall of all the 3 million that have already been issued.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:48:15 PM

News Item 7685 Bushies push NSA wiretap extravaganza.


Freedom's just another word for nothing left to hide

Comment True freedom is protecting Americans by letting the NSA monitor their email and phone calls by the millions without a warrant, US Attorney General Alberto Gonzales explained to Air Force Academy cadets in a speech last week.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:45:33 PM

News Item 7684 Microsoft makes claim on Linux code.


And sets alarm bells ringing in open source community

Microsoft CEO Steve Ballmer has said that every user of the open source Linux system could owe his company money for using its intellectual property. The statement will confirm the worst fears of the open source community.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:29:56 PM

News Item 7683 Craigslist ruling: Why the EFF is right to be pissed.


Keep our websites free!

Silicon Justice Is this the dawning of the age of the defamation take-down notice?

[...]

The case involved claims by an Illinois civil rights group that Craigslist violated the Fair Housing Act by publishing housing postings expressing discriminatory preferences based on race, religion, ethnicity, etc. Craigslist argued that Section 230 of the Communications Decency Act granted them immunity from the suit, and moved to have the case dismissed. The district court - the lowest spot in the totem pole of US federal courts - granted Craigslist's motion, but did so while adopting a new, limited interpretation of Section 230's scope.

Until recently, all courts that have dealt with issues involving the liability of "interactive computer services" for information posted by others have followed an earlier case. That previous case read Section 230 as granting a broad federal immunity from liability for information posted on sites by users.

That began to change when the 7th Circuit - the middle spot on the federal court totem pole, and the appellate circuit responsible for Illinois - opined in a non-binding portion of an opinion (what we lawyers pompously call dicta) that Section 230 does not create a broad grant of immunity at all. Instead, the court argued, it only exempted sites from liability for claims that required a publication element. Thus, the sites would remain immune from suits over defamation, discriminatory housing postings or other similar claims, but would remain liable for everything else.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:28:25 PM

News Item 7682 Websites not liable for third party posts - court.


Lawyers stunned by common sense ruling

The California Supreme Court issued a unanimous ruling on Monday stating that websites can't be sued over third-party content, the Associated Press reports.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
11:24:16 PM