Explainer: Rule 41 and its dangers

The EFF brings news of an innocuous-sounding — yet Orwellian — Rule 41. The proposal has two main segments; from the article:

The first part of this change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one's location.

The second part...would grant authorization to a judge to issue a search warrant for...infiltrating computers that may be part of a botnet. This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation.

This means that any judge in the US — perhaps one with a history of granting warrants without much consideration of evidence — can issue a search warrant for any computer in the world, regardless of jurisdiction. Combine that with the language of the second segment, and this is effectively a rubber stamp to intrude on every connected device on the planet with a single warrant.

Congress has until December 1 of this year to block these changes to Rule 41. See EFF’s write-up for an in-depth look at the legal ramifications.

Hardware security and healthcare

Today, readwrite brings some attention to the dangers of data without security in a growing market. According to the article, we’ve passed the inflection point in security incidents where malicious attacks now outnumber the classic PEBCAK, with healthcare as the most-targeted industry. From the article:

[C]oncerns are increasing that current data management and security among both private and public organizations are woefully ill-prepared to defend private data from hackers increasingly targeting sensitive personal health information.

A good warning to be thoughtful about with whom you share your data. 

When IoT subscription service turns shady

The Internet of Things! It allows us to connect nearly every device in our lives in a meaningful and useful way, glean new insights from sensors, and utilize hardware as never before. What could possibly go wrong?

Today, Kit Walsh from the EFF provides that answer with a review of a disappointing update from Nest/Google. From the article:

"...[B]ricking the Hub sets a terrible precedent for a company with ambitions to sell self-driving cars, medical devices, and other high-end gadgets that may be essential to a person’s livelihood or physical safety."

This news is frustrating on many levels, but I will stay in my wheelhouse of hardware, data, and privacy.

  • Hardware: once you purchase a device, it's yours and you own it. End of story. With this decision, Nest/Google effectively went into the homes of every lifetime member and poured water on their laptop. Sure, you could reclaim some parts, but your home isn't a chop shop and customers aren't scavengers.
  • Data: certainly the people who purchased a Hub are interested in their data, but after the shutdown date, the data will be deleted.
  • Privacy: getting back to the laptop analogy -- borrowing from Newton, every possession in your home remains in a state unless acted on by an outside force. Most customers probably wouldn't be happy about Nest/Google entering their homes.

So what recourse do consumers have in the emerging field of IoT? In general, you can count on me to be against compelling an entity to "do the right thing" through regulation or similar means. But how can we react against behemoths like Alphabet et al. when they make decisions against the interests of their **paying** customer base? Again from the article:

"But there's another way to push back against untrustworthy devices, and that's refusing to buy electronics and software that prioritize the manufacturer's wishes above your own."

In the Internet of Things, who really owns hardware after it is purchased? Without a doubt, the customer. However, stripping people of their right to use their property as they choose and denying access to their data shows that people in this case don't actually own said hardware and data -- they've subscribed to it! While subscription works fantastically well in some cases (Netflix, Spotify, etc.), it's counter-intuitive and wrong for this use case in IoT. Something to keep in mind the next time you're building out your smart home.