A version of this post was orignally published on AVNation.tv
Once again, the Federal Communications Commission is changing the way that Internet traffic will be handled within the United States. FCC Chairman Ajit Pai at the Newseum in Washington, D.C. on April 26, 2017, gave a speech entitled, “The Future of Internet Freedom.” During this speech (transcripts) Chairman Paj put forth the idea that Internet Broadband communication should not be covered under Title II. This statement means that the broadband or Internet Service Providers can treat different data, differently.
Currently, under Title II many of the services we use as part of the AV Industry are covered and protected as it prevents service providers from throttling the speed of connections for most traffic. Virtual Private Networks (VPN) and other services are not part of this protection. What this means is that your local Internet provider must deliver all the network traffic with limited traffic shaping or control, it is called the common carrier principle, and it is what applies to the phone system. That principle is what allows one to dial from an AT&T connection to a Sprint connection. Through the suggested repeal of Title II for Internet traffic, that is no longer the case. The service provider can change the rates of data and which data gets through based on almost any criteria they chose. Now comes the question that everyone is thinking, “Sure Bradford, you and Josh talk quite often about Net Neutrality and Privacy quite a bit. How does this impact me? Why do I care?”
am glad you asked. Allow me to provide a simple real world example. Comcast offers packages of bundling certain applications and services with their high-speed Internet connectivity. For example, if you look at the Comcast Business Internet pages you will see packages for some services that they offer. I am going to use the backup services in this model as it is something I have done already for myself. On the product page, they talk about “Cloud Based Solutions℠ – Online Backup and Storage.” The services that they offer packages with for Online Backup are Carbonite and Mozy; I can not find Comcast’s storage solutions. There is a difference between backup and storage. Backup indicates that the data on a device will be regularly copied to a separate location. If the original is deleted, it will also be removed from the archive or backup after a period of time. Online storage means the storing of data whether deleted from the original or not. A user may remove it manually, but it will not be purged automatically if the original is removed.
For that reason, as well as others such as data durability, I decided not to use either of these services; I use JungleDisk. I have a single account and application that supports both data backup and data storage. I place files that I need easy access to on the JungleDisk Storage; I configured JungleDisk Backup software to backup my computer once a day.
Here is where Net Neutrality comes into play. Under the Title II ruling that Internet connectivity is a utility, most Internet traffic is processed equally. However with the repeal of the Title II that would change. It would mean that Comcast would have the ability to throttle or slow my communication with JungleDisk, reducing my success with the service. At the same time, they could prioritize traffic to their partners at Mozy and Carbonite. I am not indicating that they have or that they would, I am saying that they can. It would basically force me to use one of Comcast’s partners’ service instead of the one that I chose if I want an efficient process.
Without the protection of Title II, it would fall to me to prove that my traffic is impacted. One would also have to document that it violates the agreed upon terms of service from the Internet provider. After those two hurdles, it would be up to the Federal Trade Commission to investigate if the issue is an unfair trade practice.
All of these items are retroactive, except for Title II engagement. Under Title II it is proactively indicated that the favoring of traffic has a much more stringent set of guidelines and is designed to prevent the problem from happening in the first place.
During my “day job”, I work on many projects that are subject to Nondisclosure Agreements (NDA). These projects range from new product development to new projects that have not been announced to details of clients and project contents. There are various levels of diligence called out in each agreement. I am not giving any legal advice on enforcement and application of NDA’s I am sharing some of the principles and practices that are common and I have found helpful. If in doubt, check with your legal advisor or company counsel.
“The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.”
Bradford Benn with a hat tip to Chuck Palahniuk
The level of “paranoia” for lack of a better word you want to follow is up to you. I follow the most stringent NDA policies for all of my NDA projects. The reason is that remembering the nuances of each one is difficult. Some people find it humorous my personal level of privacy and security awareness, however these practices apply and help me be aware of things not typically considered. Some of the things I worry about may not be practical for your scenarios but it is still good to think about for things beyond projects. Confidentiality of things such as payroll, checking account balances, insurance information… etc. are still a part of daily life. The most effective practice I use is both simple and often overlooked. Chuck Palahniuk said it most succinctly, “The first rule of Fight Club is do not talk about Fight Club.” Seems rather simple, but it is often forgotten. The version that applies in this situation, “The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.” I work within a large company [Harman] there are multiple teams and departments, about 28,000 employees total. Not everyone needs to know everything, engineering does not need to know that I am working with Bob’s Country Bunker on their expansion. If an engineer comes to me as they go to the Bunker every weekend and asks about the expansion, my answer is simple. “Sorry, I don’t know anything about it.” Yes, a lie or a fib. It also means that you are not as likely to be asked as many questions by friends looking for information. It also means not talking about the project in public, especially at industry conventions. However what I get out of this approach is I do not have to worry about someone else leaking the information.
People think it is odd that I have specific USB flashdrives or thumbdrives for different purposes and projects. Using a thumbdrive to share data can easily lots of data being shared unexpectedly. I hand person A a thumbdrive with person B’s data on it (that is covered by a non-disclosure agreement). Person A would then know about the project and if unscrupulous could have person B’s data. People don’t always think about it, but by sharing a USB drive one is basically sharing part of their computer’s hard drive. There are of course the other reasons such as not wanting to get a virus. My solution is that I format the thumbdrive when appropriate. Typically it is after a customer visit or a system commissioning. I will also backup and then erase the contents of the drive often during the process. None of us have ever lost a thumbdrive with key information on it.
This same approach holds for network storage and sharing solutions. Most people will think about Dropbox, SpiderOak, Google Drive, Box … etc. but these are not the only sharing services to be aware of. A standard computer attached to a network has the same issues at times. A company typically has a network server for storing and sharing project data, very often in addition to that the sharing feature on a laptop will be enabled as well. The shared drive or directory on a computer is most likely the largest liability of these items. If you want to know why, use the network in a hotel, coffeehouse, or even in an airplane. Depending on the security settings of the network one might be able to see other computers on the same network. Very often to make the computer user’s experience simpler shared directories or folders will advertise itself. Now everyone connected to the network is aware that there is a share on the network.
These services are very powerful and convenient. However misconfiguration can be very bad. The sharing features typically get set and forgotten, so data is just sitting around all over the place. Did you remember to change who has access to what within Dropbox? Is your Shared directory still active for everyone to see and edit documents. Did you turn off the sharing for the person that left the company? Is your network storage at home available via the Internet, does it have a strong password and current firmware? Are you using Two Factor Authentication (2FA), if not – why not?
There is the specter of e-mail and how easy it is to not redact or remove information before forwarding it. This issue becomes more and more important as the projects are more and more complex. I often will read an e-mail and store it, some contracts require that. If I need to gather more information from another party I do not simply forward the e-mail, I rewrite it to be as generic as possible. Part of this process is to make sure I understand the question I am asking. Part of it is just preventing information from being shared. Yes, we might work for the same company but I am the one who was given the information, often the NDA indicates that I can only share information when necessary.
I can continue with such things as lock your computer when you are not using it. Don’t carry information you don’t need to on your laptop; especially when you travel. That seems easy to say I know, and it is more realistic than ever to do. I can connect to a server that is secure via VPN connection and retrieve the documents I need when I need them. (This approach can also be helpful and preventative if a laptop is lost or a hard drive fails.)
Encrypt important data. Yes, the encryption word. It is important. It is not new. In the late 1990’s I was working on a theme park project just as e-mail was becoming common. To transmit documents electronically we were required to send them encrypted using Pretty Good Privacy or PGP encryption. I am not going into all the details, the Electronic Frontier Foundation has written a good article providing an overview. This process meant that I would compress a file, then encode it via PGP, then attach it to a message and send it. This process still exists and is still very viable. I encrypt data on my hard drive and on the cloud using PGP encryption, sometimes called GPG on Mac and Linux. Beyond just the encryption the fact that the email has a much higher probability of not being spoofed is reason enough to use it for me. If you want to test it out, my key can be found at my blog post.
Now that everyone is concerned, how to make things better so that you are not the leak? The first item is the Fight Club rule. The second task is I encrypt my connections and data whenever possible (check with your company’s IT department as the last thing that anyone wants is to have data be inaccessible). Find secure solutions for hosting data on the cloud. There are many solutions, I am not going to endorse one or claim one is better than the other, the key item I look for is 2FA. This process means that the person trying to gain access to an account will not only need the password, but a second piece of information to gain entry. Typically this is a numerical value, it can either be generated on a device such as a handheld digital device or sent via e-mail or text. There is more information about 2FA available from EFF as well. I have enabled it on the AVNation website administration tools and everywhere else I can, including Google and Apple cloud solutions. I think that this would go without saying, but just in case; do not click the remember me or have the browser remember your password. That basically means if someone has your computer they have access to all the site.
I am sure by this point I sound paranoid, however I will say that adhering to Non-Disclosure Agreements is valuable for business. No one wants to know as the person who leaked information. It is easier to make sure no one leaks the information by not letting them know about the project. Keeping projects secret and being digitally accessible is very possible. It requires attention to detail and understanding the processes. Do not let it scare you.
Some of you may already be aware that the Electronic Frontier Foundation (EFF) is one of the groups I support. Privacy, security, and freedom for the individual is one of my touchstones. I have written about these topics previously, both here and at AVNation.tv. (Yes, there will be overlap between this post and the one over there. My opinion hasn’t changed.)
There are proposed rule changes within the Federal Rules of Criminal Procedure that the EFF has made me aware of. I do not claim to be an expert on all the legalities and intricacies, however from the comments that the EFF have provided I immediately felt it was important to comment on. The proposed amendment to procedural Rule 41 would allow a judge to issue a warrant allowing law enforcement to remotely enter (hack) a computer when “the district where the media or information is located has been concealed through technological means,” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.”
The first portion of this means that if one uses a means to hide their location, for any reason, a search warrant would be allowed. At AVNation I spoke about how this applies to business environments where Virtual Private Networks (VPN) are used to provide a secure connection between remote users and the office. A byproduct of that process is that one’s location is incorrect quite often, sometimes on purpose. When I travel to China I use VPN for personal use. I purposely set my VPN to connect me to a point of presence located in the US. This decision allows me to access my e-mail as well as other sites, such as news sites like New York Times or Los Angeles Times. I can continue on about the Great Firewall of China, but these couple of links should help provide background https://en.wikipedia.org/wiki/Great_Firewall or https://www.eff.org/search/site/china%20firewall.)
I also use a VPN connection, as well as other tools, when I am using a public hotspot. In fact I am using one right now as I sit in Starbucks using their WiFi. This approach prevents eavesdroppers to my communication. I will say that Google and Starbucks do a good job keeping things safe, however not everyplace is as secure. I want to keep my data encrypted as long as I can. Yes, there is Hyper Text Transfer Protocol Secure (HTTPS) that is secure and I use it as much as possible, but not every site supports it or for all traffic.
I can continue on as to why I use VPN, the important thing to take away is that there are legitimate legal reasons to use VPN. The fact that I use it should not change the way my data/privacy is viewed by the courts. To overly simplify it would be like saying, you locked the door to your car so you have given us a reason to issue a search warrant.
The second portion of the new procedure is also damaging in that it allows for innocent computers to be searched if they have been remotely hacked. If a computer is an unwitting member of a botnet that would meet a qualification for a search warrant. The infected or innocent computer could be searched even if the owner is not involved or suspected of wrong doing. Basically if someone has already broken into your computer, the government can break into it again as your computer might be doing bad things.
To me there is a third reason that this issue is important – this process is being done under the guise of procedural rules. There is no debate, no review by elected officials, just a procedural change to allow more access. Yes, Congress has to vote to approve the rules, but there was very little notice of the process. Luckily groups such as EFF and others are around to alert people to the changes. There is the comment of, “Well if you aren’t doing anything wrong, you have nothing to worry about.” I agree and understand that sentiment, but I also believe that once the first domino has fallen the erosion of privacy will continue. To quote James Madison, “There are more instances of the abridgement of freedom of the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.” This procedural step is a gradual and silent move to most people.
Also if there is nothing to worry about, please send me your laptop or phone without clearing the history first. I will be more than happy to inspect it for you.