This piece was originally published at AVNation.tv September 7, 2017. I have updated it to reflect my personal opinions.
Bradford September 18, 2020

During the week of August 25, 2017, Dreamhost, a hosting company, was under a Distributed Denial of Service (DDoS) attack. The attack resulted in basically everything at AVNation.tv and on my domains not working. In total I had about 45 domains and subdomains that were nonfunctioning. I was also in China on a business trip.

The reasons for this attack have not been formally announced, nor has anyone taken responsibility for the attack. There are two likely causes. Dreamhost had been in the news for two stories during that week; the first was telling the US Department of Justice that it would not supply IP addresses of who visited a site. The second reason was that “The Daily Stormer” used the automated registration process to start a new site, “Punished Stormer” after being denied hosting by other companies. For those that are not familiar, these sites are aimed toward spreading hate speech.

I indicated these reasons to AVNation and that I did not plan on changing hosting or DNS (Domain Name Server) services. There were practical reasons, but more importantly I support the decisions that Dreamhost made. I explained to AVNation that if the business risk was too high I would start changing once I got back to the United States. I would not be changing my personal hosting as I believe the issues causing the problems are important. Yes, there was no debate within AVNation that it was the right thing to do.

The first reason I decided that three years ago was that a federal judge signed a search warrant against DreamHost. The Department of Justice (DoJ) was looking for information sought by federal prosecutors investigating the disturbances that occurred in Washington, D.C. during President Trump’s inauguration. The DoJ wanted the IP address of anyone who had visited the website http://www.disruptj20.org/. If you looked at the website, the government wanted to know. I liken the situation to looking at the cover of a book or magazine, not perusing or purchasing it; the government wanted to know that you looked at it. Librarians for years have been fighting this issue, http://www.ala.org/aboutala/offices/oif. The government knowing what you are reading is not appropriate in my opinion. Dreamhost’s account of the situation can be found here https://www.dreamhost.com/blog/we-fight-for-the-users/ as well as EFF https://www.eff.org/deeplinks/2017/08/j20-investigation-doj-overreaches-again-and-gets-taken-court-again.

The Daily Stormer being denied service by Dreamhost and others is not a 1st Amendment issue. The government did not make a law banning the Daily Stormer; multiple hosting companies, GoDaddy, Cloudflare, and Google to name a few, did not want to host them. The Daily Stormer had quietly registered the new domain, Punished Stormer, using an online signup form. Once Dreamhost became aware of the domain they terminated the website. “Unfortunately, determined internet vigilantes weren’t willing to wait for us to take that action,” DreamHost said in a statement to Ars Technica. “They instead launched a DDoS attack against all of DreamHost. We were ultimately able to declaw that attack, but the end result was that most of our customers experienced intermittent connectivity issues to their sites today.”

I believe that The Daily Stormer has the right to free speech as well. The government is not censoring them. The companies refusing to host or support a website under their terms of service is mostly legal. [Yes, discrimination is not legal.] If it becomes Hate Speech and inciting violence it is no longer free speech. [Yes, also a slippery slope.]

I am supporting my beliefs even if it means an occasional problem; not all financial decisions are made solely by dollars.

Bradford
September 20, 2020

This post was originally written in May 2017 and posted at AVNation.tv. I am reposting this piece as I believe it is extremely important. It is more of an issue with the COVID pandemic and the amount of children learning at home.
Bradford – September 17, 2020

Many of you know, I am a proponent of online privacy. Recently I received an article about the implications of Educational Technology (EDTech) and the use of it and how it impacts privacy. While I don’t have children, I believe that their education is important. Part of that education is learning about privacy, what is appropriate for online, and that surveillance is not standard.

Much of this information is sourced from the report “EFF Releases Spying on Students Ed Tech Report” by the Electronic Frontier Foundation. I found various things interesting: for a child enrolled in Google Apps for Education (GAFE), many of the privacy decisions are taken away from the parent and given to the school system through the GAFE administrator. Under the agreement Google makes with the school system, many of the decisions are made for the student by the education department without checking with the parent. Some will say I am a cranky old person with this next phrase, “When I was in school, we needed a permission slip for a field trip. Now the school is deciding the online presence of their students – without any permission.”

The school system can create a Google account with personally identifiable information for a minor without parental consent. If the parent (or guardian) asks for the information to be deleted, it is the decision of the school administrator whether or not it will be honored. Yes, the parents don’t get to choose. There are hundreds of pieces of education software or services in use. There are multiple terms of service and privacy policies to review for these services; I do not want to think about how long it would take to read these agreements. Some of these services are owned by Google and will share information with GAFE. Once again the majority of these services can be configured by the school system, not the parents.

The EFF has collected case studies to help illustrate the concerns and challenges. You can find them here https://www.eff.org/issues/student-privacy.

Right about now you are asking why I am talking about this topic. Many students are learning from home. There are various software and technologies being used. Not many will think about how the privacy of students is considered. Ask a question such as, “Does this require signing up for an account?” or “Can one plug a USB storage device in or use a local network connection?” These simple questions can assist in the evaluation of the solutions.

Just as one would ask about security for a corporation or a government project, one should think about it for education and their home network. More often than it should occur, the technology provider is helping to educate the schools to understand the complex issues of using newer technology. Are you ready to ask questions?

Think about how you would feel if your child is being watched by Google without your permission. Not just teenagers, children just starting school.

Hat tip to EFF for their open source student privacy logo

My involvement with the EFF and AVNation have also included comments about privacy: AVNation Privacy & EFF Mail Links.

Something I realized while thinking about this subject is that if one sends very few encrypted e-mails, the ones that are encrypted will stand out in the mail being sent. Now you might wonder what I am doing that requires encrypting. It is more practical than you might think; a simple example is to transmit financial information.

I have an additional reason now: confuse the government and anyone else monitoring traffic. This idea is discussed in Cory Doctorow’s book Little Brother http://craphound.com/littlebrother. The section below is used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. This quote below came from line 1826 in the HTML version available on Mr. Doctorow’s website.

“So how come you weren’t on Xnet last night?”
I was grateful for the distraction. I explained it all to him, the Bayesian stuff and my fear that we couldn’t go on using Xnet the way we had been without getting nabbed. He listened thoughtfully.
“I see what you’re saying. The problem is that if there’s too much crypto in someone’s Internet connection, they’ll stand out as unusual. But if you don’t encrypt, you’ll make it easy for the bad guys to wiretap you.”
“Yeah,” I said. “I’ve been trying to figure it out all day. Maybe we could slow the connection down, spread it out over more peoples’ accounts –“
“Won’t work,” he said. “To get it slow enough to vanish into the noise, you’d have to basically shut down the network, which isn’t an option.”
“You’re right,” I said. “But what else can we do?”
“What if we changed the definition of normal?”
And that was why Jolu got hired to work at Pigspleen when he was 12. Give him a problem with two bad solutions and he’d figure out a third totally different solution based on throwing away all your assumptions. I nodded vigorously. “Go on, tell me.”
“What if the average San Francisco Internet user had a lot more crypto in his average day on the Internet? If we could change the split so it’s more like fifty-fifty cleartext to ciphertext, then the users that supply the Xnet would just look like normal.”
“But how do we do that? People just don’t care enough about their privacy to surf the net through an encrypted link. They don’t see why it matters if eavesdroppers know what they’re googling for.”
“Yeah, but web-pages are small amounts of traffic. If we got people to routinely download a few giant encrypted files every day, that would create as much ciphertext as thousands of web-pages.”

My action is a relatively small action and is rather simple to do. However, the fact that it will change the traffic view could be helpful for others. It will prevent other PGP/GPG encrypted traffic from being such an outlier as to be noticed. As EFF posted on Data Privacy Day, privacy is a team sport. There are additional directions for how to do this task at https://ssd.eff.org/, hover over the tutorials section. If you want to test if it worked, my public key identifier is C93A52C6. You can download my public key directly from my site. I also will freely admit, I am not sure if it will make a difference, but it could not hurt.

The post originally appeared on AVNation.tv April 27, 2017

At the time I wrote this piece I was employed by Harman Professional, which was a competitor of Bose. Harman has similar policies I disagree with. As a result, while I have both brands’ products I do not run their software – September 13, 2020

This time last week (April 18, 2017) a class action lawsuit was being filed in the United States District Court for the Northern District of Illinois, Eastern Division claiming that Bose collected data without telling their users that they were. You can read the complaint (17-cv-2928) on the Scribd service. My previous writings have shown my preference for privacy in the digital age. I do not like that Bose is collecting that much information about its users. It might be legal and an accepted business practice at the moment, but I still don’t like it. [Bradford’s note: I do work for a competitor. This discussion is about data tracking not products. I don’t use some of my employer’s software because of the data tracking policies.]

When I started this piece, I indicated that I was going to come out supporting Bose and their situation. However, in doing research for the column, I have changed my mind. Bose was very close to having done the right thing, telling people what they were monitoring. However, they did not quite get it right as they had inconsistent information available. What they are currently collecting through Bose Connect is your listening habits; what are you listening to, how long are you listening for, when are you listening, where are you listening and other things. The crux of the case in my opinion is this statement in the filing: “Bose Connect collects and record the titles of the music and audio files its customers choose to play through their Bose wireless products. They also transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.” In my view that last sentence is false completely and should be removed from the conversation. Bose does indicate that they use a third-party.

Something to consider as you examine this issue is that this application is just one part of the entire digital media playback system. Using iTunes one can know the last time a media file was accessed and if it was listened to completely; that information is shared with Apple. There is a massive part of me that says, as soon as one became part of the digital media ecosystem one must work to stay private. The amount of data about customers that is available can be mind boggling. All of the information that the plaintiff is worried about is likely available already from other sources. Additional information such as where and when the content was acquired is easy to gather if one uses the typical online services.

After I finished reading the filing, I started reading what was on the Bose website. There is a link to their privacy policy at the bottom of basically every page within their website. I clicked the link in Bose’s footer and was directed to here; it is confusing as they do not directly indicate or discuss the Bose Connect App. However, reading through I found this section that would have caused me pause:

"If you use a Bose SoundTouch system or the SoundTouch software or mobile app, Bose also collects additional information about you, including technical information (such as your IP address, computer attributes and system ID); location information derived from your IP address; and product usage information (such as system presets and recently played content)."

While reading the document, I started getting confused. Is the Bose Connect App the “mobile app” listed in the policy? It is a mobile application, but they don’t call it out explicitly. Other hardware and software is listed by name.  More research was required. I figured the best way to understand the experience and information provided to the user is to install the Bose Connect application and read the documentation.

I went to the Google Play store to look at the Android version. That was interesting as the information provided there was minuscule. There was the Google Permission information that indicated the application is granted access to:

  • bind to an accessibility service
  • view network connections
  • pair with Bluetooth devices
  • access Bluetooth settings
  • full network access

There was also a link to the Privacy Policy, https://downloads.bose.com/ced/bose_connect/privacy_policy.html. I created a PDF of it to read later.
I next went to the iTunes/App Store to do the same thing. I am traveling with an iOS device, so that was a more realistic experience.  On the iTunes product page there is a link to the privacy policy and the license agreement. The privacy policy also directs one to the same location as the Google Play store. iTunes embeds the license agreements within the application window, so I have simply combined captures (click here) so I could read it all.

I was now ready to review all of the documentation. I started with the privacy policy. This section quickly jumped out at me [yes there are errors, I took this section verbatim from the Bose site]:

What Information We [Bose] Collect About You

The app does not collect any information that Bose or our service providers can use to identify you personallyAs discussed below, however, the app does automatically collect certain information from the mobile phone, tablet, or other device that you use to access the app.

Log data. When you use the app, we or our service providers may automatically receive and record certain information from your mobile phone, tablet, or other device. This may include such data as your software and hardware attributes (including device OS version and hardware model information), the date and time you use the app, whether and when you update the app and your Bose products, and certain other tracking information. To do this, we may use web logs or applications that recognize your device and gather information about its online activity.

Analytics and related tracking mechanisms. We may use mechanisms to track and analyze how you use the app. We also may partner with third parties who do so on our behalf (see below in the section entitled “How We Share Information with Third Parties”). These mechanisms can be used, for example, to collect information about your use of the app during your current session and over time, when and why the app crashes on your device, and a variety of information about the mobile phone, tablet, or other device that you use to access the app. Such mechanisms may include software developer kits (“SDKs”), pixels, scripts, or other tracking mechanisms. Some of these mechanisms involve storing small files on your mobile phone, tablet, or other device. Others involve transmission of information to a third-party server through other means.”

Portion of the Bose EULA

That was when my opinion changed from Bose educated the user about data collection to they made a mistake. I believe that Bose clearly documented for the end user that a third-party is being used to analyze the data. The fact they listed incompletely what items they are collecting is where the problem occurs in my mind. In the general privacy policy they spelled out more clearly what they are collecting. The Bose Connect policy differs from the general privacy policy so it would appear that there are different conditions of data collection for each software. Whether the user was informed correctly now comes down to the question, “What conclusion would a reasonable person create from this information?”

That moment was also when Josh Srago and I started to disagree. Initially, we agreed that we thought Bose was in the clear, not necessarily right but had met their obligations to inform. We both still believe tracking the information is bad and should be stopped. We both think that they clearly spelled out that they are using a third-party service. The disagreement started when Josh referred to the End User License Agreement (EULA) and pointed out a paragraph that states the user consents to Device Data Usage collection.

Josh indicates that he believes Device Data Usage includes what content or data you are using on your device. I do not think that most people, i.e. not me or Josh, would consider that approach. Most people would process that phrase as if they transferred or used 2GB of data or 3GB of data that month.
Josh and I both agree that tracking is wrong. We both know EULA and privacy policies are purposely written to be as vague as possible. Collecting usage information has value to product development, such as is there enough battery life for the person to use the headphones in a typical day. We also agree it is very rare for a user to read the EULA or Privacy Policy.
What we disagree on is what amount of information was provided to the user. That is something for the courts to decide.

A few notes I want to include that just didn’t flow in writing:

  1. The use of the application is not required as indicated in this video from the Bose site.  Yes, you get more functions, the payment is Bose gets more data about you. Think of it as a frequent shopper card or a Starbucks registered card.
  2. If you want to review the documents of the case yourself and you don’t like the privacy policy used by Scribd, you may also view the filing at https://ecf.ilnd.uscourts.gov/doc1/067119015846p.

Thank you for reading.
Bradford

Previously I wrote about the protection I am adding to my mail by using PGP or GPG. You can find the article by clicking here. My involvement with the EFF and AVNation have also included comments about privacy: AVNation Privacy & EFF Mail Links.

Something I realized while thinking about this subject is that if one sends very few encrypted e-mails, the ones that are encrypted will stand out in the mail being sent. Now you might wonder what I am doing that requires encrypting. The previous blog post explains why I am encrypting my mail.

I have an additional reason now: confuse the government and anyone else monitoring traffic. This idea is discussed in Cory Doctorow’s book Little Brother http://craphound.com/littlebrother. The section below is used under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. This quote below came from line 1826 in the HTML version available on Mr. Doctorow’s website.

“So how come you weren’t on Xnet last night?”
I was grateful for the distraction. I explained it all to him, the Bayesian stuff and my fear that we couldn’t go on using Xnet the way we had been without getting nabbed. He listened thoughtfully.
“I see what you’re saying. The problem is that if there’s too much crypto in someone’s Internet connection, they’ll stand out as unusual. But if you don’t encrypt, you’ll make it easy for the bad guys to wiretap you.”
“Yeah,” I said. “I’ve been trying to figure it out all day. Maybe we could slow the connection down, spread it out over more peoples’ accounts –“
“Won’t work,” he said. “To get it slow enough to vanish into the noise, you’d have to basically shut down the network, which isn’t an option.”
“You’re right,” I said. “But what else can we do?”
“What if we changed the definition of normal?”
And that was why Jolu got hired to work at Pigspleen when he was 12. Give him a problem with two bad solutions and he’d figure out a third totally different solution based on throwing away all your assumptions. I nodded vigorously. “Go on, tell me.”
“What if the average San Francisco Internet user had a lot more crypto in his average day on the Internet? If we could change the split so it’s more like fifty-fifty cleartext to ciphertext, then the users that supply the Xnet would just look like normal.”
“But how do we do that? People just don’t care enough about their privacy to surf the net through an encrypted link. They don’t see why it matters if eavesdroppers know what they’re googling for.”
“Yeah, but web-pages are small amounts of traffic. If we got people to routinely download a few giant encrypted files every day, that would create as much ciphertext as thousands of web-pages.”

This action is a relatively small action and is rather simple to do. However, the fact that it will change the traffic view could be helpful for others. It will prevent other PGP/GPG encrypted traffic from being such an outlier as to be noticed. As EFF posted on Data Privacy Day, privacy is a team sport. There are additional directions for how to do this task at https://ssd.eff.org/, hover over the tutorials section. If you want to test if it worked, my public key identifier is C93A52C6. You can download my public key from https://www.bradfordbenn.com/BradfordBenn-C93A52C6.asc

I also will freely admit, I am not sure if it will make a difference, but it could not hurt.

Bradford Benn
January 31, 2017
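An eight-hex-digit identifier like the one quoted above is the low 32 bits of a key's fingerprint, so a check of a downloaded key is stronger when it compares the whole fingerprint obtained from the key owner over a separate channel. The following is an added example, not part of the original post: it parses an ASCII-armored key, computes the fingerprint, and derives the long and short IDs. It assumes a version 4 key (RFC 4880) and uses a constructed, unusable sample key; all function names are illustrative.

```python
import base64
import hashlib
import struct

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """Checksum that closes an ASCII-armored block (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Return the binary packets of an armored key; verify the CRC-24 if present."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored public key block")
    payload = lines[lines.index("") + 1:-1]  # armor headers end at the first empty line
    checksum = payload.pop() if payload and payload[-1].startswith("=") else None
    data = base64.b64decode("".join(payload), validate=True)
    if checksum is not None:
        expected = int.from_bytes(base64.b64decode(checksum[1:], validate=True), "big")
        if crc24(data) != expected:
            raise ValueError("armor checksum mismatch")
    return data


def primary_key_body(packets: bytes) -> bytes:
    """Return the body of the first packet, which must be a public key (tag 6)."""
    header = packets[0]
    if not header & 0x80:
        raise ValueError("not an OpenPGP packet")
    if header & 0x40:  # new-format header
        tag, first = header & 0x3F, packets[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + packets[2] + 192, 3
        elif first == 255:
            length, start = int.from_bytes(packets[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:  # old-format header: length type 0/1/2 means 1/2/4 length octets
        tag, length_type = (header >> 2) & 0x0F, header & 0x03
        if length_type == 3:
            raise ValueError("indeterminate length not supported")
        size = 1 << length_type
        length, start = int.from_bytes(packets[1:1 + size], "big"), 1 + size
    if tag != 6:
        raise ValueError("first packet is not a public key")
    return packets[start:start + length]


def key_identifiers(armored: str) -> dict:
    """Compute the v4 fingerprint and the IDs that are derived from it."""
    body = primary_key_body(dearmor(armored))
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled in this example")
    # v4 fingerprint: SHA-1 over 0x99, a two-octet length, then the packet body.
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    fingerprint = digest.hexdigest().upper()
    return {"fingerprint": fingerprint,
            "long_id": fingerprint[-16:],   # low 64 bits
            "short_id": fingerprint[-8:]}   # low 32 bits, the 8-digit form


def fingerprint_matches(armored: str, trusted_fingerprint: str) -> bool:
    """Compare against a fingerprint received out of band (spaces and case ignored)."""
    wanted = "".join(trusted_fingerprint.split()).upper()
    return key_identifiers(armored)["fingerprint"] == wanted


def build_sample_key() -> str:
    """Constructed v4 RSA public-key packet with made-up numbers; not a usable key."""
    def mpi(value: int) -> bytes:
        size = (value.bit_length() + 7) // 8
        return struct.pack(">H", value.bit_length()) + value.to_bytes(size, "big")

    n = int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 4, "big") | 1
    body = bytes([4]) + struct.pack(">I", 1485820800) + bytes([1]) + mpi(n) + mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, "=" + crc, END])


if __name__ == "__main__":
    ids = key_identifiers(build_sample_key())
    print(ids)
    # A different fingerprint that ends in the same 8 digits must not be accepted.
    print(fingerprint_matches(build_sample_key(), "0" * 32 + ids["short_id"]))
```

Only the first packet is read, so user IDs, subkeys and signatures in a real key file are ignored by this check.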

During my “day job”, I work on many projects that are subject to Nondisclosure Agreements (NDA). These projects range from new product development to new projects that have not been announced to details of clients and project contents. There are various levels of diligence called out in each agreement. I am not giving any legal advice on enforcement and application of NDAs; I am sharing some of the principles and practices that are common and that I have found helpful. If in doubt, check with your legal advisor or company counsel.

“The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.”

Bradford Benn with a hat tip to Chuck Palahniuk

The level of “paranoia” for lack of a better word you want to follow is up to you. I follow the most stringent NDA policies for all of my NDA projects. The reason is that remembering the nuances of each one is difficult. Some people find it humorous my personal level of privacy and security awareness, however these practices apply and help me be aware of things not typically considered. Some of the things I worry about may not be practical for your scenarios but it is still good to think about for things beyond projects. Confidentiality of things such as payroll, checking account balances, insurance information… etc. are still a part of daily life.
The most effective practice I use is both simple and often overlooked. Chuck Palahniuk said it most succinctly, “The first rule of Fight Club is do not talk about Fight Club.” Seems rather simple, but it is often forgotten. The version that applies in this situation, “The first rule of Nondisclosure Agreements is do not talk about Nondisclosure Agreements.” I work within a large company [Harman]; there are multiple teams and departments, about 28,000 employees total. Not everyone needs to know everything; engineering does not need to know that I am working with Bob’s Country Bunker on their expansion. If an engineer comes to me as they go to the Bunker every weekend and asks about the expansion, my answer is simple. “Sorry, I don’t know anything about it.” Yes, a lie or a fib. It also means that you are not as likely to be asked as many questions by friends looking for information. It also means not talking about the project in public, especially at industry conventions. However, what I get out of this approach is I do not have to worry about someone else leaking the information.

People think it is odd that I have specific USB flashdrives or thumbdrives for different purposes and projects. Using a thumbdrive to share data can easily lead to lots of data being shared unexpectedly. I hand person A a thumbdrive with person B’s data on it (that is covered by a non-disclosure agreement). Person A would then know about the project and if unscrupulous could have person B’s data. People don’t always think about it, but by sharing a USB drive one is basically sharing part of their computer’s hard drive. There are of course the other reasons such as not wanting to get a virus. My solution is that I format the thumbdrive when appropriate. Typically it is after a customer visit or a system commissioning. I will also backup and then erase the contents of the drive often during the process. None of us have ever lost a thumbdrive with key information on it.

This same approach holds for network storage and sharing solutions. Most people will think about Dropbox, SpiderOak, Google Drive, Box … etc. but these are not the only sharing services to be aware of. A standard computer attached to a network has the same issues at times. A company typically has a network server for storing and sharing project data; very often in addition to that the sharing feature on a laptop will be enabled as well. The shared drive or directory on a computer is most likely the largest liability of these items. If you want to know why, use the network in a hotel, coffeehouse, or even in an airplane. Depending on the security settings of the network one might be able to see other computers on the same network. Very often, to make the computer user’s experience simpler, shared directories or folders will advertise themselves. Now everyone connected to the network is aware that there is a share on the network.

These services are very powerful and convenient. However, misconfiguration can be very bad. The sharing features typically get set and forgotten, so data is just sitting around all over the place. Did you remember to change who has access to what within Dropbox? Is your Shared directory still active for everyone to see and edit documents? Did you turn off the sharing for the person that left the company? Is your network storage at home available via the Internet, does it have a strong password and current firmware? Are you using Two Factor Authentication (2FA), if not – why not?

There is the specter of e-mail and how easy it is to not redact or remove information before forwarding it. This issue becomes more and more important as the projects are more and more complex. I often will read an e-mail and store it, some contracts require that. If I need to gather more information from another party I do not simply forward the e-mail, I rewrite it to be as generic as possible. Part of this process is to make sure I understand the question I am asking. Part of it is just preventing information from being shared. Yes, we might work for the same company but I am the one who was given the information, often the NDA indicates that I can only share information when necessary.

I can continue with such things as lock your computer when you are not using it. Don’t carry information you don’t need to on your laptop; especially when you travel. That seems easy to say I know, and it is more realistic than ever to do. I can connect to a server that is secure via VPN connection and retrieve the documents I need when I need them. (This approach can also be helpful and preventative if a laptop is lost or a hard drive fails.)

Encrypt important data. Yes, the encryption word. It is important. It is not new. In the late 1990’s I was working on a theme park project just as e-mail was becoming common. To transmit documents electronically we were required to send them encrypted using Pretty Good Privacy or PGP encryption. I am not going into all the details, the Electronic Frontier Foundation has written a good article providing an overview. This process meant that I would compress a file, then encode it via PGP, then attach it to a message and send it. This process still exists and is still very viable. I encrypt data on my hard drive and on the cloud using PGP encryption, sometimes called GPG on Mac and Linux. Beyond just the encryption the fact that the email has a much higher probability of not being spoofed is reason enough to use it for me. If you want to test it out, my key can be found at my blog post.

Now that everyone is concerned, how to make things better so that you are not the leak? The first item is the Fight Club rule. The second task is I encrypt my connections and data whenever possible (check with your company’s IT department as the last thing that anyone wants is to have data be inaccessible). Find secure solutions for hosting data on the cloud. There are many solutions, I am not going to endorse one or claim one is better than the other, the key item I look for is 2FA. This process means that the person trying to gain access to an account will not only need the password, but a second piece of information to gain entry. Typically this is a numerical value, it can either be generated on a device such as a handheld digital device or sent via e-mail or text. There is more information about 2FA available from EFF as well. I have enabled it on the AVNation website administration tools and everywhere else I can, including Google and Apple cloud solutions. I think that this would go without saying, but just in case; do not click the remember me or have the browser remember your password. That basically means if someone has your computer they have access to all the site.

I am sure by this point I sound paranoid, however I will say that adhering to Non-Disclosure Agreements is valuable for business. No one wants to be known as the person who leaked information. It is easier to make sure no one leaks the information by not letting them know about the project. Keeping projects secret and being digitally accessible is very possible. It requires attention to detail and understanding the processes. Do not let it scare you.

Some of you may already be aware that the Electronic Frontier Foundation (EFF) is one of the groups I support. Privacy, security, and freedom for the individual is one of my touchstones. I have written about these topics previously, both here and at AVNation.tv. (Yes, there will be overlap between this post and the one over there. My opinion hasn’t changed.)

There are proposed rule changes within the Federal Rules of Criminal Procedure that the EFF has made me aware of. I do not claim to be an expert on all the legalities and intricacies; however, from the comments that the EFF has provided, I immediately felt it was important to comment on them. The proposed amendment to procedural Rule 41 would allow a judge to issue a warrant allowing law enforcement to remotely enter (hack) a computer when “the district where the media or information is located has been concealed through technological means,” or when the media are on protected computers that have been “damaged without authorization and are located in five or more districts.”

The first portion of this means that if one uses a means to hide their location, for any reason, a search warrant would be allowed. At AVNation I spoke about how this applies to business environments where Virtual Private Networks (VPN) are used to provide a secure connection between remote users and the office. A byproduct of that process is that one’s location is quite often incorrect, sometimes on purpose. When I travel to China I use a VPN for personal use. I purposely set my VPN to connect me to a point of presence located in the US. This decision allows me to access my e-mail as well as other sites, such as news sites like the New York Times or Los Angeles Times. (I can continue on about the Great Firewall of China, but these couple of links should help provide background: https://en.wikipedia.org/wiki/Great_Firewall or https://www.eff.org/search/site/china%20firewall.)

I also use a VPN connection, as well as other tools, when I am using a public hotspot. In fact, I am using one right now as I sit in Starbucks using their WiFi. This approach prevents eavesdropping on my communication. I will say that Google and Starbucks do a good job keeping things safe; however, not every place is as secure. I want to keep my data encrypted as long as I can. Yes, there is Hypertext Transfer Protocol Secure (HTTPS), which is secure, and I use it as much as possible, but not every site supports it, or supports it for all traffic.

I can continue on as to why I use a VPN; the important thing to take away is that there are legitimate legal reasons to use a VPN. The fact that I use it should not change the way my data/privacy is viewed by the courts. To overly simplify, it would be like saying, “You locked the door to your car, so you have given us a reason to issue a search warrant.”

The second portion of the new procedure is also damaging in that it allows for innocent computers to be searched if they have been remotely hacked. If a computer is an unwitting member of a botnet, that would meet a qualification for a search warrant. The infected or innocent computer could be searched even if the owner is not involved or suspected of wrongdoing. Basically, if someone has already broken into your computer, the government can break into it again, as your computer might be doing bad things.

To me there is a third reason that this issue is important – this process is being done under the guise of procedural rules. There is no debate, no review by elected officials, just a procedural change to allow more access. Yes, Congress has to vote to approve the rules, but there was very little notice of the process. Luckily groups such as EFF and others are around to alert people to the changes. There is the comment of, “Well if you aren’t doing anything wrong, you have nothing to worry about.” I agree and understand that sentiment, but I also believe that once the first domino has fallen the erosion of privacy will continue. To quote James Madison, “There are more instances of the abridgement of freedom of the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.” This procedural step is a gradual and silent move to most people.

Also if there is nothing to worry about, please send me your laptop or phone without clearing the history first. I will be more than happy to inspect it for you.

Notes:
Much of this information was gathered from the webpage https://www.eff.org/deeplinks/2016/06/help-us-stop-updates-rule-41.
The lock pick image is public domain from Wikimedia. More information about it at https://commons.wikimedia.org/wiki/File%3ALockpicking_Pickset.jpg.