Redaction vs CTRL-C CTRL-V


User error is ever the bane of security. It has plagued the digital world since the first user taped their password to their monitor, an event likely to have occurred shortly after the first passwords were given out. While the existence of user error continues its endless march, the form it takes mutates as technology advances. Recently, the Department of Homeland Security mistakenly released a manual on its screening procedures (user error 1) and failed to properly redact certain sections (user error 2). The internet, in its vast, never-sleeping glory, found this document and scattered it to the four winds to preserve it against censorship. (As a side note, I often speak of the internet metaphorically as if it were a living entity. I feel it better captures the internet’s essence that we are each but parts of a larger metaphorical mental organism.)

The document can be found at cryptome.org and on wikileaks.org.

The mistake was a fairly simple one, and a common governmental gaffe. In redacting the document, the reviewer simply placed black boxes over the offending text without “burning in” the redaction. “Burning in” is a process of re-rendering the PostScript data so that instead of rendering a block of text with a black bar on top of it (i.e. layered), it renders just the black bar. In the layered rendering they released, the text is still present underneath the box, so the redaction box can be deleted or the data simply cut and pasted out of the document.
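A pre-release check for exactly this mistake can be sketched in a few lines. The following is an added example, not part of the original post: it scans a page content stream for text that is drawn first and then covered by a filled rectangle. The two sample streams are constructed, and the sketch assumes an uncompressed stream, text shown only with the Tj operator, and no coordinate transforms.

```python
import re

# Constructed, uncompressed page content streams (not from any real document).
LAYERED = (b"BT /F1 12 Tf 72 700 Td (Public heading) Tj ET\n"
           b"BT /F1 12 Tf 72 680 Td (Sensitive sentence) Tj ET\n"
           b"0 0 0 rg 70 676 200 16 re f\n")   # black box drawn over the text
BURNED_IN = (b"BT /F1 12 Tf 72 700 Td (Public heading) Tj ET\n"
             b"0 0 0 rg 70 676 200 16 re f\n")  # only the box remains

NUMBER = rb"[-+]?\d*\.?\d+"
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|/[^\s()<>\[\]/]+|" + NUMBER + rb"|[A-Za-z*]+")
FILL_OPS = (b"f", b"F", b"f*", b"B", b"B*")

def hidden_text(stream):
    """Return Tj strings whose origin lies inside a rectangle filled later."""
    stack, texts, rects, pending = [], [], [], []
    x = y = 0.0
    for order, match in enumerate(TOKEN.finditer(stream)):
        tok = match.group()
        if tok[:1] == b"(":                      # string operand
            stack.append(tok[1:-1].decode("latin-1"))
        elif re.fullmatch(NUMBER, tok):          # numeric operand
            stack.append(float(tok))
        elif tok[:1] == b"/":                    # name operand such as /F1
            stack.append(tok)
        else:                                    # operator: consume operands
            if tok == b"BT":
                x = y = 0.0
            elif tok == b"Td" and len(stack) >= 2:
                x, y = x + stack[-2], y + stack[-1]
            elif tok == b"Tm" and len(stack) >= 6:
                x, y = stack[-2], stack[-1]
            elif tok == b"Tj" and stack:
                texts.append((order, x, y, stack[-1]))
            elif tok == b"re" and len(stack) >= 4:
                pending.append(tuple(stack[-4:]))
            elif tok in FILL_OPS:                # path painted as filled area
                rects += [(order, r) for r in pending]
                pending = []
            elif tok in (b"n", b"S"):            # path discarded or only stroked
                pending = []
            stack = []
    return [s for t, x, y, s in texts
            if any(o > t and rx <= x <= rx + w and ry <= y <= ry + h
                   for o, (rx, ry, w, h) in rects)]

if __name__ == "__main__":
    print("layered:", hidden_text(LAYERED))
    print("burned in:", hidden_text(BURNED_IN))
```

A document is safe to release only when this kind of check comes back empty; real files usually carry compressed streams, so a production check would first decode them with a PDF library.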

This post is not specifically about the redaction mistake, as such mistakes are hardly new or interesting. Instead I wanted to write about what will be my rant of the year for 2010. (For those not familiar with me, I generally stumble upon a topic which I end up talking about over and over for the remainder of the year. 2008 was improper use of hashing and the weaknesses of MD5, 2009 was abstraction vs implementation causing issues in legal contexts from a conceptual perspective, and now 2010 will be the inability of governments to inhibit the distribution of information on the internet.)

First, let me examine this story from wired.com. Some of our congressmen sent a letter to the Secretary of Homeland Security requesting, amongst other things:

6. How has the Department of Homeland Security and the Transportation Security Administration addressed the repeated repostings of this security manual to other websites and what legal action, if any, can be taken to compel its removal.

7. Is the Department considering any new regulations pursuant to its authority in section 114 of title 49, United States Code, and are criminal penalties necessary or desirable to ensure such information is not reposted in the future?

Of course the first reaction of a government is to seek redress through the courts, to stop the material’s spread, isolate the breach, and seal it. If we were dealing with a physical document before the internet age, the duplication and distribution of this manual would be constrained by the time required for the physical components of those two actions. In the internet age, duplication and distribution take mere moments for such a small quantity of data. Of the two websites with copies I mentioned, let us examine Wikileaks.

What is wikileaks?

Wikileaks is a multi-jurisdictional organization to protect internal dissidents, whistleblowers, journalists and bloggers who face legal or other threats related to publishing.

Wikileaks opens leaked documents up to stronger scrutiny than any media organization or intelligence agency can provide. Wikileaks provides a forum for the entire global community to relentlessly examine any document for its credibility, plausibility, veracity and validity. Communities can interpret leaked documents and explain their relevance to the public.

We believe that it is not only the people of one country that keep their government honest, but also the people of other countries who are watching that government. That is why the time has come for an anonymous global avenue for disseminating documents the public should see.

Put another way, Wikileaks is the worst nightmare of anyone attempting to mitigate inadvertent disclosure. It provides an anonymous method to post documents, distributes those documents to servers in multiple countries, and actively fights to keep those documents available. How feasible is it for a government as large and powerful as the US to stop the distribution of one document? I have constructed the following time line of events:

December 6, 2009 – A blog reports on the TSA’s badly redacted document, and the recovery of its contents
December 7, 2009 – TSA removes the document from public access
December 8, 2009 12:03 am – A link on Slashdot.org points to the unredacted document hosted on Cryptome
December 8, 2009 3:12 am – The documents appear on Wikileaks.org
December 9, 2009 – Members of the U.S. House of Representatives, Committee on Homeland Security send a letter to the Secretary of Homeland Security regarding the incident
December 10, 2009 – By this point the documents have been distributed all over the world, read by countless individuals, saved to other locations, printed, distributed, and so forth.

By the time the breach is realised and documents removed, it is too late. This is an existence problem: if there exists at least *1* copy of the document in the hands of an individual wishing to make it public, then that document cannot be suppressed. Before Congress could draft a letter, a physical letter mind you, the document was housed across the world in the hands of many, many people. In the time it takes to think about point 6, it becomes moot.

What then of point 7? What good does this serve? Shall we now restrict information the public has access to? Censor it with criminal penalties to stem the tide? Set in place a firewall to prevent its spread? This solves nothing. Sure, a few may be punished as an example to others, but the data itself will still get out. One has only to look at the RIAA debacle over the last few years – so much money, time, and effort to stamp out peer2peer sharing starting with Napster, and still every site to be shut down causes another to spawn and take up the slack. The internet is too vast, too quick to change, too easy to hide in for any legal remedy short of a total Orwellian crackdown to stop.

I, for one, am glad of its resiliency. How ironic that the very same system designed by the government to be impossible to take down frustrates its own censorship attempts with the same ease.
