The RISKS Digest
Volume 27 Issue 33

Thursday, 6th June 2013

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Re: BA plane's emergency landing at LHR caused by maintenance error
Clive Page
Data protection in the EU: the certainty of uncertainty
Cory Doctorow
NSA collecting phone records of millions of Americans daily
Paul Owen via Dave Farber
"In digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous"
Al Gore
"The BYOD Mobile Security Threat Is Real"
Tom Kaneshige via Gene Wirchenko
Re: The Hazards of Gambling
FriedBadger
Re: Risks of spreadsheets—and leap seconds
Bob Frankston
Re: Apple says you can't use the iTunes/App Store ... abroad
Steve Wildstrom
Info on RISKS (comp.risks)

Re: BA plane's emergency landing at LHR caused by maintenance error

Clive Page <usenet@page2.eu>
Wed, 05 Jun 2013 19:04:44 +0100
Regarding the BA plane which took off with both engine cowls unlatched.

The bit of the story that frightened me most was from one of the BBC
accounts which said:

  "Last July Airbus said there had been 32 reported fan cowl door
  detachment events, but none of the cases resulted in a fire."

This suggests to me that maintenance crews are not paying anything like
enough attention to this.  If the cowl comes loose it might, as in this
case, cause a fire and an emergency landing.  But it could even be worse.
A lump of metal falling from a preceding plane is now thought to have caused
the Concorde disaster at Paris some years ago.


Data protection in the EU: the certainty of uncertainty (Cory Doctorow)

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 5 Jun 2013 9:37:27 PDT
Cory Doctorow, *The Guardian*'s technology blog, 5 Jun 2013
"As I write this, the European Parliament is involved in a world-beatingly
gnarly wrangle over the new General Data Protection Regulation."
http://www.guardian.co.uk/technology/blog/2013/jun/05/data-protection-eu-anonymous

Cory's blog item on the relative ease of de-identifying supposed
anonymizations should be no surprise to RISKS readers.  It is a very nice
assessment of some of the risks.  Ed Felten (Princeton) and Seth David
Schoen (EFF) are quoted, among others.  It is very well worth your reading,
as it opens up some gigantic cans of worms (although quite unlike the Diet
of Worms).  PGN


NSA collecting phone records of millions of Americans daily

dfarber <dave@farber.net>
Wed, 5 Jun 2013 19:53:05 -0400
Revealed: NSA collecting phone records of millions of Americans daily
Paul Owen, *The Guardian*, 6 Jun 2013
http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order

Under the terms of the order, the numbers of both parties on a call are
handed over, as is location data and the time and duration of all calls.

The National Security Agency is currently collecting the telephone records
of millions of US customers of Verizon, one of America's largest telecoms
providers, under a top secret court order issued in April.

The order, a copy of which has been obtained by the Guardian, requires
Verizon on an "ongoing, daily basis" to give the NSA information on all
telephone calls in its systems, both within the US and between the US and
other countries.

The document shows for the first time that under the Obama administration
the communication records of millions of US citizens are being collected
indiscriminately and in bulk—regardless of whether they are suspected of
any wrongdoing.

The secret Foreign Intelligence Surveillance Court (Fisa) granted the order
to the FBI on April 25, giving the government unlimited authority to obtain
the data for a specified three-month period ending on July 19.

Under the terms of the blanket order, the numbers of both parties on a call
are handed over, as is location data, call duration, unique identifiers, and
the time and duration of all calls. The contents of the conversation itself
are not covered.

The disclosure is likely to reignite longstanding debates in the US over the
proper extent of the government's domestic spying powers.

Under the Bush administration, officials in security agencies had disclosed
to reporters the large-scale collection of call records data by the NSA, but
this is the first time significant and top-secret documents have revealed
the continuation of the practice on a massive scale under President Obama.

The unlimited nature of the records being handed over to the NSA is
extremely unusual. Fisa court orders typically direct the production of
records pertaining to a specific named target who is suspected of being an
agent of a terrorist group or foreign state, or a finite set of individually
named targets.

The Guardian approached the National Security Agency, the White House and
the Department of Justice for comment in advance of publication on
Wednesday. All declined. The agencies were also offered the opportunity to
raise specific security concerns regarding the publication of the court
order.

The court order expressly bars Verizon from disclosing to the public either
the existence of the FBI's request for its customers' records, or the court
order itself.

"We decline comment," said Ed McFadden, a Washington-based Verizon spokesman.

The order, signed by Judge Roger Vinson, compels Verizon to produce to the
NSA electronic copies of "all call detail records or 'telephony metadata'
created by Verizon for communications between the United States and abroad"
or "wholly within the United States, including local telephone calls".

The order directs Verizon to "continue production on an ongoing daily basis
thereafter for the duration of this order". It specifies that the records to
be produced include "session identifying information", such as "originating
and terminating number", the duration of each call, telephone calling card
numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI)
number, and "comprehensive communication routing information".

The information is classed as "metadata", or transactional information,
rather than communications, and so does not require individual warrants to
access. The document also specifies that such "metadata" is not limited to
the aforementioned items. A 2005 court ruling judged that cell site location
data—the nearest cell tower a phone was connected to—was also
transactional data, and so could potentially fall under the scope of the
order.

While the order itself does not include either the contents of messages or
the personal information of the subscriber of any particular cell number,
its collection would allow the NSA to build easily a comprehensive picture
of who any individual contacted, how and when, and possibly from where,
retrospectively.

It is not known whether Verizon is the only cell-phone provider to be
targeted with such an order, although previous reporting has suggested the
NSA has collected cell records from all major mobile networks. It is also
unclear from the leaked document whether the three-month order was a
one-off, or the latest in a series of similar orders.

The court order appears to explain the numerous cryptic public warnings by
two US senators, Ron Wyden and Mark Udall, about the scope of the Obama
administration's surveillance activities.

For roughly two years, the two Democrats have been stridently advising the
public that the US government is relying on "secret legal interpretations"
to claim surveillance powers so broad that the American public would be
"stunned" to learn of the kind of domestic spying being conducted.

Because those activities are classified, the senators, both members of the
Senate intelligence committee, have been prevented from specifying which
domestic surveillance programs they find so alarming. But the information
they have been able to disclose in their public warnings perfectly tracks
both the specific law cited by the April 25 court order as well as the vast
scope of record-gathering it authorized.

Julian Sanchez, a surveillance expert with the Cato Institute, explained:
"We've certainly seen the government increasingly strain the bounds of
'relevance' to collect large numbers of records at once—everyone at one
or two degrees of separation from a target—but vacuuming all metadata up
indiscriminately would be an extraordinary repudiation of any pretence of
constraint or particularized suspicion." The April order requested by the
FBI and NSA does precisely that.

The law on which the order explicitly relies is the so-called "business
records" provision of the Patriot Act, 50 USC section 1861. That is the
provision which Wyden and Udall have repeatedly cited when warning the
public of what they believe is the Obama administration's extreme
interpretation of the law to engage in excessive domestic surveillance.

In a letter to attorney general Eric Holder last year, they argued that
"there is now a significant gap between what most Americans think the law
allows and what the government secretly claims the law allows."

"We believe," they wrote, "that most Americans would be stunned to learn the
details of how these secret court opinions have interpreted" the "business
records" provision of the Patriot Act.

Privacy advocates have long warned that allowing the government to collect
and store unlimited "metadata" is a highly invasive form of surveillance of
citizens' communications activities. Those records enable the government to
know the identity of every person with whom an individual communicates
electronically, how long they spoke, and their location at the time of the
communication.

Such metadata is what the US government has long attempted to obtain in
order to discover an individual's network of associations and communication
patterns. The request for the bulk collection of all Verizon domestic
telephone records indicates that the agency is continuing some version of
the data-mining program begun by the Bush administration in the immediate
aftermath of the 9/11 attack.

The NSA, as part of a program secretly authorized by President Bush on 4
October 2001, implemented a bulk collection program of domestic telephone,
Internet and e-mail records. A furore erupted in 2006 when USA Today
reported that the NSA had "been secretly collecting the phone call records
of tens of millions of Americans, using data provided by AT&T, Verizon and
BellSouth" and was "using the data to analyze calling patterns in an effort
to detect terrorist activity." Until now, there has been no indication that
the Obama administration implemented a similar program.

These recent events reflect how profoundly the NSA's mission has transformed
from an agency exclusively devoted to foreign intelligence gathering, into
one that focuses increasingly on domestic communications. A 30-year employee
of the NSA, William Binney, resigned from the agency shortly after 9/11 in
protest at the agency's focus on domestic activities.

In the mid-1970s, Congress, for the first time, investigated the
surveillance activities of the US government. Back then, the mandate of the
NSA was that it would never direct its surveillance apparatus domestically.

At the conclusion of that investigation, Frank Church, the Democratic
senator from Idaho who chaired the investigative committee, warned: "The
NSA's capability at any time could be turned around on the American people,
and no American would have any privacy left, such is the capability to
monitor everything: telephone conversations, telegrams, it doesn't matter."

Additional reporting by Ewen MacAskill and Spencer Ackerman


Al Gore "In digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous"

David Farber <farber@gmail.com>
Thu, 6 Jun 2013 08:57:55 -0400
Al Gore, 6 Jun 2013, http://t.co/KONSBtTWjc

The former vice president slammed the overreach of the NSA's surveillance
powers on Twitter.


"The BYOD Mobile Security Threat Is Real" (Tom Kaneshige)

Gene Wirchenko <genew@telus.net>
Wed, 05 Jun 2013 11:26:44 -0700
Tom Kaneshige, *CIO*, 30 May 2013
Cloud storage, text messaging, poor accountability and the "Bad Leaver"
open the doors to data breaches in a BYOD environment, says a cyber-crime
expert in this CIO.com interview.
http://www.cio.com/article/734231/The_BYOD_Mobile_Security_Threat_Is_Real


Re: The Hazards of Gambling (Drewe, RISKS-27.32)

spam trap <nospam.1.friedbadger@spamgourmet.com>
Wed, 05 Jun 2013 10:29:10 +0100
> If the Government takes money off rich people and gives it to poor people,
> this may seem to be "fairer" and reduce inequality,

It does.  A previous poster has eloquently explained this.

> but it rewards people who rely on welfare and punishes those who provide
> for themselves

I would not use the term 'reward' or 'punish'. People on low incomes who
rely on benefits are often struggling to afford the basics.  Many are not
able to find well-paid work.  OTOH taking a little from the wealthiest will
not hurt them.

> (hence in the UK a lifetime on welfare is quite a popular career option).

This is a myth often spread by certain elements in the media.  In truth the
majority of benefits goes to those who do work but are on low incomes.

Describing a lifetime on welfare as a 'popular' career option is
insulting to the majority who would get a (better) job if they could.


Re: Risks of spreadsheets—and leap seconds (Kaiser, RISKS-27.32)

"Bob Frankston" <bob2-39@bobf.frankston.com>
Tue, 4 Jun 2013 20:43:28 -0400
Hidden dependencies are a risk with any program. And then we get
dependencies on the bug. We get away with this because it typically doesn't
matter in a world that isn't very precise. I wonder how many financial
instruments depended on the 1-2-3 bug which treated 2000 as a leap year. I
happened to be well-aware of the problem because my very first program in
1963 calculated leap years on an IBM 1620.

We often get away with accepting these problems because proportionality
rules in the analog arena. And typically the models we are using are indeed
in the analog domain. But when we operate in the digital domain we can run
into trouble. (I posted related comments about big data as
http://rmf.vc/IPBigData).

This is why I keep complaining about the leap second. In the analog world
it's just a pesky second but in the digital world we don't round "1/2/2020
23:59:59" because we know that that is really 1/2/2020 though using
epoch+seconds it might not be. For that matter essentially none of the
date/times in databases for the last 40 years are correct since they just
pretend leap seconds don't exist. They can't because time functions simply
don't have the information to do interval calculations.


Re: Apple says you can't use the iTunes/App Store ... abroad (R-27.32)

Steve Wildstrom <steve@wildstrom.com>
Wed, 5 Jun 2013 07:47:31 -0400
This has to do with content licensing issues and the blame falls on the
content owners, not Apple. In a sense, it is related to the DVD zone
problem. Content owners license Apple to distribute movies and other content
on a country-by-country basis. To comply with the terms of these agreements,
Apple has to limit sales to the customer's home country, thus the ToS
restrictions. And the EU doesn't help here; licensing, like much else, is
still on a national basis.

Steve Wildstrom  www.wildstrom.com/steve
