Sunday, November 11, 2007

.. [ how Arizona's HB 2734 invades your privacy ] ..

One of the most important things to recognize is that every email sent, has a return address automatically attached from where that email came. That address comes in the form of the client machines Internet connection First, when reading the legislation you have to read it in its entirety, add to it the context from which the law was written while being legislated, then review the effects of the implementation of the legislation . This test of intent to effect helps law makers stay in balance and hopefully figure out if both the law and its effects are Constitutionally sound. In Constitutional speak, this is called, the "intent-effect" test. Used primarily in this context, HB 2734, a recent trend to drive already convicted sex offenders back to prison, help determine if a statue has been drafted off its intent. Regulatory over punitive! (Now of course since this a tech-speak-illustration ,I am leaving out all the law, that supports my general statement.) But, what I can reveal, as a sex offender, who is a graduate of Arizona State University, and justly recently returning to the campus to peruse the ASU law library, I find it intriguing to look at this legislation, and difficult to not apply my computer engineering background to the effects of this law. When I do, I cannot but not recognize an old saying, 'the devil is in the details.'

Getting to the nitty gritty! How does HB 2734, which on its surface, appears to just collect a pool of sex offender email address effect the ability for anyone designated as an "ELECTRONIC BUSINESS OR ORGANIZATION THAT OFFERS ELECTRONIC COMMUNICATION SERVICES FOR COMPARISON WITH INFORMATION THAT IS HELD BY THE REQUESTING BUSINESS OR ORGANIZATION" to retrieve and compare all information collected within their infrastructure, of everyone sex offender associates with via email?

Let me show you how this happens.

There is an assumption in this legislation, or a piece of ignorance, that an email address is some type of unique identifier, called an Online Identifier (OI) in this bill, from which something has a unique and distinctive association with a SEX OFFENDER. This naiveness assumes, or conveniently turns its head in wanting to believe, that the OI, is tangently similar to a sex offenders home address, or telephone number, or birthmark, or tattoo on that offenders forearm.

But, as I walk past the fancy new computer engineer building, which is ominous in its own right, and makes me smile in comparison to the building its humble beginnings across from the math department, I can only conceptualize how this can be true in a few scenarios. This being when that OI-email address has arrived at its EMAIL server, within the confines of some data center, which is coincidentally shared by countless other non-sex offenders, and when that OI-email address arrives within that server and ready for you to download to your local computer to be read.

All other times, that email address is a chunk of data indistinguishable only by the internet protocol address (IP address) that was given to it by the local hardware device that connected the OI-email client to the cyberspace. What I am hoping to illustrate, through an attempt to dumb down the effects of implementing this legislation technologically, and how when I do this I can prove, even before the bill goes into effect on January 1 of 2008, that the bill in its intent fails constitutionally to not abridge rights of constitutional magnitude of not only sex offenders, but importantly, to every person that a sex offender may attach his computer to or send an email utilizing his registered IO-email account.

Technically Speaking

Keeping this discussion in non-technical speak the only analogy from which I can illustrate what an OI is not is from me to compare what happens to voice as it travels across the wire in the familiar plain old telephone world (POT ) we are used to with wires and a receiver. When you pick up the phone, dial it, and someone picks the other side up, the government is highly scrutinized and regulated from the moment a connection is made till the time is hung up. One of the most important of these regulatory safeguards is the Privacy Act of 1974 which states that a government cannot intrude upon the communication of its citizens without the permission of at least one of the persons involved, or it can be shown that there was never any intention of privacy.

But, the Internet is still in its infancy and the discussion of who should regulate its space is at odds. In advanced to the regulatory ownership sex offender legislation is pioneering to do something about the Internet to guarantee children are safe. With the desire to put an end to its purpose as a vehicle for communication for predatory acts, the discussion of how to do it, has crossed many paths. Some of this like DateLines "To catch a predator" and websites like "Perverted Justice" have touched a nerve of the American Media and a call for order has been shot by advocates such as Greta Van Susteren and other mob justicites are determined to put a halt to the medium as a form of predator communication. HB 2734, passed in July of 2007, has had a dormant period assigned to its implementation, and it is the authors hope, that this was done to study a breadth of the magnitude this legislation has touched. If not, it is the hope of this writer to offer why this bit of legislation should be shelved forever.

The Privacy Act of 1974

The Privacy Act was written with the intent of protecting citizens from governmental intrusion and has been extended through rulings of the Courts to encompass many different forms of communication since its adoption in 1974. In reviewing the static nature of the POTS telephone system one has to recognize, that until wireless has matured to the state it is today, communication via the telephone has constantly been done thorough static connections, thus easily, containing easily defined end-points. But, with the invention of products by CISCO systems voice over IP (VO-IP) tele-systems, the static world of communication and the expansion of what is considered as acceptable privacy practices with the Privacy Act in mind will be tested.

Utilizing either wireless or static connectivity, the Internet dynamism as a communication tool is not reliant upon any static connectivity, in fact the very nature of how it transports your data, whether voice or data, is built upon the liberty from which end point systems communicate with each other and the ability for the data to be transported to be determined at will. To give you a not tech-speak example, imagine driving to grandma's house if there are 10 different paths from which you can get there, and the ideal aim is to get there as soon as possible, it would be advantageous to know in advance before getting in your car which path will by green when you get there. In the Internet world, information traveling through cyberspace have this knowledge. They are called entry and exit point devices called routers, and switches that communicate to each other constantly and tell each which entry points, or in the stop light scenario, which lights are going to turn green, and will allow your to travel where you needed with the least resistance. Or to drive to grandma's without have to stop at too stop lights.

Internet Railways

The transport that regulates how data is passed through cyberspace is called the Internet Protocol (IP ) and it is the responsibility of routers spoken about earlier to make sure that a sending routers packet are managed (TCP) or not unmanaged (UDP) have been passed as they are supposed to be. Kind of like a conductor does when you take a train ride. A routers job is to make sure all packets are "Onnnnn-Boooooard!" and accounted for.

But, once again the Internet's dynamism, which is it strength, have no human conductors, for if it did, it would be like placing a bug on the telephone analogy outlined above. A complete infringement of privacy!

But, back to the case at hand.

In my illustration about how email travels across the Internet, I eluded to, but never described how the router, or the conductor, knew how they were supposed to manage that the information coming to it, or leaving from it, and how they were to know whether a person walking around the train was even a customer to begin with. To answer this, I have to assign every conductor with a numeric value, or name. This name we have become familiar with, as it is the domain name of the company who owns the device that connects to the Internet. The name of thee devices is masked, but are exposed to the Internet if you know how to transcribe them. (I will show this later.)

To do this a naming scheme was devised by DARPA DARPA called the DNS system (Domain Name System). To transport information across the Internet via cyberspace reliable the scheme outlined by DARPA in the early Internet days provided for each end point and entry point device to have statically assigned IP addresses with a corresponding domain name so that packets could be routed properly from end-point to end-point. Thus every packet of information has to as well have associated IP addresses which is derived from the hardware from where it originated. This way the router can verify, called TCP/IP packets, or not verify, UDP/IP packets, in making sure that all the information wishing to be transported, have arrived at their intended destination.

In many ways this is like the post master guaranteeing your mail delivery. But, lets not forget something I said earlier. Earlier I mentioned that the internet's strength was in its dynamism in how it was able to transport the information you wished to have communicated, and that allowed for faster paths to be used every time you wanted to send data across cyberspace. But this does come at a cost. In the case of data being transported across the Internet, to maintain the speed of the data information is transported in small chunks of data, then rebuilt automatically once it arrives where it was intended.

What this means is that if you have an email which is one page long. It will actually be broken down into small packets of information and transported across Cyberspace. For example, a typical packet of information transported across the Internet is 1,000 to 1,500 bytes in size. If you want to send the an single page email that has a few images attached to it, like the one I get from MSN every day telling me my daily horoscope, which is about 20,480 bytes in size, the email will be broken down into approximately 21 packets of datum. (The reason I said minimum, is because the router as well has some overhead that it has to attach to that packet in order to manage the information across the Internet.)


In review, up to this stage I have not said very much about the OI-email which is the topic of this bill. Up to this point, I have had a lengthy discussion of how information is transported via cyber space, and I have discussed things such as routers, IP addresses and packet sizes. In addition, I have said very little about the OI-email address and the other OI associated with this b ill. The reason why is because the OI's, irregardless if they are use names for programs that use UDP as a transport, i.e. MSN chat, IRC, SKYPE accounts (VO-IP accounts), etc... because all of these are insignificant it is their associated IP address that determines communication across the Internet.

In the phone call illustration above, it was stated that it is a violation of the Privacy Act for the government to intrude and perform warrantless phone communication, in setting up a phone tap, or placing a digital recording device between two unknowing callers. This is based on the premise that each are expecting a level of privacy, and are communicating to each other with that expectation.

Therefore, herein lays the problem, and what I feel is the deception laid out in this legislation. Commonly called the finding of scienter. Courts across the country have determined that when a person sends images across the Internet that are illegal, since they are using the Internet, there is no expectation of privacy. But, those are post conviction relief arguments.

Not as we have in this instance. A law that is legislating that due to a person crime, and in Arizona this is for the rest of this persons life, they must allow the government, or any entity who requests the information, to do a comparisons on all OI's. Which, I have illustrated above is in fact not an OI, but the IP address associated with that OI. For to do data comparison, there is no way to search at the hardware layer of the TCP/IP stack (OSI layer) for an email address, OI or another internet based moniker without first finding the IP address,a nd reverse engineering to the OI, or the unknown cyberspace moniker associated with that IP.

It is obvious to me that the writers of this legislation knew this. Hence the ambiguity and broadness of who could receive and do what with the information.

Now let me show you how easy it is to reverse engineer your email address, then show you how I can track your every move, even without talking to the router directly! with wireless telephony taking place as a huge communication protocol for telephony, the use of email address and their associated IP addresses now makes it possible, though this legislation, for a company doing comparison analysis to track all VO-IP conversation.

1.) Go to an email in your in box and pick out an email. In my case I am going to go to a local politician and pick out an email she sent me several months back.

Now depending on your client, find the email properties tab for that particular email. In my case I am using Outlook Express. So to do this I do the following steps: 1.) go to "File,Properties" or alternatively with the email open type "alt,enter" 2.) go to the "Details" tab

3.) In the message Source window Search for the line that states "Received" or "X-Origination-IP:"

That IP address is the IP address that connects the email address, to how the email was transported across Cyber space.

5.) Now that you have that IP address, you can begin listening, or in this case, running queries against that IP address in the log files at the router and find out all Internet usage by that device! Irregardless, who owns it!

From your machine you can as well doing something fun, that basically shows you all the conductors (routers) you can query in order to determine what that IP address has been doing. To do this 1.) go to "start,run and type, cmd", 2.) in the command window type "tracerte IP address" and you wills see all the routers that email potentially took to get that email to your machine. The actual path is stored in the router tables at each ISP's Cyperspace entry point.

Review of what we learned

HB 2734 allows for sex offender email addresses to companies who can query all of their routers for sex offenders Internet traffic

In order for the companies to utilize these email addresses they have to find the IP address attached to that email address in order to query their routers logs

Once the IP addresses is revealed all Cyberspace traffic can be recorded for that IP address

That IP address is associated with a sex offender, but as well as non-sex offenders (Joe General Public) who share that ISP entry point

An ISP finding illegal activity, must report that to local law agencies, and they can not tell anyone that the activity was found to be done by sex offenders

What we have here are many Constitutional infringements and the intent-effect analysis shows that the law is far from anything regulatory. Unless of course if you are allowed to call investigations without a warrant, Constitutional!

No comments: