« July 2008 | Main | September 2008 »

August 29, 2008

RFID Tags Enable 24/7 Surveillance [Part I]

Are you ready to begin living a tagged life?  If you are, the future is here, courtesy of radio-frequency identification (RFID) tags.

Stage 1 of your tagged life is now here, in the form of new high-tech driver's licenses, which can be used at U.S. border crossings in Mexico and Canada.  Each license incorporates a RFID tag encoded with a unique identification number. 

As you approach a border crossing, a RFID reader sends out a signal that an antenna on the tag picks up.  The tag in turn reveals its ID number.  By the time you arrive at the border crossing, Customs agents already have your name, address, photo, and other details in front of them.

Ordinary U.S. passports also contain a RFID tag.  The only difference is that the tag can't be read remotely, at least in theory. 

States on the U.S. and Mexican border have now started to issue RFID-equipped licenses.  The state of Washington now issues an RFID tagged "enhanced driver license," which can be used for border crossings to and from Canada.  In the near future, Arizona, Michigan, New York, and Vermont will begin issuing them.

Although there's no law requiring you to obtain an enhanced driver license, once you sign up, you open the door to privacy invasion on an unprecedented scale.  That's because the RFID tag number on your license is associated with your identity.  Anyone with a RFID reader—an item you can pick up for a few hundred dollars—can interrogate the tag and access the data on it.  Combine that with the growing number of products which contain RFID tags—credit cards, ATM cards, cell phones, key cards, etc.—and the potential grows exponentially for surreptitious tracking, wherever you go.

Some people don't believe that's a problem.  I do, though, because the data on the RFID tags in enhanced drivers' licenses isn't encrypted.  An identity thief, a stalker, a private investigator, or anyone else who wants to learn your identity, and potentially match it to the growing array of data tied to your tag number, can remotely interrogate the tag with a simple RFID reader.  You won't even know when it happens. (In contrast, the data on the RFID tags in U.S. passports is encrypted--although hackers have already figured out how to clone the data).

Combine this potential for abuse with the huge plans corporations—and the government—have for "people tracking" via RFID tags, and the potential for 24/7 surveillance is obvious.  For instance, an IBM patent granted in 2006 describes a network of interconnected RFID readers that IBM calls "person tracking units" (PTUs).  IBM envisions installing PTUs everywhere that people go—in airports, shopping malls, sports arenas, theaters, etc.  According to the patent, the PTU network would "keep records of different locations where the person has visited, as well as the visitation times."

How do corporate America and the U.S. government plan to use the massive amounts of data gathered through RFID tags?  Essentially, to facilitate 24/7 surveillance of everything you do and everywhere you go.  I'll have more to say about that in my next blog entry...stay tuned.

Copyright © 2008 by Mark Nestmann

Posted at 03:23 PM in Financial Privacy, National ID, Travel Privacy | | Comments (0)

August 27, 2008

Attorney-Client Privilege: Use It, Don't Lose It

When you retain a licensed attorney, you generally have the right to refuse to disclose all "confidential communications" between you and your attorney.  You also have the right to prevent others from disclosing confidential communications.  In U.S. law, this is known as the attorney-client privilege.

If your attorney delegates responsibilities to others, the privilege usually extends to these people.  This is true even if they aren't licensed attorneys.  In addition, the privilege generally extends to communications between your employees and your attorney.  To be enforceable, there should be a written agreement between the attorney and those working under his or her supervision. 

However, what the courts consider "confidential communications" protected by attorney-client privilege isn't as broad as you might think.  For instance, documents and other written materials your attorney produces ("work product") aren't generally privileged unless prepared "in anticipation of litigation."  Nor does the privilege extend to work your attorney does at the direction of another person; i.e., an accountant.  In addition, if your attorney isn't acting as a lawyer, but in another capacity (e.g., to provide investment advice), the privilege generally doesn't apply.

There are also important differences between the states in the scope of protected communications.  California law, for instance, has a more expansive interpretation of confidentiality than virtually any other state.

Preserve the Privilege!

Unfortunately, it's easy to waive attorney-client privilege in a number of situations:

  • If you disclose to others information that your attorney conveyed to you in confidence, or that you conveyed to your attorney. 
  • If someone who isn't a client, employer or under contract to the attorney participates in a conversation between you and your attorney. 
  • If your engagement with an attorney involves tax planning, especially planning construed by the IRS as a tax shelter. 
  • If written communications to and from your attorney don't contain a statement stipulating that they are confidential and subject to attorney-client privilege. 
  • If you communicate with your attorney via unencrypted e-mail. If you must send and receive unencrypted e-mail from attorney, use a computer that only you can access.

Finally: discussions with an attorney someone else is paying for (e.g., your employer) aren't always protected.  In any kind of investigation by your employer or a government agency, hire your own attorney.  Don't rely on the "free" advice provided by an attorney employed by your own company.

Copyright © 2008 by Mark Nestmann

Posted at 05:56 PM in Communications Privacy | | Comments (0)

August 25, 2008

Surprise, Surprise! U.S. Tracks All Border Crossings

One long-term goal of the War on (Some) Terrorists is to create a "lifetime travel history" of all U.S. citizens and visitors to the United States.

A critical component of the lifetime travel history is now in place: the Department of Homeland Security's "Border Crossing Information System" (BCIS).  This database will collect information on all U.S. citizens crossing a U.S. border by land.  It co-exists with existing databases that track U.S. citizens' air travel, and for foreigners entering the United States.  Operating together, these databases create a blueprint for a lifetime travel history for anyone crossing a U.S. border.

Naturally, the DHS may share data in the BCIS with federal, state, local, tribal, or foreign governments.  And, although the BCIS is purportedly an anti-terrorist initiative, the DHS may release data to help enforce any civil or criminal law or regulation.  It can even share data with the news media, "when there exists a legitimate public interest in the disclosure of the information."

And of course, the entire system will be exempt from the Privacy Act.  That law would otherwise give you the right to know which law enforcement or intelligence agencies has reviewed your records, along with the right to correct errors or omissions in the database.

Instead of known or suspected terrorists, the government is tracking everyone who crosses a U.S. border.  And since there are no limits to how the government uses the data collected, the BCIS is almost certain to be used for politically motivated surveillance. 

That's particularly true with the new U.S. passports equipped with RFID chips.  The chips will eventually contain the final component of a lifetime travel history: a record not only of U.S. border crossings, but also of border crossings in other countries.  That feature soon will be added to the RFID chip in U.S. passports, according to standards issued by the International Civil Aviation Organization (ICAO).  The ICAO's technical standards for RFID chips in passports specifically reserve memory space for creating a log of border crossings or other situations in which the chip is queried. 

The potential for abuse is obvious.  Imagine that such a system existed now, and the DHS were to release data "in the public interest" that a leading presidential candidate had made previously undisclosed visits to Iran, North Korea, or Cuba.  Not to mention the sort of interrogations that would accompany visits to countries with reputations as tax havens, or that otherwise are "controversial."

Once this system is up and running, if you value your travel privacy, you won't want to use a U.S. passport when you travel internationally.  If you're a U.S. citizen, you must use your U.S. passport when you enter or leave the United States, but you're under no such obligation when you enter or leave other countries. 

Fortunately, it's still perfectly legal for U.S. citizens (and almost anyone else) to obtain a second passport.  The easiest way to qualify for one is based on your marital status, religion, or ancestry. 

A handful of countries also offer "instant" citizenship and passport in return for an economic contribution.  Dominica, St. Kitts/Nevis, and Austria are the only countries with such programs.  In all three countries, you must pass a strict vetting process that includes a comprehensive criminal background check.

For more information on how to obtain a second passport—and preserve your right to travel privately—see http://nestmann.com/passport.html.

Copyright © 2008 by Mark Nestmann

Posted at 04:46 PM in Alternative Citizenship and Residence, Travel Privacy | | Comments (0)

August 21, 2008

Click Here to Sue!

Looking for a quick buck?  Starting next month, you could do worse then surfing to http://www.WhoCanISue.com.

You too can get rich playing the "lawsuit lottery," Just go down the list of everyone you don't like, along with everyone you think has wronged you, to see if you have a case. 

It couldn't be easier.  On WhoCanISue, you first sign up and then answer a series of general questions about your specific grievance.  Based on your answers, you'll receive guidance on whether your target is "worth suing." 

If the answer is yes, WhoCanISue will then put you in touch with an interested attorney.  If no, simply go to the next grievance!

WhoCanISue.com now joins the ranks of Web sites like SueEasy (http://www.SueEasy.com) and LegalMatch (http://www.LegalMatch.com).  And, while you're case is pending, you can get an advance on your settlement from Lawsuit Funding (http://www.lawsuitfunding.com).

However, I suspect that most readers of this blog aren't in the market to sue anyone.  More likely, you're someone at risk for being sued.  To find out, how vulnerable you are, click here to take this online quiz: http://www.nestmann.com/popups/99ways.html.

What can you do to reduce your risk of being sued?  Here are a few suggestions:

Keep a low profile. People who openly display their wealth get sued much more often than those that don't.  So, to avoid lawsuits, don't make extravagant displays of your wealth.  For instance, instead of buying a mansion, rent a smaller home that is modest on the outside, but impeccably furnished within.  Send your children to a local private school, rather than a nationally recognized academy.  Instead of buying a Ferrari, lease a mid priced automobile, and have it customized to your taste.  All these steps lower your profile to potential litigants, and lessen the probability you will be investigated or sued. 

Keep your mouth shut.  Not disclosing personal information is the first line of defense and an essential element of the lifeboat strategy.  You have no way of knowing what a friend, lover, a casual acquaintance, or someone on the street who offers you a small reward will do with the information you disclose.

Deal with petty grievances from neighbors, friends, co-workers, etc.  If your neighbor asks you more than once to quiet your barking dog, take the complaint seriously.  If you don't, one day you just might find a process server at your door giving you notice of a lawsuit filed against you by your neighbor. 

Don't make promises you can't keep.  And keep the promises you make.  These rules are easy to repeat, but difficult to apply in real life.  A practical example is when a friend or family member asks you to co-sign for a loan.  The question you need to ask isn't, "Can I trust this person?" but, "Do I have the financial means to make good on this obligation?"  It's unlikely you can force your friend or family member to pay off the loan, at least not without losing the friendship or straining family ties.  You also have little or no control over what extraneous events might occur that would prevent the loan recipient from paying off the obligation.

Take practical steps to secure your wealth from lawsuits. The most important precaution is to purchase liability insurance for your home, your business, and your vehicles.  Don't stop at the minimum limits, either.  If you can purchase an "umbrella" policy with limits of US$1 million or more, do so.  For additional suggestions, click here

Even with these precautions, Web sites like WhoCanISue and SueEasy virtually guarantee an explosion in frivolous lawsuits.  No one is immune from attacks by American trial lawyers.  But by taking these precautions, you will have come a long way in the right direction!

Copyright © 2008 by Mark Nestmann

Posted at 04:13 PM in Asset Protection | | Comments (0)

August 19, 2008

The US "Passport Card": Your New National ID

Back in 2005, Congress enacted the "Real ID" Act.  This law, which Congress enacted unanimously, with no discussion, and without even reading the bill, imposed national standards to insure state-issued identity documents couldn't be counterfeited or falsified. 

Real ID seemed relatively harmless, except for one key component: the creation of inter-connected state databases to include details on nearly 250 million licensed drivers.  Any state could interrogate any other state's database.  And naturally, the federal government could interrogate any state database.  As such, critics, including myself, accused Congress of imposing a national ID card through the back door.

Three years later, the Real ID initiative is moribund.  Legislators in nearly 30 states have refused to go along with this federal mandate.  And while the Department of Homeland Security has issued "extensions" to the May 2008 compliance deadline, most states appear to have no intention of complying.

Perhaps that's the reason that on July 22, 2008, in a joint press release from Departments of State and Homeland Security, the government announced that it's now producing something called the "U.S. passport card."

According to the news release,

"The passport card facilitates entry and expedites document processing at U.S. land and sea ports-of-entry when arriving from Canada, Mexico, the Caribbean and Bermuda.  The card may not be used to travel by air.  Otherwise, it carries the rights and privileges of the U.S. passport book and is adjudicated to the exact same standards."

Sounds harmless enough.  But I think there may a hidden agenda. 

First, consider that any company that employs anyone in the United States must now verify the identity and employment eligibility of all new employees.  Wouldn't it be great if the new passport card could be used for that purpose?  Well, it can...what a coincidence!

Second, consider that according to the news release:

"To facilitate the frequent travel of U.S. citizens living in border communities and to meet DHS’s operational needs at land borders, the passport card contains a vicinity-read radio frequency identification (RFID) chip.  This chip points to a stored record in secure government databases.  There is no personal information written to the RFID chip itself."

So, what do we have here?  Essentially, we have an identity document you can use both to confirm your identity in the United States and at U.S. borders.  What's more, since it's equipped with a RFID chip, the government can add driver's license data any time it wants. 

I wouldn't be surprised if after a decent interval—six to 12 months—DHS issues another press release to announce that the passport card can be used for all "federal purposes" that the Real ID initiative was supposed to address.  In plain English, that means you'll need Real ID compliant driver's license, a passport card (or an actual passport) to travel on an airplane or enter any secured federal facility, such as a federal courthouse or even a Social Security Office. 

Of course, since the passport card is a federal initiative all along, there's no longer a need for a national interconnected database of drivers' license information.  The feds will have something even more valuable—and dangerous—a national database it can use for whatever purpose it deems suitable without any state-imposed restrictions.

Should this scenario come to pass as I anticipate, the government will have effectively bypassed state opposition to the Real ID Act and imposed a national ID, albeit in a very sneaky way. 

I hope that I'm wrong, but if not—you read it here first. 

Copyright © 2008 by Mark Nestmann

Posted at 05:32 PM in National ID | | Comments (0)

August 18, 2008

Asset Protection by Stealth: Why—and How

Lots of people contact me because they're interested in protecting their assets.  Yet, in setting up an "asset protection plans" for clients, I always caution them never to refer to their plan as, well, an "asset protection."

Why it that?  It's because "asset protection" has a negative connotation, especially in the United States.  The United States has a very "creditor friendly" court system.  If you make your assets unavailable to meet the claims of a creditor, many judges will view you as a deadbeat.

Whatever You Say, Don't Say "Asset Protection"

For that reason, when you set up an asset protection plan, there should be other reasons for the plan to exist other than asset protection.  If you can prove that these other reasons actually exist, then the asset protection part of the plan has a much better chance of holding up in court.

Here's an example. Let's say that you decide you want to set up an "asset protection trust."  You consult with a trust company in, say, the Cook Islands, and the company obligingly sets up a Cook Island international trust. 

What have you accomplished?  Yes, you now have a trust in the Cook Islands, with one of the world's strongest asset protection laws.  Yet, you've also formed a standalone structure that screams "deadbeat" to anyone who finds out about it. 

To force "deadbeats" to pay their bills, judges have a variety of tools available, up to and including jailing a debtor.  This last remedy isn't common, but it does exist most notably, in situations where a debtor or the debtor's legal advisors have made serious planning errors.

Understanding—and Avoiding—the "Anderson Fiasco"

One of the most famous examples where this scenario unfolded came in a case involving a Mr. and Mrs. Anderson, who allegedly were engaged in a Ponzi scheme.  The Federal Trade Commission (FTC) sued the Andersons in federal court and obtained a US$20 million judgment.

When the Andersons claimed that they couldn't pay the judgment, the FTC obtained a court order requiring the couple to repatriate US$8 million in assets from their Cook Islands trust.  The Andersons failed to obey this order and the judge jailed the couple for civil contempt.  A federal appeals court affirmed this decision. 

The judge released the Andersons from jail only after they:

  • Appointed a company controlled by the FTC as the new trustee of their trust
  • Amended the trust to remove the FTC from the definition of "excluded persons" under the trust deed
  • Resigned as protectors of their trust

In many ways, the Anderson case was a worst-case scenario due to serious errors in their trust.  Their most important error was that the Andersons were named as both co-trustees and co-protectors of the trust, a position they gave up only when their trial began. 

How to Protect Your Assets—and Stay Out of Jail

Fortunately, in the vast majority of situations, you don't need to go to jail to protect your assets.  All you have to do is to make sure that asset protection isn't transparently the sole purpose of your plan.

Returning to your example, let's say after consulting with a qualified attorney in the United States, you jointly decide that a Cook Islands trust should be part of your asset protection plan.  Only, instead of having the trust be the only element of the plan, it exists as part of a larger structure that accomplishes other goals.

For instance, an integrated structure that includes a Cook Islands trust might also contain your last will and testament, a living trust, and possibly a domestic limited partnership.  At your death, your residual assets "pour over" from the will into the living trust.

Properly structured, this configuration serves several purposes that are completely unrelated to asset protection:

  • Provides convenient access to non-U.S. investments
  • Doubles the estate tax exemptions for a married couple
  • Provides the opportunity for valuation discounts for gift tax purposes through gifts of limited partnership interests
  • Serves as the primary estate planning device after your death

Depending on your particular needs, many other elements can be brought into this structure.  The important point, though, is that asset protection is no longer the only—or even the exclusive—purpose of the plan.  It exists as a by-product of the plan, because the assets will be safely tucked away offshore, safe from creditors. 

Avoid "Fraudulent Conveyance"

The time to set up this type of plan isn't after you've received notice of a lawsuit.  You should form it when there are no pending claims against you, or that you even know about.  That way, it's unlikely that a court can later declare your plan was intended to "hinder, delay or defraud" creditors, thus making the transfer of assets a voidable "fraudulent conveyance" in the eyes of the law.  This determination is best made after consultation with an experienced asset protection attorney.

Finally, before you create or transfer assets to an offshore structure, be certain to seek out professional advice to insure that these actions won't constitute a fraudulent conveyance—and potentially subject you to the "Anderson fiasco."  But, if there are legitimate purposes not related to asset protection, you've gone a long way toward insuring that your planning will hold up in court.

Copyright © 2008 by Mark Nestmann

Posted at 07:25 PM in Asset Protection | | Comments (0)

August 13, 2008

Are You Ready for the e-PATRIOT Act?

If you've ever wondered how Congress could possible enact legislation as complex as the USA PATRIOT Act less than 30 days after the events of Sept. 11, 2001, you're not alone.

The answer, though, isn't that mysterious.  The proposals that eventually became the PATRIOT Act weren't new.  They had been previously introduced numerous times, but never enacted.  Only after the tragic events of 9/11/01 did Congress act. 

And that's what leads me to make a prediction: within a few years, perhaps much sooner, there will be an information security "meltdown" event that is too big to ignore.  Perhaps terrorists will steal launch codes to nuclear missiles and initiate an attack on Israel.  Maybe hackers will infiltrate NSA computers and shut down its network of more than 50 surveillance satellites.  Whatever the event, whatever administration is in power—Democrat or Republican—will demand an immediate congressional response: a PATRIOT Act for the Internet.

What's more, much of such an e-PATRIOT Act already exists.  According to Stanford University law professor Larry Lessig, who founded the university's Center for Internet and Society, the Justice Department is waiting for an Internet security meltdown before introducing a cyber equivalent of the PATRIOT Act.

What will the e-PATRIOT Act include?  The Justice Department isn't talking, but it's safe to assume that it will include provisions previously introduced, but rejected due to civil liberties concerns.  These include:

  • Mandatory disclosure of encryption keys and passphrases after a court order or some lesser legal process
  • Prohibition of anonymous e-mail accounts
  • Mandatory retention of e-mail logs and Web surfing logs by Internet Service Providers
  • Mandatory use of "Internet ID cards" to access the Internet

And that's just for starters.  The Justice Department no doubt has many other initiatives in mind, waiting for an expedient time for introduction. 

As bad as an e-PATRIOT Act would be, it's not the end of the world.  One suggestion I've seen on several blogs for communicating without the Internet is short-wave radio.  And there's always postal mail, which, despite being derided as "snail mail," can't be routinely monitored as easily as e-mail. 

While the timing of the e-PATRIOT Act is unknown, its eventual arrival is a near-certainty.  Be prepared!

Copyright © 2008 by Mark Nestmann

Posted at 07:45 PM in Communications Privacy | | Comments (0)

August 12, 2008

America's "Long Arm" is Very Long Indeed

Have you committed a "tax crime"—or any other crime—that could be prosecuted in the United States?  If you have, you should know that there are few if any practical limits to U.S. jurisdiction if Uncle Sam wants to bring you before its courts. 

Whether it's through an extradition treaty, deportation, or even kidnapping, it's perfectly legal—at least under U.S. law—for U.S. authorities to take "any means necessary" to accomplish this goal.

The best-known method for the United States to bring someone from outside its territorial jurisdiction before its courts is via an extradition treaty.  The United States has extradition treaties in force with over 100 countries.  The largest countries that don't have extradition treaties with the United States are China, Indonesia, Russia, and South Korea. 

Extradition to the requesting country is subject to the laws, procedures, and policies of the requested country.  However, even if there is no extradition treaty in effect—or if the offense with which you are charged (e.g., violations of U.S. economic sanctions against particular countries) isn't covered in the particular treaty—the United States has numerous alternatives to bring you before its courts.

For instance, U.S. authorities might try to nab you when you travel internationally.  Let's say you're a Russian national who travels internationally on their Russian passport.  While you've never set foot in the United States, you have an e-mail account at G-Mail, a U.S.-based e-mail service.  Through this account, you've transacted considerable business with companies in Iran—a country against which the United States has imposed economic sanctions. 

Under U.S. law, using the G-Mail account may well provide U.S. prosecutors with jurisdiction to indict you for violations under the International Economic Emergency Powers Act (IEEPA).  The fact you've never visited the United States won't prevent an indictment.  Nor will it prevent an increasing number of governments from extraditing you to the United States if you set foot there. 

For instance, the U.K.-U.S. extradition treaty eliminates most evidentiary requirements for extradition.  Since the United States now reportedly has access to airline passenger manifests from persons flying into our out of the United Kingdom, it can easily screen these names against those persons it wants to extradite.  Should you fly from Moscow to London, it's possible that when you arrive, police will take you into custody and place you into detention.  Depending on the nature of your alleged offenses, you may—or may not—be able to avoid extradition to the United States.  Welcome to the USA!

The United States can also request that you be deported to its custody, so long as you are present in a particular country, if only for a brief visit.  For instance, when the U.S. Department of Justice wanted to bring offshore tax scammer Marc Harris to the United States from Nicaragua, it didn't use the U.S.-Nicaraguan extradition treaty.  Instead, it issued an Interpol notice, which many of Interpol's 186 members treat as a valid request for provisional arrest.  After arresting Harris, Nicaraguan authorities deported him to the United States, where he was subsequently tried and convicted for tax evasion and money laundering. 

What if you live in a country with no extradition treaty with the United States and never travel outside that country?  In that event, U.S. authorities can carry out an "extraordinary rendition" to bring you into U.S. custody.  This essentially amounts to sending undercover operatives into the country, kidnapping you, and bringing you back to the United States.  Numerous alleged "enemy combatants" now awaiting trial before military tribunals at Guantanamo Bay, Cuba arrived via extraordinary renditions.  And, in case you wondered, the Supreme Court has blessed the practice of kidnapping criminal suspects, even where an extradition treaty is in effect. 

What should you do if you've been accused of a crime in the United States, but live elsewhere?  Certainly, you should hire a competent attorney in your own country to advise you of your options.  One option might be to approach the authorities in your own country and request that you be prosecuted under its laws.  The punishment may be much less than what you would face in the United States, and under most conditions, you can't be extradited for a crime for which you've already been tried. 

Copyright © 2008 by Mark Nestmann

Posted at 04:13 PM in Travel Privacy | | Comments (0)

August 07, 2008

Welcome to the Olympics…and Big Brother

You've realized a lifelong dream…and arrived in Beijing just in time for the opening ceremonies on Friday, August 8. 

No doubt you've brought your suitcases, video recorder, and if you're a bit more adventurous, a Chinese language phrasebook.  But upon your arrival, you'll have an unacknowledged, although very real, presence to accompany you throughout your visit: Big Brother.

This isn't the Big Brother of old, as China displayed to the world at Tiananmen Square in 1989.  No, the new Chinese Big Brother is a lot subtler.

Take the cab ride to your hotel, for instance.  Nearly all of Beijing's taxis are equipped with microphones and video cameras that the Chinese security services police can remotely activate to eavesdrop on passengers.  And please don't discuss politics: if you say something offensive, you could be deported before you even arrive at the opening ceremony! 

Assuming you arrive intact at your gleaming five-star digs, you'll no doubt want to log on to the Internet to catch up with events at home.  With what China calls the "Great Firewall," you might notice that certain Web sites aren't accessible, particularly if they're reporting on events Tibet, human rights violations in China, and the Falun Gong spiritual movement. Other Web sites, such as the BBC or Voice of America sites, are blacked out entirely.

But more likely, you want to read e-mails from home and perhaps correspond with your colleagues at work.  You'll be glad to know that you won't be the only one reading your communications: more than 30,000 full-time security officials monitor e-mail, Internet forums, blogs, and news sites.  And especially if you're staying at one of Beijing's luxury hotels, your room probably comes with a video camera and microphone as well that officials can remotely activate anytime.

Once you leave your room, your belongings probably won't be stolen, thanks to tens of thousands of police stationed throughout the city, and in hotels.  However, when you return, you may notice—or more likely, notice—a few hidden additions to your laptop, cell phone, Blackberry, or other portable electronic device.

In just a few minutes, security officials can sneak into your room and copy all data off any electronic media you've brought with you—your laptop's hard drive, the contact list on your cell phone, etc.  They can also plant software into any electronic device that effectively takes it over once you reactivate it.  From that point forward, even after you return home, Chinese officials can monitor every keystroke on your laptop, your PDA, along with all conversations or text messages on your cell phone. 

How likely is it that you'll be targeted?  Since China requires most visitors to apply for a visa, officials will know in advance that you're arriving.  And, if you're important enough—or if officials believe you possess important information that could be useful to China—you can probably count on the kind of reception that I just described.

Cisco and other U.S. companies manufacture most of the equipment and software China uses for this type of surveillance.  And increasingly, it's being adapted for use in other countries, which means you can expect more and more pervasive surveillance, wherever you travel.

How can you protect yourself?  For once, the U.S. Department of Homeland Security actually has some good suggestions for foreign travel:

"Protective measures should include using designated 'travel' computers, single-use cell phones, temporary e-mail addresses, as well as refraining from communicating with a home organization's information technology systems." 

When you return, simply discard your cell phone and temporary e-mail address.  And "wipe" your computer clean before you leave and after you return, using a utility such as Killdisk (http://www.killdisk.com).

Enjoy the Olympics!

Copyright © 2008 by Mark Nestmann

Posted at 02:13 PM in Travel Privacy | | Comments (0)

August 06, 2008

Skype "Back Door" for Eavesdropping Revealed

I like Skype—the low-cost voice over Internet (VOIP) telephone provider—for several reasons. 

First, it's extremely easy to install and use.  Secondly, you can make free calls to other Skype users, anywhere in the world.  But most importantly, Skype automatically encrypts calls to other Skype users, protecting your conversations from being monitored.

However, I've long been skeptical about the encryption method Skype uses.  The reason is that Skype refuses to publish the source code it uses for encrypting phone calls to permit experts to inspect it for possible flaws or "back doors." 

Apparently, my concerns were warranted.  European news sources report that an Austrian government official recently disclosed that monitoring conversations over Skype presented "no particular problems."  And Skype (now owned by eBay) refuses to comment on the allegations. 

It's not clear how eavesdropping occurs, although there's speculation that Skype's global service outage last summer wasn't due to "Windows update" issues, as previously reported.  Instead, it was allegedly part of a secret plan orchestrated by the U.S. National Security Agency to install software that would allow law enforcement personnel to decipher Skype conversations. 

I'm not surprised by this development.  I've repeatedly warned that Skype may be secure against casual eavesdropping, but that it's not safe from "official" monitoring.  The report from Austria only confirms this conclusion.

If you really want privacy for your Internet telephone calls, check out Zfone (http://zfoneproject.com).  Like Skype, Zfone lets you make encrypted phone calls over the Internet.  But unlike Skype, its open-source design allows experts to examine the software for back doors or other flaws.

Zfone's principal designer is Phil Zimmermann, the creator of PGP, the most widely used email encryption software in the world.  It's not as easy to use as Skype, but if telephone privacy is important to you, I recommend that you check it out.

Copyright © 2008 by Mark Nestmann

Posted at 03:33 PM in Communications Privacy | | Comments (0)

Next »