Archive for Privacy

Australia Passes A New Encryption Law That Qualifies As The Worst Idea Ever

Posted in Commentary with tags on December 7, 2018 by itnerd

Australia has passed a new encryption law which the folks down under claim is essential for national security and an important part of law enforcement efforts in fighting terrorism. Essentially, the legislation allows for law enforcement and select government agencies to ask for three different levels of assistance from technology companies in accessing encrypted messages. CNET details those three levels:

  • Technical assistance request: A notice to provide “voluntary assistance” to law enforcement for “safeguarding of national security and the enforcement of the law.”
  • Technical assistance notice: A notice requiring tech companies to offer decryption “they are already capable of providing that is reasonable, proportionate, practicable and technically feasible” where the company already has the “existing means” to decrypt communications (e.g. where messages aren’t end-to-end encrypted).
  • Technical capability notice: A notice issued by the attorney general, requiring tech companies to “build a new capability” to decrypt communications for law enforcement. The bill stipulates this can’t include capabilities that “remove electronic protection, such as encryption.”

This is the dumbest idea ever on a number of levels. First, it sets a dangerous precedent that other countries might be stupid enough to follow. Second, there is almost zero chance that an Apple or Google will willingly go along with this. Finally, you have to trust Australia can keep secrets as what they want is a backdoor. The problem with that is that no government in the history of the universe can keep a secret and you can bet that whatever backdoor access they want will either fall into the wrong hands or get used for something that it was never intended for. That of course is bad.

Australia seriously needs to rethink this because they’re really out to lunch here.

Advertisements

Smartphone Users Might Want To Take Note Of These Legal Related News Items

Posted in Commentary with tags on October 1, 2018 by itnerd

There’s a pair of legal related news items that relates to smartphone users that piqued my interest, and it should pique your interest as well. Let’s start with one aimed at Apple iPhone X users. In what may be a first, the FBI has “forced” a suspect to unlock his iPhone X using Face ID:

Agents in Columbus, Ohio entered the home of 28-year-old Grant Michalski, who was suspected of child abuse, according to court documents spotted by Forbes. With a search warrant in hand, they forced him to put his face on front of the device to unlock it. They were then able to freely search for his photos, chats and any other potential evidence. The FBI started investigating Michalski after discovering his ad on Craigslist titled “taboo.” Later, they discovered emails in which he discussed incest and sex with minors with another defendant, William Weekly.

Once you get past the creep factor, let’s just consider this. This really isn’t any different than cops “forcing” (I put the quotes in as the FBI got a warrant to do this) someone to unlock their phone via a fingerprint. Thus one could argue that there is nothing new here. But it is worth noting if you have Apple’s coolest phone in your possession when the cops pay you a visit.

The next piece of legal news come from New Zealand where travelers who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine:

The Customs and Excise Act 2018 — which comes into effect today — sets guidelines around how Customs can carry out “digital strip-searches.” Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travelers must provide access — whether that be a password, pin-code or fingerprint — but officials would need to have a reasonable suspicion of wrongdoing. “It is a file-by-file [search] on your phone. We’re not going into ‘the cloud.’ We’ll examine your phone while it’s on flight mode,” Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched. Mr Brown said the law struck the “delicate balance” between a person’s right to privacy and Customs’ law enforcement responsibilities. “I personally have an e-device and it maintains all my records — banking data, et cetera, et cetera — so we understand the importance and significance of it.”

Now I’ve written about New Zealand before on a similar topic. Thus this doesn’t shock me. And realistically customs in any can demand to poke around your suitcase, frisk you or whatever as long as they have reasonable grounds….. Assuming of course you’re going to someplace where that applies. If you’re going to some repressive backwater where due process doesn’t exist then it sucks to be you. But I digress. Assuming that due process is being followed, then this isn’t a big deal as they searched roughly 540 electronic devices at New Zealand airports in 2017. You have to imagine that there are millions of travellers that go to that country which makes that number a drop in the bucket. However, if New Zealand uses this to go “hog wild” to search anything and everything they can get their hands on, that’s a problem. Hopefully someone is keeping an eye on this to see what happens next.

 

If You Get Your Email Via Oath, They May Be Trolling The Contents Of Your Email To Sell To Advertisers

Posted in Commentary with tags , on August 29, 2018 by itnerd

There’s a story (assuming that you can get past the paywall) in the Wall Street Journal that Oath scanned millions of Yahoo/AOL mailboxes for things like receipts, invoices, loan agreements and such which they can then use for customer profiling purposes. Of course then those profiles get sold to advertisers so that Oath can make money. And Oath isn’t apologizing for this. Doug Sharp, VP, Data, Measurement & Insights at Oath had this to say:

Email is an expensive system, I think it’s reasonable and ethical to expect the ‘value exchange,’ if you’ve got this mail service and there is advertising going on.

Translation: If you’re not paying for the service, you are the product.

Now, frequent readers may be saying “Wait…. That sounds familiar.” And it should. This was the chief reason that Canadian telco Rogers faced an epic backlash earlier this year when the terms of service changed for Rogers customers to allow Oath who serves up email for Rogers to scan the inboxes of those who used Rogers e-mail addresses. Now while this blowback was addressed in Canada (Mostly… The Privacy Commissioner of Canada is still looking into this and a further smackdown may yet inbound), the rest of world now has to deal with this. That’s why when this issue flared up in Canada, I offered up this option and this option in terms of email providers that don’t demand that you become the product. Thus if this whole idea of Oath reading your email bothers you, and you don’t want to be bothered with turning off the scanning on the relevant AOL or Yahoo Privacy pages, you can go elsewhere and deprive Oath of some money. .

Polar Exposed Locations of Spies and Military Personnel…. Oops

Posted in Commentary with tags on July 9, 2018 by itnerd

Polar is a company that makes fitness gear like fitness trackers, heart rate monitors and the like. They also make an app that allows you to compile the data from their gear called Polar Flow. But Polar Flow has one extra feature” that is likely to make a lot of people nervous right now, the location data of people such as spies and military personnel was accidentally exposed to the planet. Here’s the details:

For most users who set their activity tracking records to public, posting their workouts on Polar’s so-called Explore map is a feature and not a privacy issue. But even with profiles set to private, a user’s fitness activity can reveal where a person lives.

An exposed location of anyone working at a government or military installation can quickly become a national security risk.

Well, that’s an oops moment. This is pretty similar to what happened to Strava not too long ago. And it’s not just GPS info. It’s info that could also allow someone to identify you. Which of course isn’t good. After the company was told about this, the company took the relevant functionality off line. Then they put out this statement…. Which was kind of strange to me when I first read it:

In a statement sent by Polar chief strategy officer Marco Suvilaakso, the company said it “recently learned that public location data shared by customers via the Explore feature in Flow could provide insight into potentially sensitive locations.”

The company denied a leak or a breach of its systems.

“Currently the vast majority of Polar customers maintain the default private profiles and private sessions data settings, and are not affected in any way by this case,” said the statement. “While the decision to opt-in and share training sessions and GPS location data is the choice and responsibility of the customer, we are aware that potentially sensitive locations are appearing in public data, and have made the decision to temporarily suspend the Explore API.”

Well, if this isn’t a leak of some sort, I don’t know what qualifies. Thus this is a strange response from the company.

This is the bottom line that you have to keep in mind when you use these sorts of apps. They collect a ton of data on you. Thus you have to be 100% comfortable with the fact that this data could get exposed at some point and someone could learn a lot about you.

#PSA: Do You Have A Browser Extension Called Stylish Installed In Chrome Or Firefox? Uninstall It NOW!

Posted in Commentary with tags on July 5, 2018 by itnerd

There’s a popular extension called Stylish which was once a great way to remove annoying features from websites—trending topics on Facebook, say, or that annoying bar that follows you as you scroll on Medium. To do this Stylish, the browser extension, needs access to every website you visit. But it also trolls and steals your browser history. In short, it’s spyware. And here’s what  Robert Heaton has to say about it on his personal blog:

Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit. Stylish sends our complete browsing activity back to its servers, together with a unique identifier. This allows it’s new owner, SimilarWeb, to connect all of an individual’s actions into a single profile. And for users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie. This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.

As a result, Firefox has taken steps to ban the extension from its addons site and prompt all users to disable it. Google has done the same thing. Now the data that this addon shares is anonymized, but that’s still scary.

I try not to use browser add ons as I am always afraid of this sort of thing happening. Now it looks like my paranoia isn’t paranoia after all.

Cell Phone Tracking Firm Exposed Millions Of Americans’ Real-time Locations

Posted in Commentary with tags on May 18, 2018 by itnerd

You’ve likely never heard of a company called LocationSmart. But I will let security researcher Brian Krebs tell you why you should care:

On May 10, The New York Times broke the news that a different cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Mo.

On May 15, ZDnet.com ran a piece saying that Securus was getting its data through an intermediary — Carlsbad, CA-based LocationSmart.

Wednesday afternoon Motherboard published another bombshell: A hacker had broken into the servers of Securus and stolen 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. Most of the stolen credentials reportedly belonged to law enforcement officers across the country — stretching from 2011 up to this year.

None of that is good. But it actually gets worse. Apparently the LocationSmart website had a bug in its website that allowed anyone to see where a person is located without obtaining their consent:

LocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower.

Once that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude, plotting the coordinates on a Google Street View map. [It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information”].

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”

Well, that’s very disturbing. This demo software was promptly taken offline when the story broke. But there’s a larger issue here. Which is the security of your data and what you should expect in terms of privacy. A US senator is poking around the edges of this, but this requires a more stringent response. As in the four telcos and all of the companies above need to come in front of congress to answer some tough questions about this.

When It Comes To Privacy For In Car Infotainment Systems, It’s An Open Question As To What Data Google And Apple Collects From You

Posted in Commentary with tags , , , on April 20, 2018 by itnerd

The issue of privacy when it comes to in car infotainment systems like Android Auto and Apple CarPlay flared up again yesterday when it came to light that Toyota took a pass on Android Auto because of privacy concerns. They joined Porsche who famously did the same thing a few years ago.

That made me wonder if it is spelled out clearly what data either of these systems collects and how it is used. Why does that matter? I’d like to know if Google or Apple is motioning how aggressively I drive. And what they do with that information and who gets to see it.  Thus I spent a day looking around the Internet to see if such documentation exists. The net result of my research is that neither company does a great job of spelling out what data they collect via their infotainment systems and how it is used. To illustrate this, I want to use Tesla as an example of what I am looking for. Their privacy policy makes it very clear what they collect in terms of data. And they go into a great amount of detail about how it is used. That way, you know exactly what Tesla is doing. As far as I am concerned, this is the gold standard when it comes to this sort of thing as it removes any questions from my mind about what Tesla may or may not be doing.

Now let’s go over to Apple. They have a privacy microsite that is better than most and specifically mentions Apple CarPlay here where it says this:

All the rigorous privacy measures built into your iPhone and apps carry over to CarPlay. Only essential information that enhances the CarPlay experience will be used from your car. For example, data such as your car’s GPS location can be used to help iPhone produce more accurate results in Maps.

That’s something I suppose, but beyond that there’s no specific mention in their privacy policy or anywhere else on their microsite about what CarPlay collects and what is done with that information.

In the case of Google and Android Auto, I was unable to find anything that specifically mentions Android Auto, and I looked at the Android Auto site and their privacy and terms microsite which if you dig for bit lists pretty much every product that they make except Android Auto. Which means that I have no idea what info Google collects. And that’s a step behind Apple who at least gives me some minimal information on this front.

So in either case, both Android Auto and Apple CarPlay fall well short of telling their users about what data they collect and how it is used when compared to Tesla. That’s a problem given how privacy and the security of data is now a top of mind issue. As a result, we’re left with rumor rather than fact. And that’s a huge problem for both companies if they want their infotainment systems to be adopted widely.

My challenge to both companies would be for them to make their data collection and usage policies for their infotainment systems as clear as Tesla does. At least when Tesla spells it out, I know what I am getting myself into up front assuming that I read the document. I believe that Google and Apple owe us the same.

So how about it Apple and Google? Will you do what’s right for users of Android Auto and Apple CarPlay, or will you continue to keep them in the dark about what data you collect and how it is used in terms of those products? Inquiring minds want to know.