Archive for Privacy

Cell Phone Tracking Firm Exposed Millions Of Americans’ Real-time Locations

Posted in Commentary on May 18, 2018 by itnerd

You’ve likely never heard of a company called LocationSmart. But I will let security researcher Brian Krebs tell you why you should care:

On May 10, The New York Times broke the news that a different cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Mo.

On May 15, ZDnet.com ran a piece saying that Securus was getting its data through an intermediary — Carlsbad, CA-based LocationSmart.

Wednesday afternoon Motherboard published another bombshell: A hacker had broken into the servers of Securus and stolen 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. Most of the stolen credentials reportedly belonged to law enforcement officers across the country — stretching from 2011 up to this year.

None of that is good. But it actually gets worse. Apparently the LocationSmart website had a bug that allowed anyone to see where a person is located without obtaining their consent:

LocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower.

Once that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude, plotting the coordinates on a Google Street View map. [It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information”].

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”

Well, that’s very disturbing. This demo software was promptly taken offline when the story broke. But there’s a larger issue here, which is the security of your data and what you should expect in terms of privacy. A US senator is poking around the edges of this, but this requires a more stringent response. As in the four telcos and all of the companies above need to come in front of Congress to answer some tough questions about this.


When It Comes To Privacy For In Car Infotainment Systems, It’s An Open Question As To What Data Google And Apple Collect From You

Posted in Commentary on April 20, 2018 by itnerd

The issue of privacy when it comes to in car infotainment systems like Android Auto and Apple CarPlay flared up again yesterday when it came to light that Toyota took a pass on Android Auto because of privacy concerns. They joined Porsche who famously did the same thing a few years ago.

That made me wonder if it is spelled out clearly what data either of these systems collects and how it is used. Why does that matter? I’d like to know if Google or Apple is monitoring how aggressively I drive. And what they do with that information and who gets to see it. Thus I spent a day looking around the Internet to see if such documentation exists. The net result of my research is that neither company does a great job of spelling out what data they collect via their infotainment systems and how it is used. To illustrate this, I want to use Tesla as an example of what I am looking for. Their privacy policy makes it very clear what they collect in terms of data. And they go into a great amount of detail about how it is used. That way, you know exactly what Tesla is doing. As far as I am concerned, this is the gold standard when it comes to this sort of thing as it removes any questions from my mind about what Tesla may or may not be doing.

Now let’s go over to Apple. They have a privacy microsite that is better than most and specifically mentions Apple CarPlay here where it says this:

All the rigorous privacy measures built into your iPhone and apps carry over to CarPlay. Only essential information that enhances the CarPlay experience will be used from your car. For example, data such as your car’s GPS location can be used to help iPhone produce more accurate results in Maps.

That’s something I suppose, but beyond that there’s no specific mention in their privacy policy or anywhere else on their microsite about what CarPlay collects and what is done with that information.

In the case of Google and Android Auto, I was unable to find anything that specifically mentions Android Auto, and I looked at the Android Auto site and their privacy and terms microsite which, if you dig for a bit, lists pretty much every product that they make except Android Auto. Which means that I have no idea what info Google collects. And that’s a step behind Apple who at least gives me some minimal information on this front.

So in either case, both Android Auto and Apple CarPlay fall well short of telling their users about what data they collect and how it is used when compared to Tesla. That’s a problem given how privacy and the security of data is now a top of mind issue. As a result, we’re left with rumor rather than fact. And that’s a huge problem for both companies if they want their infotainment systems to be adopted widely.

My challenge to both companies would be for them to make their data collection and usage policies for their infotainment systems as clear as Tesla does. At least when Tesla spells it out, I know what I am getting myself into up front assuming that I read the document. I believe that Google and Apple owe us the same.

So how about it Apple and Google? Will you do what’s right for users of Android Auto and Apple CarPlay, or will you continue to keep them in the dark about what data you collect and how it is used in terms of those products? Inquiring minds want to know.

 

Law Enforcement Again Finds Themselves In A Situation Where They Can’t Unlock A Mass Shooter’s Phone

Posted in Commentary on November 8, 2017 by itnerd

The recent mass shooting in a Texas church has been making headlines since Sunday. But related to that is a problem that law enforcement has faced before. The inability to unlock the shooter’s phone to get to critical data that could help in their investigation. News.com has the details on this:

An official said at a press conference Tuesday that the FBI is unable to open the phone of Devin Patrick Kelley, who killed 26 people and injured 20 more at a Texas church on Sunday. 

The phone is encrypted, meaning the information inside is unreadable without a passcode. The FBI didn’t say what kind of phone the shooter used.

“With the advance of the technology and the phones and the encryptions, law enforcement — whether at a state, local or federal level — is increasingly not able to get into these phones,” said Christopher Combs, the FBI special agent in charge.

This is the same sort of situation that the FBI found itself in with the San Bernardino shooter’s iPhone, which in turn led to a protracted legal battle with Apple. But in the end they unlocked the phone with the help of a third party. Not only that, but apparently the FBI has been unable to get into thousands of phones which is making it difficult for them to investigate crimes.

Now I have to admit that I struggle with this. On one hand, I see the need for law enforcement to have the ability to get into phones to help them to put bad guys in jail. But at the same time, I don’t think that anyone should have a free pass to look at anything on a phone. Nor should Apple, Google or anyone else build backdoors into their phones for law enforcement. It’s a tricky balance I admit and I am not sure how you get the balance right. But hopefully there’s reasonable discussion about this that leads to that balance.

US Border Security More Likely To Look At Your Phone And Demand Passwords…. Yikes!

Posted in Commentary on September 19, 2017 by itnerd

According to a CTV News report, Canadian Privacy Commissioner Daniel Therrien told a House of Commons committee yesterday that U.S. Customs and Border Protection officers can look at mobile devices and even demand passwords under new American law:

Therrien cited statistics indicating U.S. border searches of mobile phones had increased between 2015 and 2016.

“These devices contain a lot of sensitive information,” Therrien said. “We should be very concerned.”

And it seems that when US border officials look at your phone, they can deny you entry based on what is found on it. And it doesn’t have to be related to you being a bad guy. Take for example what New Democrat MP Nathan Cullen had to say:

 

Cullen said one of his constituents was denied entry to the U.S. on health-related grounds because information on the person’s phone indicated a prescription for heart medication.

Now to be fair, Canadian border officials can do this as well. But….. :

Canadian law also allows border officers to inspect cell phones, since they are treated as goods, Therrien told the Commons committee on access to information, privacy and ethics.

But he noted Canada’s border agency has a policy of limiting searches to cases where an officer has grounds to do so — for instance, because a phone might contain information about contraband items.

So travelers, you now know that if you’re going to the US, you can expect that there’s a higher probability that your phone might be searched. Thus if you don’t want things to go sideways, you should likely take precautions prior to departure.

Australia to Push for Greater Powers on Encrypted Messaging at “Five Eyes” Meeting

Posted in Commentary on June 26, 2017 by itnerd

There’s a group of five nations that collaborate on collecting and sharing intelligence. Known as the “Five Eyes,” they are the U.S., the U.K., Canada, Australia, and New Zealand. Australia at a meeting this week of the “Five Eyes” will push for greater international powers to thwart the use of encrypted messaging services by terrorists and criminals. Here’s what Reuters had to say on this:

Australia has made it clear it wants tech companies to do much more to give intelligence and law enforcement agencies access to encrypted communications.

“I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption,” Australian Attorney General Senator Brandis said in a joint statement.

“These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies.”

While I fully support any and all reasonable methods for law enforcement to stop “evil doers” from doing “evil things,” this isn’t going to accomplish that goal. Simply put, those who want to inflict chaos and destruction on the world will move to unregulated open source solutions with end to end encryption which will put them out of the reach of law enforcement. Thus the only thing that will be accomplished is the weakening of the security of consumer devices and software that “evil doers” will move away from to stay out of the reach of the good guys. Do I have a better idea? Short of putting some sort of “backdoor” into every device and software that has encryption, no. But I do know a bad idea when I see it. And this qualifies as a bad idea.

Does Your Printer Spy On You? The EFF Can Help You Find Out….

Posted in Commentary on June 12, 2017 by itnerd

Recently we’ve had the case of a woman named Reality Winner…. Yes, that is apparently her name…. being arrested for leaking sensitive info to The Intercept that the NSA had in its possession. She was apparently busted because the printers that she printed this sensitive info out from had microdots which were used to hunt her down. Now, you’re likely wondering what these microdots are and if the printer in your home or business does this or something similar. Well, the Electronic Frontier Foundation can help you find out. They’ve not only posted a document that lists printers known to do this, they’ve also got a document that explains this tracking tech. But the first document that I linked to does have this warning:

Some of the documents that we previously received through FOIA suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable. Although we still don’t know if this is correct, or how subsequent generations of forensic tracking technologies might work, it is probably safest to assume that all modern color laser printers do include some form of tracking information that associates documents with the printer’s serial number.

Thus consider this to be a starting point. It will be interesting to see if any printer company fesses up to doing this now that it’s got a rather bright spotlight.

Canadian Connected Sex Toy Company Fingered For Data Mining Users Without Consent

Posted in Commentary on March 14, 2017 by itnerd

Ottawa-based connected sex toy company Standard Innovation, who makes an apparently popular sex toy called WeVibe, apparently did more than make the sex toy and the app for your phone that goes with it. It also apparently data mined users by collecting real-time data of their connected sex toys’ usage without the users’ knowledge. Clearly that’s more invasive than it should be. So it’s no surprise that when users found out about it they went to court and got a $3.75 million (CDN) settlement. The Financial Post has the intimate details:

Under the terms of the settlement, Standard Innovation Corp. has agreed to destroy the personal information it has collected from users of the vibrator and stop collecting such information from now on. The vibrator, known as the We-Vibe Rave, could be paired with a smartphone app to allow a partner to control it remotely.

About 300,000 customers purchased the vibrators, with about one-third of them using them with the app, according to the settlement agreement. App users are entitled to a share of a fund up to US$10,000 after expenses and fees, with anyone who purchased vibrator without using the app entitled to up to US$199.

The company won’t have to admit that they did anything wrong as part of this settlement.

My take on this is that in the era of the Internet of Things, you can fully expect that your data will be used in some way that you don’t expect it to. That includes what you do in your bedroom. Now the company is wrong for not telling users that they were collecting real time stats of their intimate activities. But part of me isn’t shocked by this at all as data is very valuable these days. Thus if this is the sort of thing that you’re into, because if it is there’s nothing wrong with that, you might want to keep the fact that you may not fully control the data that your activities generate in mind.