Category Archives: privacy

How a misreported story is changing U.S. immigration policy

The Atlantic reports: On Sunday, The New York Times published a scorching story alleging that one of the killers in the San Bernardino attack had previously “talked openly on social media about her views on violent jihad.”

But by Thursday, the Times admitted it had gotten parts of the story wrong. Tashfeen Malik had not posted publicly about violent jihad before moving to the U.S. Instead, according to the FBI, she had written about violent jihad only in private messages—not public posts. The Times changed its story, issued a correction, and endured a par­tic­u­larly bru­tal pub­lic flog­ging at the hands of its public editor.

That correction, however, came far too late to put the genie back in the bottle. News of the so-called “public” posts had already rocketed around the Internet, been cited repeatedly in the Republican presidential debate, and, apparently, made quite an impression on Capitol Hill.

On Tuesday, Senator John McCain pointed to the Times report in an­noun­cing legislation to require the Department of Homeland Security to “search all public records, including Internet sites and social media profiles” when vetting applicants to enter the U.S.

The same day, nearly two dozen Democrats wrote to Homeland Security Secretary Jeh Johnson calling for “more robust social media background check process for all visitors and immigrants to the United States.” The let­ter references press ac­counts in­dic­at­ing that such work had been done inconsistently. And it says Ma­lik “may have ex­pressed rad­ic­al ji­hadist sentiments on so­cial me­dia platforms.” [Continue reading…]

Facebooktwittermail

Brave New China: The most disturbing tech story of 2015

shadow8

The New Republic reports: China wants to get in on the credit racket. At the moment, most Chinese citizens don’t have credit scores, unlike in the United States, where they have been part of the consumer landscape for decades, led by the big three credit bureaus, Equifax, Experian, and TransUnion. The Chinese government aims to fix that and fast, establishing a nationwide credit scoring system, known as the Social Credit System (SCS), by 2020.

As with China’s vast construction projects, this scoring system is fiercely ambitious, authoritarian, technologically sophisticated, and likely to disrupt the lives of millions of people. And although it is a deeply capitalist undertaking, the SCS is being positioned as a socialist effort. A 2014 planning document states that “a social credit system is an important component part of the Socialist market economy system” and that “its inherent requirements are establishing the idea of an sincerity culture, and carrying forward sincerity and traditional virtues.” That vague phrasing actually speaks to the scope of the project. With “social credit,” the Chinese authorities plan to do more than gauge people’s finances; they want to rate the trustworthiness of citizens in all facets of life, from business deals to social behavior. Eventually, all Chinese citizens will be required to be part of the SCS.

As of now, the Chinese government is allowing select companies to roll out test projects designed to rate individuals’ trustworthiness. These include efforts by Baidu and Alibaba, respectively the country’s largest search engine and e-commerce site. The involvement of these tech companies is key. Credit scoring in the U.S. has long graduated beyond simple matters of credit card debt or bankruptcy history. The credit bureaus now double as some of the country’s biggest data brokers, and they consider a range of consumer activity when creating their proprietary scores. The scores themselves have grown in value, now being used for anything from rating credit worthiness to evaluating one’s fitness for a job (some states, including New York, have banned the use of credit scores in job screenings). As a consequence many forms of consumer scoring now lie outside existing consumer protections, as a World Privacy Forum report found last year.

China’s Social Credit System promises to build on these techniques, using the vast behavioral records of its people to rate them — as consumers, as citizens, as human beings. According to that same planning document, the SCS will be used “to encourage keeping trust and punish breaking trust,” which includes violations of the “social order.” In other words, everything Chinese citizens do, especially online, may be incorporated into their scores. Doctors, teachers, construction firms, scientists, and tourism employees will be scored. So will sports figures, NGOs, companies, members of the judicial system, and government administrators.

Approved behaviors and purchases will raise a score; other activities may lower it, perhaps drawing the unwanted attention of authorities in the process. Scores in turn will be used for employment, disbursing credit, and determining eligibility for social benefits. While the Chinese government has frequently touted its desire to create “a culture of sincerity” and “trust,” the plan uses surveillance, data collection, online monitoring, and behavioral tracking to render practically all of its citizens’ affairs in market terms. Rather than being equal, China’s citizens will be in fierce competition with one another, jostling for rankings better than their peers. [Continue reading…]

Facebooktwittermail

Our web history reveals what we think and do. Shouldn’t that remain private?

By Paul Bernal, University of East Anglia

An overlooked aspect of the draft Investigatory Powers Bill is the significance of demanding that service providers store 12 months’ internet connection records. A record of every website visited and internet service connected to, the government presents this as the online equivalent of an itemised phone bill. But this is a false analogy: internet connection records carry far more detail than a phone book, and the government’s move to claim them represents an unprecedented intrusion into our lives.

Supporters of the bill suggest that this data provides a way of checking that someone accessed Facebook at a particular time, just as phone records can reveal that a user called a particular number at a certain time. But while this is true, it misunderstands the role the internet has in our lives, and consequently underplays how much it can reveal.

The phone is a communications tool, but we have complex online lives and use the internet for many things other than “communication”. We do almost everything online: we bank online, we shop, find relationships, listen to music, watch television and films, plan our holidays, read about and indulge our interests.

Access to the websites we visit, for an entire year, is not at all comparable to having an itemised telephone bill. It’s more equivalent to tailing someone as they visit the shops, the pub, the cinema, listen to the radio, go to the park and on holiday, read books and magazines and newspapers, and much more.

It’s not just the data that’s revealing, it’s the sort of direct, logical inferences that can be made given a web browsing history. For example, from the fact that someone visits sites connected with a particular religion, one can infer that they follow that religion. If they visit sites regarding a particular health condition, it’s possible to infer that they may suffer from that condition, or are worried about their health.

Continue reading

Facebooktwittermail

If you’re not paranoid, you’re crazy

Walter Kirn writes: I knew we’d bought walnuts at the store that week, and I wanted to add some to my oatmeal. I called to my wife and asked her where she’d put them. She was washing her face in the bathroom, running the faucet, and must not have heard me—she didn’t answer. I found the bag of nuts without her help and stirred a handful into my bowl. My phone was charging on the counter. Bored, I picked it up to check the app that wirelessly grabs data from the fitness band I’d started wearing a month earlier. I saw that I’d slept for almost eight hours the night before but had gotten a mere two hours of “deep sleep.” I saw that I’d reached exactly 30 percent of my day’s goal of 13,000 steps. And then I noticed a message in a small window reserved for miscellaneous health tips. “Walnuts,” it read. It told me to eat more walnuts.

It was probably a coincidence, a fluke. Still, it caused me to glance down at my wristband and then at my phone, a brand-new model with many unknown, untested capabilities. Had my phone picked up my words through its mic and somehow relayed them to my wristband, which then signaled the app?

The devices spoke to each other behind my back—I’d known they would when I “paired” them—but suddenly I was wary of their relationship. Who else did they talk to, and about what? And what happened to their conversations? Were they temporarily archived, promptly scrubbed, or forever incorporated into the “cloud,” that ghostly entity with the too-disarming name?

It was the winter of 2013, and these “walnut moments” had been multiplying—jarring little nudges from beyond that occurred whenever I went online. One night the previous summer, I’d driven to meet a friend at an art gallery in Hollywood, my first visit to a gallery in years. The next morning, in my inbox, several spam e-mails urged me to invest in art. That was an easy one to figure out: I’d typed the name of the gallery into Google Maps. Another simple one to trace was the stream of invitations to drug and alcohol rehab centers that I’d been getting ever since I’d consulted an online calendar of Los Angeles–area Alcoholics Anonymous meetings. Since membership in AA is supposed to be confidential, these e‑mails irked me. Their presumptuous, heart-to-heart tone bugged me too. Was I tired of my misery and hopelessness? Hadn’t I caused my loved ones enough pain? [Continue reading…]

Facebooktwittermail

How GCHQ tracks web users’ online identities

The Intercept reports: There was a simple aim at the heart of the top-secret program: Record the website browsing habits of “every visible user on the Internet.”

Before long, billions of digital records about ordinary people’s online activities were being stored every day. Among them were details cataloging visits to porn, social media and news websites, search engines, chat forums, and blogs.

The mass surveillance operation — code-named KARMA POLICE — was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom’s electronic eavesdropping agency, Government Communications Headquarters, or GCHQ.

The revelations about the scope of the British agency’s surveillance are contained in documents obtained by The Intercept from National Security Agency whistleblower Edward Snowden. Previous reports based on the leaked files have exposed how GCHQ taps into Internet cables to monitor communications on a vast scale, but many details about what happens to the data after it has been vacuumed up have remained unclear.[Continue reading…]

Facebooktwittermail

New worry for tech firms that don’t want to hand data to the government: Hillary Clinton

The Los Angeles Times reports: When Hillary Rodham Clinton talks tough about diluting the influence of the sprawling Islamic State terrorist network, she sometimes skips the rhetoric on diplomatic and military strategy in the Middle East – and instead targets Silicon Valley.

Executives in the boardrooms of America’s big tech firms are taking notice as the Democratic front-runner in the presidential race warns about the impunity with which terrorists operate online. Clinton said the problem needs a “hard look” by government. Internet freedom is great, she told voters at a town hall in New Hampshire, “but I don’t believe we should give a free pass to a terrorist organization.”

The remarks haven’t been particularly controversial in the early voting states where Clinton is stumping. But across the country in the Bay Area, the social media industry is anxious about what exactly Clinton has in mind. Her focus comes as tech companies are engaged in a pitched battle with their state’s senior senator, Dianne Feinstein, over her push to require Internet companies to become government informants when they come across potentially troublesome communications.

At the core of the dispute is disagreement over how much companies should do to stop terrorist groups from using their platforms to recruit members and coordinate attacks. The firms, Feinstein said at a hearing last month, are taking down thousands of posts monthly that violate corporate bans on terrorism-related discussions – but they are not alerting law enforcement about any of that content. Feinstein made the comments after convening meetings with high-level officials at Google, Facebook, Yahoo, Twitter and Microsoft.

“The companies do not proactively monitor their sites to identify [terrorist] content, nor do they inform the FBI when they identified and remove their content,” she said. “I believe they should.” Soon after, the Senate Intelligence Committee, of which Feinstein is vice chair, tacked language onto a routine funding bill requiring the firms to share with law enforcement any such posts they come across. [Continue reading…]

Facebooktwittermail

Why the fear over ubiquitous data encryption is overblown

Mike McConnell, former director of the National Security Agency and director of national intelligence, Michael Chertoff, former homeland security secretary, and William Lynn, former deputy defense secretary, write: More than three years ago, as former national security officials, we penned an op-ed to raise awareness among the public, the business community and Congress of the serious threat to the nation’s well-being posed by the massive theft of intellectual property, technology and business information by the Chinese government through cyberexploitation. Today, we write again to raise the level of thinking and debate about ubiquitous encryption to protect information from exploitation.

In the wake of global controversy over government surveillance, a number of U.S. technology companies have developed and are offering their users what we call ubiquitous encryption — that is, end-to-end encryption of data with only the sender and intended recipient possessing decryption keys. With this technology, the plain text of messages is inaccessible to the companies offering the products or services as well as to the government, even with lawfully authorized access for public safety or law enforcement purposes.

The FBI director and the Justice Department have raised serious and legitimate concerns that ubiquitous encryption without a second decryption key in the hands of a third party would allow criminals to keep their communications secret, even when law enforcement officials have court-approved authorization to access those communications. There also are concerns about such encryption providing secure communications to national security intelligence targets such as terrorist organizations and nations operating counter to U.S. national security interests.

Several other nations are pursuing access to encrypted communications. In Britain, Parliament is considering requiring technology companies to build decryption capabilities for authorized government access into products and services offered in that country. The Chinese have proposed similar approaches to ensure that the government can monitor the content and activities of their citizens. Pakistan has recently blocked BlackBerry services, which provide ubiquitous encryption by default.

We recognize the importance our officials attach to being able to decrypt a coded communication under a warrant or similar legal authority. But the issue that has not been addressed is the competing priorities that support the companies’ resistance to building in a back door or duplicated key for decryption. We believe that the greater public good is a secure communications infrastructure protected by ubiquitous encryption at the device, server and enterprise level without building in means for government monitoring. [Continue reading…]

Facebooktwittermail

Sen. Wyden objects to anti-terrorism rules for websites

The Associated Press reports: Sen. Ron Wyden, an Oregon Democrat and skeptic of broad government surveillance, objected Tuesday to a bill that would have required social media and online sites like Google, Yahoo, Twitter and Facebook to alert federal authorities of any terrorist activity.

The proposal, by Sen. Dianne Feinstein, D-Calif., had been tucked into a broader bill authorizing intelligence programs throughout the 2016 budget year and became the subject of several private meetings on Capitol Hill between congressional staff and industry officials.

In a statement submitted into the Congressional Record, Wyden said the Senate had been asked on Tuesday to approve the intelligence authorization bill by unanimous consent. Doing so would bypass any debate. A spokesman for Senate Majority Leader Mitch McConnell, R-Ky., confirmed that leadership had hoped to pass the bill before the August recess, but that not all senators were on board. [Continue reading…]

Facebooktwittermail

Privacy campaigners win concessions in UK surveillance report

The Guardian reports: Privacy campaigners have secured significant concessions in a key report into surveillance by the British security agencies published on Tuesday.

The 132-page report, A Democratic Licence To Operate, which Nick Clegg commissioned last year in the wake of revelations by the US whistleblower Edward Snowden, acknowledges the importance of privacy concerns.

“Privacy is an essential prerequisite to the exercise of individual freedom, and its erosion weakens the constitutional foundations on which democracy and good governance have traditionally been based in this country,” the report says. [Continue reading…]

Facebooktwittermail

MIT report: Giving government special access to data poses major security risks

MIT’s Computer Science and Artificial Intelligence Lab: In recent months, government officials in the United States, the United Kingdom, and other countries have made repeated calls for law-enforcement agencies to be able to access, upon due authorization, encrypted data to help them solve crimes.

Beyond the ethical and political implications of such an approach, though, is a more practical question: If we want to maintain the security of user information, is this sort of access even technically possible?

That was the impetus for a report — titled “Keys under doormats: Mandating insecurity by requiring government access to all data and communications” — just published by security experts from MIT’s Computer Science and Artificial Intelligence Lab (CSAIL), alongside other leading researchers from the U.S. and the U.K.

The report argues that such mechanisms “pose far more grave security risks, imperil innovation on which the world’s economies depend, and raise more thorny policy issues than we could have imagined when the Internet was in its infancy.” [Continue reading…]

Facebooktwittermail

What happens when policy is made by corporations? Your privacy is seen as a barrier to economic growth

Evgeny Morozov: With all eyes on Greece, the European parliament has quietly passed a non-binding resolution on the Transatlantic Trade and Investment Partnership (TTIP), the controversial trade liberalisation agreement between the United States and Europe. Ironically, it did so a few hours after lecturing Alexis Tsipras, the Greek leader, about the virtues of European solidarity and justice.

If enacted, TTIP, along with two other treaties currently under negotiation– the Trade in Services Agreement (TISA) and the Trans-Pacific Partnership agreement (TPP) – will considerably limit the ability of governments to rein in the activities of corporations; all three treaties have predictably triggered much resistance.

The European parliament’s resolution seeks to eliminate the main point of contention between the US and Europe. While many Europeans object to the very idea of creating an international tribunal, where corporations can sue governments for passing business-unfriendly laws, the European parliament has proposed to turn this tribunal into a public European institution. Some such institutions do have teeth – consider the recent “right to be forgotten” judgment from the European court of justice – but this can’t be taken for granted. [Continue reading…]

Facebooktwittermail

Google eavesdropping tool installed on computers without permission

The Guardian reports: Privacy campaigners and open source developers are up in arms over the secret installing of Google software which is capable of listening in on conversations held in front of a computer.

First spotted by open source developers, the Chromium browser – the open source basis for Google’s Chrome – began remotely installing audio-snooping code that was capable of listening to users.

It was designed to support Chrome’s new “OK, Google” hotword detection – which makes the computer respond when you talk to it – but was installed, and, some users have claimed, it is activated on computers without their permission. [Continue reading…]

Facebooktwittermail

FISA Court skips talking to privacy advocates

National Journal reports: The secretive court that oversees U.S. spying programs selected to not consult a panel of privacy advocates in its first decision made since the enactment earlier this month of major surveillance reform, according to an opinion declassified Friday.

The Foreign Intelligence Surveillance Court opted to forgo appointing a so-called “amicus” of privacy advocates as it considered whether the USA Freedom Act could reinstate spying provisions of the Patriot Act even though they expired on June 1 amid an impasse in the Senate.

The Court ruled that the Freedom Act’s language — which will restore the National Security Agency’s bulk collection of U.S. call data for six months before transitioning to a more limited program — could revive those lapsed provisions, but in assessing that narrow legal question, Judge Dennis Saylor concluded that the Court did not first need confer with a privacy panel as proscribed under the reform law. [Continue reading…]

Facebooktwittermail

With ISIS using instant messaging apps, FBI seeks access to data

The Los Angeles Times reports: Islamic State militants and their followers have discovered an unnerving new communications and recruiting tool that has stymied U.S. counter-terrorism agencies: instant messaging apps on smartphones that encrypt the texts or destroy them almost immediately.

In many cases, U.S. intelligence and law enforcement agencies can’t read the messages in real time, or even later with a court order, because the phone companies and the app developers say they can’t unlock the coded text and don’t retain a record of the exchanges.

“We’re past going dark in certain instances,” said Michael B. Steinbach, the FBI’s top counter-terrorism official. “We are dark.”

The hole in U.S. surveillance capabilities was not mentioned during the recent congressional battle over the National Security Agency’s bulk collection of U.S. landline and cellphone data. Lawmakers ultimately agreed to scale back that program because of concerns it violated Americans’ privacy.

FBI officials now want Congress to expand their authority to tap into messaging apps such as WhatsApp and Kik, as well as data-destroying apps such as Wickr and Surespot, that hundreds of millions of people — and apparently some militants — have embraced precisely because they guarantee security and anonymity. [Continue reading…]

Facebooktwittermail

Spot the difference: Being or not being subject to mass surveillance

On Sunday night, at the stroke of midnight, will a shroud of fear be lifted from freedom-loving Americans?

Let’s assume that a last minute deal isn’t reached in Congress and the surveillance powers of the Patriot Act are indeed allowed to expire.

This might not amount to the kind of statutory protection of privacy that critics of the NSA have hoped for, and yet physically pulling the plug on the actual mechanisms of mass surveillance will highlight the difference between living in a world where all our information gets sucked into data warehouses and a world in which it remains a tad more secure under a blanket in the Cloud — or wherever else we’ve chosen to keep it hidden.

Of course, a lot of people won’t believe the plug got pulled — certainly not at a moment when they believe the Federal government is about to impose martial law in Texas — and so the reported suspension of surveillance will more likely reinforce their paranoia.

But for those who believe that a measure of freedom lost has been reclaimed — at least for now — how will that freedom be enjoyed?

That’s where I draw a blank.

I’ve seen the polls in which some people say that NSA surveillance has changed how they use email and made them inclined to censor themselves and yet I’ve always been baffled by these reactions.

Most NSA critics who have studied the issue are acutely aware that mass surveillance is virtually useless for gathering information about terrorism, so how exactly might it accumulate useful information about you or me?

From Sunday to Monday, we will cross over from a world in which we are watched but unseen, into a world in which we will remain unseen. If that seems like a profound transition, I’d say your fixation on personal freedom has become a distraction from much more serious issues that truly shape our world.

There are plenty of good reasons to be opposed to mass surveillance — including the principle that no democratic government should claim the right to spy on its own citizens. But we have less reason to be concerned about intrusions on our privacy than that over-funded intelligence agencies have exploited public fear and manipulated Congress in order to create programs of negligible value.

If mass surveillance is about to quietly die, maybe the lesson that can be drawn is that the threat it supposedly posed and the need it supposedly met, were both wildly overstated.

The NSA’s appetite to gather information has always exceeded its capacity to use it, but the same cannot be said for Google or Facebook. The NSA never was and never could become more than a flea on the back of a digital infrastructure that primarily serves Silicon Valley.

Most of the information that is being gathered about each and every one of us is not being swept up in secret but dished out freely down what we have come to regard as lifelines connecting us to the world.

Rather than being subject to unwanted surveillance, we are far more subject to networks of dependence which affect what we want, what we expect, and how we live.

Big Brother is less inclined to breath down our neck than hold our hand. And if the grip feels too tight it’s because we’re afraid of letting go.

Facebooktwittermail

Intelligence official: Era of bulk-records collection likely over

The Wall Street Journal: A senior U.S. intelligence official on Friday afternoon suggested that the public blowback and corporate outrage that erupted after it was revealed that the National Security Agency collected bulk telephone records made it rather certain the government would not try to recreate such a program in the future.

Robert Litt, the Office of the Director of National Intelligence’s general counsel, told a panel hosted by the Sunlight Foundation that the intelligence community now decides when it creates any new program how it will look if it is leaked to the public.

He says they ask “Are the benefits we get from that program worth that risk?”

Facebooktwittermail

NSA phone records program illegal, court rules

The Guardian reports: The US court of appeals has ruled that the bulk collection of telephone metadata is unlawful, in a landmark decision that clears that way for a full legal challenge against the National Security Agency.

A panel of three federal judges for the second circuit overturned an earlier ruling that the controversial surveillance practice first revealed to the US public by NSA whistleblower Edward Snowden in 2013 could not be subject to judicial review.

But the judges also waded into the charged and ongoing debate over the reauthorization of a key Patriot Act provision currently before US legislators. That provision, which the appeals court ruled the NSA program surpassed, will expire on June 1 amidst gridlock in Washington on what to do about it.

The judges opted not to end the domestic bulk collection while Congress decides its fate, calling judicial inaction “a lesser intrusion” on privacy than at the time the case was initially argued. [Continue reading…]

Facebooktwittermail

Utah’s reaction to NSA data center mirrors wider ambivalence over surveillance programs

The Wall Street Journal reports: As a defiant statement against what it sees as government overreach, a group of Utahans “adopted” the desert highway that leads to the National Security Agency’s secretive and sprawling new facility in Bluffdale.

Their novel plan: While collecting trash along their stretch of road, they would simultaneously protest outside the NSA building, spreading the “Restore the Fourth” message in favor of Fourth Amendment protections against illegal search and seizure.

But their plan soon wilted thanks to a lack of organization and a lack of enthusiasm for more protests.

“What we’re working on now is consolidating and coordinating our actions with other organizations,” said Dan Garfield, who leads Restore the Fourth’s Utah chapter. He said there is no timeline for the next protest.

The stalled effort highlights the ambivalence in Utah and in Washington, D.C., over secret government surveillance programs. Section 215 of the USA Patriot Act, which the government has used to justify its bulk telephone-record collection program, expires at the end of this month, giving hope to the agency’s critics that they can make major changes. But the rise of the Islamic State extremist group has encouraged more outspoken support for the NSA, including by several potential presidential candidates, complicating negotiations about what to do with the expiring powers.

In Utah, plenty of people don’t seem bothered by the NSA presence. [Continue reading…]

Facebooktwittermail