Category Archives: privacy

The Obama administration and the press: Leak investigations and surveillance in post-9/11 America

In a report for the Committee to Protect Journalists, Leonard Downie Jr., former editor of the Washington Post, writes: In the Obama administration’s Washington, government officials are increasingly afraid to talk to the press. Those suspected of discussing with reporters anything that the government has classified as secret are subject to investigation, including lie-detector tests and scrutiny of their telephone and e-mail records. An “Insider Threat Program” being implemented in every government department requires all federal employees to help prevent unauthorized disclosures of information by monitoring the behavior of their colleagues.

Six government employees, plus two contractors including Edward Snowden, have been subjects of felony criminal prosecutions since 2009 under the 1917 Espionage Act, accused of leaking classified information to the press — compared with a total of three such prosecutions in all previous U.S. administrations. Still more criminal investigations into leaks are under way. Reporters’ phone logs and e-mails were secretly subpoenaed and seized by the Justice Department in two of the investigations, and a Fox News reporter was accused in an affidavit for one of those subpoenas of being “an aider, abettor and/or conspirator” of an indicted leak defendant, exposing him to possible prosecution for doing his job as a journalist. In another leak case, a New York Times reporter has been ordered to testify against a defendant or go to jail.

Compounding the concerns of journalists and the government officials they contact, news stories based on classified documents obtained from Snowden have revealed extensive surveillance of Americans’ telephone and e-mail traffic by the National Security Agency. Numerous Washington-based journalists told me that officials are reluctant to discuss even unclassified information with them because they fear that leak investigations and government surveillance make it more difficult for reporters to protect them as sources. “I worry now about calling somebody because the contact can be found out through a check of phone records or e-mails,” said veteran national security journalist R. Jeffrey Smith of the Center for Public Integrity, an influential nonprofit government accountability news organization in Washington. “It leaves a digital trail that makes it easier for the government to monitor those contacts,” he said.

“I think we have a real problem,” said New York Times national security reporter Scott Shane. “Most people are deterred by those leaks prosecutions. They’re scared to death. There’s a gray zone between classified and unclassified information, and most sources were in that gray zone. Sources are now afraid to enter that gray zone. It’s having a deterrent effect. If we consider aggressive press coverage of government activities being at the core of American democracy, this tips the balance heavily in favor of the government.”

At the same time, the journalists told me, designated administration spokesmen are often unresponsive or hostile to press inquiries, even when reporters have been sent to them by officials who won’t talk on their own. Despite President Barack Obama’s repeated promise that his administration would be the most open and transparent in American history, reporters and government transparency advocates said they are disappointed by its performance in improving access to the information they need.

“This is the most closed, control freak administration I’ve ever covered,” said David E. Sanger, veteran chief Washington correspondent of The New York Times.

The Obama administration has notably used social media, videos, and its own sophisticated websites to provide the public with administration-generated information about its activities, along with considerable government data useful for consumers and businesses. However, with some exceptions, such as putting the White House visitors’ logs on the whitehouse.gov website and selected declassified documents on the new U.S. Intelligence Community website, it discloses too little of the information most needed by the press and public to hold the administration accountable for its policies and actions. “Government should be transparent,” Obama stated on the White House website, as he has repeatedly in presidential directives. “Transparency promotes accountability and provides information for citizens about what their government is doing.”

But his administration’s actions have too often contradicted Obama’s stated intentions. “Instead,” New York Times public editor Margaret Sullivan wrote earlier this year, “it’s turning out to be the administration of unprecedented secrecy and unprecedented attacks on a free press.”

“President Obama had said that default should be disclosure,” Times reporter Shane told me. “The culture they’ve created is not one that favors disclosure.” [Continue reading…]


How we have become the tools of our devices

The New York Times reports: Once, only hairdressers and bartenders knew people’s secrets.

Now, smartphones know everything — where people go, what they search for, what they buy, what they do for fun and when they go to bed. That is why advertisers, and tech companies like Google and Facebook, are finding new, sophisticated ways to track people on their phones and reach them with individualized, hypertargeted ads. And they are doing it without cookies, those tiny bits of code that follow users around the Internet, because cookies don’t work on mobile devices.

Privacy advocates fear that consumers do not realize just how much of their private information is on their phones and how much is made vulnerable simply by downloading and using apps, searching the mobile Web or even just going about daily life with a phone in your pocket. And this new focus on tracking users through their devices and online habits comes against the backdrop of a spirited public debate on privacy and government surveillance.

On Wednesday, the National Security Agency confirmed it had collected data from cellphone towers in 2010 and 2011 to locate Americans’ cellphones, though it said it never used the information.

“People don’t understand tracking, whether it’s on the browser or mobile device, and don’t have any visibility into the practices going on,” said Jennifer King, who studies privacy at the University of California, Berkeley and has advised the Federal Trade Commission on mobile tracking. “Even as a tech professional, it’s often hard to disentangle what’s happening.”

Drawbridge is one of several start-ups that have figured out how to follow people without cookies, and to determine that a cellphone, work computer, home computer and tablet belong to the same person, even if the devices are in no way connected. Before, logging onto a new device presented advertisers with a clean slate.

“We’re observing your behaviors and connecting your profile to mobile devices,” said Eric Rosenblum, chief operating officer at Drawbridge. But don’t call it tracking. “Tracking is a dirty word,” he said. [Continue reading…]


The NSA’s struggle against Tor

The Register reports: An NSA presentation released by Edward Snowden contains mixed news for Tor users. The anonymizing service itself appears to have foxed US and UK government snoops, but instead they are using a zero-day flaw in the Firefox browser bundled with Tor to track users.

“These documents give Tor a huge pat on the back,” security guru Bruce Schneier told The Register. “If I was a Tor developer, I’d be really smiling after reading this stuff.”

The PowerPoint slide deck, prepared in June last year and entitled “Tor stinks”, details how the NSA and the UK’s Government Communications Headquarters (GCHQ) have been stymied by trying to track Tor users, thanks to the strength of the open source system.

“We will never be able to de-anonymize all Tor users all the time,” the presentation states. “With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user.”

The presentation says that both the NSA and GCHQ run Tor nodes themselves (the Brits use Amazon Web Services for this under a project entitled Newton’s Cradle), but these are only a very small number in comparison to the whole system. This makes tracking users using traditional signals-intelligence methods impossible.

There’s also a case of diminishing returns as Tor becomes more popular. With each user acting as a transport node, the sheer scale of the system means it becomes steadily more difficult for the intelligence community to run enough nodes to be useful for tracking.

Bruce Schneier reports: The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA’s application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.

According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identifies Tor users on the internet and then executes an attack against their Firefox web browser.

The NSA refers to these capabilities as CNE, or computer network exploitation.

The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the internet. This is done via the agency’s partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.

The NSA creates “fingerprints” that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see “almost everything” a target does on the internet.

Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of internet traffic that it sees, looking for Tor connections.

Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring internet traffic.

The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US. [Continue reading…]

Everything you need to know about the NSA and Tor in one FAQ.

Reports in The Guardian and the Washington Post, and the leaked documents: Tor: ‘The king of high-secure, low-latency anonymity’ and ‘Tor stinks’.


How Britain became the most spied on, monitored and surveilled democratic society there has ever been

John Lanchester writes: In August, the editor of the Guardian rang me up and asked if I would spend a week in New York, reading the GCHQ files whose UK copy the Guardian was forced to destroy. His suggestion was that it might be worthwhile to look at the material not from a perspective of making news but from that of a novelist with an interest in the way we live now.

I took Alan Rusbridger up on his invitation, after an initial reluctance that was based on two main reasons. The first of them was that I don’t share the instinctive sense felt by many on the left that it is always wrong for states to have secrets. I’d put it more strongly than that: democratic states need spies.

The philosopher Karl Popper, observing the second world war from his academic post in New Zealand, came up with a great title for his major work of political thought: The Open Society and Its Enemies. It is, in its way, a shocking phrase – why would the open society have enemies? (But then, the title of Charles Repington’s The First World War, published in 1920, was shocking too, because it implied that there would be another one.)

We do have enemies, though, enemies who are in deadly earnest; enemies who wish you reading this dead, whoever you are, for no other reason than that you belong to a society like this one. We have enemies who are seeking to break into our governments’ computers, with the potential to destroy our infrastructure and, literally, make the lights go out; we have enemies who want to kill as many of us, the more innocent the better, as possible, by any means possible, as a deliberate strategy; we have enemies who want to develop nuclear weapons, and thereby vastly raise the stakes for international diplomacy and the threat of terrorism; and we have common-or-garden serious criminals, who also need watching and catching.

I get all that. It doesn’t thrill me to bits that the state has to use the tools of electronic surveillance to keep us safe, but it seems clear to me that it does, and that our right to privacy needs to be qualified, just as our other rights are qualified, in the interest of general security and the common good.

My week spent reading things that were never meant to be read by outsiders was, from this point of view, largely reassuring. Most of what GCHQ does is exactly the kind of thing we all want it to do. It takes an interest in places such as the Horn of Africa, Iran, and North Korea; it takes an interest in energy security, nuclear proliferation, and in state-sponsored computer hacking.

There doesn’t seem to be much in the documents about serious crime, for which GCHQ has a surveillance mandate, but it seems that much of this activity is covered by warrants that belong to other branches of the security apparatus. Most of this surveillance is individually targeted: it concerns specific individuals and specific acts (or intentions to act), and as such, it is not the threat.

Even Julian Assange thinks that, and said as much in his alarming and perceptive book Cypherpunks: “Individual targeting is not the threat.” When the state has specific enemies and knows who they are and the kind of harm they intend, it is welcome to target them to make the rest of our polity safe. I say again, on the evidence I’ve seen, this is mainly what GCHQ does. I would add that the Guardian and its partners have gone to a lot of trouble to prevent any unnecessarily damaging detail about this work being published.

The problems with GCHQ are to be found in the margins of the material – though they are at the centre of the revelations that have been extracted from the Snowden disclosures, and with good reason. The problem and the risk comes in the area of mass capture of data, or strategic surveillance. This is the kind of intelligence gathering that sucks in data from everyone, everywhere: from phones, internet use from email to website visits, social networking, instant messaging and video calls, and even areas such as video gaming; in short, everything digital.

In the US, the Prism programme may have given the NSA access to the servers of companies such as Google and Facebook; in the UK, GCHQ has gained a similar degree of access via its Tempora programme, and the two of them together have cable- and network-tapping capabilities collectively called Upstream, which have the ability to intercept anything that travels over the internet. This data is fed into a database called XKeyscore, which allows analysts to extract information “in real time”, ie immediately, from a gigantic amount of hoovered-up data.

In addition, the NSA has encouraged technology companies to install secret weaknesses or “backdoors” into their commercially available, supposedly secure products. They have spent a very great deal of money ($250m a year alone on weakening encryption), on breaking commercially available security products. Other revelations have been published in Der Spiegel, and concern the NSA exploitation of technology such as the iPhone.

What this adds up to is a new thing in human history: with a couple of clicks of a mouse, an agent of the state can target your home phone, or your mobile, or your email, or your passport number, or any of your credit card numbers, or your address, or any of your log-ins to a web service.

Using that “selector”, the state can get access to all the content of your communications, via any of those channels; can gather information about anyone you communicate with, can get a full picture of all your internet use, can track your location online and offline. It can, in essence, know everything about you, including – thanks to the ability to look at your internet searches – what’s on your mind.

To get a rough version of this knowledge, a state once had to bug phones manually, break into houses and intercept letters, and deploy teams of trained watchers to follow your whereabouts. Even then it was a rough and approximate process, vulnerable to all sorts of human error and countermeasures. It can now have something much better than that, a historically unprecedented panoply of surveillance, which it can deploy in a matter of seconds.

This process is not without supervision, of course. In order to target you via one of these “selectors” – that’s the technical term – the agent of the state will have to type into a box on his or her computer screen a Miranda number, to show that the process is taking place in response to a specific request for information, and will also need to select a justification under the Human Rights Act. That last isn’t too arduous, because the agent can choose the justification from a drop-down menu. This is the way we live now.

And yet nobody, at least in Britain, seems to care. In the UK there has been an extraordinary disconnect between the scale and seriousness of what Snowden has revealed, and the scale and seriousness of the response. One of the main reasons for that, I think, is that while some countries are interested in rights, in Britain we are more focused on wrongs. [Continue reading…]


NSA admits grossly exaggerating effectiveness of mass surveillance in thwarting terrorism

The Washington Times reports: The Obama administration’s credibility on intelligence suffered another blow Wednesday as the chief of the National Security Agency admitted that officials put out numbers that vastly overstated the counterterrorism successes of the government’s warrantless bulk collection of all Americans’ phone records.

Pressed by the Democratic chairman of the Senate Judiciary Committee at an oversight hearing, Gen. Keith B. Alexander admitted that the number of terrorist plots foiled by the NSA’s huge database of every phone call made in or to America was only one or perhaps two — far smaller than the 54 originally claimed by the administration.

Gen. Alexander and other intelligence chiefs have pleaded with lawmakers not to shut down the bulk collection of U.S. phone records despite growing unease about government overreach in the program, which was revealed in documents leaked by former NSA contractor Edward Snowden.

“There is no evidence that [bulk] phone records collection helped to thwart dozens or even several terrorist plots,” Sen. Patrick J. Leahy, Vermont Democrat and committee chairman, told Gen. Alexander of the 54 cases that administration officials — including the general himself — have cited as the fruit of the NSA’s domestic snooping.

“These weren’t all plots and they weren’t all foiled,” he said.

Mr. Leahy and Rep. F. James Sensenbrenner Jr., Wisconsin Republican and author of the USA Patriot Act, which the government says allows bulk data collection, are working on a bill to roll back that authority.

In a summary they floated to colleagues Wednesday, the men said they would end bulk collection and require the NSA to show that the data it is seeking are relevant to an authorized investigation and involve a foreign agent.

The two lawmakers also proposed a special advocacy office with appellate powers to be part of the proceedings in the secret Foreign Intelligence Surveillance Court, and requiring the court to release secret opinions that lay out major interpretations of law.

Mr. Leahy, who has been a chief critic of the NSA, asked Gen. Alexander to admit that only 13 of the 54 cases had any connection at all to the U.S., “Would you agree with that, yes or no?”

“Yes,” Gen. Alexander replied in a departure from normal practice.

Administration officials giving testimony to Congress, even when asked to confine themselves to a simple yes or no, rarely do.

In response to a follow-up question, Gen. Alexander also acknowledged that only one or perhaps two of even those 13 cases had been foiled with help from the NSA’s vast phone records database. [Continue reading…]


NSA had test project to collect data on Americans’ cellphone locations, director says

The Washington Post reports: The National Security Agency began a test project in 2010 to collect data on ordinary Americans’ cellphone locations, but later discontinued it because it had no “operational value,” the agency’s director said Wednesday.

In response to questioning at a Senate hearing, Gen. Keith Alexander said that the secret effort ended in 2011 and that the data collected were never available for intelligence analysis purposes.

“This may be something that is a future requirement for the country, but it is not right now,” given that the FBI is able to gather the location of suspects’ cellphones by obtaining warrants from a court, Alexander told the Senate Judiciary Committee.

The disclosure came just a week after Alexander declined to answer whether the NSA had ever sought the authority to obtain such data. But Sen. Ron Wyden (D-Ore.), an Intelligence Committee member who has been pressing this issue for at least two years, suggested Wednesday that officials were still withholding significant information.

“After years of stonewalling on whether the government has ever tracked or planned to track the location of law abiding Americans through their cell phones, once again, the intelligence leadership has decided to leave most of the real story secret — even when the truth would not compromise national security,” Wyden said in a statement. [Continue reading…]


Edward Snowden’s e-mail provider defied FBI demands to turn over crypto keys, documents show

Wired reports: The U.S. government in July obtained a search warrant demanding that Edward Snowden’s e-mail provider, Lavabit, turn over the private SSL keys that protected all web traffic to the site, according to newly unsealed documents.

The July 16 order came after Texas-based Lavabit refused to circumvent its own security systems to comply with earlier orders intended to monitor a particular Lavabit user’s metadata, defined as “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication.”

The name of the target is redacted from the unsealed records, but the offenses under investigation are listed as violations of the Espionage Act and theft of government property — the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court.

The records in the case, which is now being argued at the 4th U.S. Circuit Court of Appeals, were unsealed today by a federal judge in Alexandria, Virginia. They confirm much of what had been suspected about the conflict between the pro-privacy e-mail company and the federal government, which led to Lavabit voluntarily closing in August rather than compromise the security it promised users. [Continue reading…]


The DEA thinks you have ‘no constitutionally protected privacy interest’ in your confidential prescription records

ACLU Speech, Privacy & Technology Project: The Drug Enforcement Administration thinks people have “no constitutionally protected privacy interest” in their confidential prescription records, according to a brief filed last month in federal court. That disconcerting statement comes in response to an ACLU lawsuit challenging the DEA’s practice of obtaining private medical information without a warrant. The ACLU has just filed its response brief, explaining to the court why the DEA’s position is both startling and wrong.

We represent four patients and a physician in Oregon whose confidential prescription records are contained in a state database that tracks prescriptions for certain drugs. The database, called the Oregon Prescription Drug Monitoring Program (PDMP), was intended to be a public health tool to help physicians avoid drug overdoses and abuse in their patients. Despite a state law requiring law enforcement to obtain a probable cause warrant from a judge before requesting records from the PDMP, the DEA has been requesting records using administrative subpoenas, which do not involve judicial authorization or probable cause. Our clients object to the DEA’s warrantless access to the PDMP because their prescription records reveal deeply private information about their health and medical history, including their gender identity (two of our clients are transgender men taking testosterone as part of their transition from female to male sex) and mental illness (one client takes medication to treat anxiety and post-traumatic stress disorders).

In July, we explained to the court why people have a “reasonable expectation of privacy” in their confidential prescription records and the medical information those records reveal. (Under the Fourth Amendment, if there is a reasonable expectation of privacy in an item or location, law enforcement can generally conduct a search only if it first obtains a warrant). In support of our arguments, we submitted sworn declarations from medical privacy experts, including a scholar of medical ethics and a physician who explained that maintaining the confidentiality of doctor-patient communications is vital to the successful practice of medicine, and an authority on the history of medical ethics who explained that principles of medical confidentiality were well established at the time of the writing of the Fourth Amendment and would have been relied on by the Amendment’s framers.

In its latest brief, the DEA ignores these points and instead argues that the mere fact that our clients’ prescription records are held in a database maintained by a third party—the State of Oregon—means that they have somehow given up their privacy interest in the records. [Continue reading…]


U.S. judge allows lawsuit accusing Google of wiretapping emails

Reuters reports: A federal judge on Thursday refused to dismiss most of a lawsuit against Google Inc over allegations the company improperly scanned the content of customers’ emails in order to place ads.

U.S. District Judge Lucy Koh in San Jose, California ruled that the proposed class action lawsuit against Google can proceed. She rejected Google’s argument that its users had consented to having their email read for the purposes of targeted advertising.

“We’re disappointed in this decision and are considering our options,” Google spokesman Matt Kallman said in an email.

Litigation brought by nine plaintiffs, some Gmail users, some not, was consolidated before Koh earlier this year. The plaintiffs maintain Google violated several laws, including federal anti-wiretapping statutes by systematically crossing the “creepy line” to read private email messages in order to profit, according to court documents.


Press suckered by anti-Google group’s bogus claim that Gmail users can’t expect privacy

TechDirt: Okay, so as a bunch of folks have been sending over today, there’s been a bit of a furor over a press release pushed out by Consumer Watchdog, a hilariously ridiculous group that has decided that Google is 100% pure evil. The “story” claims that Google has admitted in court that there is no expectation of privacy over Gmail. This is not actually true — but we’ll get to that. This story is a bit complex because the claims in most of the news coverage about this are simply wrong — but I still think Google made a big mistake in making this particular filing. So, first, let’s explain why the coverage is completely bogus trumped up bullshit from Consumer Watchdog, and then we’ll explain why Google still shouldn’t have made this filing.

First off, you may recall Consumer Watchdog from previous stunts such as putting together a hilariously misleading and almost 100% factually inaccurate video portrayal of Eric Schmidt, which was all really part of an effort to sell more copies of its founder’s book (something the group flat out admitted to us in an email). They’re not a consumer watchdog site — they’re a group that makes completely hogwash claims to try to generate attention on a campaign to attack Google.

The press release from Consumer Watchdog fits along its typical approach to these things: take something totally out of context, put some hysterical and inaccurate phrasing around it, dump an attention-grabbing headline on it and send it off to the press. In this case, it claimed that Google had said in a court filing that you have no expectation of privacy with Gmail. [Continue reading…]


Our instincts for privacy evolved in tribal societies where walls didn’t exist

Ian Leslie writes: In October 2012 a woman from Massachusetts called Lindsey Stone went on a work trip to Washington DC, and paid a visit to Arlington National Cemetery, where American war heroes are buried. Crouching next to a sign that said ‘Silence and Respect’, she raised a middle finger and pretended to shout while a colleague took her photo. It was the kind of puerile clowning that most of us (well me, anyway) have indulged in at some point, and once upon a time, the resulting image would have been noticed only by the few friends or family to whom the owner of the camera showed it. However, this being the era of sharing, Stone posted the photo to her Facebook profile.

Within weeks, a ‘Fire Lindsey Stone’ page had materialised, populated by commentators frothing with outrage at a desecration of hallowed ground. Anger rained down on Stone’s employer, a non-profit that helps adults with special needs. Her employers decided, reluctantly, that Stone and her colleague would have to leave.

More recently, Edward Snowden’s revelations about the panoptic scope of government surveillance have raised the hoary spectre of ‘Big Brother’. But what Prism’s fancy PowerPoint decks and self-aggrandising logo suggest to me is not so much an implacable, omniscient overseer as a bunch of suits in shabby cubicles trying to persuade each other they’re still relevant. After all, there’s little need for state surveillance when we’re doing such a good job of spying on ourselves. Big Brother isn’t watching us; he’s taking selfies and posting them on Instagram like everyone else. And he probably hasn’t given a second thought to what might happen to that picture of him posing with a joint.

Stone’s story is hardly unique. Earlier this year, an Aeroflot air hostess was fired from her job after a picture she had taken of herself giving the finger to a cabin full of passengers circulated on Twitter. She had originally posted it to her profile on a Russian social networking site without, presumably, envisaging it becoming a global news story. Every day, embarrassments are endured, jobs lost and individuals endangered because of unforeseen consequences triggered by a tweet or a status update. Despite the many anxious articles about the latest change to Facebook’s privacy settings, we just don’t seem to be able to get our heads around the idea that when we post our private life, we publish it.

At the beginning of this year, Facebook launched the drably named ‘Graph Search’, a search engine that allows you to crawl through the data in everyone else’s profiles. Days after it went live, a tech-savvy Londoner called Tom Scott started a blog in which he posted details of searches that he had performed using the new service. By putting together imaginative combinations of ‘likes’ and profile settings he managed to turn up ‘Married people who like prostitutes’, ‘Single women nearby who like to get drunk’, and ‘Islamic men who are interested in other men and live in Tehran’ (where homosexuality is illegal).

Scott was careful to erase names from the screenshots he posted online: he didn’t want to land anyone in trouble with employers, or predatory sociopaths, or agents of repressive regimes, or all three at once. But his findings served as a reminder that many Facebook users are standing in their bedroom naked without realising there’s a crowd outside the window. Facebook says that as long as users are given the full range of privacy options, they can be relied on to figure them out. Privacy campaigners want Facebook and others to be clearer and more upfront with users about who can view their personal data. Both agree that users deserve to be given control over their choices.

But what if the problem isn’t Facebook’s privacy settings, but our own?

A few years ago George Loewenstein, professor of behavioural economics at Carnegie Mellon University in Pittsburgh, set out to investigate how people think about the consequences of their privacy choices on the internet. He soon concluded that they don’t. [Continue reading…]


A cheap spying tool with a high creepy factor

The New York Times: Brendan O’Connor is a security researcher. How easy would it be, he recently wondered, to monitor the movement of everyone on the street – not by a government intelligence agency, but by a private citizen with a few hundred dollars to spare?

Mr. O’Connor, 27, bought some plastic boxes and stuffed them with a $25, credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters. He connected each of those boxes to a command and control system, and he built a data visualization system to monitor what the sensors picked up: all the wireless traffic emitted by every nearby wireless device, including smartphones.

Each box cost $57. He produced 10 of them, and then he turned them on – to spy on himself. He could pick up the Web sites he browsed when he connected to a public Wi-Fi – say at a cafe – and he scooped up the unique identifier connected to his phone and iPad. Gobs of information traveled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.

Even when he didn’t connect to a Wi-Fi network, his sensors could track his location through Wi-Fi “pings.” His iPhone pinged the iMessage server to check for new messages. When he logged on to an unsecured Wi-Fi, it revealed what operating system he was using on what kind of device, and whether he was using Dropbox or went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.

“Actually it’s not hard,” he concluded. “It’s terrifyingly easy.”

Also creepy – which is why he called his contraption “creepyDOL.”

“It could be used for anything depending on how creepy you want to be,” he said.

You could spy on your ex-lover, by placing the sensor boxes near the places the person frequents, or your teenage child, or the residents of a particular neighborhood. You could keep tabs on people who gather at a certain house of worship or take part in a protest demonstration in a town square. Their phones and tablets, Mr. O’Connor argued, would surely leak some information about them – and certainly if they then connected to an unsecured Wi-Fi. The boxes are small enough to be tucked under a cafe table or dropped from a hobby drone. They can be scattered around a city and go unnoticed.

Mr. O’Connor says he did none of that – and for a reason. In addition to being a security researcher and founder of a consulting firm called Malice Afterthought, he is also a law student at the University of Wisconsin at Madison. He says he stuck to snooping on himself – and did not, deliberately, seek to scoop up anyone else’s data – because of a federal law called the Computer Fraud and Abuse Act.

Some of his fellow security researchers have been prosecuted under that law. One of them, Andrew Auernheimer, whose hacker alias is Weev, was sentenced to 41 months in prison for exploiting a security hole in the computer system of AT&T, which made e-mail addresses accessible for over 100,000 iPad owners; Mr. Auernheimer is appealing the case.

“I haven’t done a full deployment of this because the United States government has made a practice of prosecuting security researchers,” he contends. “Everyone is terrified.” [Continue reading…]


64,019 searches: A dark journey into my Google history

Tom Gara writes: Let’s run through a little thought experiment.

Imagine there’s a list somewhere that contains every single webpage you have visited in the last five years. It also has everything you have ever searched for, every address you looked up on Google Maps, every email you sent, every chat message, every YouTube video you watched. Each entry is time-stamped, so it’s clear exactly, down to the minute, when all of this was done.

Now imagine that list is all searchable. And imagine it’s on a clean, easy-to-use website. With all that imagined, can you think of a way a hacker, with access to this, could use it against you?

And once you’ve imagined all that, go over to google.com/dashboard, and see it all become reality.

For a piece complementing today’s story on Google and privacy by the WSJ’s Amir Efrati, I took a deep dive into Google Dashboard, a kind of Grand Central Terminus for all the information the company has stored on you. It’s a truly amazing amount, especially if, like me, you have been a heavy Gmail user since its launch in 2004. As long as you are logged into Gmail, or any other Google account, the company isn’t just keeping track of how you use its own service — it’s noting every site you visit on the web. [Continue reading…]
