US border agents must get warrant before cell phone searches, federal court rules →

A federal district court in New York has ruled that U.S. border agents must obtain a warrant before searching the electronic devices of Americans and international travelers crossing the U.S. border.

The ruling on July 24 is the latest court opinion to upend the U.S. government’s long-standing legal argument, which asserts that federal border agents should be allowed to access the devices of travelers at ports of entry, like airports, seaports and land borders, without a court-approved warrant.

Novel attack against virtually all VPN apps neuters their entire purpose →

Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user’s IP address. The researchers believe it affects all VPN applications when they’re connected to a hostile network and that there are no ways to prevent such attacks except when the user's VPN runs on Linux or Android. They also said their attack technique may have been possible since 2002 and may already have been discovered and used in the wild since then.

Reverse Keyword Search Warrant Upheld at Colorado Supreme Court →

The legal controversy was documented and ruled on by the Colorado Supreme Court in an October 2023 decision, Colorado v. Seymour. The court’s decision to deny the defendant’s suppression motion was a narrow one. However, the decision is one of the first to analyze the constitutionality of reverse warrants when no suspects have been identified.

How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin →

Adtech uses the basic lifeblood of digital commerce—the trail of data that comes off nearly all mobile phones—to deliver valuable intelligence information. Edward Snowden’s 2013 leaks showed that, for a time, spy agencies could get data from digital advertisers by tapping fiber-optic cables or internet choke points. But in the post-Snowden world, more and more traffic like that was being encrypted; no longer could the National Security Agency pull data from advertisers by eavesdropping. So it was a revelation—especially given the public outcry over Snowden’s leaks—that agencies could just buy some of the data they needed straight from commercial entities. One technology consultant who works on projects for the US government explained it this way to me: “The advertising technology ecosystem is the largest information-gathering enterprise ever conceived by man. And it wasn’t built by the government.”

Why You Can No Longer Get Lost in the Crowd →

Obscurity is vital to our well-being for several reasons. It gives us breathing room to go about our daily routines with little fear of being judged, sent unwanted ads, gossiped about or needlessly shamed.

Obscurity makes meaningful and intimate relationships possible, ones that offer solidarity, loyalty and love. It allows us to choose with whom we want to share different kinds of information. It protects us from having everyone know the different roles we play in the different parts of our lives. We need to be able to play one role with our co-workers while revealing other parts of ourselves with friends and family. Indeed, obscurity is one reason we feel safe bonding with others over our shared vulnerabilities, our mutual hopes, dreams and fears.

As Drs. Woodrow Hartzog and Evan Selinger write, "[O]ur failure to collectively value this idea shows where we’ve gone wrong in the debates over data and surveillance."

The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 →

[The credit header] is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards. Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement.

A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officer’s identities, and are selling unfettered access to their criminal cohorts online.

CVS, Rite Aid, Walgreens hand out medical records to cops without warrants →

All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.

Secretive White House Surveillance Program Gives Cops Access to Trillions of US Phone Records →

A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter WIRED obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality.

Privacy is a collective concern →

Because we are intertwined in ways that make us vulnerable to each other, we are responsible for each other’s privacy. I might, for instance, be extremely careful with my phone number and physical address. But if you have me as a contact in your mobile phone and then give access to companies to that phone, my privacy will be at risk regardless of the precautions I have taken.

Why data, not privacy, is the real danger →

While it's creepy to imagine companies are listening in to your conversations, it's perhaps more creepy that they can predict what you’re talking about without actually listening.

DHS bought "shocking amount" of warrantless phone-tracking data, ACLU says →

For years, people have wondered not if, but how much, the Department of Homeland Security accesses mobile location data to monitor US citizens. This week, the American Civil Liberties Union released thousands of heavily redacted pages of documents that provide a "glimpse" of how DHS agencies came to leverage "a shocking amount" of location data, apparently purchasing data without following proper protocols to ensure they had the authority to do so.

American Dragnet | Data-Driven Deportation in the 21st Century →

In its efforts to arrest and deport, ICE has – without any judicial, legislative or public oversight – reached into datasets containing personal information about the vast majority of people living in the U.S., whose records can end up in the hands of immigration enforcement simply because they apply for driver’s licenses; drive on the roads; or sign up with their local utilities to get access to heat, water and electricity.

How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps →

Mr. Lopp, a self-described libertarian who works for a Bitcoin security company, had long been obsessed with the value of privacy, and he set out to learn how thoroughly a person can escape the all-seeing eyes of corporate America and the government.

Face recognition and AI ethics →

We worry about face recognition just as we worried about databases - we worry what happens if they break, and we worry what happens if they work too well.

Exclusive: Government Secretly Orders Google To Identify Anyone Who Searched A Sexual Assault Victim’s Name, Address Or Telephone Number →

While Google deals with thousands of such orders every year, the keyword warrant is one of the more contentious. In many cases, the government will already have a specific Google account that they want information on and have proof it’s linked to a crime. But search term orders are effectively fishing expeditions, hoping to ensnare possible suspects whose identities the government does not know.

Meta loses battle in EU, will ask for consent to show personalized ads →

After five years of fighting legal battles to prevent this undesirable outcome, Meta has finally agreed to ask Instagram and Facebook users in the European Union for consent before targeting them with highly personalized ads, a Wall Street Journal report has revealed.

Federal Judge Makes History in Holding That Border Searches of Cell Phones Require a Warrant | Electronic Frontier Foundation →

With United States v. Smith (S.D.N.Y. May 11, 2023), a district court judge in New York made history by being the first court to rule that a warrant is required for a cell phone search at the border, "absent exigent circumstances".

This Surveillance Artist Knows How You Got That Perfect Instagram Photo →

Earlier this month, a photo [David Welly Sombra Rodrigues] took in Ireland for his more than 7,000 Instagram followers went viral. But he didn't realize it until a friend messaged him, pointing him to a news article about "The Follower,," a digital art project that showed just how much can be captured by webcams broadcasting from public spaces — and how surprising it can be for those who are unwittingly filmed by them.

The artist had paired Instagram photos with video footage that showed the process of taking them.

FBI document shows what data can be obtained from encrypted messaging apps →

A recently discovered FBI training document shows that US law enforcement can gain limited access to the content of encrypted messages from secure messaging services like iMessage, Line, and WhatsApp, but not to messages sent via Signal, Telegram, Threema, Viber, WeChat, or Wickr.

What type of encryption you use and how you use it are pretty important.

Nothing Sacred: These Apps Reserve The Right To Sell Your Prayers →

Pray.com collects data about its users in multiple ways. According to its privacy policy, the company records detailed information about users, including their physical location, the links they click on, and the text of the posts they make. Then, it supplements that information with data from "third-parties such as data analytics providers and data brokers," which can include "your gender, age, religious affiliation, ethnicity, marital status, household size and income, political party affiliation and interests... geographic location, and Personal Information." The policy also says Pray.com shares users' personal information, including identifiers that link their activity to specific devices, with "third parties" for "commercial purposes."

If only we had a nationwide data privacy protection law.

Amazon's Dark Secret: It Has Failed to Protect Your Data →

Some pretty harrowing stories from Wired about Amazon's retail business's security and privacy culture.

Catholic priest quits after "anonymized" data revealed alleged use of Grindr →

In what appears to be a first, a public figure has been ousted after de-anonymized mobile phone location data was publicly reported, revealing sensitive and previously private details about his life.

Private Israeli spyware used to hack cellphones of journalists, activists worldwide →

Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.

Opinion | They Stormed the Capitol. Their Apps Tracked Them. →

A source has provided another data set, this time following the smartphones of thousands of Trump supporters, rioters and passers-by in Washington, D.C., on January 6, as Donald Trump's political rally turned into a violent insurrection. At least five people died because of the riot at the Capitol. Key to bringing the mob to justice has been the event's digital detritus: location data, geotagged photos, facial recognition, surveillance cameras and crowdsourcing.

Inside 'TALON,' the Nationwide Network of AI-Enabled Surveillance Cameras →

"I think of it as the Ring doorbell of [Automated License Plate Recognition]," Sergeant JT Maultsby from the Raleigh Police Department wrote in one July 2019 email to colleagues.

Oh, please no.

Senators seek IG probe of border agency's warrantless use of phone location data →

U.S. Customs and Border Protection officials who have used cellphone location data to track people inside the country without a warrant are refusing to tell members of Congress what gives them the legal right to do so, a group of Democratic senators said.

The problem of course, is that it's almost certainly legal without any justification.

'The Big Shift': Internal Facebook Memo Tells Employees to Do Better on Privacy →

In an internal memo called "The Big Shift", obtained by Big Technology and first reported here, Bosworth called on Facebook employees to prioritize privacy as they built their products, even to the detriment of the user's experience. The public's expectations on privacy were changing, he said, and Facebook's old approach wasn't cutting it anymore.

I'm skeptical.

Facebook will pay more than $300 each to 1.6M Illinois users in settlement →

Millions of Facebook users in Illinois will be receiving about $340 each as Facebook settles a case alleging it broke state law when it collected facial recognition data on users without their consent. The judge hearing the case in federal court in California approved the final settlement on Thursday, six years after legal proceedings began.

Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones →

This report documents the widespread adoption of [mobile device forensic tools] by law enforcement in the United States. Based on 110 public records requests to state and local law enforcement agencies across the country, our research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant. To our knowledge, this is the first time that such records have been widely disclosed.

Every American is at risk of having their phone forensically searched by law enforcement.

Some very common-sense policy recommendations about how to balance law-enforcement and 4th Amendment concerns at the end.

The High Privacy Cost of a "Free" Website – The Markup →

Trackers piggybacking on website tools leave some site operators in the dark about who is watching or what marketers do with the data.

IBM completes successful field trials on Fully Homomorphic Encryption →

Large performance penalties, but within the bounds of usefulness for real problems now. This could allow companies to provide you useful information about your data without ever seeing what your data actually is.

The Spycraft Revolution →

The world of espionage is facing tremendous technological, political, legal, social, and commercial changes. The winners will be those who break the old rules of the spy game and work out new ones. They will need to be nimble and collaborative and — paradoxically — to shed much of the secrecy that has cloaked their trade since its inception.

Total Surveillance Is Not What America Signed Up For →

The incongruity between the robust legal regime around legacy methods of privacy invasion and the paucity of regulation around more comprehensive and intrusive modern technologies has come into sharp relief in an investigation into the location data industry by Times Opinion. The investigation, which builds on work last year by The Time's newsroom, was based on a dataset provided to Times Opinion by sources alarmed by the power of the tracking industry. The largest such file known to have been examined by journalists, it reveals more than 50 billion location pings from the phones of more than 12 million Americans across several major cities.

By analyzing these pings, our journalists were able to track the movements of President Trump's Secret Service guards and of senior Pentagon officials. They could follow protesters to their homes and stalk high-school students across Los Angeles. In most cases, it was child's play for them to connect a supposedly anonymous data trail to a name and an address — to a real live human being.

The collection, aggregation, and sale of personal location data needs to be be banned. Location is yet another way in which we've become the product technology companies are selling.

California Police Have Been Illegally Sharing License Plate Reader Data →

Some of California's largest police departments have been collecting millions of images of drivers' license plates and sharing them with entities around the country—without having necessary security policies in place, in violation of state law, according to a newly released state audit.

Twelve Million Phones, One Dataset, Zero Privacy →

Every minute of every day, everywhere on the planet, dozens of companies — largely unregulated, little scrutinized — are logging the movements of tens of millions of people with mobile phones and storing the information in gigantic data files. The Times Privacy Project obtained one such file, by far the largest and most sensitive ever to be reviewed by journalists. It holds more than 50 billion location pings from the phones of more than 12 million Americans as they moved through several major cities, including Washington, New York, San Francisco and Los Angeles.

Hopefully this wakes some people up. I'm looking forward to the rest of the reporting in this series.

We Built an 'Unbelievable' (but Legal) Facial Recognition Machine →

To demonstrate how easy it is to track people without their knowledge, we collected public images of people who worked near Bryant Park (available on their employers' websites, for the most part) and ran one day of footage through Amazon's commercial facial recognition service. [...] The total cost: about $60.

Losing Our Fourth Amendment Data Protection →

If our privacy extends only as far as we expect it to, then as soon as we begin expecting companies to collect lots of data about us, we stand to lose our Fourth Amendment protections for that data.

In Court, Facebook Blames Users for Destroying Their Own Right to Privacy →

Representing Facebook before U.S. District Judge Vince Chhabria was Orin Snyder of Gibson Dunn & Crutcher, who claimed that the plaintiffs' charges of privacy invasion were invalid because Facebook users have no expectation of privacy on Facebook. The simple act of using Facebook, Snyder claimed, negated any user's expectation of privacy:

There is no privacy interest, because by sharing with a hundred friends on a social media platform, which is an affirmative social act to publish, to disclose, to share ostensibly private information with a hundred people, you have just, under centuries of common law, under the judgment of Congress, under the SCA, negated any reasonable expectation of privacy.

I'm so glad I've never in my life used Facebook. The company cares less than nothing about its users.

How spies can use your cellphone to find you – and eavesdrop on your calls and texts too →

"I don't think most Americans realize how insecure U.S. telephone networks are," Wyden said in a statement. "If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies do something about it. These aren't just hypotheticals."

I'm glad we have at least one tech-savvy Senator.

As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants →

For years, Facebook gave some of the world's largest technology companies more intrusive access to users' personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews.

The real threat to Facebook is the Kool-Aid turning sour →

But the leaks are not the disease, just the symptom. Sunken morale is the cause, and it's dragging down the company.

How to stop morale's downward momentum will be one of Facebook's greatest tests of leadership. This isn't a bug to be squashed. It can't just roll back a feature update. And an apology won't suffice. It will have to expel or reeducate the leakers and those disloyal without instilling a witch hunt's sense of dread. Compensation may have to jump upwards to keep talent aboard like Twitter did when it was floundering. Its top brass will need to show candor and accountability without fueling more indiscretion. And it may need to make a shocking, landmark act of contrition to convince employees it's capable of change.

Why Mark Zuckerberg's 14-Year Apology Tour Hasn't Fixed Facebook →

As far as I can tell, not once in his apology tour was Zuckerberg asked what on earth he means when he refers to Facebook's 2 billion-plus users as "a community" or "the Facebook community." A community is a set of people with reciprocal rights, powers, and responsibilities.

Exactly. It's the same reason I don't love startups who insist they're a family - I don't have the ability to leave my family and I wasn't born into your company. It's a false equivalence. The same is true of calling a mass-market surveillance platform a "community".

The Unlikely Activists Who Took On Silicon Valley — and Won →

At hearings, industry representatives complained that they had been put in the impossible position of either accepting the compromise or fighting a ballot initiative they had no power to change. "The internet industry will not obstruct or block AB 375 from moving forward," the Internet Association announced, "because it prevents the even-worse ballot initiative from becoming law in California." Soltani wryly pointed out that Mactaggart had offered Silicon Valley a take-it-or-leave-it privacy policy — the same kind that Silicon Valley usually offered everyone else.

Such a great story about the power of democracy.

Google+ shutting down after data leak affecting 500,000 users →

Google exposed the private details of almost 500,000 Google+ users and then opted not to report the lapse, in part out of concern disclosure would trigger regulatory scrutiny and reputational damage, The Wall Street Journal reported Monday, citing people briefed on the matter and documents that discussed it.

Understanding differential privacy and why it matters for digital rights - Access Now →

"Differential privacy" is a powerful, sophisticated, often misunderstood concept and approach to preserving privacy that, unlike most privacy-preserving tech, doesn't rely on encryption. It's fraught with complications and subtlety, but it shows great promise as a way to collect and use data while preserving privacy.

This is a good overview, and see parts two and three for a deeper dive into implementations.

How robo-callers outwitted the government and completely wrecked the Do Not Call list →

In 2015, the call-blocking app YouMail estimated that close to a billion robo-calls were being placed every month. Two years later, that number has leapt to 2.5 billion. At best, these calls annoy. At worst, they defraud. By far, they constitute the top consumer complaint received by the FTC.

In theory, there is a fix: the National Do Not Call Registry, created in 2003. Today, 230 million numbers are on it. The point, obviously, is to not be called. And yet the FTC receives 19,000 complaints every day from list members who have, in fact, been called. There is a battle being waged over the inviolability of our telephone numbers — over the right to not be bothered.

You're Browsing a Website. These Companies May Be Recording Your Every Move. →

Analytics software that measures mouse movements or keystrokes has been around for years, says Steven Englehardt, one of the authors of the study. But the technology has typically been used to track groups of users, such as the parts of a web page where visitors linger the longest. The researchers found that FullStory and the other companies are now tracking users individually, sometimes by name.

Dig into the underlying research presented at https://freedom-to-tinker.com/tag/noboundaries/.

U.S. Soldiers Are Revealing Sensitive and Dangerous Information by Jogging →

In war zones and deserts in countries such as Iraq and Syria, the heat map becomes almost entirely dark — except for scattered pinpricks of activity. Zooming in on those areas brings into focus the locations and outlines of known U.S. military bases, as well as of other unknown and potentially sensitive sites — presumably because American soldiers and other personnel are using fitness trackers as they move around.

Good opsec, y'all.

You Are the Product →

What this means is that even more than it is in the advertising business, Facebook is in the surveillance business. Facebook, in fact, is the biggest surveillance-based enterprise in the history of mankind. It knows far, far more about you than the most intrusive government has ever known about its citizens. It's amazing that people haven't really understood this about the company. I've spent time thinking about Facebook, and the thing I keep coming back to is that its users don't realise what it is the company does. What Facebook does is watch you, and then use what it knows about you and your behaviour to sell ads. I'm not sure there has ever been a more complete disconnect between what a company says it does – 'connect', 'build communities' – and the commercial reality.

How Facebook Figures Out Everyone You've Ever Met →

Connections like these seem inexplicable if you assume Facebook only knows what you've told it about yourself. They're less mysterious if you know about the other file Facebook keeps on you — one that you can't see or control.

Behind the Facebook profile you've built for yourself is another one, a shadow profile, built from the inboxes and smartphones of other Facebook users. Contact information you've never given the network gets associated with your account, making it easier for Facebook to more completely map your social connections.

System Shock: How A Cloud Leak Exposed Accenture's Business →

A folder in the bucket titled "Secure Store" contains not only configuration files for the Identity API, but also a plaintext document containing the master access key for Accenture's account with Amazon Web Service's Key Management Service, exposing an unknown number of credentials to malicious use.

Yeah, no one ever thought twice before writing that one down, much less exposing it to the Internet?

US | How Peter Thiel's secretative data company pushed into policing →

privacyandtechnology:

By: Mark Harris (Wired Backchannel)

From the article:

The scale of Palantir's implementation, the type, quantity and persistence of the data it processes, and the unprecedented access that many thousands of people have to that data all raise significant concerns about privacy, equity, racial justice, and civil rights. But until now, we haven't known very much about how the system works, who is using it, and what their problems are. And neither Palantir nor many of the police departments that use it are willing to talk about it. In one of the largest systematic investigations of the company to date, Backchannel filed dozens of public records requests with police forces across America. When Palantir started selling its products to law enforcement, it also laid a paper trail. All 50 states have public records laws providing access to contracts, documents, and emails of local and government bodies. That makes it possible to peer inside the company's police-related operations in ways that simply aren't possible with its national security work.

Read more: full text

Via: Light Blue Touchpaper

Smart TV hack embeds attack code into broadcast signal—no access required →

The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs.

Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence →

Yahoo Inc last year secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials, according to people familiar with the matter.

Mayer and Yahoo General Counsel Ron Bell did not involve the company's security team in the process, instead asking Yahoo's email engineers to write a program to siphon off messages containing the character string the spies sought and store them for remote retrieval, according to the sources.

More than one mistake in that series of events.

The NSA Leak Is Real, Snowden Documents Confirm →

Motherboard is citing former NSA staffers who are convinced another insider smuggled the weapons out of an air-gapped system, while The Intercept has definitively tied the malware to the NSA. Pretty much a worst-case scenario for the agency.

I certainly may not like how the NSA knowingly chooses to target Americans' data, but I agree without reservation with their mandate for digital intelligence-gathering against foreign actors. I don't want their methods exposed nor their digital nuclear weapons available to those enemies. I respect Snowden's responsible disclosure; this is reprehensible.

Legal quirk enabling surveillance state expansion absent Congressional vote →

The Federal Rule of Criminal Procedure was amended to allow judges to sign warrants to allow the authorities to hack into computers outside a judge's jurisdiction as part of a criminal investigation. What's more, Rule 41 would allow judges to use one warrant to search multiple computers anywhere instead of having to get warrants for each computer.

Congress would need to act to overturn the rules by Dec 1.

How hackers eavesdropped on a US Congressman using only his phone number →

A US congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

Watch the full report on 60 Minutes.

Canadian Police Obtained BlackBerry's Global Decryption Key →

According to technical reports by the Royal Canadian Mounted Police that were filed in court, law enforcement intercepted and decrypted roughly one million PIN-to-PIN BlackBerry messages in connection with the probe. The report doesn't disclose exactly where the key — effectively a piece of code that could break the encryption on virtually any BlackBerry message sent from one device to another — came from.

The actual, honest-to-God global master BlackBerry encryption key.

See also Motherboard's reporting on this issue and the revelation that PGP-protected BlackBerrys are also hackable.

Mr. Fart's Favorite Colors →

A funny yet serious look at the encryption debate. I won't spoil it for you.

Apple Prevails in Forced iPhone Unlock Case in New York Court →

In short, whatever else the AWA's "usages and principles" clause may be intended to accomplish, it cannot be a means for the executive branch to achieve a legislative goal that Congress has considered and rejected.

— US Magistrate Judge James Orenstein, New York

A big win for Apple and one that possibly sets up a circuit split between the 2nd and 9th Circuits.

Apple's Motion to Vacate →

At every level of our legal system - from the Constitution, to our statues, common law, rules, and even the Department of Justice's own policies - society has acted to preserve certain rights at the expense of burdening law enforcement's interest in investigating crimes and bringing criminals to justice.

Forceful and compelling, with notable citations of the First and Fifth Amendments and CALEA.

Microsoft, Google, Facebook Back Apple in Blocked Phone Case →

Microsoft Corp. will file an amicus brief next week to support Apple Inc. in its fight with the U.S. government over unlocking a terrorist's iPhone, President and Chief Legal Officer Brad Smith said at a congressional hearing Thursday to discuss the need for new legislation to govern privacy.

About time.

Why you should side with Apple, not the FBI, in the San Bernardino iPhone case →

Either everyone gets security or no one does. Either everyone gets access or no one does. The current case is about a single iPhone 5c, but the precedent it sets will apply to all smartphones, computers, cars and everything the Internet of Things promises. The danger is that the court's demands will pave the way to the FBI forcing Apple and others to reduce the security levels of their smart phones and computers, as well as the security of cars, medical devices, homes, and everything else that will soon be computerized. The FBI may be targeting the iPhone of the San Bernardino shooter, but its actions imperil us all.

Bruce Schneier is one of the leading security and privacy experts in the world and his opinion in this case is no surprise.

Why the FBI's Request to Apple Will Affect Civil Rights for a Generation →

On Tuesday, the United States District Court of California issued an order requiring Apple to assist the FBI in accessing a locked iPhone — and not just any iPhone, but the iPhone 5c used by one of the San Bernardino shooters. The order is very clear: build new firmware to enable the FBI to perform an unlimited, high speed brute force attack and place that firmware on the device.

Dan Guido argues that the request is technically feasible given that Apple can sign firmware updates to the Secure Enclave:

I believe it is technically feasible for Apple to comply with all of the FBI's requests in this case. On the iPhone 5C, the passcode delay and device erasure are implemented in software and Apple can add support for peripheral devices that facilitate PIN code entry. In order to limit the risk of abuse, Apple can lock the customized version of iOS to only work on the specific recovered iPhone and perform all recovery on their own, without sharing the firmware image with the FBI.

Despite the technical feasibility and the emotion of a terrible domestic terrorism case, Apple is fighting this order as the act of coercing a company to defeat their own security measures using a law from 1789 could lead to dangerous precedence for future cases and for encryption at large. Tim Cook's letter shows that Apple well understands the legal precedent this could set and is resolutely opposed:

The United States government has demanded that Apple take an unprecedented step which threatens the security of our customers. We oppose this order, which has implications far beyond the legal case at hand.

I applaud Apple's stance and support the continued adoption of strong encryption and security measures to protect us from government and criminals alike.

Spying on Congress and Israel: NSA Cheerleaders Discover Value of Privacy Only When Their Own Is Violated →

Now do things change?

Meet the woman in charge of the FBI's most controversial high-tech tools →

Privacy advocates also worry that to carry out its hacks, the FBI is using "zero-day" exploits that take advantage of software flaws that have not been disclosed to the software maker. That practice makes consumers who use the software vulnerable, they argue.

Hess acknowledged that the bureau uses zero-days — the first time an official has done so.

The National Security Letter Has Been Uncloaked →

Among other things, the FBI was demanding a target's complete Web browsing history, IP addresses of everyone a person has corresponded with, and records of all online purchases, according to a court document unveiled Monday. All that's required is an agent's signature denoting that the information is relevant to an investigation.

California cops, want to use a stingray? Get a warrant, governor says →

On Thursday, California Governor Jerry Brown signed a bill into law that requires police get a warrant to use a stingray during investigations. The devices, which are also known as cell-site simulators, are usually used to locate a phone but can also in some cases intercept calls and text messages.

The law, known as the California Electronic Communications Privacy Act, imposes other sweeping new requirements to enhance digital privacy, and imposes a warrant requirement before police can access nearly any type of digital data produced by or contained within a device or service.

Huge win for California citizens and likely to effect similar changes across state legislatures.

USA Freedom Act fails as senators reject bill to scrap NSA bulk collection →

Those want a straight extension of the Patriot Act are in a distinct minority and supporters of the USA Freedom Act still cannot muster the necessary super majority to advance the bill. The result means those who are more than happy to simply let Section 215 expire on May 31 are in the driver's seat.

More good news.

NSA phone dragnet is illegal, appeals court rules →

The National Security Agency's bulk telephone metadata collection program exposed by Edward Snowden is not authorized by the Patriot Act, a federal appeals court ruled Thursday.

Hallelujah!

Suite of Sophisticated Nation-State Attack Tools Found With Connection to Stuxnet →

Wired:

For nearly a year, the researchers [Kaspersky] have been gradually collecting components that belong to several highly sophisticated digital spy platforms that they say have been in use and development since 2001, possibly even as early as 1996, based on when some command servers for the malware were registered. They say the suite of surveillance platforms, which they call EquationLaser, EquationDrug and GrayFish, make this the most complex and sophisticated spy system uncovered to date.

See also Ars Technica:

The accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

The attackers managed to rewrite hard drives' firmware to enable persistence. Reuters quotes sources saying it was in fact the NSA and quotes Kaspersky's argument:

The authors of the spying programs must have had access to the proprietary source code that directs the actions of the hard drives. That code can serve as a roadmap to vulnerabilities, allowing those who study it to launch attacks much more easily.

"There is zero chance that someone could rewrite the [hard drive] operating system using public information," [lead Kaspersky researcher Costin Raiu] said.

Incredible.

The Messy Media Ethics Behind The Sony Hacks →

The answers to these questions, and the way these documents are handled and discussed in the weeks and years to come, aren't limited to the journalism ethics classroom. [...] When it comes to future handling of such information, the gray area in which they reside — between public and private, between prurient and illuminating — might not be the exception, but the new normal. The stance that journalists and academics take on these documents has the potential to guide our nation's understanding of how we treat the compromise of the 21st century's most valuable commodity, for both individuals and corporations: privacy.

The new reality is that journalists simply do not own the news cycle. [...] The new role of journalists, for better or for worse, isn't as gatekeepers, but interpreters: If they don't parse it, others without the experience, credentials, or mindfulness toward protecting personal information certainly will.

Keeping Secrets →

The history of Hellman's (and Stanford's) fight to publish his cryptographic research against the objections of the NSA.

NSA Core Secrets: Sentry Eagle →

Some more disturbing stuff in the latest set of NSA leaks. Given, the fact that the NSA works with foreign and domestic companies and gained physical access to infrastructure isn't new, but the stuff that is is scary and the list of ECI program descriptions is telling:

In addition to so-called "close access" operations, the NSA's "core secrets" include the fact that the agency works with U.S. and foreign companies to weaken their encryption systems; the fact that the NSA spends "hundreds of millions of dollars" on technology to defeat commercial encryption; and the fact that the agency works with U.S. and foreign companies to penetrate computer networks, possibly without the knowledge of the host countries. Many of the NSA's core secrets concern its relationships to domestic and foreign corporations.

Edward Snowden: The Untold Story →

The best biography I've seen on Snowden and his motivations yet.

What Does the Facebook Experiment Teach Us? →

Whether it's couched as research or operations, people don't want to think that they're being manipulated. So when they find out what soylent green is made of, they're outraged. This study isn't really what's at stake. What's at stake is the underlying dynamic of how Facebook runs its business, operates its system, and makes decisions that have nothing to do with how its users want Facebook to operate. It's not about research. It's a question of power.

As usual, great insight from danah boyd.

Microsoft Fights U.S. Search Warrant for Overseas E-mails →

Microsoft, one of the world's largest e-mail providers, is resisting a government search warrant to compel the firm to turn over customer data held in a server located overseas.

Specifically, hosted in a datacenter in Dublin, Ireland. This is an entirely novel legal argument, however.

Microsoft argues that for data held overseas, the U.S. government should abide by its mutual legal assistance treaties, or MLATs. Those are agreements between the United States and foreign countries that typically require the requesting government to be in compliance with the other government's laws. Irish law requires authorization from an Irish district court judge to obtain e-mail content from a provider.

Seems pretty obvious that since we have chosen to comply with EU data protection regulations by hosting European users' data in Ireland, that data should be subject to the legal protections of those regulations.

Ars Spies on an NPR Reporter →

An amazingly revealing experiment about the online services we use everyday.

Critical Crypto Bug in OpenSSL →

Another day, another broken implementation of web security in a popularly-used product. CVE-2014-0160 is melting the Internet, and we're going to be dealing with the fallout for quite some time. A lot of engineers are not going home tonight...

How to Protect Your iCloud Keychain from the NSA →

There's more technical detail in here than even I can follow, but it sounds like on the whole Apple put some seriously impressive technical effort into securing iCloud, Keychain, and other personal data backed up from iOS. Props to them.

Why Is Everyone Disappointed by Google Buying Nest? →

It's a strange set of affairs: an innovative young company led by some of the best engineers and executives in the business being acquired and validated by one of the great American businesses of the past 20 years should be a slam dunk of good PR. Instead, there's a chorus of concern — some sincere, some contrived, but all of it grounded in fear of an unchecked Google.

I was really hoping that Nest would continue down their path of building wonderful experiences for their users instead of selling their users out. Google doesn't care about the users, just Nest's data and what it can do with it.

The NSA Uses Powerful Toolbox in Effort to Spy on Global Networks →

I've heard of the NSA's TAO unit before, but some of the stuff described in this article sounds fantastical - using Windows Error Reporting to identify programs and vulnerabilities in conjunction with XKeyscore and physically intercepting online electronics purchases. I'm impressed and terrified at the same time.

Facebook Is Tracking What You Don't Do on Facebook →

Adam Kramer, a data scientist at Facebook, and Sauvik Das, a summer Facebook intern, tracked two things for the study: the HTML form element where users enter original status updates or upload content and the comment box that allows them to add to the discussion of things other people have posted. A “self-censored” update counted as an entry into either of those boxes of more than five characters that was typed out but not submitted for at least the next 10 minutes.

Interesting and clever approach, and completely understandable from Facebook's perspective. When and why people aren't posting is an important point for them to understand, just as a business might want to understand their conversion rate through various marketing efforts or their funnel abandonment.

How the NSA tracks cell phone locations →

Was waiting for this "revelation" for quite a while longer than I expected to be. Now we know for sure the Director of National Intelligence James Clapper and NSA chief Keith Alexander repeatedly lied about the answer to this question on multiple occasions.

NSA Files Decoded: Edward Snowden's Surveillance Revelations Explained →

Wonderfully designed interactive look at the NSA controversy and what it means.

C.I.A. Is Said to Pay AT&T for Call Data →

Here I might have thought they only responded to legal threats, but apparently millions of dollars will also do it.

How a Purse Snatching Led to the Legal Justification for NSA Domestic Spying →

A breakdown of the precedent for metadata surveillance set in Smith v. Maryland.

Web Privacy, and How Consumers Let Down Their Guard →

Intriguing experiments by Alessandro Acquisti, a behavioral economist, suggest that people often reveal more than they mean to online.

A researcher at Carnegie Mellon, Mr. Acquisiti teaches courses on the economics and psychology of privacy under a program called privacy engineering.

Everything We Know About What Data Brokers Know About You →

Everything that's worth selling.

Carnegie Mellon Voice Verification Technology Prevents Impersonators From Obtaining Voiceprints →

The system would enable people to register or check in on a voice authentication system, without their actual voice ever leaving their smartphone. This reduces the risk that a fraudster will obtain the person's voice biometric data, which could subsequently be used to access bank, health care or other personal accounts.

Preventing the transmission of voice data from client to server doesn't seem to be the major problem with voiceprint authentication to me, since in every spy movie they just record the person while they're talking...

Poll Shows Low Opinion of Facebook →

In the poll of U.S. adults published Tuesday, only 13 percent said they trust Facebook "completely" or "a lot" when it comes to keeping their personal information private. A majority, or 59 percent, said they trust Facebook "only a little," or "not at all."

Surprised?

I'm Being Followed: How Google - and 104 Other Companies - Are Tracking Me on the Web →

Companies' ability to track people online has significantly outpaced the cultural norms and expectations of privacy. This is not because online companies are worse than their offline counterparts, but rather because what they can do is so, so different.

Not only are these (numerous) companies getting better at tracking us, a lot of times we're unsure of what the privacy expectations should be around that tracking. But Madrigal anticipates where the uncertainty leads if we don't set cultural expectations on online privacy:

The current levels of machine intelligence insulate us from privacy catastrophe, so we let data be collected about us. But we know that this data is not going away and yet machine intelligence is growing rapidly. The results of this process are ineluctable. Left to their own devices, ad tracking firms will eventually be able to connect your various data selves. And then they will break down the name wall, if they are allowed to.

Another fantastic article from The Atlantic.

Privacy is not an Option →

And as with the opt-in security settings of the past, today's opt-in privacy settings are leading to all sorts of problems. Every day we see headlines about privacy violations that could've been avoided if we used software that didn't treat privacy as an option.

Fitting analogy for the state of technology today. What will it take for companies to make privacy a default, not an option?

My Smartphone, the Spy: Protecting Privacy in a Mobile Age →

The last time Congress re-wrote electronic privacy law was in 1986. Obviously, communication technologies have changed dramatically in the last quarter-century. The legal categories Congress established then don't necessarily make much sense today.

What are the chances Congress ever decides these need updating? In the mean time, encrypt your data and keep it locally to avoid the third-party doctrine.

Facebook Is Using You →

Last week, Facebook filed documents with the government that will allow it to sell shares of stock to the public. It is estimated to be worth at least $75 billion. But unlike other big-ticket corporations, it doesn't have an inventory of widgets or gadgets, cars or phones. Facebook's inventory consists of personal data — yours and mine.

If you're not being charged for the product, you are the product.

Europe Proposes a "Right To Be Forgotten" →

European Union Justice Commissioner Viviane Reding has proposed a sweeping reform of the EU's data protection rules, claiming that the proposed rules will both cost less for governments and corporations to administer and simultaneously strengthen online privacy rights. Chief among the new proposals is a "right to be forgotten" that will allow people to demand that organizations that hold their data delete that data, as long as there is no legitimate grounds to hold it.

Judge: Americans Can Be Forced to Decrypt Their Laptops →

American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.

Note that while the DOJ agrees, the U.S. Supreme Court has never ruled on the topic and a federal judges in Michigan ruled the opposite way in March 2010.

Opt-Out of Facebook Permissions →

Nice little Chrome plugin that modifies the permissions Facebook apps are asking for so you can opt-out.

iSpy Detects Text Typed on Smartphones →

The method exploits a feature meant to aid typing on small touchscreens: magnified keys. iSpy can identify text typed on a touchscreen from video footage of the screen or even its reflection in windows or sunglasses. Video from an ordinary mobile phone camera can be used to spy on a person from 3 metres away. And a snoop with a digital SLR camera that shoots HD video could read a screen up to 60 metres away.

"We were surprised at how well [this idea] worked."

Bonus points for the fact that one of the researchers is a former Hopkins professor and for a quote from a current Hopkins professor.

F.T.C. Settles Privacy Issue at Facebook →

Accusing Facebook of engaging in "unfair and deceptive" practices, the federal government on Tuesday announced a broad settlement that requires the company to respect the privacy wishes of its users and subjects it to regular privacy audits for the next 20 years.

First Google, now Facebook. Guess Microsoft was really ahead of the curve on the whole 'judicial oversight' thing.

Using Credit Cards to Target Web Ads →

The two largest credit-card networks, Visa Inc. and MasterCard Inc., are pushing into a new business: using what they know about people's credit-card purchases for targeting them with ads online.

Over my dead body.

MasterCard doesn't collect people's names or addresses when processing credit-card transactions. That makes it tricky to directly link people's card activity to their online profiles, ad executives said. The company's document describes its "extensive experience" linking "anonymized purchased attributes to consumer names and addresses" with the help of third-party companies.

"Extensive experience", huh. That's not worrisome.

The trove of details about people's credit-card activity would be a gold mine, ad executives say, because it illuminates a person's budget, where they shop, what they buy and how they spend their time. "The combination of actual purchase behavior with attitudinal and demographic information provides an unparalleled understanding of the consumer," MasterCard's document says.

Unparalleled and downright scary. The whole article is full of other statements that are frightening.

Google Puts a Price on Privacy →

Ben Brooks:

Sean Sperte reflecting on the recent changes to Google searches:

It means, though, that Google's privacy policies are being dictated by money. That can't be a good thing.

It was a matter of time.

Researchers Can Keylog Your PC Using Your iPhone's Accelerometer →

Researchers at Georgia Tech and MIT have developed a proof of concept to demonstrate that it is possible to record a computer user's keystrokes using an iPhone 4's accelerometer. The researchers developed a method to accurately translate the vibrations from typing on a keyboard picked up by the device's accelerometer when placed on a desk near a PC.

Probably cooler than using the accelerometer as a keylogger on a touchscreen phone as I posted last month.

Facebook Re-Enables Controversial Tracking Cookie →

Kinda sorta. From a Facebook engineer in the comments:

We have been made aware of 2 instances in the past 2 weeks related to cookies which needed to be addressed. What you describe in this post is not a re-enabling of anything, but a separate issue involving a limited number of sites, including CBSSports.

It's starting to sound like either Facebook doesn't know where their cookies go and how they'e used, or their whole cookie management system is riddled with bugs. Both ignorance and incompetence are confidence-inspiring.

Facebook Fixes and Explains Logout Issue →

Facebook has fixed a "bug" where a cookie containing your account ID persisted after logout. But the remaining cookies...

...by the very purpose they serve, uniquely identify the browser being used - even after logout. As a user, you have to take Facebook at their word that the purpose of these cookies is only for what is being described.

Facebook Defends Getting Data From Logged-Out Users →

Facebook responds to the tracking allegations with comments to the Wall Street Journal:

Facebook on Monday defended its practice of gathering data from "Like" buttons even after users have logged out, saying that the collection is part of a system to prevent improper logins and that the information is quickly deleted.

Sounds like no one's denying this is actually true.

Arturo Bejar, a Facebook director of engineering, said that the data is required to prevent spam and phishing attacks and to help keep users from having to go through extra authentication steps every time they log in.

"The onus is on us is to take all the data and scrub it," said Bejar. "What really matters is what we say as a company and back it up."

That's funny, Facebook. I really don't trust what you say.

Logging Out of Facebook Is Not Enough →

The privacy concern here is that because you no longer have to explicitly opt-in to share an item, you may accidentally share a page or an event that you did not intend others to see.

The advice is to log out of Facebook. But logging out of Facebook only de-authorizes your browser from the web application. A number of cookies (including your account number) are still sent along to all requests to facebook.com. Even if you are logged out, Facebook still knows and can track every page you visit. The only solution is to delete every Facebook cookie in your browser, or to use a separate browser for Facebook interactions.

Subsequent requests to Facebook as a signed-out user still send nine different cookies, including your account number, to Facebook or to any page that interfaces with Facebook.

How I Tracked Down an Entire Family From One Tweet →

I've gone from one tweet to knowing an entire family's names, location, address, contact details, what they look like, how they are connected to the military and, potentially, where a part of the US army is coming under fire.

Obama Eyeing Internet ID for Americans →

President Obama is planning to hand the U.S. Commerce Department authority over a forthcoming cybersecurity effort to create an Internet ID for Americans, a White House official said here today.

"We are not talking about a government-controlled system," U.S. Commerce Secretary Gary Locke said.

The Nervous Breakdown →

With the rise of new media has come the redefinition of privacy. No longer is privacy simply the condition of withdrawal from public view or company; it now suggests the active ability to control what the public sees of you, as well as your availability to said company. And in light of the social network revolution, the significance of popularity is also being reconsidered.

Well-written perspective on a Facebook deactivation.

What if the Facebook (Un)Privacy Revolution Is a Good Thing? →

Scary 'cause I'm not exactly sure he's wrong about Facebook continuously changing the definition of online privacy.

The Evolution of Privacy on Facebook →

If you don't want it on the whole Internet, don't put it on the Internet.

Facebook: Privacy Enemy Number One? →

I don't normally appreciate anything written in PC Magazine, but this editorial on the privacy impact of Facebook's "like" button is pretty good.