We recently wrote about a somewhat surprising ruling by the appeals court in the DC circuit saying that long-term use of a GPS to track someone without a warrant violated the 4th Amendment. What was surprising about this is that, while state courts had ruled similarly, the federal courts had almost universally ruled that such tracking was legal. While that case will almost certainly be appealed and seems to have a decent likelihood of ending up before the Supreme Court, it's apparently already impacting some rulings elsewhere. Chris Soghoian notes that a federal magistrate judge recently rejected the government's request for historical cell site data from Sprint, because the government failed to show probable cause (as required under the 4th Amendment):
What's notable is that the judge admits to having approved similar requests in the past, but refuses to do so this time, as a result of that recent ruling, and noting that the reasoning highlighted that technology is changing the way many view things concerning privacy and surveillance:
The decision in Maynard is just one of several rulings in recent years reflecting a growing recognition, at least in some courts, that technology has progressed to the point where a person who wishes to partake in the social, cultural, and political affairs of our society has no realistic choice but to expose to others, if not to the public as a whole, a broad range of conduct and communications that would previously have been deemed unquestionably private....
As a result of such decisions, I believe that magistrate judges presented with ex parte requests for authority to deploy various forms of warrantless location-tracking must carefully re-examine the constitutionality of such investigative techniques, and that it is no longer enough to dismiss the need for such analysis by relying on cases such as Knotts or, as discussed below, Smith v. Maryland.... For the reasons discussed below, I now conclude that the Fourth Amendment prohibits as an unreasonable search and seizure the order the government now seeks in the absence of a showing of "probable cause, supported by Oath or affirmation[.]"
Nice to see some judges recognizing this, though it remains to be seen how many others will agree... and how the Supreme Court reacts to all of this.
Of course, the more pertinent question may be how secure BlackBerry communications have ever been. One of the big complaints from the UAE and Saudi Arabia (and others) is that they believe RIM already lets certain governments access content flowing across their network. And, of course, no one seems willing to come out with a straight answer one way or the other on whether or not that's an accurate statement. However, as the NY Times article above makes clear, whether or not governments really do have access to RIM's network probably isn't as meaningful as some believe, since there are multiple different potential points of access for anyone wishing to monitor messages. About the only thing that is clear is that if you're communicating online, it's probably best to assume that, sooner or later, someone other than the intended recipients will probably see it.
from the can't-destroy,-can't-share,-can't-have dept
As governments around the world continue to go overboard in their condemnations of Google's (admittedly bad) collection of open WiFi data via its Street View cars, much more interesting than the political grandstanding is the legal limbo mess that the collected data has been placed into. After realizing that it had accidentally collected this data, Google announced that it would stop collecting and begin deleting the data it collected (Update: more specifically, it said it wanted to delete the data, but would discuss with regulators before doing so). But that raised alarm bells from some, who worried that doing so would be deleting evidence for a possible lawsuit against Google. Then, governments started demanding that Google share the data with regulators, so they could determine how serious a privacy breach this really was. However, Google is noting that sharing the data would be a violation of privacy rights in many countries, pissing off regulators who put those privacy laws in place in the first place.
So... Google can't collect this data, but it can't delete the data it accidentally collected. Regulators want to see the data to see if it's okay for Google to delete it, but they can't see it, because that would violate privacy regulations. But, regulators feel they need to see it, to see if Google violated privacy regulations. So, basically everyone's stuck in a state of limbo.
You may recall the news story from last year about some teenaged girls in Pennsylvania who were being threatened with child porn charges, after taking "nude and semi-nude" photos of themselves on a mobile phone during a party, and sending them to others. The judge halted the potential lawsuit, noting that the nude photos didn't appear to depict any sexual acts (as per the law), but the local prosecutor still wanted to file charges. As more and more details came out, the whole thing got increasingly ridiculous. Apparently, the girls in question were given a choice to either take a "re-education" class, or face charges.
And now, reader Pickle Monger points out that one of the girls, along with the ACLU, is suing the school district itself, claiming that it violated the girl's privacy. Apparently, the way the school found out about the photos was that it had confiscated her mobile phone, after she was caught making a phone call on school grounds, against school rules. There's no problem with confiscating the phone, of course, but then the school searched through the phone and found those photos. It's the search that the ACLU and the student are questioning. The school had no reason to search through the phone, or to look at the photos stored on the phone after it had confiscated it.
Late last week, of course, Google 'fessed up to the fact that it was accidentally collecting some data being transmitted over open WiFi connections with its Google Street View mapping cars. As we noted at the time, it was bad that Google was doing this and worse that they didn't realize it. However, it wasn't nearly as bad as some have made it out to be. First of all, anyone on those networks could have done the exact same thing. As a user on a network, it's your responsibility to secure your connection. Second, at best, Google was getting a tiny fraction of any data, in that it only got a quick snippet as it drove by. Third, it seemed clear that Google had not done anything with that collected data. So, yes, it was not a good thing that this was done, but the actual harm was somewhat minimal -- and, again, anyone else could have easily done the same thing (or much worse).
That said, given the irrational fear over Google collecting any sort of information in some governments, this particular bit of news has quickly snowballed into investigations across Europe and calls for the FTC to get involved in the US. While one hopes that any investigation will quickly realize that this is not as big a deal as it's being made out to be, my guess is that, at least in Europe, regulators will come down hard on Google.
However, going to an even more ridiculous level, the class action lawyers are jumping into the game. Eric Goldman points us to a hastily filed class action lawsuit filed against Google over this issue. Basically, it looks like the lawyers found two people who kept open WiFi networks, and they're now suing Google, claiming that its Street View operations "harmed" them. For the life of me, I can't see how that argument makes any sense at all. Here's the filing:
Basically, you have two people who could have easily secured their WiFi connection or, barring that, secured their own traffic over their open WiFi network, and chose to do neither. Then, you have a vague claim, with no evidence, that Google somehow got their traffic when its Street View cars photographed the streets where they live. As for what kind of harm it did? Well, there's nothing there either.
My favorite part, frankly, is that one of the two people involved in bringing the lawsuit, Vicki Van Valin, effectively admits that she failed to secure confidential information as per her own employment requirements. Yes, this is in her own lawsuit filing:
Van Valin works in the high technology field, and works from her home over her internet-connect computer a substantial amount of time. In connection with her work and home life, Van Valin transmits and receives a substantial amount of data from and to her computer over her wireless connection ("wireless data"). A significant amount of the wireless data is also subject to her employer's non-disclosure and security regulations.
Ok. So your company has non-disclosure and security regulations... and you access that data unencrypted over an unencrypted WiFi connection... and then want to blame someone else for it? How's that work now? Basically, this woman appears to be admitting that she has violated her own company's rules in a lawsuit she's filed on her behalf. Wow.
While there's nothing illegal about setting up an open WiFi network -- and, in fact, it's often a very sensible thing to do -- if you're using an open WiFi network, it is your responsibility to recognize that it is open and any unencrypted data you send over that network can be seen by anyone else on the same access point.
This is clearly nothing more than a money grab by some people, and hopefully the courts toss it out quickly, though I imagine there will be more lawsuits like this one.
Ah, modern technology. Michael Geist points us to the story of a woman in Canada who is suing her mobile phone provider, Rogers, for supposedly "revealing" the fact that she was having an affair. Basically, she had a mobile phone account with Rogers under her maiden name, which she used to have long chats with someone she was having an affair with. Her husband had set up the family's cable TV service, also from Rogers. At one point, he called Rogers to add internet and home phone service to the account, and Rogers then mailed a "global" bill that included all accounts. In looking over the bill, the husband noticed the long phone calls all to one number, and called it, and got the guy to admit to the affair. Following that, he left the wife.
Now the woman, whose husband walked out, is suing the communications giant for $600,000 for alleged invasion of privacy and breach of contract, the results of which she says have ruined her life.
I don't know, but I'd have to say that, perhaps, having the affair was the key problem here, rather than the bill. Hell, the husband could have just as easily opened the original mobile phone bill which was sent to the same house. It doesn't say so, but it seems likely that when the guy called to add services, Rogers asked if he wanted the bills consolidated and the guy just said yes.
Furthermore, the whole thing gets more bizarre later, when the story also claims that the "jilted third-party" later got access to the woman's voicemail and "harassed" her and "taunted" her (ex-)husband. And, on top of that, the article later notes "the wrongdoing that occurred in 2007 reoccurred" because the phone was still being billed to her husband's account in 2009. This part is left vague, but, it makes you wonder why two years after her husband had left her, she hadn't set up separate phone service for herself.
I'm sure it sucks to have all that happen, but it seems like a pretty big stretch to blame your mobile phone provider for the affair you had that caused your spouse to leave you...
A couple months ago, we wrote about Julian Sanchez's realization (due to odd choices in gov't agencies redacting already publicly available info) that it appeared the government was likely regularly getting location info from mobile phone providers on users, using a much lower standard, without much oversight. In a somewhat related case, a court is now trying to determine if the location info on your mobile phone requires a warrant. The federal government is saying, no, claiming that Americans have no expectation of privacy as to where their phone is (even though that's likely where they are as well).
That seems like a very troubling bit of reasoning -- but no surprise from a federal government that, for years, has been stretching its ability to secretly spy on Americans. Hopefully the court shuts this down, but just the fact that the government would defend such a blatant overreach is troubling enough.
We've had numerous discussions on this site about both the legality and ethics of open WiFi networks. And yet, the issue still comes up now and again -- but who knew it was a Constitutional issue? Thomas O'Toole shares the news of a ruling in Oregon, that suggests a user who left his WiFi open gave up certain 4th Amendment rights to privacy. Though, actually, the details of the case suggest it's not so much the open WiFi that's the issue, but the fact that the guy also left illegal material in shared Limewire and iTunes folders. It was just that police were able to confirm that by connecting to his open WiFi. But the court does make a specific statement on the WiFi issue, noting:
"as a result of the ease and frequency with which people use each others' wireless networks, I conclude that society recognizes a lower expectation of privacy in information broadcast via an unsecured wireless network router than in information transmitted through a hardwired network or password-protected network."
While O'Toole doesn't think there's anything earth shattering about this, I'm not sure I agree. I think, in this case, the guy probably gave up rights to privacy by putting the content in shared folders that were available widely -- but I don't think that just because you're using an open WiFi network you've set yourself a "lower expectation of privacy." I would suspect that most users have no idea that it's less secure, and I wonder why the type of network used should really determine the level of 4th Amendment protections.
from the yeah,-because-the-eavesdroppers-care dept
The big news in security circles this week is the fact that a security researcher claims to have cracked the encryption used to keep GSM mobile phone calls private. It looks like he and some collaborators used a brute force method. He admits that it requires about $30,000 worth of equipment to decrypt calls in real-time, but that's pocket change for many of the folks who would want to make use of this. What's much more interesting (and worrisome) is the GSM Association's (GSMA) response to this news:
"This is theoretically possible but practically unlikely," said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. "What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me."
There are so many things wrong with that statement it's hard to know where to begin. First, claiming it's "theoretically possible, but practically unlikely" means that it's very, very possible and quite likely. To then say that no one else had broken the code since its adoption fifteen years ago is almost certainly false. What she means is that no one else who's broken the code has gone public with it -- probably because it's much more lucrative keeping that info to themselves. Next, blaming the messenger by announcing that cracking the code is "illegal in Britain and the United States" is not what anyone who uses a GSM phone should want to hear. They should want to know how the GSMA is responding and fixing the problem -- not how they're responding to the public release. Finally, if it's "beyond" her why cracking a code used for private conversations and showing that it's insecure is all about being concerned about "privacy" -- she should be looking for a different job. This has everything to do with privacy. The GSMA claims that the code is secure for private conversations, and this group of folks is showing that it is not. That seems to have everything to do with privacy.
Last year, it became clear that REAL ID was dead on arrival as pretty much everyone was against it, and states were refusing to implement it. With the changing of the administration, it seemed like REAL ID was finally going to die completely... but apparently not just yet. EFF alerts folks to the fact that the same concept has basically been reintroduced under the name PASS ID, as if that would trick people:
The plan sounds equally bad and unnecessary:
Proponents seem to be blind to the systemic impotence of such an identification card scheme. Individuals originally motivated to obtain and use fake IDs will instead use fake identity documents to procure "real" drivers' licenses. PASS ID creates new risks -- it calls for the scanning and storage of copies of applicants' identity documents (birth certificates, visas, etc.). These documents will be stored in databases that will become leaky honeypots of sensitive personal data, prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database. Despite some alterations to the scheme, PASS ID is still bad for privacy in many of the same ways the REAL ID was.
But why let that stop the gov't from coming up with more ways to keep tabs on you?