Hoping To Combat ISP Snooping, Mozilla Enables Encrypted DNS

from the encrypt-ALL-the-things! dept

Historically, like much of the internet, DNS hasn't been all that secure. That's why Mozilla last year announced it would begin testing something called "DNS over HTTPS," a significant security upgrade to DNS that encrypts and obscures your domain requests, making it more difficult (though not impossible) to see which websites a user is visiting. Obviously, this puts a bit of a wrinkle in government, telecom, or other organizational efforts to use DNS records to block and filter content, or track and sell user activity.

As a result, a lot of these folks have been throwing temper tantrums in recent weeks.

The telecom sector, which makes plenty of cash selling your daily browsing habits, have spent much of the last year trying to demonize the Google and Mozilla efforts any way they can, from insisting the move constitutes an antitrust violation on Google's part (it doesn't), to saying it's a threat to national security (it's not), to suggesting it even poses a risk to 5G deployments (nah, that's an entirely different mess). Mozilla's response to telecoms' face fanning? To first urge Congress to investigate telecom's long history of privacy abuses, then proceeding this week to enable the feature by default in the Mozilla browser.

In a blog post, Mozilla explains its thinking as such:

"At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit."

While there's a lot of overheated rhetoric about the risk of DNS over HTTPS from the likes of big telecom and government surveillance aficionados, there are some legitimate concerns about the standard from more above-board cybersecurity professionals. They'll be quick to note there's several other points at which ISPs can still engage in data surveillance and sales. They'll also argue that DNS over HTTPS really complicates life for enterprise IT managers, and in some instances encrypted DNS could derail existing cybersecurity solutions or parental control solutions.

Mozilla says it's listening to these complaints, so it's starting slowly with a gradual roll out across the US only. The organization says Firefox will disable encrypted DNS if it conflicts with parental controls. The feature will also be disabled by default in enterprise configurations. Firefox's encrypted DNS will use Cloudflare by default, though users can switch to other encrypted DNS providers manually in their browser settings. Those curious about the particulars can dig through Mozilla's FAQ here.

Filed Under: browsers, dns, dns-over-https, encryption, firefox, privacy, snooping
Companies: mozilla

Stalkerware Developer Found Leaking Sensitive Data From Thousands Of The Software's Victims

from the it-all-starts-with-not-giving-a-fuck-about-anyone dept

Oh, if only this were more of a surprise. Another vendor selling sketchy spyware has been discovered to be careless with its handling of all the sensitive communications and data it pulls from victims' cell phones. (via Databreaches.net)

The company doing all the leaking is ClevGuard, which I guess is short for "clever." It apparently isn't. Its phone-snooping app, KidsGuard, is supposed to allow parents to monitor their children's cell phone usage. Obviously, there are other applications for it, like monitoring the activity of spouses, ex-spouses, girlfriends/boyfriends of the current and ex- variety, employees, dissidents, journalists… just about anyone someone else wants to spy on.

The name isn't deliberately misleading but the app disguises itself as a system update app, allowing it to hide in plain sight, untroubled by surveillance targets. The company even advertises the app's flexibility as going beyond monitoring kids to spying on other adults.

Zach Whittaker has the details on the leaky app for TechCrunch:

TechCrunch obtained a copy of the Android app from Till Kottmann, a developer who reverse-engineers apps to understand how they work.

Kottmann found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket — which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake made — often caused by human error — nor was it protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottmann’s findings.

The app -- in its full paid form -- is pervasive. In addition to hoovering up contacts, photos, SMS message content, and location data, it provides a wealth of information about conversations occurring in WhatsApp, Viber, and Facebook Messenger. It also compromises more secure services like Snapchat and Signal by taking snapshots of conversations and relaying them to the company's servers.

The company has since shut down access to the leaky Alibaba cloud storage bucket, but the damage may already have been done. And it's just more evidence that companies selling malicious stalkerware care very little about the security of their customers… and even less about the security of their software's victims.

Filed Under: data breach, kidsguard, parents, snooping
Companies: clevguard

The FBI Says Your TV Is Probably Spying On You

from the watching-you-watching-me dept

Like most of the infamous "internet of things," (IOT) smart TVs are a security and privacy dumpster fire. Numerous set vendors have already been caught hoovering up private conversations or transmitting private user data unencrypted to the cloud. One study in 2017 surmised that around 90% of smart televisions can be hacked remotely, something intelligence agencies, private contractors and other hackers are clearly eager to take full advantage of.

This week, the FBI, that bastion of sage privacy and security advice, issued a blog post out of its Portland field office warning cyber Monday shoppers that their smart TV is a little too smart, and likely watches you as much as you watch it. The post is filled with some handy tips to help you protect your privacy:

"Know exactly what features your TV has and how to control those features. Do a basic Internet search with your model number and the words “microphone,” “camera,” and “privacy.”

Don’t depend on the default security settings. Change passwords if you can – and know how to turn off the microphones, cameras, and collection of personal information if possible. If you can’t turn them off, consider whether you are willing to take the risk of buying that model or using that service.

If you can’t turn off a camera but want to, a simple piece of black tape over the camera eye is a back-to-basics option.

Check the manufacturer’s ability to update your device with security patches. Can they do this? Have they done it in the past?

Check the privacy policy for the TV manufacturer and the streaming services you use. Confirm what data they collect, how they store that data, and what they do with it."

Granted such tips don't really do much to fix a broken sector where privacy and security remains an afterthought. A Consumer Reports study from last year found that things aren't really improving in the space. Government hasn't done much to pass any meaningful privacy law for the internet era. Gadget obsessed consumers are historically oblivious or apathetic to the problem. And product makers are too busy worrying about margins and the next big product launch to spend money to upgrade past sets or improve their privacy and security practices (at least not until there's another major scandal).

And if you've shopped for a TV recently, you may have noticed that it's largely impossible to just buy a "dumb" TV set without all of the "smart" internals. More specifically, most TV vendors don't want to sell you a bare-bones set because they want you to use their streaming services. Even more specifically, they want you to buy their sets with their specific streaming functionality because they want to spy on you and monetize your usage data.

So yeah, the FBI's tips are great and all, but they don't really get to the root of the market dysfunction that's plaguing the IOT space. There are plenty of fractured entities trying to help (like Consumer Reports' efforts to integrate an open source privacy and security standard in hardware reviews, or efforts at Princeton to make it clear what devices are actually doing on the network), but in terms of any kind of cohesive solution to the problem, there's little to nothing on the horizon.

Filed Under: fbi, privacy, smart tv, snooping, spying

DOJ Boss Joins UK, Australian Gov't In Asking Facebook To Ditch Its End-To-End Encryption Plan

from the [stacks-exploited-bodies-higher]-MR-FACEBOOK-PLEASE dept

The DOJ seems to be handling its anti-encryption (a.k.a. "going dark") grief badly. I doubt it will ever reach "acceptance," but it is accelerating through the rest of the stages with alarming speed.

It went through shock first, personified by former FBI director Jim Comey, who insisted tech companies were offering encryption to:

A. Give the feds the middle finger
B. Enable all sorts of dangerous criminals
C. To act like children in a roomful of adults

"Denial" seems to have been bypassed completely. Instead, Comey (and others) repeated the "shock" stage, banging the table louder and louder in hopes of convincing everyone they were right.

They weren't right and encryption deployments continued.

The FBI and DOJ shifted quickly to anger. This was first displayed during the legal fight over the San Bernardino shooter's iPhone. The DOJ insisted a law nearly 230 years old gave it permission to force Apple to break encryption. Apple disagreed. The court disagreed. The FBI insisted this would be the death of us all and ignored outside offers to crack the phone while pursuing precedent it would never obtain.

The phone was eventually cracked by a third party and the FBI moved on, still clinging to its "going dark" narrative, even as vendor after vendor stepped up to provide phone-cracking tools. It also overstated the number of "uncrackable" devices in its possession by at least 6,000 devices. It has been nearly 17 months since the FBI promised to correct this count. It still has yet to provide an updated number.

The DOJ's new boss is carrying the (apparently unlit) torch for the FBI. He has demonized both end-to-end encryption and citizens who don't believe cops are blameless white knights standing between us and the collapse of civilization.

Now, he's moving the feds on to the next stage of grief: bargaining. A letter sent to Facebook -- sporting Barr's signature, along with other stalwart encryption foes like UK Home Dept. head Priti Patel and Australian MP Peter Dutton -- begs Facebook to please please please stop adding encryption to its services.

BuzzFeed obtained a draft report of the letter, which appears to be the charm offensive preceding the new US-UK data sharing agreement that targets encrypted communications. The letter contains some loaded language about child porn and its victims, suggesting Barr isn't done leaning on victimized children to advance his anti-encryption efforts. Hey, it didn't work for Comey, but maybe Bill Barr will get the horrific crime he needs to turn the public against their own best interests.

Here are some excerpts from the letter, as first published by BuzzFeed.

Dear Mr. Zuckerberg,

OPEN LETTER: FACEBOOK’S “PRIVACY FIRST” PROPOSALS

We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.

So, this is a request for a backdoor. (But one no government agency will refer to as a "backdoor.") "Lawful access" is law enforcement slang for "backdoor," kind of like "officer-involved shooting" is slang for "homicide" and "detected the odor of marijuana" is slang for "Fourth Amendment violation."

Barr (and his anti-encryption warriors) then attempt to call Zuck's bluff... um... I guess??

In your post of 6 March 2019, “A Privacy-Focused Vision for Social Networking,” you acknowledged that “there are real safety concerns to address before we can implement end-to-end encryption across all our messaging services.” You stated that “we have a responsibility to work with law enforcement and to help prevent” the use of Facebook for things like child sexual exploitation, terrorism, and extortion. We welcome this commitment to consultation. As you know, our governments have engaged with Facebook on this issue, and some of us have written to you to express our views. Unfortunately, Facebook has not committed to address our serious concerns about the impact its proposals could have on protecting our most vulnerable citizens.

And there it is. "Our most vulnerable citizens." Apparently that demographic group doesn't contain Facebook users. Facebook users will be fine, I guess, even if any number of malicious hackers/governments want access to communications no one on Facebook actually wants to share with them. "For the children" is the game here, and Barr forges forward with contradictory statements and terrible logic.

We support strong encryption, which is used by billions of people every day for services such as banking, commerce, and communications.

(But, pointedly, not Facebook communications.)

We also respect promises made by technology companies to protect users’ data. Law abiding citizens have a legitimate expectation that their privacy will be protected.

(Except from us.)

However, as your March blog post recognized, we must ensure that technology companies protect their users and others affected by their users’ online activities. Security enhancements to the virtual world should not make us more vulnerable in the physical world. We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity. Not doing so hinders our law enforcement agencies’ ability to stop criminals and abusers in their tracks.

Ah, the famous tradeoff government officials always pitch, but one that isn't actually the tradeoff being made. It's not privacy vs. the security of the nation as a whole. It's personal security vs. government access that also grants access to criminals and state-sponsored hackers.

What people want is security. They're aren't really interested in trading security for government access. That does nothing for them. The government may solve a few more crimes, but the government was solving crimes long before cellphones, social media platforms, and end-to-end encryption.

Now, multiple governments feel they can't solve crimes without on-demand access to people's communications -- something they have never had in the history of crime-solving and communications. But here we are, listening to Barr and his buddies make a pitch for encryption backdoors while standing on the backs of child porn victims.

Barr makes this pitch while acknowledging that Facebook probably does far more than all US and UK law enforcement agencies combined to combat child porn.

Facebook currently undertakes significant work to identify and tackle the most serious illegal content and activity by enforcing your community standards. In 2018, Facebook made 16.8 million reports to the US National Center for Missing & Exploited Children (NCMEC) – more than 90% of the 18.4 million total reports that year. As well as child abuse imagery, these referrals include more than 8,000 reports related to attempts by offenders to meet children online and groom or entice them into sharing indecent imagery or meeting in real life. The UK National Crime Agency (NCA) estimates that, last year, NCMEC reporting from Facebook will have resulted in more than 2,500 arrests by UK law enforcement and almost 3,000 children safeguarded in the UK.

And yet, Barr wants to complain. Barr and his UK/Aussie counterparts want to claim this isn't enough. What's really needed is insecure communications on a platform used by billions. And to make this claim, Barr again points to something Facebook does as evidence that Facebook isn't doing enough.

While these statistics are remarkable, mere numbers cannot capture the significance of the harm to children. To take one example, Facebook sent a priority report to NCMEC, having identified a child who had sent self-produced child sexual abuse material to an adult male. Facebook located multiple chats between the two that indicated historical and ongoing sexual abuse. When investigators were able to locate and interview the child, she reported that the adult had sexually abused her hundreds of times over the course of four years, starting when she was 11. He also regularly demanded that she send him sexually explicit imagery of herself. The offender, who had held a position of trust with the child, was sentenced to 18 years in prison. Without the information from Facebook, abuse of this girl might be continuing to this day.

Here's what Barr thinks will happen if Facebook deploys end-to-end encryption. Facebook will no longer be able to "read" messages sent between users, which will result in an increase in abused children that authorities will be powerless to help.

Our understanding is that much of this activity, which is critical to protecting children and fighting terrorism, will no longer be possible if Facebook implements its proposals as planned. NCMEC estimates that 70% of Facebook’s reporting – 12 million reports globally – would be lost. This would significantly increase the risk of child sexual exploitation or other serious harms. You have said yourself that “we face an inherent tradeoff because we will never find all of the potential harm we do today when our security systems can see the messages themselves”. While this tradeoff has not been quantified, we are very concerned that the right balance is not being struck, which would make your platform an unsafe space, including for children.

"For children." That's the leverage. Barr wants Facebook to abandon its encryption plans to save children. Sure, that's admirable, if you're willing to overlook the considerable downside of creating a backdoor for governments or simply removing the encryption offer altogether. Facebook's encryption plans offer a whole new layer of security for lawful users -- some of which are targeted by authoritarian/corrupt governments. Many governments around the world pose as much of a threat to their citizens as criminals do. And a great many people believe their communications should be private, which means not being read/scanned by Facebook, much less any government that happens to stroll by waving some paperwork.

All Barr wants is for Facebook to abandon its encryption plans. He wants Facebook to be able to access the content of its users' messages. He wants every government in the world to be able to access the content of users' messages. He may only be aligned with three-fifths of the Five Eyes in this letter, but ensuring US/UK/Australian "lawful access" means giving every other two-bit dictatorship the same level of access to users' communications.

This isn't standard government bullshit. This is heinous, dangerous bullshit. This is a conglomerate of Western governments, on the eve of the deployment of a mysterious "data-sharing" agreement, portraying the implementation of encryption for communications as aiding and abetting the sexual abuse of children. This is a not-very-subtle smearing of every tech company that deploys encryption to protect its users from criminals and governments that behave like criminals. This is the abuse of the phrase "lawful access" to portray the possession of a warrant as a golden ticket to everything law enforcement wishes to obtain.

To be historically clear, a warrant has NEVER guaranteed access to communications. It has only allowed law enforcement to search for them. The implementation of encryption doesn't change this equation. But Barr and others keep pushing this in hopes of persuading the public -- and the tech companies they patronize -- that secret communications are something new and far more dangerous than anything law enforcement has ever encountered prior to the rise of social media and smartphones.

Filed Under: doj, encryption, mark zuckerberg, messenger, peter dutton, priti patel, privacy, security, snooping, william barr
Companies: facebook, instagram, whatsapp

Telcos And Rupert Murdoch Pushing Nonsense Story That Google Helping Keep Your Internet Activity More Private Is An Antitrust Violation

from the oh-really-now? dept

There are all sorts of reasons and ways to hate on big internet companies these days, but as we've warned, some of them are in conflict with one another -- though that doesn't seem to stop those who keep pushing the narrative forward from blindly repeating them anyway. The latest is a positively bonkers article in the Wall Street Journal arguing that Google's (somewhat middle of the road) support for DNS over HTTPS (DoH) is potentially an antitrust violation worthy of Congressional action.

This is (1) utter nonsense and (2) driven by telcos looking to undermine consumer privacy. So if you're a pro-privacy Google hater, you might want to at least reconsider supporting this particular line of attack. If you are unaware, under the current DNS system, you still leak some key metadata every time you visit a site to your DNS provider (which is usually, but not always, your broadband/internet access provider). It used to be that those providers could collect even more, page-level, information, but that is less and less true as more and more of the web itself is encrypted with HTTPS. DoH is an attempt to encrypt the last bit of info that leaks when you surf -- the metadata about the top level domains you are visiting. Mozilla has been strongly pushing support for DoH, and will plan to move most public Firefox users to DoH in the relatively near future. Google, on the other hand, is supportive of the standard, but has shown no inclination to adopt it nearly as widely as Mozilla.

Either way, done correctly, DoH protects your privacy and stops the fairly large metadata loophole that has allowed DNS providers (generally your telco/broadband provider) from being able to snoop on everywhere you surf. There are some reasonable concerns that if browsers automatically force users to use specific DNS resolvers for DoH that it could, potentially, lead to more control/centralization of both those servers, but as EFF points out in the link above, that's mitigated by more ISPs simply adopting DoH themselves.

The problem, of course, is that the biggest telcos, such as AT&T, Verizon, and Comcast don't want to stop spying on you and all of your internet habits. And, so, rather than adopting DoH, they're trying to undermine DoH entirely by pretending that Google's lukewarm interest in supporting DoH is, itself, an antitrust violation. What's kind of incredible, however, is just how open they are about this plan, and that's it's entirely about preventing the big broadband providers from spying on your traffic:

“Because the majority of world-wide internet traffic…runs through the Chrome browser or the Android operating system, Google could become the overwhelmingly predominant DNS lookup provider,” a coalition of internet service providers said in a Sept. 19 letter to lawmakers. “Google would acquire greater control over user data across networks and devices around the world. This could inhibit competitors and possibly foreclose competition in advertising and other industries.”

They urged lawmakers to call on Google not to impose the new standard as a default standard in Chrome and Android.

Google, for it's part, reiterated (as it has in the past) that it has no plans to force users into using its own DNS offerings. While the Wall Street Journal report at least quotes some pushback on this claim, it still seems to present this mostly as a credible antitrust concern, when the reality is that it's clearly an attempt by big broadband players to play an antitrust card to (1) attack Google and (2) to prevent Google from helping consumers better protect their own internet privacy.

There are, of course, plenty of legitimate concerns that people have about Google's own privacy practices. But pushing people towards DoH is a good thing. A few months back we saw UK ISPs laughably attack Mozilla's plans to support DoH by calling the company an "internet villain" claiming that better protecting your privacy would undermine "internet safety standards." To be clear: this is nonsense. What they mean is, like with other forms of encryption, it might make a very tiny number of criminals marginally harder to track down. But, on the flip side, it will massively protect everyone else's privacy from overly snoop happy broadband providers.

We've noted for a while how hypocritical it is for people to focus on "antitrust" and "privacy" claims about the big internet companies, while ignoring the much larger problems on both fronts regarding broadband companies. Similarly, we've talked about how many of the attacks on "big tech" are quietly driven by the big broadband players quietly fanning the flames. But this story combines all of that. It's the big broadband players/telcos pushing a totally bogus monopoly story against Google (which makes no sense at all if you understand the details, and which wouldn't even be a potential monopoly concern at all if those very same broadband companies adopted DoH themselves), in order to stop Google from better protecting your privacy -- so that the broadband providers can better snoop on you.

And, a side note: Rupert Mudoch's Wall Street Journal has been one of the worst in pushing these misleading anti-Google/Facebook stories over the last few months, which is, again, no surprise at all, as it's been revealed before that Murdoch has been eager to attack Google and Facebook and has no problem using the Wall Street Journal to do so. While this story at least includes some balance, the entire narrative arc of it seems to follow the telcos talking points -- and it's notable that while it briefly quotes a section of the telcos letter to Congress, it fails to post the entire letter. I wonder why...

Either way, this kind of thing undermines any serious discussion of either privacy or competition online, by mixing up and conflating an attempt to better protect privacy, and pretending it's an antitrust violation.

Filed Under: antitrust, competition, dns over https, doh, privacy, rupert murdoch, snooping, telcos
Companies: google, mozilla

Facebook Finally Shuts Down Its Snooping, Bullshit 'VPN' After A Full Year Of Complaints

from the with-friends-like-these dept

Just about a year ago we noted how Facebook was taking some heat on the security and privacy fronts for pitching a "privacy protecting" VPN to consumers that actually violated consumer privacy. Based on the Onavo platform acquired by Facebook back in 2013, the company's "Onavo Protect – VPN Security" app informed users that the product would "keep you and your data safe when you browse and share information on the web" and that the "app helps keep your details secure when you login to websites or enter personal information such as bank accounts and credit card numbers."

It didn't take long before many began to notice those claims weren't, well, true.

A wide variety of different news outlets were quick to point out that Facebook was actually using the "privacy" app to track users around the internet when they wandered away from Facebook, then using that data to its own competitive advantage:

"Interviews with more than a dozen people familiar with Facebook’s use of Onavo data show in detail how the social-media giant employs it to measure what people do on their phones beyond Facebook’s own suite of apps. That information shapes Facebook’s product and acquisition strategy—furthering its already formidable competitive edge, the people said."

By August, complaints had heated up enough that Apple announced it would be pulling the service from its app store for misleading its customers and violating the app store policies. Even then, Facebook continued to market and push the VPN as a privacy tool while undermining the whole point of said privacy tool. That continued well into this year until TechCrunch released a story noting that Facebook has also been paying kids to install a “Facebook Research VPN," very similar to the Onavo "VPN," the entire function of which was to sidestep app store bans and continue hoovering up data.

That story, understandably, finally appeared to drive a stake into the heart of Facebook's efforts, as many wondered if the participating kids were actually capable of giving their consent for the project. As such it's now a full year later, and as Facebook faces a wave of endless scandals of its own making, it appears to have finally gotten the message and will be shutting these dubious VPN efforts down:

"With the suspicions about tech giants and looming regulation leading to more intense scrutiny of privacy practices, Facebook has decided that giving users a utility like a VPN in exchange for quietly examining their app usage and mobile browsing data isn’t a wise strategy. Instead, it will focus on paid programs where users explicitly understand what privacy they’re giving up for direct financial compensation."

For one, notice how conventional tech "wisdom" didn't really give a shit that Facebook was misleading users until kids were involved, which speaks pretty loudly to our collective privacy apathy. Two, that it took Facebook a full year to realize this was the correct path forward is astonishing. This is a company that's been facing calls for privacy regulation in the wake of nearly a year of almost weekly scandals, yet just kept stumbling forward on the same path. It's another example that Facebook's biggest problem isn't a mean press (as some Facebook insiders have allegedly declared), it's Facebook's executive "leadership."

Filed Under: misleading, onavo, privacy, snooping, vpn
Companies: facebook

Indian Police Adding Pre-Crime Software To Their Long List Of Snooping Tools

from the mind-your-associations dept

Lots of tech is being deployed by law enforcement around the world -- often far in advance of thorough testing, privacy impact assessments, or public input. Biometric scanning, facial recognition software, cell site simulators, social media monitoring tools, and, of course, "predictive policing."

The last one on the list brings together a bunch of data and tells cops where to go to stop crime before it happens. Pre-crime is no longer relegated to sci-fi movies providing chilling glimpses of a totalitarian future. It's here now and it's converting certain neighborhoods into instant probable cause.

The Chicago PD is only one of several agencies using the software to generate "heat lists" of citizens in need of arresting. There may be no criminal activity occurring when patrols begin, but the algos say it's inevitable, so off the cops go to round up people who may be likely to commit crimes.

India is starting to dip its toes into the pre-crime waters. A new program introduced in Maharashtra will dovetail with the local government's cybersecurity plans, possibly converting the second-largest state into India's leading surveillance state.

The work of enhancing and bolstering cyber security in Maharashtra, started in 2015, is based on five major projects, including developing software to help police department prevent untoward incidents or crimes at specific place and time. The software would work on technologies like Artificial Intelligence and Big Data Analytics, empowered by exhaustive database of crimes and criminal activities, which is now being fed into the system.

SP Cyber, Maharashtra, Balsingh Rajput, who is implementing the state’s elaborate plan to strengthen the IT wing of state police under Special IG Brijesh Singh, said the ‘Predictive policing software’ would use available data sets of police, and open source information available over the internet, to give outputs regarding a probable crime. “Points for location and type of event and probable gang could also be derived well before time using the software,” he said.

The pre-crime software will roll out along with other tools of the tech-law trade. Portable phone forensic devices will be handed out to officers for use in cracking locked cellphones and scraping their contents. New software will allow the police to scan through hours of footage obtained from cameras and drones in a matter of minutes.

This will all be applied on top of India's nationwide surveillance of communications via its "Central Monitoring System."The national government has no qualms about participating in domestic surveillance. That attitude has carried over to the local level, ensuring round-the-clock monitoring of citizens' daily activities in Maharashtra.

Filed Under: india, law enforcement, pre-crime, predictive policing, snooping

Adobe's Half-Assed Response To Spying On All Your eBooks

from the that's-not-gonna-do-it dept

Yesterday, we mentioned the reports kicked off by Nate Hoffelder's research that Adobe was spying on your ebook reading efforts and (even worse) sending the details as unencrypted plaintext. Adobe took its sweet time, but finally responded late last night (obnoxiously, Adobe refused to respond directly to Hoffelder at all, despite the fact that he broke the story). Here's Adobe's mealy-mouthed response that was clearly worked over by a (poorly trained) crisis PR team:

Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers. Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy.

Some of the research into what's going on contradicts the claims of it only looking at books "currently being read," but even if that's true, it doesn't make the snooping any less disturbing. And while it may be true that Adobe has not violated its privacy policy (though, that's arguable), it really just highlights the stupidity of the concept of privacy policies. As we've noted in the past, the only way you get in trouble on privacy is if you violate your own privacy policy. And thus, the incentives are to write a policy that says "we collect absolutely everything, and do whatever we want with it, nyah, nyah, nyah," because that way you won't ever violate it. Since no one reads the policy anyway, and most people assume having a "policy" means protecting privacy (even if it says the opposite), privacy policies (and laws that require them) are often counterproductive. This situation appears to be a perfect example of that in action.

Either way, the response is tone deaf in the extreme. Even if it's "in line" with the privacy policy, does that make it right or acceptable? Adobe makes no effort to respond to the concerns about this snooping on reading habits -- which can be quite revealing. It makes no effort to respond to the serious problems of sending this info in plaintext, creating a massive security hole for private information.

While Adobe has told some that it is working on an update to "address" the issue of transmitting the data in plaintext, it's a bit late in the process to be recognizing that's an issue. The Ars Technica article notes that this may, in fact, violate New Jersey's Reader Privacy Act. EFF wonders about the similar California Reader Privacy Act and whether or not Adobe's efforts here completely undermine that law.

Since Adobe's Digital Editions are commonly used by libraries (my local library uses it, which I've used to take out ebooks), it really raises some serious questions for those libraries. Librarians have a history of strongly standing up for the protection of reader privacy. In fact, for all the talk we've had recently about Section 215 of the PATRIOT Act and how the NSA abuses it, when it was first passed, the people who protested the loudest were the librarians, who feared that it would be used to collect records on what books people were reading! Some people even referred to it as the "library records" provision (even though it was eventually twisted into much more).

And yet, here we are, a decade or so later, and Adobe has completely undermined this kind of trust and privacy which libraries pride themselves on. And, even worse, it's all in the name of some crappy DRM that publishers demand. Librarians and readers should be up in arms over this, and looking for alternatives. Adobe should stop with the bullshit crisis PR response and admit that they screwed up and that the product needs to change to better protect the privacy of individuals and their reading habits.

Filed Under: copyright, digital reader, drm, ebooks, encryption, libraries, privacy, snooping
Companies: adobe

UK Police Abuse Of Anti-Terrorist Snooping Powers To Reveal Journalists' Sources Leads To Widespread Calls For Reform

from the and-they-want-even-more-surveillance-powers??? dept

Last month, we wrote about how the UK police used powers brought in to tackle terrorism and serious crime to snoop on a journalist's phone records in order to reveal his source. Last week, we learned that this was not a one-off: journalists at the UK's Mail on Sunday newspaper were also spied on using the same anti-terrorism law:

Police used anti-terrorism powers to secretly spy on The Mail on Sunday after shamed Cabinet Minister Chris Huhne falsely accused journalists of conspiring to bring him down.

Detectives sidestepped a judge’s agreement to protect the source for our stories exposing how Huhne illegally conspired to have his speeding points put on to his wife's licence. Instead they used far-reaching powers under the controversial Regulation of Investigatory Powers Act (RIPA) -- originally intended to safeguard national security -- to hack MoS phone records and identify the source.

They trawled through thousands of confidential numbers called by journalists from a landline at the busy newsdesk going back an entire year, covering hundreds of stories unrelated to the Huhne case.

These two cases have finally set the alarm bells ringing in the UK. The newspaper affected in the first case has written to the Investigatory Powers Tribunal about the incident:

The Sun has made an official complaint about the Metropolitan police's use of anti-terror laws to snoop on its political editor's phone calls.

It has written to the Investigatory Powers Tribunal to seek a public review of the Met’s use of the Regulation of Investigatory Powers Act to obtain Tom Newton Dunn's phone records.

That's unlikely to have much effect, but a move by Keith Vaz, chair of the powerful home affairs select committee in the UK Parliament, may do:

Every police force in the UK is to be asked by a parliamentary committee to reveal how many times they have secretly snooped on journalists by obtaining their telephone and email records without their consent.

Keith Vaz, chairman of the home affairs select committee, said he wanted a detailed breakdown of police use of the Regulation of Investigatory Powers Act (Ripa) to force telecoms companies to hand over phone records without customers' knowledge.

Indeed, things have become so serious that even the Interception of Communications Commissioner, who oversees this area, is launching his own inquiry (pdf) - but not a public one, which is what The Sun newspaper has requested:

Today I have written to all Chief Constables and directed them under Section 58(1) of RIPA to provide me with full details of all investigations that have used Part I Chapter 2 RIPA powers to acquire communications data to identify journalistic sources. My office will undertake a full inquiry into these matters and report our findings to the Prime Minister and publically so as to develop clarity in relation to the scope and compliance of this activity.

This double-pronged attack should force the UK's top police officers to own up to what they have been doing secretly with RIPA. If it turns out that its powers have been routinely abused, the pressure for reforming the outdated RIPA will be greatly increased. Already, the Liberal Democrats, the junior partner in the UK's coalition government, have called for changes to RIPA that would protect journalists and whistleblowers from state snooping, while Keith Vaz wishes to go even further, as the Guardian reports:

Vaz said Ripa was not fit for purpose and needed "total refurbishment". He said: "It is important that the public and parliamentarians get statistics on the number of times it is being used and how it is being used without journalists having to submit freedom of information requests. All kinds of mistake are being made. Anecdotally we've heard of local authorities using it to check people's addresses when parents make applications for schools."

It's rather rich that at precisely the moment we find out how the UK police have been abusing RIPA's anti-terrorism surveillance capabilities to investigate minor offenses, the head of the UK's National Crime Agency has the gall to ask for even more powers.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: anti-terror, journalists, ripa, snooping, surveillance, uk

Another Case Against GCHQ Filed At The European Court Of Human Rights; Could Overturn UK's Main Snooping Law

from the pressure-keeps-building dept

Just last week we wrote about the growing number of legal challenges to GCHQ spying. Now here's another one, from The Bureau of Investigative Journalism, which is concerned about how blanket surveillance threatens the workings of a free press:

The Bureau of Investigative Journalism is asking a European court to rule on whether UK legislation properly protects journalists' sources and communications from government scrutiny and mass surveillance.

That's an issue because GCHQ's approach of routinely collecting all communications for detailed analysis inevitably means that some data involving journalists will be swept up. As the lawyer Gavin Millar explains:

No one knows anything about what GCHQ does with the journalistic information it pulls in. This is because, startlingly, neither the legislation nor government guidance about its use says anything at all about this.

But it is inevitable that some of GCHQ's minute analysis of the data will be giving it selective access to confidential journalistic material and identifying sources. There is already much evidence that law enforcement agencies increasingly seek to access such information for their own purposes. It is an easy way of advancing their investigations. It can help to identify and deal with embarrassing whistleblowers and can forewarn of awkward stories in the offing. The same is true for the security and intelligence agencies.

Fortunately, Articles 8 and 10 of the European Convention on Human Rights give strong protection to the right to privacy and to freedom of expression. As Millar explains, in earlier judgments the European Court of Human Rights (ECHR) has made it clear that:

this Article 10 right can only be overridden by an order of a judge. And the journalist must first have the opportunity to argue before the court that there is no competing public interest which makes such an order necessary. The law under the Convention is quite clear. Covert state surveillance and accessing of journalistic information cannot be used to circumvent these important rights.

Other journalistic information and activity can only be the subject of such covert surveillance in certain circumstances. Most importantly it must be carried out under laws which are clear, accessible and foreseeable in their effects. These laws must give journalists an adequate indication of how these discretionary surveillance powers might be used against them. They also have to provide protection against arbitrary or disproportionate surveillance measures.

However, the UK law that governs this area, the Regulation of Investigatory Powers Act 2000 (RIPA), is outdated, and does not comply with those rules, Millar believes. So this latest attack on GCHQ's mass surveillance is not just an empty gesture to express annoyance: if the ECHR rules in favor of The Bureau of Investigative Journalism, the British government will be required to review the regulations around the mass collection of communications data -- to update the anachronistic RIPA, in other words.

The good news is that the ECHR has already indicated that it will accept this new case. That offers the hope that the court may be preparing to put it in the fast track along with a similar one that calls into question the UK's compliance with Article 8 of the European Convention on Human Rights. Even if the pace of Snowden's revelations has slowed somewhat in recent months, the impact of earlier leaks continues to grow.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: eu court of human rights, gchq, human rights, investigative journalism, journalism, privacy, snooping, surveillance
Companies: the bureau of investigative journalism