Privacy

We Need To Prepare for the Future of War, NSA Official Says

Your rights online - Tue, 09/10/2019 - 12:10
Glenn S. Gerstell, the general counsel of the National Security Agency, writing at The New York Times: The threats of cyberattack and hypersonic missiles are two examples of easily foreseeable challenges to our national security posed by rapidly developing technology. It is by no means certain that we will be able to cope with those two threats, let alone the even more complicated and unknown challenges presented by the general onrush of technology -- the digital revolution or so-called Fourth Industrial Revolution -- that will be our future for the next few decades. The digital revolution has urgent and profound implications for our federal national security agencies. It is almost impossible to overstate the challenges. If anything, we run the risk of thinking too conventionally about the future. The short period of time our nation has to prepare for the effects of this revolution is already upon us, and it could not come at a more perilous and complicated time for the National Security Agency, Central Intelligence Agency, National Geospatial-Intelligence Agency, Defense Intelligence Agency, Federal Bureau of Investigation and the other components of the intelligence community. Gearing up to deal with those new adversaries, which do not necessarily present merely conventional military threats, is itself a daunting challenge and one that must be undertaken immediately and for at least the next decade or two. But that is precisely when we must put in place a new foundation for dealing with the even more profound and enduring implications of the digital revolution. That revolution will sweep through all aspects of our society so powerfully that our only chance of effectively grappling with its consequences will lie in taking bold steps in the relatively near term. In short, our attention must turn to a far more complex set of threats of multiple dimensions enabled by the digital revolution. 
While the potential consequences are less catastrophic than nuclear war, they are nonetheless deeply threatening in a range of ways we will have trouble countering.

Read more of this story at Slashdot.

Categories: Privacy

Mozilla Launches VPN as Part of Resurrected Firefox Test Pilot Program

Your rights online - Tue, 09/10/2019 - 11:30
Mozilla is resurrecting its recently expunged Test Pilot program with a renewed focus on privacy-focused tools and products. The Firefox developer today lifted the lid on the first product to emerge from the new Test Pilot, and it appears to be something akin to a virtual private network (VPN) in all but name. From a report: Firefox Private Network, as the new tool is called, is available in beta today for logged-in Firefox desktop users in the U.S. only, and is accessible through a browser extension. By way of a quick recap, Mozilla debuted Firefox Test Pilot a decade ago but then relaunched it back in 2016. Test Pilot went on to attain an average of 100,000 daily users, each looking to test Mozilla's latest developments -- including a price-tracking feature for online shoppers, content recommendations based on browsing activity, and more. Some of these became full-fledged features within Firefox and others did not, but back in January Mozilla announced it was killing its Test Pilot program altogether. This came as something of a surprise given Mozilla's own statements about the success of the program. At the time, Mozilla said it was "evolving" its approach to experimentation and suggested it was looking to ideate more widely across the company. Fast-forward nine months, and Firefox Test Pilot is back for a third time.

Read more of this story at Slashdot.

Categories: Privacy

US Charges Chinese Professor With Fraud For Allegedly Taking Tech From a California Company To Benefit Huawei

Your rights online - Tue, 09/10/2019 - 06:00
U.S. prosecutors have charged a Chinese professor with fraud for allegedly taking technology from a California company to benefit Huawei, in another shot at the embattled Chinese telecommunications equipment maker. From the report: Bo Mao was arrested in Texas on Aug. 14 and released six days later on $100,000 bond after he consented to proceed with the case in New York, according to court documents. According to the criminal complaint, Mao entered into an agreement with the unnamed California tech company to obtain its circuit board, claiming it was for academic research. The complaint, however, accuses an unidentified Chinese telecommunications conglomerate, which sources say is Huawei, of trying to steal the technology, and alleges Mao played a role in its alleged scheme. A court document also indicates the case is related to Huawei. Although Huawei has not been charged, the company said it views the case against Mao as the U.S. government's latest instance of "selective prosecution."

Read more of this story at Slashdot.

Categories: Privacy

NYC Mayor and Presidential Hopeful Bill De Blasio Wants a Tax On Robots

Your rights online - Mon, 09/09/2019 - 19:30
In an opinion article published last week on Wired, New York City Mayor and 2020 Democratic presidential candidate Bill de Blasio said as president he would issue a robot tax for corporations displacing humans and would create a federal agency to oversee automation. CNET reports: "The scale of automation in our economy is increasing far faster than most people realize, and its impact on working people in America and across the world, unless corralled, will be devastating," de Blasio wrote. De Blasio would call the new regulator the Federal Automation and Worker Protection Agency, which would safeguard jobs and communities. In addition, his proposed "robot tax" would be imposed on large companies that eliminate jobs as they become more automated. The tax would be equal to five years of payroll taxes for each employee eliminated, according to De Blasio.

Read more of this story at Slashdot.

Categories: Privacy

Web Scraping Doesn't Violate Anti-Hacking Law, Appeal Court Rules

Your rights online - Mon, 09/09/2019 - 18:10
An anonymous reader quotes a report from Ars Technica: Scraping a public website without the approval of the website's owner isn't a violation of the Computer Fraud and Abuse Act, an appeals court ruled on Monday. The ruling comes in a legal battle that pits Microsoft-owned LinkedIn against a small data-analytics company called hiQ Labs. HiQ scrapes data from the public profiles of LinkedIn users, then uses the data to help companies better understand their own workforces. After tolerating hiQ's scraping activities for several years, LinkedIn sent the company a cease-and-desist letter in 2017 demanding that hiQ stop harvesting data from LinkedIn profiles. Among other things, LinkedIn argued that hiQ was violating the Computer Fraud and Abuse Act, America's main anti-hacking law. This posed an existential threat to hiQ because the LinkedIn website is hiQ's main source of data about clients' employees. So hiQ sued LinkedIn, seeking not only a declaration that its scraping activities were not hacking but also an order banning LinkedIn from interfering. A trial court sided with hiQ in 2017. On Monday, the 9th Circuit Appeals Court agreed with the lower court, holding that the Computer Fraud and Abuse Act simply doesn't apply to information that's available to the general public. [...] By contrast, hiQ is only scraping information from public LinkedIn profiles. By definition, any member of the public has authorization to access this information. LinkedIn argued that it could selectively revoke that authorization using a cease-and-desist letter. But the 9th Circuit found this unpersuasive. Ignoring a cease-and-desist letter isn't analogous to hacking into a private computer system. "The CFAA was enacted to prevent intentional intrusion onto someone else's computer -- specifically computer hacking," a three-judge panel wrote. The court notes that members debating the law repeatedly drew analogies to physical crimes like breaking and entering. 
In the 9th Circuit's view, this implies that the CFAA only applies to information or computer systems that were private to start with -- something website owners typically signal with a password requirement. The court notes that when the CFAA was first enacted in the 1980s, it only applied to certain categories of computers that had military, financial, or other sensitive data. "None of the computers to which the CFAA initially applied were accessible to the general public," the court writes. "Affirmative authorization of some kind was presumptively required."

Read more of this story at Slashdot.

Categories: Privacy

New Chair of EFF’s Board of Directors: Renowned Legal Expert Pamela Samuelson

Deep Links - Mon, 09/09/2019 - 16:54

EFF is proud to announce the newest Chair of our Board of Directors, renowned legal expert Pamela Samuelson. Pam has served on EFF’s board for nearly 20 years, and her deep knowledge of digital copyright law, intellectual property, and information policy has made EFF a stronger organization.

Pam is a co-director of the Berkeley Center for Law and Technology—an internationally respected research center at the University of California, Berkeley, School of Law. Pam is also co-founder and chair of the board of the Authors Alliance, a non-profit group that promotes the public interest in access to knowledge. She has written and spoken extensively about the challenges that new information technologies pose for traditional legal regimes, as well as about privacy, the First Amendment, and other cyberlaw issues.

Pam’s scholarship complements the ongoing work at EFF, demonstrating why fair use and other exceptions and limitations are important to achieving copyright's constitutional goals, why the CASE Act bill to create a small claims board for adjudicating copyright cases is flawed, why the anti-circumvention rules outlawing reverse engineering of technical protection measures should be revised, and why courts should not extend copyright protections to application program interfaces. In addition to writing scholarly articles on these issues, she writes a regular column as a Contributing Editor of the ACM on legal and policy issues affecting computing professionals and frequently files amicus curiae briefs in important cases on behalf of intellectual property professors in cases such as the Oracle v Google case, review of which is pending before the Supreme Court. Pam’s influential work has brought honors from around the world, including a Women of Vision Award from the Anita Borg Institute and the IP3 award from Public Knowledge.

Pam succeeds former board chair Brian Behlendorf, who will now be the vice chair. We are very grateful for Brian’s time as leader of our Board of Directors, and are thrilled that he will continue to bring his technology expertise to our board. Thank you both Pam and Brian!

Categories: Privacy

Americans Deserve Their Day in Court About NSA Mass Surveillance Programs

Deep Links - Mon, 09/09/2019 - 13:45

EFF continues our fight to have the U.S. courts protect you from mass government surveillance. Today in our landmark Jewel v. NSA case, we filed our opening brief in the Ninth Circuit Court of Appeals, asserting that the courts don’t have to turn a blind eye to the government’s actions. Instead, the court must ensure justice for the millions of innocent Americans who have had their communications subjected to the NSA’s mass spying programs since 2001. Just this spring the Ninth Circuit Court of Appeals ruled in a case called Fazaga v. FBI that the state secrets privilege does not apply to cases challenging domestic electronic surveillance for national security. Instead such cases must go forward to the merits of whether the spying is illegal. Today we asked the appeals court to apply that same reasoning to Jewel v. NSA and reverse a judge’s order of dismissal so our clients, and the American people, can finally have their day in court.

We argue in our brief:

“For over a decade, plaintiffs have sought a determination of whether the government’s acknowledged mass surveillance of the Internet communications and telephone records of hundreds of millions of Americans violates the Constitution and federal statutory law. But the district court refused to do so, defying Congress’s express command that such claims be decided on the merits—a command recently confirmed by this Court.”

This appeal challenges two separate orders of the district court dismissing first our Fourth Amendment claims, and later our statutory claims. Both dismissals were based in substantial part on the district court’s belief that the legality of the spying could not be adjudicated, even under protective court procedures, without revealing to the Judge at least, secret information which the government claims would harm national security.

The district court dismissed our Fourth Amendment claims in February 2015, finding that Jewel and the other plaintiffs could not prove on the available public evidence that they had been caught up in the spying. And the district court dismissed our remaining statutory claims in April 2019, claiming that it would be impossible to analyze the legality of the mass spying without revealing state secrets, and ruling again that the plaintiffs could not prove they were spied on based on the public evidence.

As we argue, the district court’s decisions wrongly deny the American people a ruling on whether the spying programs are legal:

“The district court’s dismissal hands the keys to the courthouse to the Executive, making it impossible to bring any litigation challenging the legality of such surveillance without the Executive’s permission. It blinds the courts to what the Executive has admitted: the NSA has engaged in mass surveillance of domestic communications carried by the nation’s leading telecommunications companies, and this surveillance touches the communications and records of millions of innocent Americans.

“At stake are the statutory and constitutional bulwarks created to protect ‘the privacies of life’ from the prying eyes of an all-seeing government. Carpenter v. U.S., __ U.S. __, 138 S. Ct. 2206, 2214 (2018) (citation omitted). From the founding of the Republic, the Executive’s power to surveil has required robust constitutional and statutory limitations—including searching judicial review of the legality of surveillance—to ensure the privacy and freedom of all Americans.”

Our opening brief makes three main arguments:

  • First, the state secrets privilege cannot prevent consideration of whether the spying is legal because Congress created special secrecy procedures to enable courts to decide the legality of electronic communications surveillance. The district court was required to use those procedures (contained in section 1806(f) of FISA). Indeed, the Ninth Circuit ruled just this past February that the state secrets privilege does not apply in these types of cases. We urge the court’s panel of judges to apply the same rule here.
  • Second, even if the secret evidence is excluded, there is ample public evidence, including extensive government admissions, from which a judge could conclude that it is more probable than not that plaintiffs’ phone records were collected, that their Internet communications were intercepted and searched, and that metadata records of their Internet communications were collected. This is all that is needed to establish legal “standing” to bring the lawsuit; the trial judge must thus consider the legality of the spying programs.
  • Third, the Ninth Circuit should rule that the government’s interception of our clients’ Internet communications off of the Internet backbone without a warrant violated the Fourth Amendment.

Amicus briefs in support of our position will be filed next Friday and the government will file its responding brief in the weeks after that. After briefing is completed, the court will schedule a hearing, likely not for several months, with a decision thereafter.

This fight has been long and hard, and it’s likely to continue for some time. But stopping the modern-day version of the general warrants that the founders of the U.S. fought against is tremendously important. EFF is determined to ensure that the network we all increasingly rely on in our daily lives—for communicating with our families, working, participating in community and political activities, shopping, and browsing—is not also an instrument subjecting all of our actions to NSA mass surveillance.

Related Cases: Jewel v. NSA; First Unitarian Church of Los Angeles v. NSA; ACLU v. Clapper
Categories: Privacy

Purism Finally Starts Shipping Its Privacy-Focused 'Librem 5' Smartphone

Your rights online - Sun, 09/08/2019 - 18:34
"It's here! Purism announces shipment of the Librem 5," writes long-time Slashdot reader Ocean Consulting: Librem 5 is a landmark mobile device with a dedicated platform, runs PureOS Linux, and is the first mobile phone to seek hardware certification from the Free Software Foundation. Initially a crowd-sourced funding campaign, the phone embraces principles of free software and user privacy. IP-native communication is supported via Matrix. Privacy features include hardware kill switches for camera, microphone, cellular, Wi-Fi, Bluetooth and GPS. "The Librem 5 phone is built from the ground up to respect the privacy, security, and freedoms of society," reads the site's official announcement. "It is a revolutionary approach to solving the issues that people face today around data exploitation -- putting people in control of their own digital lives." They're adopting an "iterative" shipping schedule -- publishing a detailed schedule defining specific batches and their features with corresponding shipping dates. "Each iteration improves upon the prior in a rapid rolling release throughout the entire first version of the phone... As slots in a particular early batch free up, we will open it up for others in a later batch to join in, according to the date of the order."

Read more of this story at Slashdot.

Categories: Privacy

One of America's Biggest Markets for AI-Powered Security Cameras: Schools

Your rights online - Sun, 09/08/2019 - 13:34
New video analytics systems can "identify people, suspicious behavior and guns" in real-time, and the technology is being used by Fortune 500 companies, stadiums, retailers, and police departments, reports the Los Angeles Times. But schools are "among the most enthusiastic adopters," they note, citing an interview with Paul Hildreth, the "emergency operations coordinator" at an Atlanta school district: A year after an expelled student killed 17 people at Marjory Stoneman Douglas High School in Parkland, Florida, Broward County installed cameras from Avigilon of Canada throughout the district in February. Hildreth's Atlanta district will spend $16.5 million to put the cameras in its roughly 100 buildings in coming years. In Greeley, Colo., the school district has used Avigilon cameras for about five years, and the technology has advanced rapidly, said John Tait, security manager for Weld County School District 6... Schools are the largest market for video surveillance systems in the U.S., estimated at $450 million in 2018, according to IHS Markit, a London data and information services company. The overall market for real-time video analytics was estimated at $3.2 billion worldwide in 2018 -- and it's expected to grow to $9 billion by 2023, according to one estimate... Shannon Flounnory, executive director for safety and security for Fulton County Schools, said no privacy concerns have been heard there. "The events of Parkland kind of changed the game," he said. "We have not had any arguments or any pushback right now...." One company, Athena Security, has cameras that spot when someone has a weapon. And in a bid to help retailers, it recently expanded its capabilities to help identify big spenders when they visit a store... Both ZeroEyes and Athena Security in Austin, Texas, say their systems can detect weapons with more than 90% accuracy, but acknowledge their products haven't been tested in a real-life scenario.
And both systems are unable to detect weapons if they're covered -- a limitation the companies say they are working to overcome.

Read more of this story at Slashdot.

Categories: Privacy

YouTube's Fine Criticized As Proof US Government Is 'Not Serious' About Big Tech Crackdown

Your rights online - Sun, 09/08/2019 - 12:34
YouTube's $170 million fine for illegally collecting data on children "shows the US government is not serious about a Big Tech crackdown," argues an article at CNBC: The FTC's new settlement with YouTube over alleged violations of child privacy rules is just a fraction of the revenue its parent company generates in a single day. Shares of Google parent company Alphabet were up following news of the settlement, just like shares of Facebook after its record FTC fine. The action shows the U.S. government is not prepared for a Big Tech crackdown that will fundamentally alter the business. Momentum is building in Washington to crack down on Big Tech's most free-wheeling practices: the Department of Justice is conducting a broad review of tech companies in addition to a reported antitrust investigation of Google, and Facebook disclosed a new antitrust probe by the Federal Trade Commission in July. But the meager penalties imposed on these companies in recent years, when compared with their size, show the U.S. government is not yet prepared to take actions that will fundamentally alter the industry... Wednesday's announcement marks the third agreement the FTC has reached with Google since 2011, when it charged the company with using "deceptive" privacy practices at the launch of its now-defunct social network. In 2012, the agency hit Google with a $22.5 million penalty, its highest ever for a violation of a commission order at the time, over charges that it misrepresented its ad-targeting practices to consumers. But in 2019, Google appears none the worse for wear. Google's stock price has grown more than 260% since the time of its historic 2012 FTC penalty and the company's now worth more than $800 billion. Revenue and profits have both more than doubled.
The article also notes that "Despite the penalties and noise from politicians about cracking down, Facebook's stock is up more than 40% so far this year," arguing that "the agencies that have so far had the power to force Big Tech to make real changes have opted for more incremental adjustments." Long-time Slashdot reader AndrewFlagg has another suggestion: Stop the madness of fines. Just sentence the leadership to jail and prison time... Don't fine the companies. That just hurts the stockholders who really don't know what's going on in the board room...

Read more of this story at Slashdot.

Categories: Privacy

Firefox Will Soon Encrypt DNS Requests By Default

Your rights online - Sun, 09/08/2019 - 09:34
This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring. Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology. Users will be given the option to opt-out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic." "We feel confident that enabling DNS-over-HTTPS by default is the right next step."

Read more of this story at Slashdot.

Categories: Privacy

'It Shouldn't Be This Hard To Responsibly Fly a Drone'

Your rights online - Sun, 09/08/2019 - 06:34
The B4UFLY app from America's Federal Aviation Administration tells you where you can and can't fly your drone. But a senior writer for IEEE Spectrum reports that in fact the app "ignores both local and national regulations," and concludes after some field-testing in Oregon that it's "in many situations, worse than useless." Buried in a PDF FAQ (now offline) about the app is this: "Additionally, there may be local laws or ordinances about flying unmanned aircraft affecting your intended flight that are not reflected in this app. It is the responsibility of the operator to know the rules and fly safely at all times." And oh boy is that a huge responsibility that the app itself doesn't even mention, and that enormous loophole means that the B4UFLY app's "good to go" indicator is not just meaningless but in fact giving you the wrong idea entirely.... You could argue that this is worse than no app at all, because the app is actively giving you bad information. You are not, in fact, good to go, and if you're already going, you should stop immediately... When the FAA itself presents the B4UFLY app as a tool that can be used so that "recreational flyers know whether it is safe to fly their drone," that's exactly what it should do. Instead, the app provides only one very limited kind of information about recreational drone safety, without telling the user that it's on them to somehow dig up all the rest of the information that may or may not affect their flight... At the absolute minimum, the B4UFLY app should not tell users that they're "good to go" unless they are flying from an area where drone use is explicitly permitted, like national forests. Anywhere else, users should be instructed to verify that their local laws allow drone use. Is that going to be a huge annoyance that drives users away from the app? Of course. But it's the truth, and if the FAA doesn't like that, they should work with local governments to put the necessary information into the app instead. 
This article inspired a suggestion from long-time Slashdot reader gurps_npc. "What should be done is that every park that is not too close to an airport or other forbidden zone should set aside a location and a time where they allow and encourage people to use drones."

Read more of this story at Slashdot.

Categories: Privacy

'Google's Chrome Has My Dead Grandpa's Data and He Never Used the Internet'

Your rights online - Sun, 09/08/2019 - 00:34
schwit1 shares a Forbes article by Joe Toscano, a former experience design consultant for Google who in 2017 "decided to step away from my role consulting with Google, due to ethical concerns." This summer he got a big surprise when he looked in Chrome's "addresses" panel at chrome://settings/addresses: It turns out Google has info connecting me to my grandma (on my dad's side) who's alive and well but has never had the internet, and my grandpa (on my mom's side), who recently passed away in March 2019 and also never had the internet. This was disturbing for several reasons, the biggest of which being that neither of them had ever logged onto the internet in their lives. Neither even had the internet in their homes their entire lives! Beyond that, Google knew their exact addresses and their middle initials. I couldn't even have told you those things about my grandparents... [T]he data wasn't manually entered by me or anyone using my account, but yet the data is associated with my account? How did that happen? The only thing I can think of is that at one point in history my grandpa gave his information to someone or some company in real life and his information was sold to Google at one point or another... But then that led me to another question: How did his data get associated with my Google account...? Other questions I have: What other information does Google have about me/my family/others that I don't know about...? He's now asking readers if they have any idea how Google connected him to his dead grandpa -- and whether Google is somehow creating an ancestry database. Toscano also discovered Chrome has been creating a list of "Never Saved" passwords at chrome://settings/passwords?search=credentials even though "At no point did I tell Google to create and store a list of websites I had logged into that they didn't get access to but would like access to at some point in the future. Maybe in the Terms of Service/Privacy Policy I agreed to this, but who knows?
Not the majority of us, and it's just creepy." And in an update Toscano writes that he hopes the article will "provoke thought" about "why we willingly allow this to happen": Why is it okay that the internet is designed to be a surveillance machine? Why isn't it designed to be private by design? Is this how we want to carry on? Just because something is legal doesn't mean it's right. What would you like to see done? How would you like to see things changed?

Read more of this story at Slashdot.

Categories: Privacy

MIT Media Lab Chief Joi Ito Resigns Following Ronan Farrow's New Yorker Expose

Your rights online - Sat, 09/07/2019 - 21:34
Long-time Slashdot reader theodp writes: It was beginning to look like Joi Ito, the director of the MIT Media Lab, might weather a scandal over accepting donations from the financier and convicted sex offender Jeffrey Epstein. But less than a day after a scathing new expose in the New Yorker by Ronan Farrow alleged the Media Lab had a deeper fund-raising relationship with Epstein than previously acknowledged and attempted to conceal the extent of its contacts with him, Ito resigned from his position. "After giving the matter a great deal of thought over the past several days and weeks, I think that it is best that I resign as director of the media lab and as a professor and employee of the Institute, effective immediately," Ito wrote in an internal e-mail. In a message to the MIT community, MIT President L. Rafael Reif wrote, "Because the accusations in the story are extremely serious, they demand an immediate, thorough and independent investigation," and announced that MIT's general counsel would engage an outside law firm to oversee that investigation. Ronan's damning New Yorker story began: "Dozens of pages of e-mails and other documents obtained by The New Yorker reveal that, although Epstein was listed as 'disqualified' in MIT's official donor database, the Media Lab continued to accept gifts from him, consulted him about the use of the funds, and, by marking his contributions as anonymous, avoided disclosing their full extent, both publicly and within the university. Perhaps most notably, Epstein appeared to serve as an intermediary between the lab and other wealthy donors, soliciting millions of dollars in donations from individuals and organizations, including the technologist and philanthropist Bill Gates and the investor Leon Black." "The effort to conceal the lab's contact with Epstein was so widely known," reports the New Yorker, that some of Ito's staff "referred to Epstein as Voldemort or 'he who must not be named.'"

Read more of this story at Slashdot.

Categories: Privacy

Hong Kong Protesters Using Mesh Messaging App China Can't Block: Usage Up 3685%

Your rights online - Sat, 09/07/2019 - 16:34
An anonymous reader quotes Forbes: How do you communicate when the government censors the internet? With a peer-to-peer mesh broadcasting network that doesn't use the internet. That's exactly what Hong Kong pro-democracy protesters are doing now, thanks to San Francisco startup Bridgefy's Bluetooth-based messaging app. The protesters can communicate with each other — and the public — using no persistent managed network... While you can chat privately with contacts, you can also broadcast to anyone within range, even if they are not a contact. That's clearly an ideal scenario for protesters who are trying to reach people but cannot use traditional SMS texting, email, or the undisputed uber-app of China: WeChat. All of them are monitored by the state. Wednesday another article in Forbes confirmed with Bridgefy that their app uses end-to-end RSA encryption -- though an associate professor at the Johns Hopkins Information Security Institute warns in the same article about the possibility of the Chinese government demanding that telecom providers hand over a list of all users running the app and where they're located. Forbes also notes that "police could sign up to Bridgefy and, at the very least, cause confusion by flooding the network with fake broadcasts" -- or even use the app to spread privacy-compromising malware. "But if they're willing to accept the risk, Bridgefy could remain a useful tool for communicating and organizing in extreme situations."

Read more of this story at Slashdot.

Categories: Privacy

South Africa, UK Acknowledge Mass Surveillance By Tapping Undersea Internet Cables

Your rights online - Sat, 09/07/2019 - 15:34
The South African government has been conducting mass surveillance on all communications in the country, reports Reclaim the Net, citing a report from Privacy International as well as recently-revealed affidavits and other documents from former State Security Agency (SSA) director-general Arthur Fraser: Interestingly, the mass surveillance has been happening since 2008... The surveillance was supposedly designed to cover information about organized crime and acts of terrorism. It even involves surveillance on food security, water security, and even illegal financial flows. The report also revealed that the South African government has done bulk interception of Internet traffic by way of tapping into fiber-optic cables under the sea. What is not clear though is whether the surveillance covers all Internet traffic or is limited only to some of the fiber cables. The SSA said that the automated collection of data was specifically geared for foreign communications that pose threats to state security only. However, even the SSA admits to the fact that it will require human intervention to determine whether any communications that pass through the fiber cables are foreign or not. Hence, it would be difficult to distinguish between foreign and local communications. The iAfrikan site interviewed a digital rights researcher at South Africa's amaBhungane Centre for Investigative Journalism, whose legal filings helped bring this information to light. "We had details of the state's mass surveillance activities at least as early as 2006...." he tells the site, adding later that "The government has been quite upfront that it's collecting data from a vast number of people who are not suspected of any wrongdoing... Essentially, the State Security Agency is collecting as much haystack as it can, just in case it needs to look for a needle." Privacy International reports that the U.K. government has also recently acknowledged their "bulk interception of internet traffic by tapping undersea fibre optic cables." The site describes the work of the two countries as "some of the most pervasive surveillance programmes in human history."

Read more of this story at Slashdot.

Categories: Privacy

COBOL Turns 60. Why It Will Outlive Us All

Your rights online - Sat, 09/07/2019 - 14:34
ZDNet remembers when the only programming languages "were machine and assembler," until Burroughs Corporation programmer Mary Hawes proposed a vendor-neutral language with an English-like vocabulary. (Grace Hopper suggested they approach the Department of Defense, leading to a summit of 41 computer users and manufacturers at the Pentagon in 1959.) But ZDNet argues that 60 years later, COBOL isn't done yet. In 2016, the Government Accountability Office reported the Department of Homeland Security, Department of Veterans Affairs, and the Social Security Administration, to name just three, were still using COBOL. According to a COBOL consulting company, which goes by the delightful name COBOL Cowboys, 200 billion lines of COBOL code are still in use today and 90% of Fortune 500 companies still have COBOL code keeping the lights on. And, if you've received cash out of an ATM recently, it's almost certain COBOL was running behind the scenes. ZDNet explains that the largest number of businesses using COBOL are financial institutions, which, according to Micro Focus, includes "banking, insurance and wealth management/equities trading. Second is government services (federal, provincial, local)." Micro Focus is the company that now maintains COBOL, and their global director of marketing and "application modernization" tells ZDNet that "the number of organizations running COBOL systems today is in the tens of thousands. It is impossible to estimate the tens of millions of end users who interface with COBOL-based applications on a daily basis, but the language's reliance is clearly seen with its use in 70 percent of global transaction processing systems. Any time you phone a call center, any time you transfer money, or check your account, or pay a mortgage, or renew or get an insurance quote, or when contacting a government department, or shipping a parcel, or ordering some flowers, or buying something online at a whole range of retailers, or booking a vacation, or a flight, or trading stocks, or even checking your favorite baseball team's seasonal statistics, you are interacting with COBOL." ZDNet notes that some people are even moving their COBOL applications into the cloud, concluding "At this rate, COBOL programs will outlive us all."

Read more of this story at Slashdot.

Categories: Privacy

Watering Holes and Million Dollar Dissidents: the Changing Economics of Digital Surveillance

Deep Links - Fri, 09/06/2019 - 20:27

Recently, Google’s Project Zero published a report describing a newly-discovered campaign of surveillance using chains of zero day iOS exploits to spy on iPhones. This campaign employed multiple compromised websites in what is known as a “watering hole” attack. The compromised websites would automatically run the chain of exploits on anyone who visited, with the aim of installing a surveillance implant on the device. Google didn’t reveal the names of the websites or indeed who was being targeted but it soon became clear through other reporting that the likely target of this campaign was the Uyghur community, a Turkic Muslim minority in China facing mass detention and other harsh crackdowns perpetrated by the Chinese government with the most repressive policies coming into place in recent years.

Security company Volexity followed up the week after with detailed reports of similar website exploit chains targeting Android and Windows devices, again hosted on websites with a primarily Uyghur readership. This week, another publication confirmed that the Chinese government had compromised several international telcos in order to perform yet more invasive surveillance on expatriated Uyghurs.

Resetting Our Thinking on States and Zero Days

There are many important things to take away from these astonishing reports by Google and others. The biggest lesson is that we have to reconsider our understanding of how state actors use zero days. The dominant thinking among security researchers has long been that governments and law enforcement would only want to use zero-day exploits sparingly and against very specific targets, to reduce the risk that an exploit would be discovered by security researchers or companies, who would then fix the bugs underlying the exploit, thus rendering it useless.

Zero day exploits can be expensive, with iPhone exploits used against a single activist reportedly fetching upwards of 1 million dollars. Google’s report seemingly upends the traditional logic of zero day economics. This time a zero day was being used to exploit thousands of users, indiscriminately targeting all visitors to a specific set of websites. But if we consider the targets of this campaign and the likely actors behind it, the economics make perfect sense. While it is new to observe a state sponsored actor burning zero-days to target an entire community instead of one individual in the community, it is a reasonable tactic in this case.

These attacks likely have the goal of spying on the Uyghur diaspora outside China, to gain as much intelligence as possible on anyone associated with this movement within China or supporting the community from outside of China’s national borders. In the past, China has already arrested many community leaders, Uyghur activists, human rights defenders, as well as their relatives, and is likely interested in discovering any nascent leaders before they become a problem.

Google’s report and Apple’s recent response both miss the mark on the impact of this attack. Google’s Project Zero post was vague about the targeted nature of the attack, saying “There was no target discrimination; simply visiting the hacked site was enough for the exploit server to attack your device … we estimate that these sites receive thousands of visitors per week.” Apple’s response understates the impact of the vulnerability, stating “the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones ‘en masse’ as described.” The reality is more complicated: this was a highly targeted attack against every member and supporter of the Uyghur community. Though this is technically a “watering hole” attack, the websites reported by Volexity as having been compromised were all hyper-targeted at the Uyghur community and its supporters. Some were written in the Uyghur language, a Turkic language written with the Arabic script, which very few modern Turkic languages use today.

Google's post was light on specifics, but Project Zero researcher and report author Ian Beer highlighted an important way in which this discovery impacts the way we think about device security:

Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them. I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.

If you are targeting one activist, it might cost one million dollars for the necessary zero day exploit, but if you are able to monitor thousands of activists or an entire ethnic population with a single exploit, suddenly the cost per person drops to a much more affordable price. It’s unreasonable to think that economies of scale don’t apply to zero day exploits as they do to everything else. Many countries have an interest in targeting specific populations for surveillance (Palestinians in Israel, undocumented immigrants in the US, Kurds in Iran). With that in mind, it’s likely that this is not the last time we will see a state actor targeting an entire ethnic or activist group en masse with zero day exploits.

Categories: Privacy

EFF's DEF CON 27 T-Shirt Puzzle

Deep Links - Fri, 09/06/2019 - 17:39

At Hacker Summer Camp 2019, EFF unveiled our 10th-annual limited edition member shirt—available only during the three-day event, and inspired by the DEF CON theme of Technology’s Promise: “a break from the dystopian imagery into a major-key, blue-sky thoughtscape, full of color and light...a future where we have tamed some of the more intractable problems that plague us in the present, where technology supports and inspires instead of controlling and surveilling.” We took cues from the DEF CON 27 Theme Guide, an illustrated ePub detailing thought exercises, media that inspired the theme, and color/style breakdowns. The theme was heavily influenced by the French comic artist Moebius’ piece entitled Alice, a piece that envisions “a future where tech lives up to our highest hopes.”

Shirt Design

EFF’s shirt design is an homage to Moebius, including artwork of a user in a digital future where the downsides of technology have been overcome. She's got a flying machine that is so efficient that it doesn't require her attention; she's got a vintage laptop from the early 21st century that still works thanks to the interoperability of her systems; she can communicate freely, using archaic Morse code, thanks to strong encryption on all of her devices; and of course, she has the ability to change her hair color at will.

As in previous years, we’ve included a secret puzzle built into the design of our exclusive member shirt as a special thanks for the clever, curious EFFers who support our work. Read on for a breakdown of the puzzle design and a walkthrough of the puzzle elements. Or, try to solve it yourself! The puzzle can be found at https://www.eff.org/shr/ and will be available through September 30th. After the 30th, the puzzle can be found on the Internet Archive’s Wayback Machine.

Puzzle Design

We established a technological utopia in our shirt design, and used only one rule to create a fantasy world map of this future: draw like Moebius. With this rule in mind, we wondered - what was under the clouds in the shirt design? Where would this user park her flying machine? We gathered reference materials to inspire us, and studied Le Monde d'Edena to capture Moebius’ distinct architectural and landscape style. We wanted the fantasy map to draw players into the world, where they would get lost in the tiny paths and buildings of this utopian civilization, eventually finding doors and hidden passages to the elements of the puzzle.

Printable version of EFF's DEF CON 27 puzzle map

Puzzle Walkthrough

Players access the puzzle via the morse code URL on the screen of the intrepid user in our shirt design (. ..-. ..-. .-.-.- --- .-. --. -..-. ... .... .-.). After arriving on the website, mousing over the map reveals glowing links in four different locations. The tower holds the final goal, which can only be deciphered after solving the other three puzzles. We decided to make progression through the puzzle non-linear this year in order to facilitate collaboration, and to give solvers time to do other DEF CON activities in between working on the EFF puzzle.

Knitting

The “first” puzzle can be found by hovering over the entrance to the palace. The page displays a knitting pattern in chart form. Knitting was chosen as a theme due to the history of women using knit fabrics for “steganography”—to hold concealed messages in times of war, particularly World War I. We also wanted to highlight skill sets not often represented in the cybersecurity space—someone familiar with knitting can immediately recognize something wrong with this pattern. There are entire rows of open circles, the symbol for a “yarn over” (skipping a stitch to create a hole), which doesn’t make sense. Inspecting the pattern reveals a hint, however: “the yarn overs are blanks”. Here are some examples of common patterns—you can compare to see the difference.

If you aren’t familiar with knitting, searching “yarn over” and identifying the symbol is the first step to solving this puzzle. The next is recognizing that the page title “SOS” is hinting at more morse code. Looking at the image, there are three different kinds of rows: all knits (blank squares), all purls (filled circles), and all yarn overs. We already know that the yarn overs are blanks from the hint, so that means trying the pattern in two ways: one with the knits as dots, and one as dashes. The correct method is converting knits to dots, which gives the morse code string “.-- .- -. -.. . .-.” which translates to “wander”.

“ASCII” Art

The next puzzle’s page is a throwback to an older Internet era, and is located at the docks tunnel. The page contains (mostly) ASCII art, like the following header that was used in EFF’s EFFector mailings (if you haven’t signed up to receive them, you can do so here):

There are a few different ways to identify where the puzzle is on this page: noticing that the whitespace is off in some of the images, such as the computer, or by taking a closer look at the characters in the pieces themselves. Looking at the character codes, the non-ASCII character U+2800, a braille space, can be found in place of a standard ASCII space (code point 32). A hint in the page reads: “the distribution doesn’t matter”—clueing the solver into the idea that the order of the braille spaces within the art doesn’t hold the solution. Using a script to count the occurrences of U+2800 in each art piece gives the following: “99 101 112 104 97 108 111 112 111 100”, which are ASCII code points for “cephalopod”.

If you’re curious, check out the script used to encode the braille. You can count the characters with the following line of ruby, where the text is a single piece of art:

`text.count("\u2800").chr`

Syzygy

The third puzzle, found in the entrance to the temple, consists of this image:


The first hint towards solving this puzzle is in the URL: “5y2y6y” is “leetcode” for “syzygy”, which is a phenomenon where many celestial bodies (at least three) are collinear in the same gravitational system. The image, keeping with the theme of exploration, shows an imagined system of planets. The answer to the puzzle comes from the first number of rotation steps where the planets will all align under the arrow. There are a number of ways to find this number. The number is small enough that you can write a program to brute force the answer. Or, since the periods of the planets are relatively prime, you can use the Chinese remainder theorem. The first full syzygy of this planetary setup is at step 74800, or leetcode for “taboo”.

Final Puzzle

The last puzzle, located at the top of the tower, simply displays:

Inspecting the page gives the hint “O(ne) T(rue) P(airing)”, a reference to the one time pad cipher, a relatively old message encryption technique that is difficult to crack as long as the key is random, as long or longer than the plaintext, never reused, and kept secret. A tool like this one can be used to decrypt the text, or the adventurous can read about one time pads and try their hand at translating it themselves. The key to this one time pad is “wandercephalopodtaboo”, a combination of the answers from the three other puzzles. Using this key to decrypt the ciphertext translates it from “oerbslutpjenclprr” to “seeyouspacecowboy”, marking the completion of the puzzle!
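The walkthrough above can be reproduced end to end in a few lines. The following is an added example, not EFF's own puzzle code: it decodes the Morse URL and the knitting chart, counts the U+2800 braille blanks in the “ASCII” art, and applies the one time pad. It assumes the pad is letter addition modulo 26 over a–z (which reproduces the ciphertext quoted in the post); the chart rows and art pieces are constructed samples, and the planet periods for the syzygy puzzle are not given in the post, so that stage is omitted.

```python
"""Helpers for the EFF DEF CON 27 shirt puzzle walkthrough (added example, not EFF's code)."""

# International Morse for a-z plus the two punctuation marks the shirt URL uses.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", ".-.-.-": ".", "-..-.": "/",
}


def decode_morse(code):
    """Decode space-separated Morse symbols into text."""
    return "".join(MORSE[sym] for sym in code.split())


# Knitting chart, one symbol per row: 'K' knit (blank square), 'P' purl (filled
# circle), 'O' yarn over (open circle). Per the page's hint the yarn overs are
# blanks, i.e. letter separators; knits become dots and purls become dashes.
CHART_SYMBOLS = {"K": ".", "P": "-", "O": " "}


def chart_to_morse(rows):
    """Turn a string of chart row types into a Morse string."""
    return "".join(CHART_SYMBOLS[r] for r in rows).strip()


# Constructed chart rows (assumption: one yarn-over row between letters).
SAMPLE_CHART = "KPPOKPOPKOPKKOKOKPK"

BRAILLE_SPACE = "\u2800"


def braille_word(pieces):
    """Each art piece hides a code point as its count of U+2800; order inside the art is irrelevant."""
    return "".join(chr(piece.count(BRAILLE_SPACE)) for piece in pieces)


def _constructed_art(n):
    # Constructed sample piece: ordinary spaces interleaved with n braille blanks,
    # so the whitespace "looks off" while only the count carries information.
    return "+--------+\n" + ("| " + BRAILLE_SPACE) * n + "|\n+--------+"


SAMPLE_ART = [_constructed_art(n) for n in (99, 101, 112, 104, 97, 108, 111, 112, 111, 100)]


def _otp_shift(text, key, decrypt):
    """Letter one time pad over a-z: c = p + k (mod 26); decryption subtracts instead."""
    if len(key) < len(text):
        # A pad shorter than the message is the classic failure mode: never reuse key material.
        raise ValueError("pad must be at least as long as the text")
    sign = -1 if decrypt else 1
    out = []
    for t, k in zip(text, key):  # only the first len(text) pad letters are consumed
        out.append(chr((ord(t) - 97 + sign * (ord(k) - 97)) % 26 + 97))
    return "".join(out)


def otp_encrypt(plaintext, key):
    return _otp_shift(plaintext, key, decrypt=False)


def otp_decrypt(ciphertext, key):
    return _otp_shift(ciphertext, key, decrypt=True)


if __name__ == "__main__":
    print(decode_morse(". ..-. ..-. .-.-.- --- .-. --. -..-. ... .... .-."))  # eff.org/shr
    morse = chart_to_morse(SAMPLE_CHART)
    print(morse, "->", decode_morse(morse))  # .-- .- -. -.. . .-. -> wander
    print(braille_word(SAMPLE_ART))  # cephalopod
    key = decode_morse(morse) + braille_word(SAMPLE_ART) + "taboo"
    print(otp_decrypt("oerbslutpjenclprr", key))  # seeyouspacecowboy
```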

Winners

The winners of this year’s puzzle are @aaronsteimle, @_pseudoku, and @0xCryptoK! Their team members also solved our 2013, 2015, 2017, and 2018 DEF CON shirt puzzles.

Thank you to everyone who came by the booth to say hello, donated, and played through our puzzle! Creating this interactive art for our supporters is one of the highlights of our year, and we could not do it without you. If you’d like to support our work, consider becoming a member—and don’t forget to stop by the booth next year.

Until next time: “See you, space cowboy.”


Categories: Privacy

Facebook's Dating Service is Full of Red Flags

Deep Links - Fri, 09/06/2019 - 16:06

If you open Facebook’s mobile app today, it will likely suggest that you try the company’s new Dating service, which just launched in the U.S. after a rollout in 19 other countries last year. But with the company’s track record of mishandling user data, and its business model of monetizing our sensitive information to power third-party targeted advertising, potential users should view Facebook’s desire to peek into our bedrooms as a huge red flag.

Bad at Data Privacy But Good at Dating Privacy? Doubtful

Just this week, Facebook’s lax data privacy practices resulted in a huge database of phone numbers linked to accounts surfacing on a third party’s unprotected server. Generally, this is how the story goes: sensitive user data is leaked or found to be available in a way that Facebook users didn’t expect. But don’t worry, the company says—we’ve updated those practices. While improvements are appreciated, this cycle gets repeated so regularly that you could almost set your watch by it. 

This has created a problem for Facebook. Once upon a time, the company’s main value proposition was to make it easier for friends, or acquaintances, to connect and share info about themselves with one another (and thus with Facebook). And over the years, the company has expanded the amount of data it collects—even as it has become clearer and clearer that it can’t be trusted with all of that sensitive info. 

But after these numerous scandals, many users have spent the last year or two trying to minimize the information they intentionally give to the company (though its ubiquity can make that difficult). Facebook Dating offers a new twist on what the company once promised—connection—in exchange for what the company values most—your data. But at this point, one would have to be pretty desperate to give a company with Facebook’s history any insight into their romantic life. Your friend list alone can reveal all sorts of information about you. With a new service like Dating that gives Facebook access to particularly sensitive information about our love lives—like which of our friends we have a crush on, what we are looking for in a partner, where we met them, etc—users should be very wary that the company will continue to mishandle this especially private info the way it has already mishandled user info for years.  

Third Wheels and Third Parties 

And that’s just the tip of the iceberg. Facebook says it isn’t currently monetizing its dating service. But the company is powered by advertising dollars, paid for by advertisers who want access to the data that Facebook collects. Facebook gathers this information in lots of ways—when you click the “like” button, when you click ads, when you visit other sites that have Facebook’s pixel on them, even when you visit specific stores in person. In all likelihood, dating profile data will prove too valuable an addition to that collection for the company to keep hidden from advertisers, who would love to be the third wheel in your relationship with Facebook’s dating service. Some of that info will almost certainly be available for those third parties to use in their search for ever more detailed data about potential targets.  

To do that, Facebook could combine your dating profile information with the rest of your account data—it’s hard to imagine the company giving up the ability to join its years of data on users with the new data it collects about their dating. If it required informed opt-in consent from users before advertisers could use that data, that might be less worrisome. But we don’t know if there will be any controls at all for those who don’t want their dating life to mingle with the rest of their online profile, or to be shared with advertisers—and that’s a recipe for heartbreak.

This is not to mention that earlier this year, in a world-class blunder, Facebook was caught (and chastised by the FTC for) using phone numbers for targeted advertising purposes that users had provided only for two-factor authentication. If you can’t trust Facebook with your phone number, can you really trust them to safeguard your dating history? These numerous past mistakes should serve as a warning: if you wouldn’t tell Facebook—and all of its advertisers—the nitty gritty details about what you’re looking for in a partner, you should think twice about asking the company to play matchmaker.

Categories: Privacy