The latest backlash from the NSA spying scandal may be directed not squarely at the U.S. government, but at U.S. businesses.  President Rousseff of Brazil is proposing legislation which would require data generated within the country to also be stored on servers within the country.  What kind of data would be covered, and exactly how this would work given the breadth and complexity of identifying where data originates in our ever more interconnected world, is not yet clear.

As this article in Bloomberg points out, Latin Americans have long been suspicious of U.S. spying activities on the continent.  However, Brazil would not be the first country to make such a requirement of technology companies.  Currently, European countries require sensitive personal data to be stored on servers in-country.  Technology advocates cite slower traffic speeds and increased potential problems with the proposed legislation.  Requiring companies to house servers domestically may also result in protectionist measures meant to bolster local technology industries, and perhaps even trade disputes.

 

Google doesn’t think so.  In court filings last month, Google argued not only that someone using its service has no reasonable expectation of privacy in the contents of their emails, but also that anyone who sends a Gmail user an email has no expectation of privacy.  The main case cited by Google was Smith v. Maryland, in which the Supreme Court held that the use of a pen register (a device that records all numbers called from a particular phone line) was not a violation of the 4th Amendment, because no reasonable expectation of privacy existed in the numbers you were dialing: you were freely giving these to the phone company in order to connect you.

While Google’s arguments may be relevant to the NSA’s metadata collection programs, Google’s algorithms go beyond recording email addresses and read the content of emails as well.  For this reason, in this author’s opinion, the analogy with Smith is strained to say the least.

In what makes for some interesting reading, the class action complaint filed against Google that has precipitated these 4th Amendment arguments largely revolves around Google’s decision to consolidate the privacy policies for all of its products into a single policy, which allows Google to use information obtained from a consumer’s use of one product in connection with any of its other products.

Citing an Eric Schmidt quote (“Google policy is to get right up to the creepy line and not cross it.” – October 2010), the complaint can be summed up by saying that the Plaintiffs believe that Google has officially crossed the creepy line and into breaking-the-law territory.

While the blogosphere is hammering Google for this admission, it may actually work in their favor: the more the world knows that Google is reading and using your information (beyond the indiscernible privacy policies, that is), the less a person will, in the future, be able to continue to claim that they have an expectation of privacy, because they’ve been put on notice about Google’s practices.  This is exactly, in fact, what Google argues with respect to the named Plaintiffs.  Even knowing this, hundreds of millions of people continue to use Google products because, well, they’re pretty darn good and they’re free.  Wait…what was that adage again?  Oh yeah:

“If you’re not paying for the product, you are the product.”

A copy of the original complaint (albeit severely redacted) of the lawsuit is available here.

A copy of Google’s motion to dismiss and its arguments relating to reasonable expectation of privacy is available here.

The recent revelations about the NSA’s technological surveillance of American citizens have caused many in the US and overseas to question their level of trust in the US government. The German government and citizens have been particularly vocal about their skepticism of US surveillance practices.  The issue is coloring the recent election season, as media outlets post encryption techniques and question the use of US-based social networking sites. Given the country’s history, it is understandable why they would be particularly attuned to fears of a “surveillance state”. Compared to American data privacy laws, which are few and fragmented, Germany has a single data protection act enforced by 17 state supervisors dedicated to protecting individual privacy.

These fears have led to an increased distrust of US technology.  The German Ministry of Economic Affairs has become uneasy over the security of the Windows 8 operating system, particularly the Trusted Platform Module, which is being built into an increasing number of Windows PCs.  The TPM chip collects cryptographic data stored for Windows BitLocker, has total control over what programs can and cannot be run on the PC, and even allows remote administration of the device.  What is most striking is that the system cannot be overridden through the operating system.  Fears abound that this technology would allow for an even greater level of secret surveillance, one which PC users would be unable to escape.  Apart from fears of state surveillance, having such a chip raises confidentiality issues, should third parties find a method of exploiting the system.


The European Commission recently passed legislation requiring public telecommunication companies to notify regulators within 24 hours of security breaches of their data.  A more detailed account of the security breach must be reported within 3 days after the initial report.

The telecom must also notify the private individuals affected by the security breach if it is likely to adversely affect their personal data or privacy, a determination that is left wholly within the hands of the telecom itself.  The private individual must be notified without “undue delay,” although no specific timeframe is mandated.

Further information is available at: http://www.mondaq.com/x/258672/data+protection/European+Commission+Tightens+The+Deadline+Data+Breach+Notification+Within+24+Hrs&email_access=on

In the wake of Edward Snowden’s release of info on top-secret NSA spying programs, his reported encrypted email service is now shutting its doors rather than, allegedly, complying with U.S. government requests to release confidential information.  Silent Circle, an encrypted email, phone, and text service reportedly used not only by Snowden but by the rich, famous, and very private, said it would no longer provide its email services, but would continue to provide its phone and text services.  Lavabit, a similar encrypted email service, also appears to be additional Snowden collateral damage, shuttering its doors in the wake of government requests.  You can check out messages from the founders on their homepages here: Lavabit, Silent Circle.

These takedowns come on the heels of the shutdown of Freedom Hosting, which provides various anonymous services through the Tor network (one of privacy enthusiasts’ favorite tools).  Although the Freedom Hosting takedown appears to be directly related to the site’s hosting of child pornography, with its founder reportedly arrested, the FBI has been implicated in infiltrating Freedom Hosting with the use of malware.  More info from Wired available here.

Whether you think Snowden is a traitor or Jason Bourne (so say young people according to Sen. McCain here), the repercussions for his release of classified info do not appear to be waning any time soon.

Still want the best encrypted email out there?  Check out this post by Extreme Tech.

What about the best encrypted cloud services, you say?  LifeHacker out of Australia has some great recommendations, including ways to encrypt your current non-encrypted, more mainstream services (e.g. Dropbox, box.net, SkyDrive, etc.), here.

The Supreme Court of New Jersey has just ruled that under its constitution, police must obtain a warrant before accessing cell phone location information (CSLI) in criminal investigations.  Based on the way that cell phones access service towers, CSLI can often give police a precise record of an individual’s location 24 hours a day for as long as the individual has the phone.  Privacy advocates view this type of monitoring as highly intrusive and well beyond what police are allowed to do under the Fourth Amendment.  Many jurisdictions, however, recognize this sort of information as public, both because it is being broadcast to a third party (the cell phone company) and because an individual’s movements outside of their home can be observed legally without a warrant, by an undercover detective for example.  Privacy advocates respond by saying that no one intends to broadcast their minute-by-minute location information simply by having a cell phone, and that this type of surveillance goes well beyond what police would be capable of through traditional methods.

Because federal law has not yet clearly taken a stance on using CSLI data under the Fourth Amendment, the New Jersey Supreme Court ruled under its own constitution, stating that a cell phone user has a reasonable expectation of privacy in their CSLI data.  This decision could persuade other states to take similar stances requiring warrants for access to the data; however, as the court ruled under its own constitution, the federal question is still very much open to debate.
