Finding the balance between data surveillance and protecting user privacy is an ongoing process, but Blackberry has just chosen to take a stand for the latter. The company has decided to pull operations from Pakistan after demands from their Telecommunications Authority for unrestricted access to Blackberry Enterprise Services. The Pakistani government was basically asking for a “backdoor” to access encrypted message and emails sent or received within Pakistan. Blackberry not only refused to cooperate with the demands in Pakistan but has also stated that they will not submit to any demands for unrestricted “backdoor” access in any country.

While protecting user privacy is important, ensuring safety of citizens sometimes requires governments to conduct data surveillance. Blackberry has stated that these demands from Pakistani government do not fall under the realm of public safety. Rather, “Pakistan was essentially demanding unfettered access to all of our BES customers’ information,” explained Chief Operating Officer Marty Beard. In the blog post Beard released explaining Blackberry’s withdrawal from Pakistan, he stated that while Blackberry is more than willing to assist with law enforcement’s investigations when a crime has been committed, it won’t grant companies “backdoor” access. This shouldn’t come as a shock; Blackberry has displayed that security is a main priority in their interactions with other governments and businesses.

Blackberry has now shown how they will react to requests for access to their customers’ digital data, but they won’t be the only company having to decide how to protect user privacy. As governments decide how important access to encrypted data is to national security, other companies may be faced with tough decisions concerning their positions in the surveillance versus privacy debate.

 

Article via CNET, November 30, 2015

Photo: Blackberry Bold via johncatral [Creative Commons Attribution-NonCommercial-NoDerivs]

With the ISIS attack in Paris still fresh in everyone’s minds, many concerns are being raised about data surveillance laws. Even though there has not been any evidence that the terrorist attacks involved the use of encrypted data, some supporters of expanding data surveillance are citing the attacks as proof that wider-ranging laws are needed. This is nothing new; the ongoing battle between privacy proponents and lawmakers supporting more surveillance is thrust into the spotlight increasingly often. Disagreements over data encryption will likely only increase, with 75% of internet interactions expected to be encrypted in the next ten to fifteen years. And while supporters of internet and data privacy have no problem with this rise in data encryption, it will cause technical problems for government agencies and law officials who need to access information to bring criminals and terrorists to justice.

A compromise has been suggested: some officials have proposed instituting laws that require tech companies to develop methods for police to obtain access to encrypted information, although this may not even be possible. Some companies such as Apple and Google cannot even access data encrypted in their own devices and services. Even if it is possible, the White House has agreed to not move forward with any legislation that would require companies to make encrypted data available whenever the police needed.

Finding a balance between protecting users’ privacy online and surveillance in the name of preserving law and order is an ongoing process and should not be determined quickly in the wake of a crisis. While there should be legal limits on the seizure of encrypted data, there must also be limits on how and what is encrypted. Determining these limits will take time.

Article via The Washington PostNovember 18, 2015

Photo: Point Cloud Data via Daniel V [Creative Commons Attribution-NonCommercial-NoDerivs]

Five years ago, companies like Ancestry.com and 23andMe provided the option of genealogy tracing and medical diagnostic tests for customers who submitted DNA samples. At the time, privacy advocates warned of the potential risks of letting businesses collect genetic databases.

Privacy advocate Jeremy Gruber summed it up in 2010 when he said that genetic material “has serious information about you and your family.” This information, if used beyond the purposes of genealogy tracing, has big implications in law enforcement and government tracking. Wired magazine cautioned, “Your relative’s DNA could turn you into a suspect.”

Currently, the FBI keeps a national genetic database of the DNA of convicts and arrestees. Both companies’ privacy policies state that upon court order, DNA information will be given to law enforcement. Yet, as Wired implicated, people have been wrongly accused of crimes for DNA near-matches in the past.

23andMe recently launched a transparency report, similar to other major tech companies that receive government requests for consumer information, within the next month.

“In the event we are required by law to make a disclosure, we will notify the affected customer through the contact information provided to us, unless doing so would violate the law or a court order,” said the company’s first privacy officer Kate Black.

Ancestry.com will not state explicitly how many government data requests the company has recieved.

“On occasion when required by law to do so… we have cooperated with law enforcement and the courts to provide only the specific information requested,” said a spokesperson.

Article via Fusion, October 16, 2015

Photo: DNA isolation 5 via Patrick Alexander [Creative Commons Attribution-NonCommercial-NoDerivs]

In February of 2014, Maria Nucci attempted to sue Target after she slipped and fell on a work shift. In response, Target requested access to her Facebook profile in order to gather evidence on Nucci’s quality of life following the accident.

Saying that she had a “reasonable expectation of privacy” because of Facebook’s privacy settings, Nucci declined, and 36 photographs were removed from her profile two days following her objection.

The case was taken to the Fourth District Court of Appeals for the State of Florida, where in January of 2015, the three-judge panel ruled in favor of Target’s request for Nucci’s Facebook photographs.

“Because information that an individual shares through social networking websites like Facebook may be copied and disseminated by another,’ the expectation that such information is private, in the traditional sense of the word, is not a reasonable one,” the panel ruled.

Courts are still navigating how to use social media as evidence in legal cases. Currently, the main two issues complicating social media’s role in the courthouse are privacy, as in the Target case, and authentication.

Many social media sites require only an email to sign up, and those who require more don’t use any system to verify whether the person creating an account is in fact who they say they are.

Gibson Dunn partner Jennifer Rearden sums up the difficulties in using social media profiles as evidence: “Anybody can put anything on the Internet, and most Internet sites are not monitored for accuracy, so just because you have a print-out of someone’s profile page doesn’t mean you actually have confirmation they are controlling that page.”

 
Article via Legaltech News, November 2, 2015

Photo: Tumblr via Corrado [Creative Commons Attribution-NonCommercial-NoDerivs]

On Feb. 4, 2010 Maria Nucci sued Target for the injury she sustained while working at the store. However, when Target requested access to her social media account, Nucci objected. As a result, 36 photos were deleted two days later. However, the Fourth District Court of Appeals for the State of Florida granted Target’s motion with respect to all photographs on the Facebook page that included Nucci. She argued she had a right to privacy, but the judges used that very argument against her.

“Because ‘information that an individual shares through social networking websites like Facebook may be copied and disseminated by another,’ the expectation that such information is private, in the traditional sense of the word, is not a reasonable one,” the panel ruled, partially quoting another Florida case. It also added, “Before the right to privacy attaches, there must exist a legitimate expectation of privacy.”

Using social media in court cases continues to skyrocket. It has been used about 80% of the time. According to John Facciola, the information has to be collected. Second, they have to sorted out into what the attorney needs and does not need. Courts are still trying to figure out what to do with social media in discovery and the privacy rights of those whose profiles are in question. This past year, the arguing has centered on two main issues: authentication, and where the expectation of privacy stops.

Social media is notorious for one particular thing: you don’t have to be who you say you are online. This is demonstrated in parody Twitter accounts and multiple Linkedin profiles. State courts have different standards on the authentication of social media. For example, the Maryland standard is that “the judge had to be ‘convinced’ that a social media post wasn’t falsified or created by another user. On the other hand, the Texas approach stipulated that any evidence could be used “as long as the proponent of the evidence can demonstrate to the judge that a jury can reasonably find that evidence to be authentic.” In United States vs. Vayner, Aliaksandr Zhyltsou accused Vladyslav Timku of providing a forged birth certificate for an imaginary infant daughter to avoid compulsory military service in Ukraine. The key piece of evidence was in the defendant’s social media account. However, the federal agent could not provide authenticity. As a result, Maryland revisited their standard and deemed that the judge has to identify which evidence would be sufficient. In other words, the judge has to determine that “there is proof from which a reasonable juror could find that the evidence is what the proponent is claiming.”

Article via Legaltech News , November 2, 2015

Photo: Affiliated Network for Social Accountability- Arab World via World Bank Photo Collection [Creative Commons Attribution-NonCommercial-NoDerivs]

The US Senate voted this past Tuesday to pass the Cybersecurity Information Sharing Act (CISA), which allows companies to share evidence of cyberattacks with the US government, even if that data includes the personal information of individuals.

Those in favor of the bill argue that CISA will help the government protect companies. Most big tech companies comprise the opposition, and say that the new act is another loophole that allows the US government to snoop on citizens. President Obama supports CISA.

Al Franken, a senator from Minnesota and one of 21 who voted against the bill, said in a statement following CISA’s passing, “There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security. This bill doesn’t do that.”

Companies are supposed to remove personal information about customers—such as emails and text messages—before sending data to the government. Currently, however, no accountability system exists to ensure that personal identifiers are in fact deleted before reaching government databases.

CISA was most likely passed in response to recent high-profile hackings, such as those committed against Sony Pictures, Ashley Madison, and United Airlines.

“With security breaches like T-Mobile, Target, and [the US government’s Office of Personnel Management] becoming the norm, Congress knows it needs to do something about cybersecurity,” said Mark Jaycox, Legislative Analyst of the Electronic Frontier Foundation. “It chose to do the wrong thing.”

Article via CNET, October 27, 2015

Photo: The Capitol, in Washington, D.C. US Senate and The House of Representatives via DeusXFlorida [Creative Commons Attribution-NonCommercial-NoDerivs]