On Tuesday, October 27, the US Senate voted to pass the Cybersecurity Information Sharing Act.

The bill allows companies to share evidence of cyber-attacks with the US government even when doing so violates a person’s privacy. Supporters say it will make it easier for the government to monitor threats and coordinate responses across companies. Opponents, including Apple and other top tech companies, argued that the bill could give the government more latitude to spy on US citizens.

US Chamber of Commerce President and CEO Thomas Donohue said this legislation is a “positive step toward enhancing our nation’s cybersecurity.”

21 Senators voted against the act. Among them was Minnesota Democrat Al Franken who believes there is a need for “effective legislation that balances security and privacy” and “the CISA does not do that.”

CISA was first introduced just last year and passed the House, but it did not get through the Senate. High-profile cyberattacks on companies such as Sony Pictures, United Airlines, and Ashley Madison may have prompted the Senate to approve it this time around.

The issue at hand is that personal identifiers, such as the contents of text messages and e-mails, may slip through when information is sent to law enforcement and intelligence agencies, even though companies are supposed to delete that information first.

The US Department of Homeland Security acknowledged that the bill does raise “privacy and civil liberty concerns.”

CISA now goes to a Congressional conference committee, whose members must reconcile the Senate and House versions of the bill before sending it to President Obama.

Article via CNET Security News, October 27, 2015

Photo: Washington DC – Capitol Hill: United States Capitol via Wally Gobetz [Creative Commons Attribution-NonCommercial-NoDerivs]

A Citizen Lab report released Thursday revealed that 33 countries are likely using FinFisher, a prominent spyware program. Many of these countries—including Ethiopia, Bangladesh, and Egypt—have suspect human rights standards.

FinFisher enables an organization or government to capture the keystrokes of a computer, as well as use the device’s microphone and camera to surreptitiously eavesdrop on a target. This type of surveillance tool was once only used by advanced governments, but is now available to anyone willing to invest in the service. In the U.S., journalists and dissidents are especially targeted.

Breaches of the spyware vendors themselves over the past two years have taught researchers a great deal about the mechanics of these companies. FinFisher was hacked last year, revealing confidential company logistics, and its competitor Hacking Team was hacked this past year, exposing sensitive emails and files. Errors in the spyware servers also help Citizen Lab researchers work out which governments are using the services of companies like FinFisher or Hacking Team.

Spyware servers used by governments often infect and control target computers through malware whose command infrastructure is hidden behind proxies. After scanning the Internet, the researchers found 135 servers that matched the “technical fingerprint” of the spyware, yet typing any of those servers’ addresses into a Web browser always led to a decoy page, most often www.google.com or www.yahoo.com.

However, the decoy sites showed search results localized to the server’s actual location, not to the location the researchers were in when they visited it. One proxy server appeared to be in the United States but returned an IP address from Indonesia, indicating that that country’s government may be using FinFisher’s services.

Article via The Washington Post, 16 October 2015

Photo: Patrons use computers in an internet cafe via World Bank Photo Collection [Creative Commons Attribution-NonCommercial-NoDerivs]

Two former data analysts at Capital One are accused of using their positions to calculate sales trends for major U.S. companies and then buying stock ahead of those companies’ reported earnings. Using this method, the two allegedly turned $150,000 in investments into $2.8 million. Capital One issues company smartphones to each employee, but each employee chooses their own passcode, which is unknown to Capital One. So even though Capital One turned the two analysts’ phones over to the SEC, which is conducting the investigation, the SEC cannot unlock them and has asked the court to order the two defendants to hand over their passcodes. The defendants, however, are invoking the Fifth Amendment. They argue that being forced to give up the passcodes would be akin to being forced to testify against themselves, which would be self-incrimination and would violate the Fifth Amendment.

But does the Fifth Amendment truly apply to this situation? In a new ruling, Judge Mark Kearney agreed with the defendants’ view. Judge Kearney’s opinion centers on his interpretation of the foregone conclusion doctrine. Essentially, the foregone conclusion doctrine states that the Fifth Amendment cannot be used to refuse an order when the testimony implied by complying with the order is already known and is not what the court is trying to prove. For example, if the court ordered a defendant to relinquish all illegal substances in their possession, the defendant could plead the Fifth Amendment, because the act of handing over illegal substances itself incriminates the defendant. The interpretation of the foregone conclusion doctrine in this case comes down to what testimony results from giving up the passcodes. The SEC argues that by giving up the passcodes the defendants only admit to having previously used the phones, which the SEC already knows and is not trying to prove. Judge Kearney, however, holds that the foregone conclusion analysis concerns the specific documents the SEC is seeking, which may or may not be on the phones, and that the doctrine therefore does not apply.

Who is correct? Some disagree with Judge Kearney and hold that gaining access to the phone is independent of whatever records may or may not be stored on it, so the foregone conclusion doctrine should apply. Either way, the SEC has other ways to word an order for the phones to be unlocked that do fall under the doctrine. For example, the defendants could be ordered to enter the passcodes themselves and then deliver the unlocked phones to the SEC, in which case the only testimony implied is that the defendants have used the phones enough to know the passcodes, a fact that is already well known.

Article: Washington Post, September 24, 2015

Photo: iPhone via Jared Earle [Creative Commons Attribution-NonCommercial-NoDerivs]

Lawyers, like everyone else, have been quick to adopt smartphones for business use. Having a little Internet-connected computer in your pocket makes it easy for lawyers to reach and respond to clients and keep up with industry news. Law firms have become dependent on this technology, and as a result smartphones have become ubiquitous. Since the BlackBerry era, lawyers have routinely been handed smartphones for company use.

But what happens to these phones once the firms are done with them? More specifically, what happens to all the client data that accumulated on them while they were in use? Large firms usually have an enterprise solution for handling old smartphones; smaller firms are less likely to.

A recent study by the Blancco Technology Group revealed that data is sometimes left behind on second-hand devices. The study found that one-third of discarded smartphones still had residual data on them, and on over half of those devices the data remained after an attempted deletion. In other words, even those who tried to protect their data by deleting it were unsuccessful and did not realize it.

For lawyers, this kind of exposure raises the stakes considerably. Leaving confidential client information on a discarded device can be extremely detrimental. Law firms, large and small, will therefore need to take extra steps to make sure their mobile devices are wiped clean, and that applies not just to smartphones but to tablets and hard drives as well.

Lawyers will need to upgrade their tech savvy to make sure that their data and their clients stay safe.

Article via Above The Law, 8 October 2015

Photo: The iphone 4 via Jorge Quinteros [Creative Commons Attribution-NonCommercial-NoDerivs]

In a recent ruling, the European Court of Justice struck down Safe Harbor, the framework that governed transatlantic data flows between the United States and the European Union. The invalidation of Safe Harbor carries significant consequences for American e-commerce firms operating in Europe. Companies like Google and Facebook—as well as the U.S. administration—now must make high-profile decisions in response to the ruling.

Europe has broad legislation protecting the personal information of E.U. citizens from exploitation by businesses. The U.S., in contrast, only codifies privacy protections against government institutions and for certain high-sensitivity data (e.g. health records). Safe Harbor’s “principles” were more flexible extensions of the E.U.’s privacy laws; violations of Safe Harbor could result in sanctions from a self-regulatory organization or from the Federal Trade Commission.

When Europe’s highest court invalidated the agreement, it did so on the premise that European citizens’ data was being exploited by U.S. tech companies as well as by the U.S. government. The ruling echoed a recent decision by an Irish court on Safe Harbor’s illegality. Any new agreement will have to contain more stringent privacy rules and will therefore impose more limitations on U.S. firms.

Facebook’s and Google’s immediate options include continuing their current business practices in a period of legal uncertainty, shutting down their European operations (at major cost), or changing their business model to include more data centers in Europe. The last alternative would require the companies to keep European and American data completely separate, at the price of economic inefficiency.

Article via The Washington Post, 6 October 2015

Photo: Bandiera dell’Unione (EU Flag) via Giampaolo Squarcina [Creative Commons Attribution-NonCommercial-NoDerivs]


After keeping a relatively low profile since his exile to Moscow in 2013, Edward Snowden has made himself public on Twitter. His first post on Tuesday, “Can you hear me now?”, was a nod to his past whistleblowing as well as a subtle reference to a Verizon television commercial. Within two hours, Snowden had 300,000 followers.

Ben Wizner, one of Snowden’s lawyers, has confirmed that the account is authentic. The fugitive’s first tweet was welcomed by a reply—“Yes! Welcome to Twitter.”—from Twitter co-founder Jack Dorsey. Astrophysicist and cosmologist Neil deGrasse Tyson also acknowledged Snowden, ending a Twitter back-and-forth with: “Ed @Snowden, after discussing everything from Chemistry to the Constitution on #StarTalk, you’re a patriot to me. Stay safe.”

Snowden follows only one account, belonging to the NSA.

Article via CNET, 29 September 2015

Photo: Edward Snowden Wired via Mike Motzart [Creative Commons Attribution-NonCommercial-NoDerivs]