The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

CAT | legal

Play

Welcome to Episode 10 of The Privacy Blog Podcast, brought to you by Anonymizer.

In July’s episode, I’ll be talking about the storage capacity of the NSA’s data center in Utah and whether the US really is the most surveilled country in the world. Next, I’ll explain why the new royal baby is trying to hack you and how your own phone’s SIM card could be putting your privacy at risk.

Lastly, I’ll discuss the current legal status of law enforcement geolocation, Yahoo!’s decision to reuse account names, and  some exciting Anonymizer Universal news.

As always, feel free to leave any questions in the comments section. Thanks for listening!

· · · · · · · ·

ArsTechnica has a nice article on a recent ruling by the US Fifth Circuit court of appeals.

In this 2-1 decision, the court ruled that cellular location information is not covered by the fourth amendment, and does not require a warrant. The logic behind this ruling is that the information is part of business records created and stored by the mobile phone carriers in the ordinary course of their business.

Therefor, the data actually belongs to the phone company, and not to you. The Stored Communications Act says that law enforcement must get a warrant to obtain the contents of communications (the body of emails or the audio of a phone call) but not for meta-data like sender, recipient, or location.

The court suggests that if the public wants privacy of location information that they should demand (I suppose through market forces) that providers delete or anonymize the location information, and that legislation be enacted to require warrants for access to it. Until then, they say we have no expectation of privacy in that information.

The Fifth Circuit covers Louisiana, Mississippi, and Texas.

This ruling conflicts with a recent New Jersey Supreme Court, which unanimously ruled that law enforcement does not have that right, which ruling only applies in New Jersey.

Montana has a law requiring a warrant to obtain location information, while in California a similar bill was vetoed.

It seems very likely that one or more of these cases will go to the supreme court.

· · · · ·

Declan McCullagh at CNET writes about the most recent skirmish over whether a person can be forced to decrypt their encrypted files.

In this case, Jeffery Feldman is suspected of having almost 20 terabytes of encrypted child pornography. Evidence of use of eMule, a peer to peer file sharing tool, showed filenames suggestive of such content. Child porn makes for some of the worst case law because it is such an emotionally charged issue.

A judge had ordered Mr. Feldman to decrypt the hard drive, or furnish the pass phrase, by today. After an emergency motion, he has been given more time while the challenge to the order is processed.

The challenge is over whether being compelled to decrypt data is equivalent to forced testimony against one’s self, which is forbidden by the Fifth Amendment. The prosecution position is that an encryption key is similar to a key to a safe, which may be compelled. Some prior cases have come down on the side of forcing the decryption, but not all.

If it was plausible that the suspect might not know how to decrypt the file, that would make things even more interesting. For now, the moral of the story is that you can’t rely on the Fifth Amendment to protect you from contempt of court charges in the United States if you try to protect your encrypted data. Outside the US, your mileage may vary.

· · ·

The ACLU just posted an article about a recent federal magistrate judge’s ruling. It is a somewhat bizarre case.

The DEA had an arrest warrant for a doctor suspected selling prescription pain killer drugs for cash. They then requested a court order to obtain his real time location information from his cell provider.

The judge went along, but then published a 30 page opinion stating that no order or warrant should have been required for the location information because the suspect had no expectation of location privacy. If he wanted privacy, all he had to have done is to turn off his phone (which would have prevented the collection of the information at all, not just established his expectation).

So, if this line of reasoning is picked up and becomes precedent, it is clear than anyone on the run needs to keep their phone off and / or use burner phones paid for with cash.

My concern is that, if there is no expectation of privacy, is there anything preventing government entities from requesting location information on whole populations without any probable cause or court order.

While I think that the use of location information in this case was completely appropriate, I would sleep better if there was the check and balance of the need for a court order before getting it.

This is another situation where technology has run ahead of the law. The Fourth Amendment was written in a time where information was in tangible form, and the only time it was generally in the hands of third parties, was when it was in the mail. Therefor search of mail in transit was specially protected.

Today, cloud and telecommunication providers serve much the same purpose as the US Postal Service, and are used in similar ways. It is high time that the same protection extended to snail mail be applied to the new high tech communications infrastructures we use today.

· · ·

It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used.

SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.

The article also suggest that these watermarks can be used to aid reconstruction of shredded documents.

· · · · ·

Courthouse News Service reports that a virginia judge has ruled Facebook “Likes” are not protected speech.

The case was related to employees of the Hampton VA sheriff’s office who “Liked” the current sheriff’s opponent in the last election. After he was re-elected, he fired many of the people who had supported his opponent.

The judge ruled that posts on Facebook would have been protected, but not simple Likes.

· · · · · ·

While I am encouraged to see the recently announced Consumer Privacy Bill of Rights, it is no reason to become complacent about your privacy.

First, the Consumer Privacy Bill of Rights is a set of fairly general statements. It is unclear if or when we would see real enforcement.

Second, it will be very difficult to enforce this against non-US services, and it is almost impossible for a user to know if some or all of a website she is visiting is being provided by a non-US company.

Third, it is very difficult to tell if the policies are being violated. Unless the website uses the information directly and immediately it is very hard to tie the use of information back to the source of the information. If it is being silently collected, you really can’t tell.

While such policies and statements of principle are a good thing, and one hopes that most major websites will get on board with them, if you actually want to ensure your privacy, you need to take matters into your own hands.

Block cookies, clear out old cookies, and hide your IP address with tools like Anonymizer Universal.

· · ·

The FBI in conjunction with the Bureau of Justice Assistance and Joint Regional Intelligence Center have produced a number of fliers to help the public identify possible terrorists. While some of the points have merit, it is very likely that this will generate an extremely high proportion of false alerts based on perfectly reasonable and legal behaviors.

A big red flag for me were the fliers for cyber cafes and electronics stores. These suggest that the use of privacy protecting services, like Anonymizer, should be deemed suspicious. They also call out Encryption, VoIP, and communicating through video games.

In almost all of the fliers they suggest that wanting to pay cash (legal tender for all debts public and private) is suspicious.

Thanks to Public Intelligence for pulling together PDFs of the documents.

Internet Cafe flier.

Electronics Store flier.

· · ·

The NYTimes.com reports that Kapil Sibal, the acting telecommunications minister for India is pushing Google, Microsoft, Yahoo and Facebook to more actively and effectively screen their content for disparaging, inflammatory and defamatory content.

Specifically Mr. Sibal is telling these companies that automated screening is insufficient and that they should have humans read and approve allmessages before they are posted.

This demand is both absurd and offensive.

  • It is obviously impossible for these companies to have a human review the volume of messages they receive, the numbers are staggering.
  • The demand for human review is either evidence that Mr. Sibal is completely ignorant of the technical realities involved, or this is an attempt to kill social media and their associated free wheeling exchanges of information and opinion.
  • There is no clear objective standard for “disparaging, inflammatory, and defamatory” content, so the companies are assured of getting it wrong in many cases putting them at risk.
  • The example of unacceptable content sighted by Mr. Sibal is a Facebook page that maligned Congress Party president Sonia Gandhi suggesting that this is more about preventing criticism than actually protecting maligned citizens.

· · · ·

There has been a lot of attention recently to the arrest of an alleged LulzSec hacker after his anonymity was compromised by the anonymity service he was using, HideMyAss.com. Some articles on the event are here, here and the provider’s explanation here.

The reason this company was able to compromise the privacy of their user was that they had logs of user activity. They know what IP address is assigned to each user and can use that to attribute any activity back to the real identity of the person behind the account.

The real problem with logs is that they exist or they don’t. You can’t keep logs only for “bad users” but not for responsible “good users” because even if it was possible to identify them as such in advance, you would not find anything like agreement about who should fall in which category.

Many operators of privacy services, including myself, feel very strongly that such tools should be usable in countries like China to circumvent the censorship and surveillance there. Such actions are certainly illegal for the user, and probably for the provider. While being a UK company and only responding to UK court orders, they were “forced” to expose the identity of a person in the US who was then arrested by the FBI.

I don’t know enough about this case to debate whether or not this person is guilty or deserved to be arrested. My concern is that this case has demonstrated that anyone who can cause a UK court order to be severed against this company can expose their users. It also makes them a target for hacking, social engineering, infiltration and other attacks which could gain access to these logs without a UK court order.

As a general rule, if information exists and people want it, there is a very good chance it will escape, if only by accident.

Perhaps we should not be too surprised that this company failed to protect its users, when it has no visible privacy policy on the website, and there are no identifiable people standing behind the product and brand with their personal reputations.

I founded this company, Anonymizer.com, and I personally stand behind our services. We have clear privacy policies, we keep no logs of the surfing activities of our users, we have no way of identifying what user may have visited what website. We have an unblemished record of providing robust privacy since 1995.

As I have said in many previous posts, it all comes down to trust. If you don’t know who is providing the service, and don’t have the ability to research their history and gauge their integrity, you should not use that service.

· · · · · ·

<< Latest posts

Older posts >>