CAT | Tracking
Based on a single line in a Washington Post article, Privacy International has been investigating whether it is possible to track cell phones when they have been turned off. Three of the 8 companies they contacted have responded.
In general they said that when the phone is powered down there is no radio activity, but that might not be the case if the phone had been infected with malware.
It is important to remember that the power button is not really a power switch at all. It is a logical button that tells the phone software that you want to turn the phone off. The phone can then clean up a few loose ends and power down… or not. It could also just behave as though it were shutting down.
They don’t cite any examples of this either in the lab or in the wild, but it certainly seems plausible.
If you really need privacy, you have two options (after turning the phone “off”):
1) If you can remove the phone’s battery, then doing so should ensure that the phone is not communicating.
2) If you can’t remove the battery (hello iPhone) then you need to put the phone in a Faraday cage. You can use a few tightly wrapped layers of aluminum foil, or buy a pouch like this one.
Welcome to episode 13 of our podcast for September, 2013.
In this episode I will talk about:
- A major security breach at Adobe
- How airplane mode can make your iPhone vulnerable to theft
- Russian plans to spy on visitors and athletes at the winter Olympics
- Whether you should move your cloud storage to the EU to avoid surveillance
- Identity thieves buying your personal information from information brokers and credit bureaus
- How to stop Google using your picture in its ads
- Why carelessness led to the capture of the operator of the Silk Road
- And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.
The ACLU just posted an article about a recent federal magistrate judge’s ruling. It is a somewhat bizarre case.
The DEA had an arrest warrant for a doctor suspected of selling prescription painkiller drugs for cash. They then requested a court order to obtain his real time location information from his cell provider.
The judge went along, but then published a 30 page opinion stating that no order or warrant should have been required for the location information because the suspect had no expectation of location privacy. If he wanted privacy, all he had to have done is to turn off his phone (which would have prevented the collection of the information at all, not just established his expectation).
So, if this line of reasoning is picked up and becomes precedent, it is clear that anyone on the run needs to keep their phone off and / or use burner phones paid for with cash.
My concern is that, if there is no expectation of privacy, is there anything preventing government entities from requesting location information on whole populations without any probable cause or court order?
While I think that the use of location information in this case was completely appropriate, I would sleep better if there was the check and balance of the need for a court order before getting it.
This is another situation where technology has run ahead of the law. The Fourth Amendment was written in a time when information was in tangible form, and the only time it was generally in the hands of third parties was when it was in the mail. Therefore search of mail in transit was specially protected.
Today, cloud and telecommunication providers serve much the same purpose as the US Postal Service, and are used in similar ways. It is high time that the same protection extended to snail mail be applied to the new high tech communications infrastructures we use today.
It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used.
SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.
The article also suggests that these watermarks can be used to aid reconstruction of shredded documents.
While I am encouraged to see the recently announced Consumer Privacy Bill of Rights, it is no reason to become complacent about your privacy.
First, the Consumer Privacy Bill of Rights is a set of fairly general statements. It is unclear if or when we would see real enforcement.
Second, it will be very difficult to enforce this against non-US services, and it is almost impossible for a user to know if some or all of a website she is visiting is being provided by a non-US company.
Third, it is very difficult to tell if the policies are being violated. Unless the website uses the information directly and immediately it is very hard to tie the use of information back to the source of the information. If it is being silently collected, you really can’t tell.
While such policies and statements of principle are a good thing, and one hopes that most major websites will get on board with them, if you actually want to ensure your privacy, you need to take matters into your own hands.
Block cookies, clear out old cookies, and hide your IP address with tools like Anonymizer Universal.
Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.
iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.
The hack is that these advertisers use a script within the website to submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site and so allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.
Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies, iOS Safari is unusual in making this the default).
- On your iOS device (iPhone, iPad, iPod Touch) go to “Settings”, select “Safari”, scroll down and “Clear Cookies and Data”. Do this frequently.
- Don’t log into Google or other social media sites through the browser, only use the dedicated apps.
- Use those social media apps to “like” or “+1” content, rather than doing so in the browser.
- Protect your IP address with a tool like Anonymizer Universal so these sites can’t just use your IP address in place of cookies to track you when you are at home or work on a WiFi connection with a long term IP address.
The WSJ had the first article I saw on this, but it is paywalled.
John Battelle’s searchblog tries to look at this issue from both sides.
It looks like Microsoft got caught using “evercookie” or “supercookie” technologies to recreate tracking cookies even after users have tried to delete them from their browsers.
In theory, your Amazon wish list should allow people to buy you gifts, but should not reveal anything but the list of items you want.
Evidently, if you buy something for someone off their list, you can then see the delivery address in the order reports in your account.
Researchers analyzing results from the ICSI Netalyzr project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:
Netalyzr’s measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users’ entire web search traffic via Paxfire’s web proxies.
This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than Yahoo, allowing them to collect data on your activity and possibly modify the results.
There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP cannot intercept or modify your connection.
If you are running Firefox you can install the “HTTPS Everywhere” extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.
Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.
I encourage all of you to visit the ICSI Netalyzr website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.
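To make the DNS substitution described above concrete, here is a small added example (not from the original post or from the Netalyzr project) that audits the answers a resolver returns. The hostnames, address ranges and the idea of collecting an "expected" list from a vantage point you trust, such as a VPN, are assumptions made for illustration.

```python
import ipaddress
import socket
from collections import defaultdict


def resolve_system(hostname):
    """Addresses the locally configured (usually ISP) resolver returns."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def audit(observed, expected):
    """Flag answers that look like DNS-level redirection.

    observed: {hostname: set of IP strings} from the resolver under test.
    expected: {hostname: list of CIDR strings} the site is known to use,
              gathered from a vantage point you trust (assumption).
    """
    findings = []
    owners = defaultdict(set)
    for host, addrs in sorted(observed.items()):
        nets = [ipaddress.ip_network(n) for n in expected.get(host, [])]
        for addr in sorted(addrs):
            ip = ipaddress.ip_address(addr)
            owners[addr].add(host)
            if not any(ip in net for net in nets):
                findings.append((host, addr, "outside expected networks"))
    # Sites run by different operators answering from one address
    # suggests a shared intercepting proxy.
    for addr, hosts in sorted(owners.items()):
        if len(hosts) > 1:
            findings.append((",".join(sorted(hosts)), addr, "shared by unrelated hosts"))
    return findings


# Constructed sample data using documentation address ranges (RFC 5737).
EXPECTED = {
    "search-a.example": ["192.0.2.0/24"],
    "search-b.example": ["198.51.100.0/24"],
}
CLEAN = {"search-a.example": {"192.0.2.10"}, "search-b.example": {"198.51.100.7"}}
REDIRECTED = {"search-a.example": {"203.0.113.50"}, "search-b.example": {"203.0.113.50"}}

if __name__ == "__main__":
    for finding in audit(REDIRECTED, EXPECTED):
        print(finding)
```

A finding is a hint rather than proof, since large sites legitimately answer from many addresses; confirming it means checking whether the server at that address presents a valid certificate for the hostname over SSL.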