TAG | surveillance
Security firm Kryptowire discovered that at least hundreds of thousands of Android phones in the US are configured to automatically send all text messages, call logs, location information, contact lists and more to servers in China every 72 hours. This is all invisible to the end user. (more…)
In two separate cases recently Uber has, or has talked about, abusing its information about their customer’s movements.
First a Buzzed reporter Johana Bhuiyan was told that she was tracked on the way to a meeting by Josh Mohrer, general manager of Uber New York.
Next Emil Michael, SVP of business for Uber, talked at a private dinner about the possibility of using the information Uber has about hostile reporters to gather dirt on them. (more…)
Recently a colleague was reading a blog post by a Russian based VPN provider which talked about their privacy stance. He was incredulous. “Why would anyone trust a Russian VPN company?!?!”
It is a reasonable question about many locations. Russia, China, Iran, and many other companies are justifiably known for Internet monitoring and censorship. Of course, in the post Snowden era, a lot of attention has been focused on US surveillance as well.
I think that many people have the feeling that they should trust anyone but their own governments. After all, foreign intelligence services are unlikely to do anything about any intercepts unless they see some kind of global doomsday scenario. You might worry that your local intelligence agency could pass along information to local law enforcement, but that too seems generally unlikely. Exposing such intercepts would also expose sources and methods, which are some of the most highly protected secrets out there.
To me the question is what the VPN / Privacy provider is ALLOWED to keep private. It is clear that many governments put a huge amount of pressure, or actually pass laws, on companies to keep all kinds of user activity records. Interestingly that is not the case in the United States.
Anonymizer has no requirement to keep any records about what our users do through our service, or any way to identify associate any activity with a given user. Our systems are architected so that we don’t need to refuse to provide any of that information, we are simply incapable of doing so.
If this amendment passes, it will significantly reduce the perceived advantages of using servers outside the US. No only would the server still be subject to whatever legal process exists in the hosting country, but they would also be open to legal hacking by the USG.
When you think your phone is connected to your wireless provider, you might actually be connected to a rogue tower set up to capture your data.
Such devices have been demonstrated at the Black Hat security conference and a law enforcement fake tower called “Stingray” has been known for some time. Recently sophisticated secure phones have been able to detect these fake towers and people are starting to map them. Popular Science covered it here, and here.
There is very little transparency around law enforcement or US Intelligence use of such devices, so the could just as easily be operated by foreign intelligence services, criminals, or hackers. If we had strong end to end encryption there would be little to worry about, but many Internet connections and all phone calls are vulnerable to this attack.
Here is a new “as a service” offering I had never considered. Companies are supporting ISPs in responding to classified FISA court search warrants for the ISPs, including helping to capture the data and deciding if the request is proper.
Ars technica in conjunction with NPR conducted an excellent experiment showing how much and what kind of information can be obtained through capture off the wire. This is the type of information that a national intelligence service would see by tapping into ISPs.
They simulated this by using a penetration testing device installed at NPR reporter Steve Henn’s house (with his cooperation).
The amount of information is amazing. Even seemingly inactive devices are constantly making requests and connecting to services.
While many connections to key services like email and banking are encrypted, most others are not, revealing a great deal about Steve’s research activities.
It is absolutely worth a read.
Vodafone recently released a “Law Enforcement Disclosure Report”. Because Vodafone provides services in so many countries, this provides a unique insight into the range of surveillance capabilities and requirements across a spectrum of nations. In six countries they are required to provide direct connections to their network for the local government. This allows those governments to capture content and meta-data without making individual requests to Vodafone. They are not saying which 6 countries those are out of fear of penalties or retaliation.
In Albania, Egypt, Hungary, India, Malta, Qatar, Romania, South Africa and Turkey it is illegal to reveal information about various kinds of intercepts, so the report does not provide information on those countries.
The report also provides good information on the frequency of requests for information from various countries.
One lesson from this is, despite the impression one might have gotten from the Snowden leaks, the US is far from the only country doing this kind of surveillance.
Attorney General’s new war on encrypted web services – Security – Technology – News – iTnews.com.au
Australia’s Attorney-General’s department is proposing that all providers of Internet services ensure that they can decrypt user communications when so ordered. Any services where the provider has the keys will obviously be able to do this.
Australians may want to start to start taking steps to protect themselves now.
End to end encryption is your friend. At least that way, you need to be informed and compelled if they want access to your data.
Another important step is to get your “in the clear” communications into another jurisdiction using a VPN service like Anonymizer Universal.
Finally, let your voice be heard on this issue by reaching out to your members of parliament.
In episode 16 of the Privacy Blog Podcast for January, Twenty Fourteen I talk about:
Biological Advanced Persistent Threats
The Apps on your mobile devices that may be enabling surveillance
Why you may soon know more about how much information your service providers are revealing to the government
The total compromise of the TorMail anonymous email service
How the British government is using pornography as a trojan horse for Internet Censorship.
And finally why continued use of a deprecated cryptographic signature algorithm could undermine the security of the Web