TAG | tracking
This is episode 14 of the Privacy Blog Podcast for November,2013.
In this episode I talk about:
How your phone might be tracked, even if it is off
The hidden second operating system in your phone
Advertising privacy settings in Android KitKat
How Google is using your profile in caller ID
and the lengths to which Obama has to go to avoid surveillance when traveling.
Based on a single line in a Washington Post article, Privacy International has been investigating whether it is possible to track cell phones when they have been turned off. Three of the 8 companies they contacted have responded.
In general they said that when the phone is powered down that there is no radio activity, BUT that might not be the case if the phone had been infected with malware.
It is important to remember that the power button is not really a power switch at all. It is a logical button that tells the phone software that you want to turn the phone off. The phone can then clean up a few loose ends and power down… or not. It could also just behave as though it were shutting down.
They don’t cite any examples of this either in the lab or in the wild, but it certainly seems plausible.
If you really need privacy, you have two options (after turning the phone “off”):
1) If you can remove the phone’s battery, then doing so should ensure that the phone is not communicating.
2) If you can’t remove the battery (hello iPhone) then you need to put the phone in a faraday cage. You can use a few tightly wrapped layers of aluminum foil, or buy a pouch like this one.
Welcome to episode 13 of our podcast for September, 2013.
In this episode I will talk about:
A major security breach at Adobe
How airplane mode can make your iPhone vulnerable to theft
Russian plans to spy on visitors and athletes at the winter Olympics
Whether you should move your cloud storage to the EU to avoid surveillance
Identity thieves buying your personal information from information brokers and credit bureaus
How to stop google using your picture in its ads
Why carelessness lead to the capture of the operator of the Silk Road
And how Browser Fingerprinting allows websites to track you without cookies.
Please let me know what you think, and leave suggestions for future content, in the comments.
ArsTechnica has a nice article on a recent ruling by the US Fifth Circuit court of appeals.
In this 2-1 decision, the court ruled that cellular location information is not covered by the fourth amendment, and does not require a warrant. The logic behind this ruling is that the information is part of business records created and stored by the mobile phone carriers in the ordinary course of their business.
Therefor, the data actually belongs to the phone company, and not to you. The Stored Communications Act says that law enforcement must get a warrant to obtain the contents of communications (the body of emails or the audio of a phone call) but not for meta-data like sender, recipient, or location.
The court suggests that if the public wants privacy of location information that they should demand (I suppose through market forces) that providers delete or anonymize the location information, and that legislation be enacted to require warrants for access to it. Until then, they say we have no expectation of privacy in that information.
The Fifth Circuit covers Louisiana, Mississippi, and Texas.
This ruling conflicts with a recent New Jersey Supreme Court, which unanimously ruled that law enforcement does not have that right, which ruling only applies in New Jersey.
Montana has a law requiring a warrant to obtain location information, while in California a similar bill was vetoed.
It seems very likely that one or more of these cases will go to the supreme court.
The ACLU just posted an article about a recent federal magistrate judge’s ruling. It is a somewhat bizarre case.
The DEA had an arrest warrant for a doctor suspected selling prescription pain killer drugs for cash. They then requested a court order to obtain his real time location information from his cell provider.
The judge went along, but then published a 30 page opinion stating that no order or warrant should have been required for the location information because the suspect had no expectation of location privacy. If he wanted privacy, all he had to have done is to turn off his phone (which would have prevented the collection of the information at all, not just established his expectation).
So, if this line of reasoning is picked up and becomes precedent, it is clear than anyone on the run needs to keep their phone off and / or use burner phones paid for with cash.
My concern is that, if there is no expectation of privacy, is there anything preventing government entities from requesting location information on whole populations without any probable cause or court order.
While I think that the use of location information in this case was completely appropriate, I would sleep better if there was the check and balance of the need for a court order before getting it.
This is another situation where technology has run ahead of the law. The Fourth Amendment was written in a time where information was in tangible form, and the only time it was generally in the hands of third parties, was when it was in the mail. Therefor search of mail in transit was specially protected.
Today, cloud and telecommunication providers serve much the same purpose as the US Postal Service, and are used in similar ways. It is high time that the same protection extended to snail mail be applied to the new high tech communications infrastructures we use today.
The House Judiciary Committee is going to be discussing the Electronic Communications Privacy Act. There is a chance that they will strengthen it.
This act was written decades ago, before there were any real cloud solutions. Email was downloaded by your email client, and immediately deleted from the server. They law assumed that any email left on a server more than 180 days had been abandoned, and so no warrant was required for law enforcement to obtain it.
These days, with services like gmail, we tend to keep our email on the servers for years, with no thought that it has been abandoned. Law enforcement is opposing reforms of this law because it would make their work more difficult. Doubtless it would, as does almost any civil liberty.
Earlier this month Zoe Lofgren introduced the Online Communications and Geolocation Protection act, amending ECPA. It would require a warrant to obtain cell phone location information. There is clearly some momentum for reform.
It has long been known in security circles that many printers embed nearly invisible watermarks in all printed documents which uniquely identify the printer used.
SpringyLeaks reports that a recent FOIA request revealed the names of printer companies who embed such markings and have worked with law enforcement to identify the printers used in various cases.
The article also suggest that these watermarks can be used to aid reconstruction of shredded documents.
Google and other online advertising companies like Vibrant Media, Media Innovation Group, and PointRoll, are using a flaw in Safari on iOS to track you despite your privacy settings.
iOS Safari is set by default to reject tracking cookies from 3rd party websites. That means that unless you are directly and intentionally interacting with a site it should not be able to cookie and track you. Specifically that is intended to prevent tracking by advertisers displaying banner ads on websites.
The hack is that these advertisers use a script within the website to cause submit an invisible web form to the advertising website, which looks to Safari like you directly interacted with that site and so allows the site to send a cookie. Another flaw in Safari causes those cookies to be returned to the 3rd party sites once they have been set.
Apple is saying that they will address the issue. Google is blaming Apple for breaking with web standards (even though almost all browsers support blocking 3rd party cookies iOS Safari is unusual in making this the default).
- On your iOS device (iPhone, iPad, iPod Touch) go to “Settings”, select “Safari”, scroll down and “Clear Cookies and Data”. Do this frequently.
- Don’t log into Google or other social media sites through the browser, only use the dedicated apps.
- Use those social media apps to “like” or “+1” content, rather than doing so in the browser.
- Protect your IP address with a tool like Anonymizer Universal so these sites can’t just use your IP address in place of cookies to track you when you are at home or work on a WiFi connection with a long term IP address.
The WSJ had the first article I saw on this, but it is paywalled.
John Battelle’s searchblog tries to look at this issue from both sides.
It looks like Microsoft got caught using “evercookie” or “supercookie” technologies to recreate tracking cookies even after users have tried to delete them from their browsers.
Researchers analyzing results from the ICSI Netalyzer project have found ISPs redirecting traffic bound for Yahoo! and Bing to third parties like Paxfire, Barefruit, and Golog. According to this EFF article:
Netalyzr’s measurements show that approximately a dozen US Internet Service Providers (ISPs), including DirecPC, Frontier, Hughes, and Wide Open West, deliberately and with no visible indication route thousands of users’ entire web search traffic via Paxfire’s web proxies.
This appears to be done by returning the IP address of the intercepting server rather than the true IP address when you do a DNS lookup of the server (www.yahoo.com for example). Your browser then connects to Paxfire or one of the other companies, rather than yahoo, allowing them to collect data on your activity and possibly modify the results.
There are some things you can do to protect yourself. If your connection to the website is using SSL, or if you have a VPN, your ISP can not intercept or modify your connection.
If you are running FireFox you can install the “HTTPS Everywhere” extension, which will ensure that your connection uses SSL for most of the most popular sites on the Internet.
Using Anonymizer Universal will ensure 100% of your traffic goes over an encrypted connection which will prevent this kind of interception for all websites.
I encourage all of you to visit the ICSI Netalyzer website to test your connection and your ISP for this kind of interception, and to contribute information for their research to detect this kind of strange and/or nefarious activity.