Last week, Google banned 20 Android apps from its Play Store for their extraction of users’ emails, texts, location, and calls. The apps “rooted” devices with older Android operating systems, meaning they were able to bypass newer security protections. The expelled apps generally advertised as cleanup tech for unwanted files or as backup utilities. It is suspected that the apps were developed by Equus Technologies, a cyber arms company, and had been installed on 100 phones. Google is calling these apps “Lipizzan.” The same day Google announced the banning of these apps, antivirus company Sophos disclosed two Android apps surreptitiously collecting text messages: an app store shortcut and a skin care magazine. These have been downloaded up to 500,000 times.
In a state whose largest city recently passed a sweeping privacy regulation, a new bill expanding police surveillance of license plates has passed the state’s House. The objective is to catch uninsured out-of-state motorists driving on RI highways and fine them up to $120. The bill’s sponsor, Robert Jacquard (D-Cranston), says that each license plate scanned by highway cameras will be erased in one minute following review by law enforcement, though many questions remain about the storage and sharing of this location data. Jacquard sees this technology as simply an extension of red-light cameras that already use automatic license plate recognition (ALPR). However, Rhode Island law enforcement would need to access license plate data from every state to make this work. Privacy groups and some auto insurers stand against this bill, with insurers pointing out the difficulty of getting other states to share personal data about their drivers with Rhode Island.
Privacy International is condemning Kenyan President Uhuru Kenyatta’s party for its hiring of Western data firm Cambridge Analytica to sway his re-election bid. The firm is also tied to the election of Donald Trump and Brexit. Cambridge Analytica occupies an entire floor of a building owned by Kenyatta’s coalition, and it ties data such as income, health status, political opinions, websites visited, and hobbies to individual-level voter registration records. Cambridge Analytica also creates psychometric profiles, essentially a quantification of personality: i.e. how neurotic or extroverted someone is. These data are used to target political advertising to the individual, possibly resulting in psychological manipulation or campaigns of misinformation (fake news?). Privacy International argues that this individual profiling is especially dangerous in Kenya, where ethnicity remains extremely political. Kenya also has no data protection laws, or rules governing how data are collected, stored, and accessed, leaving this voter database, and those in it, vulnerable. Privacy International is asking Cambridge Analytica to provide information on their risk assessment of mass data profiling in Kenya and how it will protect data privacy.
EFF is suing the FBI through the Freedom of Information Act to obtain information on how it recruits Best Buy Geek Squad employees to report on illegal contents of devices they take in. This interest originates from a federal case in California, where Best Buy confirmed that members of its Geek Squad in Kentucky received compensation for reporting on customers who possessed child pornography on their devices. If the FBI is recruiting private industry employees to spy on personal computers, EFF argues, it constitutes an unlawful government search in violation of the Fourth Amendment. Relying on private vendors represents a means of accessing hidden data without the requirement to file a warrant, thus circumventing traditional protections for privacy. Best Buy has stated that the employees’ decision to accept payment goes against its policies. However, when you drop a device off at Geek Squad, you sign a document acknowledging that Best Buy will turn over devices containing child pornography to the FBI. Employees cannot search for such material; they instead must come across it while conducting the customer-requested service. Court documents from the California case demonstrate suspiciously close ties with the Geek Squad, referring to the employees as “sources.” It will be interesting to see what documents EFF’s FOIA suit uncovers regarding the cozy relationship between the FBI and private industry.
Source: SF Chronicle
Former U.S. Director of National Intelligence (under the Obama administration) James Clapper spoke in Australia last week, calling on Silicon Valley to develop encryption that allows law enforcement to access the encrypted content while investigating criminal acts. He claims that technology companies have a “social responsibility” to provide this access to the government. Clapper likened full encryption to giving a “pass” to “criminals, terrorists, rapists, murderers, et cetera.” The encryption debate came to widespread public attention following the 2015 San Bernardino shooting, after which Apple refused to unlock the iPhone 5c used by the shooter. The FBI sidestepped Apple by working with a third party to unlock the phone. Clapper also called for filtering out “some of the more egregious material that appears on social media.” At the same time, the former intelligence chief has been outspoken in his criticism of Trump, stating last week that the Watergate scandal “pales” in comparison with Trump’s strong pro-Russia stance in the face of evidence of Russian interference in the 2016 election.
Director of National Intelligence Dan Coats promised at his confirmation hearing to obtain and reveal the number of Americans affected by NSA surveillance. At a hearing this week before the Senate Intelligence Committee, Coats reversed course on this, claiming that it is infeasible to provide such an estimate. He argued that revealing this statistic would potentially violate privacy by verifying subject identities [I don’t follow…]. Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is used to justify “upstream” mass collection of email and phone call data, is set to expire this year. The Trump administration is looking to make this surveillance statute permanent. In a strange twist, NSA Director Mike Rogers argued this week that Section 702 surveillance allowed the NSA to generate “insights” on Russian interference with the 2016 election [what are those insights?].
The recent arrest of Reality Winner, the 25-year-old NSA contractor accused of leaking classified documents on Russian efforts to hack U.S. voting systems, has drawn attention to the tracking embedded in paper printouts. Security professionals believe that Winner was caught due to tiny yellow dots printed on the documents, and on every piece of paper that goes through particular printers. These dots, which can be revealed by shining a blue light or by digital magnification, typically include the date/time of the printout and a printer serial number. It is speculated that the information revealed from the yellow dots was used to tie Winner’s work printer history to the documents. EFF has previously decoded the yellow dots for some printers, and has created a guide.
One argument for the inclusion of the tracking dots is to prevent counterfeiting, such as attempts to print money. EFF writes that printed-page tracking exists because the government asked printer companies to include it, without any law requiring it, and that it represents a lack of transparency.
The Supreme Court has granted certiorari to Carpenter v. United States, a case about historical cell phone location data. In question is whether police need a warrant to obtain historical customer location data from cell phone companies. In this case, a group of men committed a series of armed robberies, after which one of the men confessed and provided cell phone numbers for 16 others in the group. Investigators obtained cell site information for Carpenter through a court order under the Stored Communications Act, which required the government to provide evidence of reasonable suspicion, rather than the stricter test of probable cause. Metro PCS then provided 127 days of cell-site records for Carpenter. Lower courts have deferred to the precedent set in the 1979 Smith v. Maryland decision. In that case, the Court ruled that a robbery suspect had no reasonable expectation of privacy for phone numbers dialed, because he had voluntarily provided that information to a third party: the phone company. The third-party doctrine, said the lower courts, allows investigators to retrieve cell phone locations without a warrant.
Will be waiting to see the justices’ arguments and verdict in this appeal!
A wrongful termination suit brought by a former forensic investigator for Uber has brought to light the specific data fields Uber uses to track ride-hailers. Ward Spangenberg, who brought the suit, claims that employees inappropriately used application data to track exes and celebrities, such as Beyoncé. Uber argues that it collects only enough data to do the job. However, the evidence presented in the suit includes a list of 500 variables derived by Uber about riders.
Spreadsheet posted by Gizmodo
The term “greyball” in the above figure may refer to the deceptive program that gives some riders a modified app, different from the regular Uber app. The Justice Department is currently investigating whether Uber “greyballed” Portland officials so that they could not hail rides under UberX, a service that was illegal under local laws.
Here are some of the data Uber extracts from your location and payment history: GPS points for trips you often take, how often you’ve cancelled, and how often you’ve changed a credit card. Data such as these are then used to populate fields like “suspected_clique_rider” and “potential_rider_driver_collusion” based on the frequency of trips you take with the same driver.
Uber is also under scrutiny for a program called Hell, in which it tracked Lyft drivers by creating fake Lyft driver accounts, which essentially gave them a map of other drivers.
Allegations from an anonymous whistleblower claim that London’s Metropolitan Police enlisted the services of hackers in India to access email accounts of activists, including campaign organizers and journalists. The whistleblower claims to be a current detective and accuses the Met’s Domestic Extremism unit of unlawfully tracking such email activity for years. As proof, the anonymous tipster provided email passwords of 10 individuals claimed to be targeted, five of which have been independently confirmed as correct. One of the targets, Greenpeace activist Colin Newman, reports feeling violated, as his email account contains not just event planning but intimate details of personal counseling. The Independent Police Complaints Commission is now investigating the unit’s collection of email data and shredding of a large volume of documents in 2014. The interception of emails without evidence of investigating serious crimes constitutes unlawful spying on protest groups.
Source: UK ArsTechnica