Thursday, 29 January 2015

Don’t spy on your kids

A BBC article about parents using apps to spy on their kids.  Parents, don’t do that.

Some of these apps report on texts, calls, social media posts, sites visited etc. Some send push notifications when the phone user breaks the speed limit or goes outside a pre-determined boundary.  Some can be used covertly.  Some disable the phone if the child doesn’t call back or switches their phone off.

There are all sorts of problems with this aside from it being plain creepy.  For one thing, of course, all this data could be misused by a parent, spouse or boss.  It could be abused by a hacker.  It could be abused by the companies selling these apps.  It also seems likely to cause children to engage in risky behaviour such as leaving their phone with a friend if they want to go somewhere they’re not supposed to.  Besides, spying on people is just as dodgy as hell.

We have to be both more frank and more trusting with our kids than we used to be.  There really are dangers out there and children must be able to recognise, avoid and confront them.  They need to know they can go to parents if they encounter a problem without those parents overreacting.  They also need to be able to communicate in secret.  They will find ways to do that regardless of any technical restrictions placed on them and will likely put themselves at more risk in doing so than if we simply trusted them.

I know that this is a lot more difficult than it sounds, but spying on kids, overtly or covertly, is definitely not the answer.

Wednesday, 28 January 2015

Some people declare themselves watchdog of the Internet of Things

I don’t know what the Federal Trade Commission is but it’s setting up a watchdog for the Internet of Things. Watching, that is, for privacy violations.  Which is surely better than not doing it, even if they don’t have any useful powers.  The Internet of Things has enormous potential to snoop into every aspect of our lives, offering useful but not necessarily valuable services in return.

The new watchdog is saying some sensible enough things and understands the fact that companies should be more open about what data they collect about us and what they do with it. They seem to want customers to be in control of what data they reveal.

But they seem more focused on security than on consumer education and choice.  I’d like to see a watchdog that could ensure that companies were honest and straightforward about what data they collect and how they use it, communicating this in a way that their customers could easily understand and decide whether or not to agree with.  I’d like to see some enforcement of consumer choice.  For example, I might prefer to pay a larger mobile phone tariff in exchange for certain privacy guarantees. 

The current problem is that for the most part we don’t really know what we’re signing up for; we don’t know whether the services we use are giving us appropriate value for privacy; there’s little or no way to manage our relationships with the companies that hoard our data; and we aren’t usually given the option of more expensive but less privacy-breaking services.

I want a watchdog that can do that.  By the sound of it, this one has the right sort of idea and that’s encouraging, but I think we deserve more information from IoT companies than the watchdog is prepared (or able) to demand right now.  So as usual I’m optimistic and pessimistic at the same time.

Oops

Apparently today is International Data Privacy Day.

You’d think that’s the sort of thing I ought to know.

Evil Wednesday privacy roundup

The latest stealth attempt to bring in the Snooper’s Charter was dropped without a vote due to it being stupid and wrong. It’s by no means dead, though.  Keep your eyes open.

DDoS attacks in the name of often dubious hacktivism are on the rise.

CCTV is mostly useless.

Talk Talk is blocking its customers’ Internet access until they opt in or out of porn.

China is aggressively blocking VPN services so its citizens can’t bypass the firewall.

Pinterest selling customer-generated data.

Instant messaging with an undo button.  The app also prevents people in threads from adding new participants, copying messages and taking screenshots.

Google is trying to force awful terms and conditions on musicians then seems to lie about it.

Now the DEA is spying on US citizens without oversight.

An Ohio police officer used force to take a video camera from a disabled woman to stop her filming. Surprisingly, she (the cop) is facing criminal charges.  I guess police officers have to kill someone before they can get away with being thugs.

Monday, 26 January 2015

Snooper’s Charter update

The proposal we were told was entirely vital to our national security was dropped by its proposers without a vote after a debate yesterday.  You can’t take your eyes off them for a second, can you?  I doubt we’d have been so lucky if it weren’t for organisations like ORG and EFF. You can thank them by supporting them.

A telling quote from the debate by the former Defence Secretary and later champion of the Intelligence and Security Committee, Lord King of Bridgewater:

I am not a tweeter. We have Facebook and Twitter. Somebody tried to explain WhatsApp to me; somebody else tried to explain Snapchat. I do not know about them, but it is absolutely clear that the terrorists and jihadists do.

Brilliant.

Cameron’s firewall blocks abuse charities

Remind me who said this would happen? Oh, that’s right, it was everyone ever.

Sky and TalkTalk are for some reason doing what David Cameron wants and implementing default porn filters.  As I understand it, in Sky’s case, the new default applies only to new customers, who will have to specifically opt in to porn if they want it. Existing users can continue to feast their eyes on whatever they like without having to sign anything.  As if it would like to outdo Sky on terribleness of behaviour, TalkTalk will apply the filter to all accounts, new and extant, unless the account holders specifically opt in to porn. That means that existing users will have to navigate to an opt-in page, read the terms and conditions, and click something if they want to keep getting the service they signed up and already paid for.

BT and Virgin are being ‘urged’ (whatever that means) to follow suit.  Virgin has been advertising its optional porn filter via on-screen pop-ups for months, but less than 10% of its customers use the filter, which suggests that most people don’t want it. This is backed up by other evidence:

A report from Ofcom last July said that on average only 13% of new internet users opted to turn on filtering software that was offered to them.

So let people opt out of being able to see porn if they want, rather than the other way around.  A list of people who have opted to suckle on their broadband unfiltered seems dangerous to me.  It seems in particular a very good way to generate statistics that suggest whatever a government wants.  For example, that internet access be even more tightly controlled.

Another problem with all filters is the false positives. Things that aren’t porn will inevitably be blocked and some of them will be resources people need to understand sex and sexuality, learn how to protect themselves in a sexual relationship and how to get help when they are sexually abused.

And it’s not just sex that’s filtered, of course. It’s drugs. And it’s whatever a current government decides it doesn’t like.  I hope it’s clear how dangerous this idea is. But in the meantime, there’s this:

A website discussing the legalisation of cannabis found itself blocked, as did several small wine dealers, said Pam Cowburn of the transparency campaign Open Rights Group. Last year research by the group found that 54 registered charities had their websites blocked by one or another of the filters.

Several were offering support and services to young people escaping abuse or alcohol dependency. One such charity, Alcohol Support, based in Aberdeen, called it a “big brother” approach.

“It’s still a problem; it isn’t being tackled in the rush to block what is deemed unsuitable.

Another example of a ‘security’ countermeasure that has nothing to do with the actual threat. And there’ll inevitably be false negatives, too: sex and drugs will get through any filter with a bit of practice.

Vicki Shotbolt, CEO and founder of social enterprise project the ParentZone, said: “Filters are at best a distraction from the most important way to look after your family online.” Open conversations and keeping informed were the way forward, she said.

She’s more charitable than I.  Such filters are at best an abdication of responsibility.

Here’s responsibility: I won’t teach anyone how to get past filters, adult or child. But I’ll sure as shit teach anyone who asks how to find out how to do it.

I’ll bet half my kingdom and my cat’s hand in marriage that I’ll never need to.

Kyoto taxi drivers/crime fighters

In Kyoto  convenience store owners can put a sign in their windows indicating that taxi drivers on breaks can park there for as long as they like on the grounds that this reduces crime.  And it seems to work, if the reports are to be believed:

Since the program started in September 2013 the number of armed robberies among participating stores dropped to four compared to 18 in the previous year. On the other hand, the shops which were not in the Midnight Defender Strategy saw an increase in robberies, up from seven to nine incidents compared to the year before. Overall the total number of robberies was nearly halved in the prefecture.

(emphasis not mine)

I haven’t seen the data, but it seems like a good idea to me.  Unless the taxi drivers start getting robbed, of course.

Sunday, 25 January 2015

But the government will keep our data safe…

This weekend someone phoned GCHQ and managed to con someone into handing over the director’s mobile number.  Someone (I don’t know whether it was the same person) claiming to be the GCHQ director also called the Downing Street switchboard and managed to get connected to the Prime Minister, who talked to the hoaxer before realising something was wrong and hanging up.

These incidents do not make me feel confident that the government will be able to keep our data safe if today’s Snooper’s Charter vote goes badly or Cameron’s “no communications we can’t read” proposal goes through.

Today’s the day peers debate the Snooper’s Charter

https://www.openrightsgroup.org/ourwork/reports/abuse-of-parliamentary-procedure

Keep the pressure on…

Saturday, 24 January 2015

I’ll write (urgently) to a Lord

As I wrote yesterday, a handful of peers (Lord Carlisle, Lord King, Lord Blair and Lord West) have introduced the rejected Draft Communications Bill of 2013 as an amendment to the Counter-Terrorism and Security Bill, which is due to be debated by the Lords on Monday. The clauses of the amendment are virtually unchanged from that filed bill apart from – very worryingly indeed – the fact that some clauses insisting on oversight have been removed.

By inserting this as an amendment, the peers in question are submitting a complex 18 page change to an already complicated bill at pretty much the last minute.  The Lords cannot possibly have time to consider the proposal or to understand its implications prior to the vote.  In addition, the tactic bypasses the Commons entirely.  This is a clear abuse of procedure and a sign that the government is determined to pass these draconian laws regardless of their effectiveness, workability, cost, legality or agreement of the UK population.

So not being able to think of anything else to do about it, I wrote to a Lord.  In this case, Lord Sawyer of Darlington, since he’s local. There are certainly better criteria for picking a Lord but I decided that since time is so short, it would be better to just pick one more or less at random and fire off a letter, trusting that groups like the ORG and EFF are doing a better job at targeting Lords with the right sympathies, assuming any exist.

I urge you to take a few minutes to write to a Lord too, asking them to debate the #SnoopersCharter on Monday.

The ORG wants you to do it too.  That’s a link to their newsletter, which has a bunch of other activities you might also want to get involved with.

Here’s the letter I wrote.  Feel free to use it or copy it outright if you want.  You can also find the ORG’s statement (with useful sources and other links) here.

Dear Lord Sawyer,

I'm writing to urge you to attend Monday's debate on the Counter Terrorism and Security Bill.

This bill includes an 18 page amendment, which is virtually identical to the highly problematic Draft Communications Bill of 2013.  That bill was scrutinised by a cross-party committee, which said that “the draft Bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data.”  It also criticised the estimated cost to the taxpayer of £1.8 billion as "fanciful and misleading", believing that the true cost would exceed this by a considerable margin.

Including this rejected bill as an amendment to the Counter Terrorism and Security Bill is an abuse of procedure.  The Lords cannot possibly have time to properly consider the bill and the opportunity for the Commons to debate the amendment clauses is altogether denied.

I believe the implications of the amendment to be highly destructive of privacy and freedom and that considered scrutiny of the proposal is critical at the earliest possible stage.  I hope I can count on you to provide some of this scrutiny.

The Open Rights Group has issued a briefing on this matter with links to source and related material.  This can be found here: https://www.openrightsgroup.org/ourwork/reports/abuse-of-parliamentary-procedure#sdendnote2sym

Yours sincerely,

Thursday, 22 January 2015

I feel another letter coming on

Mike Adams says, in Little Atoms:

Peers launch attempt to make rejected Snooper’s Charter law

Four backbench Peers are attempting to introduce key measures from the controversial draft Communications Data Bill into law by amending the Counter-Terrorism and Security Bill to include the majority of its clauses.

You remember that bill? The one that was going to introduce that terrifying surveillance and was defeated because it couldn’t be justified?  The one they tried to sneak in at the last minute so MPs wouldn’t have time to read it before voting?  And for which there was a three-line-whip anyway?  The cross-party committee decided that:

“we believe that the draft Bill pays insufficient attention to the duty to respect the right to privacy, and goes much further than it need or should for the purpose of providing necessary and justifiable official access to communications data.”

Apparently it is now suddenly justified after all.

The Peers - Lord Carlisle, Lord King, Lord Blair, Lord West - have tabled amendments which if passed will grant the intelligence agencies in the UK the most draconian surveillance powers of any established democracy.

They’re not trying to get the whole bill through, though.  They’ve removed the bits about oversight. And they haven’t addressed any of the concerns raised by the cross-party committee.

If the legislation passes, it will grant the Home Secretary the power to retain the personal communications data of every citizen in the UK for an undefined purpose for up to a year. ISPs could be forced to build server farms to capture all data as it is transmitted and received. Manufacturers of communications equipment could be forced to install hardware such as ‘black boxes’ on their products to make spying easier and by default. The scale of this state surveillance will place the UK in line with countries such as Kazakhstan, China and Iran and could place the UK on a collision course with the European Court of Human Rights and the European Court of Justice.

The proposal has again been submitted at the last minute ensuring that the Lords won’t have time to consider it.

David Cameron’s absurd anti-privacy, anti-freedom, anti-software and unworkable proposal

David Cameron recently announced that there must be "no means of communication" which "we" (the government and security forces) "cannot read."  This is as absurd as it is terrifying.  I wrote to my MP about it and I urge all UK residents to do the same.  If you don’t know how to contact your MP, this is how to find out: http://www.parliament.uk/mps-lords-and-offices/mps/

 

Here’s the letter I wrote:

Mr Wilson,

David Cameron recently announced that there must be "no means of communication" which "we" (the government and security forces) "cannot read."

While I share his outrage at terrorist attacks and other crime, there are serious moral, technical, practical, economic and political problems with Mr Cameron's proposal. Any serious attempt to achieve that vision would be unworkable, any non-serious attempt would be extremely easy to circumvent, and any attempt at all would have serious implications for the privacy and freedom of UK citizens.

I suspect that Mr Cameron's intent is to force software creators, presumably through legislation, to introduce a 'back door' into any software they write that uses encrypted communications. Effectively, the security forces would possess a key that could unlock any of these communications and see what's inside.

The problems with this are enormous. First, there is no such thing as a back door that will only let good guys in. A back door is a deliberately introduced flaw in an encryption scheme and sooner or later the bad guys will discover the vulnerability and they too will have access to all our communications. This means criminals, terrorists, foreign spies etc. but also domestic law enforcement officers who will abuse their powers for any number of reasons (jealous ones snooping on their spouses, corrupt ones spying on business communication for profit or blackmail, seriously corrupt ones engaging in organised crime or orchestrating cover-ups). We know from recent experience that such abuse of power is not uncommon even here in the UK.

There is also concern that once powers of snooping are granted, their expansion is inevitable. Successes and failures alike will be used to justify the granting of more powers, in this case more and more legal reasons to access private and business communication. There is no guarantee that we'll even be aware of the extent of these powers of access.

These scenarios should terrify us all, even those of us who feel we have nothing to hide.

But aside from these moral objections, any technical solution is unworkable for a variety of reasons. It would require that the makers of Operating Systems (most prominently, Apple, Microsoft and Google) rebuild their products from the ground up so that only government-sanctioned software can be run on them. Otherwise, those Operating Systems could run code that uses unbroken encryption. Even if Mr Cameron manages to force - through an act of parliament - those companies to capitulate, the problem would not be solved. It's easy to jailbreak smartphones so they can run unsanctioned software. It's easier still to buy one from abroad which doesn't have the restrictions Mr Cameron's demands will require. Desktops, laptops and tablets could easily circumvent this action too. For instance, computers using old versions of Operating Systems without the restrictions would not be affected. Better still, computers running open source Operating Systems would be specifically designed to use encryption technology without a back door. Existing distributions of Linux already do this out of the box and shutting down or compromising the main Linux distributors will have no effect at all. The Linux source code is out in the wild and there are any number of people capable of turning it into a working - and secure - operating system. There are vast communities of volunteers dedicated to keeping Linux safe, secure and available to everyone in the world, free of charge.

But the problem goes further even than that. The government would have to control all software developed in the UK and prevent software developed outside its jurisdiction from entering the UK. This is impossible. The security forces would have to implement a Firewall such as those deployed (very ineffectively) in places like China, Syria and Russia. We know that these can be defeated with a little technical knowledge and we know that they block things they ought not to. There are countless reports of school students being unable to access information needed for their studies and - even worse - oppressed, abused and otherwise desperate people unable to access information that would aid them.

Such a firewall would have to be very sophisticated indeed. Communication protocols can be hidden inside other communications protocols and these are very difficult to detect. The security community could make spotting illegally encrypted traffic virtually impossible.

But even if all these practically impossible feats were pulled off, the government would also have to prevent people entering or leaving the country with phones, laptops, tablets or storage devices of any kind.

David Cameron's proposal would make all our communications unsafe, because deliberately introduced flaws in encryption would not remain hidden for long. It would make us all vulnerable to as yet unforeseen changes in government policy by this or successive governments on how our private data may be accessed. It would require the tyrannical control by the government of the software industry and of what data crosses our shores either via the Internet or in carry-on luggage. And it would spell the death of the software industry.

Anything less would be entirely ineffective, but the required solution would be impossible in technical, practical, economic and political terms. It would also be a vastly disproportionate countermeasure to the types and levels of threat we face.

I believe that attempts to implement Mr Cameron's proposal will be both disastrous and ineffective on many levels. I urge you to question and fight the proposals in favour of laws which can be shown to directly, proportionately and with all possible transparency counter the threats our nation faces.

A good resource for some of these issues (and an organisation I am not affiliated with) is the Electronic Frontier Foundation, which you can find at https://www.eff.org/

Regards,

Wednesday, 21 January 2015

Uber planning to share ride data with government

http://www.washingtonpost.com/blogs/wonkblog/wp/2015/01/13/uber-offers-cities-an-olive-branch-its-valuable-trip-data/?Post+generic=%3Ftid%3Dsm_twitter_washingtonpost

Trying to get back in their good books.

Evil Wednesday Roundup: a weekish in privacy news

Police radar sees through walls.  The problem here is that police no longer need a warrant to see the inside of your house. And, of course, that people who aren’t police will get hold of them too.

Sky blocks pornography by default. Customers have to opt out if they want porn.  Lists of people who want to be able to see porn are dangerous.  For one thing, they’re bound to lead to moralistic blaming of people who turn porn on for all sorts of stuff.

The UK government is the most open and transparent in the world. Kind of makes me wonder who came second…. (it’s the US).

Dating apps leak location data. Not very surprising since they tell users how far they are away from each other.  Hackers have found a way to spoof the servers to get at people’s location data, but I’d be more concerned about the site owners having it.

Hollywood apparently portrays hacking realistically in Blackhat.

Angela Merkel urges new EU law on data tracking. It’s not very clear what she wants to be in the law, she just seems to really want one.  It’s a start, I guess.

Funding cut for CCTV in the UK.  Speculation that it signals the end of the ‘CCTV era’ in the UK seems wildly optimistic.  Just wait until we get reliable real-time face recognition from CCTV pictures….

Zoe Quinn launches anti-harassment task force. It’s bound to fan the flames.  I’m glad Quinn is strong enough to cope with it.

Eradicate DRM within a decade! Let’s hope so.  The right people are involved.

Spies spying on spies who are spying on spies.

Leaked US cybersecurity report singles out crypto as essential for security of private data. And yet our Prime Minister is trying to break it. More on that here.

Obama is creating a Cyber Police State. Why it’s bad.

The White House doesn’t think there’s any need for net neutrality law.

Monday, 5 January 2015

*rolls sleeves up*

OK, these are some of the things that happened over Christmas in the world of privacy and security in no particular order, chronological or otherwise.  And some things that happened before Christmas that I didn’t get round to.  I call it Procrastination Monday. May contain teasers:

Know your cell phone rights: The link is US-centric but much of it applies in other places too, such as here in the UK.  I’m working on a similar guide about the legals and technicals of taking mobile phones to protests. You’ll see it here first when it’s finished.

We’re used to the idea that hackers might steal our data if we let other people store it.  It’s a real danger but not the only nor the most dangerous danger. The companies that store our data can and often do look at it for reasons.  We need to get better at knowing what’s happening to our data, but that’s not in the interests of the people we let store it.

Police filming encounters with the public: Sounds like a no-brainer: if police have body cams that record their interactions with the public, there’ll be no more she-said she-said, right?  There’ll be no more abuses of power because it’ll all be on camera….right?  It’s not that simple, for several reasons. For one, it’s all too easy for batteries to run out, technical faults to occur and cameras to be damaged during altercations.  It wouldn’t be difficult to disappear footage.  For another, body cams aren’t very useful at recording close-up scuffles. And what’s to stop police officers shouting things like “stop resisting arrest” while they’re beating suspects?  Suspects could muddy those waters, too, but I’m more concerned about abuses of power.  There are ways to improve the reliability of cop-cam footage that have to do with the conflicting motives of the players involved; maybe I’ll write about them sometime.

We’re often told that security and especially privacy decisions are about assessing the trade-offs between security/privacy and convenience. I don’t know why we’re told this, however, because it’s obviously wrong.  I’ll definitely write something about this very soon.  Here’s something that looks like a classic trade-off between convenience (or service) and privacy but, as the article suggests, it’s a bit more complicated than that. It’s complicated for the usual reason that there’s an imbalance of power between corporations and individuals as well as a clear conflict of interest.  This limits our options as individuals. We can only begin to address these issues when we take action as a group, using market, political and social pressure to demand new options.

Blackphone announces privacy-oriented app store: I’ll be watching with interest how this works out. I’m optimistic in the abstract. Hopefully we’ll learn something about how to run privacy-oriented app stores because when I think about how I’d do it I get two different kinds of mental alarm bell. The first says RUN THE FUCK AWAY, but I don’t like listening to that sort of alarm. The other says that there’s lots of consultancy to be done here. I like that kind of alarm better.

IBM’s banking software demands the right to spy on you if it really wants to. Let’s be clear: “In other words, IBM is allowed to gank any file on your computer, if it thinks it looks suspicious, and if that file turns out to be sensitive, confidential, or compromising, tough shit.” – Cory Doctorow.

OK, first privacy-burst of the new year over. There’ll probably be more before I’m finished.

Procrastination

I’ve been slacking over the Christmas period but things insisted on happening anyway.  Expect some densely-packed updates throughout the day.  I’ve also been working on some longer and hopefully more thoughtful posts which will appear when I’ve tidied them up.