Month: April 2011

Available at:
http://news.yahoo.com/s/ap/20110424/ap_on_hi_te/us_wi_fi_warning

In Buffalo, a 25-year-old guy logged in to his neighbor house’s Wi-Fi connection and downloaded child pornography through the wireless signal.

Firstly, the FBI agents suspected the homeowners. They denied and agents tapped away at the homeowner’s desktop computer, eventually taking it with them, along with his and his wife’s iPads and iPhones.

Within three days, investigators determined the homeowner had been telling the truth: If someone was downloading child pornography through his wireless signal, it wasn’t him. About a week later, agents arrested the guy and charged him with distribution of child pornography. The case is pending in federal court.

Experts say the more savvy hackers can go beyond just connecting to the Internet on the host’s dime and monitor Internet activity and steal passwords or other sensitive information.

This case revealed two major issues. One is how to protect privacy of Wi-Fi users and the other is whether internet users are legally responsible to secure their wireless connections to prevent others from illegally downloading data.

Controversy over revelations regarding iPhone and iPad location tracking has been growing quickly. As the New York Times reports, the German, French, and Italian governments have either started or will soon start investigations into whether the tracking violates those countries’ respective privacy laws. In the United States, Senator Al Franken of Minnesota and Congressman Edward Markey of Massachusetts have sent letters asking for further explanation from Apple.

A letter from Apple’s general counsel to Congressman Markey last July suggests that the data is in fact being transmitted to Apple for use in its location-based services. However, the letter indicates that location data is anonymized and only collected when users agree to use location-based services. Last Friday, Google confirmed that it collected similar data from Android users for similar location-based service purposes, again anonymized and with user consent.

Some commentators have questioned the need for retaining the location data on users’ devices, arguing that it leaves them vulnerable to hackers who would be able to learn a user’s day-to-day movements. Others question whether users are fully informed about the extent of location tracking due to the sometimes-vague and difficult-to-understand privacy policies that describe its use.

The New York Times article also reports that the data has been used for law enforcement purposes, raising interesting questions about the applicability of the Stored Communications Act and the 4th Amendment to such data. Though the article doesn’t specify the legal basis upon which law enforcement gathered this data, it seems possible that the SCA would apply. Would a court hold that compelling Apple to produce such data under the SCA but without a warrant violates the 4th amendment, much like the compelled e-mail production in United States v. Warshak? On a related note, the ACLU recently reported that Michigan State Police officers have been using forensic cellphone analyzers to download the contents of smartphones during routine traffic stops. The ACLU has issued a FOIA request for more information on this practice, but the Michigan Police have requested over $500,000 from the ACLU to cover the costs of retrieving and assembling such documents. Given the recent revelations about location tracking on Apple products it seems plausible that such data collection from Apple users could include the location-tracking file, thus possibly giving the police information about the user’s every move for the past few months.

http://legaltimes.typepad.com/blt/2011/04/doj-pitches-gps-surveillance-case-to-supreme-court.html

http://legaltimes.typepad.com/files/doj_gps_cert.pdf

On Friday, the Solicitor General filed a certiorari petition with the Supreme Court to resolve a circuit split on whether a warrant is required for GPS surveillance. The case, United States v. Jones, involves the government’s use of GPS tracking technology to monitor a person’s movements on public roads for an extended period of time.

As part of an investigation into the defendant’s supposed narcotics distribution, the FBI placed a GPS tracking device on defendant Jones’s Jeep, tracking its movements 24 hours a day for 4 weeks. The FBI’s prolonged tracking of Jones without a warrant raised serious 4th Amendment and privacy concerns. On appeal of his conviction in the D.C. Circuit, Jones argued that the Government’s use of a GPS device constituted a violation of his reasonable expectation of privacy and was a breach of his 4th Amendment right. The Government relied on United States v. Knotts for the position that the tracking of a suspect on public roads does not constitute a search. In Knotts a beeper was placed in a container containing chemicals used in the production of methamphetamine to track the suspect’s vehicle from the purchase location to his cabin. The Court of Appeals held that Knotts did not control as it did not address the issue of a prolonged, dragnet type surveillance. The Court reasoned that while the movement of the defendant in Knotts, from one location to another, was readily exposed to the public, the totality of Jones’s movements over the course of a month was not. The aggregation of Jones’s movements for an entire month reveals intimate details that a single trip would not and therefore there was a reasonable expectation of privacy in those movements.

The D.C. Circuit’s adoption of this “mosaic theory” of privacy puts it at odds with the Seventh, Eighth, and Ninth Circuits, all of which permit warrantless GPS surveillance. The Government maintains that the D.C. Circuit’s contrary holding will hamper the ability of law enforcement to collect evidence to establish probable cause at the onset of an investigation. It also makes a slippery slope argument, fearing that wider acceptance of the “mosaic theory” will jeopardize other longstanding investigatory techniques used to collect public information on criminal suspects.

The Jones case presents the Court with the opportunity to revisit its thirty-year-old holding in Knotts and squarely address whether the aggregation of otherwise public information through sophisticated technological means changes the nature of a suspect’s privacy expectations. It remains to be seen whether the Court will, in Jones or a future case, follow the lead of a number of states that have imposed a warrant requirement in these circumstances.

Article Link: http://www.latimes.com/business/la-fi-do-not-track-20110406,0,3461978,full.story
Link to Bill: http://dist27.casen.govoffice.com/index.asp?Type=B_BASIC&SEC={2C530FAF-6F85-4236-BB30-293D33F815E5}

Continuing the groundswell of support for Do-Not-Track across the nation, California State Senator Alan Lowenthal (D-Long Beach) introduced legislation that would force Internet companies doing business in California to allow consumers to opt out of online monitoring. If passed, California would be the first state to have a do-not-track law. Lowenthal is hoping that passage in democratically controlled California could act as a “stimulus to the rest of the nation.”

The proposed bill broadly applies to all connected devices, likely requiring software updates to many existing smart phones, computers, tablets, and Internet TVs. It empowers the state attorney general to issue regulation requiring that websites give users a simple method to block tracking. The bill allows individuals and the state attorney general to target violations with civil suits.
The bill is backed by a number of advocacy groups, including Consumer Watchdog, Privacy Rights Clearing House, Common Sense Media, and the California Consumer Federation. However, the Interactive Advertising Bureau, a digital marketing industry group, criticized that a strict reading of the legislation, SB761, would prevent websites from collecting innocuous information that could hurt the user experience. IAB also believes that the bill could be an unconstitutional restriction on interstate commerce.

Not long ago, denizens of the web were thrown into a frenzy by Chatroulette, an innovative website that randomly paired visitors with webcams for impromptu video chats.

Hot off the HackerNews presses, meet RandTXT – Chatroulette for text messages. RandTXT allows anyone with a cell phone to anonymously send a text message to a randomly selected person and receive an anonymous reply from that person.

The instructions are simple: “(1) Send a (random, funny) text message to (650) 681-0830; (2) you’ll immediately receive a random text message from another person; (3) reply to the random text you just got; (4); get a reply to the original random text you sent.” All chat exchanges are posted to a public website that displays the originating phone’s area code but nothing else.

As with Chatroulette, the content runs the gamut from extremely obscene to serious, with almost anything in the middle. My favorite exchange so far:

Original Message: Is a hippopotamus a hippopotamus or just a really cool opotamus?
Reply Message: The latter

At first blush, this probably seems like a very minor addition to the technological landscape. After all, Twitter basically allows users to do the same thing – send short text messages. Yet there is something deep at the heart of RandTXT that is missing in Twitter – intimacy. Up until now, SMS has retained its status as a uniquely personal mode of communication. Unlike a tweet, which is broadcast to the world (or a limited number of followers), an SMS message is plain text’s version of the phone call. As a result, it brings with it a different set of contextually-rooted principles of information flow.

To give an example, one might well tweet one’s breakfast (particularly a delicious one), but one would probably not send an SMS to one’s friend solely to report this fact. While Twitter has become a forum for open contemplation and whimsical revelation, SMS is, or at least has been, a tool for more formal and personal communication. The social importance of SMS is evident in the sheer number of SMS-oriented applications that have proliferated on the iOS and Android mobile operating systems. Fast Society, Beluga, Disco, GroupMe – the list could go on. These applications offer very little that email does not. Yet they are extremely popular. For some reason, the SMS message holds a degree of appeal that other forms of communication can’t match.

If you buy my assertion that SMS is a more intimate protocol, then RandTXT becomes a lot more exciting. This is because RandTXT brazenly pulls SMS inside-out. The resulting cognitive dissonance – of using a private non-anonymous protocol (SMS) in a decidedly public and anonymous way – is thrilling.

OK – so it’s thrilling. Lots of online experiences are. But why should we care about this one? The thrill of services such as RandTXT and Chatroulette draws people into a mode of interaction they can’t find elsewhere. As a result, these services have enormous expressive potential. This is not to say that such open-ended services don’t have problems. As Jonathan Zittrain has famously pointed out, generativity can be a risky proposition. Plenty of objectionable content has surfaced on services such as RandTXT and will continue to do so. Yet insofar as Chatroulette and RandTXT users enjoy a social surplus from the new experience, and this surplus outweighs the loss caused by objectionable content, these services are worth supporting.

Which brings me to what I suppose is the point of this post – specifically (a) that opportunities for anonymity and pseudonymity on the web are shrinking, and (b) that this isn’t a good thing. While false identity allows those with impure motives to wreak havoc, it also empowers new (and old) methods of communication and human interaction. These methods of communication and interaction can advance not only our constantly-evolving discourse but also our understanding of ourselves. To the extent that privacy law exists to protect our right of expression, it should take care to make sure that the increasingly “identifying” Internet preserves a place for the delightfully obscured.

Available at: http://online.wsj.com/article_email/SB10001424052748703467304575383522318244234-lMyQjAxMTAxMDAwMzEwNDMyWj.html; Stalkers Exploit Cellphone GPS – Mobile Location Tracking – WSJ.com

In August of 2010, the Wall Street Journal reported that global-positioning-system (GPS) technology offered by cellular carriers is being used by stalkers. Although the technology is intended to rescue lost drivers, locate kidnap victims and enable other noble endeavors, it has had the unintended consequence of allowing stalkers to more easily track their victims. According to the article, cellular GPS technology has become the easiest, and possibly the most common, way for stalkers to locate their targets.

Certain carriers, such as AT&T, offered deals to consumers allowing them to “sign up” for these tracking services. However, although the carrier alerts phone users when tracking functions are activated, such users do not have the right to refuse to be tracked by the account holder. Their only option to avoid detection is to turn off their phone.

Carriers will also agree to deactivate GPS tracking functions if requested to do so by law enforcement officials. As of August 2010, no carriers had been asked to alter their GPS programs.

According to the article, the ease of access to GPS tracking capabilities is, in part, an unintended consequence of federal regulations that require the installation of GPS chips into cellular phones. The intent of these regulations was to allow easier access to emergency services, and the regulations have been largely successful in this area.

Unfortunately, GPS capabilities have also had negative consequences, as tech companies have found other uses for tracking data. For instance, software manufacturers have developed software that can be surreptitiously loaded on someone else’s cellular phone and used to track that person’s movements through the already-existing GPS technology. This allows any third party (i.e. someone other than the cellular carrier) to track someone else’s location. This unintended usage has proven especially problematic for victims of domestic violence, and has even driven certain domestic violence shelters to dismantle the phones of the victims who they house. These systems have also been abused by law enforcement officers who have reportedly used location data for personal reasons. They are able to do so because federal law allows carriers to turn such data over in emergencies without subpoenas, but carriers are unable to verify whether an emergency situation truly exists.

Available at:
http://www.cnn.com/2011/TECH/mobile/03/31/google.face/index.html; Google making app that would identify people’s faces – CNN.com

Google has announced that it is working on a mobile application that would allow users to take pictures of people’s faces in order to access their personal information. The product would include a user’s name, phone number, and e-mail address, but Google has not indicated what other personal data might be available. Indications are that the system could be programmed to obtain publicly available pictures from third-party websites, such as Facebook.

Privacy advocates have expressed concern with this ability, especially in the wake of Google’s recent privacy “missteps.” For example, Google recently settled over grievances relating to its social networking service, Buzz. Google is also in the midst of inquiries by numerous government agencies concerning its Street View program.

Perhaps in response to privacy concerns, Google plans to use an “opt-in” model, whereby people would have to agree to give Google permission to access their personal information via facial recognition. Although this would limit the application’s utility, Google foresees many circumstances in which people would agree to be found.

Surely most of you have seen Google’s “new” feature, Gmail Motion. If not, check out the video below:

Gmail Motion

The April Fools’ posting has become a bit of a tradition at Google. My personal favorite is Google Gulp. There’s a lot of fun to be had here for sure. But there’s also a lesson to be learned – or at least something serious to think about.

The Google pranks work because, like it or not, they are presented in the same “trust us, it’s OK” fashion as the rest of Google’s services. Like it or not, we have become accustomed to filling in forms, following links, and generally passively interacting with services we use online. When Google says “click here to find out about this amazing new service,” we probably do so. And when Google shows us a video about this new service, we expect to be (and are perhaps conditioned to think) that everything the video demonstrates is as great as it purports it to be.

Google, of course, capitalizes on this in building the visual elements of the prank. For example, the link to the prank is subtly included at the top right of the Gmail webmail client and below the Google homepage search field. These locations are precisely where Google draws us into legitimate new products. So we click.

The prank deepens with the landing page, the video on which is linked to above. The page is decked out just like any other Google product page. The usual language, font set, graphical flare – it’s all there. It draws us in in such a way that it might take a few minutes before we actually think critically about the substance. And, depending on how strong this effect is, we might be half through a tweet or Facebook posting about the service before we realize we’ve been duped. Not because we’re stupid. But because we’re operating on some sort of aesthetically-driven autopilot.

The point is that trusted parties such as Google have enormous ability to leverage the trust of users. In this case, the harm is minimal. A little embarrassment, if anything. This won’t always be the case. Google (and other major providers such as Facebook) are adept at using visual architecture, friendly tone, and other “trust cues.” Where the end result is a short video that informs you of the prank, there’s not much to worry about. But where the end result is unwitting participation in a terrible service such as Buzz, the ante is significantly upped.

The solution isn’t, of course, that we shouldn’t trust anything online. Services such as Gmail exist because we all trust Google with our content. Such trust, unmitigated, is problematic. But such trust, properly limited, is necessary to ensure the societal surplus that results when we can all use a valuable service such as Gmail. Rather, the problem is the risk of passive use and acculturation – the problem of “clicking here” or filling out a form by rote and without proper consideration.

I don’t have a solution for this problem in mind. For the moment, I’d just suggest that while we laugh at Google’s gag, we take a moment to think about why it’s so effective – and how the engine of that efficacy drives more serious and problematic privacy issues online.