Year: 2016

  • PRG News Roundup: October 5th

    By Taylor Black

    On Tuesday, Reuters reported that Yahoo secretly installed a program in all user email accounts to search incoming emails for specific information. Since that report, journalists have also uncovered allegations that internal engineering built a siphon system on behalf of NSA to run every email looking for sets of characters. Yahoo states that they are “a law abiding company which complies with the laws of the United States.”

    An investigative journalist published in the New York Review of Books on Oct. 2 that Italian author Elena Ferrante, who writes under a pseudonym, had been unmasked, resulting in controversy over the ethical concerns around the potential identity reveal.

    Apple text message metadata: Content of messages is encrypted, but Apple retains logs of who you’re writing to for ~30 days. More info forthcoming?

    Signal received a grand jury subpoena earlier in 2016, which they were permitted to disclose this week.

    Johnson and Johnson warns that it has recently learned of a security vulnerability in one of its insulin pumps which could leave patients open to a malicious exploit, though it also stated the risk of such an exploit is low.

    An Austrian teenager is suing her parents for violating her privacy by posting childhood pictures to Facebook, and for refusing to take the photos down at her request.

     

     

  • PRG News Roundup: September 28th

    By Eliana Pfeffer

    Yahoo has experienced a number of embarrassing security failures over the last four years. Last week, the company disclosed that hackers backed by what it believed was an unnamed foreign government stole the credentials of 500 million users in a breach that went undetected for two years. It was the biggest known intrusion into one company’s network, and the episode is now under investigation by both Yahoo and the Federal Bureau of Investigation. The company is currently facing lawsuits from people who fear their accounts have been hacked and claim the company was “grossly negligent,” putting their financial and personal data at risk. http://www.nytimes.com/2016/09/29/technology/yahoo-data-breach-hacking.html ; http://money.cnn.com/2016/09/23/news/companies/yahoo-sued-data-breach/

    “What Facebook Thinks You Like” is a new project from ProPublica. The tool, an extension for Google’s Chrome browser, lets users see exactly what activities, brands and products Facebook, based on its data, thinks they like. The tool also tells users which — and how many — advertising categories those interests place them in. https://www.propublica.org/article/breaking-the-black-box-what-facebook-knows-about-you

    Snapchat will start selling sunglasses that record 10-second snippets of video this fall: http://www.cnbc.com/2016/09/26/why-snapchats-new-glasses-could-be-more-than-just-a-toy.html

    Woman sues We-Vibe maker over secretly amassing ‘highly sensitive, personally identifiable information’ from vibrator that can be controlled by a smartphone. https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit

    Intel’s new office in Israel will be ultra-smart, and feature face recognition software that replaces the need for identification badges, and software that suggests carpooling with other users if an individual is often late to work and recommends that an individual eat healthier based on their lunchtime diet. http://www.cnbc.com/2016/09/26/intels-office-of-the-future-is-a-micromanaging-monster.html?utm_source=twitterfeed&utm_medium=twitter

    A German data protection commissioner ordered Facebook on Tuesday to stop collecting and storing data on WhatsApp users in Germany. http://www.nytimes.com/2016/09/28/technology/whatsapp-facebook-germany.html

  • PRG News Roundup: September 21st

    The U.S. government officially endorsed driverless cars: http://www.nytimes.com/2016/09/20/technology/self-driving-cars-guidelines.html?_r=0

    Google unveiled its highly anticipated messaging app Allo which partially relies on Artificial Intelligence (AI) technologies: http://www.nytimes.com/2016/09/22/technology/personaltech/allos-tryout-5-days-with-googles-annoying-office-intern.html

    There’s a class-action lawsuit over the privacy policies of a Canadian sex toy producer: http://arstechnica.com/tech-policy/2016/09/sex-toys-and-the-internet-of-things-collide-what-could-go-wrong/

    Chelsea bombing was one of the first testing beds for New York City’s “ring of steel” as well as the Wireless Emergency Alerts messaging system: http://www.nbcnews.com/storyline/ny-nj-bombings/more-8-000-cameras-helped-snare-bomb-suspect-ahmad-rahami-n650891 and http://www.nytimes.com/2016/09/20/nyregion/cellphone-alerts-used-in-search-of-manhattan-bombing-suspect.html

    Two new court cases on suspicion requirements came out from the 10th Circuit and the Massachusetts Supreme Court.

  • Laura Poitras at the Whitney

    By: Kayla Wieche

    http://whitney.org/Exhibitions/LauraPoitras

    http://www.nytimes.com/2016/02/05/arts/design/laura-poitras-astro-noise-examines-surveillance-and-the-new-normal.html?_r=0

    http://www.newyorker.com/podcast/political-scene/laura-poitras-and-david-remnick-visit-the-whitney-museum

    Until May 1, visitors to the Whitney Museum’s eighth floor will encounter ‘Astro Noise,’ the multi-sensory exhibit by artist and journalist Laura Poitras. Poitras is best known for her involvement with the Snowden revelations and her documentary Citizenfour, which features NSA whistleblower Edward Snowden detailing and describing classified documents on government surveillance. ‘Astro Noise,’ named after an encrypted file that Snowden gave to Poitras in their initial communication over two years ago, continues to probe the tension between privacy rights and government surveillance.

    The exhibit features visual presentations of various components of the government surveillance program – detention, torture, drones, data mining – and the legal reasoning that enables and supports it. After exiting the elevator, visitors are greeted by large prints depicting images of an American and British intelligence hack of Israeli drone feeds. The first room houses a screen with one side streaming video footage of passersby’s faces reacting to the site where the Twin Towers had stood in the days after the Sept. 11 attacks, and the opposite side projecting video of prisoner interrogations in Afghanistan. Following this striking display is an interactive video and sound exhibit relating to drone surveillance. Next, the visitor is guided through a dark hallway perforated with brightly lit peepholes through which intelligence documents legally justifying these programs are displayed. The exhibit ends with indications that all visitors have been surveilled during it.

    The sense of unease generated by visiting ‘Astro Noise’ is purposeful and powerful; it is intended to make the visitor critically question the validity of and take action against privacy violations committed in the name of national security. Poitras told The New Yorker “we create the political landscape in which we live and we can change that landscape.” The gift shop sells US Constitutions, perhaps suggesting that visitors use it as a tool to begin to enact that change.

  • Your Next Ride Might Be Used by The Government and Third Parties to Track Your Steps

    By: Felipe Palhares

    April 21, 2016

    Link: https://www.theguardian.com/technology/2016/apr/12/uber-us-regulators-data-passengers-report

    Taking a ride with Uber might reveal more than you think about your whereabouts, especially to the government and to regulatory agencies. Uber has recently disclosed that state and local transport agencies requested data of more than 11 million user accounts and half a million drivers between July and December. This includes GPS coordinates, route maps and addresses.

    Although this data is supposedly anonymized, thus not directly revealing the names of the users, it is not clear exactly what data Uber is providing to the authorities besides those identified above, and this could pose a great concern regarding the privacy of Uber’s users. Even if users’ names are not disclosed, it should not be difficult to discover this information after looking through the other kinds of data being disclosed to the regulators. If Uber is being forced to reveal the model and color of the car, plate numbers and a specific ID number unique to each user, it would only take a little bit of research and surveillance to allow someone to discover their real identity.

    Furthermore, considering that you can set your home and work addresses in your Uber account, those data could also be used to easily match an ID number to a person’s identity. The implications of this type of data being provided to third parties are fairly dangerous. For one, according to the article, some of the data is available to the public through record requests, which means that anyone could discover where you live, where you work, the places you frequent, how often you frequent these places, what time of the day you usually leave home and what time you come back, along with a lot of other information that you might not want to have disclosed to the world.

    After all, the places that you frequent might reveal a lot about you, such as your political, religious and sexual preferences, aspects of your life that you would not expect to have revealed only for choosing to take a ride with Uber. This could also be dangerous for your safety. According to a study conducted by the CDC (National Intimate Partner and Sexual Violence Survey: 2010 Summary Report), one in 6 women (16.2%) and one in 19 men (5.2%) in the United States have experienced stalking victimization at some point during their lifetime. Hence, revealing your whereabouts to the public could allow stalkers to track you more easily and increase unnecessary risks to your personal safety.

    Moreover, if this data is immediately available for everyone, or at least for the authorities, it could also be used by the government or the police to track your steps and investigate your life without applying for or being granted a search warrant. Therefore, collecting and providing all this information to transport regulators upon blanket requests without explaining why the information is needed raises serious concerns about users’ privacy. This should be clearly and expressly communicated to users, allowing them to make an informed decision before calling their next Uber ride.

  • “Microsoft Sues Justice Department to Protest Electronic Gag Order”

    By: Yilu Zhang

    April 20th, 2016

    http://www.nytimes.com/2016/04/15/technology/microsoft-sues-us-over-orders-barring-it-from-revealing-surveillance.html?_r=0

    Last week, Microsoft launched a court battle on the offensive against the US government’s use of the Electronic Communications Privacy Act to request consumer information under the cloak of gag orders. In a public move, which seems to parallel Apple’s recent opposition against the FBI’s request to code backdoor access into its iPhone devices, Microsoft may also be leveraging the court of public opinion, by taking a stand for its customers’ privacy rights over more furtive government intrusions.

    Microsoft is not claiming that government orders should never proceed secretly; rather, the company cites to the thousands of secrecy orders received over the last 18 months, raising doubts that the government is, in good faith, employing these secrecy orders only when there is a real risk of harm to others or to the evidence sought. Furthermore, the statute does not specify with any particularity the standard for establishing “reason to believe” that disclosure would hinder an investigation, and Microsoft is never privy to those rationales anyway, as it only sees the warrant that comes out of the other end. Microsoft also points out that the majority of these government secrecy orders contain no specified end date. These gag orders under ECPA are arguably unconstitutional on two fronts. First, being forbidden from alerting Microsoft’s customers that their information has been disclosed to government agents violates the customers’ 4th Amendment rights of reasonable search and seizure. Second, Microsoft contends its compelled silence violates its First Amendment speech rights.

    Microsoft’s suit also highlights the growing obsolescence of ECPA, which was passed in 1986. In this current technological era, cloud computing has emerged as a significant means of data transmission and storage. ECPA, however, fails to protect cloud data in the same manner it protects government access to physical information (e.g., documents in a drawer) or email. The government is therefore able to take advantage of this growing loophole (as Microsoft would see it) to demand customer data without a corresponding notification to targeted customers. This discriminatory treatment of cloud computing is indeed questionable, as the technology becomes increasingly prevalent and individuals store greater and greater volumes of data in the cloud. Keeping an outdated ECPA provision alive in the cloud computing era permits the government to access these large stores of individuals’ data directly through a third party without ever leaving a trace of such access.

    As an aside to the constitutional challenges, Law Professor Michael Froomkin of the University of Miami makes an interesting note that “Most people do think of their email as their personal property, wherever it happens to reside… But there is a disconnect between behavior and expectations and the statute. And Microsoft is inviting a court to bring the law in line with people’s expectations.” 4th Amendment jurisprudence, which has evolved to focus heavily on reasonable expectations of privacy, sets up a debate as to how society’s expectations of privacy are to be measured—whether from a descriptive stance (e.g., by conducting surveys of actual social expectations) or from a normative stance (which may acknowledge the possible circularity that emerges from legal norms shaping social expectations). As a policy matter, to the extent that we care to match expectations with legal reality under either approach, this Microsoft suit shines a light on the existing mismatch between consumer beliefs and the wider latitude that ECPA actually affords the government.

  • New surveillance program in the NJ transit system sparks privacy concerns

    By: Rodrigo Moncho Stefani

    April 20th, 2016

    Panel 1

    Video surveillance seems relatively normal in modern society. Maybe not all video surveillance systems are as prevalent as the one that London has in place all around the city, but it has become normal to see signs that warn “You are being videotaped”. Nowadays one is expected to be under video surveillance pretty much in every business, or spaces with access to the general public, especially if that place is a public institution.

    In terms of privacy protection and regulations, this reality could be translated into the fact that there is little to no privacy expectation when we are in a place that we know (because we have been warned by one of the abovementioned signs) or we should know (because we are in a bank, a transit terminal or similar places) that we are under video surveillance. That being said, in those situations people expect to be videotaped, meaning that a camera is capturing their image, and the information is possibly being stored for a certain amount of time. But those cameras usually only capture images, and even in some instances not particularly good or very defined images, as the video from the recent scandal surrounding Trump’s campaign manager showed.

    Therefore, it could be argued that one cannot expect in those places to have privacy about one’s image, actions and physical interactions, but those expectations could remain for the contents of one’s private conversations. Cameras can see you, how you are dressed, what you are doing, and maybe even who you are talking to, but there is no way of knowing what you are saying. A similar distinction has been made between metadata on an email, or the address on a letter, and their contents, the latter having a stronger protection than the former. The feeling of intrusion is different if an observer can see a person or an interaction, than if that observer can also listen to a conversation.

    That seems to be the case in the recent announcement that the New Jersey transit authority would begin recording audio in some of the trains that it operates in the state, on top of the video surveillance that it already conducted (http://www.nytimes.com/aponline/2016/04/12/us/ap-us-nj-transit-surveillance-systems.html?_r=0).

    The trains are limited to the light rail trains, and the change has not taken place in the entire system, but still the announcement brought some reactions from privacy advocates. There is a feeling that from now on, riding those trains would be like being in a place where the walls have ears. The questions are generally around whether the privacy invasions that the new system would imply are justified by the law enforcement and crime prevention benefits that it can bring.

    It seems clear that the benefits of a measure like this will hardly outweigh the privacy invasion that some train users might feel. Any benefit that the audio of an event could bring would seem to be the same as those that a video could provide (not including of course the sounds in the driver cockpit). And also, if the recordings are going to be used in a targeted investigation, it seems that a specific warrant should be required.

    That being said, it should also be noted that these types of systems are very hard to monitor constantly, even when they are only video systems; clearly a constant monitoring of an audio surveillance system would almost require an army of officers listening to every conversation, which would mean that the actual harm could be limited.

  • PRG News Roundup: April 20th

    Today’s news roundup:

    • Google continues to run afoul of European antitrust regulators.
    • A newly-declassified FISA Court judgement from November ruled that “backdoor” warrantless email searches are legal under the Constitution.
    • Microsoft has sued the US Department of Justice over ECPA gag orders.
    • The 6th Circuit Court of Appeal ruled that cell-site location information is not protected under the 4th Amendment.
    • The Supreme Court heard oral arguments regarding whether applicants for a drivers license can be compelled to agree to warrantless breathalyzer testing under the 4th Amendment.
    • Shortened URLs can be used to spy on people.
    • The 7th Circuit makes it easier for individuals to sue for prospective future harm resulting from data breaches.
    • And the New York Times gets a little muddled on the parameters of Google’s responsibilities regarding the “right to be forgotten.”

    As per today’s conversation, Ed Amoroso’s keynote introduction to network security from the Princeton 5G Summit is viewable here.

  • PRG News Roundup: April 13th

    Article 29 Working Party expresses “strong concerns” over EU-U.S. Privacy Shield: http://www.mondaq.com/unitedstates/x/483814/Data+Protection+Privacy/Article+29+Working+Party+Expresses+Strong+Concerns+about+the+EUUS+Privacy+Shield+Agreement

    Daniel Radcliffe to star in “Privacy” play off broadway: http://variety.com/2016/legit/news/daniel-radcliffe-privacy-play-off-broadway-1201751421/

    MaxMind locates digital center of the U.S. at a farm in Potwin, Kansas, creating all kinds of privacy problems for residents: http://fusion.net/story/290772/ip-mapping-maxmind-new-us-default-location/

    ECJ to consider legality of UK surveillance laws: http://www.theguardian.com/world/2016/apr/11/european-court-to-consider-legality-of-uk-surveillance-laws

     

  • Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption

    PANAMA PAPERS: A RESULT OF SELECTIVE GOVERNMENT SURVEILLANCE

    Topic: Government Surveillance

    By: Aluizio Porcaro Rausch (Panel 2)

    Post: Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption

    Link:  https://panamapapers.icij.org/20160403-panama-papers-global-overview.html

    The International Consortium of Investigative Journalists (ICIJ), a team of more than 370 journalists from 76 different countries, and other news organizations around the world recently exposed a large number of politicians, businessmen, celebrities and criminals for hiding funds in tax havens. Leaking around 11.5 million records of secret financial deals performed with the assistance of Mossack Fonseca, a Panama law firm, and several well-known banks, these journalists revealed to the public a global network of money laundering and tax evasion from 1977 to 2015.

    Among the many individuals and entities involved in this long-standing underworld industry are Russian President Vladimir Putin, prime ministers of Iceland and Pakistan, Chinese President Xi Jinping, British Prime Minister David Cameron, soccer player Lionel Messi, UBS and HSBC. Although not directly touching US jurisdiction, the leak also includes 33 people and companies blacklisted by the US government – such as drug lords and terrorists – and a US businessman that signed documents for an offshore creation while serving a prison sentence in New Jersey.

    In a time of Base Erosion and Profit Shifting counter movements promoted by the Organization for Economic Co-operation and Development (OECD) and by the most developed countries in the world, this leakage points out even more complex tax evasion schemes and ineffectiveness of governments’ fiscal information access. The involvement of several world leaders also raises doubts about the seriousness of formal commitments for more transparency of tax systems.

    Specifically about the U.S., it is important to mention that the Foreign Account Tax Compliance Act (FATCA), enacted in 2010, set higher standards for fiscal data disclosure worldwide, as many countries followed the American example. Nevertheless, this effort does not seem sufficient to eradicate abusive tax planning.

    Selectivity of law enforcement and government surveillance is an old issue. In US history, its roots are in the abusive procedures adopted by the British colonizers towards the colonies, as Justice Stewart summarizes in Stanford v. Texas. Unsurprisingly, it is still a current issue in many other jurisdictions as well. Despite all governments’ resources, the wealthy and powerful are protected from official surveillance. If not for non-governmental entities such as ICIJ, the general public would remain in the dark.

    Aluizio Porcaro Rausch