Category: Uncategorized

Are Smart Toys Spying on Your Kids?

By: Christa Kaila

February 8th, 2017

Toy company Genesis Toys, which specializes in tech toys, has caused controversy with its interactive toys My Friend Cayla and i-Que. According to a complaint filed with the Federal Trade Commission (FTC) on December 6, 2016 by a coalition of consumer privacy advocates, these spying toys pose a threat to the “safety and security of children in the United States”. The complaint alleges violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices, as well as violations of the Children’s Online Privacy Protection Act (COPPA). The coalition, including the Electronic Privacy Information Center (EPIC), names in its complaint both Genesis Toys, which manufactures the toys, and Nuance Communications, which is the company in charge of the software used in the toys.

The Cayla toy, which resembles a traditional doll toy, and i-Que, which looks more like a robot, are both smart toys that can talk and interact with kids. The toys are an example of the so-called Internet of Things, as they are connected to the internet via an app that users will download on their phones. When a user asks the toy a question, the toy will record it, send it to the app, which will look up an answer to the question online so that the toy can give an answer. Although this might sound like an appealing and innovative idea, there are also various troubling aspects. The recordings themselves are not deleted after the questions have been answered, but instead sent to Nuance, which, according to the complaint, uses the recordings to enhance its other types of products and services that are sold to military, intelligence, and law enforcement agencies. Another issue is that the toy will ask the child to answer certain questions about themselves, including their own name, their parents’ name and the name of their school and hometown. The toy will also invite the child to set their physical location, and the app collects the users IP address.

This is clearly problematic, as COPPA has strict rules on how personal information can be collected from children. COPPA requires the operator of the online service to verify that the parents have given their consent for this type of collection, which according to EPIC, Genesis and Nuance has failed to do. The complaint also highlights issues with the Terms of Service and Privacy Policies of the companies; they are vague, subject to change without notice and difficult to access. Yet another problem is that the toy connects to the app via Bluetooth, and this connection simply isn’t safe. Outsiders can easily access the toy with their own phones without any advanced hacker skills. There are also videos online where Cayla has been hacked by “ethical hacker” Ken Munro, who makes Cayla say things like “Calm down or I will kick the shit out of you”. Definitely not something parents would want their kid’s toy to be able to say.

This is not the first time that concerns are raised about spying smart toys. Genesis has also been targeted by consumer agencies in Europe. In 2015, Mattel came out with its Hello Barbie, which was criticized by privacy rights groups too. Already in 1999, there was discussion about whether the owl-like must-have Furby toy in fact was a spy, and it was banned from entering the premises of the National Security Agency (NSA). In this case, however, it seems like the privacy violations are so egregious that the FTC cannot just turn a blind eye to it, as the enforcer of COPPA.

Article in Consumerist:

https://consumerist.com/2016/12/06/these-toys-dont-just-listen-to-your-kid-they-send-what-they-hear-to-a-defense-contractor/

Complaint filed with the FTC:

https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf

Video of Cayla:

https://www.youtube.com/watch?v=EvMb_TusPPs

FTC Announces $2.2 Million Settlement with VIZIO

February 8th, 2017

By: Danielle Dobrusin

On February 6, 2017, the FTC announced that it has reached a settlement with VIZIO, Inc. – “one of the world’s largest manufacturers and sellers of internet-connected ‘smart’ televisions.”[1] The settlement is in response to charges brought by both the FTC and the Office of the New Jersey Attorney General claiming that VIZIO “installed software on its TVs to collect viewing data on 11 million consumer TVs without the consumers’ knowledge or consent.”[2]

The FTC brought this action under Section 13(b) of the Federal Trade Commission Act,  15  U.S.C.  §53(b)  (“FTC  Act”), alleging that VIZIO engaged in unfair and deceptive acts or practices  in  violation  of  Section  5(a) of the Act. In their complaint, the FTC alleged that beginning in February 2014, VIZIO and an affiliated company manufactured VIZIO smart TVs that captured detailed information about video displayed on the TV. The complaint also alleged that VIZIO facilitated the collection of specific demographic information of the viewer including: sex, age, income, marital status, household size, education level, home ownership, and household value.

Under the stipulated federal court order, VIZIO must pay $2.2 million to settle the charges and must prominently disclose and obtain affirmative express content for its data collection and sharing practices. The order also prohibits VIZIO form making misrepresentations about the privacy, securing, or confidentiality of consumer information that they collect.

[1] https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it

[2] https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it

COPPA: Ignorance is Bliss for Websites

By: Abdurrahman Erkam Ilhan

February 8th, 2017

Internet has transferred our social life from the real world to a virtual environment by making us addicted to social media platforms. More importantly, this trend is not only limited to adults but also extends to children, whom are even more vulnerable to privacy threats of social platforms. Supporting this point, a recent research shows that, on average, children get their first smartphones at the age of 12 (see the link below). Therefore, a particular concern for the protection of children’s information on internet is essential.

The US adopted the Children’s Online Privacy Protection Act (COPPA) in 1998 and authorized the FTC to enforce the Act’s protections. COPPA brings important safeguards such as notice and parental consent requirements but only applies to websites that gather information from children under age 13. In order to avoid these requirements, many websites prohibit children under 13 to use their services. As a result, many children lie about their age when they sign up for a social media platform, and the enforcement mechanism becomes ineffective for them. Knowing this basic fact, internet platforms should cooperate and try to find a way for a better protection. However, it seems that they prefer to benefit from this fact, since they are not held accountable for their users’ fake ages.

According to a recent NY Times article, Musical.ly is one of the many applications that claim ignorance to avoid the COPPA. Unlike other applications that have mixed user portfolio, Musical.ly became popular particularly among the youth. Although this was not the initial goal of the company, it obviously benefits from this incident. According to the news article, many of these users are in grade school ages. Similar to other applications, Musical.ly also prohibits children under 13 to use its services. Nevertheless, it does not collect age information from its users, which allows children to use the application without even lying about their age.

While Musical.ly simply avoids the COPPA by not collecting age information and claiming ignorance, FTC enforces the COPPA against companies that does the very same thing but also collect age information. In the Xanga.com settlement, the company prohibited children under 13 to use their services (in their terms) but allowed them to create an account when they provided a birthdate indicating that they were under 13. The mere difference between Musical.ly and Xanga.com was that one collected age information while other did not in order to circumvent the laws. In reality, both companies knew for sure that they had users under 13 but having collected its users’ age information, Xanga.com’s practice is held more culpable under the COPPA mechanism.

As seen in this example, the current privacy protection mechanisms for children in the US might result with bizarre situations. In the current system, a company can easily circumvent the COPPA’s protections by not collecting its users’ birthdates and placing an extra provision in its terms that it does not allow children under 13 to use its services. Therefore, the COPPA’s protections are very limited in reality for websites that do not specifically address to children. One way to solve this problem is to hold websites accountable for deceitful accounts. It might be controversial to design such a responsibility but it would certainly incentivize websites to prevent children from creating deceitful accounts.

Link to the news article: https://www.nytimes.com/2016/09/17/business/media/a-social-network-frequented-by-children-tests-the-limits-of-online-regulation.html

Laura Poitras at the Whitney

By: Kayla Wieche

http://whitney.org/Exhibitions/LauraPoitras

http://www.nytimes.com/2016/02/05/arts/design/laura-poitras-astro-noise-examines-surveillance-and-the-new-normal.html?_r=0

http://www.newyorker.com/podcast/political-scene/laura-poitras-and-david-remnick-visit-the-whitney-museum

Until May 1, visitors to the Whitney Museum’s eighth floor will encounter ‘Astro Noise,’ the multi-sensory exhibit by artist and journalist Laura Poitras. Poitras is best known for her involvement with the Snowden revelations and her documentary Citizenfour, which features NSA whistleblower Edward Snowden detailing and describing classified documents on government surveillance. ‘Astro Noise,’ named after an encrypted file that Snowden gave to Poitras in their initial communication over two years ago, continues to probe the tension between privacy rights and government surveillance.

The exhibit features visual presentations of various components of the government surveillance program – detention, torture, drones, data mining – and the legal reasoning that enables and supports it. After exiting the elevator, visitors are greeted by large prints depicting images of an American and British intelligence hack of Israeli drone feeds. The first room houses a screen with one side streaming video footage of passersby’s faces reacting to the site where the Twin Towers had stood in the days after the Sept. 11 attacks, and the opposite side projecting video of prisoner interrogations in Afghanistan. Following this striking display is an interactive video and sound exhibit relating to drone surveillance. Next, the visitor is guided through a dark hallway perforated with brightly lit peepholes through which intelligence documents legally justifying these programs are displayed. The exhibit ends with indications that all visitors have been surveilled during it.

The sense of unease generated by visiting ‘Astro Noise’ is purposeful and powerful; it is intended to make the visitor critically question the validity of and take action against privacy violations committed in the name of national security. Poitras told The New Yorker “we create the political landscape in which we live and we can change that landscape.” The gift shop sells US Constitutions, perhaps suggesting that visitors use it as a tool to begin to enact that change.

Your Next Ride Might Be Used by The Government and Third Parties to Track Your Steps

By: Felipe Palhares

April 21, 2016

Link: https://www.theguardian.com/technology/2016/apr/12/uber-us-regulators-data-passengers-report

Taking a ride with Uber might reveal more than you think about your whereabouts, especially to the government and to regulatory agencies. Uber has recently disclosed that state and local transport agencies requested data of more than 11 million user accounts and half a million drivers between July and December. This includes GPS coordinates, route maps and addresses.

Although this data is supposedly anonymized, thus not direct revealing the name of the users, it is not clear exactly what data is being informed by Uber to the authorities besides those identified above and this could impose a great concern regarding the privacy of Uber’s users. Even if users’ names are not disclosed, it should not be difficult to discover this information after looking through the other kind of data being disclosed to the regulators. If Uber is being forced to reveal the model and color of the car, plate numbers and a specific ID number unique to each user, it would only take a little bit of research and surveillance to allow someone to discover their real identity.

Furthermore, considering that you can set your home and work address to your Uber account, those data could also be used to easily match an ID number to a person’s identity. The implications of this type of data being provided to third parties are fairly dangerous. For one, according to the article some of the data is available to the public through record requests, which means that anyone could discover where you live, where you work, the places you frequent, how often you frequent these places, what time of the day you usually leave home and what time you come back, along with a lot of other information that you might not want to have disclosed to the world.

After all, the places that you frequent might reveal a lot about you, such as your political, religion and sexual preferences, aspects of your life that you would not expect to have revealed only for choosing to take a ride with Uber. This could also be dangerous for your safety. According to a study conducted by the CDC (National Intimate Partner and Sexual Violence Survey: 2010 Summary Report), one in 6 women (16.2%) and one in 19 men (5.2%) in the United States have experienced stalking victimization at some point during their lifetime. Hence, revealing your whereabouts to the public could allow stalkers to track you more easily and increase unnecessary risks to your personal safety.

Moreover, if this data is immediately available for everyone, or at least for the authorities, it could also be used by the government or the police to track your steps and investigate your life without applying for or being granted a search warrant. Therefore, collecting and providing all this information to transport regulators upon blank requests without explaining why the information is needed raises serious concerns about users’ privacy. This should be clearly and expressly communicated to users, allowing them to make an informed decision before calling their next Uber ride.

“Microsoft Sues Justice Department to Protest Electronic Gag Order”

By: Yilu Zhang

April 20th,2016

http://www.nytimes.com/2016/04/15/technology/microsoft-sues-us-over-orders-barring-it-from-revealing-surveillance.html?_r=0

Last week, Microsoft launched a court battle on the offensive against the US government’s use of the Electronic Communications Privacy Act to request consumer information under the cloak of gag orders. In a public move, which seems to parallel Apple’s recent opposition against the FBI’s request to code backdoor access into its iPhone devices, Microsoft may also be leveraging the court of public opinion, by taking a stand for its customers’ privacy rights over more furtive government intrusions.

Microsoft is not claiming that government orders should never proceed secretly; rather, the company cites to the thousands of secrecy orders received over the last 18 months, raising doubts that the government is, in good faith, employing these secrecy orders only when there is a real risk of harm to others or to the evidence sought. Furthermore, the statute does not specify with any particularity the standard for establishing “reason to believe” that disclosure would hinder an investigation, and Microsoft is never privy to those rationales anyway, as it only sees the warrant that comes out of the other end. Microsoft also points out that the majority of these government secrecy orders contain no specified end date. These gag orders under ECPA are arguably unconstitutional on two fronts. First, being forbidden from alerting Microsoft’s customers that their information has been disclosed to government agents violates the customers’ 4th Amendment rights of reasonable search and seizure. Second, Microsoft contends its compelled silence violates its First Amendment speech rights.

Microsoft’s suit also highlights the growing obsolescence of ECPA, which was passed in 1986. In this current technological era, cloud computing has emerged as a significant means of data transmission and storage. ECPA, however, fails to protect cloud data in the same manner it protects government access to physical information (e.g., documents in a drawer) or email. The government is therefore able to take advantage of this growing loophole (as Microsoft would see it) to demand customer data without a corresponding notification to targeted customers. This discriminatory treatment of cloud computing is indeed questionable, as the technology becomes increasingly prevalent and individuals store greater and greater volumes of data in the cloud. Keeping an outdated ECPA provision alive in the cloud computing era permits the government to access these large stores of individuals’ data directly through a third party without ever leaving a trace of such access.

As an aside to the constitutional challenges, Law Professor Michael Froomkin of the University of Miami, makes an interesting note that “Most people do think of their email as their personal property, wherever it happens to reside… But there is a disconnect between behavior and expectations and the statute. And Microsoft is inviting a court to bring the law in line with people’s expectations.” 4th Amendment jurisprudence, which has evolved to focus heavily on reasonable expectations of privacy, sets up a debate as to how society’s expectations of privacy are to be measured—whether from a descriptive stance (e.g., by conducting surveys of actual social expectations) or from a normative stance (which may acknowledge the possible circularity that emerges from legal norms shaping social expectations). As a policy matter, to the extent that we care to match expectations with legal reality under either approach, this Microsoft suit shines a light on the existing mismatch between consumer beliefs and the wider latitude that ECPA actually affords the government.

New surveillance program in the NJ transit system sparks privacy concerns

By: Rodrigo Moncho Stefani

April 20th, 2016

Panel 1

Video surveillance seems relatively normal in modern society. Maybe not all video surveillance systems are as prevalent as the one that London has in place all around the city, but it has become normal to see signs that warn “You are being videotaped”. Nowadays one is expected to be under video surveillance pretty much in every business, or spaces with access to the general public, especially if that place is a public institution.

In terms of privacy protection and regulations, this reality could be translated into the fact that there is little to no privacy expectation when we are in a place that we know (because we have been warned by one of the abovementioned signs) or we should know (because we are in a bank, a transit terminal or similar places) that we are under video surveillance. That being said, in those situations people expect to be videotaped, meaning that a camera is capturing their image, and the information is possibly being stored for certain amount of time. But those cameras usually only capture images, and even in some instances not particularly good or very defined images, as the video from the recent scandal surrounding Trump’s campaign manager showed.

Therefore, it could be argued that one cannot expect in those places to have privacy about one’s image, actions and physical interactions, but those expectations could remain for the contents of one private conversations. Cameras can see you, how you are dressed, what you are doing, and maybe even who you are talking to, but there is no way of knowing what you are saying. A similar distinction has been made between meta data on an email, or the address on a letter, and their contents, the latter having a stronger protection than the former. The feeling of intrusion is different if an observer can see a person or an interaction, than if that observer can also listen to a conversation.

That seems to be the case in the recent announcement that the New Jersey transit authority would begin recording audio in some of the trains that it operates in the state, on top of the video surveillance that it already conducted (http://www.nytimes.com/aponline/2016/04/12/us/ap-us-nj-transit-surveillance-systems.html?_r=0).

The trains are limited to the light rail trains, and the change has not taken place in the entire system, but still the announcement brought some reactions from privacy advocates. There is a feeling that from now on, riding those trains would be like being in a place where the walls have ears. The questions are generally around whether the privacy invasions that the new system would imply, are justified by the law enforcement and crime prevention benefits that it can bring.

It seems clear that the benefits of a measure like this will hardly outweigh the privacy invasion that some train users might feel. Any benefit that the audio of an event could bring, would seem to be the same as those that a video could provide (not including of course the sounds in the driver cockpit). And also, if the recordings are going to be used in a targeted investigation, it seems that a specific warrant should be required.

That being said, it should also be noted that these types of systems are very hard to monitor constantly, even when they are only video systems, clearly a constant monitoring of an audio surveillance system would almost require of an army of officers hearing to every conversation, which would mean that the actual harm could be limited.

Today’s news roundup:

• Google continues to run afoul of European antitrust regulators.
• A newly-declassified FISA Court judgement from November ruled that “backdoor” warrantless email searches are legal under the Constitution.
• Microsoft has sued the US Department of Justice over ECPA gag orders.
• The 6th Circuit Court of Appeal ruled that cell-site location information is not protected under the 4th Amendment.
• The Supreme Court heard oral arguments regarding whether applicants for a drivers license can be compelled to agree to warrantless breathalyzer testing under the 4th Amendment.
• Shortened URLs can be used to spy on people.
• The 7th Circuit makes it easier for individuals to sue for prospective future harm resulting from data breaches.
• And the New York Times gets a little muddled on the parameters of Google’s responsibilities regarding the “right to be forgotten.”

As per today’s conversation, Ed Amoroso’s keynote introduction to network security from the Princeton 5G Summit is viewable here.

PANAMA PAPERS: A RESULT OF SELECTIVE GOVERNMENT SURVEILLANCE

Topic: Government Surveillance

By: Aluizio Porcaro Rausch (Panel 2)

Post: Giant Leak of Offshore Financial Records Exposes Global Array of Crime and Corruption

Link:  https://panamapapers.icij.org/20160403-panama-papers-global-overview.html

The International Consortium of Investigative Journalists (ICIJ), a team of more than 370 journalists from 76 different countries, and other news organizations around the world recently exposed a large number of politicians, businessmen, celebrities and criminals of hiding funds in tax havens. Leaking around 11.5 million records of secret financial deals performed under the assistance of Mossak Fonseca, a Panama law firm, and several well-known banks, these journalists revealed to the public a globe network of money laundering and tax evasion from 1977 to 2015.

Among the many individuals and entities involved in this long-standing underworld industry are Russian President Vladmir Putin, prime ministers of Iceland and Pakistan, Chinese President Xi Jinping, British Prime Minister David Cameron, soccer player Lionel Messi, UBS and HSBC. Although not directly touching US jurisdiction, the leak also includes 33 people and companies blacklisted by the US government – such as drug lords and terrorists – and a US businessman that signed documents for a off-shore creation while serving prison sentence in New Jersey.

In a time of Base Erosion and Profit Shifting counter movements promoted by the

Organization for Economic Co-operation and Development (OECD) and by the most developed countries in the world, this leakage points out even more complex tax evasion schemes and ineffectiveness of governments’ fiscal information access. The involvement of several world leaders also raises doubts about the seriousness of formal commitments for more transparency of tax systems.

Specifically about the U.S., it is important to mention that the Foreign Account Tax Compliance Act (FATCA), enacted in 2010, set higher standards for fiscal data disclosure worldwide, as many countries followed American example. Nevertheless, this effort does not seem sufficient to eradicate abusive tax planning.

Selectivity of law enforcement and government surveillance is an old issue. In the US History, its roots are in the abusive procedures adopted by the colonizer British towards the colonies, as Justice Stewart summarizes in Standford v. Texas. Unsurprisingly, it is still a current issue in many other jurisdictions as well. Despite all governments’ resources, the wealthy and powerful are protected from official surveillance. If not for non-governmental entities such as ICIJ, the general public would remain in the dark.

Aluizio Porcaro Rausch

April 14^th, 2016

Cell Site Location Information and United States v. Jones

By: William Simoneaux

This post by the Electronic Frontier Foundation discusses a recent decision upholding the lawfulness of the FBI’s warrantless request for cell site location information (CSLI), used to help convict two defendants by linking them to the locations of various robberies. In United States v. Carpenter, the Sixth Circuit reasoned that the location information was conveyance information necessary to make the call, as distinct from the content of the call itself.

The EFF filed an amicus brief in the case arguing for the opposite result. It pointed out that, despite the Sixth Circuit’s point that the information was not as precise as GPS data, it was precise enough “to place one of the defendants at church every Sunday.”  Additionally, the EFF argued that the volume of information collected, three to four months worth, was problematic, especially when compared to the 28 days of monitoring that took place in United States v. Jones.

Based on the reasoning of both the Sixth Circuit’s opinion and the EFF’s response, any resolution of the relationship between the government’s use of CSLI and the Fourth Amendment should involve Jones. It is the Supreme Court case that most directly touches the question of the privacy interests involved in the government’s tracking of individuals’ location over time. The difficulty in looking to Jones for guidance, however, is that that case involved the physical placement of a GPS device on the defendant’s car, the deciding factor in Justice Scalia’s plurality opinion. With CSLI, no physical trespass ever need occur.

Justice Alito’s concurrence in Jones did not rely on the physical trespass argument, but rather on the duration and precision of the monitoring of the individual’s location. On the other hand, what does it mean that CSLI is possibly less precise than the GPS data in Jones, but still precise enough to glean information that touches on the privacy interests of the Fourth Amendment? Ultimately, clarification from the Supreme Court on just how great the privacy interest in one’s location over an extended period of time may be required.

https://www.eff.org/deeplinks/2016/04/sixth-circuit-disregards-privacy-new-cell-site-location-information-decision