ILI Student Blog

Category: Uncategorized

  • The Mosaic Theory, Riley, and the Legacy of Jones

    March 12th, 2015

    The Mosaic Theory, Riley, and the Legacy of Jones

    USA v. Timothy Carpenter (Amicus Brief), Brennan Center for Justice, http://www.brennancenter.org/legal-work/usa-v-timothy-carpenter-amicus-brief

    “EFF Fights Government’s Effort to Get Cell Location Records Without a Warrant,” Electronic Frontier Foundation,” https://www.eff.org/deeplinks/2014/11/new-eff-brief-explains-why-cell-phone-location-records-are-private-and-government

    “The Mosaic Theory of the Fourth Amendment,” Orin S. Kerr, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2032821

    By: David G. Krone

    In U.S. v. Jones, five U.S. Supreme Court justices signed or joined concurring opinions indicating they would support a “mosaic theory” of the Fourth Amendment whereby the aggregation of locational information would have amounted to a search. As Justice Alito wrote, “relatively short-term monitoring of a person’s movements on public streets accords with expectations of privacy that our society has recognized as reasonable. But the use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.” In that case, the Supreme Court ultimately ruled in favor of the appellant based on a theory of physical trespass on the appellant’s car. Since that case, organizations such as the Brennan Center for Justice at NYU the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have pushed courts to recognize the privacy Interest in cell tower through amicus briefs filed in cases involving convictions based on the data. In particular, they have cited the Supreme Court’s ruling in California v. Riley, relating the privacy interest that the Court found in the type and quantity of data on a cell phone to the interest a defendant would have in cell tower data that is just as potentially invasive.

    Most recently, an amicus brief signed by all three organizations the specifically addresses USA v. Timothy Carpenter in the 6th Circuit. In Carpenter, the defendant is appealing his conviction of robbery charges based of evidence that “included five months of cell site data procured without a warrant.” The amicae argue, firstly, that, much like the GPS surveillance information in Jones, the cell site location information (CSLI) acquires reveals invasive and precise information about the defendant’s locations. The amicae note that, during that five month period, the CSLI records the defendant’s location at the beginning and end of each phone call—revealing, in addition to his proximity to the robbery, when he was at church, at home and when he slept away from home. Secondly, the amicus brief argues that the CSLI record was a Fourth Amendment search requiring a warrant by citing both the Alito and Sotomayor concurrences in Jones, as well as the Court’s assessment of the of cell phone data in Riley. As the brief states, “The expectation that a cell phone will not be tracked is even more acute than is the expectation that cars will not be tracked because individuals are in their cars for discrete (and typically brief) periods of time, but carry their cell phones with them wherever they go.” In fact there is potentially greater privacy interest in the here than in in Jones because, because CSLI may include information recorded while in the defendant’s home. Finally, the brief also argues that the third-party doctrine (as articulated in Smith v. Maryland) should not apply, because people, “do not input or knowingly input their location information to their wireless carrier” (emphasis added).

    The 6th Circuit has yet to hear oral arguments in USA v. Carpenter. However, other circuits have remained conflicted. In 2013, the EFF and the ACLU submitted an amicus brief in the 11th Circuit case, United States v. Davis, similarly basing their argument on the quantitative and qualitative differences in CSLI. In June 2014, the Court sided with the amicae, but later elected to rehear the case en banc, seeking further arguments on whether the CSLI acquisition violated the Fourth Amendment. Courts do face considerable concerns in adopting a “mosaic theory” approach to Fourth Amendment searches. As Georgetown Washington Law Professor Orin Kerr points out in his seminal article on “The Mosaic Theory of the Fourth Amendment,” adopting this approach would require future courts to tackle issues in applying the standard. For instance, Courts would have to determine what standard should apply and whether data collection alone would meet the threshold, or whether post-collection analysis or use would also be required. The Courts would also have to decide the scope of the mosaic theory not only in terms of duration and scale but which surveillance methods count. Finally, the Courts will also have to address issues of constitutional reasonableness and whether remedies such as the exclusionary rule will apply.

    Nevertheless, as Kerr himself notes, Courts are accustomed to dealing with ambiguity in defining Fourth Amendment protections. The Supreme Court has consistently recognized in cases ranging from Kyllo to Riley the need to shape the law in anticipation of the persistent march of technology. For better or for worse, the bulk, machine-readable data is gaining an increasingly prominent role in society, from our cell phones to Facebook. As Justice Roberts colorfully pointed out in the unanimous Riley opinion, comparing cell phone data to the evidence found in a physical object like a wallet, “is like saying a ride on horseback is materially indistinguishable from a flight to the moon. Both are ways of getting from point A to point B, but little else justifies lumping them together.”

     

  • “Smart” Cars – In the Fast Lane to Government Regulation

    March 12th, 2015

    “Smart” Cars – In the Fast Lane to Government Regulation

    By: Thomas A. Warns

    https://www.lexology.com/library/detail.aspx?g=57d1ca69-4db8-42eb-a56c-c9d198547db3

    Last month, Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced legislation aimed at establishing federal data security and privacy standards for Internet-connected automobiles, generally referred to as “smart cars.” This development was novel in many respects worthy of mention.

    First, the report comes on the heels of an FTC report in January which recommended a technology-neutral data security approach to the “Internet of Things.” That report suggested general standards for all internet connected objects; instead, the Senate bill for smart cars continues to general trend of “sectoral” data privacy legislation. In contrast with practices typical in the EU, the United States generally legislates on an industry by industry basis when it comes to data privacy, rather than creating one standard for all. Many businesses praise this approach because it allows for flexibility in approaching the different nuances of industries with different practices; consumer advocates warn that the lack of any statutory privacy baseline leaves consumers unable or unwilling to effectively wade through the different privacy standards in each field.

    The Senators’ bill is based on a report that examined the data privacy practices of sixteen car companies, and found that these manufacturers collected driver and passenger data but had “alarmingly incomplete or inconsistent” privacy and data security practices. The bill alleviates these problems by demanding certain testing of wireless security, making consumers explicitly aware of when information is collected, giving them the option to allow the collection, prohibiting manufacturers from using the information for advertising purposes, and creating a new security rating to be displayed on vehicles, much like fuel economy information is also included on new cars.

    This broaches several relevant issues in the regulatory sphere. First, it is a massive deviation from the self-regulation that persists in the U.S. automobile industry prior to the legislation. Some will question the wisdom of this decision. Industry leaders often prefer self-regulation because it allows companies to innovate in a rapidly changing technological field; Congressional laws take so long to pass, and are so difficult to amend, that they may become outdated rather quickly, and only serve to stifle development in important fields. Likewise, they would argue that regulation will impede the efficient allocation of privacy that has already been achieved by the market. While consumers may express opinions that data privacy and security have value to them, they often assign a very low value to it when they are confronted with voluntary transactions that trade information for a product or application. Perhaps consumers believe that the collection of data by companies to target advertising is completely benign, or perhaps will even enhance their welfare, since they are given more relevant advertisements. The companies want this information because it lowers the costs of advertising for them, potentially creating a socially desirable outcome. If some consumers do truly value their privacy at a higher value than many others, then companies can compete to deliver the most data-secure smart cars.

    That picture, however, may be challenged on several grounds. Consumers may not be able to fully comprehend the “cost” of surrendering their personal information. For one, it is almost impossible to quantify the information into a monetary value, like we do with most other transactions. For another, consumers aren’t even sure what data collection means. Privacy policies may spell out some of the terms of use, but it is often unclear how long the collection will last, what exactly will be collected, who the information is shared with, and whether it will be stored and aggregated with other information from other sources indefinitely. If consumers are unable to understand the cost when deciding to surrender their personal information, a top-down command and control style regulation may be the optimal solution.

    One of the virtues of this bill then, is that it attempts to combat the information gap that may lead to a widespread market failure. The bill lets customers explicitly know when their information is being collected, and forbids the information from being shared for advertising purposes. Knowing when their data is being collected may make the “cost” more salient and encourage more drivers to opt-out of the data collection; the flip-side of this argument, however, is that drivers may not opt-out when informed of later data collection out of a sense that all hope is lost, and that they have already lost control over their data. Likewise, the complete prohibition on sharing info for advertising purposes may cut off a revenue stream for car companies, and force price hikes onto the backs of consumers who may otherwise prioritize a price discount over data privacy.

    This Senate bill will undoubtedly improve personal data privacy for drivers, but it may do so at the expensive of socially good data collection and use by car companies. Perhaps a better alternative would be co-regulation, which has had demonstrated success in the field of environmental law. Co-regulation involves placing the regulator, the regulated, and interested third parties in a position to negotiate directly with each other over regulations, rather than indirectly through notice and comment rulemaking. This allows each stakeholder to make tradeoffs and over concessions in ways that best reflect their own priorities.

    As Professor Ira Rubinstein notes, co-regulation tends to succeed because there is greater legitimacy and industry “buy-in” when the industry has a hand in creating its own rules. The effect of this is likely a decrease in litigation, as there are fewer court battles over the interpretation of an agency’s regulation when the regulated parties and interested citizen groups participated in writing it. One criticism to this approach is that it places too much weight in the hands of interested private parties, as opposed to disinterested government agencies working towards the public good. Anyone who has studied administrative law, however, knows that agencies are already subject to capture by special interests. Further, as long as the agency involved ensures equal participation by industry and consumers, and is the ultimate arbiter of any regulation, fairness can be protected. While this co-regulatory approach would be intelligent, smart car regulation is likely destined to drive down a road towards traditional agency regulation with notice and comment rulemaking.

    Read the story, “Smart Car Legislation Suggests a Different Approach to the Internet of Things Regulation”, at https://www.lexology.com/library/detail.aspx?g=57d1ca69-4db8-42eb-a56c-c9d198547db3

  • Digital Advertising and the Apple Watch

    March 12, 2015

    Digital Advertising and the Apple Watch

    By: Daniel Lin

    This blog post discusses how the material for our March 12, 2015 class, appertaining to models of digital advertising, might be pertinent with regards to the potential widespread public adaptation of increasingly personalized tech items such as the upcoming Apple Watch. (Link to relevant article: http://www.theatlantic.com/technology/archive/2015/03/if-apple-watch-isnt-a-watch-what-is-it/387067/)

    Apple has established a reputation for (and fortune by) making complicated technology simple to use for the “regular” consumer. In her article “If Apple Watch Isn’t a Watch, What Is It?” Adrienne LaFrance subscribes to the notion that Apple Watch as “the most personal product [Apple has] ever made” in part because of its tracking capabilities (right down to the number of “times your heart beats in a day”!). LaFrance posits that the Watch will be a “device that saves you the trouble of pulling out your phone” (the logic being that user will customize on their Watch what phone notifications are most important to her/him, such that they will only go to their phone if the notification meets such idiosyncratic, personalized criteria). The ultimate postulation of LaFrance’s article is that the Watch will be greatly revelatory as to the user’s most unique and intimate preferences. How will users be affected by the increasingly personalized third party applications that will crop up in response to the Watch’s greater user personalization abilities? Without question, third party application creators, subscribing to the behavioral advertising model, must be salivating at such a notion.

    Professor Strandburg, in her article “Free Fall: The Online Market’s Consumer Preference Disconnect,” outlines three “broadcast advertising business models,” which include: (1) the broadcast advertising model [generic advertisements, geared towards the broadest swath of the consuming public possible]; (2) the online contextual advertising business model [more specialized advertising, which assumes a relation between site visit and interest], and (3) the behavioral advertising business model [the most specialized form of advertising, which also entails the most data collection].

    As articulated in Professor Strandburg’s article, an adverse consequence to the consumer of the behavioral advertising model is a sort of information dissonance, in that the user will not be able to accurately anticipate the effects of his interaction with a digital output, and thus adapt her/his behavior according to a manner that best reflects his consuming and personal preferences. If it is a valid assumption that few users first read a software application’s privacy strictures before interacting with it, then the fact that Apple products rely so heavily on third party application creators (a major selling point of Apple products over Android and other products is the Apple’s extensive application ecosystem) the behavioral advertising problem, as described by Professor Strandburg, is exacerbated (the logic being a glut of third party applications means a glut of independent privacy outlines, which is more off-putting to a user focused on convenience and efficiency).

    In practical terms, the user faces the daily (or however often he interacts with an application) “one-or-the-other” decision of whether to make use of the convenience of an app (the reason why you purchased an Apple product in the first place!), or whether to take hours and read the each application’s publicly proffered privacy programs (and thus lose the benefit/purpose for which you purchased the Apple product). One can easily grasp the ramifications of this mindset transposed from an app ecosystem primarily offering contextual advertising (as currently appears to be the case) into one portended by the increased personalization offered by the Apple Watch, wherein behavioral advertising appears imminent, if the third party should so choose to offer this information to support their “free” applications.

    Perhaps the user’s interaction with his Watch will be no more personal than his interaction with his iPhone. But if indeed LaFrance’s position is accurate, that use of the Watch and the iPhone will not only be coterminous (one cannot use the Watch without the iPhone), but also complementary, and users do end up using the Watch as means of personalizing their iPhone and broader digital experience even further, then the privacy implications are great, because then advertisers will have before them not just data regarding the user’s personal information and personal activity, but data regarding the user’s attitudes towards this information and activity (a second piece to the puzzle for advertisers, as alluded to in Professor Strandburg’s article)!

  • Privacy Concerns Rise as Consumers Seek Substitutes for Traditional Television

    March 12th, 2015

    Panel 6

    Privacy Concerns Rise as Consumers Seek Substitutes for Traditional Television

    http://www.washingtonpost.com/news/business/wp/2015/03/11/americans-are-moving-faster-than-ever-away-from-traditional-tv/

    By: Gerard Cicer

    For broadcast and cable networks, the writing is on the wall. Any person with an eye or ear toward pop culture and consumer trends knows that traditional television viewership is declining. Whether it be network news casts that have been replaced by internet news aggregators or former staples, such as premium cable movie channels—uprooted in favor of paid streaming services, consumer tastes have shifted away from the tube, towards alternative internet based programming. A recent Washington Post article, found here, gives little hope to traditional television media, in a chronicle of the accelerating trend towards internet based substitutions. However, in the wake of accelerating biannual decline, to the tune of almost 10 percent, author Cecilia King reveals that broadcast and cable networks are fighting back. These networks are attempting to claw back some market share, by entering the very market that is quickly eroding their decades old platform.

    The last few years has seen a rise of online video viewership, as the Post article points out, roughly “40 percent of U.S. homes”, up from just 36 percent last year, subscribe to at least one paid internet streaming service like Netflix or Hulu. For traditional networks, hungry for advertising fees and licensing arrangements, this trend is difficult to ignore. Networks such as HBO, NBC, and CBS have either launched or announced plans for streaming services to compete with current internet incumbents. While new service providers in an already dense market unquestionably strokes the public’s desire for more price and quality competition, the increase in service options comes with a matched increase in opportunities for consumer privacy information appropriations and mishaps.

    With these new entrants, the internet programming industry is becoming more diffuse. Consumers will likely no longer be giving information merely to the cable company and one other internet provider such as Netflix. For example, I have already eschewed cable for a combination, though not simultaneously, of Netflix, Amazon Prime, HBO-Go and Hulu subscriptions as well as “free” providers like YouTube and Twitch.tv. As in my case, consumers are no longer putting their identifying information, address, credit card information, email address, viewing habits in the hands of one or two companies. Rather, in order to match and surpass the level of choice they once had through network and cable TV, consumers may very well sign up for multiple streaming services, the combined cost of which is still less than traditional television. The rub of course is, that to access these services, consumers must in effect deal with multiple companies and provide varied information to each of them. This raises privacy concerns that are much more nascent than when there was only one video entertainment provider.

    Ask any regular user of “free” video providers such as YouTube and they will tell you that the website has an uncanny ability to recommend new videos based on your history and subscriptions, as well as tailor advertising towards your interests. While you do not necessarily have to sign-up to YouTube to access its content, linking your Google account to YouTube arguably enhances your experience and augments this tailoring. Paid subscription services like Netflix operate similarly by tracking your preferences and spitting out recommendations. There is no doubt that this preference data, collected by Google, Netflix, and the like, is valuable—evidenced by the ubiquitous tailored advertising located on many websites. In addition to preference metadata, paid services require you provide them billing information, meaning, that you must give them, among other things, your credit card information and name. With the entry of more paid services, consumers must give this static data to more and more companies. A short example may shed light on one concern presented by only one provider. Perusing Netflix’s stated privacy policy as of March 12, 2015, reveals that it sends consumer information oversees for what it bills as provision of services. Netflix notes that “the countries to which we may transfer information may not have as comprehensive a level of data protection as in your country, although your personal information will continue to be protected in accordance with the standards described in this policy.” While it is comforting that Netflix will endeavor to protect our information, the information is not invulnerable to theft or misappropriation overseas.

    But what is a consumer supposed to do when faced with an increased number of service providers, each with their own informational requirements and privacy policy? The question is daunting and may call for a more unified industry wide standard to bring privacy sharing policies back in line with consumer expectations as to traditional television providers. While this is by no means the correct answer to the question, one thing is clear, with more market participants, the opportunities for perceived and actual privacy breaches increase, an unsettling proposition for consumers.

     

  • Behind the Times: Playing Catch-Up with Privacy Law

    March 9th, 2015

    Behind the Times: Playing Catch-Up with Privacy Law

    By: Otis Comorau

    Article: Law Firm Founds Project to Fight ‘Revenge Porn, The New York Times, Jan. 29, 2015

    http://dealbook.nytimes.com/2015/01/29/law-firm-founds-project-to-fight-revenge-porn/

    While it is no secret that technological advancement often outpaces legal development, the problem is especially severe in the information privacy context. As a recent New York Times article points out, victims of ‘revenge porn’ – pornography uploaded to the internet (frequently by ex-partners) with the intent to shame and humiliate – have resorted to filing copyright claims against websites displaying the embarrassing photographs or videos.

    Indeed, despite the near-universal consensus that uploading this kind of information should, without the consent of those pictured, be strictly prohibited, the law is remarkably unclear and outdated. While some states have recently passed statutes criminalizing revenge porn, the majority have failed to address the issue at all. Moreover, under existing tort doctrine, claims for “intentional infliction of emotional distress” are notoriously difficult to win.

    Similarly, at the national level, the Federal Trade Commission is just now beginning to recognize the importance of the issue. It is finally taking a more aggressive stance against the practice. Federal prosecutors are following suit as best they can, as they attempt to charge perpetrators under existing “online stalking” and “unauthorized computer access” laws. Such prosecutions are, however, fairly uncommon.

    While these changes are laudable, they are grossly insufficient. Modern, technology-based disputes regarding informational privacy are simply poor fits for traditional civil and criminal laws. In the linked article above, for example, the New York Times points out that victims of revenge porn can only file copyright complaints if 1) they took the photographs and/or videos themselves, and 2) they register the photos and/or videos with the United States Copyright Office. Obviously, these requirements present a huge (and wildly unnecessary) constraint upon information privacy enforcement.

    But that is exactly the problem, isn’t it? Copyright laws were never designed to meet the needs of revenge-porn victims. Similarly, charging perpetrators with “online stalking” or “unauthorized computer access” is merely a bait and switch. The issue, as everyone knows, is not really “stalking,” or whether an ex-partner “downloaded a file without permission.” The issue is that, through whatever means, extremely personal information ended up on the internet for everyone to see. This is unacceptable. Everyone has, or should have, a right to keep such information private. Unauthorized publication of that information should be prohibited, end of story.

    In short, the status quo is unacceptable. Revenge porn disputes cannot be adequately addressed through the existing tort system, the copyright office, or federal “stalking” charges. On the contrary, they present new, technology-based concerns that do not fit well into existing legal doctrine. The country should therefore follow the lead of the 12 states that criminalized revenge porn last year. It is time to pass a national law outlawing the practice.

  • Federal Judge Dismisses Challenge of NSA’s Internet Surveillance

    March 9th, 2015

    Federal Judge Dismisses Challenge of NSA’s Internet Surveillance

    By: Nicholas Morales

    https://www.eff.org/deeplinks/2015/02/jewel-v-nsa-making-sense-disappointing-decision-over-mass-surveillance

    https://www.eff.org/cases/jewel

    Last month marked a blow for plaintiffs in Electronic Frontier Foundation’s (EFF) lawsuit against mass surveillance, Jewel v. NSA. EFF filed the class action suit on behalf of AT&T customers whose Internet history is being recorded by the National Security Agency.

    The case was filed on September 18, 2008 after various documents were made public by whistleblower and former AT&T employee Mark Klein. Klein’s documents along with testimony by NSA whistleblower William Binney revealed a tap on AT&T’s fiber optic Internet backbone. As details began to emerge, many began to suspect that the NSA was engaging in Upstream collection, a surveillance technique that stores Internet users’ traffic history as it traverses the backbone. In their filing, EFF’s clients alleged that the Upstream collection, as well as the collection of telephone call detail records, violated the First and Fourth Amendments to the Constitution, as well as several other laws related to electronic surveillance.

    On February 10, 2015 Judge Jeffrey White of the U.S. District Court for the Northern District of California dismissed the challenge of the constitutionality of the Internet data collection program. In his ruling, Judge White stated that the challenge would require an impermissible disclosure of secret information that could jeopardize national security and also ruled that the plaintiffs did not have standing to pursue the claims. The court also found that the plaintiffs lacked proper standing. Judge White stated that because plaintiffs could not prove that the surveillance occurred as they alleged, they did not have the standing to challenge the program’s constitutionality.

    EFF criticized the ruling for allowing state secrets to “trump the judicial process” and vowed to continue its case against the NSA. It should be noted that Judge White’s ruling did not decide the legality of the NSA’s Internet surveillance practices, nor does the ruling apply to the challenge of the constitutionality of the NSA’s surveillance of telephone records.

     

  • Future of NSA Phone Surveillance Program Remains Unclear

    March 5th, 2015

    Future of NSA Phone Surveillance Program Remains Unclear

    By: Matt Daly-Grafstein

    http://www.newsmax.com/US/nsa-megadata-phone-records/2015/03/03/id/627966/

    http://www.defenseone.com/politics/2015/03/clock-ticking-congress-produce-nsa-surveillance-reform/106653/

    Last week the Foreign Intelligence Surveillance Court (FISC) extended a mandate for the operation of the NSA’s phone surveillance program until June 1st after receiving a specific request from the Obama administration. At issue remains certain provisions of the Patriot Act, including section 215 which grants the NSA extremely broad access to a variety of civilian records under the Foreign Intelligence Surveillance Act (FISA). If the June 1st deadline passes and Congress takes no further action, then the NSA will ostensibly lose the legal authority to continue mining American phone records.

    Currently it appears that Congress has no plans in place to allow the continuation of the NSA’s operations. Several bills have been previously introduced to the previous Congress in an attempt to reform how the NSA goes about its collection of American phone records but none were ultimately passed. The USA Freedom Act, introduced this past November, by Dem. Sen. Patrick Leahy, came the closest but fell a mere two votes shorts of advancing. There are no bills that have been introduced in the current Congress that address the issue.

    Critics are worried that the lack of action by Congress may be evidence that a last-minute bill will be rushed through that will grant the same broad powers that were given under the much maligned Patriot Act. The same type of debate surrounding the failed USA Freedom Act that led many to believe that it reflected a true bipartisan effort may not be possible given the less than 100 days until the expiration of the current laws. This past year Obama had proposed that data should remain with telephone companies and that the government should only be able to access data through specific individual court orders, a proposal that may have more favorable support from critics of the current government surveillance programs. No legislation to date however has incorporated this suggestion.

    The short window remaining to pass new legislation may also mean that Congress simply lets Section 215 and its related provisions expire. This would legally end the ability for the NSA to continue its current efforts in gathering bulk phone data. While it’s unclear the true efficacy of the program given the unwillingness of the NSA to share detailed data about its operations it’s enough for some in Congress and the intelligence community to worry that the vacuum created may mean that the USA will be less effective in preventing future terrorist operations within the country. In any case, we should know for certain the future of the NSA surveillance program within the next few months.

  • To Beep or Not to Beep: The Ups and Downs of Smartphone Privacy

     March 5th, 2015

    To Beep or Not to Beep: The Ups and Downs of Smartphone Privacy

     By Eliza Cohen

     http://www.economist.com/news/leaders/21645180-smartphone-ubiquitous-addictive-and-transformative-planet-phones

    http://www.economist.com/news/briefing/21645130-watch-out-hackersand-spooks-spy-your-pocket

    On February 19, the Intercept revealed that spies at GCHQ (Britain’s equivalent to the NSA) had stolen hundreds of thousands of encryption keys coded into Gemalto SIM cards in order to access conversations and data. The story was based on documents that were leaked by Edward Snowden, the government contractor who began to publicly disclose classified NSA documents in June 2013.

    On the heels of this latest report, The Economist has published a two-story briefing in its issue of February 28. In “Smartphone Security: The Spy in Your Pocket,” the magazine paints a harrowing picture of cellular security, described as “mostly an afterthought in a booming industry that has always seen market share as the priority.” Organizations such as the NSA have entire departments whose job it is to breach cell phone encryptions and other protective mechanisms. Criminal malware is described as an ever-growing industry, and an alarming number of apps are guilty of transmitting unencrypted data that may be read at will. Though industry players and consumers are cognizant of data protection issues, The Economist writes that “there is still a lot for the industry and its users to learn.”

    In its second briefing, “Planet of the Smartphones,” The Economist plays its own devil’s advocate. The magazine enumerates three benefits that militate against the threat to privacy posed by smartphones. First, “the same phones that allow governments to spy on their citizens also record the brutality of officials and spread information and dissenting opinions.” Thus, the magazine writes that smartphones empower the ordinary individual to challenge government authoritarianism. Second, the same personal data that companies may seek to exploit can also used to advance the public good. Smartphones are described as “digital census-takers” that create an unprecedentedly detailed view of society in real time. This data may be used for a variety of social purposes, including crime prevention and the monitoring of global epidemics. Third, The Economist holds that smartphones provide immense economic benefit. Smartphones have the potential to remake entire industries at lightning speed. The phone itself is the platform, which is conducive to the development of cheap startups (like WhatsApp and Uber) that may one day be valued in the millions or billions. Though cell phones present important privacy considerations, The Economist opines that society must adapt to these new realities, and develop norms and methods of accountability for smartphone use.

    The Economist is right about one thing: the smartphone has changed the world, and is an invaluable source of economic and social good. However, by focusing on the benefits that accrue from smartphone usage, the magazine is adopting an oversimplified approach to information privacy. The mere fact that cellular data may be used to advance the public good is not a justification for the breach of privacy on a universal scale. In Riley v. California, the court states: “the fact that technology now allows an individual to carry such information in his hand does not make the information any less worthy of protection.” Smartphones may be used to combat authoritarian regimes, to aggregate useful data, and to remake entire industries — but not at the expense of global privacy. Widespread government spying and corporate data-mining are not necessary corollaries of cell phone usage. Though data monitoring may be necessary in certain instances for the purposes of national security, these usages should be circumscribed, and governments must be held accountable for their actions to the greatest extent possible. In United States v. Warshak, the court held that “the Fourth Amendment must keep pace with the inexorable march of technological progress, or its guarantees will whither and perish.” Since the NSA wiretapping scandal first came to light, it has become glaringly apparent that the age of “reasonable” privacy is over, and that we are more in need of Fourth Amendment protections now than ever before. Yes, The Economist is correct in stating that cell phones are “ubiquitous, addictive and transformative” — but ultimately, at what cost?

     

     

  • Gemalto hacking shows that NSA and GCHQ are not shy about targeting market leaders to weaken phone encryption security

    February 27, 2015

    Gemalto hacking shows that NSA and GCHQ are not shy about targeting market leaders to weaken phone encryption security

    https://firstlook.org/theintercept/2015/02/19/great-sim-heist/

    http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx

    https://firstlook.org/theintercept/2015/02/25/gemalto-doesnt-know-doesnt-know/

    http://www.theregister.co.uk/2015/02/20/gemalto_sim_surveillance_fallout/

    By: Edwin Mok

    On February 19, 2015, The Intercept reported that in 2010-2011 the American and British spy agencies had hacked the world’s largest manufacturer of SIM cards and stolen encryption keys, potentially allowing intelligence agencies to “monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments”. The report was based on top-secret documents provided by NSA whistleblower Edward Snowden. According to a 2010 document, the NSA and the Government Communications Headquarters (GCHQ) – the NSA’s British counterpart – conducted a joint operation targeting Gemalto, which makes chips used in mobile phones and credit cards, and whose clients include “AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world”.

    Six days later, on February 25, 2015, Gemalto released a statement confirming that “in 2010 and 2011, [the company] detected two particularly sophisticated intrusions” upon their internal computer networks. It continues: “At the time we were unable to identify the perpetrators but we now think that they could be related to the NSA and GCHQ operation”. However, Gemalto asserts that the intrusions “only breached its office networks and could not have resulted in a massive theft of SIM encryption keys”. It speculates that its dominance in the SIM card market may have made it the “target of choice for the intelligence services in order to reach the highest number of mobile phones”.

    SIM cards store information used to identify and authenticate subscribers on a telecommunications network. They are also used to store information such as contacts, text messages, and phone numbers. Domestically, the FBI and other agencies can force U.S.-based telecommunications companies to give up such information through court orders. However, this sort of data collection is much more difficult at the international level, because foreign governments and companies will not typically allow the NSA or other intelligence agencies to access the communications on their networks. Possession of the encryption keys would, according the The Intercept article, give the NSA “the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted”.

    Although Gemalto claims that no encryption keys were stolen – and some experts have expressed serious doubts as to the thoroughness of their investigation – the fact that the hacking attempt occurred is significant. It shows that the NSA and the GCHQ have in the recent past attempted to seriously compromise phone security on a vast and global scale. And it shows that they are not shy about targeting the biggest players in the market. It is notable that Gemalto is headquartered in Amsterdam, that is, not within any country part of the “Five Eyes” intelligence alliance (comprised of Australia, Canada, New Zealand, the U.K., and the U.S.). It seems, at the very least, the NSA and the GCHQ view any company based outside of those five countries as fair game.

    There is an additional important wrinkle to this story. The article by The Intercept resulted in a $470 million loss to Gemalto’s stock price. While that stock price has since rebounded (helped no doubt by Gemalto’s assurances that no encryption keys were stolen), this situation raises the specter of state-sanctioned electronic espionage as an economic, investment, and insurance risk for international companies operating in the telecommunications space. It is one thing when such attacks purportedly originate from China or North Korea. It’s quite another to learn that such attacks have been occurring between supposedly friendly nations. And it begs the question: who else has been in the NSA’s crosshairs?

    The message is clear. If you are an international company with information viewed as strategic to the NSA or other spy agencies, you’re a potential target. Indeed, they may already have targeted you.

     

     

  • Do we have information privacy at the era of smartphone?

    February 26th, 2015

    Do we have information privacy at the era of smartphone?”

    By: Ying Zhang, L.L.M

    http://en.miui.com/thread-67462-1-1.html

    In Riley v. California, the Supreme Court found that “Cell phones differ in both a quantitative and a qualitative sense from other objects that might be kept on an arrestee’s person.” The Supreme Court pointed out that one of the most distinguishing features of modern cell phone is their immense storage capacity; the storage capacity of cell phones has several interrelated consequences for privacy. Further, the Supreme Courts believed that the data stored on a cell phone is not only distinguished from physical records by quantity, certain types of data are also qualitative different. For example, an Internet search and browsing history could reveal an individual’s private interest or concerns; historic location information can reconstruct someone’s specific movement; mobile application software on a cell phone offers a range of tools for managing detailed information about all aspects of a person’s life. The Supreme Court held that “a cell phone search would typically expose to the government far more than the most exhaustive search of a house…”. Based on the above, among others, the Supreme Court finally determined that the police must get a warrant before searching a cell phone seized incident to an arrest.

    In the above ruling, the Supreme Court recognizes that the decision will bring an impact on the ability of law enforcement to combat crime, but why does the Supreme Court still make the ruling? Is the Supreme Court proactive in its ruling or did the Court exaggerate the influence of cell p hone on our daily life? Let’s see a related data in relation cell phone from China.

    The linked article below is about a transcript of the interview with Jun LEI by Russell Flannery of Forbes Shanghai. Jun LEI is a founder and the CEO of the biggest Chinese cell phone manufacturer XIAO MI. LEI was recently crowned as Forbes’ Business Man of The Year in Asia. In accordance with the interview, we may conclude that the Supreme Court does not overstate impact of cell phone to our life; moreover, our information privacy is highly threatened by the data that we believe are stored in our cell phone even if we hold our cell phone with us 24 hours a day.

    1. A cell phone itself does not only store large quantity of information, since a cell phone now is able to connect to Internet any time and places, a cell phone may store more and more information on various types of “big data cloud services” from time to time. LEI mentioned that only the cell phones that are manufactured and sold by XIAO MI will uploads 380 Terabytes content to the cloud storage that is provided by XIAO MI. One Terabytes equals 1024 Gigabytes; if data of 380 Terabytes is all about pictures in cellphone phones, this implies that users of XIAO MI cell phones uploads over 0.1 billion pieces of pictures every day.
    2. In addition to the quantity of the information that is stored in a cell phone, XIAO MI cell phones are also connected with TC, Box, wearable devices, router, and smart home devices; this decides a cell phone can collect and store various types of information. Therefore, through the cell phones it sold, XIAO MI acquires massive data not only phone numbers and communication log, but also other valuable and sensitive information, such as health records.

     

    1. Cell phone service providers and cloud storage service providers plan to make profits upon acquiring and controlling these data. LEI predicted that XIAO MI will have more than 1000 Petabytes of data after year 2015 which will need more servers, machines, IDCs, bandwidth. In accordance with LEI, 1 Petabyte storage services (1 Petabyte amounts to 1000 Terabytes) requires cost of RMB 3 million; 1000 Petabytes will cost XIAO MI around RMB 3 billion. Once cell phone users store their data, for free, on the cloud storages that are provided by XIAO MI at its own expenses, XIAO MI will ask every user’s permit to read very the user’s data. Once a user permits, XIAO MI can use machines to read and analyze the data and make many commercial decisions. For example, XIAO MI may determine whether it can give a user a loan. If the data reveals that a user has a stable income, pay your credit card debts on time, never goes out of New York city, then XIAO MI might decide to hire the user and lend the user one hundred thousand RMB without “fear” that the user will leave, because XIAO MI owns all data of the user.

    After all, LEI believes that mobile networking is still in its explosive growth phase and will continue for 5 to10 years. Smartphones will be the center of the world. Everything is within our control via a smart phone, house’s air, water quality, and safety; this also means that others can use our smart phone to do so too