
Posts Tagged ‘#apple’


700 million Android phones have spying firmware preinstalled

December 21, 2016

The term “mobile phone security” is something of a joke these days, with the number of exploits, bugs, and breaches that are endlessly assaulting us and putting our personal information at risk. So, when security outfit Kryptowire sounded the alarm on Chinese company Adups for using its preinstalled apps to spy on Android users with Blu smartphones, it wasn’t exactly a shock. Now, however, the impact of Adups’ alleged spying is growing in magnitude, and it’s dragging other Android device manufacturers into the quagmire.

Adups is a company that facilitates over-the-air updates for mobile devices, so its firmware is preinstalled on lots of devices. However, the firmware does much more than it claims, and has the ability to snoop in areas that it shouldn’t, and without the user ever knowing. That information can then be collected by Adups for whatever purposes it desires.

Trustlook, another digital security firm, dug deeper on what devices utilize Adups and could be used by the Chinese company to scrape your private information, and the list is absolutely massive. Trustlook says that over 700 million Android smartphones have Adups firmware installed that puts the user at risk of having text messages, call histories, and device information collected without their knowledge or consent.

Many of the manufacturers who utilize Adups are smaller companies who only release their devices in Asia or specific smaller markets. However, there are a few notable names on the list, including Lenovo, ZTE, and the aforementioned Blu.

The Blu R1 HD was the first device found to be relaying this sensitive information back to Adups, and the company took action to halt the app’s nefarious habits, but it’s now up to the rest of the dozens and dozens of manufacturers on the list to do the same. The best course of action right now seems to be keeping the phone as updated as possible, and installing any security patches that come down the pipeline.


Here’s why the FBI forcing Apple to break into an iPhone is a big deal

February 17, 2016

When U.S. Magistrate Sheri Pym ruled that Apple must help the FBI break into an iPhone belonging to one of the killers in the San Bernardino, Calif., shootings, the tech world shuddered.

Why? The battle of encryption “backdoors” has been longstanding in Silicon Valley, where a company’s success could be made or broken based on its ability to protect customer data.

The issue came into the spotlight after Edward Snowden disclosed the extent to which technology and phone companies were letting the U.S. federal government spy on data being transmitted through their network.

Since Edward Snowden’s whistleblowing revelations, Facebook, Apple and Twitter have unilaterally said they are not going to create such backdoors anymore.

So here’s the “backdoor” the FBI wants: Right now, iPhone users have the option to set a security feature that only allows a certain number of tries to guess the correct passcode to unlock the phone before all the data on the iPhone is deleted. It’s a security measure Apple put in place to keep important data out of the wrong hands.

Federal prosecutors looking for more information behind the San Bernardino shootings don’t know the phone’s passcode. If they guess incorrectly too many times, the data they hope to find will be deleted.

That’s why the FBI wants Apple to disable the security feature. Once the security is crippled, agents would be able to guess as many combinations as possible.

Kurt Opsahl, general counsel for the Electronic Frontier Foundation, a San Francisco-based digital rights non-profit, explained that this “backdoor” means Apple will have to write brand new code that will compromise key features of the phone’s security. Apple has five business days to respond to the request.

What does Apple have to say about this? Apple CEO Tim Cook said late Tuesday that the company would oppose the ruling. In a message to customers published on Apple’s website, he said: “We can find no precedent for an American company being forced to expose its customers to a greater risk of attack. For years, cryptologists and national security experts have been warning against weakening encryption. Doing so would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data.”

Back in December, Cook defended the company’s use of encryption on its mobile devices, saying users should not have to trade privacy for national security, in a broad interview with 60 Minutes. In the interview, Cook stood by the company’s stance of refusing to offer encrypted texts and messages from users.

What does this mean for the next time the government wants access? The order doesn’t create a precedent in the sense that other courts will be compelled to follow it, but it will give the government more ammunition.

What do digital rights experts have to say? There are two things that make this order very dangerous, Opsahl said. The first is the question it raises about who can make this type of demand. If the U.S. government can force Apple to do this, why can’t the Chinese or Russian governments?

The second is that while the government is requesting a program to allow it to break into this one, specific iPhone, once the program is created it will essentially be a master key. It would be possible for the government to take this key, modify it and use it on other phones. That risks a lot, that the government will have this power and it will not be misused, he said.

And the lawmakers? Well, they are torn. Key House Democrat, Rep. Adam Schiff, D-Calif., says Congress shouldn’t force tech companies to have encryption backdoors. Congress is struggling with how to handle the complex issue.

On the other side of things, Senate Intelligence Committee Chairman Richard Burr, R-N.C., and Vice Chair Dianne Feinstein, D-Calif., say they want to require tech companies to provide a backdoor into encrypted communication when law enforcement officials obtain a court order to investigate a specific person.

What now? This could push the tech companies to give users access to unbreakable encryption. To some extent, it’s already happening. Companies like Apple and Google — responding to consumer demands for privacy — have developed smart phones and other devices with encryption that is so strong that even the companies can’t break it.


How Justice Scalia Defended Your Digital Privacy—and Also Held It Back

February 15, 2016

A new Supreme Court justice could tip the scales away from the controversial third party doctrine.

The passing of Justice Antonin Scalia has brought a wave of speculation about current and future U.S. Supreme Court cases. One area where there might be a significant impact will be the 4th Amendment, which provides the primary constitutional protection against government surveillance and information gathering. A new justice could usher in a dramatic expansion in 4th Amendment protections against government surveillance.

Justice Scalia was not antagonistic to the 4th Amendment, and in many cases he supported 4th Amendment protections. Most notably, in Kyllo v. United States, 533 U.S. 27 (2001), Justice Scalia wrote for the majority in a 5-4 decision holding that the 4th Amendment required a warrant to use thermal sensors to detect heat patterns emanating from inside a home. Justice Scalia also wrote the majority opinion in United States v. Jones, 132 S. Ct. 945 (2012), holding that the police needed a warrant to affix a GPS surveillance device to a car.

Kyllo and Jones are two of the most important U.S. Supreme Court cases of this century involving technology, and both come out in favor of 4th Amendment protection. So why would a new justice potentially lead to more 4th Amendment protection?

Justice Antonin Scalia Speaks with Staff at the U.S. Mission in Geneva. Photo via WikiCommons

The reason is that Justice Scalia had a narrow view of original intent. Kyllo turned heavily on the fact that the thermal sensor was used on a home—the quintessential private place to the Framers of the Constitution. Scalia’s opinion in Jones turned on the placement of the GPS device on a car—a trespass to a person’s property. Hearkening back to a very old test for when a search falls under the scope of the 4th Amendment, Justice Scalia focused on the fact that putting the device on the car was a physical trespass. This led to a very narrow holding. Five justices in concurring opinions suggested a much broader approach, holding that people had a reasonable expectation of privacy in not being exposed to very extensive surveillance—even in public.

THE COMING DEMISE OF THE THIRD PARTY DOCTRINE

The first issue in a 4th Amendment case is whether a particular instance of government surveillance or data gathering activity even falls under the 4th Amendment’s scope. If the 4th Amendment is implicated, then the 4th Amendment generally provides protection by requiring the government to obtain a warrant supported by probable cause—the government must justify its search, and the judiciary evaluates. Searches are circumscribed and limited. The prevailing test for whether the 4th Amendment applies is whether there is a reasonable expectation of privacy in what the government is searching.

When the 4th Amendment applies, a warrant and probable cause aren’t always required—there are a lot of exceptions—but if the 4th Amendment doesn’t apply, then there is often no protection at all against a particular instance of government surveillance unless there is a federal statute restricting it. State constitutions and state statutes can limit state law enforcement, but not federal officials. An enormous amount of government surveillance and information gathering is not regulated by federal statute, so if the 4th Amendment doesn’t apply, there might be nothing to require any oversight or limitation on these government surveillance powers. Thus the determination of whether certain government surveillance measures fall within the scope of the 4th Amendment is often one of enormous significance.

A new justice replacing Justice Scalia might take a more expansive approach to the applicability of the 4th Amendment, and be the vote that tips the scales against a controversial doctrine that has dramatically limited the scope of the 4th Amendment in the digital age: the third party doctrine.

Under the third party doctrine, the U.S. Supreme Court has held that there is no reasonable expectation of privacy for information known or exposed to third parties. In United States v. Miller, 425 U.S. 435 (1976), the Court held that there is no reasonable expectation of privacy in financial records maintained by one’s bank because “the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.” In Smith v. Maryland, 442 U.S. 735 (1979), the Court concluded that there was no reasonable expectation of privacy when the government obtained a list of phone numbers a person dialed from the phone company because people “know that they must convey numerical information to the phone company” and cannot “harbor any general expectation that the numbers they dial will remain secret.”

The implications of the third party doctrine for the digital age are enormous. Today, so much of our data is maintained by third parties. Countless companies maintain records about us. We store documents and photos with cloud service providers. Credit card companies keep detailed records about our purchases. Our location information is available to telecommunications companies. Our Web surfing activity is in the hands of ISPs. Merchants such as Amazon.com have records about our purchases of books and movies and other things. The government no longer needs to enter a person’s home to learn about that person—the books that person is reading, the person’s communications, hobbies, interests, intellectual exploration, and more can all be learned from third party records. I wonder whether the justices writing in the 1970s had any idea of how profound the implications of the third party doctrine would be in today’s age.

The third party doctrine is one of the main reasons why the 4th Amendment has often not had much relevance when digital data is involved. Several courts have held that broad government surveillance programs, including some of the NSA’s surveillance programs, escape the reach of 4th Amendment protection due to the third party doctrine.

A GPS tracking device like that involved in the Jones case. Photo via iFixit

Justice Scalia’s opinion in Jones actually provides very little protection against government location tracking. Only the physical affixing of a GPS device to a car violates the 4th Amendment according to his view. But under the third party doctrine, the government can readily obtain GPS data from third parties that provide GPS services without a physical trespass to the car. People’s location can also be tracked from their phones. Scalia’s view misses a key fact: It’s not the device that matters; it’s the data.

Jones is a bizarre case because five justices wrote or joined concurring opinions that suggested a much bolder approach to the reasonable expectation of privacy. Until Jones, U.S. Supreme Court cases had generally held in a rather binary way that there is no reasonable expectation of privacy from surveillance in public places. The five concurring justices articulated a different view that extensive surveillance—even in public—could fall under the scope of the 4th Amendment.

Justice Sotomayor, writing a solo concurring opinion, explicitly called the third party doctrine into question. She stated that “it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily exposed to third parties. This approach is ill suited to the digital age.”

The other concurring opinion, authored by Justice Alito, doesn’t say anything about the third party doctrine. My sense is that Justice Alito might be tepid about how far he would expand 4th Amendment protection. The other three justices joining Alito’s concurrence—Justices Ginsburg, Breyer, and Kagan—all might be good candidates to join Justice Sotomayor in reversing the third party doctrine sometime in the future. One more vote is needed for five votes, and that could be the demise of the third party doctrine.

The end of the third party doctrine would herald a dramatic increase in 4th Amendment protection in today’s digital age. The third party doctrine is, in my view, the most significant and wrongheaded impediment to effective 4th Amendment regulation of government surveillance. (For more about my concerns about the third party doctrine, see my 2002 Southern California Law Review article, Digital Dossiers and the Dissipation of Fourth Amendment Privacy.)

CLAPPER AND NSA SURVEILLANCE

Another key case turning on Justice Scalia’s vote was Clapper v. Amnesty International, 568 U.S. __ (2013). There the Supreme Court held, with Justice Alito writing for the majority, that plaintiffs lacked standing to challenge NSA surveillance because they couldn’t know for sure that they were subjected to it. The fact of whether they were under surveillance was classified, so the government had quite the chutzpah to argue that the plaintiffs’ case should be dismissed because they couldn’t prove they were under surveillance.

The plaintiffs put forth evidence that they were very likely under surveillance and claimed that they were harmed because they had to expend time and money to take measures to avoid the surveillance. The U.S. Supreme Court held that they failed to show the required injury for standing because they couldn’t confirm the surveillance with certainty and their evasive measures were just an attempt to “manufacture standing based on hypothetical future harm.” Justice Scalia was in the majority. Justices Breyer, Ginsburg, Sotomayor, and Kagan dissented. So a change in Scalia’s vote would mean the case would come out the other way 5-4.

NSA Utah Data Center. Photo via Parker Higgins / EFF
A different outcome on Clapper would have a significant impact on future cases challenging government surveillance. It would also have an impact on data breach litigation cases, which often cite to Clapper to hold that plaintiffs whose data is compromised in a data breach lack standing to sue because they are not yet harmed.

But would the Supreme Court overrule Clapper so soon after it was decided? Ironically, perhaps, Justice Scalia would have no problem with that.

Dissenting in South Carolina v. Gathers, 490 U.S. 95 (1989), Justice Scalia wrote:

Overrulings of precedent rarely occur without a change in the Court’s personnel. The only distinctive feature here is that the overruling would follow not long after the original decision. . . . Indeed, I had thought that the respect accorded prior decisions increases, rather than decreases, with their antiquity, as the society adjusts itself to their existence, and the surrounding law becomes premised upon their validity. The freshness of error not only deprives it of the respect to which long established practice is entitled, but also counsels that the opportunity of correction be seized at once, before state and federal laws and practices have been adjusted to embody it.
The U.S. Supreme Court appears to be very close to making some dramatic changes in 4th Amendment law. With Justice Scalia’s passing, a sometimes-champion of the 4th Amendment has been lost. Will the next justice also have a narrow version of originalism or will he or she have a more progressive approach? If the latter, we might see some dramatic shifts in 4th Amendment protection of government surveillance.

Daniel J. Solove is the John Harlan Marshall Research Professor of Law at the George Washington University Law School. He founded TeachPrivacy, a company providing privacy and data security training.


According to these court documents, turning your phone on is consent to being tracked

February 12, 2016

In 2014, Baltimore Police obtained a warrant for the arrest of Kerron Andrews for attempted murder. To find him, law enforcement requested a pen register to record his location data and all outgoing phone calls. The request, however, didn’t ask about using a Hailstorm (a type of Stingray — a bulk collection device meant to intercept data meant for cell towers) to collect this data.

The police used it anyway.

Warrantless bulk collection by use of a Stingray isn’t anything new. The secrecy is often due to an NDA (like this one) between law enforcement and the FBI itself.

After learning about the non-disclosure of the use of a Stingray, a judge concluded the police had violated Andrews’ Fourth Amendment right and granted the defense’s request to suppress the evidence collected by the Stingray.

But here’s where it gets interesting.

The state appealed the decision.

It argued that the court erred in its original ruling by claiming that Andrews voluntarily shared his cellphone information with law enforcement (and other third parties) when he turned the phone on.

This is dangerous precedent.

If the Maryland court overturns the ruling and says that the suppressed evidence collected by the Stingray device is admissible, look for other state courts to begin citing this ruling when justifying the use of bulk collection tools without a warrant.

For now, just revel in the fact that, according to the State of Maryland, turning your phone on is giving implicit consent to being tracked.


February 8, 2016

By AppleInsider Staff
Monday, February 08, 2016, 07:22 am PT (10:22 am ET)

When it comes to the privacy and security of user data, the Apple Watch and its accompanying software ecosystem are the most well-designed products in the wearable marketplace, a new study shows.
Bluetooth privacy protections — or lack thereof — were central to the study’s findings. Of the eight devices tested, Apple’s wearable was the only one which regularly altered the MAC address broadcast by its Bluetooth radio.

Randomization of the MAC address on Bluetooth Low Energy products is accomplished by a BLE feature known as “LE Privacy.” This is important, because unpaired Bluetooth products are designed to send “advertising” packets at regular intervals for discovery — that’s how your iPhone knows that there’s a nearby Apple Watch available for pairing.

Without this feature, researchers at Canadian privacy non-profit Open Effect and the University of Toronto note that it’s relatively trivial to track the movements of individual users when their fitness bands are not actively paired with a device.
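
As an added illustration (not code from the article or from the study it describes), the sketch below audits an advertising log from a device you own to see whether it relies on a fixed address or rotates private addresses as LE Privacy intends. The sample observations, the `audit_device` helper and the 15-minute lifetime threshold are assumptions made for this example.

```python
"""Audit whether a BLE device under test rotates its advertising address.

All observations are constructed sample data, not captures from a real
product. Each tuple is (seconds since start, advertiser address written
most significant byte first, TxAdd flag from the advertising PDU header:
True means the address is a random address, False means public).
"""

def classify_address(addr: str, tx_add_random: bool) -> str:
    """Return the Bluetooth LE address kind for an advertiser address."""
    if not tx_add_random:
        return "public"  # fixed, IEEE-assigned
    top_bits = int(addr.split(":")[0], 16) >> 6  # two most significant bits
    return {
        0b11: "random-static",           # fixed at least until power cycle
        0b01: "resolvable-private",      # rotating address used by LE Privacy
        0b00: "non-resolvable-private",  # rotating, not resolvable by peers
    }.get(top_bits, "reserved")

def audit_device(observations, max_lifetime_s=900):
    """Summarise address behaviour in one device's advertising log.

    max_lifetime_s is an assumed audit threshold: the longest time a single
    address may stay in use before the device is flagged as trackable.
    """
    if not observations:
        raise ValueError("no observations to audit")
    first_seen, last_seen, kinds = {}, {}, set()
    for ts, addr, is_random in sorted(observations):
        addr = addr.upper()
        first_seen.setdefault(addr, ts)
        last_seen[addr] = ts
        kinds.add(classify_address(addr, is_random))
    longest = max(last_seen[a] - first_seen[a] for a in first_seen)
    fixed_kind = bool(kinds & {"public", "random-static"})
    return {
        "distinct_addresses": len(first_seen),
        "kinds": sorted(kinds),
        "longest_lifetime_s": longest,
        "trackable": fixed_kind or longest > max_lifetime_s,
    }

# Constructed log: one public address for an hour (documentation MAC range).
FIXED_LOG = [
    (0, "00:00:5E:00:53:01", False),
    (600, "00:00:5E:00:53:01", False),
    (3600, "00:00:5E:00:53:01", False),
]

# Constructed log: resolvable private addresses replaced every few minutes.
ROTATING_LOG = [
    (0, "5A:3C:91:7E:12:08", True),
    (300, "5A:3C:91:7E:12:08", True),
    (900, "63:B1:0D:44:9A:F2", True),
    (1200, "63:B1:0D:44:9A:F2", True),
    (1800, "4F:20:C7:19:E3:6B", True),
    (2100, "4F:20:C7:19:E3:6B", True),
]

if __name__ == "__main__":
    for name, log in (("fixed", FIXED_LOG), ("rotating", ROTATING_LOG)):
        print(name, audit_device(log))
```
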
Contacted by the researchers about the fault, Fitbit noted that compatibility issues within the “fragmented Android ecosystem” prevent them from adding LE Privacy, despite hardware support in their products. Through corporate parent Intel, Basis noted that using the Peak while not paired to a smartphone was an edge case and did not commit to a fix.

None of the other companies in the test — Garmin, Jawbone, Mio, Withings, or Xiaomi — came back with “notable responses.”

In addition to the Bluetooth issues, several companion software packages were found to be insecure. The researchers were variously able to intercept and read fitness data or write false data to disk.

The Garmin Connect app does not use HTTPS for connections, allowing a man-in-the-middle attack to read and write data. A similar attack was possible against Withings’s Health Mate app on Android, while Jawbone’s Up could allow users to send arbitrary fitness data to the cloud, an issue with potentially severe consequences:

“These findings concerning fitness tracker data integrity could call into question several real-world uses of fitness data,” the researchers wrote. “Fitness tracking data has been introduced as evidence in court cases…meaning that at least some attorneys are relying upon generated fitness data as a possibly objective indicator of a person’s activities at a given point in time. For Jawbone and Withings we created fraudulent fitness data which indicated that a passive measuring device, the fitness device, recorded a person taking steps at a specific time when no such steps occurred.”
