Tag Archives: Privacy

The Spy Among Us

Multiple sources are reporting a feature of iPhone apps that is a major privacy concern.  This is not new and it also is an issue on Android phones, but, for some reason, everyone seems to be highlighting the problem with iPhones.  PERHAPS, that is because it it is being exploited in the wild on iPhones – I don’t know.

The short version goes like this –

IF you EVER allow an app to access your phone’s cameras, you have lost control of it.  That app can access your camera – both front facing and rear facing – whenever it wants to.  It does not have to ask you to access the camera.

You are trusting that app not to abuse that trust.

Actually, it kind of depends on whether YOU installed the app or someone else installed it – with or without your knowledge.  For example, here are 5 spying apps that people intentionally install.  It may be a parent or a spouse, but it is likely not you who installed the app.  Sometimes parents want to track what their kids are doing.  Sometimes a spouse wants to spy on their significant other.

The app could upload the photos to the net and/or it could process the images – say to examine your facial images as you look at the screen.

One part of the problem is that there is no indication that the camera, front or back, is on.  As a side note, while there is a light on many PCs indicating the camera is running, that is a bit of software and the camera COULD be turned on without the light being on.

Apple (and Google) could change the camera rules and require the user to approve camera access every single time the camera wants to turn on – but that would be inconvenient.

One of my contacts at the FBI forwarded an alert about this today, so I suspect that this is being actively exploited.

The FBI gave a couple of suggestions –

  1. Only install apps from the official app store, not anyplace else.
  2. Don’t click on links in emails

In reality, the only recommendation that the FBI made that will actually work is this next one:

3. Place a piece of tape over the front and rear camera.

Ponder this thought –

The camera sits on your table in front of you;  it is in your bedroom, potentially capturing whatever you do there; it is in your bathroom. You get the idea.

Just in case your were not paranoid enough before.

Information for this post came from The Hacker News and The Register.

Facebooktwitterredditlinkedinmailby feather

How To Digitally Erase All Your Stuff When You Quit Your Job

Wired ran a piece a few weeks ago with the title of this post.  An alternative title might be “How to get yourself arrested and prosecuted“.

While Wired’s heart was in the right place, they probably should have consulted an attorney before they published the article.

The basic premise of the article is that you should copy all of your personal stuff off your work computer and then wipe your work computer.

The problem is that your work computer is not your property and wiping it could be considered destroying company property and you could be prosecuted under any of a number of laws.  You could be liable for all of the costs to reconstruct the data that was stored on your computer.

That being said, lets look at what they suggested:

  1. Before wiping out your computer entirely, make sure to back up anything important.  PDFs, photos, your resume, anything dear to your heart.  Do it with a flash drive or USB disk.

The problem is that this is about protecting YOUR stuff and not your employer’s stuff.  And, if you do this without your employer’s permission you could be ACCUSED of stealing company information – even if you didn’t.  Remember, being charged with a crime is different than being convicted, other than both will cost you a lot of money, damage your reputation and distract your attention from a new job.

2, Check USB slots for cables, flash drives, etc.

That is probably OK as long as you only take stuff which is yours, personally.

3. Shut down your Voicemail.  Record a new greeting telling people that you left the company and who to bug.  Delete all the messages in your voicemail inbox.

Don’t do this unless your employer approves.  Those voice mails are not your property – they belong to the company.  Ask your employer what they want you to do regarding your voice mails.  More than likely they will want you to preserve them until they have a chance to go through them.  They may or may not want to make your departure public right now, so they may not want you to change your greeting.  In any case, it is their choice, not yours.

4. Shut down your email.  Delete all your emails.  In Wired’s defense, at least here they say make sure it is within your company’s policies to do so.

I doubt your company is going to want to you to delete ANY emails.  They are going to want to back everything up first, then probably they are going to want to go through them.

5.  Wipe your computer.  Wipe the puppy clean, they say.

I say that doing this could subject you to a felony.

6. Wipe your phone.  Here they are partially right.  If the phone is your property, the company cannot tell you what to do with it, but if it is yours, you are probably not going to want to wipe it.

If it is company property, you don’t have the right to destroy the data on it.  Again, potential felony charges, depending on how much it costs the company to reconstruct the data and if they consider it willful destruction of company property or sabotage.

7.  Log out of any applications like Slack, Hipchat or your browser.

I think this one is safe.  If it a company account, they will have the means to log back in.

Bottom line, if the device is owned by the company, coordinate with your manager, HR and/or IT.   If in doubt, don’t do it.  If you own the device you have a lot more latitude in terms of what you can do with it.

One simple way to do things, if your company allows it, is to store YOUR stuff on your own personal flash drive.  Also don’t comingle work and personal email messages.  Keep personal personal and work work.  That way, you don’t store anything on the company computer and you don’t have to remove anything.  Don’t log on to your personal email or social media accounts from your work computer.  Remember, even if log out from social media or email accounts or delete your social media and email passwords, your company may have them anyway in a variety of different ways.

If in doubt, contact an attorney.  Before you act.

Information for this post came from Wired.

 

Facebooktwitterredditlinkedinmailby feather

Google To Appeal Court’s Order To Disclose Emails Stored Abroad

Google has been ordered by a magistrate judge in Philadelphia to turn over emails stored abroad.  While we don’t have all the details of the case, it appears to be related to a domestic fraud case.

The emails in question are stored in a foreign country.  The case is a domestic case.

Last summer, the Second Circuit Court of Appeals agreed that Microsoft did not have to turn over emails stored in Ireland.  The court’s logic was that U.S. law does not apply in foreign countries.

In this case, a magistrate judge (a much lower level court proceeding than an appeals court) said that Google did have to turn over emails stored in a foreign country.  The magistrate’s logic is, in my opinion, somewhat convoluted.  The judge said that since Google could take those emails stored internationally and electronically copy them to the United States and then hand them over to U.S. authorities in California, the search would occur in the United States and, somehow, would not violate foreign laws.

By this logic, U.S. authorities could demand a U.S. based corporation to violate international law at any time by telling the U.S. company to bring data stored in a foreign country back to the U.S. and give it to U.S. authorities, here.

Google has said that it will appeal this order.  If this order stands, U.S. based tech businesses run the risk of being charged with crimes in foreign countries and also run the risk of losing the business of international customers.  This is the rock and a hard place that Google (and Microsoft) are stuck between.

Absent an order from a court of competent jurisdiction in a foreign country to turn over data, Google would potentially be in violation of laws such as the EU’s General Data Protection Regulation.

From a user’s standpoint, in many cases the owner of the email would not even be informed of the court order, since the order is often sealed, sometimes forever,  sometimes for years.

The only way a user has any control over the situation is if the data is encrypted from end to end AND the provider does not control the encryption keys.  Absio Dispatch is an example of an email solution that allows for this; Threema is an example of a messaging application that works this way.

None of the big commercial email applications such as GMail, Yahoo Mail, and Microsoft  Office 365 meet these requirements.

For most users, this is a matter of convenience,  and they don’t worry about the government reading their mail.

For other users, this is a matter privacy and they don’t want the government poking their nose in their private matters.

The good news is that there are options and if it matters to you you can choose whether you want to do something about it or not.  However, if you do want to do something, you need to understand that it will require change for you and your communication buddies.

Information for this post came from the Telegraph.

Facebooktwitterredditlinkedinmailby feather

What You Say Can Be Used Against You

The 5th Amendment to the U.S. Constitution guarantees that you cannot be forced to testify against yourself.

All that is about to change and I don’t mean that the Constitution is going to change.

Like the Apple-FBI fight earlier this year, Amazon is in a fight with the law and I don’t think it is going to come down the same way.

In Apple’s case, the Feds invoked a 200+ year old law to try and get Apple to develop new software to hack one of their phones.

In this case, police in Arkansas want Amazon to turn over the data from a defendant’s Amazon Echo that Amazon already has in its possession.  Amazon, so far, has refused to turn over the data.  Since the Echo doesn’t have a right against self incrimination or the incrimination of its owner, I am not clear what Amazon’s plans are.

They have already turned over purchase records and other account information – just not the data from the defendant’s Echo.

Amazon says that it will only turn over the data upon presentation of a proper warrant – one that is valid and legally binding, not overly broad or otherwise inappropriate – whatever that means – they are not explaining, but I am sure they will explain, eventually, to the court.

The case in question is a murder case.  A friend of the defendant’s was found floating in the defendant’s hot tub, somewhat worse for the wear – i.e. dead.

The police want to hear what he told his Echo and what his Echo told him.

The police already know, they say, how much hot water he used – due to a smart water meter.

I think, eventually, Amazon will turn over the data.  Whether the defendant asked his Echo “Hey Amazon, how do I kill my friend” or “Hey Echo, Can I get bleach from Amazon today?”

But what is going to be true in the future is that there is an amazing amount of data about you that can be used against you.

Whether it is GPS data from your phone, location and other data from your car or information from your water meter, there is an amazing amount of data about you.

Your smart TV is listening. Maybe so is your baby monitor.

Consider that many people have Echos in their bedrooms.  Then consider what might be said in your bedroom.  Do you want to reconsider whether that Echo in your bedroom is a good idea?

Some people have webcams inside their house.  More amazingly, some people have webcams in their bedrooms (there was a recent story about a webcam in a Houston family’s kid’s bedroom that went viral on the Internet, no doubt with some inappropriate footage.

The framers of the Constitution never considered that there would be an Internet of Things and the implications thereof.

This case is a murder case and I am sure that Amazon is grandstanding to make sure that its customers understand that it takes privacy seriously, but I predict they will turn over the data.

You may recall a couple of months ago the Director of National Intelligence said that he didn’t care much about encrypted phones because there was so much other data available for them to hack.

Guess what he was talking about?  Yup, that is it.

And while the NSA has some of the best and the brightest in terms of  hacking into devices, if recent news accounts of various IoT breaches are any indication, hacking many of these devices is like taking candy from a baby.

So while we do not know how the Amazon story will wind up, it is different than the Apple story because Amazon CAN turn over the data.

Here is an interesting question.  What if Amazon does not want to turn over the data because they are collecting more data than we think they are?  I know that borders on conspiracy theory, but ….

And, of course, subpoenaing your water heater is not limited to murder cases.  It certainly could apply to civil lawsuits as well.

Consider this.  Could your Amazon Echo testify against you in a divorce case?  Or your webcams?  Or any other appliance in your house.  Or even your car.  There is a lot of data in them there devices.

And, for those of you with legal expertise, ponder this.  In both criminal and civil cases, parties may have a “duty to preserve”, meaning that you are not allowed to destroy (read: delete) any evidence that may be relevant to the case.

How, exactly, do you preserve the data in your water heater?

Do you even know what data might exist in smart devices?

What if the data is stored in the cloud?  By a third party.  Do you even have the ABILITY to preserve it?  Who pays to preserve it?

There is NO legal precedent in this area of law.

Could you be held in contempt or lose a case because you didn’t preserve the data in your smart TV?  Seems far fetched, but I promise you, at some point, it WILL come up.

Just food for thought.

Information for this  post came from International Business Times.

Facebooktwitterredditlinkedinmailby feather

Your Tweets Could Affect Your Insurance Rates

While the big data vs. insurance rates battle is in its infancy, that does not mean that insurers don’t have plans.  They do.

Some are already using data from consumers to affect rates.  Some insurers say that the data that consumers give them could lower rates and SOME insurers say that the data won’t be used to raise rates.  Since this is still in its infancy, don’t count on those statements for much.

Swiss Re, one of the biggest reinsurers (the insurance companies’ insurance company) just bought digi.me .  Digi.me is currently allowing consumers to aggregate data in their system .  That data will be shared with businesses to give consumers targeted ads and discounts.  At least for now.

Discovery’s Vitality program collects diet, exercise and other information.  Make the “right” choices and you might get a premium discount or cash back.  Make the wrong choices and…

Allstate’s Drivewise gives drivers who install a gizmo in their car which sends driving data to Allstate discounts if you drive “appropriately”.  That is only a short step from penalizing you if you drive like Mario Andretti.

They could also use people’s public social media posts to affect rates too.  Have a salad for dinner and get discount points.  Have a burger and beer and your rates go up.

Refuse to share data and maybe you can’t get insurance at any price.

There are very few laws in the United States that control what insurance companies can do with “public” data or even data that they buy from the likes of R.L. Polk (owned by IHS now), A.C. Nielsen and others, each of which have data on tens of millions of people.

Also remember that the Internet never forgets.  Even if you improve your behavior, that data is still there in those databases.  Articles that I wrote in the 1990s are available.

And with things like smart TVs and smart refrigerators, what you eat and what you watch might affect your ability to get insurance.  Or your rates.

This is complete conjecture at this point but I sure wouldn’t rule it out.

Information for this post came from Reuters.

Facebooktwitterredditlinkedinmailby feather

New York tracks you by your license plate – and keeps it

According to an item in USA Today, counties in New York State not only snap pictures of your license plate, but keep them in a database with date-time and location information.

The data is accessible by police throughout the state as well has the Department of Homeland Security.

If you take a bunch of pictures of your license plate at different times, you can piece together a picture of where you go, what you do and who you connect with.

I suspect that the courts will say that when you are out and about you have no reasonable expectation of privacy.  You and I might view it differently, but I doubt the courts will.

Here is the interesting part of this.  While the cameras can be used to ferret out stolen cars, wanted people and expired license plates, that group, collectively, probably represents 1/100th of 1 percent of the pictures taken.  The rest are people going out about their daily business, not committing a crime and being watched.

There is no central database;  each county does their own thing and there are no statewide rules about it.

Here is a little data:

  • Monroe, Albany, Westchester and New York City keep the data for 5 years.
  • The New York State Police keeps the data for 5 years also.  They have 140 cameras.
  • Erie and Onondaga counties keep the data for 1 year.
  • Monroe county had 3.7 million snapshots as of last week
  • Onondaga county had 5.2 million as of a couple of weeks ago
  • Albany county, where the state capital is, had 37 million pictures
  • Erie county said they have the capacity to store 12 million pictures and plan to add more storage.
  • Most agencies declined to say how many pictures they had.

In a sense, this is like the NSA – no rules, no watchdogs, no transparency – just trust us.

To me, that doesn’t seem like a really good plan – just saying!

 

 

Facebooktwitterredditlinkedinmailby feather