Tag Archives: Spying

Another Public Private Partnership Between Police and Hackers

A few days ago I wrote about a public-private partnership between the Russian spy folks and Russian hackers that was uncovered when the Feds indicted two hackers and two Russian spies.  In that case, the hackers gave the Russians the data that they wanted and kept and used the rest for themselves.

Now there are reports of a similar but different arrangement with the Metropolitan Police in London.  These reports are unsubstantiated as of right now.

The anonymous person, who used to work for the intelligence community (or so they say), said it worked this way.

Scotland Yard worked with the Indian police who hired hackers to hack the emails of political dissidents.  The hacked passwords were supposedly then returned to Scotland Yard so that they could then read the emails of environmental campaigners and journalists.  It is not clear how the hackers benefited from this other than for being paid for their work.  How the public-private partnership between the Indian hackers and Indian police worked may come out in the future – or may not.

Some of the passwords were verified by their owners as being their passwords, which certainly adds some legitimacy to the conversation.

The person who reported the crime said that the police had been rummaging through journalists’ and activists’ emails for several years.

The complaint was referred to the Independent Police Complaints Commission (IPCC) and they are reported to be investigating.  The IPCC is already investigating a complaint that the intelligence unit shredded large numbers of documents in 2014 in spite of an order to preserve the documents for review by the court.  The complainer said that documents had been shredded on a far greater scale than the IPCC seems to be aware of.

Lawyers who received the letter in question said it contained 10 userids and passwords and they were able to confirm that five were the correct password for those users and one more was almost identical.

The Metropolitan Police said that they need to keep track of thousands of activists to detect the few bad apples. They didn’t explain HOW they might do that – legal or otherwise.

Combine this with the details that WikiLeaks revealed about CIA efforts to hack into iPhones and there certainly is the appearance of widespread efforts to eavesdrop on people’s emails.

Certainly law enforcement has authority to do a certain amount of eavesdropping, based on a set of rules laid out by law.  Those laws vary from country to country.

On the other hand, there is sometimes a bit of fuzziness as to what is legal and what is not.

It may be easier – although likely much less legal – to obtain the passwords of people they want to monitor, such as journalists, than to get multiple warrants.  It is also likely difficult to get a warrant to monitor the emails of journalists if the journalist is just reporting the news.

For those people who wear tin foil hats (i.e. think the government is out to get them), this is just more evidence that they are right.

For people who just want to increase their level of privacy, using two factor authentication definitely helps to make it more difficult for this tactic to work – at the cost of a little more effort to log in.

For those people who want to go the extra privacy mile, using a solution that encrypts your email from end to end where you keep control of the encryption keys is a more secure solution.  This solution, while significantly improving the privacy of your email, is also significantly more complicated to use.

Email solutions that claim to be encrypted but do not require you to know or manage any encryption keys likely do not provide much additional privacy for a variety of reasons.

Bottom line is that it depends on your level of paranoia and the length that you are willing to go to in order to gain some additional privacy.

For most people, keeping the contents of their email private is, at best, a nuisance.  For other people, including journalists and investigators, privacy likely rises to a higher level.

Certainly interesting.

Information for this post came from The Guardian.


UK “Snoopers Charter” Will Require All Companies To Bake In Back Doors

Britain is following in the United States’ footsteps.  Just like with the U.S. Foreign Intelligence Surveillance Act Court, or FISA Court, the new bill in Britain, called the Snoopers’ Charter by people who don’t like it (and called the Investigatory Powers Bill by the government), would require any company to bake in a back door to hack their users. Most importantly, as with US FISA Court orders, the company would be prohibited from publicly challenging the order or even telling users that it has added a back door.

The British call it a technical capabilities notice rather than calling it a demand to secretly spy on your customers, but by either name it is still eavesdropping.  The bill as it is currently written says that anyone who receives one of these notices is under a duty not to disclose either the contents or existence of that notice.

With the exception of companies that have fewer than 10,000 users, all companies will be required to provide a permanent technical capability to spy on their customers.  Smaller companies will be required to build such a capability if the government asks.

The bill also allows the government to serve a warrant on a software company outside the U.K. to spy on its customers if asked to.  It would seem that their ability to enforce such a warrant is limited.  Say they want Daesh (ISIS) to build them a back door.  It is not clear exactly who they would serve it on, but it is pretty clear it would be ignored.  In fact, since the Germans, for example, have stated clearly that they do not support such a law, it could be hard to enforce in Germany.

The British government could try to stop users from downloading German or other software, but that is likely hard to do unless they disconnect from the Internet, which would likely cause bigger problems for the British economy.

The British Parliament committees who have looked at this bill have had significant concerns and since the process of legislating in the U.K., like in the U.S., is similar to watching sausage being made (i.e. somewhat nauseating), we shall see what comes of this.

Information for this post came from Tech Crunch.


New York tracks you by your license plate – and keeps it

According to an item in USA Today, counties in New York State not only snap pictures of your license plate, but keep them in a database with date-time and location information.

The data is accessible by police throughout the state as well as the Department of Homeland Security.

If you take a bunch of pictures of your license plate at different times, you can piece together a picture of where you go, what you do and who you connect with.

I suspect that the courts will say that when you are out and about you have no reasonable expectation of privacy.  You and I might view it differently, but I doubt the courts will.

Here is the interesting part of this.  While the cameras can be used to ferret out stolen cars, wanted people and expired license plates, that group, collectively, probably represents 1/100th of 1 percent of the pictures taken.  The rest are people going about their daily business, not committing a crime and being watched.

There is no central database;  each county does their own thing and there are no statewide rules about it.

Here is a little data:

  • Monroe, Albany, Westchester and New York City keep the data for 5 years.
  • The New York State Police keeps the data for 5 years also.  They have 140 cameras.
  • Erie and Onondaga counties keep the data for 1 year.
  • Monroe county had 3.7 million snapshots as of last week.
  • Onondaga county had 5.2 million as of a couple of weeks ago.
  • Albany county, where the state capital is, had 37 million pictures.
  • Erie county said they have the capacity to store 12 million pictures and plan to add more storage.
  • Most agencies declined to say how many pictures they had.

In a sense, this is like the NSA – no rules, no watchdogs, no transparency – just trust us.

To me, that doesn’t seem like a really good plan – just saying!

 

 
