HazDat
27Jan/11

Mixed Messages: US Govt. Tells Companies to Collect User Data, But Not To Use It

Last month the US Federal Trade Commission testified before Congress in order to establish "Do Not Track" legislation, challenging companies to either self-regulate, or face potentially stiff laws prohibiting the tracking of Internet users. This week the US Department of Justice testified before Congress to establish regulations requiring data retention for the purposes of investigation and prosecution.

"Data retention is fundamental to the department's work in investigating and prosecuting almost every type of crime," US deputy assistant attorney general Jason Weinstein told a congressional subcommittee on Tuesday. "In some ways, the problem of investigations being stymied by a lack of data retention is growing worse." Weinstein acknowledged that greater data retention requirements raise legitimate privacy concerns but "any privacy concerns about data retention should be balanced against the needs of law enforcement to keep the public safe."

Emphasizing the vast disparity between the testimony of these two Federal organizations is the following statement from the FTC's own prepared statement to Congress expressing a principle of "reasonable security and limited retention for consumer data" among companies collecting sensitive data.

"A key to protecting privacy is to minimize the amount of data collected and held by ISPs and online companies in the first place," according to John Morris, general counsel at the non-profit Center for Democracy & Technology. "Mandatory data retention laws would require companies to maintain large databases of subscribers' personal information, which would be vulnerable to hackers, accidental disclosure, and government or other third party access."

The DOJ's request would require "an entire industry to retain billions of discrete electronic records due to the possibility that a tiny percentage of them might contain evidence related to a crime," says Kate Dean, executive director of the Internet Service Provider Association. "We think that it is important to weigh that potential value against the impact on the millions of innocent Internet users' privacy."

27Jan/11

Unlike: Facebook’s Plan To Turn YOU Into A Spokesperson

The funny thing about world-domination is that even when you achieve it, you still have to finance it. Maybe that's why Facebook keeps coming up with crazy money-making schemes.

Last week it was disclosing users' addresses and phone numbers to third parties. The latest puts you in the role of company spokesperson by turning your "likes" and "checkins" into sponsored ads on your friends' pages--without your consent. Currently there is no way for users to disable this "feature".

Read more at http://news.yahoo.com/s/ap/20110126/ap_on_hi_te/us_tec_facebook_ads

13Jan/11

Privacy Law’s Gone Ex Parte Like it’s 1986…or 1984

A byproduct of life in the 21st century is that many of the perks of a post-centennial lifestyle require the abdication of a fair bit of privacy to cyberspace. That means that the paper records that once required a search warrant to read (and maybe the forceful extraction from your cold-dead-hands), are now in the possession of companies who don't. Of course there's Facebook and Twitter. Those didn't exist in the 20th century. But, what about your phone records and email? While your phone company has long been subject to a warrant or subpoena, in the 21st century new "self-service" tools have been developed to help telcos manage the onslaught of requests made particularly attractive by the fact that most of us carry what amounts to a homing-beacon in our pockets. Similarly, while email has always been an attractive source of discovery, until recently most of it resided on each correspondent's physical, and virtual, desktop waiting to get written-over by something more current. Today, it's more likely been put out to pasture in a seemingly-endless "server farm", waiting to be picked by a custodian of records.

Even our personal computers, which have always required a search warrant, and often require a cascading series of search warrants covering various regions of storage space and categories of searches, are rapidly being replaced by windows to the web -- sleek sheets of glass and sculpted-aluminum that act as a portal to your virtual existence. Like a supermodel, these tablets are thin and beautiful, but two-dimensional, with very little substance inside. What makes these devices a reality today is a combination of near-ubiquitous Internet connectivity and access to your personal online data once it's established. Even the notion of "backing up" is becoming a thing of the past, because the data you see, isn't really here. It's somewhere else, presumably safe from destruction, but not necessarily from dissemination. Like many things in life, it's a trade-off.

But, not when it comes to fighting crime. The shift of discovery from physical space to cyberspace is a decided advantage for law enforcement. In fact, Google reports that it responded to more than 4200 discovery requests in the first half of 2010 alone. One of the reasons these requests have become so popular is that online data is easier to seize than a laptop, and often much more useful. Much of what can be had requires no search warrant at all, and thanks to online tools, can be had without even so much as contacting the service provider. Why? Because, unlike the data on your hard drive, you don't necessarily own your data when it's stored in cyberspace.

The Electronic Communications Privacy Act was enacted by Congress in 1986 -- long before most people had access to the Internet, email, or a cellphone. When Mark Zuckerberg's only friends were his stuffed animals. Mind you, it was revolutionary for its time -- enacted to extend government restrictions on wire taps from telephone calls to also include transmissions of electronic data by computer. But, it doesn't address current evolution. Today, far more can be gleaned from a historical records search than any telephone wiretap. Perhaps that's why last year the Department of Justice argued in favor of warrantless email searches. Or why in the same year the DOJ argued that cellphone users had abdicated any expectation of privacy by using a service that stores location data.

Read more at http://www.nytimes.com/2011/01/10/technology/10privacy.html?_r=2&pagewanted=2&ref=technology

11Jan/11

Winona Ryder Fears Accidentally Opting-Into Al Qaeda

Actress Winona Ryder doesn't use the Internet. She just got her first smartphone, but finds it unpredictable. She had a laptop, but rarely used it.

She's fearful of technology. And that just might make her smarter than you.

As evidenced in her "Late Night" interview with Jimmy Fallon, these days, such concerns are the fodder for comedians. It's the current equivalent of being afraid to drive or swim. In the late 20th century, it might have been a fear of handing one's money over to an ATM machine. Or more recently, making a purchase online. But, well over 30,000 people died in car accidents in 2009. Another 24,000 were injured. In a similar period, more than 3000 people died from drowning. Fear is not necessarily a bad thing. Not if it keeps you safe.

Most of us either fear what we don't know, or fear what we do. There's also a whole complicated subset of irrational, or misguided fears that really fall into the first category. According to her own interview, Ryder falls into the former classification.

Ryder told Fallon, "We're a button away from joining Al Qaeda!"

How many times have you accidentally opted yourself into joining a mailing list because you forgot to un-approve your pre-approved consent? What about that time when you accidentally installed a bunch of "trial-ware" that came along with a program you legitimately wanted to use? Somewhere, before or after the end-user-license agreement you didn't read, it may have been an option. In the '90s one of my attorney-clients accidentally sold a good investment when he was dabbling with online day trading. I have met people who accidentally purchased cars on eBay. Meanwhile, I promise (though I don't recommend confirming it) that many forms of contraband are just a few clicks, or even a typo, away from where you sit this very moment. Last summer I gave National Public Radio (NPR) a glimpse into just how easy it can be. Even if you bleed apple pie filling, you're still just a click away from looking like someone else.

I haven't tried it myself, but I'll bet joining Al Qaeda requires, at least, the completion of an annoying CAPTCHA in order to submit a membership application. While I'm sure Ryder has no interest in joining, just the accusation, or even a rumor, that she ever supported a terrorist organization, or had some other frightening interest, could be just as detrimental. Remember Christine O'Donnell, the Republican Party's most famous witch? In some parts of the country that's harder to understand than extremism.

Ryder: "We're a button away from joining Al Qaeda."

Remember, Ryder works in the industry that was most famously asked, "Are you, or have you ever been a member of the Communist Party?"

Maybe -- even if unwittingly -- she's on to something. Maybe we'd have several thousand fewer vehicular deaths every year if more drivers understood the engineering that goes into the highway, or a car, its tires, or even just its brakes and safety systems. Sure, it might scare a few people out of driving altogether. But it might make the rest think a little harder before they accelerated into a turn, or tried to beat a red light across a wet intersection. Maybe, if more people really understood the Internet better before hopping on the "Information Superhighway", law enforcement might have fewer accidents to investigate.

10Jan/11

Filed Under “Things You Thought You Could Take for Granted”: Court Holds there is a Reasonable Expectation of Privacy in the Contents of Emails

Show of hands: How many people have a reasonable expectation of privacy when you send an email? It turns out, as late as December 2010, you may have had no reasonable expectation of privacy when it came to your email correspondence -- at least that was the opinion of the United States Department of Justice (DOJ). And, between your Internet Service Provider's (ISP) Terms of Service (TOS), and the 1986 Stored Communications Act (18 U.S.C. §§ 2701-2712), you may not have under various circumstances.

M. Scott Koller, of McKennon | Schindler in Newport Beach, CA has written a very comprehensive overview of the decision, why it was ever in doubt, and the 1986 act that got us here in the first place.

Read more at http://www.reasonableexpectation.com/2011/01/09/stored-email-protected-by-the-4th-amendment/

10Jan/11

McAfee Predicts Mobile Devices May Be Corporate America’s Real Trojan Horse

If security firm McAfee is right, 2011 may be the year the tablet computer takes over corporate America. Or more specifically, the year the tablet takes over corporate networks. McAfee predicts that the onslaught of consumer-owned and lent smartphone and tablet devices entering and exiting the office space may pose a new unanticipated threat to corporate security. Their concern is that, not only is the consumer largely ill-prepared to secure devices that may amount to a hole in the Trojan wall big enough to drive a wooden horse into, but that the lack of comprehensive security tools designed around the likes of iPhones, iPads and Android devices, leaves them ill-equipped, even if they were prepared. Potentially, this could mean that personal gadgetry may become the host du jour for new infectious computer viruses, malware, and most alarmingly, remote access to the network in the form of "Trojan horses".

While McAfee, one of the world's largest anti-virus software manufacturers, is understandably concerned about the interconnection of consumer-maintained -- and largely unsecured -- devices to more secure corporate networks, I think they may be missing an even bigger threat. While for years USB "thumb drives" have been cheap and affordable, and available in sizes small enough to swallow, they still required the physical removal of data from the premises. This meant exhaustively copying and then walking data out of the building. (See "sneakernet".) And, while every year these storage devices hold more and more data, so does the average corporate server. It's unlikely that portable media will ever quite catch up.

On the other hand, the prevalence of high-powered personal computing devices (yes, I'm talking about your average smartphone) connected to the corporate network allows for more than the immediate transmission of data off the premises. Potentially, even the cheapest, least sophisticated, pre-paid Android phone, left "cradled" overnight to a desktop computer (the same cradle used to charge the battery, and synchronize contacts and calendar events), could allow for unrestricted, unauthorized remote network access over a hard-to-trace personal cellular data connection. Not only is this possible today, but it doesn't require a sophisticated computer virus to accomplish.

Read more at http://www.technewsworld.com/story/71541.html

8Jan/11

Obama Looks to Silicon Valley to Solve Identity Crisis

The federal government thinks identity and passwords need to be fixed to keep the internet healthy, but is declining, thankfully, to try to fix it themselves. Instead, they are pushing internet entrepreneurs to build something robust and open.

Read full article at http://feeds.wired.com/~r/wired/index/~3/3Uts2JG5xFc/

8Jan/11

When it comes to last year’s holiday gifts, Uncle Sam wants to know if you’ve been bad or good. So be good for goodness sake!

Via EFF:

What do an online donation to the International Red Cross, a bank transfer to family members living in Vietnam, and a payment sent through PayPal for an expensive rug in Turkey have in common? The government wants to know about them. And, if new rules proposed by the Financial Crimes Enforcement Network, or FinCEN, go into effect, the government will — along with your name, address, bank account number, and other sensitive financial information.

In September, FinCEN, an agency component of the Department of the Treasury, proposed a set of rules (pdf) that would require banks and money transmitters to report to the government any cross-border electronic funds transfer. Yesterday, we submitted a comment (pdf) opposing the agency’s proposal.

Essentially, under the proposed rules, anytime you electronically transfer money into or out of the country, the government wants to know. The proposed rules require banks and money transmitters, like PayPal or Western Union, to submit reports documenting the amount of money sent or received, where that money came from, and where it is going. Depending on the type of transfer, a variety of information would be included in the reports, including the name, address, bank account number, and taxpayer ID number of the sender; the amount and currency of the funds transfer; and the name and address of the recipient. Passport numbers or alien ID numbers could also be required for some transfers.

The government wants reports on all electronic bank-to-bank transfers, regardless of whether the transfer is $1 or $1,000,000. For money transmitters, reports would be filed for transfers at or above $1,000. FinCEN estimates it will receive 750 million reports every year, and the agency wants to keep the data for ten years. Once the reports are filed with FinCEN, other federal law enforcement agencies — the FBI, IRS, ICE, and the DEA — would all have access to the data.

Shortly after FinCEN announced the rules in September, EFF filed a FOIA request seeking documentation that would justify the agency’s law enforcement need for the regulations. We also sought information demonstrating that FinCEN had taken adequate data-security precautions for handling such a massive amount of sensitive information. The agency produced some records, but the documents provided no evidence that the proposed rules are necessary to deter money laundering and terrorism financing, or that the agency had adequately assessed the privacy implications of the proposed rules.

In our comment, we opposed the rules for three reasons:

1. The new reports are unlikely to be effective in preventing terrorism financing — the primary impetus behind the regulations in the first place.

2. While the agency sought the advice of financial institutions, other law enforcement agencies, and even foreign governments when developing the rule, FinCEN never solicited the opinions of privacy advocates during the drafting process.

3. The agency has not provided any evidence that the technological systems are in place to safely receive, transmit, and store the vast quantities of highly-sensitive information the rules would require.

We strongly oppose the government’s attempt to pry into the sensitive financial dealings of citizens, especially when there is no demonstrated need and no evidence that the agency is equipped to handle that much sensitive information. Comments on the proposed rules are due December 29th, and can be submitted here. We urge you to join us in opposing these intrusive new regulations.

Read full article at http://www.eff.org/deeplinks/2010/12/sending-money-overseas-holidays-government-wants

8Jan/11

Department of Justice Subpoenas Twitter Records of WikiLeaks Volunteers

Via Gawker:

The Department of Justice has subpoenaed many people's Twitter accounts who were associated with WikiLeaks. The subpoena states that there is "reasonable ground to believe that the records or other information sought are relevant and material to an ongoing criminal investigation."

Read full article at http://feeds.gawker.com/~r/gizmodo/full/~3/JyTdxSjSU5o/department-of-justice-subpoenas-twitter-records-of-wikileaks-volunteers

3Dec/10

FTC Want Eat Cookies. Om nom nom nom.

The Federal Trade Commission testified before Congress this week on what it calls "Do Not Track Legislation". According to the FTC's web site, "The testimony describes the FTC’s efforts to protect consumer privacy for 40 years through law enforcement, education, and policy initiatives. It also provides highlights from the FTC staff’s new report on consumer privacy, released yesterday, and proposes a framework to promote privacy, transparency, business innovation, and consumer choice."

The commission suggests that tracking should be controlled at a user (likely browser) level, but could be enacted either via strict legislation or industry-supported self-regulation.

For the most part, the mechanisms utilized by web sites to track user activity are inherent in the browsers themselves, and have retained an element of user-control since their inception. The most common method is through the use of what is known as a "browser cookie"--a small piece of unique data saved by a web site into the web browser for later retrieval. Although users have the ability to "flush" cookies from their browsers, or simply configure the browser not to accept cookies at all, these features tend to be buried well within the browser settings, and difficult for most people to understand. What's worse, enabling such privacy features often renders many web site features semi or non-functional.

The FTC is not calling for specific mandates at this time, but rather for comment.
