Month: February 2015

From your hard drives to your SIM cards: how interesting are you?

Let's see how can we hack these?


Just recently, the Investigatory Powers Tribunal (IPT), the Court that oversees British intelligence services’ activities, declared that the electronic mass surveillance of mobile phones and other private communications data retrieved from USA surveillance programs, such as Prism, conducted prior to December 2014, contravened Articles 8, referring to the right to private and family life, and 10, referring to freedom of expression, of the European Convention on Human Rights.

One is not so optimistic as to expect that this would suffice to make intelligence agencies cease sharing this kind of information, mainly because the same Court already recognized that the current legal framework governing data collection by intelligence agencies no longer violates human rights.

However, the decision was still applauded by many with the expectation that, at least, large-scale uncontrolled surveillance activities would not be so bluntly practiced.

Let’s just say that such expectation did not last long.

According to Kaspersky Lab’s revelations this week, it seems that the NSA was able to hide spying software in any hard drive produced by some top manufacturers such as Toshiba, IBM and Samsung. Consequently, it has been able to monitor a large majority of personal, governmental and business computers worldwide (the businesses including financial institutions and telecommunications, oil and gas, and transportation companies).

Similarly, the Intercept reported that the NSA and GCHQ were able to get access to the encryption keys used on mobile phone SIM cards manufactured by Gemalto, keys which are intended to protect the privacy of mobile communications. Normally, an encrypted communication, even if intercepted, would be indecipherable. That ceases to be the case if the intercepting party has the encryption key, as it is then able to decrypt that communication.

What awe-inspiring ways to circumvent the consent of telecommunications companies and the authorization of foreign governments! Isn’t it dignifying and trustworthy when intelligence services just behave as hackers?

Somehow, and unfortunately, such news almost lacks any surprising effect, considering, well, everything we already know, really… From Snowden’s revelations to the logic-challenging argumentation subsequent to Apple and Google’s plans regarding the encryption of communications…

That said, perhaps we should all feel flattered to be spied upon. After all, as a former NSA Director points out, the agency does not spy on “bad people” but on “interesting people”. Those pretty much convinced – as myself – of being just regular individuals must now be reassured with this extra boost of self-esteem.

A spy in your living room: ‘Tu quoque mi’ TV?

How smart are you?


So, it seems that the room we have for our privacy to bloom is getting smaller and smaller. We already knew that being at home did not automatically imply seclusion. Still, nosy neighbours were, for quite a long time, the only enemies of home privacy.

However, thicker walls and darker window blinds no longer protect us from external snooping as, nowadays, the enemy seems to hide in our living room or even bedroom.

Indeed, it seems that when we bought our super duper and very expensive Smart TV, we actually may have brought to our home a very sneaky and effective – although apparently innocent – spy.

As you may (or may not) already know, TVs with Internet connectivity allow for the collection of their users’ data, including voice recognition and viewing habits. A few days ago many people would have praised those capabilities, as the voice recognition feature is applied to our convenience, i.e., to improve the TV’s response to our voice commands, and the collection of data is intended to provide a customized and more comfortable experience. Currently, I seriously doubt that most of us look at our TV screens the same way.

To start with, there was the realization that usage information, such as our favourite programs and online behaviour, and other information not intended or expected to be collected, is in fact collected by LG Smart TVs in order to present targeted ads. And this happens even if the user actually switches off the option of having his data collected to that end. Worse, the data collected even concerned external USB hard drives.

More recently, the Samsung Smart TV was also put in the spotlight due to its privacy policy. Someone having attentively read the Samsung Smart TV’s user manual, shared the following excerpt online:

To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. (…)

Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

And people seemed to have abruptly woken up to the realization that this voice recognition feature is not only directed to specific commands in order to allow for a better interaction between a user and the device, as it may also actually involve the capture and recording of personal and sensitive information, considering the conversation taking place nearby. No need to be a techie to know that this does not amount to performance improvement. This is eavesdropping. And to make it worse, the data is transferred to a third party.

In the aftermath, Samsung has clarified that it did not retain voice data nor sell the audio being collected. It further explained that a microphone icon is visible on the screen when voice activation was turned on and, consequently, no unexpected recording takes place.

Of course you can now be more careful about what you say around your TV. But as users can activate or deactivate this voice recognition feature, my guess is that most will actually prefer to use the old remote control and to keep the TV as dumb as possible. I mean, just the idea of the possibility of private conversations taking place in front of your TV screen being involuntarily recorded is enough motivation.

Also, it should be pointed out that, considering the personal data involved (relating to an identified or identifiable person), there are very relevant data protection concerns regarding these situations. Can it simply be accepted that the user has consented to the Terms and Conditions on the TV acquired? Were these very significant terms made clear at any point? It is quite certain that users could not have foreseen, at the time of the purchase, that such deep and extended collection would actually take place. And if so, such consent cannot be considered to have been freely given. It suffices to think that the features used for the collection of data are what make the TV smart in the first place and, therefore, the main reason for buying the product. Moreover, is this collection strictly necessary to the service intended to be provided? When the data at stake involves data from other devices or wording other than the voice commands, the answer cannot be positive. And the transmission of personal data to third parties only makes all this worse, as it is not specified under what conditions data is transmitted to a third party or who that third party actually is. Adding to this, if we consider that these settings mostly come by default, they are certainly not privacy-friendly and amount to stealthy monitoring. Last but not least, it still remains to be seen if the proper data anonymisation/pseudonymisation techniques are effectively put in place.

Nevertheless, these situations brought back into the spotlight the risks to privacy associated with personal devices in the Internet of Things era. As smart devices are more and more present in our households, we are smoothly losing privacy or, at least, our privacy faces greater risks. In fact, it is quite difficult to live nowadays without these technologies, which undoubtedly make our lives so much more comfortable and easier. It is time for people to realize that all this convenience comes with a cost. And a high one.

Sex in the city: Is there a reasonable expectation of privacy when having sex with the lights on?

When I read this post I could not help remembering the discussions within the Privacy module of the post grad learning programme I have recently enrolled in. A particular issue discussed was precisely the legitimate expectation of privacy regarding events which take place in public, such as those analysed in the Peck, Campbell or Von Hannover cases.

In the situation at stake, two office colleagues had sex in the workplace premises, with the lights on, having forgotten to pull the blinds down… and therefore in full view of passers-by and the customers of the pub located right across the street, who were able to observe the full scene, unnoticed from the inside.

The events were recorded by many (how useful are Smartphones in these situations!) and uploaded to the Internet. Obviously, it did not take long to spread both on social media and in the press, and very quickly the couple inadvertently became a viral sensation. Their sexual performance has been broadly gossiped about, commented on, assessed and rated. They have been publicly identified since then and details regarding their personal lives have been exposed.

Putting aside other pertinent considerations regarding what internal proceedings the company should take, I would like to focus on the privacy issues at stake.

Our expectation of privacy does not necessarily depend on the place where the events take place. It is not because something happens in a public space or is visible by the public or from a public place that any reasonable expectation of privacy is automatically excluded. It suffices to think that most of our private life, such as conversations or encounters, actually happens in public. How unfortunate would it be if that mere fact would ultimately deprive us of any expectation of living our lives discreetly. It would not be remotely reasonable to accept that people abdicate their privacy expectations once they leave their homes. Especially when, considering all the buzz surrounding smart TVs, our privacy is at risk even in our own households.

In this particular case, it was late in the evening and the couple expected to be alone in the office and away from peering eyes. It is unquestionably a quite different situation from that of having sex in broad daylight in a busy street, which would be more appropriately qualified as exhibitionism.

Moreover, the revealing and intimate nature of the activity cannot be ignored, considering that they were undressed and, well, having sex. I would say with some certainty that it is something that most of us would mind having watched, recorded and commented on, over and over, on a large scale. And, in spite of being something that the public finds interesting, there is certainly not any public interest at stake.

Furthermore, despite acting in plain sight, the couple was absolutely unaware that their activities were being observed, let alone filmed. They did not give their consent – neither explicitly nor implicitly – for their image to be captured. But, more relevant, they were certainly oblivious that those images and recordings would be disseminated on a large scale. To be put within the public eye and the public attention which ensued were neither expected nor desired.

The moral damages at stake are evident. On a personal level, the couple has been publicly exposed, scorned, humiliated and shamed. Their dignity and self-esteem have been incessantly injured. At least for one of them, being married and with children, this exposure has also far more reaching consequences, affecting the family members concerned.

To say that the lesson to be learnt from this is to turn the lights off next time you intend to have sex is the easiest joke to make. However, such situations should not be socially treated so light-heartedly. Namely because with the advanced technologies available, it is getting easier to photograph and record events humiliating for someone. That is how many of the known cyber bullying situations actually start. Technologies are evolving so fast that the general awareness and sensitivity are having a hard time keeping track of the issues at stake.

Perhaps a very good first step would be for people to start accepting that it is not because they can see something, and are able to easily record it and quickly share it online, that it is legitimate to do so. It is so easy to laugh at someone’s expense. And the next big joke could be any of us.

 

The many dangers of the international agreements’ top secret negotiations


One thing we can agree on is that nobody has to know. (Image: copyright by Bigwillyoliver under the Creative Commons Attribution-Share Alike 3.0 Unported licence.)

The EU has been quite active on its external relations through the secretive negotiations for the Transatlantic Trade and Investment Partnership (TTIP) or the Trade in Services Agreement (TISA).

The irony is that, considering the unavoidable wide-ranging effects which are expected, the public at large would have great interest in scrutinizing the ongoing negotiations. However, it seems that not many individuals are fully aware of what is going on. Indeed, if some negotiating documents had not been leaked, the general population – where you and I belong – would not even know what most of them are about. In this context, it is difficult to explain and believe in the need for such confidentiality to ensure the conducting of effective negotiations.

One would have expected that some lessons were learned with the strong opposition from the public faced by the controversial Anti-Counterfeiting Trade Agreement (ACTA), where the same secretive strategy was employed. History, it seems, keeps repeating itself. Nevertheless, following the European Ombudsman pressure for more transparency and accessibility to the public, the European Commission published last month some TTIP negotiating documents.

That said, this exacerbated confidentiality and limited public participation have a serious impact regarding the awareness of the threat that their successful conclusion will entail for individuals. People are not able to contest or agree on what they do not know about. To keep information in the dark is, since the beginning of times, the most effective way to ensure that no opposition is raised.

Being negotiated by 23 member countries of the World Trade Organisation (WTO), including the EU, TISA, according to recent leaked documents, will have serious implications regarding transfer, access, processing or storing of information, including personal data, implying looser rules for service suppliers in international data transfers. Indeed, countries with stronger data protection regimes would be required to put those standards aside in order to comply with the agreement.

Similarly, the recognition that consumers should be able to access and use services and applications of their choice available on the Internet, subject to reasonable network management, raises concerns regarding net neutrality, which is an unfortunate outcome considering the progress achieved by the European Parliament on this issue regarding the Telecoms Single Market.

Not to mention all the contentious issues at so many levels surrounding TTIP, being negotiated by the USA and the EU… From food regulations, to environmental standards, intellectual property, to the investor state dispute settlement, and data protection. If you think about any specific concern, you might actually find it associated with TTIP.

Due to time and space restrictions, I do not intend to address here in detail all the issues at stake. Moreover, and to be honest, I have not fully read the entirety of texts leaked or otherwise publicly made available. Nevertheless, I am fully aware that those versions no longer correspond to the most recent state of play of those negotiations. And no relief can be found in such circumstance.

That said, notwithstanding all the controversies concerning the abovementioned agreements, the EU should also pay attention to the other agreements in whose negotiation it does not participate. I am specifically referring to the Trans-Pacific Partnership (TPP), between the USA and 11 Asia–Pacific countries, which include Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam, with some of which the EU is also bilaterally engaging.

In this context, I certainly do not want to miss raising two of my favourite issues (or should I say prior concerns?) associated with DRM (Digital Rights Management) and copyright.

Indeed, the TPP contains a chapter on intellectual property covering copyright, trademarks, and patents, intending to address a vast range of issues, such as trade secrets, circumvention of DRM, ISP liability, copyright term lengths, and criminal enforcement measures, establishing far more restrictive standards than those currently existing on an international level.

DRM, as you may be quite well aware, refers to technical measures aiming to restrict the use of copyrighted content, namely by limiting the number of devices on which you can play a video you legally purchased. So, yes, when you try to read an eBook or listen to a song on a different platform, it can be illegal. All in the name of the ‘anti-piracy’ slogan. But do not despair: you can always buy the same book or the same song again in order to be able to use it in another format. Publishers and studios: 1 – you and I: 0.

Besides being directly prejudicial to consumers, such technical measures also affect them indirectly, as they jeopardize the exercise of fair use rights, or the ability to use copyrighted work without interfering with the copyright owner’s right. Competition and innovation are consequently choked. And considering not so distant events, I could not go on without mentioning that the technologies associated with DRM can actually involve serious security risks to consumers. It suffices to remember that, a few years ago, Sony sold millions of music CDs with software technologies which would install undisclosed files on users’ computers, exposing them to attacks by third parties.

As for the copyright term protections, TPP will extend the length of such protection. We are talking, for instance, of approximately one hundred years after publication or after creation for corporate owned works, far longer than what is currently required by the Berne Convention (WIPO) or the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

While it is unquestionable that copyright is needed in order to provide an incentive for creativity, it is difficult to imagine how such lengthy regimes can actually be an incentive to creativity. They certainly are highly detrimental to the general interest and I really cannot fathom who, besides large corporations, actually benefits financially from such an outcome. Broader copyright regimes, which delay the entrance of works into the public domain, obviously require the payment of continued royalties for content. And considering that authors and creators usually receive low royalties, it mostly serves the interests of large corporations. It is like Mickey Mouse v. public domain all over again but now at a much larger scale.

In this context, and as if it wasn’t enough, service providers may be intended to be private enforcers of copyright, removing infringing content from the Internet without a court order. This represents a serious threat to the exercise of freedoms of expression and of speech on the Internet.

Moreover, users can be held liable for criminal copyright infringement in respect of non-commercial acts, i.e., even when they were not seeking financial gain from sharing or making available copyrighted works.

Why is this a much bigger problem than it already seems?

Well, despite being negotiated by twelve countries, TPP will evidently affect other countries beyond those involved in the negotiations, as those will likely also be required to comply with its requirements as a condition of bilateral trade agreements with its signatory members.

If its current spirit is indeed to be maintained, it will lead to pressure for an extension of restrictive IP laws worldwide, affecting the freedom of speech, right to privacy of users and the possibility of creation and innovation across the globe.

Considering all this, while the EU itself has been struggling over the Internet and copyright, the TPP is also something it should worry about.


Mobile spyware or how to be connected with the last person you want to be connected with… your ex, who else?


Just be careful and monitor the apps installed in your phone. (Image: copyright by LG under the Creative Commons Attribution 2.0 Generic licence.)

In my professional experience, I have dealt with and witnessed some quite serious and delicate situations subsequent to the ending of relationships and marriages. Stalking, threats, violence, harassment, attacks against property, home trespassing, defamation, nuisance to family members and closer friends, blackmail, outbursts of rage in the ex’s workplace or neighbourhood… I could go on, really, but you get the point. Let’s just euphemistically say that love has a very unromantic side which is not usually portrayed on romantic comedies.

In spite of all the good brought by technologies, they have a dark side which this blog – as you might have figured out already by now – is usually about. Today’s post is not an exception. In fact, technologies have made it a lot easier for unloved lovers to actually turn their partner’s or ex’s lives into hell.

How?

Well, with mobile monitoring software. This kind of technology has been legally around for quite a while now and is deemed the favourite tool for jealous (psycho?) lovers. Well, it suffices to type “app spy ex” on your favourite search engine to get a clear idea about their popularity.

You would be surprised about how easy it actually is. To start with, there are plenty of apps available in the market. A quick online search will give you an idea about the diversity of the options available. They are cheap, accessible and they are easy and quick to install.

Therefore, it suffices to gain brief access to the targeted mobile phone, let’s say, when the owner is taking a shower or trustingly hands over the phone for a call. The app can even be set up before the Smartphone is offered as a birthday or a Christmas gift. How thoughtful!

In this regard, I would like to point out that when the app is sideloaded (that is, installed from somewhere other than a legitimate app store such as the Google Play Store), there is the double risk of installing monitoring backdoors which could enable access by third parties (besides your very personal spy) for unknown purposes.

Another sneakily effective way to monitor someone’s activities is to access the information contained in the cloud. It suffices to know the username and password, elements easily given away to your partner when you are in a trusting relationship. Cloud storage is another particular issue in itself due to its link to computers. As spyware could have been installed remotely through e-mail, it is useless to change the login details for the cloud on the mobile phone, as those can be accessed on the computer.

What happens next?

Well, your unacknowledged personal spy will be able to access almost all activity which takes place on your cell phone: listen to and record your calls, scrutinize your messages, track your location, watch the photos and videos you shoot and monitor your online activities… or really just browse your Facebook account which actually contains by itself almost all this information.

As if this wasn’t enough, these tracking technologies can run imperceptibly in the background, making them difficult to detect. So unless your covert ‘admirer’ cannot help giving away hints about his/her privileged awareness of your life, you might not even suspect its existence.

The truth is a jealous partner or an ex who does not accept the ending of the relationship will be almost as effective as intelligence services in tracking you down. In fact, this kind of technology is increasingly becoming the favourite tool for abusers. Let’s not fool ourselves here. Women are the main victims of these technologies. Many do not even realise that they have a cloud account associated with their Smartphone.

Women experiencing domestic violence are particularly vulnerable in this context, as these technologies allow for the perpetuation of persecuting and intimidating behaviour when they try to flee an abusive relationship.

Of course, this kind of behaviour has always existed. From the old-fashioned ways of going through the pockets of a coat, listening to conversations, reading letters, looking for a trace of lipstick on a shirt, for a new piece of jewellery, to hiring a private detective or following the victim around… However, technologies have made all this so much easier and more invasive.

Obviously technologies are not to blame. The underlying motivations are. They are just a tool with great potential put to bad use. For instance, the very same technologies can be used for parental monitoring, which is acceptable to a certain extent.

That said, I do not want to sound alarmist. But if you recently ended a romantic relationship, and it happens that your ex was the jealous and possessive type, and/or that person suspiciously appears to know a lot about your current whereabouts and social activities, I would say that there is a fairly high chance that your phone is being spied on!

I would therefore advise you to have your mobile phone checked to confirm or exclude that possibility and, subsequently, be able to assess if you are the target of any other kind of stalking.

Lastly, I would like to point out that such secretive interception of electronic communications is illegal, thus I would also recommend that you seek legal advice in that regard.


© 2017 The Public Privacy
