Category: Cloud

Microsoft or the rider on a white horse of modern times

My hero!


Microsoft has been challenging a USA search warrant, issued within an ongoing investigation related to narcotics trafficking, which seeks access to the content of the electronic communications of one of its customers. That content is stored exclusively outside the jurisdiction of the USA authorities, more specifically in a data centre in Dublin, Ireland.

The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?

Like any other service provider, Microsoft stores the e-mail messages sent and received by its users, and related information, in datacenters both in the USA and abroad, according to the users' own location and proximity, as given at registration, in order to increase the quality of the communications and decrease the network latency[1].

In this specific case, considering that the content is hosted outside the USA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.

In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, who described tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through the data encryption technologies that companies such as Apple and Google have built into their smartphone operating systems.

Needless to say, a “trapdoor” access to the tech companies' networks by intelligence agencies and law enforcement authorities, in order to collect information about their users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.

And it is quite hard to accept the need for such doubtful mechanisms when legal mechanisms already exist and allow achieving the same result. They are called warrants.

But it seems that even when using the proper legal mechanisms, some governments fail to understand their territorial limitations with regard to competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the Court which issued the warrant, an SCA[2] warrant differs in nature from a normal warrant: it compels the service provider to gather and produce the data itself, rather than authorizing entry into physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake, as Microsoft is merely required to produce information in its possession or control, regardless of the location of that information.

The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish its residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.

There are, from what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.

For instance, at an international level, such a unilateral initiative risks negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data in USA cloud providers.

There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland than an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.

However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined the possibility for one of the parties to decline the request for assistance as a negative feature. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court also considered it an issue that some MLATs require the execution of a search warrant to be carried out in accordance with the laws of the requested party.

Hmm, quite self-explanatory, isn’t it? The intention is to access private emails of any customer of a USA based service provider regardless of where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not so smart and very unfortunate attempt to bypass the proper existing mechanisms. And it opens the door to legal uncertainty.

The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain some evidence through a court warrant, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.

Considering that USA-based companies can be compelled to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdictions where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive[3] and the Framework Decision which regulates data transfers to non-EU Member States[4].

In this context, in a statement issued last November, the Article 29 WP stated as follows:

a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions–e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.

Moreover, allowing the USA government such access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such anarchy is certainly not a desirable outcome to be achieved!

Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.

This may really be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already manifested its support, along with several other tech companies and consumer privacy advocates.

While this situation outlines the increasing role of private companies as the ultimate defenders of our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed on them in regard to the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.

References

1 The concept refers to the time it takes for data to get from one designated point to another.
2 The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order.
3 Directive 95/46/EC
4 The Council Framework Decision 2008/977/JHA

Celebgate or The Cloud Conundrum

iCloudy with a chance of pictures.


So, after women being already the main target of social engineering, street harassment, cyber harassment, workplace harassment, sexual harassment, or revenge porn, and all the other creepy forms of gender orientated attacks, the online world has recently witnessed the leak of hundreds of intimate pictures of celebrities, such as Jennifer Lawrence, Kirsten Dunst, Rihanna and Kim Kardashian.

Well, the word ‘leak’ might not be the most suitable, considering the outlines of the situation… Theft, break-in, hacking, privacy violation, online assault or pirating are far more realistic expressions.

So what happened, really?

Someone – who I just cannot help but picture as a disgusting and sexually frustrated slobbering pervert with no sense of civility – accessed the iCloud accounts of some targeted celebrities and disclosed their personal pictures online. [1]

What do all the victims have in common? Well, to start with, they are all known worldwide for some reason… and all are women.

I really cannot understand why someone would be tempted to access intimate pictures of women against their consent, even celebrities, when the internet is full of websites with pictures of women who willingly or professionally display their naked selves.

It was an evident gender orientated attack, which seems to be a usual and sick practice on the Internet nowadays, intended to publicly expose and shame the victims. As far as I am aware, men are not usually targeted by such endeavours.

Anyway, the central hubs for the display and dissemination of the links to the pictures were the websites Reddit and 4chan. The photos then spread across the Internet like wildfire and the case has been inimitably nicknamed ‘Celebgate’.

This incident has led public attention to an immediate question: how could attractive young women even dare to take pictures of themselves or let themselves be photographed in erotic or sexual poses or situations? For a vast – and scary – number of internet users, the victims are therefore the major culprits for their own violation. Being celebrities (or should I say women?) they should have known better than to take pictures intended to remain private or only to be shared with whoever they wanted.

On second thought, this occurrence led internet users to reflect on how private our private information really is. A very legitimate concern considering the revelations of Edward Snowden, the recent data breach news regarding American retailers, such as Target and Home Depot, and the hacking conducted on Chinese hospitals’ medical records.

But the incident has put the spotlight on the online security in general. After all, it is very likely that hackers gained access to much more sensitive data than pictures and videos. And if celebrities’ accounts can be hacked, it can happen to anybody, right?

Apple denied having suffered a data security breach and insisted that none of the material was obtained from the company’s servers directly. In a released statement, it affirmed having discovered, instead, that the hacking seemed to be the result of a brute-force attack on user names, passwords and security questions.

Notwithstanding, while the poor choice of passwords and the non-implementation of Apple’s two-factor authentication might have been a hindrance in terms of security, the vulnerabilities in the security software were undeniable. For instance, iCloud's specific backup system did not implement adequate safeguards against brute-force attacks. [2]
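The gap described above, where one entry point accepts password guesses without the limit the others enforce, can be shown in a short simulation. This is an added example, not code from the original post or from Apple; the endpoint names `web` and `backup`, the thresholds and the sample account are assumptions.

```python
import hmac
import time

class AccountThrottle:
    """Failed-login counter per account, meant to be shared by every entry point."""
    def __init__(self, max_failures=5, base_lock=60, max_lock=3600, clock=time.monotonic):
        self.max_failures, self.base_lock, self.max_lock = max_failures, base_lock, max_lock
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, locked-until time)

    def locked_for(self, account):
        _, until = self._state.get(account, (0, 0.0))
        return max(0.0, until - self.clock())

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a good login clears the count
            return
        fails, until = self._state.get(account, (0, 0.0))
        fails += 1
        if fails >= self.max_failures:
            # Lock time doubles with each failure past the threshold.
            lock = min(self.max_lock, self.base_lock * 2 ** (fails - self.max_failures))
            until = self.clock() + lock
        self._state[account] = (fails, until)

class AuthService:
    """One password check reachable through several entry points (hypothetical names)."""
    def __init__(self, passwords, throttle, guarded_endpoints):
        self.passwords = passwords  # constructed sample; real services store salted hashes
        self.throttle = throttle
        self.guarded = set(guarded_endpoints)
        self.checks = 0  # guesses that actually reached the password comparison

    def login(self, endpoint, account, password):
        guarded = endpoint in self.guarded
        if guarded and self.throttle.locked_for(account) > 0:
            return "locked"  # refused before the password is looked at
        self.checks += 1
        stored = self.passwords.get(account)
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if guarded:
            self.throttle.record(account, ok)
        return "ok" if ok else "denied"

def guesses_checked(guarded_endpoints, attempts=20):
    """Wrong guesses alternate between 'web' and 'backup', one per second."""
    now = [0.0]  # simulated clock so the run is deterministic
    svc = AuthService({"alice": "correct horse battery"},
                      AccountThrottle(clock=lambda: now[0]), guarded_endpoints)
    for i in range(attempts):
        svc.login(("web", "backup")[i % 2], "alice", f"wrong-{i}")
        now[0] += 1.0
    return svc.checks
```

With only `web` guarded, 15 of 20 wrong guesses are still evaluated; with both entry points sharing the throttle, the account locks after 5.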

Apple’s announcement that it will strengthen its security measures for its cloud storage platform iCloud thus might not come as a coincidence. Tim Cook informed that users will receive an alert when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Moreover, Apple intends to broaden its use of an enhanced two-factor authentication security system.

Despite the unfortunate implications for the victims, it has drawn the very much needed attention and raised awareness – as no other incident so far – to how people share, store and secure their personal and sensitive data.

There are valuable lessons to learn from this incident. The apparent ugly truth is that if someone with the proper time, knowledge and means wants to access your personal data, they will try to and might get it if the proper security measures are not taken. So it is better to assume that nobody is safe from a similar assault.

It is therefore necessary to improve our personal security posture and implement all the available tools to prevent the success of potential future attacks.

To start with, you must be aware of whether you use services that automatically back up your data, and choose whether it is convenient for you to keep that feature on or to turn it off. If you intend to use a cloud service, choose one which will encrypt your data.

Secondly, it is very important to implement strong login credentials. Multifactor authentication and the use of a complex and unique password for each online account are usually highly recommended. You can go even further and use passphrases instead of passwords. A password manager will allow you to achieve a deeper protection. [3]

These are some basic and well-known measures, but ‘Celebgate’ is here to remind us that everybody, and not only women, needs to take better care of their online selves. Women might be the main target of hacking intended to publicly humiliate them, but anybody can be a target of hacking for all intents and purposes, with more or less serious and far-reaching consequences: to creepily spy on friends or family or the girl that rejected them; for ‘intellectual’ challenge; to steal services and valuable files, namely regarding intellectual property; to collect credit card details or engage in other forms of credit card fraud; computer take-over; identity theft; mail hacking to disseminate spam…

Some might prefer to judge the victims and to look at their pictures. But the big picture to look at is: use whatever devices and services you want, but use them knowingly and safely. Nobody will protect you online better than yourself.

References

1 For those who might not be aware, the Cloud is a storage and back-up system which enables users to keep personal information. As the data is kept online, it allows users to save space in their computers, smartphones or tablets, while being able to access them from any device and from anywhere. Companies such as Apple, Google, Microsoft and Amazon, just to name a few, all provide cloud-based storage.
2 Brute-force attacks refer to repetitive attempts to break into a user’s account by trying possible combinations of letters, numbers and symbols in order to discover the correct password.
3 Two-factor authentication implies two elements: something you know and something you have. Therefore, besides the password (what you know), you will be asked for a second form of identification the first time you log onto an account from a new device. It normally involves being sent a code by text message (what you have/can access).

© 2023 The Public Privacy
