Tag: Cloud

Mobile spyware or how to be connected with the last person you want to be connected with… your ex, who else?

Just be careful and monitor the apps installed in your phone. [1]

In my professional experience, I have dealt with and witnessed some quite serious and delicate situations subsequent to the ending of relationships and marriages. Stalking, threats, violence, harassment, attacks against property, home trespassing, defamation, nuisance to family members and closer friends, blackmail, outbursts of rage in the ex’s workplace or neighbourhood… I could go on, really, but you get the point. Let’s just euphemistically say that love has a very unromantic side which is not usually portrayed in romantic comedies.

In spite of all the good brought by technologies, they have a dark side which this blog – as you might have figured out by now – is usually about. Today’s post is not an exception. In fact, technologies have made it a lot easier for unloved lovers to actually turn their partner’s or ex’s lives into hell.

How?

Well, with mobile monitoring software. This kind of technology has been legally around for quite a while now and is deemed the favourite tool for jealous (psycho?) lovers. Well, it suffices to type “app spy ex” on your favourite search engine to get a clear idea about their popularity.

You would be surprised about how easy it actually is. To start with, there are plenty of apps available in the market. A quick online search will give you an idea about the diversity of the options available. They are cheap, accessible and they are easy and quick to install.

Therefore, it suffices to gain brief access to the targeted mobile phone, let’s say, when the owner is taking a shower or trustingly hands over the phone for a call. The app can even be set up before the smartphone is offered as a birthday or a Christmas gift. How thoughtful!

In this regard, I would like to point out that when the app is sideloaded (for instance, not installed from a legitimate app store such as the Google Play Store), there is the double risk of installing monitoring backdoors which could enable access by third parties (besides your very personal spy) for unknown purposes.

Another sneakily effective way to monitor someone’s activities is to access the information contained in the cloud. It suffices to know the username and password, elements easily given away to your partner when you are in a trusting relationship. Cloud storage is another particular issue in itself due to its link to computers. As spyware could have been installed remotely through e-mail, it is useless to change the login details for the cloud on the mobile phone, as those can be accessed on the computer.

What happens next?

Well, your unacknowledged personal spy will be able to access almost all activity which takes place on your cell phone: listen to and record your calls, scrutinize your messages, track your location, watch the photos and videos you shoot and monitor your online activities… or really just browse your Facebook account which actually contains by itself almost all this information.

As if this wasn’t enough, these tracking technologies can run imperceptibly in the background, making them difficult to detect. So unless your covert ‘admirer’ cannot help but give away hints about his/her privileged awareness of your life, you might not even suspect the software’s existence.

The truth is a jealous partner or an ex who does not accept the ending of the relationship will be almost as effective as intelligence services in tracking you down. In fact, this kind of technology is increasingly becoming the favourite tool for abusers. Let’s not fool ourselves here. Women are the main victims of these technologies. Many do not even realise that they have a cloud account associated with their smartphone.

Women experiencing domestic violence are particularly vulnerable in this context, as these technologies allow for the perpetuation of persecuting and intimidating behaviour when they try to flee an abusive relationship.

Of course, this kind of behaviour has always existed. From the old-fashioned ways of going through the pockets of a coat, listening to conversations, reading letters, looking for a trace of lipstick on a shirt, for a new piece of jewellery, to hiring a private detective or following the victim around… However, technologies have made all this so much easier and more invasive.

Obviously technologies are not to blame. The underlying motivations are. They are just a tool with great potential put to bad use. For instance, the very same technologies can be used for parental monitoring, which is acceptable to a certain extent.

That said, I do not want to sound alarmist. But if you recently ended a romantic relationship, and it happens that your ex was the jealous and possessive type, and/or that person suspiciously appears to know a lot about your current whereabouts and social activities, I would say that there is a fairly high chance that your phone is being spied on!

I would therefore advise you to have your mobile phone checked to confirm or exclude that possibility and, subsequently, be able to assess if you are the target of any other kind of stalking.

Lastly, I would like to point out that such secretive interception of electronic communications is illegal, thus I would also recommend that you seek legal advice in that regard.

References

1. Copyright by LG under the Creative Commons Attribution 2.0 Generic

Microsoft or the rider on a white horse of modern times

My hero!


Microsoft has been challenging a USA search warrant, issued within an ongoing narcotics trafficking related investigation, seeking to access the content information of the electronic communications of one of its customers, which are stored exclusively outside the jurisdiction of the USA authorities, more specifically hosted in a data centre in Dublin, Ireland.

The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?

Like any other service provider, Microsoft stores the e-mail messages sent and received by its users, and related information, in datacenters both in the USA and abroad, according to the users’ own location and proximity, given at registration, in order to increase the quality of the communications and decrease network latency [1].

In this specific case, considering that the content is hosted outside the USA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.

In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, who described tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through data encryption technologies that companies such as Apple and Google have built into their smartphone operating systems.

Needless to say, a “trapdoor” access to the tech companies’ networks by intelligence agencies and law enforcement authorities, in order to collect information about their users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.

And it is quite hard to accept the need for such doubtful mechanisms when legal mechanisms already exist and allow achieving the same result. They are called warrants.

But it seems that even when using the proper legal mechanisms, some governments fail to understand their territorial limitations in regard to competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the Court which issued the warrant, the specific nature of an SCA [2] warrant differs from a normal warrant, compelling the service provider to gather and produce the data itself, rather than authorizing the entrance into the physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake, as Microsoft is merely required to produce information in its possession or control, regardless of the location of that information.

The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish his residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.

There are, from what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.

For instance, at an international level, such a unilateral initiative risks negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data with USA cloud providers.

There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland than an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.

However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined the possibility for one of the parties to decline the request for assistance as a negative feature. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court considered it an issue that some MLATs require the execution of a search warrant to be operated in accordance with the laws of the requested party.

Hmm, quite self-explanatory, isn’t it? The intention is to access private emails of any customer of a USA based service provider regardless of where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not so smart and very unfortunate attempt at bypassing the proper existing mechanisms. And it opens the door for legal uncertainty.

The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain some evidence through a court warrant, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.

Considering that USA-based companies can be compelled to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdictions where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive [3] and the Framework Decision which regulates data transfers to non-EU Member States [4].

In this context, in a statement issued last November, the Article 29 WP stated as follows:

a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions–e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.

Moreover, allowing the USA government such access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such anarchy is certainly not a desirable outcome to be achieved!

Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.

This may well be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already expressed its support, along with several other tech companies and consumer privacy advocates.

While this situation outlines the increasing role of private companies as the ultimate defenders of our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed on them with regard to the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.

References

1. The concept refers to the time it takes for data to get from one designated point to another.
2. The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order.
3. Directive 95/46/EC
4. The Council Framework Decision 2008/977/JHA

Mirror Mirror on the Wall, Who Is the Stupidest of Them All?

Half serious Günther Oettinger.


So, the European Parliament has begun its hearings in order to evaluate the Commissioners designated by the European Commission’s President Jean-Claude Juncker. But the hearings have shown quite a few surprises…

After Cecilia Malmström, it was up to Günther Oettinger, appointed to be the commissioner responsible for ‘digital economy and society’, to be in the spotlight last Monday. This time, however, it was not due to some compromising correspondence, but to some highly questionable answers.

The MEPs’ questions focused on issues such as roaming and net neutrality, data protection, mass surveillance, the ‘right to be forgotten’ ruling, and copyright law. Overall, Oettinger was vague and superficial and mainly dodged the questions, namely regarding net neutrality. However, infrastructure (whatever this is supposed to mean) appeared to be one of his main priorities, as it came up in almost every statement.

But what this hearing will always be remembered for is how he referred to the recent data breach involving several female celebrities, which I have previously addressed here.

According to Oettinger, it would not be his role as a commissioner to protect celebrities who have taken under-dressed pictures of themselves, and his precise words were as follows:

We should say: We can mitigate or even eliminate some risks. But like with any technology, you can’t exclude all risks. I’ll give an example. This may be a little, um… semi-serious. The fact that recently there have been an increasing number of public lamentations about nude photos of celebrities who took selfies – I just can’t believe it! If someone is dumb enough to as a celebrity take a nude photo of themselves and put it online, they surely can’t expect us to protect them. I mean, stupidity is something you can not – or only partly – save people from.

In conclusion, Oettinger obviously considered (half-seriously?? is this remotely funny in any sense?) that the private photos that female celebrities took of themselves would be a good example for whichever point he wanted to make concerning the limitations of technological security.

Of course it didn’t help at all that he seemed oblivious to the outlines of the case, namely the fact that the pictures had not been put online by the victims themselves, but were, instead, stored in private cloud accounts belonging to the celebrities, accessed by third parties following a hacking attack and then published without their authorisation. Quite a relevant little detail… And quite astonishing that the upcoming head of EU digital policy would fail to distinguish privately accessed cloud services from the open Internet.

No wonder that Green MEP Jan Philipp Albrecht considered that, by putting Oettinger in charge of the digital economy, Juncker has committed a fatal mistake:

Oettinger does not even use social media, for example. He barely communicates publicly with people on the internet. Instead, he is a man of classical media. As regional prime minister and as energy commissioner he devoted himself to traditional issue areas. This will be an enormous challenge for him.

Currently, many – myself included – wonder if he is a suitable candidate for the intended position. The fact that data protection will very likely become the direct responsibility of designated justice, consumers and gender equality commissioner Vera Jourová is therefore a relief.

Anyway, in a dubious harmony with the opinion of a vast number of internet users, the designated commissioner believes that the victims – all women, let’s not forget – are the major culprits for the violation of their own privacy. As any other good moralist would easily point out, being celebrities they should have known better than to take pictures intended to remain private or only to be shared with whoever they wanted. How dare they?

Unfortunately, Oettinger completely failed to consider the big picture of the incident: online security in general. He therefore missed the ugly truth, which is that anybody can be a target of hacking attacks for the most diversified purposes, with more or less serious and far-reaching consequences. If, instead of private pictures, the ‘celebgate’ had involved intellectual property or credit card information theft, would it have been so light-heartedly approached? One should not be so naïve as to think that this is only about pictures or videos. More sensitive data is at stake.

As understandable as it may be that Oettinger, being the previous commissioner for energy, might feel more comfortable among gas and oil pipes, his comments raised strong and welcome criticism in public opinion. One particular MEP, Julia Reda, who represents the Pirate Party, elaborated better than I could have on all the issues brought up by these foolish comments.

It is strange, at the very least, that a likely commissioner (after all, the European Commission is the guardian of the treaties) would, in front of the MEPs (the European Parliament being the only European institution which directly represents the voice of the 500 million EU citizens), focus on the fact that the pictures were taken in the first place; it is not only disappointing but, above all, worrying.

It is indeed deeply dramatic that nowadays, in the European Union, and at this high level, one can still so blatantly find the very same reflections of the sexism and victim blaming that were manifested online when the news of the hacking came out. It is all very wrong when a commissioner not only agrees with those moralists but feels at ease to joke about it publicly. Where are we heading? How ironic would it be that, among all the challenges brought by technological progress, we would somehow recede to the early stages of discussions concerning equal rights and gender discrimination, but this time – because Oettinger is a man of his time and the access to the right to vote is so last century! – within the upcoming era of the Internet of Things.

Furthermore, it is quite distressing that, with regard to the news of data security breaches that make, almost every day, the headlines of worldwide newspapers, the really important point to be made – the raising of awareness regarding the risks associated with technology and the need for more secure data storage systems, namely cloud-based ones – was just overshadowed by such misogynist remarks…

Considering all this, Oettinger’s own words are fairly applicable:

Stupidity is something you can not – or only partly – save people from.

 

© 2017 The Public Privacy
