Ben Lincoln discovered that his Motorola Droid X2 was silently sending an enormous amount of private, sensitive information to Motorola
, without permission -- much of it without any encryption. He carefully documented the scope of the leaks, and gave the steps necessary to repeat his work. It's a terrible, and potentially criminal, design decision by Motorola, and demands full disclosure from the company and full investigation by independent researchers. (via /.
today that it will now allow advertisers to tailor ads for you based on your activities off of Twitter (for instance, browsing third-party websites), and will also use personal information like email addresses to target the ads you see.
"Users won’t see more ads on Twitter, but they may see better ones," wrote Twitter's Senior Director of Product and Revenue, Kevin Weil, touting the change as a way to make the service "more useful" to users.
Privacy-minded folks won't be too happy.
Read the rest
[Video Link] Mark Hurst, founder of the Gel conference, says. "Duck Duck Go founder Gabriel Weinberg gave a great talk (about his search engine, and Google's practices that people may not know about) at Gel."
This 15-minute talk is full of eye-opening stuff. Every year, more lawyers are requesting users' Google records for court cases, for example.
Hello again, Happy Mutants! Please take a moment to read our new Terms of Service
describing your (and our) behavior and rights related to content, privacy, and laws!
We also have new Community Guidelines for the Boing Boing BBS forums launching today.
Thank you all for your continued support of Boing Boing!
We therefore call on EU policy makers:
• to oppose corporate lobbying and to prevent the erosion of privacy protections in the European Union,
• to set a high standard and ensure that EU data protection law sets a global standard for privacy;
• to ensure specific rights of individuals are being preserved, such as explicit consent to personal data processing, the right to access, rectification and certain rights to erasure that are in the existing European legal framework,
• to ensure basic principles that would help protect citizens against untargeted and disproportionate surveillance measures, such as data minimization, purpose limitation, limited storage periods and notification procedures,
• to ensure that personal data processed in the EU is not transferred to third country authorities without a determination that there are adequate privacy safeguards.
The Washington Statement"
In Support of Data Protection
The Guardian has published two more top-secret NSA memos, courtesy of whistleblower Edward Snowden. The memos are appendices to "Procedures used by NSA to target non-US persons" (1, 2), and they detail the systems the NSA uses to notionally adhere to the law that prohibits them from spying on Americans.
More importantly, they expose the "truth" behind NSA director James Clapper's assertion that "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." This turns out to be technically, narrowly true, but false in its implication, as Declan McCullagh explains on CNet:
Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations.
"The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.
Read the rest
The NSA's first large-scale domestic surveillance project began in 1945 — when the organization began reading American's telegrams. — Maggie
The Internet Archive's Brewster Kahle has done the math on building a data-center that could hold all of America's voice-calls, and concluded that this it wouldn't quite fit within the $20M price-tag reported for Prism, though it's not far off.
These estimates show only $27M in capital cost, and $2M in electricity and take less than 5,000 square feet of space to store and process all US phonecalls made in a year. The NSA seems to be spending $1.7 billion on a 100k square foot datacenter that could easily handle this and much much more. Therefore, money and technology would not hold back such a project– it would be held back if someone did not have the opportunity or will.
Another study concluded about 4x my data estimates others have suggested the data could be compressed 10:1, and the power bill would be lower in Utah.
Here's a shared spreadsheet with Kahle's calculations.
Cost to Store All US Phonecalls Made in a Year in Cloud Storage so it could be Datamined
I got tired of people savvying me about the revelations of NSA surveillance and asking why anyone would care about secret, intrusive spying, so I wrote a new Guardian column about it, "The NSA's Prism: why we should care."
We're bad at privacy because the consequences of privacy disclosures are separated by a lot of time and space from the disclosures themselves. It's like trying to get good at cricket by swinging the bat, closing your eyes before you see where the ball is headed, and then being told, months later, somewhere else, where the ball went. So of course we're bad at privacy: almost all our privacy disclosures do no harm, and some of them cause grotesque harm, but when this happens, it happens so far away from the disclosure that we can't learn from it.
You should care about privacy because privacy isn't secrecy. I know what you do in the toilet, but that doesn't mean you don't want to close the door when you go in the stall.
You should care about privacy because if the data says you've done something wrong, then the person reading the data will interpret everything else you do through that light. Naked Citizens, a short, free documentary, documents several horrifying cases of police being told by computers that someone might be up to something suspicious, and thereafter interpreting everything they learn about that suspect as evidence of wrongdoing. For example, when a computer programmer named David Mery entered a tube station wearing a jacket in warm weather, an algorithm monitoring the CCTV brought him to the attention of a human operator as someone suspicious. When Mery let a train go by without boarding, the operator decided it was alarming behaviour. The police arrested him, searched him, asked him to explain every scrap of paper in his flat. A doodle consisting of random scribbles was characterised as a map of the tube station. Though he was never convicted of a crime, Mery is still on file as a potential terrorist eight years later, and can't get a visa to travel abroad. Once a computer ascribes suspiciousness to someone, everything else in that person's life becomes sinister and inexplicable.
The NSA's Prism: why we should care
Michael Rigley created this beautiful animation, titled "Network," for his BFA design thesis project at the California College of Art. It's about personal data captured by cell phone providers and is quite relevant this week.
Ai Wei Wei, the renowned Chinese dissident who has been relentlessly persecuted by his own government, has written an op-ed for the Guardian comparing Chinese totalitarian surveillance with Prism and related NSA spying:
I lived in the United States for 12 years. This abuse of state power goes totally against my understanding of what it means to be a civilised society, and it will be shocking for me if American citizens allow this to continue. The US has a great tradition of individualism and privacy and has long been a centre for free thinking and creativity as a result.
In our experience in China, basically there is no privacy at all – that is why China is far behind the world in important respects: even though it has become so rich, it trails behind in terms of passion, imagination and creativity.
During my detention in China I was watched 24 hours a day. The light was always on. There were two guards on two-hour shifts standing next to me – even watching when I swallowed a pill; I had to open mouth so they could see my throat. You have to take a shower in front of them; they watch you while you brush your teeth, in the name of making sure you're not hurting yourself. They had three surveillance cameras to make sure the guards would not communicate with me.
But the guards whispered to me. They told stories about themselves. There is always humanity and privacy, even under the most restrictive conditions.
NSA surveillance: The US is behaving like China
In the Guardian, Glenn Greenwald and Ewen MacAskill leak a description of another NSA top-secret program, this one codenamed "BOUNDLESSINFORMANT." This is apparently a tool that helps spies keep track of which snooping tools they can deploy in which countries, and it produces pretty, color-coded maps showing where the NSA spying powers are strongest. The Guardian has excellent notes on how this fits in with the ongoing fight between the US Senate and the NSA on whether and how the NSA spies on Americans:
The Boundless Informant documents show the agency collecting almost 3 billion pieces of intelligence from US computer networks over a 30-day period ending in March 2013. One document says it is designed to give NSA officials answers to questions like, "What type of coverage do we have on country X" in "near real-time by asking the SIGINT [signals intelligence] infrastructure."
An NSA factsheet about the program, acquired by the Guardian, says: "The tool allows users to select a country on a map and view the metadata volume and select details about the collections against that country."
Under the heading "Sample use cases", the factsheet also states the tool shows information including: "How many records (and what type) are collected against a particular country."
A snapshot of the Boundless Informant data, contained in a top secret NSA "global heat map" seen by the Guardian, shows that in March 2013 the agency collected 97bn pieces of intelligence from computer networks worldwide.
They quote Judith Emmel, an NSA spokesperson who says, "The continued publication of these allegations about highly classified issues, and other information taken out of context, makes it impossible to conduct a reasonable discussion on the merits of these programs." However, the NSA would not admit the existence of these programs (not even to the senate), prior to this.
Boundless Informant: the NSA's secret tool to track global surveillance data
On Engadget, Richard Lawler paraphrases a NYT theory on how the companies identified as participating in the NSA's PRISM program are able to deny participation without technically lying; this is followed up with a quote from Google's chief legal officer denying this theory:
So why the quick denials about something the companies listed (including AOL, parent company of Engadget) may actually have ties to? Because FISA requests are by their nature secret, the report claims employees that deal with the requests can't discuss the details, even with their fellow employees. Notably, although companies must by law respond to the requests, they're not legally obligated to make it easy, and the article points out Twitter as a company that has declined to participate. Because of that, even if PRISM is more a streamlining of bureaucratic processes than a government backdoor into your Candy Crush Saga level, the semantic differences of company denials may not sit well with users, much less citizens voting for the officials who oversee the programs.
Update: Google Chief Legal Officer David Drummond has chimed in once again via a post on Google+, denying (again) that the government has any access to Google servers. That includes directly, through a back door, or any kind of "drop box" as the Times report mentions had been discussed. Meanwhile, CNET has an alternate source who corroborates the company's claims of no direct access, describing the system as a "formalized legal process."
NYT explains how tech companies allow PRISM, yet deny 'direct server access' happened (update)
Bruce Schneier writes in The Atlantic to comment on the leaked court order showing that the NSA has been secretly engaged in bulk domestic surveillance, recording who everyone is talking to, when, for how long, and where they are when they do. Schneier points out -- as many have -- that this is the tip of the iceberg, and lays out a set of government secrets that we need whistleblowers to disclose in order to grasp the full scope of the new, total surveillance state:
We need details on the full extent of the FBI's spying capabilities. We don't know what information it routinely collects on American citizens, what extra information it collects on those on various watch lists, and what legal justifications it invokes for its actions. We don't know its plans for future data collection. We don't know what scandals and illegal actions -- either past or present -- are currently being covered up.
We also need information about what data the NSA gathers, either domestically or internationally. We don't know how much it collects surreptitiously, and how much it relies on arrangements with various companies. We don't know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities. We don't know whether it deliberately inserts backdoors into systems it wants to monitor, either with or without the permission of the communications-system vendors.
And we need details about the sorts of analysis the organizations perform. We don't know what they quickly cull at the point of collection, and what they store for later analysis -- and how long they store it. We don't know what sort of database profiling they do, how extensive their CCTV and surveillance-drone analysis is, how much they perform behavioral analysis, or how extensively they trace friends of people on their watch lists.
We don't know how big the U.S. surveillance apparatus is today, either in terms of money and people or in terms of how many people are monitored or how much data is collected. Modern technology makes it possible to monitor vastly more people -- yesterday's NSA revelations demonstrate that they could easily surveil everyone -- than could ever be done manually.
What We Don't Know About Spying on Citizens: Scarier Than What We Know
The DHS has responded to a Freedom of Information Act request filed by the ACLU asking when and how it decides whose laptop to search at the border. It explained its legal rationale for conducting these searches with a blank page:
On Page 18 of the 52-page document under the section entitled “First Amendment,” several paragraphs are completely blacked out. They simply end with the sentence: “The laptop border searches in the [Immigration and Customs Enforcement] and [Customs and Border Protection] do not violate travelers’ First Amendment rights as defined by the courts."
More excellence from "the most transparent administration in American history." Also, the DHS rejected claims that it should limit searches to situations where it had reasonable grounds for suspicion, because then they would have to explain their suspicion:
First, commonplace decisions to search electronic devices might be opened to litigation challenging the reasons for the search. In addition to interfering with a carefully constructed border security system, the litigation could directly undermine national security by requiring the government to produce sensitive investigative and national security information to justify some of the most critical searches. Even a policy change entirely unenforceable by courts might be problematic; we have been presented with some noteworthy CBP and ICE success stories based on hard-to-articulate intuitions or hunches based on officer experience and judgment. Under a reasonable suspicion requirement, officers might hesitate to search an individual's device without the presence of articulable factors capable of being formally defended, despite having an intuition or hunch based on experience that justified a search.
Feds say they can search your laptop at the border but won’t say why [Cyrus Farivar/Ars Technica]