
People overestimate mobile privacy, lawmakers are out of touch with privacy expectations

My friend Jen Urban of UC Berkeley and her colleagues Chris Jay Hoofnagle and Su Li have just published Mobile Phones and Privacy, a paper in the BCLT Research Paper Series, and a summary. In a nutshell, people totally overestimate the privacy of the data on their mobile phones, and they oppose all the current legislative directions on mobile privacy, including the ability of the police to plunder their phones for "suspicious" information and the practice of carriers retaining detailed logs of their activity.

We've just released another tranche of data from our 2012 consumer privacy survey. This one focuses upon privacy issues surrounding mobile phones. As with our other studies, this is a telephonic (landline and wireless) survey of Americans with a sample size of about 1,200 people. Some highlights:

We asked consumers whether they thought information on their mobile phones was private in three different ways:

* A large majority—78%—of Americans consider information on their mobile phones at least as private as that on their home computers. Fifty-nine percent consider it “about as private” and 19% consider it “more private.” Those under 45 were more likely than those over 45 to respond that data on phones was more private than data on home computers.

* A large majority rejected the idea that law enforcement should be automatically able to search a cell phone of someone who is arrested. 76% supported requiring officers to get permission from a court prior to searching a mobile phone in this situation.

* We asked consumers whether they would be willing to lend their phones to others. While most would lend it to a spouse or close friend, most would not lend their phone to an acquaintance or work colleague. When we probed for explanations, privacy rationales dominated the resistance to lending the phone to others.

In addition to determining individuals' expectations around privacy, we asked a number of specific questions about business practices:

* A large majority objected to the basic premise behind the established business relationship. 74% said that businesses that they frequent should not be able to call them, even if the consumer provides the cashier with her phone number.

* We asked about the information practices of apps and found rejection of common business models. 81% of respondents said they would “definitely not allow” (51%) or “probably not allow” (30%) sharing contact lists in order to receive more connection suggestions.

* Americans support strong limits on data retention in the wireless context. 46% answered that wireless phone location data should not be kept at all. The next largest group—28% of respondents—answered that the data should be kept less than a year.

America's ISPs set to spy on your network access to help entertainment industry

Douglas Rushkoff writes on CNN about the new US "six strikes" copyright regime, an unholy alliance between the major entertainment companies and the nation's largest ISPs, which gives your ISP carte blanche to spy on all your private Internet traffic on the off chance that you might be interfering with Universal Music's profit-maximization scheme. If you attract enough unsubstantiated copyright accusations, you and your family -- or your business -- could lose your Internet access.

As I understand the new agreement and subsequent comments, which are about as cryptic as a copy-protected DVD, ISPs have agreed to implement a standardized "graduated response plan" through which offending users are warned, restricted and eventually cut off from the Internet for successive violations. The companies are supposed to be developing systems that keep track of all this, so that the letters and usage restrictions happen automatically. The fact that they are all agreeing to participate makes it harder for any one company to win the disgruntled customers of those who have been disciplined by another.

But now that they're free from individual blame, there's also the strong possibility that the ISPs will be doing the data monitoring directly. That's a much bigger deal. So instead of reaching out to the Internet to track down illegally flowing bits of their movies, the studios will sit back while ISPs "sniff" the packets of data coming to and from their customers' computers. While they're simply claiming to be protecting copyright holders, ISPs have a lot to gain from all this as well.

For instance, in many cases the Internet subscriber might have no knowledge of the infraction that the ISP detects. A houseguest might log onto one's home network simply to check e-mail. Because his sharing software might be running in the background (even when he's not downloading files himself) he is in effect sharing his own movie files wherever he goes. Your ISP sniffs the packets, so you are nabbed. The same is true for those of us who run "open networks" so that neighbors and others nearby can get free Internet access when they need it. (In the old days, that used to be considered polite.)

Will your Internet provider be spying on you?

Canada's telcos secretly backing revival of "dead" warrantless surveillance bill

Michael Geist sez,

Canada's proposed Internet surveillance was back in the news last week after speculation grew that government intends to keep the bill in legislative limbo until it dies on the order paper. Public Safety Minister Vic Toews denied the reports, maintaining that Bill C-30 will still be sent to committee for further study. My weekly technology law column reveals that behind the scenes, Canada's telecom companies have worked actively with government officials to identify key issues and to develop a secret Industry - Government Collaborative Forum on Lawful Access.

The secret working group includes virtually all the major telecom and cable companies, whose representatives have been granted Government of Canada Secret level security clearance and signed non-disclosure agreements. The group is led by Bell Canada on the industry side and Public Safety for the government. It is designed to create an open channel for discussion between telecom providers and government. As the uproar over Bill C-30 was generating front-page news across the country, Bell reached out to government to indicate that "it was working its way through C-30 with great interest" and expressed desire for a meeting to discuss disclosure of subscriber information. A few weeks later, it sent another request seeking details on equipment obligations to assist in its costing exercises.

At a September 2011 meeting that included Bell Canada, Cogeco, RIM, Telus, Rogers, Microsoft, and the Information Technology Association of Canada, government officials provided a lawful access regulations policy document that offered guidance on plans for extensive regulations that will ultimately accompany the Internet surveillance legislation. The 17-page document indicates that providers will be required to disclose certain subscriber information without a warrant within 48 hours and within 30 minutes in exceptional circumstances. Interceptions of communications may also need to be established within 30 minutes of a request with capabilities that include simultaneous interceptions for five law enforcement agencies.

How Canada's Telecom Companies Have Secretly Supported Internet Surveillance Legislation

Netherlands becomes first EU nation to enshrine Net Neutrality in law

Ot from the Dutch technology activist group Bits of Freedom writes, "Good news from The Netherlands: on 8 May 2012 The Netherlands adopted crucial legislation to safeguard an open and secure internet. It is the first country in Europe to implement net neutrality in the law. In addition, it adopted provisions protecting users against disconnection and wiretapping by providers. Digital rights movement Bits of Freedom calls on other countries to follow the Dutch example." (Thanks Ot!) Cory

Why communities build their own WiFi: a short video explainer and a long white-paper

Christopher sez, "We just released a 90 second animated video that explains why communities build their own broadband networks, often in competition with big cable. For those who want all the details, we just released a massive 75 page white paper examining 3 community fiber networks in depth - Chattanooga, Tennessee; Lafayette, Louisiana; and Bristol, Virginia that is available here."

Community Broadband Networks (via Christopher!)

US carriers fight law that would force them to see a warrant before giving your data to cops

The California Location Privacy Bill (SB 1434) proposes to require cellular phone companies to stop their practice of giving your location data to the police without a warrant. Phone companies would still be allowed to give your information to the police if they got a warrant, first.

Naturally, the CTIA -- the mobile carriers' industry association -- opposes it. They say that it will be "unduly burdensome" to have to say no when the police show up without a warrant, and to keep track of how often they give your information to the cops, and why. Cyrus Farivar has more on Ars Technica:

In an April 12, 2012 letter addressed (PDF) to State Senator Mark Leno (author of the bill), CTIA says it is opposed to SB 1434 because it may "create confusion for wireless providers and hamper their response to legitimate law enforcement investigations." The group also states that "[the bill will] create unduly burdensome and costly mandates on providers and their employees and are unnecessary as they will not serve wireless consumers."

Earlier this month, the ACLU said it received over 5,500 pages from 200 local law enforcement agencies about their tracking policies. The organization concluded that "while cell phone tracking is routine, few agencies consistently obtain warrants. Importantly, however, some agencies do obtain warrants, showing that law enforcement agencies can protect Americans' privacy while also meeting law enforcement needs." In short, it seems like law enforcement can stay within the law, even when it takes the trouble to get a warrant—how is that confusing?

Cellphone industry opposes California location privacy bill (via /.)

Why a pro-SOPA MPAA technologist changed sides and went to work for ISOC


My latest Guardian column is "Why did an MPAA executive join the Internet Society?" which digs into the backstory on the appointment of former MPAA CTO Paul Brigner as North American director of the copyright-reforming, pro-net-neutrality Network Society group, which manages the .ORG domain name registry.

I asked Brigner whether his statements about DNS blocking and seizure and net neutrality had been sincere. "There are certainly a number of statements attributed to me that demonstrate my past thoughts on DNS and other issues," he answered. "I would not have stated them if I didn't believe them. But the true nature of my work was focused on trying to build bridges with the technology community and the content community and find solutions to our common problems. As I became more ingrained in the debate, I became more educated on the realities of these issues, and the reality is that a mandated technical solution just isn't a viable option for the future of the internet. When presented with the facts over time, it was clear I had to adjust my thinking.

"My views have evolved over the last year as I engaged with leading technologists on DNSSEC. Through those discussions, I came to believe that legislating technological approaches to fight copyright violations threatens the architecture of the internet. However, I do think that voluntary measures could be developed and implemented to help address the issue.

"I will most definitely advocate on Internet Society's behalf in favor of all issues listed, and I share the organization's views on all of those topics. I would not have joined the organisation otherwise, and I look forward to advocating on its behalf."

Update: Joly sez, "After his appointment we (ISOC-NY) did pull Paul up on the carpet to explain himself - you can find the salient MPAA passage here."

Why did an MPAA executive join the Internet Society?

(Image: Stop SOPA!, a Creative Commons Attribution (2.0) image from 51295441@N07's photostream)

Mary Blair AT&T/Tomorrowland ad


On the Vintage Ads LJ group, a widescreen, two-page Mary Blair ad for AT&T and Disneyland's Tomorrowland. It's everything I love about Blair's illustration in an x-wide package. There's a 1600px+ wide version that deserves your scrutiny.

Tuesday Two-Pagers: AT&T/Disney/Mary Blair

Privacy-first ISP raising money for online services that can't and won't fink you out to spy agencies

Jon sez, "Nicholas Merrill, who previously first challenged the expansion of the National Secret Letter in the Patriot Act, is working on building an ISP infrastructure based on privacy. Help him raise funds on IndieGogo." Here's Declan McCullagh on CNet:

"The idea that we are working on is to not be capable of complying" with requests from the FBI for stored e-mail and similar demands, Merrill says.

A 1994 federal law called the Communications Assistance for Law Enforcement Act was highly controversial when it was enacted because it required telecommunications carriers to configure their networks for easy wiretappability by the FBI. But even CALEA says that ISPs "shall not be responsible for decrypting" communications if they don't possess "the information necessary to decrypt."

Translation: make sure your customers own their data and only they can decrypt it.

Merrill has formed an advisory board with members including Sascha Meinrath from the New America Foundation; former NSA technical director Brian Snow; and Jacob Appelbaum from the Tor Project.

Merrill's looking to raise $1M on IndieGogo; he got his first $28,000 overnight, and has 64 days to go. I just kicked in a hundred bucks.

This Internet provider pledges to put your privacy first. Always. (Thanks, Jon!)

FCC seeks comment on who should be allowed to shut down cellular service and when

Concerned by the San Francisco BART system's decision to suspend cellular service to frustrate coordination among protesters angered by the fatal transit police shooting of an unarmed passenger, the FCC is holding a public inquiry seeking comment on who should be allowed to order cellular service shutoffs, and when. Here's the notice, with instructions for replying. Ars Technica's Megan Geuss writes:

But the FCC's public notice also states that law enforcement personnel have raised concerns that, "wireless service could be used to trigger the detonation of an explosive device or to organize the activities of a violent flash mob," suggesting local government authorities like BART should be allowed to retain some autonomy over service in its stations.

The FCC's decision will most likely set a clear precedent for other local government agencies. So far, two electronic public comments have been posted (the FCC lets you post comments online or send them in by mail), both in favor of more severe restrictions on who can turn off cell phone service and when. "The only time it should be legal to shut down a wireless network is when it is necessary to do so to repair a defect, or when it is necessary to prevent an attack that is compromising the ability of the network to function," said one commenter, "the government and government agencies are not wise enough to judge any other scenario in which one might think about shutting down a network."

Who can shut down cell phone service? FCC seeks public comment

FCC commissioner: don't let the Internet fall into the UN's hands

FCC Commissioner Robert M. McDowell has a WSJ op-ed condemning a treaty proposed at the International Telecommunications Union, the UN agency that oversees global phone systems, which would transfer much of Internet governance to the UN.

Commissioner McDowell correctly asserts that transferring governance to the ITU would be bad for Internet freedom. There are few UN specialized agencies that are more ossified and more prone to being gamed by the world's totalitarian regimes than the ITU. One UN acquaintance of mine memorably referred to the ITU as the place "where superannuated telco bureaucrats go to die." And let's not forget the vital role that ITU designates filled in creating surveillance and censorship regimes established by the failing governments of Tunisia and Egypt (and the similar role they're likely playing in other regional nations in the midst of popular uprisings).

But it's pretty rich for someone from the Obama administration US government to go around talking about how the Internet is in danger from political interference from special interests. This is the administration that gave us SOPA and the TPP, that argues that ACTA can be put into law without an act of Congress, and that has made a habit of extrajudicially seizing .com and .net domains on the sloppy say-so of its political donors from the entertainment industry.

I agree with Commissioner McDowell that the Internet needs to be free of political interference. I agree that this won't happen at the ITU.

But that's where we part ways. McDowell describes a present-day Internet where wise American stewards neutrally steer the net's course. I see a world where political hacks and appointees from the lobbyist/regulator revolving-door are ready to destroy the Internet to maximize profits for one or another industry, and where an amok defense industry is ready to destroy whatever is left after Big Content gets through with its dirty work.

The Internet does need stewards, and the Obama administration has spectacularly demonstrated that it is unfit to carry out that stewardship.

Merely saying "no" to any changes to the current structure of Internet governance is likely to be a losing proposition. A more successful strategy would be for proponents of Internet freedom and prosperity within every nation to encourage a dialogue among all interested parties, including governments and the ITU, to broaden the multi-stakeholder umbrella with the goal of reaching consensus to address reasonable concerns. As part of this conversation, we should underscore the tremendous benefits that the Internet has yielded for the developing world through the multi-stakeholder model.

Upending this model with a new regulatory treaty is likely to partition the Internet as some countries would inevitably choose to opt out. A balkanized Internet would be devastating to global free trade and national sovereignty. It would impair Internet growth most severely in the developing world but also globally as technologists are forced to seek bureaucratic permission to innovate and invest. This would also undermine the proliferation of new cross-border technologies, such as cloud computing.

The U.N. Threat to Internet Freedom (via Reddit)

Mike D for Net Neutrality

The Beastie Boys' Michael "Mike D" Diamond is part of an AT&T investor group seeking to put a net neutrality question on the shareholder ballot: "The shareholder resolution would recommend each company 'publicly commit to operate its wireless broadband network consistent with network neutrality principles,' the letter said. The companies should not discriminate based on the “source, ownership or destination” of data sent over their wireless infrastructure." (via Consumerist) Cory

AT&T is the worst carrier in America. Again.


For the second year running, AT&T has taken top honors in the list of America's worst phone companies -- a hotly contested spot!

While AT&T's satisfaction score in 2011 wasn't as bad as its score from 2010, the Dallas-based cell phone provider, which recently discontinued its bid to acquire its better rival T-Mobile, still ranked at the bottom of the pack. Last year, AT&T was the only carrier for the Apple iPhone, but still managed to receive the lowest scores. The company issued a statement in response.

"We take this seriously and we continually look for new ways to improve the customer experience," it said. "Hard data from independent drive tests confirms AT&T has the nation's fastest mobile broadband network with our nearest competitor 20 percent slower on average nationwide and our largest competitor 60 percent slower on average nationwide. And, our dropped call rate is within 1/10 of a percent - the equivalent of just one call in a thousand - of the industry leader."

Verizon Wireless Trumps AT&T Again in Consumer Reports Survey (via /.)

(Image: $ at&t, a Creative Commons Attribution (2.0) image from zombieite's photostream)

Brochures from the companies that sell malware to governments


Ars Technica has a small gallery of the latest Wikileaks dump, consisting of brochures from companies that sell malicious software to governments for use in spying on their citizens. I spoke at length with one of the sources for these and we agreed that it was freakishly weird and scary -- I've spent the past two months in a bit of a paranoid stupor as a result. On the other hand, I have seen enough product brochures to know that companies often stretch the truth when they're pimping their products, and I wouldn't expect truth-in-advertising ethics from vichy nerds that specialize in violating the UN Declaration of Human Rights.

One product marketed by HackingTeam is the Remote Control System, malware that infects computers and smartphones in order to enable covert surveillance. The company says that its trojan can intercept encrypted communication, including Skype voice calls. They prominently advertise the fact that the malware can be installed remotely. They say that it can scale up to monitor "hundreds of thousands of targets" and is capable of being deployed to Apple, Android, Symbian, and Blackberry mobile devices.

Gallery: how the surveillance industry markets spyware to governments

Sprint loaded spyware on its Android phones

Alan sez, "TechCrunch and others are reporting that a program called 'Carrier IQ' that comes pre-installed on Sprint phones has some pretty amazing spyware capabilities, right down to keylogging everything you do on the phone."

Note the careful use of the words “record,” “provide,” “inspect,” and “report.” It’s obvious from this video that the application has access to the information in question, and whether it records, provides, inspects, or reports it is simply a setting they can choose. The purposes for which CIQ says their software is installed — identifying trending problems in the fleet, for instance — don’t seem to me to require the level of access the software has granted itself. Add this to the fact that users are not informed at any step of the fact that their information is passing through a “quality assurance” layer (sometimes before the user layer itself is aware of it), and their indignant denial begins to ring hollow.

Furthermore, as many developers have pointed out, the mere presence of the software is detrimental. Removing the software has reportedly improved performance and battery life. Furthermore, secure handshake information over wifi is passed through the software unencrypted, something that has little to do with carrier quality assurance. And if that information is cached even temporarily, that’s a security risk.

CarrierIQ, makers of the rootkit/spyware, threatened legal action against Trevor Eckhart, the researcher who reported on this, and backed down after EFF took up his case.

Carrier IQ Video Shows Alarming Capabilities Of Mobile Tracking Software (Thanks, Alan!)
