Tag Archives: Privacy

Google’s transparency report shows US second only to Brazil in court-ordered removal requests

Google has published another transparency report, showing the number of court, police and other requests for data removal that they’ve received over a six-month period. The report includes a blog post and a handily filterable chart. The results? Well, surprising or not, the United States is second only to Brazil in the number of court-ordered removal requests to Google’s offices. And whereas Google complied with 69% of Brazil’s requests, they complied with only 40% of the US requests.

On the subject of police and other requests, the United States stands in third place behind South Korea and, leading the pack, India. Clearly, India has some unreasonable requests, as Google complied with only twenty percent. But they complied with 80% of S. Korea’s requests compared to a dismal 44% of the US requests.

It’s hard to get too worked up over these numbers, as we’re accepting a private company’s interpretation of law and privacy. It would also be interesting to see these same numbers normalized by population: it’s hard to imagine a scenario where Switzerland would make more removal requests than the United States, given the huge difference in population. There is also a potential content disparity: studies have estimated that 68% of content on the web is in English, with a large share of that coming from the United States. Mo pages, mo problems.

Still, it does make me curious just what the United States is requesting and which branches and levels of our government are making these requests. It would be easy – and misguided – to assume that the Black Helicopter crew at the NSA was secretly conducting cyber-info-warfare on the populace. But since the report does not differentiate between federal and local governments, it’s hard to know exactly where the requests are coming from.

Government – Google Transparency Report

Like other technology and communications companies, Google regularly receives requests from government agencies and courts around the world to remove content from our services. In this report, we disclose the number of requests we receive from each government in six-month periods with certain limitations.

Game theory: how RIT students beat some of IT security’s best minds.

On March 9th, an RIT team traveled to Franklin, Massachusetts to compete in the annual Northeast Collegiate Cyber Defense Competition. The competition tests students on their ability to protect computers and networks from hackers and viruses on the Internet. Without protection, a company’s private information could be stolen and released, or its network could be destroyed.

Upon arrival at the event, all 12 teams participating in the regional competition had their cell phones, cameras, USB drives and all other electronics taken away for the weekend. Each group of 8 was put in a room with 8 desktop computers, a router switch and a printer network for a total of 20 hours over the three-day weekend. Their mission was to hypothetically replace the previous IT team of a small company and make sure that their client, a blog site, was constantly up and running and safe from attacks by the “Red Team.” The “Red Team” was made up of a group of professionals who were assigned to break into the systems and networks of the fake companies that the students were required to protect.

“The first fifteen minutes are critical because everything is wide open with no security in place,” 4th year Applied Network Systems Administration student Jeremy Pollard said. “Getting those first couple of actions to muscle memory is crucial.”

The RIT team set up triggers and alarms to monitor the network traffic, logging whether each connection came from an ordinary website visitor or from someone trying to break into an account. They used firewalls to protect the inbound and outbound traffic and were required to defend all outward-facing nodes, storage, the website, email and the network printer.

“In addition to securing the company’s current infrastructure,” 4th year Information Security and Computer Forensics student Neil Zimmerman explained, “we were required to build upon it by implementing new technologies, and to write policies to ensure future safety.”

For each attack that got through their system the team lost points. In order to gain these points back, the team had to complete an “incident response report” explaining what happened and how they fixed it.

The team believes they had a leg up on the competition because their teammate, 4th year Information Security and Forensics major Griffith Chaffee, competed on last year’s winning team. They also credit the fact that they were taught how to configure systems and networks in school, whereas other teams only knew how to program.

“We had experience from extensive lab work and co-ops,” Pollard said. “Other teams didn’t have any job experience,” Zimmerman agreed.

Although beating teams like Harvard University in the Northeast regional competition was a “nice feeling,” returning member Chaffee says the team still has a lot to prepare for.

“The computers outnumber you,” Chaffee said. “There are 12-16 computers so you really have to manage resources. Also, the red team is much, much better. The best in the business.”

So until the National round in April, the RIT team will be spending their free time practicing and learning things that they aren’t too familiar with. The team has also ordered new equipment to study and will practice having teammates take over for each other if one should become too overwhelmed.

“We are all from various backgrounds so we divide up work really well,” Zimmerman said.

They will be competing for the national title in Texas against nine other regional winners, including Texas A&M University, Air Force Academy, UNC Charlotte and last year’s winner, University of Washington.

In #Wegmans pine nut Salmonella outbreak, CDC reports Shopper’s Club cards analyzed.

The most recent CDC report on the Salmonella outbreak linked to pine nuts sold at Wegmans states that 42 people are known to have been infected and two hospitalized. Those affected either bought the pine nuts in bulk sections of the store or ate prepared foods with pine nuts in them: specifically, Caprese salads and asparagus with pine nuts, including pesto.

The report notes that, while they’re treating all 42 people as a group, only 39 had information available and, of those, 25 positively reported eating pine nuts from Wegmans. They know this in part because the affected people’s Shopper’s Club cards appear to have been analyzed. Per the report:

Early in the investigation, shopper card information was collected and used to identify which specific products to suspect as sources of illness. Ill persons gave permission for public health officials to retrieve shopper card purchase information. A review of shopper card records identified that ill persons had purchased the same type of Turkish pine nuts from bulk bins at different locations of Wegmans grocery stores before becoming ill.

To find out more about the Wegmans pine nut recall – which includes bulk pine nuts sold in New York, Pennsylvania, New Jersey, Virginia, and Maryland – see their corporate page here. The recall does not include pestos.

For its part, the CDC is recommending that shoppers not eat any pine nuts bought in bulk at Wegmans between July 1, 2011 and October 18, 2011, including those items that contain pesto, since pesto is made with pine nuts as well. For more information from the CDC, check the link below:

CDC – November 3, 2011 – Salmonella Enteritidis Infections Linked to Turkish Pine Nuts.

How young is too young for #Facebook? Parents fake kids ages to get them accounts.

Would you let your kids lie about their age to get into an adult website? Probably not, but new research finds that a lot of parents are helping their kids get onto Facebook by lying about their ages.

Danah Boyd, the lead researcher on the project, suggests that the reason is an unintended consequence of the COPPA act: the Children’s Online Privacy Protection Act. Because the act requires a parent’s permission to enter commercial sites that require registration, many companies, including Facebook, have opted to simply not allow children under the age of 13 to have an account, period. Because many parents would like their kids to have Facebook accounts, they’re lying about their kids’ ages:

Many general-purpose communication platforms and social media sites restrict access to only those 13+ in response to a law meant to empower parents: the Children’s Online Privacy Protection Act (COPPA). This forces parents to make a difficult choice: help uphold the minimum age requirements and limit their children’s access to services that let kids connect with family and friends OR help their children lie about their age to circumvent the age-based restrictions and eschew the protections that COPPA is meant to provide.

It’s probably easier to let grammy know what the kiddos are doing by letting them post to Facebook than by sending an email because, well, who uses email any more? But allowing kids to post their goings-on online presents all manner of privacy concerns. Not to mention the notion that future employers of your 12-year-old get to read their entire life’s history.

In many ways, this puts the general problem of online privacy for all people in sharp relief, simply by highlighting the problem for kids. If participation in social networking is now becoming part of the norm, participation becomes compulsory in many ways. For more on the study, read the report linked below:

Why parents help their children lie to Facebook about age: Unintended consequences of the ‘Children’s Online Privacy Protection Act’ – Danah Boyd, University of Illinois at Chicago.

What a 24 yo German lawyer knows about what you’re doing on Facebook

Think you deleted that message about scoring pot from your buddy on Facebook? You might be surprised to find out that no, you didn’t. Quick: smoke now, before the cops show up. I’ll wait.

You cool? Ok, so here’s what a German law student discovered about the information Facebook’s got on you. Not only did he find 1200 printed pages of documentation on himself, but he also discovered messages sent through Facebook which he had “deleted.” Those messages still existed, but were flagged as ‘deleted.’ In other words: while the law student could no longer see the message, anybody else with access to this data could. And he found out that it was all available through a form on the web:

IdentityBlog – Digital Identity, Privacy, and the Internet’s Missing Identity Layer.

While I’m not at all immune to paranoia under certain conditions, I’m not inclined to think of this as a show-stopper. The fact is: data such as this is already being collected about you every day. Google Analytics tracks what many would find a frightening amount of information on you just from your visiting a website. Now Facebook is doing so as well.

In fact, as we go forward, I’m finding it hard to even accept the idea of some sort of universal data retention law. The sheer volume of data available and shared on a day-to-day basis seems to make the concept impractical, requiring not just Facebook but any owner of any website to delete massive amounts of data on a regular basis or be subject to, dare I say it, “privacy trolls.”

What the article points to, if nothing else, is the lack of understanding we have for what data actually is. You cannot make an educated decision about how your data should be kept private or not without understanding what data actually is and means.

German police use trojan snooper that bounces data to US servers.

Consider this the next time you want to browse a German language website: the German government might just end up with access to your computer. Reading the excellent Schneier on Security blog, I ran across the latest in what appears to be a long-standing fight among German police forces to allow them to snoop computers using different types of malware and trojans. Bundestrojaner, they call those.

The hacking website Chaos Computer Club has discovered a new form of this malware that takes screenshots of the infected computer’s currently-open window, sending that image along to the police. But in what seems like an attempt to evade detection by other law enforcement, the information is bounced to an American server first. Data laundering, you might call that.

This data transfer almost certainly violates both German and US law. But the fun doesn’t stop there: the team that reverse engineered the trojan also discovered the ability to remotely install other software on command. So, not only do German police have the ability to watch what you’re doing on your own machine, but they can install software that might allow them remote access.

It is doubtful that the laws violated by this trojan will be enforced, though we may hope that the German government has enough politicians with an electoral interest in personal privacy to kill the program. But such software has the potential to open up embarrassing and uncomfortable confrontations between many governments, as both law enforcement and military interests continue to seek out purchase on the digital realm. In such an environment, what constitutes a military program or a civilian police program is murky at best.

CCC | Chaos Computer Club analyzes government malware

What’s on that memory card you got, there?

Reporting today out of the Internet Storm Center (basically a watchdog group for Internet security concerns) discusses the curious problems associated with the now-ubiquitous use of SSD memory in electronic devices.

Whereas in the past, spinning disk drives like your PC’s hard drive left traces of old data even after you “formatted” the drive, giving forensic investigators a lead towards sensitive information, SSD drives do not necessarily even leave data on the drive moments after it’s deleted. This is because of systems built into the storage units that are meant to continually compact and organize data on the drive for maximum space. Rather than you or your phone/camera/Roomba having to tell your memory card to “defrag,” the memory card does it all for you.

That sounds good for your personal privacy, right? Right, except that the opposite is equally true: you also cannot reliably erase data off an SSD card through conventional means, because the card itself manages the data. “Erase” data, and the card interprets the data as useless, erasing it at the first available moment. But what if that moment doesn’t come?
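To make the "first available moment" concrete, here is a toy model of a flash translation layer, added as an illustration and not code from the Internet Storm Center post or any real SSD firmware. It assumes a simplified design (out-of-place writes, a TRIM-style delete that only invalidates a mapping, and garbage collection that runs lazily); real controllers are far more complex, but the point survives: overwriting or deleting a logical block leaves the old bytes on a physical page until garbage collection actually erases it, and nothing outside the controller can force that moment.

```python
"""Toy flash translation layer (FTL), added as an illustration only.

Simplified model, not real SSD firmware: shows why a host-side "overwrite"
or "delete" of a logical block does not remove the old bytes from the
physical medium until the controller's garbage collector gets around to it.
"""


class ToyFlash:
    def __init__(self, pages=8):
        self.phys = [None] * pages     # physical pages: bytes, or None if erased
        self.valid = [False] * pages   # does the page hold current (mapped) data?
        self.l2p = {}                  # logical block address -> physical page
        self.gc_runs = 0

    def _free_page(self):
        for i, p in enumerate(self.phys):
            if p is None:
                return i
        return None

    def write(self, lba, data: bytes):
        """Out-of-place write: new data lands on a fresh page; the old page is
        merely marked invalid, its bytes untouched until garbage collection."""
        page = self._free_page()
        if page is None:
            self.garbage_collect()     # only now does the controller reclaim space
            page = self._free_page()
            if page is None:
                raise RuntimeError("flash full: no invalid pages to reclaim")
        old = self.l2p.get(lba)
        if old is not None:
            self.valid[old] = False
        self.phys[page] = data
        self.valid[page] = True
        self.l2p[lba] = page

    def trim(self, lba):
        """Host-side 'delete' (TRIM-like): drop the mapping, invalidate the page.
        The bytes stay on the medium."""
        page = self.l2p.pop(lba, None)
        if page is not None:
            self.valid[page] = False

    def read(self, lba):
        """What the host sees: only mapped (valid) data is readable."""
        page = self.l2p.get(lba)
        return None if page is None else self.phys[page]

    def garbage_collect(self):
        """Erase every invalid page. This is the 'first available moment' the
        text refers to; the host cannot schedule it."""
        self.gc_runs += 1
        for i, p in enumerate(self.phys):
            if p is not None and not self.valid[i]:
                self.phys[i] = None

    def forensic_dump(self, needle: bytes):
        """What a chip-off reader sees: every physical page, mapped or not,
        that still contains `needle`."""
        return [i for i, p in enumerate(self.phys) if p is not None and needle in p]


def demo():
    """Constructed scenario: write a secret, overwrite it, delete it, then GC.
    Returns the physical pages still holding the secret after each step."""
    f = ToyFlash(pages=4)
    f.write(0, b"secret-photo")
    f.write(0, b"zeros-zeros-")          # host believes the block is overwritten
    after_overwrite = f.forensic_dump(b"secret")
    f.trim(0)                             # host believes the file is deleted
    after_trim = f.forensic_dump(b"secret")
    f.garbage_collect()                   # the moment the host cannot force
    after_gc = f.forensic_dump(b"secret")
    return after_overwrite, after_trim, after_gc


if __name__ == "__main__":
    print(demo())  # ([0], [0], []): secret survives overwrite and delete, dies only at GC
```

The host-visible `read()` returns the new data immediately after the overwrite and `None` after the trim, which is exactly why conventional "wipe" tools report success: they only ever see the logical view. The `forensic_dump()` path is the one a lab sees when it reads the flash chips directly, and it is the reason the text's advice about not trusting conventional erasure on SSDs holds.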

For more details, check this link and the attached studies.

Are cops tracking your phone?

The short answer is yes, they do track your phone if you become somehow involved in an investigation. And without a warrant, that’s supposed to be unconstitutional. A new court victory for the Electronic Frontier Foundation is getting us one step closer to our legal system honoring our Constitution where technology is concerned:

FOIA Victory Will Shed More Light on Warrantless Tracking of Cell Phones | Electronic Frontier Foundation.

The D.C. Circuit Court of Appeals ruled on Tuesday (pdf) that the government must turn over information from criminal prosecutions in which federal law enforcement agencies obtained cell-site location information without a warrant. The suit, filed as part of EFF’s FLAG Project and in conjunction with the ACLU, sought the release of the case numbers and case names in which the government had tracked the location of a person’s cell phone without obtaining a warrant.

Google Plus: What’s in a (Pseudo)nym?

This weekend, many Google Plus users got a rude awakening when they discovered that their Google Plus user accounts – along with all other associated Google Accounts – had been unceremoniously deleted from the Google system, without the slightest notification or recourse. The reason, as explained in a CNet news piece, is that Google would like to maintain a friendly air at Google Plus and therefore prefers real names:

Why Google+ requires real names | Digital media – CNET News:

In a reported conversation Sunday night with tech blogger Robert Scoble, Google’s senior vice president of social, Vic Gundotra, acknowledged that Google has made mistakes in its first pass with Google+. But he explained that the requirement to use real names is an attempt to set a positive tone, “like when a restaurant doesn’t allow people who aren’t wearing shirts to enter.”

The comparison to a restaurant’s shirt and shoes policy is cute but not at all apt. There are perfectly legitimate sanitary concerns about walking around barefoot in a restaurant, plus half-naked Baby Boomers do not belong anywhere near my garbage plate, thank you very much.

Using a real or assumed name on the Internet is a trickier issue. One of the luxuries of being on the Internet is the ability to remain anonymous, and I think we eliminate anonymity on the Internet at our peril. It is easy to discount the importance of not being associated with an account when we see trolls on websites, but the reality is that, whether looking into deeply personal medical information or just wanting more information of a type that might hurt one’s relationships or career, there are plenty of times when the freedom not to have to identify yourself is paramount. And it’s important also to remember that, whereas in the past you simply looked at websites completely anonymously anyway, the social nature of the modern Internet means you can’t ever really be sure which sites are hooked into which of your social networks.

Put it another way: if Google’s intent is to allow you to maintain your own personal data and keep privacy as you see it, then Google also has to acknowledge that your identity is itself a piece of personal data. To be shared or kept private.

Rupe’s Peeps Contact Yankee PI for 911 Details on 912

Via CNET Security News

When this story originally broke, I was under the impression that 911 victims had possibly been hacked maybe a few years *after* the attack. Now the suggestion – reported by the Daily Mail out of the UK – is that no, the hacking attempts began the day of the attack. From the CNET article:

via FBI investigating News Corp. over 9/11 claims | The Digital Home – CNET News.

Until earlier this week, the U.S. had remained out of the scandal in Britain surrounding News Corp. over cell phone hacking. However, the Daily Mail in the U.K. reported on Monday that News Corp.-owned News of the World, a British tabloid, had contacted a private investigator and former New York police officer to try to hack phone data of British victims of the September 11 attacks. The Daily Mail said that the investigator, who was contacted in the wake of the horrific event, refused to do so.

Emily Good: A Word on Cameras, in General

It’s probably easier to assume that anybody you come into contact with has a camera on them than to wonder. Every phone takes photos and videos these days, and your entire world is potentially being videotaped.

Which makes privacy laws concerning video pretty impossible to enforce. This is important in the context of the Emily Good incident because it may well be the “secret” taping of the officer that comes into question once this goes to court. It’s not supposed to be legal to film people without their consent, but in the context of our modern era, it’s commonplace.

It’s also commonplace for police cruisers to have cameras mounted in their dashes and for stop lights to have cameras monitoring them. But there’s no sign that says “this light is being video recorded,” nor am I allowed to ask that a videotape of me getting pulled over be erased. Why not? Isn’t that illegal?

Black Boxes for your Car? Washington Says They’re Coming

This has been a pretty quiet thing up till now, but I suspect it will get noisier soon. New Federal regulations now require that all new cars have a Black Box, à la airplanes, installed in them. The idea is to be able to reconstruct the events prior to an accident:

New Federal Rules To Require Black Boxes to Record Driver Activity in Every Car | Popular Science.

To the extent that they can clarify the events leading up to an accident – which may point to anything from alcohol intoxication to malfunctions in equipment – this seems like a good thing. But it’s also a privacy issue that needs to be addressed. How long is this data being stored and who has access to it?

There is also an issue of data interpretation: the fact that certain conditions were present at the time of an accident does not necessarily mean that a single conclusion can be drawn from them. Add to that, as the article points out, the fact that your phone is tracking you too, and it starts to look a whole lot less benign.