Archive for the ‘Internet Snooping’ Category

Read more bw.htm at MelonFarmers.co.uk

urban dictionary logoThe mobile phone companies use an algorithmic approach to the blocking of websites for mobile device users who are under 18 or else adults who have not got themselves verified as adults.The BBFC acts to decide appeals against the phone company decisions. Note that the only options available to the BBFC are for websites to made available to all or else restricted to verified adults.

The BBFC commendably publish these appeal decisions.

From the latest batch of two appeals in the preceding 3 months, the BBFC have considered

Urban Dictionary

The Urban Dictionary provides factual definitions of slang terms which often involves string language and sex references. For Example:

Censorshit

the idea that censorship is bullshit….nothing needs to be censored…..if you don’t want to watch swearing, violence, or sexual content, DON’T WATCH IT! simple as that…..nobody is making you watch it…..they have disclaimers for a reason….and if you don’t want your kids watching that shit, tell your kids what they can and cannot watch…..and if they don’t listen to you then you are a bad parent for not teaching your kids to do what you say.

every time i watch tv there’s nothing but censorshit everywhere.

that movie sucked because of the censorshit.

The BBFC advised that the website should be blocked to under 18s, explaining:

We noted that it was an online dictionary of slang words and phrases. While a broad range of terms were explained (with definitions from a broad range of contributors), we found that very strong language and sex references were present in a significant minority of these explanations. Sex references included crude descriptions of activities including masturbation, oral sex, and urination and defecation during sex. In addition, there were references to rape and paedophilia, and definitions of discriminatory terms, which were delivered in an irreverent tone intended to shock or amuse. Given the crude and potentially offensive nature of this content, and the lackof context that accompanied it, we did not consider the website suitable for people under the age of 18.

It seems bizarre that teenagers should be blocked from a dictionary explaining their own terms, but there you go, that’s censorshit for you.

Read more awwb.htm at MelonFarmers.co.uk

Amazon Echo - BlackAmazon has refused to hand over recordings from an Echo smart speaker to US police investigating a murder in Arkansas. Police issued a warrant to Amazon to turn over recordings and other information associated with the device.Amazon twice declined to provide the police with the information they requested from the device, although it did provide account information and purchase history.

Although the Echo is known for having always-on microphones to enable its voice-controlled features, the vast majority of the recordings it makes are not saved for longer than the few seconds it takes to determine if a pre-set wake word (usually Alexa ) has been said. Only if that wake word has been heard does the device’s full complement of microphones come on and begin transmitting audio to Amazon.

However the police pursuit of the data suggests there is more of interest up for grabs than Amazon is admitting.

Amazon’s reluctance to part with user information fits a familiar pattern. Tech companies often see law enforcement requests for data as invasive and damaging to an industry. It is clearly an issue for sales of a home microphone system if it is easy for the authorities to grab recordings.

Other devices have also been good data sources for police investigations.  Wristwatch-style Fitbit activity trackers have cropped up in a few cases eg for checking alibis against sleep patterns or activity.

A smart water meter has also been used in a murder case as evidence of a blood clean up operation,

Read more eu.htm at MelonFarmers.co.uk

The European Court of Justice has passed judgement on several linked cases in Europe requiring that ISP retain extensive records of all phone and internet communications. This includes a challenge by Labour’s Tom Watson. The court wrote in a press release:

european court of justice logoThe Members States may not impose a general obligation to retain data on providers of electronic communications services

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.

In today’s judgment, the Court’s answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data.

The Court confirms first that the national measures at issue fall within the scope of the directive. The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures taken by all persons other than users, whether by private persons or bodies, or by State bodies.

Next, the Court finds that while that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in particular to the prohibition on storage of data laid down by that directive, becoming the rule.

Further, the Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is strictly necessary. The Court applies that case-law to the rules governing the retention of data and those governing access to the retained data.

The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.

The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.

The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia, providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.

The Court makes clear however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse. The legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that the scope of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is likely to reveal a link with serious criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.

As regards the access of the competent national authorities to the retained data, the Court confirms that the national legislation concerned cannot be limited to requiring that access should be for one of the objectives referred to in the directive, even if that objective is to fight serious crime, but must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data. That legislation must be based on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data. Access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be inferred that that data might, in a specific case, make an effective contribution to combating such activities.

Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, the competent national authorities to whom access to retained data has been granted must notify the persons concerned of that fact.

Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period.

The view of the authorities

david andersonDavid Anderson, the Independent Reviewer of Terrorism Legislation gives a lucid response outlining the government’s case for mass surveillance. However the official justification is easily summarised as it clearly assists in the detection of serious crime. He simply does not mention that the government having justified grabbing the data on grounds of serious crime detection, will share it willy nilly with all sorts of government departments for their own convenience, way beyond the reasons set out in the official justification.

And when the authorities talk about their fight against ‘serious’ crime, recent governments have been updating legislation to redefine practically all crimes as ‘serious’ crimes. Eg possessing a single spliff may in practice be a trivial crime, but the law on possession has a high maximum sentence that qualifies it as a ‘serious’ crime. It does not become trivial until it goes to court and the a trivia punishment has been handed down. So using mass snooping data would be easily justified to track down trivial drug users.

See  article from terrorismlegislationreviewer.independent.gov.uk

The Open Rights Group comments

See  article from openrightsgroup.org

open rights group 2016 logoThe judgment relates to a case brought by Deputy Leader of the Labour Party, Tom Watson MP, over intrusive data retention powers. The ruling says that:

  • – Blanket data retention is not permissible
  • – Access to data must be authorised by an independent body
  • – Only data belonging to people who are suspected of serious crimes can be accessed
  • – Individuals need to be notified if their data is accessed.

At present, none of these conditions are met by UK law.

Open Rights Group intervened in the case together with Privacy International, arguing that the Data Retention and Investigatory Powers Act (DRIPA), rushed through parliament in 2014, was incompatible with EU law. While the Judgment will no longer affect DRIPA, which expires at the end of 2016, it has major implications for the Investigatory Powers Act.

Executive Director Jim Killock said:

The CJEU has sent a clear message to the UK Government: blanket surveillance of our communications is intrusive and unacceptable in a democracy.

The Government knew this judgment was coming but Theresa May was determined to push through her snoopers’ charter regardless. The Government must act quickly to re-write the IPA or be prepared to go to court again.

Data retention powers in the Investigatory Powers Act will come into effect on 30 Dec 2016. These mean that ISPs and mobile phone providers can be obliged to keep data about our communications, including a record of the websites we visit and the apps we use. This data can be accessed by the police but also a wide range of organisations like the Food Standards Agency, the Health and Safety Executive and the Department of Health.

Read more gcnews.htm at MelonFarmers.co.uk

arms of the british governmentjpg logoAmong the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand technical changes to software and systems.

Communications Service Providers (CSP) subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

As per the final wording of the law, comms providers on the receiving end of a technical capacity notice will be obliged to do various things on demand for government snoops — such as disclosing details of any system upgrades and removing electronic protection on encrypted communications.

Read more awwb.htm at MelonFarmers.co.uk

android logoKryptowire, a security firm, recently identified several models of Android mobile devices that have preinstalled permanent software that serves as backdoor collecting sensitive personal data, including text messages, geolocations, contact lists, call logs, and transmits them to a server in Shanghai, China.

Without users’ consent, the code can bypass Android’s permission model. This could allow anyone interested in a mobile user’s data — from government officials to malicious hackers — to execute remote commands with system privileges and even reprogram the devices.

The firmware was developed by Chinese company Shanghai ADUPS Technology Company. ADUPS confirmed the report with a bollox statement claiming that it was somehow to do with identifying junk texts.

Kryptowire’s research reveals that the collected information was protected with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. The data transmission occurred every 72 hours for text messages and call log information, and every 24 hours for other personally identifiable information.

ADUPS also explained that the “accustomed” firmware was ‘accidentally’ built into 120,000 mobile products of one American phone manufacturer, BLU Products. After BLU raised the issue, ADUPS explained that the software was not designed for American phones and deactivated the program on Blu phones.

The news has been widely reported in foreign media as ADUPS is among the largest FOTA (firmware over the air) providers in the world. The company provides a cloud platform for mobile device management to over 700 million active users in 200 countries, which is equivalent to 70% of the global market share as it works closely with the world largest cheap mobile phone manufacturers ZTE and Huawei, both of which are based in China. In 2015 alone, Huawei sold more than 100 million smartphones.

Chinese netizens have not been surprised by the news. Reports about spyware preinstalled in Chinese mobile brands have circulated for many years among mainland and overseas Chinese speaking-communities. In 2014, Hong Kong Android Magazine reported that Xiaomi’s smartphones designed for overseas markets were automatically connecting to an IP in Beijing and that all documents, SMS and phone logs, and video files downloaded were being transmitted to a Beijing server.

In 2015, Germany-based security company G-Data also found out that at least 26 Android mobile brands had preinstalled spyware in their smartphones. The three biggest Chinese smartphone manufacturers, Xiaomi, Huawei and Lenovo were all listed.

China’s newly passed Cybersecurity Law has provided legal ground for the smartphone’s backdoor operation. The law requires “critical information infrastructure operators” to store users’ “personal information and other important business data” in China.

In response to the news, many Chinese netizens are pointing out the abusive use of personal data and government surveillance has become the norm.

Read more Liberty News at MelonFarmers.co.uk

at and t logo AT&T developed a product for spying on all its customers and made millions selling it to warrantless copsAT&T’s secret Hemisphere product is a database of calls and call-records on all its customers, tracking their location, movements, and interactions — this data was then sold in secret to American police forces for investigating crimes big and small (even Medicare fraud), on the condition that they never reveal the program’s existence.

The gag order that came with the data likely incentivized police officers to lie about their investigations at trial — something we saw happen repeatedly in the case of Stingrays, whose use was also bound by secrecy demands from their manufacturers. Because the data was sold by AT&T and not compelled by government, all of the Hemisphere surveillance was undertaken without a warrant or judicial review (indeed, it’s likely judges were never told the true story of where the data being entered into evidence by the police really came from — again, something that routinely happened before the existence of Stingray surveillance was revealed).

The millions given to AT&T for its customers’ data came from the federal government under the granting program that also allowed city and town police forces to buy military equipment for civilian policing needs. Cities paid up to a million dollars a year for access to AT&T’s customer records.

A statement of work from 2014 shows how hush-hush AT&T wants to keep Hemisphere:

The Government agency agrees not to use the data as evidence in any judicial or administrative proceedings unless there is no other available and admissible probative evidence.

But those charged with a crime are entitled to know the evidence against them come trial. Adam Schwartz, staff attorney for activist group Electronic Frontier Foundation, said that means AT&T may leave investigators no choice but to construct a false investigative narrative to hide how they use Hemisphere if they plan to prosecute anyone.

EFF is suing the US government to reveal DoJ records on the use of Hemisphere data.

Read more UK Parliament Watch at MelonFarmers.co.uk

House of Commons logo The UK government has introduced an amendment to the Investigatory Powers Bill currently going through Parliament, to make ensure that data retention orders cannot require ISPs to collect and retain third party data. The Home Office had previously said that they didn’t need powers to force ISPs to collect third party data, but until now refused to provide guarantees in law.Third party data is defined as communications data (sender, receiver, date, time etc) for messages sent within a website as opposed to messages sent by more direct methods such as email. It is obviously a bit tricky for ISPs to try and decode what is going on within websites as messaging data formats are generally proprietary, and in the general case, simply not de-cypherable by ISPs.

The Government will therefore snoop on messages sent, for example via Facebook, by demanding the communication details from Facebook themselves.