Archive for the ‘Internet Snooping’ Category

Read more awwb.htm at MelonFarmers.co.uk

A challenge to GCHQ’s use of non-specific warrants to authorise the bulk hacking of smartphones, computers and networks in the UK is starting at the court of appeal. The case, brought by the campaign group Privacy International (PI), is the latest twist in a protracted battle about both the legality of mass snooping and the primacy of civil courts over an intelligence tribunal that operates partly in secret.

The original claim dates back to 2014 and was brought at the investigatory powers tribunal (IPT) following revelations by the American whistleblower Edward Snowden. The IPT hears complaints about government surveillance and the intelligence services. Some of its hearings are held behind closed doors.

PI, along with seven internet service providers, argued that computer network exploitation (CNE) carried out by GCHQ, the government monitoring station in Cheltenham, breaches human rights.

Read more inap.htm at MelonFarmers.co.uk

Residents of Xinjiang, an ethnic minority region of western China, are being forced to install spyware on their mobile phones. On July 10, mobile phone users in the Tianshan District of Urumqi City received a mobile phone notification from the district government instructing them to install a surveillance application called Jingwang (or Web Cleansing). The message said the app was intended to prevent [them] from accessing terrorist information.

But authorities may be using the app for more than just counter-terrorism. According to an exclusive report from Radio Free Asia, 10 Kazakh women from Ili Kazakh Autonomous Prefecture were arrested for messages sent to a private WeChat group chat soon after they installed the app.

The notification from police said the application would locate and track the sources and distribution paths of terrorists, along with illegal religious activity and harmful information, including videos, images, ebooks and documents.

Jingwang’s website describes the application as follows:

Jingwang is a protection service with an adult and child categorization system introduced by Jiangsu Telecom. The main function is to block pornographic websites, online scams, trojan horses, and phishing sites; to alert users of how much time they spend online; and to enable remote control of one’s home network. The tool is intended to help kids develop a healthy lifestyle by building a safe web filter for the minors.

Of course, any tool with these capabilities could be used in multiple ways. For example, the app’s remote control feature could enable state actors or even hackers to manipulate or steal from a person’s home network.

The move is consistent with other measures of control over digital activities in the region. While stories of digital censorship in China often focus on the experiences of users in major cities in the east and south, the reality is often more bleak for those living in remote, embattled ethnic minority regions such as Xinjiang and Tibet. Seeking to contain unrest and discontent in conflict areas, authorities often impose extreme censorship and surveillance measures and routine Internet shutdowns.

Authorities from Xinjiang are checking to make sure that people are using the official Jingwang application. A mobile notification demanded people install the app within 10 days. If they are caught at a checkpoint and their devices do not have the software, they could be detained for 10 days. This is a setback on the development of technology. They forced people to use devices designed for the elderly. It is a form of confinement through surveillance technology. We are back to Mao’s China.

Images from mainland China also posted a product description of Jingwang which explained that the tool can negate the password requirement of a Windows operating system and access the computer hard disk with no restrictions. Once installed with Jingwang, computers and mobiles in Xinjiang would become electronic handcuffs.

Read more uk_internet_censors.htm at MelonFarmers.co.uk

A Freedom of Information request to the DCMS has revealed that porn company MindGeek suggested that the BBFC should potentially block millions of porn sites if they didn’t comply with Age Verification requirements outlined in the Digital Economy Act.

MindGeek, who are also developing Age Verification technology, said that the Government’s plans to prevent children from seeing pornography would not be effective unless millions of sites could be blocked.

Notes made by the company and sent to the DCMS state:

A greylist of 4M URLs already exists from Sky, but let’s assume that’s actually much smaller as these URLs will, I suspect, be page-level blocks, not TLDs. The regulator should contact them all within that 12 months, explaining that if they do not demonstrate they are AV ready by the enforcement date then they will be enforced against. On the enforcement date, all sites on the greylist turn black or white depending upon what they have demonstrated to the regulator.

Corey Price, VP of Pornhub, separately noted:

It is our corporate responsibility as part of the global tech community to promote ethical and responsible behavior. We firmly believe that parents are best placed to police their children’s online activity using the plethora of tools already available in modern operating systems. The law has the potential to send a message to parents that they no longer need to monitor their children’s online activity, so it is therefore essential that the Act is robustly enforced.

Despite the law, those seeking adult content can still circumvent age verification using simple proxy/VPN services. Consequently the intent of the legislation is to only protect children who stumble across adult content in an un-protected environment. There are over 4 million domains containing adult content, and unless sites are enforced against equally, stumbling across adult content will be no harder than at present. If the regulator pursues a proportionate approach we may only see the Top 50 sites being affected - this is wholly unacceptable as the law will then be completely ineffective, and simply discriminate against compliant sites. We are therefore informing, and closely monitoring the development of the regulations, to be published later this year, to see if they achieve the intended goals of the Act.

MindGeek could stand to gain commercially if competitor websites are blocked from UK visitors, or if the industry takes up their Age Verification product.

Executive Director of Open Rights Group, Jim Killock said:

There is nothing in the Act to stop the BBFC from blocking 4.6 million pornographic websites. The only constraint is cash.

This leaves the BBFC wide open to pressure for mass website blocking without any need for a change in the law.

When giving evidence to the Public Bill Committee, the chief executive of the British Board of Film Classification, David Austin, implied that only tens of sites would be targeted:

We would start with the top 50 and work our way through those, but we would not stop there. We would look to get new data every quarter, for example. As you say, sites will come in and out of popularity. We will keep up to date and focus on those most popular sites for children.

Read more bw.htm at MelonFarmers.co.uk

The mobile phone companies use an algorithmic approach to the blocking of websites for mobile device users who are under 18 or else adults who have not got themselves verified as adults. The BBFC acts to decide appeals against the phone company decisions. Note that the only options available to the BBFC are for websites to be made available to all or else restricted to verified adults.

The BBFC commendably publish these appeal decisions.

From the latest batch of two appeals in the preceding 3 months, the BBFC have considered

Urban Dictionary

The Urban Dictionary provides factual definitions of slang terms which often involve strong language and sex references. For example:

Censorshit

the idea that censorship is bullshit….nothing needs to be censored…..if you don’t want to watch swearing, violence, or sexual content, DON’T WATCH IT! simple as that…..nobody is making you watch it…..they have disclaimers for a reason….and if you don’t want your kids watching that shit, tell your kids what they can and cannot watch…..and if they don’t listen to you then you are a bad parent for not teaching your kids to do what you say.

every time i watch tv there’s nothing but censorshit everywhere.

that movie sucked because of the censorshit.

The BBFC advised that the website should be blocked to under 18s, explaining:

We noted that it was an online dictionary of slang words and phrases. While a broad range of terms were explained (with definitions from a broad range of contributors), we found that very strong language and sex references were present in a significant minority of these explanations. Sex references included crude descriptions of activities including masturbation, oral sex, and urination and defecation during sex. In addition, there were references to rape and paedophilia, and definitions of discriminatory terms, which were delivered in an irreverent tone intended to shock or amuse. Given the crude and potentially offensive nature of this content, and the lack of context that accompanied it, we did not consider the website suitable for people under the age of 18.

It seems bizarre that teenagers should be blocked from a dictionary explaining their own terms, but there you go, that’s censorshit for you.

Read more awwb.htm at MelonFarmers.co.uk

Amazon has refused to hand over recordings from an Echo smart speaker to US police investigating a murder in Arkansas. Police issued a warrant to Amazon to turn over recordings and other information associated with the device. Amazon twice declined to provide the police with the information they requested from the device, although it did provide account information and purchase history.

Although the Echo is known for having always-on microphones to enable its voice-controlled features, the vast majority of the recordings it makes are not saved for longer than the few seconds it takes to determine if a pre-set wake word (usually Alexa) has been said. Only if that wake word has been heard does the device’s full complement of microphones come on and begin transmitting audio to Amazon.

However the police pursuit of the data suggests there is more of interest up for grabs than Amazon is admitting.

Amazon’s reluctance to part with user information fits a familiar pattern. Tech companies often see law enforcement requests for data as invasive and damaging to an industry. It is clearly an issue for sales of a home microphone system if it is easy for the authorities to grab recordings.

Other devices have also been good data sources for police investigations. Wristwatch-style Fitbit activity trackers have cropped up in a few cases, e.g. for checking alibis against sleep patterns or activity.

A smart water meter has also been used in a murder case as evidence of a blood clean up operation.

Read more eu.htm at MelonFarmers.co.uk

The European Court of Justice has passed judgement on several linked cases in Europe requiring that ISPs retain extensive records of all phone and internet communications. This includes a challenge by Labour’s Tom Watson. The court wrote in a press release:

The Member States may not impose a general obligation to retain data on providers of electronic communications services

EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Member States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime, provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.

In today’s judgment, the Court’s answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data.

The Court confirms first that the national measures at issue fall within the scope of the directive. The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures taken by all persons other than users, whether by private persons or bodies, or by State bodies.

Next, the Court finds that while that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in particular to the prohibition on storage of data laid down by that directive, becoming the rule.

Further, the Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is strictly necessary. The Court applies that case-law to the rules governing the retention of data and those governing access to the retained data.

The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.

The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying such interference.

The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia, providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.

The Court makes clear however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide for sufficient guarantees of the protection of data against risks of misuse. The legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that the scope of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is likely to reveal a link with serious criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.

As regards the access of the competent national authorities to the retained data, the Court confirms that the national legislation concerned cannot be limited to requiring that access should be for one of the objectives referred to in the directive, even if that objective is to fight serious crime, but must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data. That legislation must be based on objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data. Access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national security, defence or public security interests are threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be inferred that that data might, in a specific case, make an effective contribution to combating such activities.

Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, the competent national authorities to whom access to retained data has been granted must notify the persons concerned of that fact.

Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end of the retention period.

The view of the authorities

David Anderson, the Independent Reviewer of Terrorism Legislation, gives a lucid response outlining the government’s case for mass surveillance. However the official justification is easily summarised as it clearly assists in the detection of serious crime. He simply does not mention that the government, having justified grabbing the data on grounds of serious crime detection, will share it willy nilly with all sorts of government departments for their own convenience, way beyond the reasons set out in the official justification.

And when the authorities talk about their fight against ‘serious’ crime, recent governments have been updating legislation to redefine practically all crimes as ‘serious’ crimes. E.g. possessing a single spliff may in practice be a trivial crime, but the law on possession has a high maximum sentence that qualifies it as a ‘serious’ crime. It does not become trivial until it goes to court and a trivial punishment has been handed down. So using mass snooping data would be easily justified to track down trivial drug users.

See article from terrorismlegislationreviewer.independent.gov.uk

The Open Rights Group comments

See article from openrightsgroup.org

The judgment relates to a case brought by Deputy Leader of the Labour Party, Tom Watson MP, over intrusive data retention powers. The ruling says that:

  • Blanket data retention is not permissible
  • Access to data must be authorised by an independent body
  • Only data belonging to people who are suspected of serious crimes can be accessed
  • Individuals need to be notified if their data is accessed.

At present, none of these conditions are met by UK law.

Open Rights Group intervened in the case together with Privacy International, arguing that the Data Retention and Investigatory Powers Act (DRIPA), rushed through parliament in 2014, was incompatible with EU law. While the Judgment will no longer affect DRIPA, which expires at the end of 2016, it has major implications for the Investigatory Powers Act.

Executive Director Jim Killock said:

The CJEU has sent a clear message to the UK Government: blanket surveillance of our communications is intrusive and unacceptable in a democracy.

The Government knew this judgment was coming but Theresa May was determined to push through her snoopers’ charter regardless. The Government must act quickly to re-write the IPA or be prepared to go to court again.

Data retention powers in the Investigatory Powers Act will come into effect on 30 Dec 2016. These mean that ISPs and mobile phone providers can be obliged to keep data about our communications, including a record of the websites we visit and the apps we use. This data can be accessed by the police but also a wide range of organisations like the Food Standards Agency, the Health and Safety Executive and the Department of Health.

Read more gcnews.htm at MelonFarmers.co.uk

Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors. As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand technical changes to software and systems.

Communications Service Providers (CSP) subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.

As per the final wording of the law, comms providers on the receiving end of a technical capacity notice will be obliged to do various things on demand for government snoops — such as disclosing details of any system upgrades and removing electronic protection on encrypted communications.