Archive for the ‘Internet Snooping’ Category

A coronavirus check will include facial recognition, providing personal information, a check against criminal records, a check on the car, and an app with location tracking to keep tabs on your whereabouts in Phuket.

Read more aw_privacy.htm at MelonFarmers.co.uk

Phuket is a holiday island in Thailand that is accessed by road via a single bridge to the mainland. In the name of coronavirus monitoring the Phuket authorities have introduced a horribly invasive computerised checkpoint on the bridge.

The check on people crossing the bridge will include a temperature check with a facial recognition detection system connected with the public health database. If the system detects a traveller who has contracted the Covid-19 virus, police will be alerted at the checkpoints along with National Emergency Notification Center staff.

But that is just the beginning of it. The Phuket Smart Check Point will also include scanning for suspect vehicles involved in crimes, and checking the traveller’s criminal record.

The Check Point will also require travellers to register and supply personal information. This will be kept on record for subsequent crossings and will be used for unspecified analysis by the authorities, including for the suppression of crime.

The system comes with an app that can be used as a tracking device allowing authorities to see where your current location is in the province.

Read more eu.htm at MelonFarmers.co.uk

Eight major mobile carriers have agreed to share customer location data with the European Commission in a bid to track the spread of COVID-19.

The announcement arrives after Deutsche Telekom, Orange, Telefonica, Telecom Italia, Telenor, Telia, A1 Telekom Austria and Vodafone discussed tracking options with European Commissioner for Internal Market and Services Thierry Breton.

Government officials attempted to allay the fears of critics by noting all collected data will be anonymized and destroyed once the pandemic is squashed.

Read more inau.htm at MelonFarmers.co.uk

Protecting the age of innocence

Report of the inquiry into age verification for online wagering and online pornography

House of Representatives Standing Committee on Social Policy and Legal Affairs

Executive Summary

The Committee’s inquiry considered the potential role for online age verification in protecting children and young people in Australia from exposure to online wagering and online pornography.

Evidence to the inquiry revealed widespread and genuine concern among the community about the serious impacts on the welfare of children and young people associated with exposure to certain online content, particularly pornography.

The Committee heard that young people are increasingly accessing or being exposed to pornography on the internet, and that this is associated with a range of harms to young people’s health, education, relationships, and wellbeing. Similarly, the Committee heard about the potential for exposure to online wagering at a young age to lead to problem gambling later in life.

Online age verification is not a new concept. However, the Committee heard that as governments have sought to strengthen age restrictions on online content, the technology for online age verification has become more sophisticated, and there are now a range of age-verification services available which seek to balance effectiveness and ease-of-use with privacy, safety, and security.

In considering these issues, the Committee was concerned to see that, in so much as possible, age restrictions that apply in the physical world are also applied in the online world.

The Committee recognised that age verification is not a silver bullet, and that protecting children and young people from online harms requires government, industry, and the community to work together across a range of fronts. However, the Committee also concluded that age verification can create a significant barrier to prevent young people—and particularly young children—from exposure to harmful online content.

The Committee’s recommendations therefore seek to support the implementation of online age verification in Australia.

The Committee recommended that the Digital Transformation Agency lead the development of standards for online age verification. These standards will help to ensure that online age verification is accurate and effective, and that the process for legitimate consumers is easy, safe, and secure.

The Committee also recommended that the Digital Transformation Agency develop an age-verification exchange to support a competitive ecosystem for third-party age verification in Australia.

In relation to pornography, the Committee recommended that the eSafety Commissioner lead the development of a roadmap for the implementation of a regime of mandatory age verification for online pornographic material, and that this be part of a broader, holistic approach to address the risks and harms associated with online pornography.

In relation to wagering, the Committee recommended that the Australian Government implement a regime of mandatory age verification, alongside the existing identity verification requirements. The Committee also recommended the development of educational resources for parents, and consideration of options for restricting access to loot boxes in video games, including through the use of age verification.

The Committee hopes that together these recommendations will contribute to a safer online environment for children and young people.

Lastly, the Committee acknowledges the strong public interest in the inquiry and expresses its appreciation to the individuals and organisations that shared their views with the Committee.

Read more me_internet.htm at MelonFarmers.co.uk

Firefox has begun the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users. The rollout will continue over the next few weeks to confirm no major issues are discovered as this new protocol is enabled for Firefox’s US-based users.

A little over two years ago, we began work to help update and secure one of the oldest parts of the internet, the Domain Name System (DNS). To put this change into context, we need to briefly describe how the system worked before DoH. DNS is a database that links a human-friendly name, such as http://www.mozilla.org, to a computer-friendly series of numbers, called an IP address (e.g. 192.0.2.1). By performing a lookup in this database, your web browser is able to find websites on your behalf. Because of how DNS was originally designed decades ago, browsers doing DNS lookups for websites — even encrypted https:// sites — had to perform these lookups without encryption. We described the impact of insecure DNS on our privacy:

Because there is no encryption, other devices along the way might collect (or even block or change) this data too. DNS lookups are sent to servers that can spy on your website browsing history without either informing you or publishing a policy about what they do with that information.

At the creation of the internet, these kinds of threats to people’s privacy and security were known, but not being exploited yet. Today, we know that unencrypted DNS is not only vulnerable to spying but is being exploited, and so we are helping the internet to make the shift to more secure alternatives. We do this by performing DNS lookups in an encrypted HTTPS connection. This helps hide your browsing history from attackers on the network, helps prevent data collection by third parties on the network that ties your computer to websites you visit.

We’re enabling DoH by default only in the US. If you’re outside of the US and would like to enable DoH, you’re welcome to do so by going to Settings, then General, then scroll down to Networking Settings and click the Settings button on the right. Here you can enable DNS over HTTPS by clicking, and a checkbox will appear. By default, this change will send your encrypted DNS requests to Cloudflare.

Users have the option to choose between two providers — Cloudflare and NextDNS — both of which are trusted resolvers.

Read more eu.htm at MelonFarmers.co.uk

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications.

The instruction appeared on internal messaging boards in early February, notifying employees that Signal has been selected as the recommended application for public instant messaging.

The app is favored by privacy activists because of its end-to-end encryption and open-source technology. Bart Preneel, cryptography expert at the University of Leuven, explained:

It’s like Facebook’s WhatsApp and Apple’s iMessage but it’s based on an encryption protocol that’s very innovative. Because it’s open-source, you can check what’s happening under the hood.

Promoting the app, however, could antagonize the law enforcement community. It will underline the hypocrisy of  Officials in Brussels, Washington and other capitals have been putting strong pressure on Facebook and Apple to allow government agencies to access encrypted messages; if these agencies refuse, legal requirements could be introduced that force firms to do just that.

American, British and Australian officials have published an open letter to Facebook CEO Mark Zuckerberg in October, asking that he call off plans to encrypt the company’s messaging service. Dutch Minister for Justice and Security Ferd Grapperhaus told POLITICO last April that the EU needs to look into legislation allowing governments to access encrypted data.

But children’s campaigners are arguing that we should not be so protected.

Read more nw.htm at MelonFarmers.co.uk

Facebook is moving ahead with plans to implement end to end encryption on Facebook Messenger and Instagram to protect users from snoopers, censors, spammers, scammers and thieves.

But children’s campaign groups are opposing these safety measures on the grounds the encryption will also protect those illegally distributing child abuse material.

About 100 organisations, led by the NSPCC, have signed an open letter warning the plans will undermine efforts to catch abusers.

Home Secretary Priti Patel said she fully supported the move, presumably also thinking of the state’s wider remit to snoop on people’s communications.

End-to-end encryption, already used on Facebook-owned WhatsApp, means no-one, including the company that owns the platform, can see the content of sent messages. The technology will make it significantly less likely that hackers will be able to intercept messages, going a long way to protect users from phishing and cyber-stalking. And of course child internet users will also benefit from these protections.

The campaign group opposed such protection arguing:

We urge you to recognise and accept that an increased risk of child abuse being facilitated on or by Facebook is not a reasonable trade-off to make.

A spokesman for Facebook said protecting the wellbeing of children on its platform was critically important to it. He said:

We have led the industry in safeguarding children from exploitation and we are bringing this same commitment and leadership to our work on encryption

We are working closely with child-safety experts, including NCMEC [the US National Center for Missing and Exploited Children], law enforcement, governments and other technology companies, to help keep children safe online.

In 2018, Facebook made 16.8 million reports of child sexual exploitation and abuse content to the NCMEC. The National Crime Agency said this had led to more than 2,500 arrests and 3,000 children made safe.

Google’s Chrome browser will ban 3rd party tracking cookies albeit over the course of two years.

Read more sstech.htm at MelonFarmers.co.uk

Google is to restrict web pages from loading 3rd party profiling cookies when accessed via its Chrome browser. Many large websites, eg major newspapers, make a call to hundreds of 3rd party profilers to allow them to build up a profile of people’s browsing history, which then facilitates personalised advertising.

Now Google has said that it will block these third-party cookies within the next two years.

Tracking cookies are very much in the sights of the EU who are trying to put an end to the exploitative practice. However the EU is not willing to actually ban such practices, but instead has invented a silly game about websites obtaining consent for tracking cookies.

The issue is of course that a lot of ‘free’ access websites are funded by advertising and rely on the revenue from the targeted advertising. I have read estimates that if websites were to drop personalised ads, and fall back on contextual advertising (eg advertising cars on motoring pages), then they would lose about a third of their income. Surely a fall of that magnitude would lead to many bankrupt or unviable websites.

Now the final position of the EU’s cookie consent game is that a website would have to present two easy options before allowing access to a website:

  • Do you want to allow tracking cookies to build up a database of your browsing history
  • Do you NOT want to allow tracking cookies to build up a database of your browsing history

The simple outcome will be that virtually no one will opt for tracking, so the website will lose a third of its income. So it is rather unsurprising that websites would rather avoid offering such an easy option that would deprive them of so much of their income.

In reality the notion of consent is not practical. It would be more honest to think of the use of tracking cookies as a price for ‘free’ access to a website.

Perhaps when the dust has settled, a more honest and practical endgame would be a choice more like:

  • Do you want to allow tracking cookies to build up a database of your browsing history in return for ‘free’ access
  • Do you want to pay a fee to enable access to the website without tracking cookies
  • Sorry you may not access this website

The EU has been complaining about companies trying to avoid the revenue destroying official consent options. A study just published observes that nearly all cookie consent pop-ups are flouting EU privacy laws.

Researchers at the Massachusetts Institute of Technology, University College London (UCL) and Aarhus University have conducted a joint study into the use of cookies. They analysed five companies which offer consent management platforms (CMP) for cookies used by the UK’s top 10,000 websites.

Despite EU privacy laws stating that consent for cookies must be informed, specific and freely given, the research suggests that only 12% of the sites met the minimal requirements of GDPR (General Data Protection Regulation) law. Instead they were found to blanket data consent options in complicated site design, such as:

  • pre-ticked boxes
  • burying decline buttons on later pages
  • multiple clicks
  • tracking users before consent and after pressing reject
  • Just over half the sites studied did not have rejecting all tracking as an option.
  • Of the sites which did, only 13% made it accessible through the same or fewer clicks as the option to accept all.

The researchers estimate it would take, on average, more than half an hour to read through what the third-party companies are doing with your data, and even longer to read all their privacy policies. It’s a joke and there’s no actual way you could do this realistically, said Dr Veale.

Read more awwb.htm at MelonFarmers.co.uk

The French government has come up with an innovative way of financing a program of mass social media surveillance: use it to detect tax fraud.

The self-financing surveillance scheme has now been given the go-ahead by the constitutional court. Customs and tax officials will be allowed to review users’ profiles, posts and pictures for evidence of undisclosed income.

In its ruling, the court acknowledged that users’ privacy and freedom of expression could be compromised, but it applied caveats to the legislation. It said authorities would have to ensure that password-protected content was off limits and that they would only be able to use public information pertaining to the person divulging it online. However the wording suggests that the non-public data is available and can be used for other more covert reasons.

The mass collection of data is part of a three-year online monitoring experiment by the French government and greatly increases the state’s online surveillance powers.

The US Senate Judiciary Committee joins the UK and Australia Wanting Everyone to Know It’s Concerned About Encryption.

Read more inus.htm at MelonFarmers.co.uk

Yesterday the US Senate Judiciary Committee held a hearing on encryption and lawful access. That’s the fanciful idea that encryption providers can somehow allow law enforcement access to users’ encrypted data while otherwise preventing the bad guys from accessing this very same data.

But the hearing was not inspired by some new engineering breakthrough that might make it possible for Apple or Facebook to build a secure law enforcement backdoor into their encrypted devices and messaging applications. Instead, it followed speeches, open letters, and other public pressure by law enforcement officials in the U.S. and elsewhere to prevent Facebook from encrypting its messaging applications, and more generally to portray encryption as a tool used in serious crimes, including child exploitation. Facebook has signaled it won’t bow to that pressure. And more than 100 organizations including EFF have called on these law enforcement officials to reverse course and avoid gutting one of the most powerful privacy and security tools available to users in an increasingly insecure world.

Many of the committee members seemed to arrive at the hearing convinced that they could legislate secure backdoors. Among others, Senators Graham and Feinstein told representatives from Apple and Facebook that they had a responsibility to find a solution to enable government access to encrypted data. Senator Graham commented:

My advice to you is to get on with it, because this time next year, if we haven’t found a way that you can live with, we will impose our will on you.

But when it came to questioning witnesses, the senators had trouble establishing the need for or the feasibility of blanket law enforcement access to encrypted data. As all of the witnesses pointed out, even a basic discussion of encryption requires differentiating between encrypting data on a smartphone, also called encryption at rest, and end-to-end encryption of private chats, for example.

As a result, the committee’s questioning actually revealed several points that undercut the apocalyptic vision painted by law enforcement officials in recent months. Here are some of our takeaways:

There’s No Such Thing As an Unhackable Phone

The first witness was Manhattan District Attorney Cyrus Vance, Jr., who has called for Apple and Google to roll back encryption in their mobile operating systems. Yet by his own statistics, the DA’s office is able to access the contents of a majority of devices it encounters in its investigations each year. Even for those phones that are locked and encrypted, Vance reported that half could be accessed using in-house forensic tools or services from outside vendors. Although he stressed both the high cost and the uncertainty of these tools, the fact remains that device encryption is far from an insurmountable barrier to law enforcement.

As we saw when the FBI dramatically lowered its own estimate of unhackable phones in 2017, the level of security of these devices is not static. Even as Apple and Google patch vulnerabilities that might allow access, vendors like Cellebrite and Grayshift discover new means of bypassing security features in mobile operating systems. Of course, no investigative technique will be completely effective, which is why law enforcement has always worked every angle it can. The cost of forensic tools may be a concern, but they are clearly part of a variety of tools law enforcement use to successfully pursue investigations in a world with widespread encryption.

Lawful Access to Encrypted Phones Would Take Us Back to the Bad Old Days

Meanwhile, even as Vance focused on the cost of forensic tools to access encrypted phones, he repeatedly ignored why companies like Apple began fully encrypting their devices in the first place. In a colloquy with Senator Mike Lee, Apple’s manager of user privacy Erik Neuenschwander explained that the company’s introduction of full disk encryption in iOS in 2014 was a response to threats from hackers and criminals who could otherwise access a wealth of sensitive, unencrypted data on users’ phones. On this point, Neuenschwander explained that Vance was simply misinformed: Apple has never held a key capable of decrypting encrypted data on users’ phones.

Neuenschwander explained that he could think of only two approaches to accomplishing Vance’s call for lawful access, both of which would dramatically increase the risks to consumers. Either Apple could simply roll back encryption on its devices, leaving users exposed to increasingly sophisticated threats from bad actors, or it could attempt to engineer a system where it did hold a master key to every iPhone in the world. Regarding the second approach, Neuenschwander said as a technologist, I am extremely fearful of the security properties of such a system. His fear is well-founded; years of research by technologists and cryptographers confirm that key escrow and related systems are highly insecure at the scale and complexity of Apple’s mobile ecosystem.

End-to-End Encryption Is Here to Stay

Finally, despite the heated rhetoric directed by Attorney General Barr and others at end-to-end encryption in messaging applications, the committee found little consensus. Both Vance and Professor Matt Tait suggested that they did not believe that Congress should mandate backdoors in end-to-end encrypted messaging platforms. Meanwhile, Senators Coons, Cornyn, and others expressed concerns that doing so would simply push bad actors to applications hosted outside of the United States, and also aid authoritarian states who want to spy on Facebook users within their own borders. Facebook’s director for messaging privacy Jay Sullivan discussed ways that the company will root out abuse on its platforms while removing its own ability to read users’ messages. As we’ve written before, an encrypted Facebook Messenger is a good thing, but the proof will be in the pudding.

Ultimately, while the Senate Judiciary Committee hearing offered worrying posturing on the necessity of backdoors, we’re hopeful that Congress will recognize what a dangerous idea legislation would be in this area.

Comment: Open Rights Group joins international outcry over UK government calls to access private messages

11th December 2019. See article from openrightsgroup.org

See letter from openrightsgroup.org

Open Rights Group has joined dozens of other organizations signing an open letter to the UK government to express significant concerns raised by their recent statements against encryption.

The UK Home Secretary, Priti Patel, has joined her US counterparts in demanding weaker encryption and asking internet companies to design digital back doors into their messaging services. The UK government suggests stronger capabilities to monitor private messages will aid in fighting terrorism and child abuse. ORG disagrees, arguing that alternative approaches must be used as the proposed measures will weaken the security of every internet user.

ORG is concerned that this attack on encryption forms a pattern of attacks on digital privacy and security by the UK government. Only last week leaked documents showed that the UK wants to give the US access to NHS records and other personal information, in a free flow of data between the two countries.

The open letter was also addressed to US and Australian authorities, and was coordinated by the US-based Open Technology Institute and was signed, among others, by Amnesty International, Article 19, Index on Censorship, Privacy International and Reporters Without Borders.

Javier Ruiz Diaz, Policy Director for Open Rights Group, said:

The Home Secretary wants to be able to access our private messages in WhatsApp and similar apps, demanding that companies remove the technical protections that keep out fraudsters and other criminals. This is wrong and will make the internet less safe. Surveillance measures should be targeted and not built into the apps used by millions of people to talk to their friends and family.

Comment: Facebook has also responded to UK/US/Australian government calls for back doors

11th December 2019. See article [pdf] from about.fb.com

As the Heads of WhatsApp and Messenger, we are writing in response to your public letter addressing our plans to strengthen private messaging for our customers. You have raised important issues that could impact the future of free societies in the digital age and we are grateful for the opportunity to explain our view.

We all want people to have the ability to communicate privately and safely, without harm or abuse from hackers, criminals or repressive regimes. Every day, billions of people around the world use encrypted messages to stay in touch with their family and friends, run their small businesses, and advocate for important causes. In these messages they share private information that they only want the person they message to see. And it is the fact that these messages are encrypted that forms the first line of defense, as it keeps them safe from cyber attacks and protected from falling into the hands of criminals. The core principle behind end-to-end encryption is that only the sender and recipient of a message have the keys to unlock and read what is sent. No one can intercept and read these messages – not us, not governments, not hackers or criminals.

We believe that people have a right to expect this level of security, wherever they live. As a company that supports 2.7 billion users around the world, it is our responsibility to use the very best technology available to protect their privacy. Encrypted messaging is the leading form of online communication and the vast majority of the billions of online messages that are sent daily, including on WhatsApp, iMessage, and Signal, are already protected with end-to-end encryption.

Cybersecurity experts have repeatedly proven that when you weaken any part of an encrypted system, you weaken it for everyone, everywhere. The backdoor access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm. It is simply impossible to create such a backdoor for one purpose and not expect others to try and open it. People’s private messages would be less secure and the real winners would be anyone seeking to take advantage of that weakened security. That is not something we are prepared to do.

 

You’ll be safer from snoopers, scammers and censors on public WiFi, but you’ll still be easy prey to government snoopers and censors.

Read more sstech.htm at MelonFarmers.co.uk

The UK ISP BT has become the first of the major broadband providers to trial their own DNS over HTTPS resolver, which encrypts Domain Name System (DNS) requests.

This is a response to Firefox offering its own choice of encrypted DNS resolver that would effectively evade BT’s current unencrypted DNS resolver, which allows the UK government to monitor and log people’s internet use; block websites that are considered ‘harmful’; snitch people up to the police for politically incorrect comments; and snitch people up to copyright trolls over dodgy file sharing.

However BT’s new service will allow people to continue using website blocking for parental control whilst being a lot safer from 3rd party snoopers on their networks.

BT have made the following statement about its experimental new service:

BT are currently investigating roadmap options to uplift our broadband DNS platform to support improvements in DNS security — DNSSEC, DNS over TLS (DoT) and DNS over HTTPS (DoH). To aid this activity and in particular gain operation deployment insights, we have enabled an experimental DoH trial capability.

We are initially experimenting with an open resolver, but our plan is to move to a closed resolver only available to BT customers.

The BT DoH trial recursive resolver can be reached at https://doh.bt.com/dns-query/
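To make concrete what a DoH lookup is, the following added example (not code from BT, Mozilla or this site) builds the RFC 8484 GET request a client would send to the trial endpoint quoted above and decodes a reply. The function names are illustrative, the reply bytes are constructed sample data, and nothing is sent over the network.

```python
import base64
import struct

# Endpoint quoted in BT's statement above; nothing in this example contacts it.
DOH_ENDPOINT = "https://doh.bt.com/dns-query/"
TYPE_A, CLASS_IN = 1, 1


def build_query(name, qtype=TYPE_A):
    """Encode a one-question DNS query in RFC 1035 wire format."""
    # ID 0 (RFC 8484 suggests it so HTTP caches can reuse answers),
    # recursion-desired flag set, exactly one question.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) < 64 for label in labels):
        raise ValueError("each DNS label must be 1..63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(endpoint, wire_query):
    """Build the RFC 8484 GET URL: base64url of the query, padding stripped."""
    encoded = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        if rtype == TYPE_A and rclass == CLASS_IN and rdlength == 4:
            addresses.append(".".join(str(b) for b in rdata))
        offset += rdlength
    return addresses


def constructed_response(query, ipv4):
    """Constructed sample reply: echo the question and add one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    # 0xC00C points back at the question name; TTL of 300 seconds is arbitrary.
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 300, 4)
    return header + query[12:] + answer + bytes(int(p) for p in ipv4.split("."))


if __name__ == "__main__":
    query = build_query("www.mozilla.org")
    print("GET", doh_get_url(DOH_ENDPOINT, query))
    print("accept: application/dns-message")
    print(parse_a_records(constructed_response(query, "192.0.2.1")))
```

An observer on the local network sees only a TLS connection to the resolver's host; the name being looked up travels inside the encrypted `dns` parameter, while the resolver operator still sees every query in full.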