Archive for Privacy

Dropbox Scans Your Files For DMCA Violations…. Should You Care?

Posted in Commentary with tags , on March 31, 2014 by itnerd

Is this creepy? Or does Dropbox have the right to scan your files for violations of the Digital Millennium Copyright Act (DMCA)? That’s the question being asked right now as a user of Dropbox got a bit of a surprise as he told ARS Technica:

The whole kerfuffle started yesterday evening, when one Darrell Whitelaw tweeted a picture of an error he received when trying to share a link to a Dropbox file with a friend via IM. The Dropbox web page warned him and his friend that “certain files in this folder can’t be shared due to a takedown request in accordance with the DMCA.”

Whitelaw freely admits that the content he was sharing was a copyrighted video but still expressed surprise that Dropbox was apparently watching what he shared for copyright issues. “I treat [Dropbox] like my hard drive,” he tweeted. “This shows it’s not private, nor mine, even though I pay for it.”

Here’s what Dropbox had to say:

Dropbox did confirm to Ars Technica that it checks publicly shared file links against hashes of other files that have been previously subject to successful DMCA requests. “We sometimes receive DMCA notices to remove links on copyright grounds,” the company said in a statement provide to Ars Technica. “When we receive these, we process them according to the law and disable the identified link. We have an automated system that then prevents other users from sharing the identical material using another Dropbox link. This is done by comparing file hashes.”

Dropbox added that this comparison happens when a public link to your file is created, and that “we don’t look at the files in your private folders and are committed to keeping your stuff safe.” The company wouldn’t comment publicly on whether the same content-matching algorithm was run on files shared directly with other Dropbox users via the service’s account-to-account sharing functions, but the wording of the statement suggests that this system only applies to publicly shared links.

And this is not a new behavior from Dropbox:

Dropbox has also been making use of file hashing algorithms for a while now as a means of de-duplicating identical files stored across different users’ accounts. That means that if I try to upload an identical copy of a 20GB movie file that has already been stored in someone else’s Dropbox account, the service will simply give my account access to a version of that same file, rather than forcing me to upload an identical version. This not only saves bandwidth on the user’s end, but significant storage space on Dropbox’s end as well.

Some researchers have warned of security and privacy concerns based on these de-duplication efforts in the past, but the open source Dropship project attempted to bend the feature to users’ advantage. By making use of the file hashing system, Dropship effectively tried to trick Dropbox into granting access to files on Dropbox’s servers that the user didn’t actually have access to. Dropbox has taken pains to stop this kind of “fake” file sharing through its service.

What’s my take? I have a Dropbox account and I have no, as in zero expectation of privacy. If I entrust my data to a third party, I fully expect that at some point they’ll take a look at it. In short, I feel that a third party service like Dropbox should not be treated like your hard drive and they do have the right to make sure that the service isn’t being used for illegal purposes. But I can see how some might see this as being creepy. Thus I think there needs to be more education of users so that these sorts of issues do not flare up and spin out of control because the service in question is trying to do something to protect itself from a potential lawsuit or something similar.

Microsoft Gets Caught Looking At Hotmail Users E-Mail [UPDATED]

Posted in Commentary with tags , on March 21, 2014 by itnerd

Microsoft is having to explain itself after they were caught looking into the Hotmail account of a user who they suspected was involved in leaking company secrets. Here’s the details from News.com:

A March 17 court filing by federal prosecutors reveals that Microsoft’s Office of Legal Compliance approved the decision after confirming that the leaked data in question included proprietary Microsoft code.

According to the filing, Microsoft received a tip from a person who was contacted via Hotmail by the blogger, who wanted to verify that the leaked source code was legitimate. Instead, the tipper went to Steven Sinofsky, then-president of the Windows Division at Microsoft, and told him of the interaction. Sinofsky forwarded the details to Microsoft’s Trustworthy Computing Investigations department, which investigates external threats and internal information leaks.

“After confirmation that the data was Microsoft’s proprietary trade secret on September 7, 2012, Microsoft’s Office of Legal Compliance approved the content pulls of the blogger’s Hotmail account,” the filing says. Microsoft’s investigation uncovered e-mails from then-Microsoft employee Alex Kibkalo to the unnamed blogger sharing prerelease Windows 8 RT code, according to the filing.

Federal prosecutors have charged Kibkalo, who worked for Microsoft in Lebanon and Russia, with theft of trade secrets.

The blowback was almost instant. Here are more details from News.com:

Edward Wasserman, Graduate School of Journalism dean at the University of California, Berkeley, told The New York Times that he had “never seen a case like this.”

“Microsoft essentially decided that whatever privacy expectation that its own customers supposedly had was basically a dead letter,” he said. “It simply decided that in its own corporate interest, it can intrude on a person’s email.”

That was clearly a fail because Microsoft has decided to revise their privacy policy in the wake of this. But that hasn’t taken the smell away from this incident. One has to wonder if Apple, Google, Yahoo, or your local ISP would do the same thing that Microsoft got caught doing.

UPDATE: Two things. One, I wasn’t clear about how Microsoft updated their terms of service. Here’s a link to a blog post that details the changes. Second, The Guardian has answered my question about whether others can or do what Microsoft has been caught doing. The answer is they have privacy policies that allow them to do the same thing.

REPORT: Canadian Spies Tracked People Using Airport WiFi

Posted in Commentary with tags , on January 31, 2014 by itnerd

Edward Snowden is the gift that keeps on giving. His latest “gift” is the news that the Communications Security Establishment Canada (CSEC) which is Canada’s version of the NSA had a very invasive and likely illegal method to keep tabs on Canadians. Here’s what the CBC is reporting:

The latest Snowden document indicates the spy service was provided with information captured from unsuspecting travellers’ wireless devices by the airport’s free Wi-Fi system over a two-week period.

Experts say that probably included many Canadians whose smartphone and laptop signals were intercepted without their knowledge as they passed through the terminal.

The document shows the federal intelligence agency was then able to track the travellers for a week or more as they — and their wireless devices — showed up in other Wi-Fi “hot spots” in cities across Canada and even at U.S. airports.

Here’s the troubling part. CSEC is not supposed to be doing this:

Ronald Deibert told CBC News: “I can’t see any circumstance in which this would not be unlawful, under current Canadian law, under our Charter, under CSEC’s mandates.”

The spy agency is supposed to be collecting primarily foreign intelligence by intercepting overseas phone and internet traffic, and is prohibited by law from targeting Canadians or anyone in Canada without a judicial warrant.

As CSEC chief John Forster recently stated: “I can tell you that we do not target Canadians at home or abroad in our foreign intelligence activities, nor do we target anyone in Canada.

“In fact, it’s prohibited by law. Protecting the privacy of Canadians is our most important principle.”

Clearly they must have forgot about that. This is very troubling if you’re Canadian and even if you’re not. It’s clear that better oversight of spy agencies so that this sort of thing doesn’t happen. It’s also clear that if you use free WiFi, you might be opening yourself up to this, or some other issue that exposes your privacy in some way.

It makes you think doesn’t it?

 

 

Google Told To Stop Ads Targeting Canadians Using Personal Health Info

Posted in Commentary with tags , , on January 15, 2014 by itnerd

Here’s another example why Google can’t claim to “do no evil” any longer. The CBC is reporting that Google was using Canadian’s personal health info to target them with ads:

An investigation led by Chantal Bernier, who has stepped in for outgoing privacy commissioner Jennifer Stoddart, backed up a man’s complaints that he was seeing so-called behavioural advertisements based on his web browsing history.

After searching for information about devices to treat sleep apnea, he began to see ads for those devices as he browsed the web.

While behavioural advertising is not illegal, Canada’s privacy law does not allow consumers to be targeted based on “sensitive personal information,” including a person’s health.

So what happened with that? The privacy commissioner gave Google a call. Here’s what happened next:

Google has pledged to upgrade the system that reviews ads for compliance, increase the monitoring of ads, and provide more information to advertisers and staff about the rules.

“We’ve worked closely with the office of the privacy commissioner throughout this process and are pleased to be resolving this issue,” said a Google Canada spokeswoman in a statement.

The company, which declined an interview request, said it will implement these steps by June.

My take? Why is that companies like Google have to get caught with their metaphorical hand in the cookie jar before they do the right thing? Because of that, I say that someone needs to keep an eye on companies like Google. After all, they’re in it for the money and ads are the primary driver of making money. Privacy is merely an inconvenience to them.

 

#Fail: ‘We Know Everyone Who Breaks the Law’ Says Ford Exec

Posted in Commentary with tags , on January 10, 2014 by itnerd

If you want to be creeped out and you’re a Ford owner (though owners of other cars should not feel snug for reasons I will get to in a bit), then read on.

Ford VP Jim Farley during a panel discussion on privacy at CES was trying to illustrate that Ford had a ton of data on it’s customers and they use very little of it in order to avoid raising privacy concerns. That’s when he said this:

“We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing. By the way, we don’t supply that data to anyone,”

Well, that sounds a wee bit sinister does it not? He must have figured that out on his own or when a Ford PR person told him about the impression that he left. That’s when he said this:

“I absolutely left the wrong impression about how Ford operates. We do not track our customers in their cars without their approval or consent.”

Ford later clarified his position further by saying that GPS units in Ford cars are not “routinely” reporting their whereabouts as car owners drive around. I put the word routinely in quotes because that implies that they either do phone home infrequently or are capable of doing so and Ford chooses not to enable that feature. And why would cars be capable of phoning home? How about to sell your driving patterns to third parties for a handsome profit for example? TomTom got caught doing that a while ago. So there’s no reason why others aren’t doing something similar.

Now some of you reading this are going to say “Hey, I never consented to Ford collecting all this data.” Well, actually you likely did and didn’t know it. It might have been buried in the license agreement for My Ford Touch, in the legalese that pops up on the screen every time the car starts up, or in the paperwork that you signed when you bought the car. Perhaps someone would like to clarify exactly where that lies as I am sure that many would be very interested in that.

Now let me be clear. Ford is NOT sharing data with third parties, but clearly if they wanted to, they could.  And seeing that similar systems exist in other cars, it is entirely possible that you can substitute Ford for some other car company and we’d be having a similar discussion. Thus it might be a very good thing if car companies came clean on if they collect data, and what they do with it. That would make us all feel better.

A Follow Up To My Parallels Desktop Privacy Story

Posted in Commentary with tags , on December 11, 2013 by itnerd

Between the time I wrote this story on some potential privacy related concerns with Parallels Desktop 9 and now, I’ve had the chance to experiment a bit. The first thing that I experimented with was the fact that Parallels Desktop 9 puts my iCloud folder along with accessing Dropbox without me telling it to. I’ve found two things out since I first wrote this story. This feature is on by default. The option in question can by found by following the instructions in this note from the Parallels knowledge base. The second thing is that it looks like it inherits Dropbox, Google Drive or iCloud from what’s on my Mac. I figured that out by removing Dropbox from my Mac along with unlinking the computer in the Dropbox software and starting a virtual machine. When I did that, it was not in the virtual machine. Now that does make me feel better because (a) Parallels already does this to a degree with volumes that the Mac has access to and (b) no user information such as usernames and passwords are being used to do this. Still, it would have been nice if this was not on by default and you were asked if you wanted this feature enabled. But be that as it may, I am comfortable enough with this to give Parallels a pass on this.

What I will not give Parallels a pass on is the fact that they appear to be collecting info on me via a opt out method. Meaning that unless you opt out, they can do what they want. Now, Parallels does have a privacy policy that’s online and there’s a link to it in the software. Here’s one thing that caught my eye:

If you choose to participate, we will be automatically collecting information about your hardware configuration and the way you use Parallels products. We will not collect any personal data, like your name, address, phone number, or keyboard input.

The program is voluntary and aims at making Parallels products better fit your needs.

That’s fine. Except that I never chose to participate. This option was on by default and I make a rule of never participating in these programs. Thus if I am every asked if I want to participate (which by the way is something that previous versions of Parallels did), I would say no. And I know that I said no when I installed version 9. Now I don’t know if this was just a glitch or if there’s something more sinister going on here. But I know that I am not a fan. As I type this, I have not heard back from the company and I would really like to as I’d like them to explain this. However if I do, I will update this story.

Hey IT Nerd! What Do You Think Of All Those Tech Giants Going Against The NSA?

Posted in Commentary with tags on December 9, 2013 by itnerd

Frankly, not much. But I’m getting ahead of myself.

Today, several tech giants including Google, Facebook, Microsoft, Apple among others published a open letter to President Barack Obama and Congress to crack down on the activities of the NSA. Now this sounds good on the surface. But this is why I have a problem with it. Sure there have been instances where these companies were unwilling participants in this. But I am sure that there have been times when these same companies were willing participants in this. Also, to me it seems hypocritical since these same companies who are really ticked off at the NSA make money by knowing as much as possible about their users, and then selling that information to advertisers. So I guess that spying by the NSA is bad, but spying by Google and Facebook is just fine.

This is just a marketing campaign. Plan and simple. There’s nothing to see here. Move along.

 

Parallels Desktop 9 – Some Privacy Issues Perhaps? [UPDATED]

Posted in Commentary with tags , on December 3, 2013 by itnerd

I’ve been a long time user of Parallels Desktop and their latest version got a very positive review from me recently. But in the last few days, I tripped over something that really, really bothers me.

For starters, I noted that inside my virtual machines it will automatically mount my iCloud folder as a network share. The only thing is that I didn’t tell it to do that. Nor did I ever hand over my Apple ID to allow it to do that. I also noted that it does the same thing with my DropBox account. That kinds of concerns me as they clearly have some sort of method to get these user IDs and passwords. But what concerns me more is the fact that there’s an option in Preferences and Advanced that allows the software to collect information about your computer and its software and periodically send this data back to the company under the guise of helping “to improve Parallels products and services.” It was on by default. That’s a fail as I truly believe that this should be an opt-in option rather than an opt-out option.

I would really like Parallels to explain why they think that the above is a good idea. In my mind, it won’t stop me from using the software, but it will influence me as to whether I get Parallels Desktop 10 or not.

So Parallels, if you want to explain this to me, feel free to leave a comment or drop me an e-mail.

UPDATE: Someone e-mailed me to ask me to show what I was talking about. So here we go. This is a picture of the “Customer Experience Program” option which sends info on your computer and software by default. You can get to it by going to Preferences and Advanced:

1

 

This is what should be an opt-in option rather than being an opt-out option. Now here’s what Computer looks like in my Windows 7 virtual machine:

2

 

You’ll notice on the left hand side that Dropbox as well as my iCloud stuff is clearly available. Not only that, it’s also listed as a network location. Though it never asked me if I wanted to do that. Don’t get me wrong, I appreciate the feature, I just want to be asked first. I also would be interested to know how they pulled that off.

Do LG Smart TV’s Monitor Your Viewing Habits? [UPDATED]

Posted in Commentary with tags , on November 21, 2013 by itnerd

The claim that LG Smart TV’s monitor what you watch is being reported by news outlets including the CBC today. Here’s the details:

The investigation comes after Jason Huntley, a 45-year-old IT consultant in Britain, detailed in his blog how his LG smart TV logged the channels he was watching and sent the data to LG.

He said the company continued to collect which channel he was watching even after he disabled the information collection feature.

“The (LG) server acknowledges the successful receipt of this information back to the TV,” he said in an email. The information appeared to be sent to LG unencrypted, he said.

Also collected were the names of files saved in an external USB hard drive plugged into the TV as well as the TV’s unique identification information.

Now LG is investigating, but this does raise a question: What are the odds that other TV companies that have so called smart TVs are doing the same thing? After all, this info is very valuable. I think it would be handy for Sony, Samsung, and other companies to come clean on what they may or may not be doing. In the meantime, I think I will go for a “dumb” TV for my next TV when the time comes.

UPDATE: News.com is reporting that LG is working on a firmware update to make this problem go away.

Apple Details Requests For Info By Governments… Kind Of

Posted in Commentary with tags , on November 6, 2013 by itnerd

Yesterday, Apple released a 7-page document titled “Report on Government Information Requests” [Warning: PDF].  But one has to wonder how useful this is because of this statement:

“At the time of this report, the U.S. government does not allow Apple to disclose, except in broad ranges, the number of national security orders, the number of accounts affected by the orders, or whether content, such as emails, was disclosed. We strongly oppose this gag order, and Apple has made the case for relief from these restrictions in meetings and discussions with the White House, the U.S. Attorney General, congressional leaders, and the courts. Despite our extensive efforts in this area, we do not yet have an agreement that we feel adequately addresses our customers’ right to know how often and under what circumstances we provide data to law enforcement agencies.” 

We believe that dialogue and advocacy are the most productive way to bring about a change in these policies, rather than filing a lawsuit against the U.S. government. Concurrent with the release of this report, we have filed an Amicus brief at the Foreign Intelligence Surveillance Court (FISA Court) in support of a group of cases requesting greater transparency. Later this year, we will file a second Amicus brief at the Ninth Circuit in support of a case seeking greater transparency with respect to National Security Letters. We feel strongly that the government should lift the gag order and permit companies to disclose complete and accurate numbers regarding FISA requests and National Security Letters. We will continue to aggressively pursue our ability to be more transparent.”

Clearly that’s a problem. While I understand that governments have a need to look into certain things to keep you safe, there needs to be some degree of transparency around it to generate warm and fuzzy feelings. It’s a very interesting read and I encourage you to take a look at it. Though I will note that Apple also wants to use this reports to take shots at competitors (ahem: Google):

“Unlike many other companies dealing with requests for customer data from government agencies, Apple’s main business is not about collecting information.”

My response? It may not be their main business…. Yet.

Follow

Get every new post delivered to your Inbox.

Join 158 other followers