Archive for Privacy

“Millions” Of Data Requests From Canadian Police: Toronto Star

Posted in Commentary on July 22, 2014 by itnerd

The Toronto Star, citing some newly released documents, is reporting that law enforcement in Canada has requested data on Canadians from telecommunication companies “millions” of times dating back to 2006:

Internal documents from Public Safety Canada reveal authorities requested telecom companies to turn over “basic subscriber information” at least 1.13 million times a year between 2006 and 2008.

That figure matches revelations from the federal privacy watchdog earlier this year that authorities sought subscriber information 1.2 million times in 2011.

“It suggests that there have been huge numbers of requests for years now taking place largely below the radar screen . . . without very much public awareness,” said Michael Geist, a University of Ottawa law professor and Star columnist, who obtained the documents.

So, what info are they getting? Here’s a partial list:

“Basic subscriber information” can include details like name, address, Internet protocol (IP) address, telephone number, email address and local service provider identity. The federal government and law enforcement agencies have argued this amounts to “phonebook information” — police seem to generally request names and addresses — but privacy advocates warn it can lead authorities to more personal and detailed information.

To top it off, some of these requests are made without a warrant:

In the documents, the RCMP said they do not track the number of “informal” warrantless requests — verbal or written — for “customer name and address” information.

“Police do not know across Canada, in all jurisdictions, how many (customer name and address) requests (telecoms) are answering voluntarily each year,” the documents state.

That should be cause for concern, though it is one that may be solved by the recent Supreme Court Of Canada decision that requires a warrant for accessing this type of info. It still remains an open question how the Canadian Government is going to deal with this decision, as that may once again change the landscape when it comes to this issue. Regardless, I believe that this illustrates the need for increased transparency on this issue. Canadians, except for a handful of cases, should know how and when information about them is being accessed by their government or by someone related to government such as law enforcement. Not having that transparency creates the impression that government and law enforcement are simply doing whatever they want with no rules, boundaries, or limitations. And that is not good for all concerned.

Rogers Updates Policies Related To Lawful Access Of Customer Info

Posted in Commentary on July 16, 2014 by itnerd

About a month ago, I wrote about Rogers and Teksavvy releasing transparency reports that show how often law enforcement requests customer data and what data is handed over. Rogers today reached out to me with an update:

After hearing feedback from our customers and reviewing the Supreme Court ruling from last month, we’ve decided that from now on we will require a court order/warrant to provide basic customer information to law enforcement agencies, except in life threatening emergencies. We believe this move is better for our customers and that law enforcement agencies will still be able to protect the public.

We’ve updated our blog post on Rogers Redboard to let customers know about the change.

Transparency Report blog post:

http://redboard.rogers.com/2014/transparency_report/

The Supreme Court ruling that’s being referred to is this one and it states that Canadian ISPs cannot hand over customer info to police without a warrant. What I like about this is there is no ambiguity as to where Rogers stands on this subject. I would like to see other ISPs in Canada do the same thing. Strangely, I have not seen anything like this from any other ISP other than the transparency report put out by Teksavvy. I can’t say why that is the case, but I hope that changes.

US Government Claims That Data On Servers Anywhere Belongs To Them

Posted in Commentary on July 15, 2014 by itnerd

If there was something that could be defined as over-reaching, perhaps this is it. Here’s a story from Ars Technica that I just tripped over that has the U.S. Justice Department claiming that companies served with valid warrants for data must produce that data even if the data is not stored in the U.S.:

Global governments, the tech sector, and scholars are closely following a legal flap in which the US Justice Department claims that Microsoft must hand over e-mail stored in Dublin, Ireland. In essence, President Barack Obama’s administration claims that any company with operations in the United States must comply with valid warrants for data, even if the content is stored overseas. It’s a position Microsoft and companies like Apple say is wrong, arguing that the enforcement of US law stops at the border. A magistrate judge has already sided with the government’s position, ruling in April that “the basic principle that an entity lawfully obligated to produce information must do so regardless of the location of that information.” Microsoft appealed to a federal judge, and the case is set to be heard on July 31.

Well, isn’t that delightful. I was always under the impression that you cannot serve warrants to search property in other countries. But I’m a computer nerd, not a lawyer. But I’m thinking that if this does hold up somehow, and Microsoft releases the data stored in another country, then how long will it take for every other country in the world to buy equipment or services from a non-American or solely domestic company simply to avoid something like this happening to them? For example, Germans buying from German companies or the French buying from French companies. But I’m getting ahead of myself. This is a case that needs to be watched closely as it’s going to have a huge impact.

Apple Responds To Chinese Over Location Tracking

Posted in Commentary on July 15, 2014 by itnerd

Last week you’ll recall that I wrote about Chinese State Media claiming that Apple’s location tracking was a “national security concern.” I also said that because of Apple’s desire to be a player in the Chinese market, they’d have to respond. Well, they have on their Chinese website in both Chinese and English. Here’s a portion of what the statement said:

Our customers want and expect their mobile devices to be able to quickly and reliably determine their current locations for specific activities such as shopping, travel, finding the nearest restaurant or calculating the amount of time it takes them to get to work. We do this at the device level. Apple does not track users’ locations – Apple has never done so and has no plans to ever do so.

And:

Frequent Locations are only stored on a customer’s iOS device, they are not backed up on iTunes or iCloud, and are encrypted. Apple does not obtain or know a user’s Frequent Locations and this feature can always be turned “Off” via our privacy settings. 

Apple does not have access to Frequent Locations or the location cache on any user’s iPhone at any time. We encrypt the cache by the user’s passcode and it is protected from access by any app.

They conclude by saying this:

As we have stated before, Apple has never worked with any government agency from any country to create a backdoor in any of our products or services. We have also never allowed access to our servers. And we never will. It’s something we feel very strongly about.

Now, that’s a very definitive statement. One wonders why they didn’t come out with something similar last year when iOS 7 first appeared and people (including yours truly) first found this feature. Perhaps if they did, we wouldn’t be talking about it now.

China Claims That Apple’s Location Tracking A “National Security Concern”

Posted in Commentary on July 11, 2014 by itnerd

Chinese state-run media, which means it’s essentially the Chinese Government, has made a very interesting claim. They claim that because iOS 7 tracks your movements, it is a “national security concern.” Here’s what the Wall Street Journal had to say:

In its national noon broadcast, state-run China Central Television criticized the “frequent locations” function in Apple’s iOS 7 mobile operating system, which tracks and records the time and location of the owner’s movements. The report quoted researchers who said that those with access to that data could gain knowledge of the broader situation in China or “even state secrets.”

Apple didn’t respond to requests for comment.

Now I have talked about the frequent locations option previously. At the time I said that other phone makers do something similar and that I don’t think there’s anything sinister going on here. But I also mentioned that Apple should clear the air on this feature. Perhaps if they did, we wouldn’t be talking about this right now. Given that Apple really wants to make inroads into the Chinese marketplace, I think they’ll have to address this now.

This is one of those stories to keep an eye on.

BC Court Orders Google To Remove Sites From Its Global Index

Posted in Commentary on June 17, 2014 by itnerd

Here’s something that you should keep your eye on. Michael Geist, who is an Ottawa-based expert on Internet and E-commerce law, has commented on a case where a BC court has apparently ordered Google to remove entries from not only Google.ca, but Google sites worldwide:

The case involves a company that claims that another company used its trade secrets to create a competing product along with “bait and switch” tactics to trick users into purchasing their product. The defendant company had been the target of several court orders demanding that it stop selling the copied product on their website. Google voluntarily removed search results for the site from Google.ca search results, but was unwilling to block the sites from its worldwide search results.

The case turned largely on jurisdictional questions: could a B.C. court assert jurisdiction over Google? Was a Canadian court the right court to hear the case when Google is based in California?  Is it appropriate to issue an order requiring the complete removal of results for all users worldwide?

The court answered affirmatively to all questions.

Not only that, the court cited the “right to be forgotten” [Warning: PDF] case where Google was forced to remove entries from their search engine for any EU citizen who wanted to have entries related to them removed.

This will likely open up a legal can of worms. First, this decision extends outside of Canada. So one question that comes to mind is: can a court really have jurisdiction beyond its borders? While this court seems to think it does, I am not sure that an appeals court will see things the same way. Also, let’s pretend that this is a judgement that survives any and all challenges to it. I think it will create a black market for disclosing information. That means this court has not only potentially increased the value of the information that gets blocked, but also potentially encouraged it to spread rather than restricting it. Finally, this decision only applies to Google. What about Bing, DuckDuckGo and any other search engine? What happens to them?

What are your thoughts on this? Please leave a comment and share your thoughts on this case.

 

 

Supreme Court Of Canada Says Cops Need To Get Warrants To Get Info From ISPs

Posted in Commentary on June 13, 2014 by itnerd

This morning in a major victory for those who want some semblance of privacy, the Supreme Court Of Canada ruled Canadian ISPs cannot hand over customer info to police without a warrant. Here’s what the CBC had to say:

Friday’s decision concerned the case of Matthew David Spencer, of Saskatchewan, who was charged and convicted of possession of child pornography after a police officer saw illegal files being downloaded to his IP address — a series of numbers representing a person’s internet identity.

The police officer went to Spencer’s internet service provider (ISP), Shaw, and asked for the real identity of the customer attached to the IP address. The police officer did not have a search warrant, but was given the address of Spencer’s sister, allowing police to track him down. 

Spencer appealed the decision, arguing that the search was unconstitutional and his rights were violated.

The Court of Appeal ruled there is no reasonable expectation of privacy for basic internet subscriber information, prompting Spencer to appeal to the Supreme Court of Canada.

However, there is a catch. Mr. Spencer didn’t get off the hook:

Although the Supreme Court set limits on when internet providers can disclose customer information, it dismissed Spencer’s appeal.

It said police should have obtained a warrant before asking Shaw for the customer information. But it also said police acted reasonably and in good faith, so the administration of justice would be impaired if the evidence gathered by searching Spencer’s home were thrown out of court.

This is something that I like. The court protected privacy and the bad guy didn’t get away. It’s a win-win.

One thing that this decision does do is throw into question the future of Bill C-13, which is the Canadian Government’s anti cyber-bullying bill. It contains a provision that allows cops access to the same sorts of information that was mentioned in this case. My guess is that this bill will have to be modified to avoid the possibility that the Supreme Court may strike the bill down. But I am a computer nerd, not a lawyer. Perhaps a real lawyer would like to comment on that?

 

Hey IT Nerd! Aren’t BlackBerry PIN Messages Secure From Snooping?

Posted in Commentary on June 12, 2014 by itnerd

I just got a very interesting question from a reader:

IT Nerd. The Quebec Police just announced that they arrested a bunch of accused members of the Mafia. This story from the CBC says that the police intercepted PIN to PIN messages as part of the investigation: 

http://www.cbc.ca/news/canada/montreal/quebec-police-raids-target-31-alleged-mafia-members-1.2673070

I thought PIN to PIN messages were secure? 

Thanks for the question. In short, they are secure but they can be snooped on. Here’s what BlackBerry themselves have to say on this from a technical paper on the subject:

By default, each device uses the same global PIN encryption key, which Research In Motion adds to the device during the manufacturing process. The global PIN encryption key permits every device to authenticate and decrypt every PIN message that the device receives. Because all devices share the same global PIN encryption key, there is a limit to how effectively PIN messages are encrypted. PIN messages are not considered as confidential as email messages sent from the BlackBerry Enterprise Server, which use BlackBerry transport layer encryption. Encryption using the global PIN encryption key is sometimes referred to as “scrambling”.

So in short, PIN messages are secure to a degree. But not totally secure. Which means that someone could get access to PIN to PIN conversations. If you want even more info on this, CSEC has a very detailed document on the subject that is very much worth reading.

So if we accept that they can be snooped on, it is conceivable that a search warrant from the Quebec Police was all that was needed to get access to these PIN to PIN conversations. This pretty much reinforces a core belief of mine. There’s no such thing as privacy anymore and nobody should expect otherwise.

 

 

iOS 8 Will Protect Your Privacy By Limiting The Ability To Track You Via WiFi

Posted in Commentary on June 10, 2014 by itnerd

I’ve written about WiFi tracking in the past and how invasive I believe that to be. If you’re on Android, there are tools from AVG that will protect you from this sort of thing. But iOS users have been out of luck. Until now, that is. Frederic Jacobs posted this Tweet with an intriguing feature that he spotted in iOS 8.

More details on this can be found here.

Now this will not only stop stores from tracking you, but it may also apply to spies as well, as Canada was apparently tracking people via airport WiFi last year. This is a major win for privacy advocates. Though one has to wonder why this wasn’t mentioned during WWDC when iOS 8 was announced. Perhaps Apple didn’t want to tip their hand regarding this? Whatever the reason for them not mentioning it, it’s out in the open now and Apple has to be applauded for this move.

Teksavvy, Rogers Release Transparency Reports

Posted in Commentary on June 6, 2014 by itnerd

Recent revelations from Edward Snowden have made it clear that various government agencies and law enforcement ask for all sorts of information from Internet Service Providers on a frequent basis. What consumers want to know is how often does this happen and what data is handed over? Yesterday, Rogers and Teksavvy released information on the data requests each company receives from various government agencies and authorities, such as the RCMP, CSIS, CBSA, CRA, and police departments.

Rogers posted this info on RedBoard with this from Ken Engelhart, who is Rogers’ Chief Privacy Officer:

We don’t provide direct access to our customer databases. We carefully review requests to ensure they’re legally valid and not overly broad, and then our staff provides the information securely so that only the government or law enforcement agency requesting it can access it.

Teksavvy, with somewhat less fanfare, released a similar report earlier in the day. Both documents detail the sorts of requests that they get from government and the customer data they do and do not give to the Government when they come knocking on the door.

My take? This is a good first step and I applaud both these companies. However, I would like to see other ISPs do the same and do so quickly. Not only that, I would like to see these disclosures done on a regular basis. Say once a year. That way, we know not only what ISPs do when the Government comes looking for info, but we know what the Government is looking for.
