Archive for Privacy

Bell Stops Tracking Its Users For Profit

Posted in Commentary with tags , on April 14, 2015 by itnerd

You might remember that Canadian telco Bell Canada was tracking their users online activities unless they opt out of the program so that they could create detailed profiles about them for advertisers. And to make a few bucks off of that as well. That seems to have come to an end for now. The Canadian Privacy Comissioner has told Bell that what they’re doing is not cool:

In a report made public last Tuesday, [Privacy Commissioner Daniel] Therrien’s office ruled the program violated federal privacy laws, and should be limited to only those customers who explicitly volunteer to be tracked.

Bell initially blew the commissioner off. But they changed their tune when the report was made public. The telco is now going stop tracking users and delete the data that they’ve collected. That’s cool. Except for the fact that Bell is also going to reintroduce the program and ask users to opt in. Honestly, I would never do that and I cannot see why anyone else would. Which is why Bell made it an opt out program rather than an opt in program. But at least its legal now. Hopefully the Privacy Commissioner is keeping an eye on them to make sure that they don’t do anything else that violates privacy laws in Canada.

New Zealand Customs Officials Want Your Passwords And Encryption Keys

Posted in Commentary with tags on March 20, 2015 by itnerd

Seeing as I just came back from that part of the world a week ago, news that New Zealand Customs officials wanting to have the power to compel travelers to hand over passwords to electronic devices as well as encryption keys. The thing that has got people upset is that they would not require reasonable suspicion to do so. Though the person who runs NZ Customs says that’s not its intention. Here’s what New Zealand Customs Services chief executive Carolyn Tremain had to say:

“The reality is we have 11 million people crossing the border and a limited amount of resources which we are always going to prioritise by taking a risk-assessment approach. We are not saying every 10th person would be inspected.”

She also goes on to say that countries including Canada do this now. My understanding is that in Canada, this is only done if there are reasonable and probable grounds to do so. So it’s not quite the same thing. But perhaps someone in the know could clarify this.

Here’s why this isn’t going to have the desired effect for New Zealand or anyone else who thinks this is a good idea. People will just travel with clean computers, smartphones, etc, and download anything they need while in the country from their Dropbox account or some other cloud service. Or they will back up their laptop or smartphone to the cloud, wipe the devices, cross the border, and restore it in their hotel room. That’s very easy to do these days. Either way, Customs will never see it and they will not stop a single evil doer.

Now I don’t have a problem if you give customs officials the ability to get access to laptops and smartphones when you suspect that someone has done something wrong. But to have the blanket ability to do so is the wrong approach. New Zealand really needs to rethink this as it’s really not a good idea.

Office Of Auditor General Loses Sensitive Data On USB Drives…. Yikes!

Posted in Commentary with tags , on March 19, 2015 by itnerd

It’s bad enough that there are hackers and other evil doers out there trying to break into your IT infrastructure to get their hands on data that they can use for whatever evil purposes that they have in mind. But what’s worse is when you lose some form of removable media with sensitive data on it and you have no idea where it might be. Here’s a case in point served up from the Office Of The Auditor General here in Canada who lost a bunch of encrypted USB drives:

An internal investigation at the Office of the Auditor General found that about 22 per cent of the encrypted USB drives entrusted to employees were lost, according to newly released documents.

The Star obtained a briefing note through an access to information request that details how the encrypted portable data storage devices were handled by workers at the office of the federal government watchdog, with little done to ensure information technology security measures were followed.

“The management of these USB drives was not strictly enforced. Employees were given IT Security information sessions on how to report stolen or lost devices but there was never any real accountability if a USB drive was lost,” says the Sept. 22, 2014 memo prepared by Jean-Charles Parisé, chief information officer and departmental security officer with the Office of the Auditor General.

The Office Of The Auditor General for their part says there’s nothing to see here:

“We have always encrypted (since 2008), so we were not worried about losing the data. We couldn’t lose data, but it became a bit troublesome to have to manage those (devices). They’re easy to lose . . . . So, we decided we had to do away with (them),” Parisé said in a telephone interview Wednesday.

The institution has since moved mostly to using a secure file transfer (secure FTP) site to exchange information with outside institutions and has recalled all the USB devices, except for those currently being used in ongoing audits, such as the investigation into Senate expense claims.

Well, at least the drives are encrypted. That will stop the casual user from getting access to that data. But a more skilled user may have a shot at getting to that data. After all, nothing is hacker proof. And according to the story, the data on those drives is likely information containing identifying information about individuals or institutions that is not secret or classified. That’s not good. As for them moving to methods like secure file transfer services, at least there’s no physical media to lose. But it leaves them wide open to social engineering attacks and password cracking attempts unless they use some form of two factor authentication to stop that from happening. That’s because all that usually stands between a hacker and the data is a password. Thus I’m implying that they might have traded one problem for another.

Clearly there needs to be a major shift in terms of how data is handled and secured to stop situations like this from happening. Hopefully, it doesn’t take a major negative event for that shift to take place.

Canadian Arrested For Not Unlocking His Phone For Border Services

Posted in Commentary with tags , on March 5, 2015 by itnerd

Canadian smartphone users need to keep an eye on this as it’s going to be important from the standpoint of your privacy. A resident of the province of Quebec returned from the Dominican Republic recently. Here’s what happened next:

The case of a Quebec man charged with obstructing border officials by refusing to give up his smartphone password has raised a new legal question in Canada, a law professor says.

Alain Philippon, 38, of Ste-Anne-des-Plaines, Que., refused to divulge his cellphone password to Canada Border Services Agency during a customs search Monday night at Halifax Stanfield International Airport.

Philippon had arrived in Halifax on a flight from Puerto Plata in the Dominican Republic. The charge against him carries a maximum penalty of $25,000 and a year in prison.

Lovely. Here’s the key thing: Canada Border Services Agency may say that they have the right to search your electronic devices. But this has never been tested in court. Thus this could really backfire on the Canada Border Services agency. I would say that Canadians should keep an eye on this as I suspect that case law is about to be made.

Secret Memo Slams RCMP On ISP Request Records

Posted in Commentary with tags , on March 2, 2015 by itnerd

Well, this does not inspire confidence. Law enforcement in Canada routinely ask ISP’s for all sorts of data in the process of conducting criminal investigations. According to Michael Geist who is a noted Canadian privacy and digital rights advocate, those request are inaccurate and incomplete according to a secret memo:

The memorandum specifically references a 2010 RCMP document that purported to list tens of thousands of warrantless subscriber information requests. The document indicated that 94 per cent of requests involving customer name and address information was provided voluntarily without a warrant.

The Privacy Commissioner of Canada auditors apparently expected that document, which was previously released under the Access to Information Act, to serve as the starting point for their review of RCMP practices. The internal memorandum notes that “we expected that these statistics would be accurate, complete, and up-to-date and that they would allow us to review RCMP files related to such warrantless requests.”

Once the auditors began examining the data, however, they found something entirely different. The internal memorandum states that “based on the evidence below we found, on the contrary, that the statistics provided for 2010 (and later for 2011-2013) were inaccurate, incomplete, not current, and they were not useful identifying PROS files for review.”

The internal memorandum continues by citing specific problems with the RCMP evidence, acknowledging that “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted, however, the memorandum states that “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.”

The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.”

In short, the Privacy Commissioner of Canada set out to audit the RCMP in the hope of uncovering the details behind requests for subscriber information. What it encountered instead was inaccurate data and an effort to downplay the problems within the public report.

The timing of this kind of sucks if you’re the Government of Canada. There is a bill in front of The House Of Commons right now called C-51 that would give Canada’s spies and law enforcement more powers to combat terrorism with questionable oversight. What this story highlights is that if you don’t have real oversight, you get this sort of situation. So one wonders what would happen if bill C-51 actually gets passed. Would this sort of situation happen more often?

The solution is either force more stringent and meaningful oversight on law enforcement, or if they can’t follow the existing rules, then they don’t get the ability to get info like this. Clearly this is a huge problem that needs to be addressed if Canadians are to have confidence in law enforcement.

Samsung Smart TV’s Are Listening To Your Voice And Sending It To Third Parties

Posted in Commentary with tags , on February 9, 2015 by itnerd

I for one will never own a Smart TV. The prospect of having a device that is connected to the Internet monitoring my viewing habits is very un-nerving to me. So, when this story from The Daily Beast hit my inbox, it only served to reinforce my decision to never buy a Smart TV:

A single sentence buried in a dense “privacy policy” for Samsung’s Internet-connected SmartTV advises users that its nifty voice command feature might capture more than just your request to play the latest episode of Downton Abbey.

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party,” the policy reads.

So be advised: If you’re too lazy to pick up the remote, you may want to keep your conversation with the TV as direct and non-incriminating as possible. Don’t talk about tax evasion, drug use. And definitely don’t try out your Violet Crawley impression.

It appears that what Samsung is up to is that they’re sending your voice to a third party to do voice to text conversion. That’s not unusual as Siri works the same way. But there is a concern that Corynne McSherry, the intellectual property director at the Electronic Frontier Foundation voices:

“If I were the customer, I might like to know who that third party was, and I’d definitely like to know whether my words were being transmitted in a secure form.” If the transmission is not encrypted, a Smart Hacker could conceivably turn your TV into an eavesdropping device.

Agreed. Now Samsung’s response to this really leaves a lot to be desired:

“Samsung takes consumer privacy very seriously. In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use,” the company said in a statement to The Daily Beast. “Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. The TV owner can also disconnect the TV from the Wi-Fi network.”

Uh, no. How about being more clear about what you do with a users voice? Simply saying you can turn off the functionality or disconnect the TV from the Internet gives me a huge incentive not to buy the TV in the first place. That way I don’t have to worry about any of this. So, perhaps Samsung cares to rethink this answer and come up with something better that makes me want to trust them as a company when it comes to this sort of thing?


Here’s One Big Reason Why You Shouldn’t Use Just Any Open WiFi. Your Activities Can Be Easily Monitored.

Posted in Commentary with tags , on January 16, 2015 by itnerd

When I am out and about, I try not to use WiFi just anywhere. If required, I will use the Instant Hotspot feature which is part of the larger Continuity feature set that is built into OS X Yosemite and iOS 8.1 to get online. The reason being is that just because WiFi is open and available, it doesn’t mean that you should use it.

Gustav Nipe, president of Sweden’s Pirate Party’s youth wing illustrated this recently. During the Sälen security conference, he set up a WiFi hotspot named “Öppen Gäst” (“Open Guest”) without any kind of encryption. In short order, a large amount of unsuspecting high profile guests associate with the network. According to Nipe, he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. Here’s what he had to say on the matter:

“The security establishment was in Sälen pushing for more surveillance, but then leading figures go and log on to an unsecure W-Fi network,” he told The Local.
“It is very embarrassing because the data we collected showed that some people were looking at Skype, eBay and Blocket and stuff like that, or looking for holidays and where you could go and hike the forest. This was during the day when I suppose they were being paid to be at the conference working.”

Well, that’s a wee bit embarrassing. But this comment shows what the real danger is:

“The scary part is that with unsecure networks like these you can end up getting access even to secure servers because people so often use the same passwords for different sites. So we could have got into the government’s server or used other information to track people in their everyday lives.”

He says that he won’t be revealing which sites were visited by specific experts. But he has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden’s Personal Data Act. So this could end badly for him personally, but it does highlight the risks of using just any open WiFi hotspot.

Consider yourselves warned.


Get every new post delivered to your Inbox.

Join 309 other followers