Archive for Privacy

Secret Memo Slams RCMP On ISP Request Records

Posted in Commentary with tags , on March 2, 2015 by itnerd

Well, this does not inspire confidence. Law enforcement in Canada routinely ask ISP’s for all sorts of data in the process of conducting criminal investigations. According to Michael Geist who is a noted Canadian privacy and digital rights advocate, those request are inaccurate and incomplete according to a secret memo:

The memorandum specifically references a 2010 RCMP document that purported to list tens of thousands of warrantless subscriber information requests. The document indicated that 94 per cent of requests involving customer name and address information was provided voluntarily without a warrant.

The Privacy Commissioner of Canada auditors apparently expected that document, which was previously released under the Access to Information Act, to serve as the starting point for their review of RCMP practices. The internal memorandum notes that “we expected that these statistics would be accurate, complete, and up-to-date and that they would allow us to review RCMP files related to such warrantless requests.”

Once the auditors began examining the data, however, they found something entirely different. The internal memorandum states that “based on the evidence below we found, on the contrary, that the statistics provided for 2010 (and later for 2011-2013) were inaccurate, incomplete, not current, and they were not useful identifying PROS files for review.”

The internal memorandum continues by citing specific problems with the RCMP evidence, acknowledging that “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted, however, the memorandum states that “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.”

The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.”

In short, the Privacy Commissioner of Canada set out to audit the RCMP in the hope of uncovering the details behind requests for subscriber information. What it encountered instead was inaccurate data and an effort to downplay the problems within the public report.

The timing of this kind of sucks if you’re the Government of Canada. There is a bill in front of The House Of Commons right now called C-51 that would give Canada’s spies and law enforcement more powers to combat terrorism with questionable oversight. What this story highlights is that if you don’t have real oversight, you get this sort of situation. So one wonders what would happen if bill C-51 actually gets passed. Would this sort of situation happen more often?

The solution is either force more stringent and meaningful oversight on law enforcement, or if they can’t follow the existing rules, then they don’t get the ability to get info like this. Clearly this is a huge problem that needs to be addressed if Canadians are to have confidence in law enforcement.

Samsung Smart TV’s Are Listening To Your Voice And Sending It To Third Parties

Posted in Commentary with tags , on February 9, 2015 by itnerd

I for one will never own a Smart TV. The prospect of having a device that is connected to the Internet monitoring my viewing habits is very un-nerving to me. So, when this story from The Daily Beast hit my inbox, it only served to reinforce my decision to never buy a Smart TV:

A single sentence buried in a dense “privacy policy” for Samsung’s Internet-connected SmartTV advises users that its nifty voice command feature might capture more than just your request to play the latest episode of Downton Abbey.

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party,” the policy reads.

So be advised: If you’re too lazy to pick up the remote, you may want to keep your conversation with the TV as direct and non-incriminating as possible. Don’t talk about tax evasion, drug use. And definitely don’t try out your Violet Crawley impression.

It appears that what Samsung is up to is that they’re sending your voice to a third party to do voice to text conversion. That’s not unusual as Siri works the same way. But there is a concern that Corynne McSherry, the intellectual property director at the Electronic Frontier Foundation voices:

“If I were the customer, I might like to know who that third party was, and I’d definitely like to know whether my words were being transmitted in a secure form.” If the transmission is not encrypted, a Smart Hacker could conceivably turn your TV into an eavesdropping device.

Agreed. Now Samsung’s response to this really leaves a lot to be desired:

“Samsung takes consumer privacy very seriously. In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers’ personal information and prevent unauthorized collection or use,” the company said in a statement to The Daily Beast. “Voice recognition, which allows the user to control the TV using voice commands, is a Samsung Smart TV feature, which can be activated or deactivated by the user. The TV owner can also disconnect the TV from the Wi-Fi network.”

Uh, no. How about being more clear about what you do with a users voice? Simply saying you can turn off the functionality or disconnect the TV from the Internet gives me a huge incentive not to buy the TV in the first place. That way I don’t have to worry about any of this. So, perhaps Samsung cares to rethink this answer and come up with something better that makes me want to trust them as a company when it comes to this sort of thing?


Here’s One Big Reason Why You Shouldn’t Use Just Any Open WiFi. Your Activities Can Be Easily Monitored.

Posted in Commentary with tags , on January 16, 2015 by itnerd

When I am out and about, I try not to use WiFi just anywhere. If required, I will use the Instant Hotspot feature which is part of the larger Continuity feature set that is built into OS X Yosemite and iOS 8.1 to get online. The reason being is that just because WiFi is open and available, it doesn’t mean that you should use it.

Gustav Nipe, president of Sweden’s Pirate Party’s youth wing illustrated this recently. During the Sälen security conference, he set up a WiFi hotspot named “Öppen Gäst” (“Open Guest”) without any kind of encryption. In short order, a large amount of unsuspecting high profile guests associate with the network. According to Nipe, he was able to track which sites people visited as well as the emails and text messages of around 100 delegates, including politicians and journalists as well as security experts. Here’s what he had to say on the matter:

“The security establishment was in Sälen pushing for more surveillance, but then leading figures go and log on to an unsecure W-Fi network,” he told The Local.
“It is very embarrassing because the data we collected showed that some people were looking at Skype, eBay and Blocket and stuff like that, or looking for holidays and where you could go and hike the forest. This was during the day when I suppose they were being paid to be at the conference working.”

Well, that’s a wee bit embarrassing. But this comment shows what the real danger is:

“The scary part is that with unsecure networks like these you can end up getting access even to secure servers because people so often use the same passwords for different sites. So we could have got into the government’s server or used other information to track people in their everyday lives.”

He says that he won’t be revealing which sites were visited by specific experts. But he has already sparked criticism in Swedish newspapers and on social media, with some angry comments saying that Nipe breached Sweden’s Personal Data Act. So this could end badly for him personally, but it does highlight the risks of using just any open WiFi hotspot.

Consider yourselves warned.

Bug In OS X Spotlight Exposes Data To Spammers…… Yikes!

Posted in Commentary with tags , on January 9, 2015 by itnerd

I see that Apple’s software quality has taken yet another hit.

This time there apparently is a bug in OS X Yosemite’s Spotlight feature. German tech news site Heise is reporting that when you use Spotlight to search Apple Mail, Spotlight will show previews of emails and when it does this, it automatically loads external images linked in HTML email. The problem with that is that loading external images also exposes your IP address, current OS version and some details about the browser used as well as the version of Quick Look to spammers among others. That can identify your location as well as other details that can be used to spam you or launch a targeted attack against you. That’s why I have the loading of external images turned off by default in Apple Mail. But Spotlight ignores this setting for whatever reason and displays the external images anyway.


The only workaround is to uncheck the “Mail & Messages” box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight’s search results, and thus, no preview is shown. That’s great unless you actually rely on Spotlight like I do. Bottom Line: Apple really needs to fix this and fix it now as this is just a glaring privacy issue that should have never, ever made it outside the doors of 1 Infinite Loop.

Gogo Forges YouTube SSL Certificate To Throttle Bandwidth….. Not Cool….

Posted in Commentary with tags , on January 8, 2015 by itnerd

If you were planning on using in flight Internet provided by Gogo to watch a few YouTube videos, you may want to think twice. Naked Security has found that GoGo is doing a version of the “Man In The Middle Attack” to throttle high bandwidth applications such as watching YouTube:

Google Chrome security team engineer Adrienne Porter Felt first noticed the bogus SSL certificate while trying to get to the (Google-owned) YouTube site during a flight.

Instead of receiving the Google-issued certificate she expected, she got one from Gogo, with a red-letter warning saying that it came from an untrusted issuer.

Now, that’s very bad for the following reasons:

While modern-day browsers, including Chrome, will flag a bogus certificate, the practice of issuing fake certificates could, at least in theory, set Gogo up to be in the same position as the man in the middle of a man-in-the-middle (MitM) attack, issuing fake security certificates that allow it to view passwords and other sensitive information exchanged between users and YouTube – or whatever other service Gogo might use the technique to block.

Gogo sees things differently of course:

In response to Felt’s text, Gogo Executive Vice President and Chief Technology Officer Anand Chari released a statement saying that the broadband provider is absolutely not stealing users’ private data.

Rather, the rigged certificate is all about enforcing the company’s no-streaming policy, he said.

That’s fine, except Ms. Porter wasn’t trying to stream videos. Even if she was, Gogo was recently caught bragging about how it goes above and beyond to enable the US to snoop on passengers. Thus I would take whatever this company says with a grain of salt.

My advice. Use trusted (if there is such a thing these days) WiFi access in the airport terminal or use your smartphone’s tethering ability to get onto the Internet. Clearly in flight WiFi via Gogo can’t be trusted.


Cops Can Search Your Phone Without A Warrant: Supreme Court Of Canada

Posted in Commentary with tags , on December 11, 2014 by itnerd

If you get arrested in Canada and you have a cell phone or smart phone, the Supreme Court Of Canada says that the cops can search your phone without a warrant as long as the search relates to what you’re being arrested for. Here’s some more details from the CBC:

The Supreme Court of Canada says law enforcement officials can go through the cellphone of someone under arrest as long as the search relates directly to the arrest and police keep detailed notes.

The Supreme Court of Canada split 4-3, with the minority arguing cellphones and personal computers are “an intensely personal and uniquely pervasive sphere” that needs clear protection.

The majority also found that passwords protecting phones don’t carry much weight in assessing that person’s expectation of privacy.

“An individual’s decision not to password protect his or her cellphone does not indicate any sort of abandonment of the significant privacy interests one generally will have in the contents of the phone,” Justice Thomas Cromwell wrote.

I can see two reactions to this:

  • There will be those who say “I have nothing to hide so this is a non-issue for me.”
  • There will be those who say “cops shouldn’t have access to my phone without a warrant.” Then they’re going to figure out ways to encrypt their phone to make it difficult for cops to search them or set up their phone to erase after “x” number of failed attempts to enter the passcode.

Honestly, I am not sure which side of the fence that I am on when it comes to this. Though Glenn Greenwald’s TED Talk on why privacy matters does sort of swing me towards the latter camp. What are your thoughts on this? Please leave a comment below and share them with us.

Why Facebook Should Worry About Ello

Posted in Commentary with tags , , on September 29, 2014 by itnerd

There’s a new social network out there. It’s called Ello (as in the way that some from the UK say “hello”) and it’s currently an invite only platform. Now, you’re likely saying that there’s a new Facebook clone popping up every week. Why should you care about this one? Here’s why. This is what the creators of Ello have to say when you scroll down their landing page:

Your social network is owned by advertisers.

Every post you share, every friend you make and every link you follow is tracked, recorded and converted into data. Advertisers buy your data so they can show you more ads. You are the product that’s bought and sold.

We believe there is a better way. We believe in audacity. We believe in beauty, simplicity and transparency. We believe that the people who make things and the people who use them should be in partnership.

We believe a social network can be a tool for empowerment. Not a tool to deceive, coerce and manipulate — but a place to connect, create and celebrate life.

You are not a product.

That’s a clear shot at Facebook who’s known for not exactly being the best at balancing the needs of users privacy with its need to make a buck. That’s the main reason why I steer clear of Facebook and will never get an account on that platform. But will the fact that Ello advertises itself as being the exact opposite of Facebook resonate? It does for me and I suspect it will for many others out there as well. That’s a problem for Facebook as it makes most of its cash from collecting data on its users and selling it. Unless it can somehow wean itself off that addiction to making money in that manner, it will be under threat by a service like Ello. Thus Facebook will have to adapt or perhaps face the possibility that it may lose users.

My advice? Let’s see how this plays out. It will be very interesting to watch what happens as I really think that Facebook truly has something to worry about.


Get every new post delivered to your Inbox.

Join 291 other followers