Thursday, April 11, 2013

Electronic privacy roundup

Here are several national electronic privacy stories that relate to presently pending Texas legislation.

Selling not-so-anonymous location tracking data
Many user agreements one signs online indicate the company will not sell your personal information, but today "anonymized" data - even location data - can often be re-identified. The Verge describes the process in an article titled "How carriers sell your location and get away with it" (April 8):
The problem is, the data may not be anonymous after all. Last week, a group of MIT data scientists found a way to work back to 95 percent of the people in a European carrier’s data set from just four new location data points. Those could be Foursquare posts, geolocated tweets, or items on a credit card slip. If someone's got four of those hits, along with a batch of anonymized data from the carriers, it's enough to single you out. Suddenly, that "anonymized" data turns into a detailed record of everywhere you've been.

This kind of re-identification has happened before. In the mid-1990s, when a Massachusetts state group released a crop of anonymized medical records, a data scientist named Latanya Sweeney was able to re-identify them by comparing them to local voter rolls — and responded by mailing the governor a full copy of his private medical history. As detailed by Paul Ohm, she later proved just a birthdate, zip code and gender is enough to identify 87 percent of the population, and knowing where someone is makes them even easier to ID. "Location pins you down a hell of a lot," said Lee Tien, a lawyer for the Electronic Frontier Foundation. "To know you're in a particular city, even if it's a big city like San Francisco, that ruled out most of the world right there."

All that’s left is a little math, but this is the kind of math that gets you in trouble. To a lawyer, running this algorithm counts as a data breach, which states have harsh laws about. Once you cross from "anonymous" to "personal" data, you'll face a world of ugly consequences if anyone finds out. But to a data scientist, it's as simple as connecting the dots.

Warrants for email? IRS says 'no'
Meanwhile, the IRS provides further evidence that the laws surrounding electronic privacy remain incredibly unclear, with different government agencies applying different standards at the federal level just like in Texas. Reported Declan McCullagh (CNET, April 10):
The Internal Revenue Service doesn't believe it needs a search warrant to read your e-mail.
Newly disclosed documents prepared by IRS lawyers say that Americans enjoy "generally no privacy" in their e-mail, Facebook chats, Twitter direct messages, and similar online communications -- meaning that they can be perused without obtaining a search warrant signed by a judge.

That places the IRS at odds with a growing sentiment among many judges and legislators who believe that Americans' e-mail messages should be protected from warrantless search and seizure. They say e-mail should be protected by the same Fourth Amendment privacy standards that require search warrants for hard drives in someone's home, or a physical letter in a filing cabinet.

An IRS 2009 Search Warrant Handbook obtained by the American Civil Liberties Union argues that "emails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual's computer." The handbook was prepared by the Office of Chief Counsel for the Criminal Tax Division and obtained through the Freedom of Information Act....

The IRS continued to take the same position, the documents indicate, even after a federal appeals court ruled in the 2010 case U.S. v. Warshak that Americans have a reasonable expectation of privacy in their e-mail. A few e-mail providers, including Google, Microsoft, Yahoo, and Facebook, but not all, have taken the position that Warshak mandates warrants for e-mail. ...

A March 2011 update to the IRS manual, published four months after the Warshak decision, says that nothing has changed and that "investigators can obtain everything in an account except for unopened e-mail or voice mail stored with a provider for 180 days or less" without a warrant. An October 2011 memorandum (PDF) from IRS senior counsel William Spatz took a similar position.

A phalanx of companies, including Amazon, Apple, AT&T, eBay, Google, Intel, Microsoft, and Twitter, as well as liberal, conservative, and libertarian advocacy groups, have asked Congress to update the 1986 Electronic Communications Privacy Act to make it clear that law enforcement needs warrants to access private communications and the locations of mobile devices.

Verizon colludes with feds to configure personal device for Stingray
Finally, it's worth remembering that much modern surveillance requires the collusion of vendors who are frequently compelled by statute to cooperate with law enforcement. It turns out Verizon not only provided data to the FBI but reconfigured their target's personal devices - in particular his "air card" - remotely in order to maximize the effectiveness of the feds' Stingray surveillance equipment. Reported Wired (April 9):
Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case [alleged tax fraud] Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.
The FBI calls, which contacted the air card silently in the background, operated as pings to force the air card into revealing its location.

In order to do this, Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then “broadcast a very strong signal” to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden’s location.

To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list. ...

During a hearing in a U.S. District Court in Arizona on March 28 to discuss the motion, the government did not dispute Rigmaiden’s assertions about Verizon’s activities.

Can police read your text messages without a warrant?
A case pending before the Washington State Supreme Court will consider the question. See an EFF blog post wherein you'll find linked their amicus brief on the subject.

'The Public Private'
See an AP story about a NYC art exhibit focusing on the blurred lines between public and private spheres of our lives in an era of social networking and ubiquitous camera surveillance.

4 comments:

  1. As much as many people enjoy poking fun at the post-911 "nutcases" that scream their doom and gloom as far as America becoming a police state; One has to acknowledge that many things that were alluded to by them in the early 2000's have come to pass in a very secretive, yet forceful way. The government has not only stopped listening to the people in many instances, but has stopped being accountable. Which is more dangerous?

    1. I now suspect the authorities get a lot of clearances by their commanders and courts to intrude when they could not have prior to 9-11. All this (some is legitimate) freelancing by law enforcement..drones..wiretaps..runaway equipment budgets......under the umbrella famous phrase HOMELAND SECURITY.

  2. what's sad is everyone forgets that old saying!

    Those who refuse to learn from history are doomed to repeat it!

    i like this version

    Those too fucking stupid to remember history are usually run over by it.

    Just take a look at a couple of other older "umbrella security" agencies!

    Gestapo
    KGB

    or any of the others created in South America during the junta times.

    Now substitute "Homeland Security" for those names. They are pretty much the same!

    1. No way to stop the state hysteria machine once it reaches sanctioned momentum.
