Home Tags Wiretapping

Tag: Wiretapping

Scroogled no more: Gmail won’t scan e-mails for ads personalization

Google kills Gmail's most controversial feature.

Man claims his Bose headphones intercept what he’s listening to

Illinois man: my headphones transmit audio metadata to data miner Segment.io.

Amid “muffled sobs,” ex-prosecutor pleads guilty to illegal wiretapping

"I intentionally forged court orders that allowed me to wiretap cellphones…"

Feds: Brooklyn prosecutor forged judges’ signatures to wiretap lover

Tara Lenich was entangled in a reported "love triangle gone wrong."

Congressional Group Says Encryption Backdoors Are a Bad Idea

The Congressional Encryption Working Group released its year-end report that concluded that encryption backdoors do more harm than good.

The 12-page report said that “any measure that weakens encryption works against the national interest.” The bipartisan congressional panel recommended that the U.S. support strong encryption and that “Congress should foster cooperation between the law enforcement community and technology companies.” The conclusions run contrary to those of the FBI, which in the past said it has favored encryption backdoors in tech products and services.

The Encryption Working Group was formed in the wake of the FBI’s battle with Apple to access data on an iPhone belonging to terrorist Syed Farook. Ed McAndrew, a former federal cybercrime prosecutor and partner at law firm Ballard Spahr, said that the conclusions of the committee are significant, however will have little impact on pending or future legislation. “There is nothing legislative being proposed as an outgrowth of this report,” he said. “The major points of the report track what the various stakeholders have said.

Backdoors are dangerous. Weaknesses in encryption can benefit the intended and unintended third-parties.” In its report, members of the working group said that it is exceedingly difficult and impractical, if not impossible, to “to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors.” The committee also concluded requiring “exceptional access to encrypted data would, by definition, prohibit some encryption design best practices, such as ‘forward secrecy,’ from being implemented.” Perfect Forward Secrecy is a technology that ensures communication sessions are secured by randomly generated ephemeral public keys.
It is a strategy that prevents an attacker from later using a stolen private key to decrypt recorded encrypted sessions. The committee identified areas of future discussion for the next Congress, such as how law enforcement agencies should navigate the process of accessing information from private companies. Other areas slated for discussion are examining options to improve law enforcement’s ability to leverage metadata and reviewing the circumstances, resources and legal framework necessary to help law enforcement agencies exploit existing flaws in digital products, according to the report. Electronic Frontier Foundation staff attorney Andrew Crocker said he was glad the working group came out “strongly against weakening encryption.” However, he said upcoming areas of focus for the commission were of equal importance when it comes to national security. “The report points in the direction of other approaches to government access to data, some of which raise similarly serious concerns, especially so-called lawful hacking by the government,” wrote Crocker in a statement to Threatpost. In the interim, encryption is going to continue to be a hotly debated topic, particularly with law enforcement investigations, McAndrew said. “What I’ll be watching for is whether the new administration and new Congress have any type of revised CALEA legislative proposals.” CALEA stand for Communications Assistance for Law Enforcement Act and is the statute that requires telecommunication companies and others to help law enforcement agencies with lawful intercept and wiretapping operations. Some lawmakers, most notably Sen. Richard Burr of North Carolina and Sen.

Tom Cotton of Arkansas, have strongly advocated for encryption backdoors in technology products. Reuters has reported that Sen.

Burr, who chairs the Intelligence Committee, will reintroduce encryption legislation compelling companies such as Apple to build “back doors” into devices and services.
Sen.

Burr believes there is new hope for his bill under the support of the Trump administration. For his part, President-Elect Donald Trump, hasn’t publicly taken a position on encryption. However during the Apple-FBI debate he blasted Apple on the campaign trail for not cooperating with the FBI and called for a boycott of Apple products. In its report the committee concluded, “There is no ‘us versus them,’ or ‘pro-encryption versus law enforcement.’ This conversation implicates everyone and everything that depends on connected technologies—including our law enforcement and intelligence communities.

This is a complex challenge that will take time, patience, and cooperation to resolve.”

French surveillance law is unconstitutional after all, highest court says

The French Constitutional Council has taken another look at a new security law it waved through in July 2015, and found it wanting. A key clause of last year's Surveillance Law essentially allowed security agencies to monitor and control wireless commu...

Researchers ask federal court to unseal years of surveillance records

Enlarge / The lawyers are petitioning a court housed in the Phillip Burton Federal Building in San Francisco.Bloomberg / Getty Images News reader comments 7 Share this story Two lawyers and legal researchers based at Stanford University have formally asked a federal court in San Francisco to unseal numerous records of surveillance-related cases, as a way to better understand how authorities seek such powers from judges.

This courthouse is responsible for the entire Northern District of California, which includes the region where tech companies such as Twitter, Apple, and Google, are based. According to the petition, Jennifer Granick and Riana Pfefferkorn were partly inspired by a number of high-profile privacy cases that have unfolded in recent years, ranging from Lavabit to Apple’s battle with the Department of Justice. As they wrote in their Wednesday filing: Most surveillance orders are sealed, however.

Therefore, the public does not have a strong understanding of what technical assistance courts may order private entities to provide to law enforcement.

There are at least 70 cases, many under seal, in which courts have mandated that Apple and Google unlock mobile phones—and potentially many more.

The Lavabit district court may not be the only court to have ordered companies to turn over private encryption keys to law enforcement based on novel interpretations of law.

Courts today may be granting orders forcing private companies to turn on microphones or cameras in cars, laptops, mobile phones, smart TVs, or other audio- and video-enabled Internet-connected devices in order to conduct wiretapping or visual surveillance. This pervasive sealing cripples public discussion of whether these judicial orders are lawful and appropriate. In their 45-page petition, they specifically say that they don’t need all sealed surveillance records, simply those that should have been unsealed—which, unfortunately, doesn’t always happen automatically. Petitioners seek the unsealing of underlying materials only from cases where there is no longer any need for secrecy, e.g., the criminal investigation has terminated, the surveillance order (including any delayed-notice order) has expired, or charges have been filed.

These records are public documents and should be publicly docketed and unsealed unless good cause exists on a case-by-case basis for continued secrecy based on the facts and circumstances of the individual matter. Granick is the director of civil liberties at the Stanford Center for Internet and Society and previously worked at Zwillgen, one of the law firms that represented Apple in the wake of the December 2015 terrorist attack in San Bernadino. Pfefferkorn is the Cryptography Fellow at the same Stanford group.

Both women have been outspoken on the issue of expansive government surveillance. The petition has yet to be assigned to a judge, and as such, hearings have not been scheduled.

Judge: child porn evidence obtained via FBI’s Tor hack must be...

EnlargeAndrew Brookes / Getty Images News reader comments 1 Share this story A federal judge in Iowa has ordered the suppression of child pornography evidence derived from an invalid warrant.

The warrant was issued as part of a controversial government-sanctioned operation to hack Tor users. Out of nearly 200 such cases nationwide that involve the Tor-hidden child porn site known as "Playpen," US District Judge Robert Pratt is just the third to make such a ruling. "Any search conducted pursuant to such warrant is the equivalent of a warrantless search," Judge Pratt wrote Monday in his 19-page order in United States v.

Croghan.
While the charges against Beau Croghan have not been dropped yet, the ruling significantly hinders the government's case. Earlier this year, federal judges in Massachusetts and Oklahoma made similar rulings and similarly tossed the relevant evidence.

Thirteen other judges, meanwhile, have found that while the warrants to search the defendants' computers via the hacking tool were invalid, they did not take the extra step of ordering suppression of the evidence.

The corresponding judges in the remainder of the cases have yet to rule on the warrant question. In all of these cases related to Playpen, a federal magistrate judge in Virginia issued a warrant that was then used to authorize the deployment of this tool, known as a "network investigative technique," or NIT, as a way to locate users. Under current rules of federal jurisprudence, magistrate judges only have the authority to issue warrants within their own district. However, a change in this rule will almost certainly expand this power to magistrate judges later this year, absent Congressional action.

As of now, only more senior federal judges, known as district judges, have the authority to issue out-of-district warrants.
So, Judge Pratt concluded, because the warrant was invalid ab initio, or from the beginning, any evidence that resulted from that search must be suppressed. "Here, by contrast, law enforcement caused an NIT to be deployed directly onto Defendants' home computers, which then caused those computers to relay specific information stored on those computers to the Government without Defendants' consent or knowledge," Judge Pratt wrote. "There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer." As the judge continued: If a defendant writes his IP address on a piece of paper and places it in a drawer in his home, there would be no question that law enforcement would need a warrant to access that piece of paper—even accepting that the defendant had no reasonable expectation of privacy in the IP address itself. Here, Defendants' IP addresses were stored on their computers in their homes rather than in a drawer. Our tax dollars at work As Ars has reported before, investigators in early 2015 used the NIT to force Playpen users to cough up their actual IP address, which made tracking them down trivial.
In yet another related case prosecuted out of New York, an FBI search warrant affidavit described both the types of child pornography available to Playpen's 150,000 members and the malware's capabilities. As a way to ensnare users, the FBI even took control of Playpen and ran it for 13 days before shutting it down.

During that period, with many users' Tor-enabled digital shields down—revealing their true IP addresses—the government was then able to identify and arrest the nearly 200 child porn suspects. (However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which could suggest that even more charges could be filed.) Privacy-minded experts applauded Judge Pratt's reasoning—that the government should not have the ability, absent proper warrants, to hack into people's computers. "Judge Pratt correctly interpreted the NIT's function and picked the correct analogy," Fred Jennings, a New York-based lawyer who has worked on numerous computer crime cases, told Ars. Jennings continues: [Pratt] correctly points out that the usual analogies, to tracking devices or IP information turned over by a third-party service provider, are inapplicable to this type of government hacking.

A common theme in digital privacy, with Fourth Amendment issues especially, is the difficulty of analogizing to apt precedent—there are nuances to digital communication that simply don't trace back well to 20th-century precedent about physical intrusion or literal wiretapping. By contrast to Judge Pratt, other courts have struggled with the basics of how Tor and IP addresses work. "In attempting to salvage the mess they made with Playpen, [the Department of Justice] has tried to say that the NIT is like a GPS tracking device," Chris Soghoian, a technologist for the American Civil Liberties Union, told Ars. "And, sadly, several judges have bought it, saying that the defendants traveled virtually to Virginia, and that the NITs were installed in Virginia while they were virtually there." For its part, the government has said it is not sure how it will deal with the suppression order in Croghan. "Our office is still in the process of reviewing the judge's order that was issued yesterday," Rachel Scherle, a federal prosecutor in Iowa, told Ars by e-mail. "No decisions have been made as to dismissal or appeal at this time, but I will keep you posted."

EU 'Seeks to Restrict Digital Comms Encryption'

The EU wants to force WhatsApp, iMessage and other internet-based tools to abide by tougher data-protection rules, leaked documents say. By Matthew BroersmaThe European Union is looking to extend some of the privacy rules that currently apply to telecommunications companies to cover internet-based services such as Skype and WhatsApp in a way that could restrict their use of encryption, according to reports.The EU's plans could also oblige digital services to allow users to take content, such as copies of emails, with them when they change providers, according to reports from media outlets including The Financial Times and Reuters, all of which cited internal EU documents.New Privacy Obligations The privacy and confidentiality obligations for internet firms remain to be defined, according to the EU documents. Currently 2002's Privacy and Electronic Communications Directive, known as the ePrivacy Directive, applies only to telecoms providers such as Vodafone or Orange, and those providers have argued the rules place them at a disadvantage to web-based competitors.Facebook's WhatsApp, for instance, protects its communications with end-to-end encryption, while telecoms companies are barred from doing so, being subject to wiretapping and "lawful interception" demands by governments.Apple's mobile iMessage service also claims to offer end-to-end encryption, while Microsoft's Skype encrypts communications but also says it monitors message content for the purposes of blocking fraud and other illegal activity. ePrivacy Review The possible changes are part of a review to the ePrivacy rules announced by the EU in April, when it launched a public consultation seeking the views of stakeholders.The EU said the review was motivated in part by the introduction of the General Data Protection Regulation this year, which is set to broadly alter Europe's data protection environment.While organizations including national data protection regulators, telecoms companies and internet firms have published their responses to the consultation, the EU's own views have not previously been made public.Orange pointed out in its response that internet-based services are "allowed to commercially exploit the traffic data and the location data they collect", while telecoms firms are restricted in how they use such information.In its response, Facebook argued against any extension of the ePrivacy rules, saying new restrictions could mean it would "no longer be able to guarantee the security and confidentiality of the communication through encryption" and therefore could "have the undesired consequence of undermining the very privacy it is seeking to protect".The European Commission has said it does not necessarily plan to treat all communications services the same for all purposes. Spectrum Changes A broader reform of the EU's telecoms rules is set to begin next month, and the Commission is proposing to take the opportunity to increase the term of spectrum licenses from 10 to 25 years, according to internal documents cited by Reuters.That move, intended to introduce a more stable market for operators and encourage them to boost their investments, could face opposition from national governments, for whom spectrum license auctions have proven a lucrative source of income.Under the results of a June referendum, the UK is set to exit the European Union, but EU laws are likely nevertheless to continue to influence British policies.

Internet tracking software maker to face wiretapping trial, court rules


reader comments 2 Share this story A federal appeals court says the maker of an online spying tool can be sued on accusations of wiretapping.

The federal lawsuit was brought by a man whose e-mail and instant messages to a woman were captured by the husband of the woman.

That husband used that data as a "battering ram" as part of his 2010 divorce proceedings. It's the second time in a week that a federal court has ruled in a wiretapping case—in favor of a person whose online communications were intercepted without consent.

The other ruling was against Google.

A judge ruled that a person not using Gmail who sent e-mail to another person using Gmail had not consented to Gmail's automatic scanning of the e-mail for marketing purposes. Hence, Google could be sued (PDF) for alleged wiretapping violations. For the moment, the two outcomes are a major victory for privacy.

But the reasoning in the lawsuit against the makers of the WebWatcher spy program could have ramifications far beyond the privacy context—and it places liability on the producers of spyware tools. In the case decided Tuesday, the 6th US Circuit Court of Appeals ruled (PDF) that Awareness Technologies, which markets WebWatcher, must face a wiretapping lawsuit from a man named Javier Luis because the data its software intercepts is stored on its servers. "We conclude that Luis has indeed alleged enough facts to reasonably infer that Awareness intercepted his communications," Judge Ronald Gilman, of the three-judge appeals court, wrote for the 2-1 majority. In dissent, Judge Alice Batchelder wrote that the technology company was not the one "intentionally doing the intercepting." She said the case is a "novel theory of liability" which "does not appear even to have been tried, much less to have been successful, in any previous case." Indeed, the appellate panel's decision reverses a 2014 lower court ruling in favor of Awareness Technologies.

A trial judge ruled that Awareness was not responsible because any spying was done by the company's customers. Listing image by Barn Images

Privacy lawsuit over Gmail will move forward

cinefil_reader comments 44 Share this story Thanks to a judge's order, Google must face another proposed class-action lawsuit over its scanning of Gmail.

The issue is a lingering headache for the search giant, which has faced allegations for years now that scanning Gmail in order to create personalized ads violates US wiretapping laws. In a 38-page order (PDF), US District Judge Lucy Koh rejected Google's argument that the scanning takes place within the "ordinary course of business." "Not every practice that is routine or legitimate will fall within the scope of the 'ordinary course of business'," Judge Koh wrote. Koh noted that while Google has to scan for other reasons, like virus and spam prevention, the company didn't have to scan for advertising purposes.
She noted that in April 2014, Google "ceased intercepting, scanning, and analyzing, for advertising purposes, the contents of emails transmitted via Google Apps for Education." According to Koh, that shows that Google is able to provide Gmail, at least to some users, without scanning email for ad purposes. The order was published on Friday and first reported earlier today by Courthouse News.

The ruling means that Google won't be able to get the lawsuit, which was filed in September, thrown out at an early stage. However, the plaintiffs are a long way from seeing a payday.

Google will likely fight hard to defend the way it has long run its Gmail service. The plaintiffs still have yet to pass key hurdles, including forming a class, which proved impossible in an earlier lawsuit. Koh's order reviews the history of those earlier privacy cases, the first of which was filed in 2010.

They were filed in various districts and ultimately consolidated in Koh's court as In re Google Inc.

Gmail Litigation
. While Google wasn't able to get that suit thrown out either, the individual plaintiffs all dismissed their cases with prejudice after they failed to form a class.
In that case, Koh ruled that the question of whether the plaintiffs had provided consent to scan their Gmail needed "individualized inquiries" and couldn't be addressed as a class action. In the case Koh ruled on Friday, Matera v.

Google
, the plaintiffs are seeking to represent only users who do not use Gmail and have never had a Gmail account, but have still had the content of their emails scanned because they interacted with Gmail users.

The plaintiffs in Matera say the scanning violates both the federal Electronic Communications Privacy Act and California state privacy laws.