Wednesday, April 20, 2011

Dropbox's privacy commitment questioned after terms change

From IT PRO:
Dropbox users have been forced to reconsider the security of the files after revelations the provider will decrypt and release customer information to law enforcement authorities.

Dropbox, which has quickly become popular with individuals and small agencies, has inserted a clause in its terms of service which states the company will turn over files to the authorities if they ask for them.

In a move heralded as “not surprising but disappointing” by analysts, the decision brings Dropbox into line with the terms of other cloud providers, including Amazon and Google.

Researchers Disclose iPhone and iPad Location-Tracking Privacy Issues

From Mac Rumors:
A pair of security researchers today announced that they are sounding the privacy warning bell about the capability of iOS 4 to track the location of an iPhone or iPad on an ongoing basis, storing the data to a hidden file known as 'consolidated.db' in the form of latitude and longitude and a timestamp for each point.

All iPhones appear to log your location to a file called 'consolidated.db.' This contains latitude-longitude coordinates along with a timestamp. The coordinates aren't always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there's typically around a year's worth of information at this point. Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself.

While the consolidated.db file has been known for some time and has played a key role in forensic investigations of iOS devices by law enforcement agencies, the researchers note the data is available on the devices themselves and in backups in unencrypted and unprotected form, leading to significant privacy concerns. Once gathered, the data is saved in backups, restored to devices if necessary, and even migrated across devices, offering a lengthy history of a user's movement.

Bill would require parental consent for TSA pat-downs of minors

From The Daily Caller:
Under fire after a video surfaced online of a 6-year-old Kentucky girl undergoing an enhanced pat-down at the New Orleans airport, a new bill would require Transportation Security Administration agents to obtain parental permission before performing new invasive pat-down techniques on children at airports.

Utah Republican Rep. Jason Chaffetz, chairman of the Oversight Subcommittee on National Security, unveiled the legislation last week.

“If you’re going to do a pat-down — which I’ve got a serious problem with in the first place — then you’re going to have to have parental consent and that parent has to be there,” Chaffetz, a longtime critic of TSA, said during an MSNBC interview Monday.

Rep. Mica: TSA 'Out of Control'

From Newsmax:
Rep. John Mica says the Transportation Security Administration has become a huge bureaucracy that has “spun out of control” and cries out for reform.

The Florida Republican, chairman of the House Transportation and Infrastructure Committee, also says it makes no sense to hire additional air traffic controllers for night duty to deal with the problem of sleeping controllers.

Mica was first elected to the House in 1992, and as chairman of the Aviation Subcommittee he was a major force in the creation of the TSA following the 9/11 terrorist attacks.

Tell Government and the Travel Industry: No More TSA Pat-Downs for Kids

From PRNewswire:
Traveler advocate We Won't Fly is organizing a mass 'Call Flood' campaign to force the Transportation Security Administration (TSA) to stop touching children, as they did to 6-year-old Anna Drexel last week. The campaign is focused on TSA administrator John Pistole, President Barack Obama, Department of Homeland Security (DHS) Secretary Janet Napolitano, Disneyland and other travel industry participants that serve families.

The goal of the campaign is to highlight the immorality of TSA pat-downs of minors, force the TSA to immediately and permanently halt all touching of minors and encourage travel industry players to join us.

In a December 2010 interview, expert in the fight against child sexual abuse Ken Wooden said that TSA patdowns could 'desensitize children to inappropriate touch and ultimately make it easier for sexual offenders to prey on our children.'

Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace

From NIST:
Today, the Obama Administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to better protect consumers from fraud and identity theft, enhance individuals' privacy, and foster economic growth by enabling industry both to move more services online and to create innovative new services. The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

'The Internet has transformed how we communicate and do business, opening up markets, and connecting our society as never before. But it has also led to new challenges, like online fraud and identity theft, that harm consumers and cost billions of dollars each year,' said President Obama. 'By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation. That's why this initiative is so important for our economy.'

Michigan State Police Reportedly Extracting Personal Info From Cellphones

From the New American:
The Michigan chapter of the American Civil Liberties Union is questioning the Michigan State Police's use of cellphone 'extraction' devices.

Specifically, the group claims that law enforcement is clandestinely using portable devices to secretly extract personal information from cell phones during routine stops. The devices are sold by a company called Cellebrite and facilitate the downloading of text messages, photos, video, and even GPS data from mobile phones. The handheld machines use various codes to work with different models and can be programmed to even bypass security passwords in order to access the desired personal information stored on the cell phone.

According to the ACLU, it has submitted several Freedom of Information Act (FOIA) requests over the past three years, none of which has been complied with by the Michigan State Police.

Sunday, April 3, 2011

No common law tort for invasion of privacy: judge

From the Financial Post:
The Ontario case of Jones v. Tsige involves the sort of prurient details you’d expect to see in front of Judge Judy on afternoon TV: soured romantic entanglements and a squabble over money.

But the case is on its way to the Ontario Court of Appeal to address one of the oldest issues in the common law world: Is there a free standing common law tort for invasion of privacy?

Most people might assume such a right exists, but the issue has actually perplexed lawyers in Ontario and some other common law provinces for decades. Last week, Mr. Justice Kevin Whitaker of the Ontario Superior Court of Justice answered the question in a brief 9-page summary judgment ruling: “I conclude that there is no tort of invasion of privacy in Ontario.”

Flight Attendant Union Applauds Announcement of New TSA Alternate Screening Program

From PRNewswire:
The Association of Flight Attendants-CWA (AFA) today issued support of the Transportation Security Administration's (TSA) new program that will promote an alternate screening of crewmembers. The new program, sponsored by the Air Line Pilots Association (ALPA) and the Air Transport Association (ATA), will begin testing later this year.

'As first responders, Flight Attendants hold a primary stake and are the last line of defense in aviation security. AFA is proud to partner with ALPA, ATA and TSA on an alternate screening program for crewmembers,' said Veda Shook, AFA International President. 'We look forward to being a key partner in the advancement of this alternate screening system. This program will highlight the importance of all crewmembers working as a security team for the safety of the crew and the traveling public.'

The program, as proposed by ALPA and ATA, includes Flight Attendants after initial testing. Alternate screening identifies authorized and trusted crewmembers at security screening checkpoints. The process, which Congress intended for all crewmembers in 2007, utilizes security screening clearances which are a condition of employment for aviation employees.

New Study Says TSA Full-Body Scanner Radiation Exposure 'Trivial'

From the WSJ Middle Seat Terminal blog:
A new study published in the Archives of Internal Medicine says that regular exposure to full-body scan airport X-ray screening doses does not appear to pose a significant radiation threat. It would take about 4,000 trips through the scanner to equal the radiation of one mammogram, the report said.

“Based on what is known about the scanners, passengers should not fear going through the scans for health reasons, as the risks are truly trivial,” Pratik Mehta of the University of California, Berkeley, and Rebecca Smith-Bindman of the University of California, San Francisco, wrote.

CO Supreme Court Rules for Defendant's Right to Privacy of iPhone

From HuffPost Denver:
The (Colorado) Supreme Court sided Monday with a man whose iPhone was snooped through by an Aspen police officer that led to search warrants based on the evidence retrieved during that illegal search.

Although the high court refused to address the Fourth Amendment directly, it was a victory for David Shutter, 32, of Aspen, who inadvertently locked his phone in a public bathroom. Shutter was told by the store clerk to come back later, but officer Matt Burg got there first.

After the officer answered the phone several times, and began scrolling deep into the text history, incriminating messages were used to issue search warrants for Mr. Shutter and his mother's homes. Drugs, drug paraphernalia and other damning evidence found during these searches led to multiple felony charges.

Federal judge in Twitter/Wikileaks case rules that consumers read privacy policies

From slight paranoia:
Earlier this afternoon, a federal magistrate judge issued an order in the much-hyped Twitter/Wikileaks case. While I will leave it to others in the media to analyze the order and its impact, I do want to focus on one specific issue.

The three individuals who objected to having their Twitter account records obtained by the government (referred to in the order as the petitioners) raised an interesting 4th amendment claim regarding their IP address information. Building on recent developments in the area of location privacy (where the 3rd circuit ruled that consumers do not knowingly transmit their location information to phone companies, because they generally don't understand the technical details of how phones work), the individuals here claimed that they didn't realize that they were conveying their IP addresses to Twitter, and thus maintained a privacy interest in this information.

Contracts and 'Reasonable Expectations of Privacy'

From Cato @ Liberty:
Chris Soghoian looks at a recent ruling related to the ongoing investigation of Wikileaks, in which a judge rejected a challenge from several users whose Twitter account information had been obtained by the government. Thanks to a shortsighted Supreme Court ruling from the 1970s, people are presumed to waive their 'reasonable expectation of privacy' in data voluntarily conveyed to third parties, which means many types of sensitive records can routinely be obtained by the government without the need for a full-blown Fourth Amendment search warrant based on probable cause. In some cases, a mere subpoena, or even a government agency's certification that the records are 'relevant' to an investigation, will suffice.

Former Duke Lacrosse Players Can Continue Suit, Judge Says

From SFGate:
Three former Duke University lacrosse players, falsely accused of rape in a case that cost a district attorney his law license, can move forward with part of their claims against the former prosecutor and the city of Durham, North Carolina, a judge ruled.

U.S. District Judge James A. Beaty Jr., in a ruling today, refused to dismiss the former students' claims that their constitutional rights were violated through malicious prosecution, concealment of evidence and fabrication of false evidence. The judge dismissed their separate conspiracy claim and their intentional infliction of emotional distress claim.

'The intentional use of false or misleading evidence before a grand jury to obtain an indictment and arrest without probable cause is exactly the type of unreasonable search and seizure that the Fourth Amendment was designed to protect against,' the judge said.