Nice Infographic Demonstrating the Perils of Internet Privacy
Abine, maker of online privacy tools, has created a nice infographic showing how privacy is lost online and what can be done about it. It is a good chart to look at in light of the White House’s proposed “privacy bill of rights.” The chart is long and may be found at: http://abine.com/wordpress/wp-content/uploads/2012/02/abine_infographic.jpg. Before I reproduce it below, I would point out that the key feature is the three grey boxes towards the bottom, where three of the harms that can arise from loss of Internet privacy are described. These three harms (unknown parties creating dossiers on you that can affect things such as your ability to obtain credit, a narrowing of the Internet to just what others perceive to be your interests, and the opportunity for identity theft) are good examples of why individuals who use the Internet and companies who collect data should not be cavalier about privacy. The Internet is a large, complex place and having tools guide you to what you find interesting can be helpful. But they can’t be limiting tools or flawed tools. The Fair Information Privacy Practices that form the basis of the “privacy bill of rights” promote the transparency and control needed to assist providers and users of consumer data in limiting the harms described in Abine’s three gray boxes. Here’s the infographic:
Credit Card Technology Advances Increase Privacy Risk
The use of RFIDs in credit cards, also known as contactless credit cards (such as Discover’s Zip, American Express’ ExpressPay or MasterCard’s PayPass), makes purchasing easier and provides a different type of credit card security. However, it has also enabled an easy means for others to swipe your credit card information. The security community has voiced this concern for a while. Security researcher Kristin Paget took the stage at the Shmoocon hacker convention to demonstrate how easily it can be done.
Using an RFID credit card reader she bought on eBay for $50, Kristin had volunteers from the audience come up and let her read the credit card number, expiration date and CVV number without their having to take the card out of their wallet, or even their wallet out of their coat or back pocket. She then used a $300 card-magnetizing tool to encode that data onto a blank card. For a finale, she used an iPhone attachment to swipe the newly created counterfeit credit card and pay herself $15 of the volunteer’s money. To avoid hard feelings and stave off any lawsuit, she gave each of the volunteers a twenty dollar bill in return for the $15 she charged to their account.
Contactless credit cards provide somewhat greater security than regular credit cards through the use of a one-time CVV code. This means that someone would have to repeatedly steal the data from the credit card in order to conduct more than one transaction. This makes Paget’s trick of limited use to a credit card thief looking to exploit one credit card. However, it does work for a credit card thief working through a crowd.
You can protect against this type of theft either by not using contactless credit cards or by microwaving the card (about 3 seconds should do). Keeping the card in a metal mesh wallet also provides some protection.
For Forbes’ account of the demonstration see: http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/
Court Order to Turn Over Unencrypted Files not the Same as Order to Turn Over Password (Fricosu Revisited)
In my first post of this year I commented on U.S. v. Ramona Camelia Fricosu, in which it was widely reported the government was trying to compel the Defendant to turn over the password to an encrypted hard drive found on a computer in her home. See: http://simonkraussprivacyeye.com/2012/01/08/should-a-defendant-be-compelled-to-provide-prosecutor-with-password/
I, and others, believed the court would not allow the government to compel the Defendant to turn over the password, as the 5th Amendment protects against compelling a Defendant to self-incriminate, and turning over a password shows control over the encrypted hard drive and any incriminating information on it. Basically, the Defendant does not have to disclose something in their mind that is self-incriminating. For example, another court found that a Defendant did not have to turn over the combination to a safe.
This past week, the judge made his decision. Contrary to what others may report, in the Fricosu case Judge Blackburn did not order Ms. Fricosu to disclose the password to the computer found in her home. He did order her to turn over the unencrypted files. While the result is the same, in that the government gets to see the unencrypted files, there is a difference between having the government compel the disclosure of a password as opposed to the unencrypted hard drive.
It helps to know some key facts. First, the government had a lawfully acquired phone surveillance tape of a conversation between Ms. Fricosu and her ex-husband in which they acknowledge that the computer is hers. Second, the encrypted file on the computer was called “WORKGROUP Ramona”, which the government demonstrated would be the name the computer would automatically assign the file based on who owned the computer. Lastly, the government had offered Ms. Fricosu immunity for her testimony.
Previous case law has established that the government can compel a defendant to turn over something that the government lawfully knows exists (as opposed to the government knowing about something based on unlawful acts). In this case, the government knew the file existed and that it was under Ms. Fricosu’s ownership and control. The government also presented detailed evidence which convinced Judge Blackburn that no one else had named the file “Ramona” and that the computer had not been moved during the search of her home.
From the judge’s perspective, by a preponderance of the evidence, the government knew it was Ms. Fricosu’s computer and that she had created the file. In addition, the government could not use any of the contents of the encrypted hard drive in any prosecution of Ms. Fricosu. Therefore, there was nothing incriminating in having Ms. Fricosu turn over the unencrypted file to the government. Unlike a password, the file was not in Ms. Fricosu’s mind and, in any event, whatever was in the file couldn’t be used against her.
The case may have come out differently with a different set of facts. I am left wondering about one point that was apparently not argued (or at least not addressed in the Order): Ms. Fricosu is ordered to produce something that does not exist. There was no unencrypted file until Ms. Fricosu was ordered to create it.
A copy of Judge Blackburn’s order may be found at: http://www.wired.com/images_blogs/threatlevel/2012/01/decrypt.pdf
Zip Codes are Personal Identification in Massachusetts, but not Like Zip Codes are Personal Identification in California
What a difference a state statute makes. It was about a year ago that the California Supreme Court, in Pineda v. Williams-Sonoma, found that a zip code is personal identification information and, therefore, California businesses cannot request and record them. The Court interpreted California’s Song-Beverly Credit Card Act, which prohibits California stores receiving credit cards from requiring and recording personal identification.
The Court found that a zip code is personal identification information since the Act identified personal identification information as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.” Since a zip code is part of an address, the Court determined that a zip code is personal information.
The Massachusetts Court, in Tyler v. Michaels Stores, Inc., interpreted a law with much the same language, that a business that accepts credit cards cannot collect personal identification. The Massachusetts law states that, “Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.” No surprise the Massachusetts court found that zip codes are personal identification just as the California court did.
So, who cares? Insurance companies care. A violation of the Song-Beverly Credit Card Act results in automatic penalties of up to $250 for the first violation and $1000 for each subsequent violation. The Massachusetts law requires the plaintiff to show actual damages, which the Massachusetts plaintiff could not show. It is reported that there were many California class action suits after the Court’s decision in Pineda v. Williams-Sonoma. The outcomes of these two cases demonstrate how privacy liability risks can differ between states, a headache for multi-state businesses and their insurers.
No surprise that there are lots of jobs for privacy professionals.
The ruling in Pineda v. Williams-Sonoma may be found at: http://www.scribd.com/doc/48602246/Pineda-v-Williams-Sonoma-S178241-Cal-Supreme-Court-Feb-10-2011
The ruling in Tyler v. Michaels Stores, Inc. may be found at: http://www.scribd.com/doc/77818868/Tyler-v-Michaels-Stores-11-10920-WGY-D-mass-Jan-6-2012
Upromise (a business name with “promise” in it always sounds like trouble — why didn’t they just call it “Ends in Tears”?) is an online college savings program that just settled an FTC complaint.
Upromise users save money for college through purchases made through participating merchants. Kind of a nice idea: you, your parents and anyone else who wants to help out sign up at Upromise and then, so long as purchases are made through the approximately 800 participating merchants, the merchants give money back to a user’s college savings program.
Where Upromise ran afoul of the FTC is that Upromise users, unless they unchecked a box at sign up, downloaded a “TurboSaver Toolbar” that is supposed to identify Upromise partner companies. The toolbar also had a personalization feature that, when enabled, allowed Upromise to collect information about the user to better tailor college savings opportunities.
However, when you enabled the personalization features, Upromise collected everything: search terms, where you went on the Web, what you clicked, passwords, credit card numbers — along with expiration dates and security codes, and social security numbers. Your total privacy nightmare.
This was contrary to the Upromise privacy statement which told you that filters were in place to prevent collection of financial data, such data would be collected “infrequently” and any data Upromise collected was sent encrypted. What actually happened was that everything was collected all of the time and sent unencrypted. Why did Upromise lie in its privacy statement?
While I don’t know what actually happened, I bet Upromise did not intentionally mislead anyone. If that were the case they could have at least drafted a more devious privacy statement. My guess is that there was a disconnect between people who drafted the privacy statement and people who developed the software.
I can see it now: the person who drafted the privacy statement asked the head of the software development team, “you have protections in place so financial data isn’t unintentionally collected — right?” and the response was “Absolutely.” What was missing was an investigation as to how the privacy features, such as the financial filters, were supposed to work. While Upromise’s filters would not collect any data from a field marked “PIN”, they happily passed along data from fields marked “security code” or “personal I.D.” So while the head of software development might have thought adequate filters were in place, there was no auditing of the filters against what the Upromise privacy statement said.
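The failure described above is easy to reproduce and, more usefully, easy to test for. The following is an added example (not Upromise’s code, and not taken from the FTC complaint) that puts a filter which only drops a field literally named “PIN” beside a layered filter that looks at the field name, the input type and the shape of the value, and then audits both against a constructed set of form submissions labelled with what the privacy statement promises will never be collected. All URLs, field names and values are made up for the example.

```python
"""Audit a form-data collection filter against the promises in a privacy statement."""
import re

# Constructed form submissions (URLs, names and values are made up). The last
# element of each field is the ground truth: does the privacy statement
# forbid collecting this field? That label is what the audit checks against.
SAMPLE_FORMS = [
    {"url": "https://shop.example/checkout", "fields": [
        ("name", "text", "A. Person", False),
        ("card_number", "text", "4111111111111111", True),
        ("security code", "text", "123", True),
        ("PIN", "text", "4321", True)]},
    {"url": "https://bank.example/login", "fields": [
        ("user", "text", "aperson", False),
        ("passwd", "password", "hunter2", True)]},
    {"url": "https://forms.example/apply", "fields": [
        ("Personal I.D.", "text", "123-45-6789", True),
        ("favorite_color", "text", "blue", False)]},
]


def naive_filter(form):
    """The failure mode from the post: only a field literally named 'PIN' is
    dropped, so 'security code' and 'Personal I.D.' pass straight through."""
    return {name: value for name, _, value, _ in form["fields"] if name != "PIN"}


# Words that mark a field as credential or financial data regardless of exact spelling.
SENSITIVE_WORDS = {"pin", "password", "passwd", "pass", "cvv", "cvc", "security",
                   "ssn", "social", "card", "account", "id", "routing"}
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def luhn_ok(digits):
    """Luhn checksum: True for a well-formed payment card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_sensitive(name, input_type, value):
    """Layered check: input type, normalised field-name words, then value shape."""
    if input_type == "password":
        return True
    # "Personal I.D." -> "personal id" -> {"personal", "id"}
    words = set(re.sub(r"[^a-z0-9]+", " ", name.lower().replace(".", "")).split())
    if words & SENSITIVE_WORDS:
        return True
    compact = value.replace(" ", "").replace("-", "")
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact):
        return True
    return bool(SSN_RE.match(value))


def hardened_filter(form):
    """Drop anything that looks sensitive by name, type or value; when in doubt, drop."""
    return {name: value for name, itype, value, _ in form["fields"]
            if not looks_sensitive(name, itype, value)}


def audit(filter_fn, forms=SAMPLE_FORMS):
    """Run a filter over the labelled forms and return every (url, field) pair
    that the privacy statement forbids but the filter collected anyway."""
    leaked = []
    for form in forms:
        collected = filter_fn(form)
        for name, _, _, forbidden in form["fields"]:
            if forbidden and name in collected:
                leaked.append((form["url"], name))
    return leaked


if __name__ == "__main__":
    for fn in (naive_filter, hardened_filter):
        print(f"{fn.__name__}: leaked {audit(fn)}")
```

The audit is the piece that was missing in the story above: it ties the filter to the statement rather than to the developer’s belief about the filter. A keyword blocklist will still miss labels nobody has seen yet, so the labelled sample set should grow whenever a new leak is found or the privacy statement changes, and the audit should run as part of every release.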
Historically, software developers have lived in the world of “good enough.” A long time ago, there was an email going round about what would happen if Microsoft built cars. You would drive, then the car would suddenly stop and need to be rebooted; you may get an error message when you tried to use your windshield wipers while the radio was playing — that sort of thing. Outside of critical operations, like nuclear power plants, it is perfectly acceptable for software to be far less reliable than just about anything else we use. In fact, it is a standard provision in most software licenses that the software is not to be used in critical operations, like nuclear power plants.
The actions of the FTC may make privacy the new critical operation, the “nuclear power plant” of any business. Privacy related software will need to work flawlessly and be audited against what is in the privacy statement. That’s the hope, anyway.
The FTC’s page on Upromise is available at: http://www.ftc.gov/os/caselist/1023116/index.shtm
Should a Defendant be Compelled to Provide Prosecutor with Password to Encrypted Data?
While a Pennsylvania court, finding that there is no expectation of privacy in Facebook postings, forced a defendant to turn over the password to her Facebook account (see blog post of November 27, 2011), a Colorado federal court is taking on the bigger question of whether a defendant can be compelled to produce to a federal prosecutor the password to decrypt information on a laptop.
In U.S. v. Ramona Camelia Fricosu, in which the defendant is charged with real estate fraud, the government wants the key to decrypt information on a laptop found in the defendant’s home. The home was shared with a co-defendant so it is not necessarily clear who owned/controlled the laptop. The Electronic Freedom Foundation, in an amicus brief, argues that having Ms. Fricosu disclose the password or even use the password to access the data on behalf of the government is in violation of the defendant’s Fifth Amendment right against self-incrimination since, if the password works, it could be used to show the defendant had ownership and control of the laptop.
The Supreme Court has ruled that the Fifth Amendment protection protects the content of a defendant’s mind, so that while a defendant may be compelled to turn over the physical key to a safe the defendant cannot be compelled to turn over the combination to a safe. The Government argues that it already has a search warrant for the laptop so that all they are asking Ms. Fricosu to do is equivalent to unlocking the safe. The Government need not even know the actual password. The government also argues that if Ms. Fricosu need not turn over the password then really bad guys (e.g. terrorists and child pornographers) will have a means of frustrating prosecution (just like those other darn Constitutional protections).
Although this is a complex case, and I am sympathetic to the government’s frustration over having to try to decrypt the laptop, my money is with the defendant on this one. The password for the encrypted computer file is exactly like the combination for a safe — it is contained in the defendant’s head and is not a physical thing. Certainly, having the defendant disclose the password would show ownership and control of the laptop. Judge Blackburn is expected to rule on this issue shortly.
When is Privacy Violated?
The rapid pace of technology developments continually raises questions as to what is “privacy” and when is it “violated”? The ability to identify privacy violations will likely be a moving target, but a court in Iowa has made one contribution, at least with regards to the “unreasonable intrusion upon the seclusion of another” prong of an invasion of privacy tort.
In a bizarre case, an insurance agent, apparently investigating a female employee whose performance had deteriorated, placed a camera in the company’s unisex bathroom. This was after a camera hidden in the reception area had shown nothing, and after the agent found a hypodermic needle in the employee parking lot. The employee and another female employee found the bathroom camera and called the police.
The agent was acquitted of criminal charges, presumably because he could demonstrate that the camera didn’t work and he captured no footage, so there was nothing for him to view. This is the defense that got the invasion of privacy civil case thrown out of district court. However, upon appeal to the Iowa Supreme Court, the court found that the test for invasion of privacy was not whether the camera worked and the footage was viewed but whether or not a reasonable person could believe that their privacy was invaded.
The court was specifically interested in the use of electronic devices in invasion of privacy cases. In its review of electronic devices and invasion of privacy history, the court noted that the tort is based upon the shame and indignity that occurs when there is intrusion onto a person’s isolation and personal control. The court noted that it is the intrusion itself that is the tort, not the type of information shared or whether any information had been shared at all.
In this instance, the fact that the camera was capable of working, and had worked in the past from a different location, was sufficient for the women to continue with their civil suits. The court also ruled that “the act of intrusion is complete once it is discovered … because acquisition of information is not a requirement.” However, while this may be the law in Ohio, other states, such as North Dakota, Oregon and Pennsylvania, require that there be an actual collection of something, such as a recorded conversation, before there could be a finding of an intrusion upon a right to privacy.
It will be interesting to see if cases such as this will have an impact on privacy on the Internet.
The Court ruling can be found at: http://www.iowacourts.gov/Supreme_Court/Recent_Opinions/20111223/08-1927.pdf
Privacy Issues in Medical Apps
Much of the focus on privacy and apps has been on the unknowing collection of location information. Medical apps, while useful to patients, for example by providing medication reminders and tracking prescriptions, have their own set of privacy concerns.
Unless the app provider is a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) there is a likelihood that the information you provide to the app, as well as any information the app collects on its own, will be sold. HIPAA covered entities include health care providers, health care clearinghouses and health care plans. Application developers, even if they are providing medical apps, are not HIPAA covered entities.
HIPAA covered entities are subject to stringent laws governing how your health data is secured and disclosed. Since app developers are not covered entities, there is no clear law as to how the information the apps collect about you is secured or how the application developer, or anyone else, may use it.
In some ways, this is similar to the privacy issues that arise when you use your credit card to purchase your prescriptions from your pharmacist. While the pharmacy is a HIPAA covered entity, your privacy protections with the credit card company are governed by the Gramm-Leach-Bliley Act (GLB). GLB allows the disclosure of your transaction information among all of the credit card company’s “affiliated entities.” So, while the pharmacy can’t leverage your health care information, your credit card provider can.
While medical apps may be very useful, with regards to privacy they should be used at your own risk.
CarrierIQ — The Latest Defining Privacy Moment
CarrierIQ is a company that exists deep in the plumbing of telecommunications. Its business is to license software to mobile phone companies that is installed on your phone to assist the phone companies in understanding the performance of their phones and network. CarrierIQ claims it is used in over 141 million phones, with a new phone added about every second (there is a rolling count on its homepage: http://www.carrieriq.com/).
On November 16, a researcher, Trevor Eckhart, reviewed CarrierIQ manuals and claimed that CarrierIQ software was capturing:
the manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device. … When a user browses a webpage, HTTP header information can be grabbed along with detailed information on the page, or CarrierIQ can log keypresses made on what webpage. When location is changed the phone can report in. When a call is placed or data is started any metrics can be queried (see: http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/).
This posting was alarming and the news travelled fairly quickly creating more bad news as it spread. Professor Paul Ohm, a noted privacy scholar, opined that it appeared CarrierIQ was violating wiretap statutes (see: http://www.informationweek.com/news/security/privacy/232200565), CarrierIQ received a letter from Senator Al Franken (see: http://franken.senate.gov/?p=press_release&id=1868), and then the inevitable class action lawsuits: (see: http://www.forbes.com/sites/andygreenberg/2011/12/02/and-now-the-lawsuits-class-actions-hit-carrier-iq-htc-and-samsung/).
CarrierIQ first tried to silence Mr. Eckhart with a cease and desist letter (those always go over well . . .) but backed off after the Electronic Freedom Foundation stepped in to Mr. Eckhart’s defense. Last Thursday, CarrierIQ tried a different tactic. It issued a defense, stating:
“. . . While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video. For example, we understand whether an SMS was sent accurately, but do not record or transmit the content of the SMS. We know which applications are draining your battery, but do not capture the screen . . .” (see: http://www.carrieriq.com/CIQ_Press_Statement_DEC_1_11.pdf)
CarrierIQ also hired several independent researchers who found that CarrierIQ was not capturing keystroke information and transmitting it back to the carriers, but was reporting software used and URLs visited (see CNET’s Declan McCullagh’s article at: http://news.cnet.com/8301-31921_3-57335715-281/how-carrier-iq-was-wrongly-accused-of-keylogging/?tag=mncol%3btxt).
The comments following the CNET article are telling in that you have numerous people claiming technical knowledge disagreeing with each other as to what is going on with the CarrierIQ programming and what may or may not be collected or even transmitted. It seems the technical questions around CarrierIQ are still foggy.
As to what CarrierIQ may be doing, in its webpages CarrierIQ states the following:
- It is a tool, an agent, for the phone/network providers (that is, it is an extension of each of their phone/network provider customers)
- CarrierIQ, “uses data directly from the mobile phone itself to give a precise view of how users interact with both their phones and the services delivered through them, even if the phone is not communicating with the network.” (see: http://www.carrieriq.com/overview/IQInsightExperienceManager/index.htm)
- CarrierIQ helps the phone/network provider, “Identify exactly how your customers interact with services and which ones they use. See which content they consume, even offline. Identify problems in service delivery, including the inability to connect to the service at all.” (see: http://www.carrieriq.com/overview/IQInsightExperienceManager/index.htm)
From CarrierIQ’s own statements it is clear that they are collecting individual data as to what phone carrier customers are doing with their phones both when they are on and off the network. This raises the question as to why a phone/network provider should need to know about how a subscriber is using the phone off the network. Some of these questions may be answered in the mobile phone provider’s terms of service.
T-Mobile, for example, states, “T-Mobile may retain, use, and share information collected when you download, use, or install some Content & Apps, may update your Content & Apps remotely, or may disable or remove any Content & Apps at any time.” T-Mobile also has me agree that it may use my personal information to “anticipate and resolve actual and potential problems with our products and services; create and improve products and services; suggest additional or different products or services; make internal business decisions about current and future offers; provide personalized service and user experiences. . .” These terms imply use of software such as CarrierIQ.
In the end, the key questions may revolve around what is necessary for a carrier to provide you with services, how transparent must those practices be (similar to some of the issues around network neutrality) and who has what rights to your phone?
