Ad libraries pay for your “free” Android app.  The app retrieves ads from a remote computer (server) and periodically runs the ad on your phone.  Every time the ad runs the app developer gets paid.  

The problem is that the advertisers receive the same permissions as the app.  So the navigating app, which needs to know your location in order to operate, also allows the advertiser to know where you are.  The app the can access call logs and your address book allows the advertiser to also address your call logs and your address book.  Should you care?

Yes, you should care.  While there may be some issue with the allowing the advertiser the same access as the app, after all it is an access which the advertiser does not need, the bigger issue is the security around the access.  Many of the ad libraries have insufficient security when they access your phone.  This gives bad guys a back door into your phone to be able to either collect data or introduce malware to collect all of the data that passes through your phone.  Of the apps studied, 297 allowed ad libraries themselves to download and run code form remote computers, thus heightening your security risk.

The study is located at: http://www.csc.ncsu.edu/faculty/jiang/pubs/WISEC12_ADRISK.pdf

The FCC began investigating this issue in 2010 and concluded its investigation in April, 2012 with the issuance of a “Notice of Liability of Forfeiture.” In the Notice, the FCC cited Google’s slowness and unresponsiveness in responding to FCC inquiries and fined Google $25,000. Google’s revenue for 2011 was $37.9 billion. In a sense, the FCC has set a low price tag for evasiveness and unresponsiveness.

There was no fine for the war driving. The FCC agreed with Google’s argument that the Wiretap Act expressly exempted the interception of radio communications sent in a manner that is readily accessible to the general public. Since the Wi-Fi messages were unencrypted the messages must have been made available to the general public. That would be the “general public” that knows about and how to use packet sniffing technology. This argument is also contrary to the court’s decision in Goodman v. Harding (http://www.leagle.com/xmlResult.aspx?page=2&xmldoc=199982639FSupp2d787_1748.xml&docbase=CSLWAR2-1986-2006&SizeDisp=7) in which the defendant used a police scanner to listen in and record his next door neighbors cordless phone communications.

On the other hand, the class action lawsuit begun in response to Google’s war-driving is still working its way through the courts. Perhaps Google will receive a stronger rebuke through the civil courts than it received from the FCC.

The creation of a privacy-oriented ISP is an interesting idea, much like the creation of a privacy oriented social network (see: http://simonkraussprivacyeye.com/2010/09/28/diaspora-an-attempt-at-a-privacy-oriented-social-network/).  On its website, https://www.calyxinstitute.org/, the Calyx Institute provides some clues as to how it will provide privacy.  First, note the Calyx Institute URL.  Even when visiting the home page the Calyx Institute provides a layer of encryption through the use of SSL or TLS certificates.  This means that when you are at the Calyx Institute web page it would be difficult for someone to eavesdrop the link between you and the web page.

CNET reports that Calyx will provide its users with encryption keys and limit logging.  This will limit the ability for Calyx to respond to law enforcement wiretap orders as, with limited logging, it will have limited information to provide law enforcement.  By providing encryption keys to its users, but not keeping copies of the keys itself, Calyx will not have to decrypt any of its subscribers’ sessions pursuant to CALEA, the Communications Assistance for Law Enforcement Act.  CALEA mandates that a telecommunications provider decrypt the surveillance target’s communications if the telecommunications provider has the keys.

The Calyx Institute’s approach to privacy appears to be, initially, oriented to protecting its subscribers from government surveillance.  It is not clear how the Calyx Institute will shield its subscribers from commercial tracking, such as “Do Not Track.” 

The Calyx Institute does state that it will:

• Promoting ‘best practices’ with regard to privacy and freedom of expression within the telecommunications industry
• Conducting research into privacy technology for the Telecommunications and Internet Provider industries
• Providing a ‘test bed’ environment for the development and deployment of secure voice, data and mobile services
• Legal advocacy and defense

With two law firms on its advisory board, it looks like the Calyx Institute is ready to back up its last bullet point.  For more on Nicholas Merrill and the Calyx Institute: http://news.cnet.com/8301-31921_3-57412225-281/this-internet-provider-pledges-to-put-your-privacy-first-always/

It looks kind of like an air freshener (see the “fressh” sticker?) or a power adapter. It is neither.  The Pwn Plug is a computer packed with hacker software that can be accessed remotely and very covertly to hack into a computer or a network of computers.  Pwn Plug is manufactured with a legitimate purpose.  Security professionals can use Pwn Plug to perform “penetration testing.” Penetration testing is the authorized hacking into a network to identify vulnerabilities.  IT departments can use Pwn Plug to service remote enterprise computers and networks.

However, it is easy to envision a hacker coming to a business claiming that they are conducting an energy audit or are there to work on the electrical system, plugging in a Pwn Plug and walking away.  I wonder if Pwn Plugs would be considered “criminal instruments” under the laws that cover the ownership and use of burglary tools.

If you are looking for a Pwn Plug on your system, don’t just look for the “fressh” sticker.  Pwn Plugs come with a variety of “stealthy decals.”

For more information see: http://pwnieexpress.com/

Using an RFID credit card reader she bought an Ebay for $50, Kristin had volunteers from the audience come up and have her read the credit card number, expiration date and CVV number without their having to take the card out of their wallet or even their wallet out their coat or back pocket.   She then used a $300 card-magnetizing tool to encode that data onto a blank card.  For a finale, shen the used an iPhone attachment to swipe the newly created counterfeit credit card and pay herself $15 of the volunteer’s money.  To avoid hard feelings and stave off any lawsuit she gave each of the volunteers a twenty dollar bill in return for the $15 she charged to their account.

Contactless credit cards provide some greater security than regular credit cards  through the use of a one time only CVV code.   This means that someone would have to repeatedly steal the data from the credit card in order to conduct more than one transaction.  This would make Paget’s trick of limited use to a credit card thief looking to exploit one credit card.  However, it does work for a credit card their working through a crowd.

You can protect against this type of theft either through not using contactless credit cards, microwaving the card (about 3 seconds should do).  Keeping the card in a metal mesh wallet provides some protection.  

For Forbes’ account of the demonstration see: http://www.forbes.com/sites/andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-cards-can-be-read-through-clothes-and-wallets/

I, and others, believed the court would not allow the government to compel the Defendant to turn over the password as the 5th Amendment protects against compelling a Defendant to self-incriminate and turning over a password shows control over the encrypted hard drive and any incriminating information on it.  Basically, the Defendant does not have to disclose something in their mind that is self-incriminating. For example, another court found that a Defendant did not have turn over the combination to a safe.

This past week, the judge made his decision. Contrary to what others may report, In the Fricosu case, Judge Blackburn did order Ms Fricosu to disclose the password to the computer found in her home.  He did order her to turn over the unencrypted files.  While the result is the same, the government gets to see the unencrypted files, there is a difference between having the government compel the disclosure of a password as opposed to the unencrypted hard drive.

First, it helps to know some key facts.  Firstly, the government had a lawfully acquired phone surveillance tape between Ms. Fricosu and her ex-husband in which they acknowledge that the computer is hers.  Second, the encrypted file on the computer was called “WORKGROUP Ramona” which the government demonstrated would be the name the computer would automatically assign the file based on who owned the computer.  Lastly, the government had offered Ms. Fricosu immunity for her testimony.

Previous case law has established that the government can compel a defendant to turn over something that the government lawfully knows exists (as opposed to government knowing about something based on unlawful acts).  In this case, the government knew the file existed and that is was under Ms. Fricosu’s ownership and control.  The government also presented detailed evidence which convinced Judge Blackburn that no one else had just named the file “Ramona” or that the computer had been moved during the search of her home.

From the judge’s perspective, by a preponderance of the evidence, the government knew it was Ms. Fricosu’s computer and the she had created the file.  In addition, the government could not use the fact that Ms. Fricosu decrypted the file as evidence to prosecute Ms. Fricosu in any prosecution.  Therefore, there was nothing incriminating in having Ms. Fricosu turn over to the government the unencryped file.  Unlike a password, the file was not in Ms. Fricosu’s mind and, in any event, whatever was in the file couldn’t be used against her.

The case may have come out differently with a different set of facts.  I am left wondering about, as it was apparently not  argued (or at least addressed in the Order) is that Ms. Fricosu is ordered to produce something that does not exist.  There was no unencrypted file until Ms. Fricosu was ordered to create it.

A copy of Judge Blackburn’s order may be found at: http://www.wired.com/images_blogs/threatlevel/2012/01/decrypt.pdf

The Court found that a zip code is personal identification information since the Act identified personal identification information as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”   Since a zip code is part of an address, the Court determined that a zip code is personal information.

The Massachusetts Court, in Tyler v. Michaels Stores, Inc., interpreted a law with much the same language, that a business that accepts credit cards cannot collect personal identification.  The Massachusetts law states that, “Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.”  No surprise the Massachusetts court found that zip codes are personal identification just as the California court did.

So, who cares? Insurance companies care.  A violation of the Song-Beverly Credit Card results in automatic penalties of up to $250 for the first violation and $1000 for each subsequent violation.   The Massachusetts law requires the plaintiff to show actual damages, which the Massachusetts plaintiff could not show.  It is reported that there were many California class action suits after Court’s decision in Pineda v. Williams-Sonoma.  The outcomes of these two cases demonstrates how privacy liability risks can differ between states – headache for multi-state businesses and their insurers.

No surprise that there are lots of jobs for privacy professionals.

 The ruling in Pineda v. Williams-Sonoma may be found at: http://www.scribd.com/doc/48602246/Pineda-v-Williams-Sonoma-S178241-Cal-Supreme-Court-Feb-10-2011

 The ruling in Tyler v. Michaels Stores, Inc.   may be found at: http://www.scribd.com/doc/77818868/Tyler-v-Michaels-Stores-11-10920-WGY-D-mass-Jan-6-2012