snooping

Latest

  • RIM reported to have agreed to snooping deal with India, says 'no way!'

    by Vlad Savov
    08.03.2010

    Reports out of India this morning claim that RIM has agreed a deal with the local government to permit its security agencies to "monitor" email and messaging done on BlackBerry devices. There's even a roadmap for this snooperiffic rollout, as all consumer email is expected to be opened up within 15 days and tools are being developed over the next six to eight months to allow chat surveillance as well. A very detailed report indeed, but the IDG News service reports RIM has rubbished the entire thing, stating it's in a continuing dialog with the Indian government and discussions remain confidential. Then again, we'd expect RIM to keep up the facade as long as possible, considering the likely domino effect a capitulation in India would have in nearby states that have similar security concerns. In the meantime, Nokia has meekly announced it'll be complying with the Indian government's rules for push mail and is "installing the required infrastructure." For more on that and the BlackBerry saga, hit the source links below.

  • BlackBerry email, web and messaging to be banned in UAE due to 'security concerns'

    by Vlad Savov
    08.01.2010

    Looks like those regulators over in the Middle East don't mess about. Following this week's revelation that the United Arab Emirates' telco overseers weren't happy with being unable to monitor how people were using their BlackBerrys, today we're hearing what their solution to the problem will be: an outright ban. Internet access, email and instant messaging on RIM devices will be blocked in the UAE starting this October -- provided, of course, that the Canadian phone maker doesn't do something in the meantime to appease the authorities. Saudi Arabia is similarly peeved with the BBM service, which it intends to shut down later this month. And just in case you were wondering why all this drama is taking place, the BBC cites a Saudi Telecom board member as admitting it's designed to pressure RIM into releasing users' communication data "when needed." Charming.

  • Apple responds to congressional inquiry, details location data collection in 13-page letter

    by Sean Hollister
    07.20.2010

    When Apple's latest privacy policy revealed the company could track any iPhone's location in real time, it threw some for a loop... including a pair of gentlemen from the US House of Representatives, who asked what Cupertino was up to. In a thirteen-page letter dated July 12, Apple's legal counsel explains the whole matter away, while giving us a fascinating look into how the company collects -- and justifies collecting -- all that GPS data. Legally the defense is simple, as Apple claims users grant express permission via pop-up messages for every single location-based service and app, and if you don't care to be tracked, you can simply shut down location services globally or (in iOS 4) on a per-app basis in the phone's settings panel. Where it gets more interesting is when Apple explains what it actually collects, and who they share it with -- namely, Google and Skyhook, who provided location services to earlier versions of the operating system. In iOS 3.2 and beyond, only Apple has the keys to the database, and what's inside are locations of cell towers, WiFi access points, and anonymous GPS coordinates. None of these are personally identifying, as the company doesn't collect SSIDs or any data, and in the case of device coordinates they're reportedly collected and sent in encrypted batches only once every 12 hours, using a random ID generated by the phone every 24 hours that apparently can't be linked back to the device. In the case of iAd, Apple says coordinates don't even make it to a database, as they're immediately converted (by remote server) to an advertising-friendly five-digit zip code. Concerning location data collection for services other than iAd, there's still the little question of why, but we'll just leave you with Apple legal's quote on that subject after the break, and let you hit up the full document yourself at Scribd if you want the deep dive.

  • Google to disclose WiFi snooping data to regulators amid allegations it was collected intentionally

    by Vlad Savov
    06.04.2010

    And the mess gets messier. A class action lawsuit filed against Google in Oregon has now been enriched with the allegation that Google willfully collected personal data with its Street View cars, rather than doing so accidentally, as it claims. It's a bold accusation, whose primary basis is a patent application, filed by Google in November 2008, for a "computer-implemented method of estimating the location of a wireless device." A subsidiary claim references the "obtaining [of] one or more packets of data transmitted" from one wireless device to another to help estimate accuracy of location results. That's the supposedly damning verbiage that shows Google intentionally created WiFi-snooping software, and it's also what's being relied on to show that Mountain View couldn't have been ignorant of the data collection going on. Yes, it's quite a stretch, but that's what lawyers are for: mental gymnastics. Over in Europe, Google is doing its best to placate local regulators, some of whom are contemplating criminal charges against the multinational company, by agreeing to hand over all data that was collected by its vehicles. France, Germany and Spain will be first to peruse the info, though presumably there'll be an open door to other nosy governments as well. Doesn't that strike you as weird -- having your private data protected by letting a bunch more people look at it?

  • EU Written Declaration 29 wants you to think of the children, hand over all your search results

    by Vlad Savov
    06.03.2010

    Oh boy, the EU's back on the crusade path again. This time, the Brussels brain trust has decided it will end pedophilia, child pornography, and other miscreant activities by simply and easily recording everyone's search results. Because, as we all know, Google searches are the central cog by which the seedy underworld operates. Here's how Declaration 29 sees it: "Asks the Council and the Commission to implement Directive 2006/24/EC and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively." Directive 2006/24/EC is also known as the Data Retention Directive, and permits (nay, compels) states to keep track of all electronic communications, including phone calls, emails and browsing sessions. Describing the stupefying invasion of privacy that its expansion represents as an "early warning system," the European Parliament is currently collecting signatures from MEPs and is nearing the majority it requires to adopt the Declaration. Guess when Google does it, it's a horrible infraction of human rights, but when the EU does it, it's some noble life-saving endeavor. Unsurprisingly, not everyone is convinced that sifting through people's search results will produce concrete crime-reducing results, and Swedish Pirate Party MEP Christian Engstrom puts together a very good explanation of what Written Declaration 29 entails and why it's such a bad idea. Give it a read, won't ya?

  • KDDI concocts snooping mobile phones, line managers rub hands with glee

    by Vlad Savov
    03.10.2010

    Sci-fi movies often present us with omniscient villains who are able to track the most minute actions of their underlings and foes. Rarely do we get a glimpse into their surveillance systems, but you have to imagine that some of the more rudimentary "employee evaluation" hardware will not be too far off from KDDI's latest. The Japanese cellphone giant has unveiled a new system, built around accelerometers, that can detect the difference between a cleaner scrubbing or sweeping a floor and merely walking along it. Based on new analytical software, stored remotely, this should provide not only accurate positional information about workers, but also a detailed breakdown of their activities. The benefits touted include "central monitoring," "salesforce optimisation," and improvements in employee efficiency. We're guessing privacy concerns were filed away in a collateral damage folder somewhere.

  • 3G GSM encryption cracked in less than two hours

    by Richard Lai
    01.15.2010

    Looks like all that GSM code-cracking is progressing faster than we thought. Soon after the discovery of the 64-bit A5/1 GSM encryption flaw last month, the geniuses at Israel's Weizmann Institute of Science went ahead and cracked the KASUMI system -- a 128-bit A5/3 algorithm implemented across 3G networks -- in less than two hours. If you must know, the method applied is dubbed a 'related-key sandwich attack,' in which multiple values of known differentials are processed through the first seven rounds of KASUMI; then, using the resulting quartets that are identified as sharing key differences, subkey material can be obtained in round eight to build up the 128-bit key. Sure, it's hardly snooping-on-the-go at this speed, but worryingly this was only an 'unoptimized implementation... on a single PC.' At the same time, the paper condemns the presumably red-faced GSM Association for moving from MISTY -- a more computationally-expensive but much stronger predecessor algorithm -- to KASUMI. Guess we'll just have to stick with Skype.

  • GSM call encryption code cracked, published for the whole world to see

    by Vlad Savov
    12.29.2009

    Did you know that the vast majority of calls carried out on the 3.5 billion GSM connections in the world today are protected by a 21-year-old 64-bit encryption algorithm? You should now, given that the A5/1 privacy algorithm, devised in 1988, has been deciphered by German computer engineer Karsten Nohl and published as a torrent for fellow code-cracking enthusiasts and less benevolent forces to exploit. Worryingly, Karsten and his crew of merry men obtained the binary codes by simple brute force -- they fed enough random strings of numbers in to effectively guess the password. The GSM Association -- which has had a 128-bit A5/3 key available since 2007, but found little takeup from operators -- has responded by having a whinge about Mr. Nohl's intentions and stating that operators could just modify the existing code to re-secure their networks. Right, only a modified 64-bit code is just as vulnerable to cracking as the one that just got cracked. It's important to note that simply having the code is not in itself enough to eavesdrop on a call, as the cracker would be faced with just a vast stream of digital communications -- but Karsten comes back to reassure us that intercepting software is already available in customizable open source varieties. So don't be like Tiger, keep your truly private conversations off the airwaves, at least for a while.

  • RIM allows Indian government to monitor BlackBerry network

    by Nilay Patel
    05.22.2008

    Well, it took longer than 15 days to reach a resolution, but apparently RIM is going to back down and allow the Indian government to monitor the BlackBerry network in that country. What's worse, it appears that RIM was more interested in covering its own ass than protecting user data during the negotiations: the only concession the company received from the Indian government was a promise that it won't be held liable if there's a leak of users' personal information. Yeah, that ought to provide a sparkling incentive to keep things safe. There's no word on when monitoring might begin, but we've got a feeling privacy-loving Indians might suddenly be in the market for a new smartphone. [Thanks, Rishab J.]

  • Judge limits New York police surveillance practices

    by Darren Murph
    02.19.2007

    Sure, we're all well aware that surveillance practices have been ratcheted up a notch or two since six or so years ago, but a judge in Manhattan has recently rebutted his own go-ahead from four years back to give the NYPD "greater authority to investigate political, social and religious groups." The most recent ruling states that by "videotaping people who were exercising their right to free speech and breaking no laws," the cops had ignored the milder limits he had imposed on it in 2003, seemingly squirming out from under his own misjudgments and placing the blame elsewhere. Nevertheless, he was clear that the voyeuristic limits only applied at events where people gather to exercise their rights under the First Amendment, while bridges, tunnels, airports, subways, and street traffic points could maintain their current level of surveillance -- and we thought this would mean those lamppost cameras couldn't pick us off whilst crossing the street with our iPod jamming. [Via BoingBoing]