Tag Facebook

The year 2019 has been setting the scene on the cyber-geopolitical scene for the 2020s. Here’s a nice sum up.

And on the personal front the best defense is to keep yourself informed – Watch out for fake news and facts-check everything you read especially anything that seems too perfectly outrageous.

This is really terrific news for the privacy conscious and open source community – Mozilla is joining the Matrix, the new protocol for open, decentralized, encrypted communication.

The Matrix protocol aims to create a global decentralized encrypted real-time communications network that provides an open platform similar to the Web.

One general (and major) appeal of Matrix is that it works seamlessly between different service providers by supporting what is known as “bridging messages” from different chat applications into the “Matrix rooms”. These bridges currently include popular communications apps like WhatsApp, WeChat, Telegram, Signal, Skype, Facebook Messenger, etc. In laymen’s terms, you can add your favorite communications apps to Matrix for better (and ultimate) privacy protection.

The Matrix community, admittedly still in its infancy but with huge potential, is understandably thrilled in welcoming onboard Mozilla, the “champions of the open web, open standards, not to mention open source”. The Matrix protocol is currently using the “riot.im” interface, which is hindering its appeal to the masses. Hence the introduction of Mozilla will be crucial for its development.

If anyone asks what is the safest way to communicate, or which is the safest communications apps these days – like “Is Telegram still safe?” – the Matrix protocol is probably the answer going forward.

Check out the following Guardian article:

Spies helped build Silicon Valley. Now the tables are turning

David Cameron wants US tech sector companies to do more to fight terrorism. But they’ve grown too powerful to listen

Gordon Corera
Wednesday 29 July 2015

If you want to understand how modern British and American intelligence services operate, you could do worse than visit the new exhibition that opens at Bletchley Park this week. It tells the story of code-breaking in the first world war, which paved the way not just for the better-known success story of world war two, but also GCHQ and the NSA’s modern day bulk interception.

A century ago, just as today, intelligence services and network providers used to enjoy a symbiotic relationship. Britain, for example, exploited its dominance of the telegraph system to spy after its companies had built an imperial web of cables that wrapped itself around the world. Britain’s first offensive act of the conflict was to cut Germany’s own undersea cables and install “secret censors” in British company offices around the world that looked out for enemy communications. A staggering 80m cable messages were subject to “censorship” during the war.

In recent decades the US has enjoyed a similar ability to spy on the world thanks to its role in building the internet – what the NSA called “home field advantage”. This worked via two channels. The first was fibre-optic cables passing through either American or British territory, allowing intelligence agencies to install the modern equivalent of secret censors: computerised black boxes that could filter data to look for emails based on “selectors”. The second channel was Silicon Valley – which had thrived thanks to massive Pentagon and NSA subsidies. People around the world sent their communications and stored their data with American companies, whose business model often involved collecting, analysing and monetising that data. This attracted spies like bears to honey. And so Prism was born – requiring the companies themselves to run selectors across their own data. 45,000 selectors were running in 2012. Put together with cable-tapping, this meant that nearly 90,000 people around the world were being spied on.

Building the internet allowed the US to export its values, import other countries’ information through spying and make a lot of money for American corporations along the way. But the relationships have fractured. The Snowden disclosures were one reason – exposure led tech companies to back away from quiet cooperation and make privacy a selling point (even competing with each other as seen in Apple’s CEO blast against Google recently).

At the same time, Isis’s use of social media has increased the state’s desire to get more from these companies, leading to growing tension. It was notable that David Cameron’s speech on extremism last week singled out tech companies for criticism. When their commercial models are built around tracking our likes and dislikes, why do they say it’s too difficult to help when it comes to the fight against terrorism, the prime minister asked.

A big problem for the spies is that during the first world war the cable companies that helped Britain knew who was boss. Today it is more complex. An angry Mark Zuckerberg of Facebook told President Obama that his administration “blew it” when it tried to defend Prism by saying it was only used to spy on foreigners. After all, most of Facebook and Silicon Valley’s customers are foreigners.

The British government criticised Facebook for not spotting private messages from one of the men who went on to kill Lee Rigby. This is the kind of thing Cameron wants the companies to do more on. But whose job is it to spy? The companies are nervous of signing up to a system in which it is their job to scan their customers’ data and proactively report suspicious content, effectively outsourcing the act of spying (and not just the collection of data) to the private sector. Such a deal, tech companies fear, could set a dangerous precedent: if you help Britain when it comes to national security, what do you do when China or Russia come knocking?

On his first day as director of GCHQ, Robert Hannigan launched a volley against Silicon Valley, accusing it of acting as “command and control” for groups like Isis. But since then, the tone has been more conciliatory. What Hannigan may have realised is that companies have the upper hand, partly because the data is with US companies that are subject to US laws. To avoid the Russia and China issue, they assert their co-operation is voluntary and there is not much the British state can do about it.

It was notable that in his speech, Cameron didn’t threaten new legislation. Why? Because he knows that power relations between governments and corporations have shifted since the first world war: modern tech firms are too big to be pushed around.

If they have a vulnerability, it’s their dependence on customers: verbal volleys from politicians and spies are a sign that the real battleground is now public opinion. Companies are gambling that focusing on privacy will win them the trust of the public, while governments in London and Washington are hoping that talking about terrorism will pressure companies to cooperate more. Who wins this tug of war may depend on events that neither party can control, including the prevalence of terrorist attacks. Whatever the case, the old alliance between Silicon Valley and the spies is no more.

Check out The Daily Dot article below:

Windows 10 can share your Wi-Fi password with your Facebook friends

By Mike Wehner
Jul 3, 2015, 12:28pm CT

If you’ve been using the internet for any considerable amount of time you already know that your password is really never absolutely secure. From hacking incidents to other security breaches, it’s impossible to know that your secret code is indeed always secret, and now Microsoft’s soon to be released Windows 10 is making one of your passwords even less secure by gifting it to your Facebook friends.

Microsoft’s Wi-Fi Sense feature—already in operation on Windows Phones and coming to Windows 10 upon its debut later this year—is aimed at making it easier to share your connection with your friends. To that end, it allows users to effortlessly use each other’s Wi-Fi connections by allowing them to use your password.

The password itself is encrypted and shared automatically once you opt-in, and the list of people who can use it includes your Outlook mail contacts, Skype contacts, and even your Facebook friends.

The idea here is that if you’re at a friends house and you both have Wi-Fi Sense, you can join their network without having to ask for their password. Ideally, such a system will save you from using your wireless data plan as much as possible, thereby saving you a few bucks.

However, there are likely plenty of people on your Facebook or email contact lists that you wouldn’t want browsing from your own internet connection, and that’s where the potential for trouble comes in. Not surprisingly, Microsoft’s own FAQ about Wi-Fi Sense is filled with warnings about connecting to unfamiliar hotspots, as well as sharing your connection with those you don’t trust.

The documentation also notes that you cannot pick and choose individual contacts with which to share your connection. Instead, you’ll only be able to toggle huge groups on or off, like everyone from your Skype list or your entire Facebook friends roster. So, if you don’t trust absolutely everyone you know on Facebook, Skype, or Outlook, it’s probably a good idea to leave this would-be handy little feature unused.

Glenn Greenwald and his colleagues at The Intercept has just released an extensive report on the NSA use of XKEYSCORE. And here’s a video on the same topic:

It’s simple. Whenever Bruce Schneier speaks, listen.

How we sold our souls – and more – to the internet giants

Bruce Schneier
Sunday 17 May 2015 11.00 BST

Last year, when my refrigerator broke, the repair man replaced the computer that controls it. I realised that I had been thinking about the refrigerator backwards: it’s not a refrigerator with a computer, it’s a computer that keeps food cold. Just like that, everything is turning into a computer. Your phone is a computer that makes calls. Your car is a computer with wheels and an engine. Your oven is a computer that cooks lasagne. Your camera is a computer that takes pictures. Even our pets and livestock are now regularly chipped; my cat could be considered a computer that sleeps in the sun all day.

Computers are being embedded into all sort of products that connect to the internet. Nest, which Google purchased last year for more than $3bn, makes an internet-enabled thermostat. You can buy a smart air conditioner that learns your preferences and maximises energy efficiency. Fitness tracking devices, such as Fitbit or Jawbone, collect information about your movements, awake and asleep, and use that to analyse both your exercise and sleep habits. Many medical devices are starting to be internet-enabled, collecting and reporting a variety of biometric data. There are – or will be soon – devices that continually measure our vital signs, moods and brain activity.

This year, we have had two surprising stories of technology monitoring our activity: Samsung televisions that listen to conversations in the room and send them elsewhere for transcription – just in case someone is telling the TV to change the channel – and a Barbie that records your child’s questions and sells them to third parties.

All these computers produce data about what they’re doing and a lot of it is surveillance data. It’s the location of your phone, who you’re talking to and what you’re saying, what you’re searching and writing. It’s your heart rate. Corporations gather, store and analyse this data, often without our knowledge, and typically without our consent. Based on this data, they draw conclusions about us that we might disagree with or object to and that can affect our lives in profound ways. We may not like to admit it, but we are under mass surveillance.

Internet surveillance has evolved into a shockingly extensive, robust and profitable surveillance architecture. You are being tracked pretty much everywhere you go, by many companies and data brokers: 10 different companies on one website, a dozen on another. Facebook tracks you on every site with a Facebook Like button (whether you’re logged in to Facebook or not), while Google tracks you on every site that has a Google Plus g+ button or that uses Google Analytics to monitor its own web traffic.

Most of the companies tracking you have names you’ve never heard of: Rubicon Project, AdSonar, Quantcast, Undertone, Traffic Marketplace. If you want to see who’s tracking you, install one of the browser plug-ins that let you monitor cookies. I guarantee you will be startled. One reporter discovered that 105 different companies tracked his internet use during one 36-hour period. In 2010, the seemingly innocuous site Dictionary.com installed more than 200 tracking cookies on your browser when you visited.

It’s no different on your smartphone. The apps there track you as well. They track your location and sometimes download your address book, calendar, bookmarks and search history. In 2013, the rapper Jay Z and Samsung teamed up to offer people who downloaded an app the ability to hear the new Jay Z album before release. The app required that users give Samsung consent to view all accounts on the phone, track its location and who the user was talking to. The Angry Birds game even collects location data when you’re not playing. It’s less Big Brother and more hundreds of tittletattle little brothers.

Most internet surveillance data is inherently anonymous, but companies are increasingly able to correlate the information gathered with other information that positively identifies us. You identify yourself willingly to lots of internet services. Often you do this with only a username, but increasingly usernames can be tied to your real name. Google tried to enforce this with its “real name policy”, which required users register for Google Plus with their legal names, until it rescinded that policy in 2014. Facebook pretty much demands real names. Whenever you use your credit card number to buy something, your real identity is tied to any cookies set by companies involved in that transaction. And any browsing you do on your smartphone is tied to you as the phone’s owner, although the website might not know it.

Surveillance is the business model of the internet for two primary reasons: people like free and people like convenient. The truth is, though, that people aren’t given much of a choice. It’s either surveillance or nothing and the surveillance is conveniently invisible so you don’t have to think about it. And it’s all possible because laws have failed to keep up with changes in business practices.

In general, privacy is something people tend to undervalue until they don’t have it anymore. Arguments such as “I have nothing to hide” are common, but aren’t really true. People living under constant surveillance quickly realise that privacy isn’t about having something to hide. It’s about individuality and personal autonomy. It’s about being able to decide who to reveal yourself to and under what terms. It’s about being free to be an individual and not having to constantly justify yourself to some overseer.

This tendency to undervalue privacy is exacerbated by companies deliberately making sure that privacy is not salient to users. When you log on to Facebook, you don’t think about how much personal information you’re revealing to the company; you chat with your friends. When you wake up in the morning, you don’t think about how you’re going to allow a bunch of companies to track you throughout the day; you just put your cell phone in your pocket.

But by accepting surveillance-based business models, we hand over even more power to the powerful. Google controls two-thirds of the US search market. Almost three-quarters of all internet users have Facebook accounts. Amazon controls about 30% of the US book market, and 70% of the ebook market. Comcast owns about 25% of the US broadband market. These companies have enormous power and control over us simply because of their economic position.

Our relationship with many of the internet companies we rely on is not a traditional company-customer relationship. That’s primarily because we’re not customers – we’re products those companies sell to their real customers. The companies are analogous to feudal lords and we are their vassals, peasants and – on a bad day – serfs. We are tenant farmers for these companies, working on their land by producing data that they in turn sell for profit.

Yes, it’s a metaphor, but it often really feels like that. Some people have pledged allegiance to Google. They have Gmail accounts, use Google Calendar and Google Docs and have Android phones. Others have pledged similar allegiance to Apple. They have iMacs, iPhones and iPads and let iCloud automatically synchronise and back up everything. Still others let Microsoft do it all. Some of us have pretty much abandoned email altogether for Facebook, Twitter and Instagram. We might prefer one feudal lord to the others. We might distribute our allegiance among several of these companies or studiously avoid a particular one we don’t like. Regardless, it’s becoming increasingly difficult to avoid pledging allegiance to at least one of them.

After all, customers get a lot of value out of having feudal lords. It’s simply easier and safer for someone else to hold our data and manage our devices. We like having someone else take care of our device configurations, software management, and data storage. We like it when we can access our email anywhere, from any computer, and we like it that Facebook just works, from any device, anywhere. We want our calendar entries to appear automatically on all our devices. Cloud storage sites do a better job of backing up our photos and files than we can manage by ourselves; Apple has done a great job of keeping malware out of its iPhone app store. We like automatic security updates and automatic backups; the companies do a better job of protecting our devices than we ever did. And we’re really happy when, after we lose a smartphone and buy a new one, all of our data reappears on it at the push of a button.

In this new world of computing, we’re no longer expected to manage our computing environment. We trust the feudal lords to treat us well and protect us from harm. It’s all a result of two technological trends.

The first is the rise of cloud computing. Basically, our data is no longer stored and processed on our computers. That all happens on servers owned by many different companies. The result is that we no longer control our data. These companies access our data—both content and metadata—for whatever profitable purpose they want. They have carefully crafted terms of service that dictate what sorts of data we can store on their systems, and can delete our entire accounts if they believe we violate them. And they turn our data over to law enforcement without our knowledge or consent. Potentially even worse, our data might be stored on computers in a country whose data protection laws are less than rigorous.

The second trend is the rise of user devices that are managed closely by their vendors: iPhones, iPads, Android phones, Kindles, ChromeBooks, and the like. The result is that we no longer control our computing environment. We have ceded control over what we can see, what we can do, and what we can use. Apple has rules about what software can be installed on iOS devices. You can load your own documents onto your Kindle, but Amazon is able to delete books it has already sold you. In 2009, Amazon automatically deleted some editions of George Orwell’s Nineteen Eighty-Four from users’ Kindles because of a copyright issue. I know, you just couldn’t write this stuff any more ironically.

It’s not just hardware. It’s getting hard to just buy a piece of software and use it on your computer in any way you like. Increasingly, vendors are moving to a subscription model—Adobe did that with Creative Cloud in 2013—that gives the vendor much more control. Microsoft hasn’t yet given up on a purchase model, but is making its MS Office subscription very attractive. And Office 365’s option of storing your documents in the Microsoft cloud is hard to turn off. Companies are pushing us in this direction because it makes us more profitable as customers or users.

Given current laws, trust is our only option. There are no consistent or predictable rules. We have no control over the actions of these companies. I can’t negotiate the rules regarding when Yahoo will access my photos on Flickr. I can’t demand greater security for my presentations on Prezi or my task list on Trello. I don’t even know the cloud providers to whom those companies have outsourced their infrastructures. If any of those companies delete my data, I don’t have the right to demand it back. If any of those companies give the government access to my data, I have no recourse. And if I decide to abandon those services, chances are I can’t easily take my data with me.

Political scientist Henry Farrell observed: “Much of our life is conducted online, which is another way of saying that much of our life is conducted under rules set by large private businesses, which are subject neither to much regulation nor much real market competition.”

The common defence is something like “business is business”. No one is forced to join Facebook or use Google search or buy an iPhone. Potential customers are choosing to enter into these quasi-feudal user relationships because of the enormous value they receive from them. If they don’t like it, goes the argument, they shouldn’t do it.

This advice is not practical. It’s not reasonable to tell people that if they don’t like their data being collected, they shouldn’t email, shop online, use Facebook or have a mobile phone. I can’t imagine students getting through school anymore without an internet search or Wikipedia, much less finding a job afterwards. These are the tools of modern life. They’re necessary to a career and a social life. Opting out just isn’t a viable choice for most of us, most of the time; it violates what have become very real norms of contemporary life.

Right now, choosing among providers is not a choice between surveillance or no surveillance, but only a choice of which feudal lords get to spy on you. This won’t change until we have laws to protect both us and our data from these sorts of relationships. Data is power and those that have our data have power over us. It’s time for government to step in and balance things out.

Adapted from Data and Goliath by Bruce Schneier, published by Norton Books. To order a copy for £17.99 go to bookshop.theguardian.com. Bruce Schneier is a security technologist and CTO of Resilient Systems Inc. He blogs at schneier.com, and tweets at @schneierblog

Some thoughts for the weekend… listen especially to the first six and a half minutes of this clip below about the conspiracy theories surrounding the recent mysterious death of Dave Goldberg, the husband of Facebook Chief Operating Officer Sheryl Sandberg – the “Facebook-NSA Queen”.

(Above) Photo credit: dailydotcom

Are you wondering why this “problem” (data overload – see article below) did not happen earlier…?

NSA is so overwhelmed with data, it’s no longer effective, says whistleblower

Summary:One of the agency’s first whistleblowers says the NSA is taking in too much data for it to handle, which can have disastrous — if not deadly — consequences.

By Zack Whittaker for Zero Day | April 30, 2015 — 14:29 GMT (22:29 GMT+08:00)

NEW YORK — A former National Security Agency official turned whistleblower has spent almost a decade and a half in civilian life. And he says he’s still “pissed” by what he’s seen leak in the past two years.

In a lunch meeting hosted by Contrast Security founder Jeff Williams on Wednesday, William Binney, a former NSA official who spent more than three decades at the agency, said the US government’s mass surveillance programs have become so engorged with data that they are no longer effective, losing vital intelligence in the fray.

That, he said, can — and has — led to terrorist attacks succeeding.

Binney said that an analyst today can run one simple query across the NSA’s various databases, only to become immediately overloaded with information. With about four billion people — around two-thirds of the world’s population — under the NSA and partner agencies’ watchful eyes, according to his estimates, there is too much data being collected.

“That’s why they couldn’t stop the Boston bombing, or the Paris shootings, because the data was all there,” said Binney. Because the agency isn’t carefully and methodically setting its tools up for smart data collection, that leaves analysts to search for a needle in a haystack.

“The data was all there… the NSA is great at going back over it forensically for years to see what they were doing before that,” he said. “But that doesn’t stop it.”

Binney called this a “bulk data failure” — in that the NSA programs, leaked by Edward Snowden, are collecting too much for the agency to process. He said the problem runs deeper across law enforcement and other federal agencies, like the FBI, the CIA, and the Drug Enforcement Administration (DEA), which all have access to NSA intelligence.

Binney left the NSA a month after the September 11 attacks in New York City in 2001, days after controversial counter-terrorism legislation was enacted — the Patriot Act — in the wake of the attacks. Binney stands jaded by his experience leaving the shadowy eavesdropping agency, but impassioned for the job he once had. He left after a program he helped develop was scrapped three weeks prior to September 11, replaced by a system he said was more expensive and more intrusive. Snowden said he was inspired by Binney’s case, which in part inspired him to leak thousands of classified documents to journalists.

Since then, the NSA has ramped up its intelligence gathering mission to indiscriminately “collect it all.”

Binney said the NSA is today not as interested in phone records — such as who calls whom, when, and for how long. Although the Obama administration calls the program a “critical national security tool,” the agency is increasingly looking at the content of communications, as the Snowden disclosures have shown.

Binney said he estimated that a “maximum” of 72 companies were participating in the bulk records collection program — including Verizon, but said it was a drop in the ocean. He also called PRISM, the clandestine surveillance program that grabs data from nine named Silicon Valley giants, including Apple, Google, Facebook, and Microsoft, just a “minor part” of the data collection process.

“The Upstream program is where the vast bulk of the information was being collected,” said Binney, talking about how the NSA tapped undersea fiber optic cables. With help from its British counterparts at GCHQ, the NSA is able to “buffer” more than 21 petabytes a day.

Binney said the “collect it all” mantra now may be the norm, but it’s expensive and ineffective.

“If you have to collect everything, there’s an ever increasing need for more and more budget,” he said. “That means you can build your empire.”

They say you never leave the intelligence community. Once you’re a spy, you’re always a spy — it’s a job for life, with few exceptions. One of those is blowing the whistle, which he did. Since then, he has spent his retirement lobbying for change and reform in industry and in Congress.

“They’re taking away half of the constitution in secret,” said Binney. “If they want to change the constitution, there’s a way to do that — and it’s in the constitution.”

An NSA spokesperson did not immediately comment.

Have to feel sorry for Snowden here…

Here’s an exclusive story (below) from Al Jazeera neither Google nor the NSA wants you to know.

Exclusive: Emails reveal close Google relationship with NSA

National Security Agency head and Internet giant’s executives have coordinated through high-level policy discussions

May 6, 2014 5:00AM ET
by Jason Leopold

Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying.

Disclosures by former NSA contractor Edward Snowden about the agency’s vast capability for spying on Americans’ electronic communications prompted a number of tech executives whose firms cooperated with the government to insist they had done so only when compelled by a court of law.

But Al Jazeera has obtained two sets of email communications dating from a year before Snowden became a household name that suggest not all cooperation was under pressure.

On the morning of June 28, 2012, an email from Alexander invited Schmidt to attend a four-hour-long “classified threat briefing” on Aug. 8 at a “secure facility in proximity to the San Jose, CA airport.”

“The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” Alexander wrote in the email, obtained under a Freedom of Information Act (FOIA) request, the first of dozens of communications between the NSA chief and Silicon Valley executives that the agency plans to turn over.

Alexander, Schmidt and other industry executives met earlier in the month, according to the email. But Alexander wanted another meeting with Schmidt and “a small group of CEOs” later that summer because the government needed Silicon Valley’s help.

“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”

Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said she believes information sharing between industry and the government is “absolutely essential” but “at the same time, there is some risk to user privacy and to user security from the way the vulnerability disclosure is done.”

The challenge facing government and industry was to enhance security without compromising privacy, Granick said. The emails between Alexander and Google executives, she said, show “how informal information sharing has been happening within this vacuum where there hasn’t been a known, transparent, concrete, established methodology for getting security information into the right hands.”

The classified briefing cited by Alexander was part of a secretive government initiative known as the Enduring Security Framework (ESF), and his email provides some rare information about what the ESF entails, the identities of some participant tech firms and the threats they discussed.

Alexander explained that the deputy secretaries of the Department of Defense, Homeland Security and “18 US CEOs” launched the ESF in 2009 to “coordinate government/industry actions on important (generally classified) security issues that couldn’t be solved by individual actors alone.”

“For example, over the last 18 months, we (primarily Intel, AMD [Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on the industry side) completed an effort to secure the BIOS of enterprise platforms to address a threat in that area.”

“BIOS” is an acronym for “basic input/output system,” the system software that initializes the hardware in a personal computer before the operating system starts up. NSA cyberdefense chief Debora Plunkett in December disclosed that the agency had thwarted a “BIOS plot” by a “nation-state,” identified as China, to brick U.S. computers. That plot, she said, could have destroyed the U.S. economy. “60 Minutes,” which broke the story, reported that the NSA worked with unnamed “computer manufacturers” to address the BIOS software vulnerability.

But some cybersecurity experts questioned the scenario outlined by Plunkett.

“There is probably some real event behind this, but it’s hard to tell, because we don’t have any details,” wrote Robert Graham, CEO of the penetration-testing firm Errata Security in Atlanta, on his blog in December. “It”s completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.”

And by enlisting the NSA to shore up their defenses, those companies may have made themselves more vulnerable to the agency’s efforts to breach them for surveillance purposes.

“I think the public should be concerned about whether the NSA was really making its best efforts, as the emails claim, to help secure enterprise BIOS and mobile devices and not holding the best vulnerabilities close to their chest,” said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation’s digital civil liberties team.

He doesn’t doubt that the NSA was trying to secure enterprise BIOS, but he suggested that the agency, for its own purposes, was “looking for weaknesses in the exact same products they’re trying to secure.”

The NSA “has no business helping Google secure its facilities from the Chinese and at the same time hacking in through the back doors and tapping the fiber connections between Google base centers,” Cardozo said. “The fact that it’s the same agency doing both of those things is in obvious contradiction and ridiculous.” He recommended dividing offensive and defensive functions between two agencies.

Two weeks after the “60 Minutes” broadcast, the German magazine Der Spiegel, citing documents obtained by Snowden, reported that the NSA inserted back doors into BIOS, doing exactly what Plunkett accused a nation-state of doing during her interview.

Google’s Schmidt was unable to attend to the mobility security meeting in San Jose in August 2012.

“General Keith.. so great to see you.. !” Schmidt wrote. “I’m unlikely to be in California that week so I’m sorry I can’t attend (will be on the east coast). Would love to see you another time. Thank you !” Since the Snowden disclosures, Schmidt has been critical of the NSA and said its surveillance programs may be illegal.

Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, did attend that briefing. Foreign Policy reported a month later that Dempsey and other government officials — no mention of Alexander — were in Silicon Valley “picking the brains of leaders throughout the valley and discussing the need to quickly share information on cyber threats.” Foreign Policy noted that the Silicon Valley executives in attendance belonged to the ESF. The story did not say mobility threats and security was the top agenda item along with a classified threat briefing.

A week after the gathering, Dempsey said during a Pentagon press briefing, “I was in Silicon Valley recently, for about a week, to discuss vulnerabilities and opportunities in cyber with industry leaders … They agreed — we all agreed on the need to share threat information at network speed.”

Google co-founder Sergey Brin attended previous meetings of the ESF group but because of a scheduling conflict, according to Alexander’s email, he also could not attend the Aug. 8 briefing in San Jose, and it’s unknown if someone else from Google was sent.

A few months earlier, Alexander had emailed Brin to thank him for Google’s participation in the ESF.

“I see ESF’s work as critical to the nation’s progress against the threat in cyberspace and really appreciate Vint Cerf [Google’s vice president and chief Internet evangelist], Eric Grosse [vice president of security engineering] and Adrian Ludwig’s [lead engineer for Android security] contributions to these efforts during the past year,” Alexander wrote in a Jan. 13, 2012, email.

“You recently received an invitation to the ESF Executive Steering Group meeting, which will be held on January 19, 2012. The meeting is an opportunity to recognize our 2012 accomplishments and set direction for the year to come. We will be discussing ESF’s goals and specific targets for 2012. We will also discuss some of the threats we see and what we are doing to mitigate those threats … Your insights, as a key member of the Defense Industrial Base, are valuable to ensure ESF’s efforts have measurable impact.”

A Google representative declined to answer specific questions about Brin’s and Schmidt’s relationship with Alexander or about Google’s work with the government.

“We work really hard to protect our users from cyberattacks, and we always talk to experts — including in the U.S. government — so we stay ahead of the game,” the representative said in a statement to Al Jazeera. “It’s why Sergey attended this NSA conference.”

Brin responded to Alexander the following day even though the head of the NSA didn’t use the appropriate email address when contacting the co-chairman.

“Hi Keith, looking forward to seeing you next week. FYI, my best email address to use is [redacted],” Brin wrote. “The one your email went to — sergey.brin@google.com — I don’t really check.”

Continuing on the Facebook topic again, check out the video clip and the exclusive Guardian article below:

Facebook ‘tracks all visitors, breaching EU law’

Exclusive: People without Facebook accounts, logged out users, and EU users who have explicitly opted out of tracking are all being tracked, report says

Facebook tracks the web browsing of everyone who visits a page on its site even if the user does not have an account or has explicitly opted out of tracking in the EU, extensive research commissioned by the Belgian data protection agency has revealed.

The report, from researchers at the Centre of Interdisciplinary Law and ICT (ICRI) and the Computer Security and Industrial Cryptography department (Cosic) at the University of Leuven, and the media, information and telecommunication department (Smit) at Vrije Universiteit Brussels, was commissioned after an original draft report revealed Facebook’s privacy policy breaches European law.

The researchers now claim that Facebook tracks computers of users without their consent, whether they are logged in to Facebook or not, and even if they are not registered users of the site or explicitly opt out in Europe. Facebook tracks users in order to target advertising.

The issue revolves around Facebook’s use of its social plugins such as the “Like” button, which has been placed on more than 13m sites including health and government sites.

Facebook places tracking cookies on users’ computers if they visit any page on the facebook.com domain, including fan pages or other pages that do not require a Facebook account to visit.

When a user visits a third-party site that carries one of Facebook’s social plug-ins, it detects and sends the tracking cookies back to Facebook – even if the user does not interact with the Like button, Facebook Login or other extension of the social media site.

EU privacy law states that prior consent must be given before issuing a cookie or performing tracking, unless it is necessary for either the networking required to connect to the service (“criterion A”) or to deliver a service specifically requested by the user (“criterion B”).

The same law requires websites to notify users on their first visit to a site that it uses cookies, requesting consent to do so.

A cookie is a small file placed on a user’s computer by a website that stores settings, previous activities and other small amounts of information needed by the site. They are sent to the site on each visit and can therefore be used to identify a user’s computer and track their movements across the web.

“We collect information when you visit or use third-party websites and apps that use our services. This includes information about the websites and apps you visit, your use of our services on those websites and apps, as well as information the developer or publisher of the app or website provides to you or us,” states Facebook’s data usage policy, which was updated this year.

Facebook’s tracking practices have ‘no legal basis’

An opinion published by Article 29, the pan-European data regulator working party, in 2012 stated that unless delivering a service specifically requested by the user, social plug-ins must have consent before placing a cookie. “Since by definition social plug-ins are destined to members of a particular social network, they are not of any use for non-members, and therefore do not match ‘criterion B’ for those users.”

The same applies for users of Facebook who are logged out at the time, while logged-in users should only be served a “session cookie” that expires when the user logs out or closes their browser, according to Article 29.

The Article 29 working party has also said that cookies set for “security purposes” can only fall under the consent exemptions if they are essential for a service explicitly requested by the user – not general security of the service.

Facebook’s cookie policy updated this year states that the company still uses cookies if users do not have a Facebook account, or are logged out, to “enable us to deliver, select, evaluate, measure and understand the ads we serve on and off Facebook”.

The social network tracks its users for advertising purposes across non-Facebook sites by default. Users can opt out of ad tracking, but an opt-out mechanism “is not an adequate mechanism to obtain average users informed consent”, according to Article 29.

“European legislation is really quite clear on this point. To be legally valid, an individual’s consent towards online behavioural advertising must be opt-in,” explained Brendan Van Alsenoy, a researcher at ICRI and one of the report’s author.

“Facebook cannot rely on users’ inaction (ie not opting out through a third-party website) to infer consent. As far as non-users are concerned, Facebook really has no legal basis whatsoever to justify its current tracking practices.”

Opt-out mechanism actually enables tracking for the non-tracked

The researchers also analysed the opt-out mechanism used by Facebook and many other internet companies including Google and Microsoft.

Users wanting to opt out of behavioural tracking are directed to sites run by the Digital Advertising Alliance in the US, Digital Advertising Alliance of Canada in Canada or the European Digital Advertising Alliance in the EU, each of which allow bulk opting-out from 100 companies.

But the researchers discovered that far from opting out of tracking, Facebook places a new cookie on the computers of users who have not been tracked before.

“If people who are not being tracked by Facebook use the ‘opt out’ mechanism proposed for the EU, Facebook places a long-term, uniquely identifying cookie, which can be used to track them for the next two years,” explained Günes Acar from Cosic, who also co-wrote the report. “What’s more, we found that Facebook does not place any long-term identifying cookie on the opt-out sites suggested by Facebook for US and Canadian users.”

The finding was confirmed by Steven Englehardt, a researcher at Princeton University’s department of computer science who was not involved in the report: “I started with a fresh browsing session and received an additional ‘datr’ cookie that appears capable of uniquely identifying users on the UK version of the European opt-out site. This cookie was not present during repeat tests with a fresh session on the US or Canadian version.”

Facebook sets an opt-out cookie on all the opt-out sites, but this cookie cannot be used for tracking individuals since it does not contain a unique identifier. Why Facebook places the “datr” cookie on computers of EU users who opt out is unknown.

‘Privacy-friendly’ design

For users worried about tracking, third-party browser add-ons that block tracking are available, says Acar: “Examples include Privacy Badger, Ghostery and Disconnect. Privacy Badger replaces social plug-ins with privacy preserving counterparts so that users can still use social plug-ins, but not be tracked until they actually click on them.

“We argue that it is the legal duty of Facebook to design its services and components in a privacy-friendly way,” Van Alsenoy added. “This means designing social plug-ins in such a way that information about individual’s personal browsing activities outside of Facebook are not unnecessarily exposed.”

Facebook is being investigated by the Dutch data protection authority, which asked the social network to delay rollout of its new privacy policy, and is being probed by the Article 29 working party.

A Facebook spokesperson said: “This report contains factual inaccuracies. The authors have never contacted us, nor sought to clarify any assumptions upon which their report is based. Neither did they invite our comment on the report before making it public. We have explained in detail the inaccuracies in the earlier draft report (after it was published) directly to the Belgian DPA, who we understand commissioned it, and have offered to meet with them to explain why it is incorrect, but they have declined to meet or engage with us. However, we remain willing to engage with them and hope they will be prepared to update their work in due course.”

“Earlier this year we updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we’re expanding people’s control over advertising. We’re confident the updates comply with applicable laws including EU law.”

Van Alsenoy and Acar, authors of the study, told the Guardian: “We welcome comments via the contact email address listed within the report. Several people have already reached out to provide suggestions and ideas, which we really appreciate.”

“To date, we have not been contacted by Facebook directly nor have we received any meeting request. We’re not surprised that Facebook holds a different opinion as to what European data protection laws require. But if Facebook feels today’s releases contain factual errors, we’re happy to receive any specific remarks it would like to make.”

Let’s continue on the Facebook topic from yesterday and hear it this time from software freedom activist and computer programmer Richard Stallman (also known as rms).

Do you need convincing reasons to leave Facebook for good? Look no further than this video clip and Guardian article below.

To be honest, I signed up to Facebook only late last year but used it exclusively to promote this blog. Yet, I’m always having second thoughts…

Leave Facebook if you don’t want to be spied on, warns EU

European Commission admits Safe Harbour framework cannot ensure privacy of EU citizens’ data when sent to the US by American internet firms

Samuel Gibbs
@SamuelGibbs

Thursday 26 March 2015 19.11 GMT

The European Commission has warned EU citizens that they should close their Facebook accounts if they want to keep information private from US security services, finding that current Safe Harbour legislation does not protect citizen’s data.

The comments were made by EC attorney Bernhard Schima in a case brought by privacy campaigner Maximilian Schrems, looking at whether the data of EU citizens should be considered safe if sent to the US in a post-Snowden revelation landscape.

“You might consider closing your Facebook account, if you have one,” Schima told attorney general Yves Bot in a hearing of the case at the European court of justice in Luxembourg.

When asked directly, the commission could not confirm to the court that the Safe Harbour rules provide adequate protection of EU citizens’ data as it currently stands.

The US no longer qualifies

The case, dubbed “the Facebook data privacy case”, concerns the current Safe Harbour framework, which covers the transmission of EU citizens’ data across the Atlantic to the US. Without the framework, it is against EU law to transmit private data outside of the EU. The case collects complaints lodged against Apple, Facebook, Microsoft, Microsoft-owned Skype and Yahoo.

Schrems maintains that companies operating inside the EU should not be allowed to transfer data to the US under Safe Harbour protections – which state that US data protection rules are adequate if information is passed by companies on a “self-certify” basis – because the US no longer qualifies for such a status.

The case argues that the US government’s Prism data collection programme, revealed by Edward Snowden in the NSA files, which sees EU citizens’ data held by US companies passed on to US intelligence agencies, breaches the EU’s Data Protection Directive “adequacy” standard for privacy protection, meaning that the Safe Harbour framework no longer applies.

Poland and a few other member states as well as advocacy group Digital Rights Ireland joined Schrems in arguing that the Safe Harbour framework cannot ensure the protection of EU citizens’ data and therefore is in violation of the two articles of the Data Protection Directive.

The commission, however, argued that Safe Harbour is necessary both politically and economically and that it is still a work in progress. The EC and the Ireland data protection watchdog argue that the EC should be left to reform it with a 13-point plan to ensure the privacy of EU citizens’ data.

“There have been a spate of cases from the ECJ and other courts on data privacy and retention showing the judiciary as being more than willing to be a disrupting influence,” said Paula Barrett, partner and data protection expert at law firm Eversheds. “Bringing down the safe harbour mechanism might seem politically and economically ill-conceived, but as the decision of the ECJ in the so-called ‘right to be forgotten’ case seems to reinforce that isn’t a fetter which the ECJ is restrained by.”

An opinion on the Safe Harbour framework from the ECJ is expected by 24 June.

Facebook declined to comment.

It’s mid-week… thought I should share something light for a change: an alternative comic look into privacy and the government takeover of the internet in our daily lives.

Use only end-to-end encryption programs and apps like SpiderOak, Signal, RedPhone and TextSecure, according to Snowden – see article below.

And never ever anything like Dropbox, Facebook and Google, as he has previously stressed (watch this video clip):

The apps Edward Snowden recommends to protect your privacy online

Mar 05, 2015 9:57 AM ET
Andrea Bellemare, CBC News

There are a host of free, easy-to-use apps and programs that can help protect your privacy online, and if everybody uses them it can provide a sort of “herd immunity” said Edward Snowden in a live video chat from Russia on Wednesday.

Snowden appeared via teleconference in an event hosted by Ryerson University and Canadian Journalists For Expression, to launch the CJFE’s online database that compiles all of the publicly released classified documents the former U.S. National Security Agency contractor leaked. In response to a Twitter question,Snowden expanded on what tools he recommends for privacy.

“I hardly touch communications for anything that could be considered sensitive just because it’s extremely risky,” said Snowden.

But Snowden did go on to outline a few free programs that can help protect your privacy.

“You need to ensure your communications are protected in transit,” said Snowden. “It’s these sort of transit interceptions that are the cheapest, that are the easiest, and they scale the best.”

Snowden recommended using programs and apps that provide end-to-end encryption for users, which means the computer on each end of the transaction can access the data, but not any device in between, and the information isn’t stored unencrypted on a third-party server.

​”SpiderOak doesn’t have the encryption key to see what you’ve uploaded,” said Snowden, who recommends using it instead of a file-sharing program like Dropbox. “You don’t have to worry about them selling your information to third parties, you don’t have to worry about them providing that information to governments.”

“For the iPhone, there’s a program called Signal, by Open Whisper Systems, it’s very good,” said Snowden.

He also recommended RedPhone, which allows Android users to make encrypted phone calls, and TextSecure, a private messenging app by Open Whisper Systems.

“I wouldn’t trust your lives with any of these things, they don’t protect you from metadata association but they do strongly protect your content from precisely this type of in-transit interception,” said Snowden.

He emphasized that encryption is for everyone, not just people with extremely sensitive information.

“The more you do this, the more you get your friends, your family, your associates to adopt these free and easy-to-use technologies, the less stigma is associated with people who are using encrypted communications who really need them,” said Snowden. “We’re creating a kind of herd immunity that helps protect everybody, everywhere.”

Above photo credit: http://background-kid.com/blurred-people-background.html

Great, now there’s a new technology to get true clear pictures out of blurred CCTV images just when we learned last week that there are gadgets to hide one’s identity from the prying eyes of facial recognition programs like the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System.

Fujitsu, the Japanese multinational information technology equipment and services company, recently said it has invented a new, first of its kind image-processing technology that can detect people from low-resolution imagery and track people in security camera footage, even when the images are heavily blurred to protect privacy. See full story below.

Sad to say, this is probably the easiest, effective and most feasible solution:

Fujitsu tech can track heavily blurred people in security videos

By Tim Hornyak
IDG News Service | March 6, 2015

Fujitsu has developed image-processing technology that can be used to track people in security camera footage, even when the images are heavily blurred to protect their privacy.

Fujitsu Laboratories said its technology is the first of its kind that can detect people from low-resolution imagery in which faces are indistinguishable.

Detecting the movements of people could be useful for retail design, reducing pedestrian congestion in crowded urban areas or improving evacuation routes for emergencies, it said.

Fujitsu used computer-vision algorithms to analyze the imagery and identify the rough shapes, such as heads and torsos, that remain even if the image is heavily pixelated. The system can pick out multiple people in a frame, even if they overlap.

Using multiple camera sources, it can then determine if two given targets are the same person by focusing on the distinctive colors of a person’s clothing.

An indoor test of the system was able to track the paths of 80 percent of test subjects, according to the company. Further details of the trial were not immediately available.

“The technology could be used by a business owner when planning the layout of their next restaurant/shop,” a Fujitsu spokesman said via email. “It would also be used by the operators of a large sporting event during times of heavy foot traffic.”

People-tracking know-how has raised privacy concerns in Japan. Last year, the National Institute of Information and Communications Technology (NICT) was forced to delay and scale down a large, long-term face-recognition study it was planning to carry out at Osaka Station, one of the country’s busiest rail hubs.

The Fujitsu research is being presented to a conference of the Information Processing Society of Japan being held at Tohoku University in northern Japan. The company hopes to improve the accuracy of the system with an aim to commercializing it in the year ending March 31, 2016.

Fujitsu has also been developing retail-oriented technology such as sensors that follow a person’s gaze as he or she looks over merchandise as well as LED lights that can beam product information for smartphones.

Sending an email message is like sending a postcard. That’s the message Hillary Clinton probably now wish she heard earlier.

Andy Yen, a scientist at CERN – the European Organization for Nuclear Research – co-founded ProtonMail, an encrypted email startup based in Geneva, Switzerland. As he explained in this TEDTalk, it is easy to make encryption easy for all to use and keep all email private.

But curiously, it seems so much like PGP.

“Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

That’s a quote from Obama reported in The Guardian (see article below).

Oh great, so Obama actually understood the consequences of government gaining backdoors into encryption? He should give the same advice to his NSA director Mike Rogers who somehow struggled when asked about the issue recently.

Building backdoors into encryption isn’t only bad for China, Mr President

Trevor Timm
@trevortimm
Wednesday 4 March 2015 16.15 GMT

Want to know why forcing tech companies to build backdoors into encryption is a terrible idea? Look no further than President Obama’s stark criticism of China’s plan to do exactly that on Tuesday. If only he would tell the FBI and NSA the same thing.

In a stunningly short-sighted move, the FBI – and more recently the NSA – have been pushing for a new US law that would force tech companies like Apple and Google to hand over the encryption keys or build backdoors into their products and tools so the government would always have access to our communications. It was only a matter of time before other governments jumped on the bandwagon, and China wasted no time in demanding the same from tech companies a few weeks ago.

As President Obama himself described to Reuters, China has proposed an expansive new “anti-terrorism” bill that “would essentially force all foreign companies, including US companies, to turn over to the Chinese government mechanisms where they can snoop and keep track of all the users of those services.”

Obama continued: “Those kinds of restrictive practices I think would ironically hurt the Chinese economy over the long term because I don’t think there is any US or European firm, any international firm, that could credibly get away with that wholesale turning over of data, personal data, over to a government.”

Bravo! Of course these are the exact arguments for why it would be a disaster for US government to force tech companies to do the same. (Somehow Obama left that part out.)

As Yahoo’s top security executive Alex Stamos told NSA director Mike Rogers in a public confrontation last week, building backdoors into encryption is like “drilling a hole into a windshield.” Even if it’s technically possible to produce the flaw – and we, for some reason, trust the US government never to abuse it – other countries will inevitably demand access for themselves. Companies will no longer be in a position to say no, and even if they did, intelligence services would find the backdoor unilaterally – or just steal the keys outright.

For an example on how this works, look no further than last week’s Snowden revelation that the UK’s intelligence service and the NSA stole the encryption keys for millions of Sim cards used by many of the world’s most popular cell phone providers. It’s happened many times before too. Ss security expert Bruce Schneier has documented with numerous examples, “Back-door access built for the good guys is routinely used by the bad guys.”

Stamos repeatedly (and commendably) pushed the NSA director for an answer on what happens when China or Russia also demand backdoors from tech companies, but Rogers didn’t have an answer prepared at all. He just kept repeating “I think we can work through this”. As Stamos insinuated, maybe Rogers should ask his own staff why we actually can’t work through this, because virtually every technologist agrees backdoors just cannot be secure in practice.

(If you want to further understand the details behind the encryption vs. backdoor debate and how what the NSA director is asking for is quite literally impossible, read this excellent piece by surveillance expert Julian Sanchez.)

It’s downright bizarre that the US government has been warning of the grave cybersecurity risks the country faces while, at the very same time, arguing that we should pass a law that would weaken cybersecurity and put every single citizen at more risk of having their private information stolen by criminals, foreign governments, and our own.

Forcing backdoors will also be disastrous for the US economy as it would be for China’s. US tech companies – which already have suffered billions of dollars of losses overseas because of consumer distrust over their relationships with the NSA – would lose all credibility with users around the world if the FBI and NSA succeed with their plan.

The White House is supposedly coming out with an official policy on encryption sometime this month, according to the New York Times – but the President can save himself a lot of time and just apply his comments about China to the US government. If he knows backdoors in encryption are bad for cybersecurity, privacy, and the economy, why is there even a debate?

Forget Google Glass, there’s something more fun and useful (picture above) but first, consider this picture below.

It may sounds like the Hollywood movie Matrix but let’s face it, everyone would sooner or later have their photos captured in the public space.

Consider for example, the FBI’s US$1 billion futuristic facial recognition program – the Next Generation Identification (NGI) System – was already up and running with the aim to capture photographs of every Americans and everyone on US soils.

The pictures above is an example of what the US government had collected of one individual – she filed a Freedom of Information Act request to see what was collected and the Department of Homeland Security subsequently released the data collected under the Global Entry Program.

But apart from immigration checkpoints, and potentially other files from other government departments (local and global), we are also subjected to the millions of CCTV cameras in public areas and the facial recognition programs scanning through the captured images (and also those on the internet and social networks).

So it’s good to know there may be a potential solution – though it’s still early days and it may not apply to cameras at immigration checkpoints.

The (computer) antivirus software company AVG is working on a “privacy glasses” project. These glasses (above) are designed to obfuscate your identity and prevent any facial recognition software from figuring out who you are, either by matching you with the pictures in their database or creating a new file of you for future use.

Find out more from this article below.

NSA Director Admiral Michael Rogers said at a cyber security conference in Washington DC Monday this week that the government needs to develop a “framework” so that the NSA and law enforcement agencies could read encrypted data when they need and he was immediately challenged by top security experts from the tech industry, most notably Yahoo’s chief information security officer Alex Stamos (see transcript).

This is probably the most telling moment of how US President Barack Obama is still on the wrong frequency on cyber matters…

Obama blamed the “impact on their [the tech companies] bottom lines” for the mistrust between the government and Silicon Valley in the aftermath of the Snowden revelations. These were his words, straight from the POTUSA mouth rather than reading from the scripts, in an exclusive interview with Re/code’s Kara Swisher (see video below) following the well publicized cybersecurity summit at Stanford University last Friday, when he signed an executive order to encourage the private sector to share cybersecurity threat information with other companies and the US government.

Contrast that with the high-profile speech by Apple CEO Tim Cook (see video below), who warned about “life and death” and “dire consequences” in sacrificing the right to privacy as technology companies had a duty to protect their customers.

His speech was delivered before Obama’s address to the summit – which the White House organized to foster better cooperation and the sharing of private information with Silicon Valley – best remembered for the absence of leaders from tech giants like Google, Yahoo and Facebook who gave Obama the snub amid growing tensions between Silicon Valley and the Obama administration. Heavyweights whom Obama counted as “my friends” in the Re/code interview (watch closely his expression at the 39th second of the clip above).

This is really nothing new but I’m posting it because similar “news” resurfaced again the past week.

Let’s not forget smart TV are essentially becoming more like computers. And yes, they can watch you and your loved ones discreetly without your knowledge.

If you’ve already bought one, the easy solution is to cover the webcam with a duct tape unless you need to use it.

This spat on intrusive rules is going to be a huge long battle.

The US is voicing opposition to Chinese rules that foreign vendors hand over the source code if they were to supply computer equipments to Chinese banks – which could expand to other sectors as the matter is “part of a wider review”.

Other measures to comply with include the setting up of research and development centers in China and building “ports” for Chinese officials to manage and monitor the data processed by their hardware.

Submitting to these “intrusive rules” for a slice of the huge Chinese markets also means alienating the rest of the world – as complying with these rules means creating backdoors, adopting Chinese encryption algorithms and disclosing sensitive intellectual property.

Find out more from this video:

Speaking of “intrusive rules” (see BBC report far below) and “actual intrusions” in China, the latter I have expanded recently in two articles – one on Apple yesterday and the other on VPN blocks last week – and merged in this new column I’m also pasting right below.

The long and short of it, it’s espionage made easy. Period.

Apple Lets Down Its Asia Users
Written by Vanson Soo
MON,02 FEBRUARY 2015

Knuckling under to China on security inspections

If you are a die-hard fan of Apple products and if you, your company or business have anything to do with mainland China, recent developments involving the US tech giant can be construed as bad news, with deeper implications than what was generally thought and reported.

First, about Apple.

I have always liked the beauty and elegance of Apple products. I have owned two Mac laptops and an iPhone but I have shunned them as anyone deeply conscious and concerned about privacy and security should do. Edward Snowden, for example, who laid bare extensive snooping by the US National Security Agency, recently said he had never used the iPhone given the existence of secret surveillance spyware hidden in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices including iPhones, iPads and Mac computers. The move understandably makes business sense to Apple [and its shareholders] as China is just too huge a market to ignore – so the Cupertino-based company [whose market capitalization hit US$683 billion last week, more than double Microsoft’s US$338 billion] realized it simply couldn’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

What Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well documented that Apple users were [and probably still are] known for their cult-like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers.

The company has also denied working with any government agencies to create back doors into its products or servers… So surrendering to security audits wouldn’t?

If only Apple users managed to chuck away their cult mentality and come to their senses about their privacy and security risks, the firm would realize the Google approach, though still not perfect, is a better way of cultivating brand loyalty.

And in case you’re wondering, I use Linux most of the time – and shun the most popular Linux distributions to be on the safe side.a

Now next. And this is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News surfaced in late January that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

The real impact is not merely on domestic residents who were cut off from YouTube, BBC/CNN news and other information sources but resident expatriates, multinationals, foreign embassies and those traveling to China, especially businessmen and executives. Think: Chinese espionage now made easy!

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through it, which effectively shields internet traffic from government filters that have set criteria on what sites can be accessed.

And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

29 January 2015 Last updated at 14:35

US tech firms ask China to postpone ‘intrusive’ rules
By Kevin Rawlinson BBC News

US business groups are seeking “urgent discussions” over new Chinese rules requiring foreign firms to hand over source code and other measures.

The groups wrote to senior government officials after the introduction of the cybersecurity regulations at the end of last year.

The US Chamber of Commerce and other groups called the rules “intrusive”.

The regulations initially apply to firms selling products to Chinese banks but are part of a wider review.

“An overly broad, opaque, discriminatory approach to cybersecurity policy that restricts global internet and ICT products and services would ultimately isolate Chinese ICT firms from the global marketplace and weaken cybersecurity, thereby harming China’s economic growth and development and restricting customer choice,” the letter read.

The groups said that the rules would force technology sellers to create backdoors for the Chinese government, adopt Chinese encryption algorithms and disclose sensitive intellectual property.

Firms planning to sell computer equipment to Chinese banks would also have to set up research and development centres in the country, get permits for workers servicing technology equipment and build “ports” which enable Chinese officials to manage and monitor data processed by their hardware, Reuters reported.

Source code is the usually tightly guarded series of commands that create programs. For most computing and networking equipment, it would have to be turned over to officials, according to the new regulations.

Tension

In the letter, a copy of which has been seen by the BBC, the groups have asked the Chinese government to delay implementation of the regulations and “grant an opportunity for discussion and dialogue for interested stakeholders with agencies responsible for the initiatives”.

They added: “The domestic purchasing and related requirements proposed recently for China’s banking sector… would unnecessarily restrict the ability of Chinese entities to source the most reliable and secure technologies, which are developed in the global supply chain,” the letter, which was dated 28 January, read.

The letter from the American groups, including the US Chamber of Commerce, AmCham China and 16 others, was addressed to the Central Leading Small Group for Cyberspace Affairs, which is led personally by Chinese President Xi Jinping.

It comes at a time of heightened tension between the USA and China over cybersecurity. In May last year, Beijing denounced US charges against Chinese army officers accused of economic cyber-espionage.

Pressure

It was also alleged that the US National Security Agency spied on Chinese firm Huawei, while the US Senate claimed that the Chinese government broke into the computers of airlines and military contractors.

American tech firms, such as Cisco and Microsoft, are facing increased pressure from Chinese authorities to accept rigorous security checks before their products can be purchased by China’s sprawling, state-run financial institutions.

Beijing has considered its reliance on foreign technology a national security weakness, particularly following former National Security Agency contractor Edward Snowden’s revelations that US spy agencies planted code in American-made software to snoop on overseas targets.

The cyber-space policy group approved a 22-page document in late 2014 that contained the heightened procurement rules for tech vendors, the New York Times reported on Thursday.

I always like the beauty and elegance of Apple products (I had 2 Mac laptops and 1 iPhone) but I have to admit I have already shunned them as anyone deeply conscious and concerned about privacy and security should do – Snowden, for example, recently said he never used the iPhone given the existence of secret surveillance spyware in the devices.

Consider the latest news that Apple Inc. has caved in to Chinese demands for security inspections of its China-made devices like the iPhones, iPads and Mac computers. The move understandably makes business sense to Apple (and its shareholders) as China is just too huge a market to ignore – so the Cupertino-based company (whose market capitalization hit $683 billion last week, more than double Microsoft’s $338 billion) realized it simply can’t ignore Beijing’s “concerns” about national security arising from the iPhone’s ability to zero in onto a user’s location.

Now pause right there. No, there’s no typo above. And yes, the Android and Blackberry smartphones can also mark a user’s location. So what’s the catch? Figure that out – it’s not difficult.

And what Apple found they can ignore is the privacy and security of its die-hard users – after all, it has been well-documented Apple users were (and probably still are) well known for their “cult” like loyalty to the brand. Look no further for evidence than last summer when Apple announced its plan to host some of its data from its China-based users on servers based inside the country and claimed the company was not concerned about any security risks from using servers hosted by China Telecom, one of the three state-owned Chinese carriers. The company has also denied working with any government agencies to create back doors into its products or servers… (So surrendering to security audits wouldn’t?)

If only Apple users somewhat managed to chuck away their cult mentality and come to their senses (about their privacy and security risks), the US tech giant would realize the Google approach (though still not the perfect example) is a better way to cultivating brand loyalty (see article below).

And in case you’re wondering, I use laptops with no parts made in China along with Linux most of the time – and shun the most popular Linux distributions to be on the safe side.

Apple’s New Security Concessions to Beijing

By Doug Young | January 27, 2015, 10:13 AM

Apple is deepening its uneasy embrace of Beijing security officials, with word that it has agreed to allow security audits for products that it sells in China. This latest development comes less than a year after Apple took the unusual step of moving some of the user information it collects to China-based servers, which was also aimed at placating security-conscious regulators in Beijing.

Apple’s increasingly close cooperation with Beijing contrasts sharply with Google, whose popular Internet products and services are increasingly being locked out of China as it refuses to play by Beijing’s rules. Other global tech giants are also having to deal with the delicate situation, each taking a slightly different approach to try to protect user privacy while complying with Beijing’s insistence that they make their information available to security-conscious government regulators.

As a relatively neutral observer, I can sympathize with both the Apples and Googles of the world. Companies like Apple have decided that China is simply too large for them to ignore, and thus are taking steps to address Beijing’s security concerns as a condition for access to the huge market. Microsoft has also taken a similar tack, and Facebook is showing it will also be willing to play by such rules with its recent repeated lobbying for a chance to set up a China-based service.

Google has taken a more defiant stance by refusing to compromise user privacy and free speech, with the result that a growing number of its products and services are now blocked in China. The company shuttered its China-based search website in 2010 over a dispute with Beijing on self censorship. Last year many of its global sites and even its Gmail email service also became increasingly difficult to access for users in China.

Apple isn’t being nearly so defiant, and the latest headlines say it has agreed to the audits of its products by the State Internet Information Office. The reports say Apple agreed to the audits when CEO Tim Cook met with State Internet Information Office official Lu Wei during a December trip to the U.S. I previously wrote about Lu’s trip after photos appeared on an official Chinese government website showing him visiting the offices of Facebook, Apple, and also Amazon.

Lu reportedly told Cook that China needs to be sure that Apple’s popular iPhones, iPads, and other products protect user privacy and also don’t compromise national security. Unlike other PC and cellphone makers that simply sell their devices to consumers, Apple actively keeps records of its product users and some of their usage habits and other related information on remote computers.

This latest move looks like an extension of another one last summer, which saw Apple agree to host some of the data from its China-based users on servers based inside the country. That move also looked aimed at calming national security worries from Beijing, since storing such information on China-based computers would make it more accessible to investigators conducting security-related probes.

In an interesting twist to the story, this latest report comes from a state-owned newspaper in Beijing, making it a sort of semi-official disclosure of China’s approach to the matter. That would follow the government’s own announcement of Lu Wei’s December trip, and perhaps shows that Beijing wants to be more open about steps it’s taking to address national security threats like terrorism. That kind of more open attitude could help both domestic and foreign companies to better navigate China’s tricky cyber realm, though it won’t be of much help to defiant companies like Google that are more intent on protecting free speech and user privacy.

Here’s one nice TEDTalk on why encryption is important for everyone and why breaking or weakening it – British Prime Minister David Cameron and US President Barack Obama are now pushing for a ban on encryption – is not a good idea. To put it bluntly and briefly, it is shooting our own foot.

This is bad news with far-reaching global implications – and it’s affecting not just only those based in China.

News has surfaced over the weekend that some foreign-based virtual private network (VPN) vendors found their services in China had been disrupted following a government crackdown – which the authorities labeled as an “upgrade” of its Internet censorship – to block the use of VPNs as a way to escape the so-called Great Firewall.

Many China-based internet users use VPNs to access external news sources but this is also bad news for companies and government offices based in China as well as anyone visiting the Chinese mainland – as many businessmen and executives use VPNs, as part of their company (and security) practice, on their business trips. Many foreigners and businesses residing in China also use VPNs for their day-to-day communications.

The VPNs provide an encrypted pipe between a computer or smartphone and an overseas server such that any communications would be channeled through the designated pipe, which effectively shield internet traffic from government filters that have set criteria on what sites can be accessed.

Find out more about this news below – And as China is fast moving beyond the “factories of the world” tag to become a global economic powerhouse and important trading partner to many developed and developing countries, this is one development to keep a close watch on.

Let’s have a different take on Obama and his endorsement (of Cameron’s drive) to kill encryption.

Obama is not allowed to use an iPhone because it’s “not safe”, the NSA advised him – Edward Snowden has recently said the iPhone was made to remotely track and transmit data about users.

Obama uses a Blackberry because of its reputation for security. But it’s still not safe enough, so his device was further encrypted though experts warned it’s still no absolute guarantee.

So Mr. President, you understand very well the value of encryption and privacy. And you want to ban encryption in the name of national security when you knew very well the terrorists you’re after are very apt at finding alternatives (remember Osama bin Laden?), including using primitive channels like typewriters, paper and pen, etc?

And at the same time, you’re crippling the entire world – companies, individuals and government (what did Merkel tell you?) – with the floodgates thrown open to cyber-criminals and hackers?

Reckon you can see that the equation doesn’t add up?

Blackberry’s CEO John Chen in his latest blog post “Encryption Needn’t Be An Either/Or Choice Between Privacy and National Security” responded to the recent push by British Prime Minister David Cameron – endorsed by US President Barack Obama last week – to ban encrypted communications in the name of national security:

Encryption Needn’t Be An Either/Or Choice Between Privacy and National Security

In the wake of the Paris terror attacks earlier this month, U.K. Prime Minister David Cameron proposed banning encrypted communications services such as those offered by Apple, Facebook and others. President Obama partially endorsed Prime Minister Cameron’s proposal a few days later, indicating he would support banning encrypted communications services that cannot be intercepted by law enforcement and national security agencies. While there is no publicly-available evidence that encrypted communications played any role in the Paris attacks, security officials say their ability to prevent future attacks will be hindered if terrorists are able to evade surveillance using encrypted communications and messaging services.

Reconciling these opposing perspectives on encryption requires a reasoned approach that balances legitimate national security concerns with legitimate cyber security concerns.

Privacy is Everyone’s Concern

Our dependence on computing devices for transmitting and storing sensitive personal information has become irreversible. Billions of items of personal information including health records, bank account records, social security numbers and private photographs reside on millions of computers and in the cloud. This information is transmitted via the internet every day. The same is true for highly confidential and proprietary business information. And of course no government or law enforcement agency could function without maintaining high levels of information security.

Modern forms of encrypting voice and data traffic provide the best protection for highly valuable and private personal, business and government information. Rendering data unreadable to the intruder greatly diminishes the incentive to hack or steal. Banning encryption, therefore, would dramatically increase the exposure of all such information to hacking and cyber theft. Clearly that is not a viable option.

Call of Duty

On the other hand, the same encryption technology that enables protection of sensitive data can also be abused by criminals and terrorists to evade legitimate government efforts to track their data and communications. Companies offering encrypted communications thus have a duty to comply with lawful requests to provide information to security agencies monitoring would-be terrorists. Companies like BlackBerry: We’ve supported FIPS 140-2 validated encryption in all of our devices for the past 10 years – longer than many of our competitors have been selling smartphones.

The answer, therefore, is not to ban encryption, because doing so would give hackers and cyber-criminals a windfall, making it much easier for them to mine billions of items of sensitive personal, business and government data. Instead, telecommunications and internet companies should cooperate with the reasonable and lawful efforts of governments to fight terrorism. That way we can help protect both privacy and lives.

US President Obama has openly voiced support to British Prime Minister’s idea about banning encryption but as The Guardian report (below) last week on a secret US cybersecurity document in 2009 showed, they are very well aware their decision would leave the entire world highly vulnerable to cyber attacks at the expense of their interest in national security and terrorism matters.

Secret US cybersecurity report: encryption vital to protect private data

Newly uncovered Snowden document contrasts with British PM’s vow to crack down on encrypted messaging after Paris attacks

A secret US cybersecurity report warned that government and private computers were being left vulnerable to online attacks from Russia, China and criminal gangs because encryption technologies were not being implemented fast enough.

The advice, in a newly uncovered five-year forecast written in 2009, contrasts with the pledge made by David Cameron this week to crack down on encryption use by technology companies.

In the wake of the Paris terror attacks, the prime minister said there should be no “safe spaces for terrorists to communicate” or that British authorites could not access.

Cameron, who landed in the US on Thursday night, is expected to urge Barack Obama to apply more pressure to tech giants, such as Apple, Google and Facebook, which have been expanding encrypted messaging for their millions of users since the revelations of mass NSA surveillance by the whistleblower Edward Snowden.

Cameron said the companies “need to work with us. They need also to demonstrate, which they do, that they have a social responsibility to fight the battle against terrorism. We shouldn’t allow safe spaces for terrorists to communicate. That’s a huge challenge but that’s certainly the right principle”.

But the document from the US National Intelligence Council, which reports directly to the US director of national intelligence, made clear that encryption was the “best defence” for computer users to protect private data.

Part of the cache given to the Guardian by Snowden was published in 2009 and gives a five-year forecast on the “global cyber threat to the US information infrastructure”. It covers communications, commercial and financial networks, and government and critical infrastructure systems. It was shared with GCHQ and made available to the agency’s staff through its intranet.

One of the biggest issues in protecting businesses and citizens from espionage, sabotage and crime – hacking attacks are estimated to cost the global economy up to $400bn a year – was a clear imbalance between the development of offensive versus defensive capabilities, “due to the slower than expected adoption … of encryption and other technologies”, it said.

An unclassified table accompanying the report states that encryption is the “[b]est defense to protect data”, especially if made particularly strong through “multi-factor authentication” – similar to two-step verification used by Google and others for email – or biometrics. These measures remain all but impossible to crack, even for GCHQ and the NSA.

The report warned: “Almost all current and potential adversaries – nations, criminal groups, terrorists, and individual hackers – now have the capability to exploit, and in some cases attack, unclassified access-controlled US and allied information systems.”

It further noted that the “scale of detected compromises indicates organisations should assume that any controlled but unclassified networks of intelligence, operational or commercial value directly accessible from the internet are already potentially compromised by foreign adversaries”.

The primary adversaries included Russia, whose “robust” operations teams had “proven access and tradecraft”, it said. By 2009, China was “the most active foreign sponsor of computer network intrusion activity discovered against US networks”, but lacked the sophistication or range of capabilities of Russia. “Cyber criminals” were another of the major threats, having “capabilities significantly beyond those of all but a few nation states”.

The report had some cause for optimism, especially in the light of Google and other US tech giants having in the months prior greatly increased their use of encryption efforts. “We assess with high confidence that security best practices applied to target networks would prevent the vast majority of intrusions,” it concluded.

Official UK government security advice still recommends encryption among a range of other tools for effective network and information defence. However, end-to-end encryption – which means only the two people communicating with each other, and not the company carrying the message, can decode it – is problematic for intelligence agencies as it makes even warranted collection much more difficult.

The latest versions of Apple and Google’s mobile operating systems are encrypted by default, while other popular messaging services, such as WhatsApp and Snapchat, also use encryption. This has prompted calls for action against such strong encryption from ministers and officials. Speaking on Monday, Cameron asked: “In our country, do we want to allow a means of communication between people which we cannot read?”

The previous week, a day after the attack on the Charlie Hebdo office in Paris, the MI5 chief, Andrew Parker, called for new powers and warned that new technologies were making it harder to track extremists.

In November, the head of GCHQ, Robert Hannigan, said US social media giants had become the “networks of choice” for terrorists. Chris Soghoian, principal senior policy analyst at the American Civil Liberties Union, said attempts by the British government to force US companies to weaken encryption faced many hurdles.

“The trouble is these services are already being used by hundreds of millions of people. I guess you could try to force tech companies to be less secure but then they would be less secure against attacks for anyone,” he said.

GCHQ and the NSA are responsible for cybersecurity in the UK and US respectively. This includes working with technology companies to audit software and hardware for use by governments and critical infrastructure sectors.

Such audits uncover numerous vulnerabilities which are then shared privately with technology companies to fix issues that could otherwise have caused serious damage to users and networks. However, both agencies also have intelligence-gathering responsibilities under which they exploit vulnerabilities in technology to monitor targets. As a result of these dual missions, they are faced with weighing up whether to exploit or fix a vulnerability when a product is used both by targets and innocent users.

The Guardian, New York Times and ProPublica have previously reported the intelligence agencies’ broad efforts to undermine encryption and exploit rather than reveal vulnerabilities. This prompted Obama’s NSA review panel to warn that the agency’s conflicting missions caused problems, and so recommend that its cyber-security responsibilities be removed to prevent future issues.

Another newly discovered document shows GCHQ acting in a similarly conflicted manner, despite the agencies’ private acknowledgement that encryption is an essential part of protecting citizens against cyber-attacks.

The 2008 memo was addressed to the then foreign secretary, David Miliband, and classified with one of the UK’s very highest restrictive markings: “TOP SECRET STRAP 2 EYES ONLY”. It is unclear why such a document was posted to the agency’s intranet, which is available to all agency staff, NSA workers, and even outside contractors.

The memo requested a renewal of the legal warrant allowing GCHQ to “modify” commercial software in violation of licensing agreements. The document cites examples of software the agency had hacked, including commonly used software to run web forums, and website administration tools. Such software are widely used by companies and individuals around the world.

The document also said the agency had developed “capability against Cisco routers”, which would “allow us to re-route selected traffic across international links towards GCHQ’s passive collection systems”.

GCHQ had also been working to “exploit” the anti-virus software Kaspersky, the document said. The report contained no information on the nature of the vulnerabilities found by the agency.

Security experts regularly say that keeping software up to date and being aware of vulnerabilities is vital for businesses to protect themselves and their customers from being hacked. Failing to fix vulnerabilities leaves open the risk that other governments or criminal hackers will find the same security gaps and exploit them to damage systems or steal data, raising questions about whether GCHQ and the NSA neglected their duty to protect internet systems in their quest for more intelligence.

A GCHQ spokesman said: “It is long-standing policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the secretary of state, the interception and intelligence services commissioners and the parliamentary intelligence and security committee.“All our operational processes rigorously support this position. In addition, the UK’s interception regime is entirely compatible with the European convention on human rights.”

Michael Beckerman, president and CEO of the Internet Association, a lobby group that represents Facebook, Google, Reddit, Twitter, Yahoo and other tech companies, said: “Just as governments have a duty to protect to the public from threats, internet services have a duty to our users to ensure the security and privacy of their data. That’s why internet services have been increasing encryption security.”

Rather than hearing from the geeks, it may be refreshing to listen the same from Mark Cuban, Shark Tank host and owner of NBA team Dallas Mavericks:

In the aftermath of the recent Charlie Hebdo attacks, it came as no surprise politicians were quick to up the antenna (again) on surveillance and stifle the right to privacy – whilst, in the same breath, they drape themselves publicly in Paris to embrace free speech and press freedom.

British Prime Minister David Cameron, for example, stole the headlines this week saying that, if re-elected in May, he would ban encrypted online messaging apps like WhatsApp and Snapchat if the British intelligence agencies were not given backdoors to access the communications.

“We must not allow terrorists safe space to communicate with each other,” said Cameron as he spoke about a “comprehensive piece of legislation” to close the “safe spaces” used by suspected terrorists – and also planned to encourage US President Barack Obama (who should be reminded that he has promised to pursue NSA reforms) to make internet companies like Facebook and Twitter cooperate with British intelligence agencies to track the online activities of Islamist extremists.

Backdoors are by and large security holes and what Cameron is proposing would set a dangerous precedence with irreversible consequences far beyond the loss of free speech – this is best summed up in the following open letter to David Cameron (below – and here):

Following up on an earlier post on the same topic:

Continuing on my blog post yesterday – shouldn’t one feel guilty about posting photos of their loved ones online without knowing or truly understanding the underlying risks?

Well instead of covering the face(s), how about encoding your photos with personal secret code so that only you and those selected parties can see them? That’s what this software PhotoScrambler is about.

If you’re still coining your new year resolutions… how about never to post (and tag) any photos of yourself and loved ones online?

Yes, it’s a social norm these days – just look at the Facebook sphere – but I can’t explain the risks better than this excellent presentation (below) from the Make Use Of blog about facial recognition technology and the risks of posting our photos online.

Food for thoughts?

Here’s a recent LifeHacker article that may be well received: a manual on how to turn off the “read receipt” feature in some of the most popular apps, including What’s App. And yes, that’s another one up for privacy.

Question: If the NSA managed to threaten and make Internet and technology giants like Yahoo, Google, Apple, Facebook, etc to hand over our metadata, who else could they target?

The US Postal Service?

And why not – since the information like names, addresses and postmark dates of both the senders and recipients conveniently splashed on the package covers could provide valuable investigative leads to law enforcement agencies?

As it turned out, the USPS Office of Inspector General (OIG) — the internal watchdog of the postal service – found that “USPS captured information from the outside of about 49,000 pieces of consumer mail in 2013 and turned much of it over to law enforcement organizations throughout the country, unbeknownst to the intended senders and recipients” – see full story below.

And why then should one trust the postal services outside the US – given the Snowden revelations also revealed how intelligence agencies across the globe have duly followed the NSA leads?

The US Postal Service has been quietly surveilling more mail than anyone thought

Program captured information from the outside of 49,000 pieces of mail in 2013 alone, sharing it with law enforcement agents

By Carl Franzen on October 28, 2014 02:15 pm

Snail mail is growing steadily less popular thanks to the internet, but people in the US still send lots of it every year — over 158 billion pieces of mail were handled by the US Postal Service in 2013 alone. As it turns out, the USPS has also been quietly spying on way more of the mail passing through its doors than previously acknowledged. A report from the agency’s internal watchdog — the USPS Office of Inspector General (OIG) — found that USPS captured information from the outside of about 49,000 pieces of consumer mail in 2013 and turned much of it over to law enforcement organizations throughout the country, unbeknownst to the intended senders and recipients. This information reportedly did not include the contents of letters and packages, but rather was limited to the information appearing only on the exterior, such as names, addresses, and postmark dates.

The report on the USPS information capturing program, called “mail covers,” was initially published to little fanfare over the summer and subsequently reported on by Politico, but is getting more attention now with an article appearing today in The New York Times that includes additional details.

First some background: the mail covers program is hardly new, it’s been in existence for over a hundred years, as The Times notes. It’s also not as invasive as a full search warrant for the contents of mail, which the USPS also grants (although only for federal search warrants; state search warrants aren’t accepted by the agency). In a guide for law enforcement agencies, the USPS explains exactly how the program works: a police officer/law enforcement agent needs to be already conducting an investigation into a suspected felony and have the names and addresses for their intended surveillance targets. The officer must send this information to the USPS through the mail or provide it verbally (in person or over the phone), along with a reason why the mail cover is needed. Then the USPS will begin capturing the information from the exterior of all the targets’ incoming and outgoing mail for up to 30 days (although extensions are available). The USPS says that “information from a mail cover often provides valuable investigative leads,” but adds that it “is confidential and should be restricted to those persons who are participating in the investigation.”

However, as the OIG report found, there are numerous problems with the way the USPS has been running the mail covers program. For starters, the USPS has a mail cover app that apparently doesn’t work very well and is blamed for the agency continuing to capture information from the mail of 928 targets even after the surveillance period was supposed to have ended. The USPS also appears to have started mail cover surveillance on targets without sufficient justification from law enforcement as to why it was needed, and some USPS employees didn’t even keep the written justification on file like they were supposed to. And in a further failure of duty, several mail covers weren’t started on time. Perhaps most troubling of all, the USPS doesn’t appear to have been accurately reporting the total number of mail covers in its official records provided to the Times under Freedom of Information Act requests, which show only 100,000 total requests for mail surveillance between 2001 and 2012 (an average of 8,000 a year, way fewer than the 49,000 mail covers acknowledged in the OIG report). The USPS said it agreed with the findings of the OIG report and would work to implement changes, but for an agency already struggling with how to move into the future, the findings are hardly good news.

Here’s an interesting story from BuzzFeed about a “little-noticed” court ruling from the US Justice Department – that the government has the right to impersonate someone’s identity, create a phony Facebook account in that person’s name, post racy photos found on that person’s seized phone – all without that person’s knowledge – in order to reach out to suspected criminals.

The world is still coming to grips with the snooping of personal information by the NSA, GCHQ and the likes in this post-Snowden era. But to commandeer one’s identity, without one’s knowledge, to catch criminals (or terrorists for that matter)? Has that gone too far, endangering one’s life?

(Btw check out this article on how to detect fake Facebook profiles.)

Government Set Up A Fake Facebook Page In This Woman’s Name

A DEA agent commandeered a woman’s identity, created a phony Facebook account in her name, and posted racy photos he found on her seized cell phone. The government said he had the right to do that.

Chris Hamby BuzzFeed Staff
Posted on Oct. 7, 2014, at 7:16 a.m.

The Justice Department is claiming, in a little-noticed court filing, that a federal agent had the right to impersonate a young woman online by creating a Facebook page in her name without her knowledge. Government lawyers also are defending the agent’s right to scour the woman’s seized cellphone and to post photographs — including racy pictures of her and even one of her young son and niece — to the phony social media account, which the agent was using to communicate with suspected criminals.

The woman, Sondra Arquiett, who then went by the name Sondra Prince, first learned her identity had been commandeered in 2010 when a friend asked about the pictures she was posting on her Facebook page. There she was, for anyone with an account to see — posing on the hood of a BMW, legs spread, or, in another, wearing only skimpy attire. She was surprised; she hadn’t even set up a Facebook page.

The account was actually set up by U.S. Drug Enforcement Administration special agent Timothy Sinnigen.

Not long before, law enforcement officers had arrested Arquiett, alleging she was part of a drug ring. A judge, weighing evidence that the single mom was a bit player who accepted responsibility, ultimately sentenced Arquiett to probation. But while she was awaiting trial, Sinnigen created the fake Facebook page using Arquiett’s real name, posted photos from her seized cell phone, and communicated with at least one wanted fugitive — all without her knowledge.

The Justice Department’s headquarters in Washington, D.C., referred all questions to the DEA, which then declined to answer questions and, in turn, referred inquiries to the local U.S. attorney’s office in Albany, New York. That office did not respond to multiple requests for an interview.

A Facebook spokesman declined to comment on the case. The site’s “Community Standards” say, “Claiming to be another person, creating a false presence for an organization, or creating multiple accounts undermines community and violates Facebook’s terms.” The spokesman said there is no exception to this policy for law enforcement.

Meanwhile, the bogus Facebook page remains accessible to the public, BuzzFeed News found.

Leading privacy experts told BuzzFeed News they found the case disturbing. “It reeks of misrepresentation, fraud, and invasion of privacy,” said Anita L. Allen, a professor at University of Pennsylvania Law School.

The experts also agreed that the case raises novel legal and ethical questions. There is a long tradition of deceptive practices by police that are legal, they noted. For example, officers assume a false identity to go undercover. “What’s different here,” said Ryan Calo, a professor at the University of Washington School of Law, is that the agent assumed the identity of a real person without her explicit consent.

“The technologies we have now are enabling all sorts of new uses,” said Neil Richards, a professor at the Washington University School of Law. “There are a whole bunch of new things that are possible, and we don’t have rules for them yet.”

The DEA’s actions might never have come to light if Arquiett, now 28, hadn’t sued Sinnigen, accusing him in federal district court in Syracuse, New York, of violating her privacy and placing her in danger.

In a court filing, a U.S. attorney acknowledges that, unbeknownst to Arquiett, Sinnigen created the fake Facebook account, posed as her, posted photos, sent a friend request to a fugitive, accepted other friend requests, and used the account “for a legitimate law enforcement purpose.”

The government’s response lays out an argument justifying Sinnigen’s actions: “Defendants admit that Plaintiff did not give express permission for the use of photographs contained on her phone on an undercover Facebook page, but state the Plaintiff implicitly consented by granting access to the information stored in her cell phone and by consenting to the use of that information to aid in an ongoing criminal investigations [sic].”

That argument is problematic, according to privacy experts. “I may allow someone to come into my home and search,” said Allen, of the University of Pennsylvania, “but that doesn’t mean they can take the photos from my coffee table and post them online.”

“I cannot imagine she thought that this would be a use that she consented to,” the University of Washington’s Calo said.

“That’s a dangerous expansion of the idea of consent, particularly given the amount of information on people’s cell phones,” said Elizabeth Joh, a professor at the University of California, Davis, School of Law.

The government’s court filing confirms that Sinnigen posted a photo of Arquiett “wearing either a two-piece bathing suit or a bra and underwear,” but denies “the characterization of the photograph as suggestive.”

This picture is no longer on the Facebook page, but others are. An album called “Sosa,” her nickname, shows her in a strapless shirt and large hoop earrings or, in another, lying face-down on the hood of the BMW, legs kicked up behind her. “At least I still have this car!” reads a comment supposedly posted by her.

The DOJ also acknowledges that Sinnigen posted photos of Arquiett’s son and niece, who were then clearly young children.

Arquiett’s current attorneys declined requests to interview her. But court documents tell much of her story.

She was arrested in July 2010 and accused of participating in a conspiracy to distribute cocaine, an offense that could carry up to a life sentence. She pled guilty in February 2011, and, in a court filing, federal prosecutors recommended a reduced sentence, noting that she was not a significant player in the conspiracy and had promptly accepted responsibility.

Arquiett grew up in Watertown, New York, according to a motion on sentencing by her attorney in her criminal case. Her father was imprisoned when she was an infant. Her mother was an alcoholic and drug user, and her stepfather abused both Arquiett and her mother.

By 2008, Arquiett was dating Jermaine Branford, who authorities believed to be the head of a drug trafficking ring, the criminal complaint against Arquiett says. He also physically abused her, according to the sentencing motion her lawyer filed.

The government accused Arquiett of allowing Branford and his associates to process and store cocaine in her apartment and helping them contact other members of the drug ring and arrange transactions. Branford later pled guilty in federal court to conspiracy to distribute cocaine and received a sentence of almost 16 years.

Arquiett’s lawyer argued that Branford and his crew took advantage of her vulnerabilities. “To her, because they ‘took care’ of her, she considered them like family,” attorney Kimberly Zimmer wrote. “In fact, they preyed upon and used her.”

Arquiett, Zimmer wrote, wasn’t paid like other members of the drug ring, just given money on occasion to buy gas or other items. “At the time, although she knew that her co-defendants were distributing drugs and that she was helping them to do so, she considered the things that she did for Branford and the other co-defendants as ‘favors,’ ” Zimmer wrote.

Zimmer also noted Sinnigen’s actions. “Ms. Arquiett never intended for any of the pictures on her phone to be displayed publicly, let alone on Facebook, which has more than 800 million active users,” she wrote in the motion addressing sentencing. “More disturbing than the fact that the DEA Agents posted a picture of her in her underwear and bra is the fact that the DEA agents posted a picture of her young son and young niece in connection with that Facebook account, which the DEA agents later claim was used for legitimate law enforcement purposes, that is, to have contact with individuals involved in narcotics distribution.”

Taking all of this into account, a judge sentenced Arquiett to five years of probation, including six months of weekend incarceration and six months of home detention. This March, a probation officer certified that she had complied with the terms of her sentence and terminated her probation.

From China with Love

It’s the one year anniversary of what is now known as the Snowden revelations, which appeared on June 5 and June 9 when The Guardian broke news of classified National Security Agency documents and Edward Snowden revealed himself in Hong Kong as the source of those leaks.

There is still much to decipher from the chronology of events in the aftermath and the sudden global awakening to the end of privacy. Among the impacts on the personal, business and political fronts, one interesting salient feature is the hypocritical rhetorical spats between the US and China in recent weeks, which could set the undertone for US-Sino relations for years to come.

Snowden said his biggest fear is that nothing would change following his bold decision a year ago.

You can find the entire column here.

NSA Snooping Compromises the Cloud Computing Industry

Facebook CEO Mark Zuckerberg complained last week that trust in social networks and Internet companies has dived ever since cyber snooping and spying activities by the US National Security Agency began to make global headlines earlier this year.

It is no surprise. In fact, as fugitive former NSA operative Edward Snowden pointed out, the encryption system adopted by the International Organization for Standardization and its 163 member countries were actually written by the NSA, convincing proof that online platforms being used by Internet companies and the commercial world, including banks, could in fact be easily compromised by the NSA.

In other words, the NSA designed their own secret back door into the global encryption system for their convenience. So until the encryption system has been overhauled and taken away from NSA’s control, no server and no cloud service provider is secure enough to be entrusted with any confidential data.

So why then are blindly trusting companies still moving ever more data into the cloud and onto servers, where online access to highly confidential information related to clients, customers, employees, deals, business plans and performances, etc., is available to the US snoops?

You can find the entire column here.

Take your pick: Edward Snowden, Internet and phone service providers, or just everybody?

The furor over the past week about how US intelligence agencies like the National Security Agency and the Federal Bureau of Investigation have for years scooped up massive loads of private communications data raises one critical and distressing question.

Who, worldwide and in the US, are the general public supposed to trust now that it seems all forms of digital and cyber communications risk being read by the American authorities? The Americans, it seems, don’t believe it’s that big a deal. By 62-34, according to the latest poll by Pew Research and the Washington Post, they say it’s more important to investigate the threats than protect their privacy. But what about the rest of the world?

The immediate acknowledgement, rather than point blank denial, of the massive clandestine eavesdropping programs is no doubt alarming even for those long suspicious of such covert undertakings. But the more disturbing part is that the official response amounts to plain outright lies.

Please read this entire Opinion Column here.

The Security Assault on Social Networks

Forget hacking. It works but it’s illegal.

Big data mining is the future of cyber espionage. It is not illegal as long as the data is open source and in the public domain. And all that data on “open” social networking Web sites are most vulnerable.

Two recent commercially developed software packages could soon be giving your government and employer and possibly anyone else who is interested – ways to spy on you like never before, including monitoring your words, your movements and even your plans now and into the future.

Please read the full column here and there.

Looking back at 2010: A Very Social World
The world has changed. More than ever before, it is dominated by two opposing forces: the compulsion to share information and the need to control it. The year 2010 can claim to have a pivotal spot in the technological history of mankind, though not evidently for the better.
On the eve of the New Year, I began to wonder what some of the most significant world events were and which of these stood out. How could they further have an impact on a world already paranoid about privacy and national security on one hand, and obsessed with the advancement of techno-devices on the other?
The WikiLeaks headlines obviously top the list on a global scale, followed by the Google pullout from China, which left its mark on the world of corporate espionage. Third is the pressure exerted on the Canadian company Research In Motion (RIM) to hand over its Blackberry encryption to several governments.
These three events signify a paradigm shift in the gathering and sharing of information… (Read the entire column here and there).