Cell phone searches are a common law enforcement tool, but up until now, the public has largely been in the dark regarding how much sensitive information the government can get with this invasive surveillance technique. A document submitted to court in connection with a drug investigation, which we recently discovered, provides a rare inventory of the types of data that federal agents are able to obtain from a seized iPhone using advanced forensic analysis tools. The list, available here, starkly demonstrates just how invasive cell phone searches are—and why law enforcement should be required to obtain a warrant before conducting them.

Last fall, officers from Immigration and Customs Enforcement (ICE) seized an iPhone from the bedroom of a suspect in a drug investigation. In a single data extraction session, ICE collected a huge array of personal data from the phone. Among other information, ICE obtained:

call activity
phone book directory information
stored voicemails and text messages
photos and videos
apps
eight different passwords
659 geolocation points, including 227 cell towers and 403 WiFi networks with which the cell phone had previously connected.

For the full article, see here.

The post New document sheds light on government’s ability to search iPhones appeared first on The Citizen Lab.

In September 2011, two Mexican bloggers who reported frequently on local crime, including drug trafficking and related gang activity, were tortured and hanged on a pedestrian bridge in Nuevo Laredo, a town near the U.S. border. The town is run by the Zetas, one of Mexico’s most active and dangerous criminal organizations. A note near the scene signed “Z” warned that other Internet users could meet the same fate.

Later that month, the body of a decapitated woman was found in the city with a message saying she was killed for her posts on the social media forum “Nuevo Laredo en Vivo.”

That these victims were journalists and bloggers working online signals the increasing vulnerability of digital journalists in Mexico. Despite this, most Mexican journalists and bloggers reporting on highly sensitive topics (such as crime, corruption, violence and human rights issues) do not fully understand the risks and threats they face when they use digital and mobile technology, even though the topics they cover make them even more vulnerable, a new survey by Freedom House and the International Center for Journalists finds.

ICFJ Knight International Journalism Fellow Jorge Luis Sierra prepared the 21-question survey, which was completed by 102 journalists and bloggers in 20 Mexican states, particularly those affected by drug violence and where journalists and bloggers have been under stress due to a wave of murders, kidnappings, physical attacks and death threats.

For the full article, see here.

The post Mexico’s most vulnerable reporters lack digital security skills appeared first on The Citizen Lab.

Table of Contents

• Facebook, Skype and Instagram
• Privacy legislation updates, proposals and responses
• Mobile App Privacy
• SSL Implementations

Facebook, Skype and Instagram

New features, security concerns and policy fumbles among web giants Facebook, Skype and Instagram each caused a significant amount of concern among privacy advocates and the larger web community this past month.

Facebook Graph Search announced

Facebook’s newly announced Graph Search has caused large ripples among privacy and security commentators. The product greatly enhances the specificity of search results on the social network by incorporating powerful filtering mechanisms based on people’s profile data, “likes”, and other activities. For example, a satirical blog called “Actual Facebook Graph Searches” outlines some disturbing search queries, such as “Family members of people who live in China and like Falun Gong”, which highlight the product’s potential for malicious use. While Facebook claims Graph Search conforms to existing privacy settings and does not expose any information previously unavailable, critics point out that it works to undermine a Facebook user’s sense of obscurity. Currently, users have some perception that their activity on the site will drift away into obscurity as new activities appear at the top of people’s feeds. Graph Search, however, can efficiently dig up those long-forgotten posts, Likes and interests, bringing information to light that could be useful to stalkers, phishing operatives, or potential employers. In response to these risks, the Electronic Frontier Foundation (EFF) has published a guide on “How to protect your privacy from Facebook’s Graph Search”.

Skype under pressure from activists

A recent open letter to Skype signed by Reporters without Borders, the EFF, and many other organizations calls on Skype’s owner, Microsoft, to clarify what information is stored when people use its service and make public any government requests for such data. Essentially, they are calling on Skype to issue a transparency report similar to those released Google and Twitter. The letter also demands Skype’s analysis of what data malicious third parties may be able to collect, and to clarify the company’s relationship with TOM Online, the operator of a licensed, modified version of Skype for the Chinese market. While the letter asks that Skype explains what it knows about “the surveillance and censorship” that users “may be subject to” while using Tom-Skype, as was reported by the Information Warfare Monitor — a public-private venture between two Canadian institutions: the Citizen Lab and the SecDev Group, an operational think tank based in a Ottawa (Canada) — in 2008, messages containing blacklisted words such as ‘“Taiwan Independence” trigger the application to send chat logs to a Chinese server and block the transmission of such messages to others. Skype’s owner at that time, eBay, had no comment on the message monitoring; Microsoft is currently “reviewing the letter” — how it will respond remains to be seen.

Aftermath of Instagram TOS debacle

After last month’s public outcry over language in Instagram’s update to its Terms of Service which may have permitted it or its affiliates to use user content in advertisements, independent analytics suggested that Instagram’s daily active users dropped by 50 percent in the weeks after the announcement. Although the company responded to the community uproar by reverting the advertising section of its Terms to the earlier language, the negative publicity seemed to have taken a large toll. However, since those reports, Instagram has released its own data indicating 90 million monthly active users, and claimed that it continues to see strong growth around the world. While the company’s response may have helped to mitigate some long-term damage to its user base, the backlash highlights that social media users are keen to make their voices heard when it comes to perceived potential misuses of personal data.

Back to top

Privacy legislation updates, proposals and responses

The close of 2012 and the start of 2013 saw several key legislative stories surface regarding the collection and disclosure of user data, both in the United States and EU.

ECPA / VPPA shuffles

In the wake of last year’s Petraeus affair, many privacy activists in the United States called for modernizations to the Electronic Communications Privacy Act of 1986 (ECPA) to better protect email privacy from law enforcement. Late last year, the Senate Judiciary committee passed a bill to amend ECPA that would require law enforcement to obtain a warrant before compelling service providers to hand over a subscriber’s emails. However, when Congress considered the bill, they added an amendment to the Video Privacy Protection act of 1988 (VPPA) to it, and later dropped the ECPA reforms shortly before voting, after heavy law enforcement lobbying.

The VPPA amendment passed, and U.S. companies may now obtain distinct consent via the Internet to disclose a consumer’s video viewing information through electronic means. Netflix lobbied for the change in order for its users to legally be allowed to share their video watching habits on Facebook.

Google and others want to see a warrant

Perhaps as a response to the fizzled attempt to amend ECPA, Google announced late January that it requires a probable cause warrant in order to divulge the contents of a user’s Gmail messages to law enforcement. Authorities may still obtain registration information such as name and IP address without a warrant, using only a subpoena. This announcement coincided with the release of Google’s latest transparency report, which for the first time breaks down U.S. government requests for data by legal justification. The report shows that 68 percent of U.S. requests were made with only a subpoena, which is similar to the 60 percent figure released by Twitter in its latest transparency report.

After the news about Google’s policy broke, The Hill newspaper reported that Microsoft, Facebook, and Yahoo! also require warrants before divulging the contents of their user’s communications. The companies all reportedly justified their policies based on case law arising from United States vs. Warshak, a ruling that found police breached an individual’s constitutional (fourth amendment) rights against unreasonable search and seizure when obtaining email contents without a warrant.

EU data privacy law proposal draws responses from lobbyists, activists

A draft of a new EU Data Protection Regulation would significantly broaden the definition of personal data to include a variety of persistent online identifiers such as cookies, IP addresses, “and other unique identifiers”. The law would also mandate that users provide explicit (opt-in) consent to data processing activities before online service providers utilize their data in such a manner. Furthermore, consent would be invalidated if a platform’s terms of service change in such a way that a person has no option other than to accept the change or cease using the platform he / she has devoted significant time to. Der Spiegel claims this provision could refer to Facebook’s strategy of continually expanding the scope of “public” items on the platform.

In response to the proposed law, a lobbyist representing U.S. companies such as Facebook, Google and Zynga posited that if they were not legally able to monetize user data, Gmail and Facebook may be compelled to start to charge customers for the services. In opposition to such lobbying, U.S. data privacy advocates such as the American Civil Liberties Union, the Consumer Federation of America, and the Center for Digital Democracy wrote to the EU in favour of increased consumer protections.

States’ social media employment laws

California and Illinois have both passed laws that bar employers from demanding social media login details from job applicants and employees, while Nebraska and Vermont are considering similar legislation. These laws are aimed at curbing employers’ practices of managers and other authority figures snooping on their employee’s activities on social networks. The California law furthermore protects university students in a similar manner and prohibits retaliation in the case that someone refuses a request to disclose such social media information.

COPPA rule revised

The FTC issued a decision this month that amended the Commission’s rules regarding its enforcement of the Child’s Online Privacy Protection Act (COPPA). The ruling will enable websites to obtain verifiable parental consent to the disclosure of children’s personal information through newly approved methods such as the electronic submission of scanned consent forms or video conferencing. The ruling is intended to make it simpler for web services to obtain proper consent and comply with the law. It furthermore adds new forms of personally identifiable information to its scope, including physical location, a child’s image or his/her voice.

Back to top

Mobile App Privacy

Mobile applications continue to introduce new privacy challenges; and policy makers and watchdogs are following suit by releasing guidelines to help developers to protect their users’ data.

California issues mobile app privacy guidelines

The state of California has released “Privacy on the Go (PDF)”, a guide for mobile app developers to approach privacy by design when building their applications. Some highlights from the guidelines include a call for readable privacy policies, notice when data is shared with third parties, and for apps to only collect the minimum amount of personally identifiable information required for system functionality. Onlookers point to this as an example of the growing awareness of mobile privacy issues, and an important step in protecting user privacy. The recommendations are not enforceable by law, but they may be signposts indicating the direction the the law will take in the future.

Back to top

SSL Implementations

SSL is an encryption layer that secures normal web communications using the http standard. It is increasingly being adopted as the default by social media sites, which previously only utilized the protocol when dealing with usernames and passwords (such as during registration or log-ins).

Yahoo! Mail now under https following XSS vulnerability

Yahoo! Mail now joins other major webmail providers by offering users the ability to use SSL connections during use sessions. This follows a call by the EFF and other rights groups last year for the company to do so. Yahoo! Mail was also recently compromised by an XSS vulnerability that could have provided attackers with backdoor access to millions of accounts. In the wake of that incident, Yahoo!’s chief information security officer was dismissed. The move to implement SSL as an option still leaves Yahoo behind Microsoft Live and Gmail, which implement the secure protocol by default.

Nokia server decrypts HTTPS data en route to mobile browser

Nokia’s mobile browser “Xpress” drew criticism due to an intermediary server’s decryption of secured data during transmission. The browser routes all incoming web traffic through a centralized server that pre-processes content to reduce filesize and save bandwidth. This preprocessing is a fairly common practice among mobile browsers, but Nokia’s servers temporarily store encrypted data in plain text form, leaving the data in an accessible format, and circumventing the security expected by its users. Nokia assured the public that it wasn’t using this decrypted data to spy on its users; however, critics call on the company to be more transparent in its use of user data.

Back to top

Read previous editions of Social Media CyberWatch.

The post Social Media CyberWatch – January 2013 appeared first on The Citizen Lab.

On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to login to services on the Internet.

Update: Nokia has confirmed the behavior, but says it is nothing to worry about, as outlined in the update at the bottom of this article.

Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are either redirected to Ovi proxy servers if the Nokia browser is used, or to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent).

While there was no indication that Nokia is conducting a man-in-the-middle (MITM) attack, it certainly could be. This led him to wonder about what Nokia could be doing behind the scenes with all this information, and a new investigation this month. He wanted to verify that HTTPS traffic, at the very least, is being transferred without any intermediate host inspecting it.

For the full article, see here.

The post Nokia confirms it is hijacking traffic on some of its phones, grabbing your HTTPS data unencrypted appeared first on The Citizen Lab.

“The risk is still pretty low but that doesn’t mean it’s always going to be that way, it’s just still a relatively new space. The moment people start to figure out how to take advantage of it for money is when we’ll see a lot more of it targeting the average user,” Hardy said.

The good news is that hackers have yet to begin aggressively targeting average consumers in North America.

Read the full piece here.

The post Citizen Lab Senior Security Analyst Seth Hardy in CTV News piece appeared first on The Citizen Lab.

Pakistan’s government will continue its suspension of cell phone services in several parts of the country Saturday morning after it restores services Friday midnight, the interior minister said.

Rehman Malik told reporters in Islamabad that the suspension will resume at 6 am on Saturday and will run through the next day, the 10th day of Ashura, to “ensure security during and after the Muharram processions”.

Militants in Pakistan often detonate bombs using cell phones and the government has implemented similar service suspensions in the past, but not on such a wide scale.

Malik said 90 per cent of the bombs set off by militants in Pakistan have been detonated using cell phones.

Cellular services were suspended Friday in Karachi, Quetta, and several parts of the capital Islamabad from 1pm on interior minister’s directives.

“We have shut our service in Karachi and Quetta on the instructions of the Pakistan Telecommunications Authority from 1:00 pm to midnight,” said an official at Mobilink, the country’s largest mobile phone service provider.

For the full article, see here.

The post Cellular services suspended in Karachi and Quetta appeared first on The Citizen Lab.

Adi Pito and his friend Avi Genasia were checking out the damage from the first – and so far only – fatal rocket attack of the past week when there was a deep rumble on the horizon.

There was also a buzz from Mr. Genasia’s iPhone. A rocket had been fired from Gaza.

Thanks to Color Red, a new app thought up by a 13-year-old, Israelis all over the country know exactly when and where each rocket is headed.

Think you know the Middle East? Take our geography quiz.

The geeky solution for Israel’s more than 3 million residents threatened by rocket fire isn’t the first time Israel’s high-tech prowess has been applied to its security threats. In fact, much of Israel’s innovation economy – which is considered second only to Silicon Valley – is spurred by the demands of its military and related security industries.

Perhaps adversity whets Israel’s competitive edge, as suggested by the 2009 best-seller Start-Up Nation. According to Israeli press reports, the young teenager behind Color Red is from Beersheva, one of the cities that bears the brunt of Gaza rocket fire – and thus pops up most frequently on the app.

For the full article, see here.

The post When Hamas launches a rocket, Israeli iPhones buzz appeared first on The Citizen Lab.

All emails, telephone calls and other communications with the rest of the world will begin to be monitored within 90 days at a cost of million of dollars, according to a deadline given by the government to operators including PTCL.

The government has assigned PTCL and other operators to install monitoring equipment by the end of this year for checking voice and email communications from abroad and the services of the country’s spy agency will be used basically to check and curb blasphemous and obscene websites on the Internet.

“The regulator, the Pakistan Telecommunication Authority (PTA), has assigned 14 LDIs, including PTCL, to install this monitoring equipment,” senior executive vice president of the Pakistan Telecommunication Company Limited (PTCL) Sikandar Naqi toldThe News on Thursday.

He said the PTA had installed a monitoring system to check 15 gigabytes (GB) traffic coming from international routes at a cost of $10 million in 2008. Now this international traffic from abroad has increased to 275 GB so the cost of monitoring could be higher.

For the full article, see here.

The post Pakistan to monitor all emails, calls within 90 days appeared first on The Citizen Lab.

If you’re the brand new owner of a Verizon iPhone, you’ve got 30 days to opt-out of sharing information including anonymized location data as well as demographics like age, gender, sports teams, dining habits and more. The opt-out was pointed out by Bryan Clark on App.net and shared by Benjamin Brooks. Updated below with more information from Verizon.

The opt-out options are only available for 30 days after you’ve fired up a new line and they’re located in the MyPrivacy section of Verizon’s website. There are three categories of opt-out, each of which covers the sharing of a different flavor of personal information.

And they’re not just for iPhone owners, any smartphone purchaser is likely going to need to check out these privacy settings if they want to make sure they’re only sharing what they wish. I’m an iPhone owner, so could only confirm that it was there for me, but I don’t see why it wouldn’t be for other devices as well.

For the full article, see here.

The post Verizon iPhone owners have 30 days to opt-out of sharing location, search data and more with advertisers appeared first on The Citizen Lab.

The government is gearing up to arm cyber sleuths with forensic tools to catch up with criminals who outsmart investigators by using secure mobile phones or password-protected computers that leave few footprints once the data is deleted.

The Union home ministry has decided to buy more than 30 licensed software from firms in the US, Canada and Israel to crack open data in seized mobile phones and computers. The move comes after cyber forensic investigators failed to make much headway in deciphering password-protected data or retrieving deleted data from seized iPhones, BlackBerry handsets, Apple computers and even Windows-based mobile phones.

An official, who did not wish to be named, told ET that criminals are increasingly using such gadgets, which don’t allow access to password-protected data and leave virtually no trace of deleted email content and Internet history.

The software, for which a bid was floated recently, will be used by the Central Forensic Science Laboratory (CFSL) in Delhi and the five regional CFSLs in Mumbai, Kolkata, Chennai, Guwahati and Jammu, the official said.

The software will help access and recover data from 4,000 types of mobile phones, including those running on Apple, BlackBerry and Windows platforms.

Besides retrieving email and Internet history from the seized gadgets, the software will also prepare a “built-in smartphone report”, throwing up crucial evidence to be presented before the courts and furnishing further leads to the intelligence agencies.

For the full article, see

The post Indian government plans to acquire code-busting software to tackle smartphone crime appeared first on The Citizen Lab.