Bonzer Wolf Today™

Entries in privacy (4)

Thursday, Sep 12, 2013

Wickr Your Way to Privacy

Wickr Transparency Report

By Jennifer DeTrani, Wickr General Counsel August 4, 2013

Our Philosophy:

Wickr received its first government request to hand over data in February of this year; however, because Wickr requires all data requests to go through the U.S. judicial system, no information regarding the requested user account was disclosed.

We believe in maintaining a level of transparency with respect to government and court ordered requests and that your data belongs to you. Furthermore, because of the manner in which messages on Wickr are encrypted, even with a properly issued subpoena, Wickr can never provide the content of the messages. Content is protected in transit and at rest and is only readable by you and your intended recipient. We can only provide a snapshot of the account at a given moment and such details as the date of creation of an account, the type of device on which the account is used, and the date of last use of the account.

For more information on what type of information we collect related to your account, please read our privacy policy at https://www.mywickr.com/en/privacypolicy.php

Wickr is committed to sharing the number of requests for user information that we receive from law enforcement and how we handle them.

Our Promise:

As the electronic landscape continues to expand and change with regard to users’ privacy rights, we remain committed to remaining transparent with our users and various government entities. That having been said, there are no back doors. What you see is what you get.

Prediction of the Future:

In light of recent events involving data-collection practices within the U.S., it is apparent that certain government organizations are eager to gain access to user information for various reasons pursuant to the PRISM Program. We at Wickr are cognizant of such practices but maintain that due to the specific architecture employed by Wickr there are no back doors to our system. Therefore, should such lawful government requests arise, we will wholly comply; however, such compliance will be limited to metadata based on the specifics of the proprietary encryption process. In other words, while user data requests may certainly increase in the future, our goal is to address them honestly and openly with the understanding that such data requests will reveal only account information, never content, given the nature of our unique technology.

THE INTERNET IS FOREVER. YOUR PRIVATE COMMUNICATIONS DON'T NEED TO BE.

https://www.mywickr.com/en/index.php

Monday, Dec 10, 2012

Everyone in U.S. Under Virtual Surveillance by NSA

As a former special agent with the Departments of State and Treasury and Homeland Security, my ears perk up when I hear someone talk about domestic spying by the National Security Agency (NSA). The Federal Bureau of Investigation (FBI) and virtually all other federal law enforcement and investigative agencies have unlimited access to NSA information. I will not disclose classified information that may have come to my attention during my career but I will say this report does not surprise me.

NSA Whistleblower William Binney was recently interviewed by Russia Today. I have been paying close attention to Binney's story.

Binney came to national attention earlier this year when he started telling the story of how NSA surveillance works to anyone who would listen. He is a crypto-mathematician and a codebreaker (described as one of the best in NSA history) and his explanation of the spying program appeared in the New York Times in August 2012. Binney spoke about “Stellar Wind,” a top-secret domestic spying program developed by the NSA, and its implications for civilian security and privacy.

After the recent General Petraeus scandal, the NSA has come under the spotlight as it pertains to domestic spying and the privacy of US citizens and their digital dealings. Everyone should be aware that anything sent over the Internet can be intercepted. Everything sent in the clear is largely unprotected; but the scale of surveillance of any individual citizen has always been something of a technical conundrum.

It’s unlikely that any one person (not already targeted) could have all their data ransacked by even an overfunded government agency because of the sheer volume, but with the falling prices on big storage technology and the advent of Big Data, fears of the NSA’s spying powers are less science fiction and more business fact. Massive storage of petabytes and the analytics necessary to process it are not uncommon today.

“He is [President Obama] supporting the building of the Bluffdale (Utah) facility which is over 2 million dollars they’re spending on storage alone of data,” says Binney when asked about how the current administration may have changed the NSA’s mission. “Which means they’re collecting a lot more now and they need more storage for it. That facility, by my calculations, that I submitted in a sworn affidavit to the court for the EFF lawsuit against the NSA would hold on the order of 5,000 exabytes or 5 zettabytes of data…and that’s not talking about what they might have in the future.”

Binney is alleging a great deal of surveillance that extends to billions of communications.

Even now, with Anonymous rattling around like the rats in the walls of the Internet, the youth of many countries are turning to the use of anonymizing services and VPN services to hide their cyber-activities from prying eyes. Although for the most part this cultural shift is due to ISPs throttling and essentially spying on their own customers as part of anti-copying regimes—we’ve seen the sudden up-thrust of more VPN use after the UK blocked The Pirate Bay, but using more security to hide communication would also tend to help shield against government surveillance to an extent as well.

Not long after the Petraeus scandal hit the airwaves, it sparked a debate about domestic government spying and much of the media circled back to Google’s most recent semiannual Transparency Report. In that, Google revealed that they’d received over 20,000 requests from governments around the world and complied with almost 90% of them. This doesn’t even cover covert surveillance of the type that Binney speaks about in his interview.

Much of this behavior, and the radical transparency of Internet communications may lead to a paradigm shift among the wired-and-wise to migrate to more secure communication, use more cryptography in their daily communications, and watch what they say online. Of course, the opposite is also true: as the Internet integrates more fully into our daily lives, it’s easy to be more cavalier about what we say online, what information we boast across the wires, and recklessly abandon in dusty 3rd party storage silos.

Of course, a person targeted for surveillance by a large agency wouldn’t be able to hide their activity even if they encrypted everything online—spies capably sussed out communications long before the arrival of the Internet.

Binney believes that he’s definitely a “target” and takes a bit of humor in his being in the NSA’s spotlight:

“So I keep telling them everything I think of them in my e-mail, so when they read it they know everything I think of them,” he says.

Binney - The FBI has access to the data collected, which is basically the emails of virtually everybody in the country. And the FBI has access to it. All the congressional members are on the surveillance too, no one is excluded. They are all included. So, yes, this can happen to anyone. If they become a target for whatever reason - they are targeted by the government, the government can go in, or the FBI, or other agencies of the government, they can go into their database, pull all that data collected on them over the years, and we analyze it all. So, we have to actively analyze everything they've done for the last 10 years at least.


The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. -4th Amendment

Wednesday, May 18, 2011

Police Can Create "Exigent Circumstances" to Kick Down Your Door

States cannot grant their citizens wider freedoms from search and seizure than federal courts do, and police may manipulate events that allow them to avoid getting Fourth Amendment search warrants from judges for home searches, the U.S. Supreme Court ruled May 13 in the case of Kentucky v. King. The 8-1 decision included a stinging dissent from Justice Ruth Bader Ginsburg, one of the most liberal justices on the bench.

Ginsburg argued in her dissent: “The Court today arms the police with a way routinely to dishonor the Fourth Amendment’s warrant requirement in drug cases. In lieu of presenting their evidence to a neutral magistrate, police officers may now knock, listen, then break the door down, nevermind that they had ample time to obtain a warrant.”

The court syllabus described the facts in the case:

Police officers in Lexington, Kentucky, followed a suspected drug dealer to an apartment complex. They smelled marijuana outside an apartment door, knocked loudly, and announced their presence. As soon as the officers began knocking, they heard noises coming from the apartment; the officers believed that these noises were consistent with the destruction of evidence. The officers announced their intent to enter the apartment, kicked in the door, and found [the defendant] and others. They saw drugs in plain view during a protective sweep of the apartment and found additional evidence during a subsequent search.

The Kentucky lower courts convicted King, but the state supreme court ruled that police cannot “deliberately creat[e] the exigent circumstances with the bad faith intent to avoid the warrant requirement.” In essence, the Kentucky Supreme Court ruled that police were too lazy to get a search warrant, and knew that if they had any reason to believe that evidence was being destroyed they wouldn't have to get one. So they went up to the apartment and knocked loudly on the door and announced that they were the police, expecting the drug dealer to start to try to destroy the evidence. As soon as they heard shuffling in the house, they broke down the door without a warrant.

The court, in rejecting the Kentucky Supreme Court's ruling, stated that the Kentucky decision would create unacceptable and unwarranted difficulties for law enforcement officers who must make quick decisions in the field, as well as for judges who would be required to determine after the fact whether the destruction of evidence in response to a knock on the door was reasonably foreseeable based on what the officers knew at the time.

As Ginsburg explained in her dissent, “Circumstances qualify as exigent [i.e., don't require a warrant, according to the court] when there is an imminent risk of death or serious injury, or danger that evidence will be immediately destroyed, or that a suspect will escape.” The majority in the court admitted that destruction of evidence issues probably occur most frequently in drug cases because drugs may be easily destroyed by flushing them down a toilet or rinsing them down a drain. Persons in possession of valuable drugs are unlikely to destroy them unless they fear discovery by the police. Indeed, destruction of evidence in a murder case is not as practical; a body cannot be easily disposed of in the same manner and other evidence (such as blood on carpets, DNA evidence, etc.) is even more difficult to destroy. So the exigent circumstances exception has largely been crafted by courts to accommodate the federal war on drugs.

But the Fourth Amendment makes no mention of an exigent circumstances exception to the warrant requirement. Ginsburg notes that “the Court has accordingly declared warrantless searches, in the main, per se unreasonable,” citing the 1978 precedent of Mincey v. Arizona. Indeed the Fourth Amendment uses a four-part test to define a reasonable search. All searches, to be reasonable under the Fourth Amendment, must contain: 1) probable cause and 2) a warrant that must be backed with 3) an oath or affirmation and 4) specificity particularly describing the place to be searched, and the persons or things to be seized. Ginsburg stressed that the court overturned a 1947 ruling on an identical issue; in Johnson v. U.S., police barged into a hotel room without a warrant after smelling burning opium and noises that appeared to be efforts to cover up the evidence.

In the Kentucky case, Ginsburg stressed that there was little risk that drug-related evidence would have been destroyed had the police delayed the search pending a magistrate’s authorization.

But Ginsburg failed to mention that the Supreme Court in the Kentucky case also violated the sovereignty of the Commonwealth of Kentucky by denying them the right to expand the understanding of the Fourth Amendment in state cases beyond what is required of federal officials. While the 14th Amendment denies states the right to infringe upon freedoms guaranteed by the U.S. Constitution, and gives Congress the power to enforce it, there's nothing in the U.S. Constitution that allows the federal courts to take away rights states guarantee to individuals. The first section of the 14th Amendment reads:

No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws.

Federal courts since 1925 have understood that part of the 14th Amendment to mean that state governments may not deprive persons of any enumerated right under the Constitution or Bill of Rights. The so-called incorporation doctrine has been, until now, an expansive one. That is, states may define rights enumerated in the U.S. Constitution and Bill of Rights, or their own state constitutions, more broadly to confer wider freedoms upon their citizens than are protected under federal law — but not more narrowly. Kentucky v. King may be the first case decided by the Supreme Court that rules states may not grant more freedoms to their citizens than federal courts understand.

Ginsburg's dissent asked: “How secure do our homes remain if police, armed with no warrant, can pound on doors at will and, on hearing sounds indicative of things moving, forcibly enter and search for evidence of unlawful activity?” The answer is not very.

Monday, Jan 24, 2011

Police Can Search Smartphones Without Warrants

Ryan Radia focuses on adapting law and public policy to the unique challenges of the information age. His research areas include information privacy, telecommunications, competition policy, free speech, intellectual property, and media regulation.

Radia is a frequent contributor to the Technology Liberation Front, the technology policy blog dedicated to preserving freedom and liberty in the information age. He recently wrote an article for Gear and Gadgets about “Why you should always encrypt your smartphone.”

Last week, California's Supreme Court reached a controversial 5-2 decision holding that police officers may lawfully search mobile phones found on arrested individuals' persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the 4th Amendment to the Constitution.

California's opinion in Diaz is the latest of several recent court rulings upholding warrantless searches of mobile phones incident to arrest. While this precedent is troubling for civil liberties, it's not a death knell for mobile phone privacy. If you follow a few basic guidelines, you can protect your mobile device from unreasonable search and seizure, even in the event of arrest.

While the search incident to arrest exception gives police free rein to search and seize mobile phones found on arrestees’ persons, police generally cannot lawfully compel suspects to disclose or enter their mobile phone passwords. That's because the Fifth Amendment's protection against self-incrimination bars the government from compelling an individual to divulge any information or engage in any action considered to be testimonial—that is, predicated on potentially incriminating knowledge contained solely within the suspect's mind.

Individuals can be forced to make an incriminating testimonial communication only when there is no possibility that it will be used against them (such as when prosecutors have granted them immunity).

As such, if you are arrested or detained by a law enforcement officer, you cannot lawfully be compelled to tell the officer anything other than your basic identifying information—even if the officer has not read you the Miranda warning. Exercising your right to remain silent cannot be held against you in a court of law, nor can it be used to establish probable cause for a search warrant.

However, if you voluntarily disclose or enter your mobile phone password in response to police interrogation, any evidence of illegal activity found on (or by way of) your phone is admissible in court, regardless of whether or not you've been Mirandized.

While police cannot force you to disclose your mobile phone password, once they've lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack). If police succeed in gaining access to your mobile phone, they may make a copy of all information contained on the device for subsequent examination and analysis.

Alarmingly, in many cases, extracting data from a mobile device is possible even if the device password is not known. Such extraction techniques take advantage of widely known vulnerabilities that make it disturbingly simple to access data stored on a smartphone by merely plugging the device into a computer and running specialized forensics software. For instance, Android and iPhone devices are vulnerable to a range of exploits, some of which Ars documented in 2009.

Therefore, if you care about your privacy, password-protecting your smartphone should be a no-brainer. Better yet, you should ensure your smartphone supports a secure implementation of full-disk encryption. With this method of encryption, all user information is encrypted while the phone is at rest. While it isn't absolutely foolproof, full-disk encryption is the most reliable and practical method for safeguarding your smartphone data from the prying eyes of law enforcement officers (and from wrongdoers, like the guy who walks off with your phone after you accidentally leave it in a bar).

Unfortunately, few consumer-grade smartphones support full device encryption. While there are numerous smartphone apps available for encrypting particular types of files, such as emails (e.g., NitroDesk TouchDown), voice calls (e.g., RedPhone), and text messages (e.g., Cypher), these selective encryption tools offer insufficient protection unless you're confident that no incriminating evidence exists anywhere on your smartphone outside of an encrypted container.

Despite the generally sorry state of mobile device security, a few options exist for privacy-conscious mobile phone owners. Research in Motion's BlackBerry, when configured properly, is still widely considered to be the most secure smartphone platform. In fact, BlackBerry's transport encryption is so robust that a few foreign governments have recently forced RIM to install backdoors for law enforcement purposes.

For information on the state of mobile phone security, see this excellent InfoWorld article in which Galen Gruman assesses each major mobile platform's security strengths and weaknesses.

With the ascent of cloud computing, smartphones increasingly provide a window into our private lives, enabling us to access and store practically limitless amounts of sensitive personal data. As ultra-fast 4G wireless networks emerge, mobile devices will likely grow even more intertwined with our digital lives. Just as we have long stored our personal papers and effects in our desks or file cabinets at home, today we're just as likely to store such information in digital format on cloud services like Windows Live or Google. Thus, the Fourth Amendment demands that mobile phones—a primary gateway to our lives in the cloud—be treated as an extension of the home, rather than mere physical containers analogous to cigarette packs.

California Deputy Attorney General Victoria Wilson, who argued Diaz for the state, has told reporters that the matter of warrantless cell phone searches is ripe for resolution by the US Supreme Court. If that happens, let's hope the nation's high court sides with common sense and reaffirms its 2001 ruling in Kyllo v. US that the Fourth Amendment’s protections must adapt to safeguard our rights as technology evolves.