Online privacy

Privacy isn't Dead. It's More Popular Than Ever

One out of every seven people on the planet uses the messaging app WhatsApp every day, according to a recent blog post from the company. A billion people a day send messages to their friends and family on a service that's end-to-end encrypted by default, up from a billion per month in 2016. That surge in growth stands in sharp contrast to Twitter, which added approximately no new monthly users last quarter, and had in fact lost two million in the US. WhatsApp and Twitter don't just represent contrary growth curves; they're the polar opposites of messaging. Twitter is public. WhatsApp is private. Twitter has a huge problem with safety, while WhatsApp has made privacy and security the center of its mission. And it's now more clear than ever that people have made their choice.

We tested apps for children. Half failed to protect their data.

[Commentary] More than 50 percent of Google Play apps targeted at children under 13—we examined more than 5,000 of the most popular (many of which have been downloaded millions of times)—appear to be failing to protect data. In fact, the apps we examined appear to regularly send potentially sensitive information—including device serial numbers, which are often paired with location data, email addresses, and other personally identifiable information—to third-party advertisers. Over 90 percent of these cases involve apps transmitting identifiers that cannot be changed or deleted, like hardware serial numbers—thereby enabling long-term tracking.

We suspect that most of the developers whose apps fail to protect data do not have nefarious intent, but rather fail to configure their software properly or neglect to scrutinize practices of the third-party advertisers they rely upon to generate revenue. When building an app, developers import ready-to-use code from many different third parties, including advertising companies. While this code “reuse” results in time savings and fewer errors, app developers likely do not realize that they are liable for all code included in their apps, regardless of whether or not they were the ones who wrote it.

[Serge Egelman is research director of the Usable Security & Privacy group at the International Computer Science Institute and an affiliated researcher at the University of California, Berkeley Center for Long-Term Cybersecurity]

Senate Resurrects Cloud Storage Protections Bill

A bipartisan bill, the ECPA Modernization Act, has been introduced that would update communications privacy law to protect cloud storage. It is the latest effort by the Senate to address the issue after the House voted overwhelmingly to protect older data. In the previous Congress, Senate Judiciary Committee chairman Charles Grassley (R-IA) pulled an Electronic Communications Privacy Act update bill from the committee's markup agenda after "poison pill" amendments threatened to expand the bill into areas that neither of its co-sponsors wanted it to go. That baseline bill, which passed the House 419 to zero, would have updated the Electronic Communications Privacy Act to provide protections for cloud storage by requiring a probable cause warrant for accessing information in the cloud and extending the protections to emails and other content stored over 180 days (currently no warrant is required to access those).

ISAO SP 4000: Protecting Consumer Privacy in Cybersecurity Information Sharing V1.0

The purpose of this document is to assist risk managers in making decisions with respect to privacy when sharing cybersecurity information. It builds upon the previously published basic principles by outlining actions to promote efficient and effective information sharing while minimizing the impact on privacy interests. Importantly, this document reflects the contributions of industry, civil society, and the government. This document supplements ISAO 300-1 Introduction to Information Sharing, Section 9 Information Privacy.

These cheap phones come at a price -- your privacy

Cheap phones are coming at the price of your privacy, security analysts discovered.

At $60, the Blu R1 HD is the top-selling phone on Amazon. In November 2016, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the Blu R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the command and control channel when they did it."

Sens Expected to Unveil E-mail Privacy Legislation July 27

Apparently, Sens Patrick Leahy (D-VT) and Mike Lee (R-UT) are expected to unveil legislation that will force the government to obtain warrants to look at American citizens’ e-mails. Sens Leahy and Lee’s bill, titled the ECPA Modernization Act of 2017, aims to update the Email Communications Privacy Act of 1986. The bill will initially be released without any cosponsors.

Currently, law enforcement can obtain Americans’ e-mail correspondence with a written statement saying that the e-mails are necessary to an investigation, a process that does not require judicial review. The new bill would change this and require law enforcement agencies to get warrants through a court to gain access to citizens’ e-mails. Apparently, the reforms would cover areas beyond email privacy like protections on metadata, and improvements to the current gag rules which allow the government to keep e-mail service providers from notifying users that their e-mails have been obtained. The bill has been extremely popular in the House, passing with an overwhelming, bipartisan majority the last two times it was introduced.

How Smart Devices Could Violate Your Privacy

Where smart technologies are concerned, the expectation of privacy extends only from the consumer to machine. Once the machine communicates with an outside server – even where data is sent to a server controlled by the product's manufacturer – privacy is violated. Currently, law enforcement can obtain a search warrant compelling a third party to turn over data recorded by the smart device if the company can control or access the information.

The Supreme Court has yet to consider a case that specifically addresses whether, in an era of modern technology where we regularly choose to give personal data to third parties, a person should have an expectation of privacy in the information. As the law stands, once information is voluntarily disclosed to a third party, he does not. One case currently pending at the Supreme Court may tee up the issue of the Third Party Doctrine in the digital age, but until the Court takes on such a case, this premise holds true. It seems the one thing technologists and lawyers alike agree on is that the "right" to privacy could be overcome by technology very soon. The danger is that the new standard will become: You have the right to remain silent, but your smart home does not.

EU Court to Rule on ‘Right to Be Forgotten’ Outside Europe

The European Union’s top court is set to decide whether the bloc’s “right to be forgotten” policy stretches beyond Europe’s borders, a test of how far national laws can—or should—stretch when regulating cyberspace. The case stems from France, where the highest administrative court on July 19 asked the EU’s Court of Justice to weigh in on a dispute between Alphabet's Google and France’s privacy regulator over how broadly to apply the right, which allows EU residents to ask search engines to remove some links from searches for their own names.

At issue: Can France force Google to apply it not just to searches in Europe, but anywhere in the world? The case will set a precedent for how far EU regulators can go in enforcing the bloc’s strict new privacy law. It will also help define Europe’s position on clashes between governments over how to regulate everything that happens on the internet—from political debate to online commerce. France’s regulator says enforcement of some fundamental rights—like personal privacy—is too easily circumvented on the borderless internet, and so must be implemented everywhere. Google argues that allowing any one country to apply its rules globally risks upsetting international law and, when it comes to content, creates a global censorship race among autocrats.

Court: Warrantless requests to track cellphones, Internet use grew sevenfold in D.C. in three years

Sealed law enforcement requests to track Americans without a warrant through cellphone location records or Internet activity grew sevenfold in the past three years in the District, new information released by a federal judge shows. Details about the growth come as the US Supreme Court weighs whether to rein in such rapidly expanding demands. Legal experts said the disclosure appears to mark a first, and that neither the Justice Department nor private companies have previously made public such specific data about how often law enforcement agencies seek those court orders. The summary data gave counts of requests by year from 2008 through 2016 made in criminal cases handled by the Justice Department or US attorney’s office for the District. Details about each individual case, such as the name of a suspect or what records were sought, were not disclosed.

The requests were made under a 1986 statute that enables law enforcement agencies to obtain court orders requiring communication service providers to turn over records about individual customers. The orders do not apply to information about telephone calls, such as the time, date, duration and numbers dialed, which can be obtained in other ways. Instead, the requests seek individuals’ Internet connection records or cellphone tower records. Those records exclude the content of communications but can be highly valuable to investigators seeking to establish a history or pattern of movement, conduct or relationships. The information requests can include Internet browsing logs and activity; the time, date, size, sender and recipient of email, instant or social media messages, or other transaction records; as well as computer identification numbers and information about websites that a user accessed.

Silicon Valley mostly quiet in internet surveillance debate in Congress

Apparently, Facebook, Alphabet's Google, Apple, and other major technology firms are largely absent from a debate over the renewal of a broad US internet surveillance law, weakening prospects for privacy reforms that would further protect customer data. While tech companies often lobby Washington on privacy issues, the major firms have been hesitant to enter a fray over a controversial portion of the Foreign Intelligence Surveillance Act (FISA), industry lobbyists, congressional aides and civil liberties advocates said. Among their concerns is that doing so could jeopardize a trans-Atlantic data transfer pact underpinning billions of dollars in trade in digital services, apparently.

Technology companies and privacy groups have for years complained about the part of FISA known as Section 702 that allows the US National Security Agency (NSA) to collect and analyze e-mails and other digital communications of foreigners living overseas. Though targeted at foreigners, the surveillance also collects data on an unknown number of Americans - some privacy advocates have suggested it could be millions - without a search warrant. Section 702 will expire at the end of 2017 unless the Republican-controlled Congress votes to reauthorize it. The White House, U.S. intelligence agencies and many Republican senators want to renew the law, which they consider vital to national security, without changes and make it permanent. A coalition of Democrats and libertarian-leaning conservatives prefer, however, to amend the law with more privacy safeguards.