
Mobile Privacy

Digital Privacy Isn’t Taken, It Is Given Away

Open Source Data & Surveillance

With the Edward Snowden privacy leak there is an important factor that is being missed. It isn’t the government agencies that collect the data; they are merely consumers and harvesters of it. The data comes from corporations that have been collecting it for years, data that we have given them freely in exchange for convenience and vanity. We are the victims and the perpetrators.


Senate Cyberstalking Bill To Close Privacy Loophole

Today the Senate Judiciary Committee is set to approve legislation sponsored by Sen. Al Franken, D-Minn., that would block a loophole for “cyberstalking apps”.


ToorCamp 2012 – Tracking Technology, Forensics and Privacy

My presentation from this summer at ToorCamp, probably the most fun you can possibly have at a security conference. I learned tons.


Privacy Invasion Lawsuit Names 18 Companies

Several companies have been named in a class-action lawsuit as a result of mobile applications uploading contacts to servers without users’ consent. The mobile app developers who followed this practice did so to provide more personalized recommendations regarding whom users should follow on their social networks; however, they did so without user consent or knowledge.


Mobile Privacy, Security and Celebrities

There have been a number of recent stories with celebrities’ photos being leaked online, including Scarlett Johansson, Christina Hendricks, Olivia Munn and more. I was interviewed by Fox News regarding how celebrities can better protect themselves. The obvious answer is to not take the photos and store them on their devices or in the cloud in the first place.


Mobile Privacy – User Bill of Rights From EFF

Mobile smartphone apps represent a powerful technology that will only become more important in the years to come. But the unique advantages of the smartphone as a platform—a device that’s always on and connected, with access to real world information like user location or camera and microphone input—also raise privacy challenges. And given the sensitivity of the data that many consumers store on their phones, the stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public.

Fortunately, frameworks exist for understanding the privacy rights and expectations of the users. The following guide of best practices pulls from documents like EFF’s Bill of Privacy Rights for Social Network Users and the recently released White House white paper “Consumer Data Privacy in a Networked World” to set a baseline for what mobile industry players must do to respect user privacy.

Some of these practices may require the participation of other parties, like the mobile platform provider or ad networks. While each party carries some responsibility, application developers are in a position to take the lead on these issues, whether that means selecting an ad network for its responsible practices or supporting efforts by platforms to incorporate privacy-protective policies and practices.

A mobile user bill of rights

Developers need to create applications that respect these rights.

  1. Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smart phones, developers should seek to empower users even when it’s not technically or legally required by the platform. The right to individual control also includes the ability to remove consent and withdraw that data from application servers. The White House white paper puts it well: “Companies should provide means of withdrawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion.”
  2. Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to achieve the functionality while anonymizing personal information.
  3. Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).
  4. Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a “find friends” feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.
  5. Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.
  6. Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.

Best technical practices

How should developers best keep in line with this bill of rights? Here are some specific practices that developers should use to preserve user privacy.

  • Anonymizing and obfuscation: Wherever possible, information should be hashed, obfuscated, or otherwise anonymized. A “find friends” feature, for example, could match email addresses even if it only uploaded hashes of the address book.
  • Secure data transit: TLS connections should be the default for transferring any personally identifiable information, and must be the default for sensitive information.
  • Secure data storage: Developers should retain the information only for the duration necessary to provide their service, and the information they store should be properly encrypted.
  • Internal security: Companies should provide security not just against external attackers, but against the threat of employees abusing their power to view sensitive information.
  • Penetration testing: Remember Schneier’s Law: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.” Security systems should be independently tested and verified before they are compromised.
  • Do Not Track: One way for users to effectively indicate their privacy preferences is through a Do Not Track (DNT) setting at the operating system (OS) level. Currently, DNT is limited mostly to web browsers, and only Mozilla’s under-development Boot2Gecko supports the Do Not Track flag at the OS level. But developers would benefit from the clear statement of privacy preferences, and should encourage other OS makers to add support.
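
The “find friends” matching described under “Anonymizing and obfuscation” can be sketched as follows. This is an added example, not part of the EFF text; the `FriendFinder` class, the function names and the sample addresses are hypothetical, and SHA-256 over a lower-cased address is an assumed scheme.

```python
import hashlib

def normalize_email(addr):
    """Canonical form so one address always yields one digest."""
    return addr.strip().lower()

def hash_email(addr):
    # Email addresses are guessable, so a plain digest can be reversed by
    # hashing candidate addresses. Treat digests as personal data: send them
    # over TLS and do not retain the ones that fail to match.
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()

class FriendFinder:
    """Hypothetical server side: registered users indexed by email digest."""
    def __init__(self):
        self._by_digest = {}

    def register(self, user_id, email):
        self._by_digest[hash_email(email)] = user_id

    def match(self, uploaded_digests):
        """Return {digest: user_id} for hits; misses are dropped, not stored."""
        return {d: self._by_digest[d] for d in uploaded_digests
                if d in self._by_digest}

def find_friends(address_book, server):
    """Client side: only digests leave the device; names and raw addresses stay local."""
    local = {hash_email(a): normalize_email(a)
             for a in address_book if "@" in a}
    hits = server.match(sorted(local))
    # Map matching digests back to the local contacts they came from.
    return {local[d]: uid for d, uid in hits.items()}

# Constructed sample data (not from the original page).
SERVER = FriendFinder()
SERVER.register("u1", "alice@example.com")
SERVER.register("u2", "Bob@Example.com")
ADDRESS_BOOK = [" Alice@Example.COM ", "carol@example.org",
                "bob@example.com", "not-an-email"]

if __name__ == "__main__":
    print(find_friends(ADDRESS_BOOK, SERVER))
```

The server learns which of its existing users appear in the address book and nothing about contacts who are not registered, beyond digests it discards.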

These recommendations represent a baseline, and all the players—from the application developers to the platform providers to the ad networks and more—should work to meet and exceed them. As the mobile app ecosystem has matured, users have come to expect sensible privacy policies and practices. It’s time to deliver on those expectations.

(Reprinted from the EFF under Creative Commons)

Government Access To Cell Phone Records & Location Data

Today the Supreme Court unanimously ruled that the police violated the Constitution when they placed a Global Positioning System tracking device on a suspect’s car and monitored its movements. This helps clarify in many regards the extent to which law enforcement can track private property without a warrant. This raises questions for some in the mobile realm regarding what level of access law enforcement has when conducting an investigation.

The first step law enforcement takes is to determine the service provider from the phone number; there are a number of services that allow users to do this for free. The next step is to determine probable cause or exigent circumstances such as a child abduction, missing person, fugitive, etc. The provider will then send information to the law enforcement agent to complete; that information is then faxed back.

The law enforcement agent can send a preservation letter to the provider to ensure that records regarding the target phone number are not discarded, such as text messages and voicemail, which are sometimes only retained for 72 hours. The next step is a subpoena, which allows law enforcement access to basic transaction data, limited to account details, billing records and account notes. This is usually sent via fax to a specific number at a provider for this purpose.

In order to get deeper information a court order or search warrant is filed. When this happens law enforcement can get detailed records including incoming and outgoing calls, cell tower locations and general location information, text message content, voicemail content and other information.

The hierarchy of protection regarding your cell data is as follows:

  1. Transaction records (name, number, billing)
  2. Numbers dialed, incoming and outgoing
  3. Location data, from cell towers
  4. Content of stored communication such as email, voice, text messages
  5. Content of telephone conversations (wiretap)

It is a crime to access electronic communications without the proper authorization, and the process and circumstances under which the data should be accessed are outlined to law enforcement pretty clearly. According to 18 U.S.C. §§ 2701-2711, Section 2703(c), a court order, search warrant or customer consent is required for the release of electronic communications including location data. A subpoena can be used to obtain basic transactional data, but cannot be used to get location information.





Federal Use of Stingray Logs All User Data

An interesting bit of information came to light in the affidavit of Bradley Morrison, an FBI agent in the Rigmaiden case, where a Stingray device was used to locate Rigmaiden. Not only was Rigmaiden’s device data captured, but also all data from people in the area: because the device mimicked a Verizon cell tower, quite a bit of data was intercepted. Although the document states it is their policy to then wipe all of this data, the fact that they are collecting it raises some interesting questions regarding mobile privacy and citizens’ rights.

Verizon Makes Mobile Privacy Optional

Verizon recently modified their privacy policies so that, unless you opt out, they will begin using information about websites you visit, what apps you use, your location and search terms you use in business and marketing reports. The information will also be shared with third parties and advertising partners:

Mobile Usage Information:

  • Addresses of websites you visit when using our wireless service. These data strings (or URLs) may include search terms you have used
  • Location of your device (“Location Information”)
  • App and device feature usage

Consumer Information:

  • Information about your use of Verizon products and services (such as data and calling features, device type, and amount of use)
  • Demographic and interest categories provided to us by other companies, such as gender, age range, sports fan, frequent diner, or pet owner (“Demographics”)

If you are a Verizon customer and wish to opt out of having your information aggregated and shared you need to visit or call 1-866-211-0874. Just to make things easy for you, if you have a family plan you will need to specify your choice for each individual line.