October 21, 2014

South Carolina Supreme Court says web-based emails aren’t protected by the Stored Communications Act

(LiveHacking.Com) – The South Carolina Supreme Court has ruled that emails stored in the cloud, on services like Google and Yahoo, aren’t classified as “electronic storage”. This means that reading someone’s online email without their permission or knowledge isn’t an offense under the Stored Communications Act (SCA).

According to the act, it is criminal behavior for anyone to “intentionally accesses without authorization a facility through which an electronic communication service is provided or… intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”

The problem is that the act defines “electronic storage” in part as “any storage of such communication by an electronic communication service for the purposes of backup protection of such communication.” The justices ruled that since the emails in Gmail or Yahoo aren’t backups, but the actual originals of the messages, web-based emails aren’t covered.

According to a report by Sophos, earlier court rulings found that the cloud based emails were in “electronic storage”, thus protected under the SCA. Last week’s ruling reversed that decision, saying that earlier court decisions had misunderstood the definition of “electronic storage” under the Act and incorrectly concluded the e-mails had been stored for the purpose of backup protection.

“All of the discussions regarding backups, temporary copies, and the read/unread distinction seem to have very little to do with the way that most people perceive their use of e-mail,” said Woodrow Hartzog, a professor at the Cumberland School of Law at Samford University.

However, Hartzog did point out that there could still be federal liability under the Computer Fraud and Abuse Act.

In brief: New free eBook released to those with no prior experience to protect privacy in a digital world

(LiveHacking.Com) – CryptoParty, a new, decentralized, global initiative aimed at introducing basic cryptography tools to the general public, has released its first handbook. The CryptoParty Handbook is designed to help those with no prior experience to protect their basic human right to privacy in the online world.

The book covers a variety of topics like passwords, browsing, email encryption, VPNs, hard disk encryption and secure file sharing. In each of these areas the book describes the dangers to privacy and recommends which open source tools to use.

By recommending open source tools, rather than commercial tools, the authors hope that users will start to take their online privacy seriously without needing to spend money on sometimes expensive software products.

The CryptoParty Handbook is the brainchild of Marta Peirano and Adam Hyde who came up with the idea after the first Berlin CryptoParty, held on the 29th of August, 2012. Others including Julian Oliver and Danja Vasiliev, co-organisers of the Berlin CryptoParty (along with Marta) were very enthusiastic about the book. It was written in the first 3 days of October 2012 at Studio Weise7, Berlin. Approximately 20 people were involved in its creation, some more than others, some local and some far (Melbourne in particular).

Firefox’s ‘new tab’ feature raises privacy concerns – Fix coming

When Firefox 13 was released almost three weeks ago it touted redesigned Home and New Tab pages to compete with other browsers like Chrome and Opera. However, new concerns about these redesigned pages have surfaced. According to The Register, users of Firefox 13 have found that the thumbnails shown on the “New Tab” page can include snapshots of private information. One user discovered that, after opening a new tab, he was shown snapshots of his earlier online banking and webmail sessions, complete with account numbers, balances, subject lines and so on.

Mozilla has acknowledged that the behavior isn’t desirable and has promised a fix:

We are aware of the concern and have a fix that will be released in a future version of Firefox. Mozilla remains resolute in its commitment to privacy and user control. The new tab thumbnail feature within Firefox does not transmit nor store personal information outside the user’s direct control.

The new tab thumbnails are based on users’ browsing history. All information is contained within the browser and can be deleted at any time. Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened.

Users who share their computer or use Firefox on a public computer should follow best practices for protecting their privacy by utilizing the built-in privacy tools in Firefox, such as Private Browsing Mode.

iOS 6 apps need user permission to access personal data

(LiveHacking.Com) – The incredible growth of Internet-enabled smartphones and tablets means that malware authors have targeted these devices in their attempts to make illegally gained income. One of the most valuable types of information on a smartphone is personal information like contacts, calendars, reminders and photos. Android and iOS have both had their share of privacy scandals, including the Carrier IQ snooping incident and Apple’s Locationgate problems.

According to a MacRumors report, new clauses have been added to the ‘Data Privacy’ section in Apple’s iOS 6 Release Notes:

In addition to location data, the system now asks the user’s permission before allowing third-party apps to access certain user data, including:

- Contacts
- Calendars
- Reminders
- Photo Library

For contact, calendar, and reminder data, your app needs to be prepared to be denied access to these items and to adjust its behavior accordingly. If the user has not yet been prompted to allow access, the returned structure is valid but contains no records. If the user has denied access, the app receives a NULL value or no data. If the user grants permission to the app, the system subsequently notifies the app that it needs to reload or revert the data.

Previously, an app only needed to get permission when it wanted to access location data, but with iOS 6 explicit permission is now also requested when the photo library is accessed, because of the location metadata stored in the photos.

iOS 6 is currently a developer preview and is expected to be released in the last quarter of this year.

Yahoo’s Privacy Chief Moves to Google

(LiveHacking.Com) – Yahoo’s chief trust officer Anne Toth has joined Google as head of privacy for Google+. Although Google already has a privacy chief, it needs as much help as it can get in forming its privacy policies after it agreed earlier this year to undergo regular privacy audits for the next 20 years.

The deal, which was struck with the US Federal Trade Commission, came in the aftermath of Google’s failed Buzz social network which Google incorporated into Gmail without seeking the permission of its users. In the deal Google must hire an outside auditor to conduct an independent review of its privacy policies every two years and obtain users’ permission before altering how it shares user information with third parties.

Anne announced her move on Google+ on Friday:

Excited to be joining Google and the Google+ team next week. Today I’m enjoying my one, solitary day of unemployment. I love everyone who told me to take time off between jobs but I’m too Type A for my own good.

During her tenure at Yahoo!, Anne tried to embed privacy as part of the culture and headed a “privacy by design” approach to developing new products and features.

Will the Kindle Fire be Safe for Web Browsing?

(LiveHacking.Com) – Amazon has just announced its new 7 inch Android based tablet which includes what Amazon are calling “Revolutionary Cloud-Accelerated” web browsing. Amazon Silk, as it is known, splits web browsing into two domains – the things that run on the tablet and the things that run on the Amazon Elastic Compute Cloud (Amazon EC2).

As some of the world’s top web sites are hosted on EC2, Amazon say that web surfing will be faster as “many web requests will never leave the extended infrastructure of AWS, reducing transit times to only a few milliseconds.”

However, the real worry is that with Silk all fetching, and probably some form of optimization and compression, will be performed in the cloud and the result sent to the Kindle. Amazon explain it like this:

Silk uses the power and speed of the EC2 server fleet to retrieve all of the components of a website simultaneously, and delivers them to Kindle Fire in a single, fast stream. Transferring computing-intensive tasks to EC2 helps to conserve your Kindle Fire battery life.

To do all this Amazon needs to keep a record of what web sites you have been using. The FAQ explains it like this:

Amazon Silk optimizes and accelerates the delivery of web content by using Amazon’s cloud computing services. To do this, the content of web pages you visit using Amazon Silk may be cached to improve performance and certain web address information will be collected to help troubleshoot and diagnose Amazon Silk technical issues.

So what about secure connections like https?

We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com). Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

A look at the terms and conditions reveals that Amazon will keep a log of the websites you visit for “generally” no more than 30 days:

Amazon Silk also temporarily logs web addresses known as uniform resource locators (“URLs”) for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues. We generally do not keep this information for longer than 30 days.

The privacy implications are obvious: Amazon holds a log of every URL you visited, tied to identifiers such as your IP or MAC address, and it is very likely that a court order could compel Amazon to hand over the details of all your browsing for that period.

There is one good bit of news however:

You can also choose to operate Amazon Silk in basic or “off-cloud” mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As such, it does not take advantage of Amazon’s cloud computing services to speed-up web content delivery.

Facebook Changes Privacy Controls – Again

(LiveHacking.Com) – Facebook, the popular social media network, has redesigned its privacy controls, allowing users to manage the sharing settings for each and every item posted online. Facebook has often been criticized over its security and privacy policies, especially since it has more than 750 million active users who are posting, often personal, details to the site.

According to the blog post one of the most common privacy complaints was that users were unsure who could see their postings and that these settings could be clearer across the whole Facebook site.

To make the system more straightforward, Facebook are moving most of the privacy controls from the settings page to right next to the posts, photos and tags they affect.

Other changes include:

  • In-line controls – each item on a user’s wall has individual privacy options, such as public, friends and custom
  • Tag takedown – the ability to remove tags of yourself, ask the person who tagged you to remove it, or block the tagger
  • Universal tagging – users can tag anyone, not just Facebook friends; the other person can choose not to accept the tagged post on their profile
  • Location tagging – geographic locations can be added in all versions of Facebook, not just the mobile app
  • Profile view – the option to see how others view your profile is added above the news feed

The new privacy options will begin to be rolled out across the site from Thursday 25 August.

Apple Releases iOS 4.3.3 to Fix Locationgate Bugs

iOS 4.3.3 has been released to fix the so-called Locationgate tracking bugs that have caused Apple so much recent controversy. This update fixes the bugs which caused iPhones to store up to a year’s worth of cell tower information which was then synced with iTunes.

A few weeks ago Alasdair Allan and Pete Warden released a proof-of-concept application for Mac OS X that demonstrates how the iPhone is tracking its location.

Apple responded with a press release saying that the iPhone is not logging its location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers to help the phone rapidly and accurately calculate its location when requested. In other words a cache. They also promised a software update which is what has been released today.

The update contains changes to how iOS manages this crowd-sourced location database cache. Specifically the update:

  • Reduces the size of the cache
  • No longer backs up the cache to iTunes
  • Deletes the cache entirely when location services is turned off

Apple to Issue Software Update to Clear Cell Tower Cache

In the continuing controversy, now dubbed Locationgate, about iPhones storing up to a year’s worth of cell tower information and syncing this with iTunes, Apple has issued a press release to try to clarify the situation. In summary, Apple is saying that the iPhone is not logging its location. Rather, it is maintaining a database of Wi-Fi hotspots and cell towers to help the phone rapidly and accurately calculate its location when requested. In other words, a cache.

The press release also deals with why this cache contains entries for more than a year. Apple’s answer: “the reason the iPhone stores so much data is a bug.” According to ZDNet, Scott Forstall (the senior vice president of iOS Software) has revealed that the problem is actually the size of the cache and not explicitly how long it holds entries for: “we picked a size, around 2MB, which is less than half a song. It turns out it was fairly large and could hold items for a long time.”

OK, but when a user turns off Location Services, why does the iPhone sometimes continue updating its Wi-Fi and cell tower data? Apple says, “It shouldn’t. This is a bug, which we plan to fix shortly.”

Apple’s argument is that it is legitimate to store cell tower information on the phone on a short-term basis, but because of bugs in iOS too much data is being stored. Apple is promising an update to iOS in the near future which will

  • reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
  • cease backing up this cache, and
  • delete this cache entirely when Location Services is turned off.

Apple is also promising that in the next major iOS software release (4.4? 5.0?) the cache will also be encrypted on the iPhone.

So is this the end of Locationgate? Please comment below.


Your iPhone is Watching You! New Proof-of-Concept App Shows How Your iPhone is Tracking Your Every Movement

Alasdair Allan and Pete Warden have released a new proof-of-concept application for Mac OS X that demonstrates that your iPhone is tracking your movements and recording the information. We have tested the application and it is 100% true: Apple is watching you!

Since iOS 4.0 the iPhone has stored cell tower information, and this information is copied to your Mac or PC when you sync your phone with iTunes. The application that Alasdair and Pete have released searches through your old sync data on your Mac, finds this cell tower information and displays it on a map, courtesy of OpenStreetMap.
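The forensic check a practitioner would want here is to see for themselves whether a Mac holds this data and what it reveals. The following is an added example, not the iPhone Tracker code. It assumes what was publicly reported at the time: that iTunes names each backed-up file with the SHA1 of "<domain>-<path>", that the cache lives at RootDomain / Library/Caches/locationd/consolidated.db, that its CellLocation table carries Timestamp, Latitude, Longitude and HorizontalAccuracy columns, and that the timestamps are seconds since 2001-01-01 UTC (Mac absolute time). The sample rows are constructed, so the example runs offline; point find_in_backups at a real MobileSync folder to check a real machine.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed from public reports: iTunes backups store each file under
# SHA1("<domain>-<path>"), and the iOS 4 location cache is this file.
CONSOLIDATED_DOMAIN = "RootDomain"
CONSOLIDATED_PATH = "Library/Caches/locationd/consolidated.db"

# Timestamps in the cache are Mac absolute time, not Unix time.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def backup_file_name(domain: str, path: str) -> str:
    """Name iTunes gives a file inside a MobileSync/Backup/<udid>/ folder."""
    return hashlib.sha1(f"{domain}-{path}".encode()).hexdigest()


def find_in_backups(backup_root):
    """Return every backup folder under backup_root that contains the cache."""
    name = backup_file_name(CONSOLIDATED_DOMAIN, CONSOLIDATED_PATH)
    return sorted(p for p in Path(backup_root).glob(f"*/{name}") if p.is_file())


def mac_time_to_datetime(seconds: float) -> datetime:
    return MAC_EPOCH + timedelta(seconds=seconds)


def load_cell_locations(conn):
    """Read CellLocation rows as (utc_datetime, lat, lon, accuracy_m)."""
    rows = conn.execute(
        "SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy "
        "FROM CellLocation ORDER BY Timestamp"
    ).fetchall()
    return [(mac_time_to_datetime(ts), lat, lon, acc) for ts, lat, lon, acc in rows]


def summarize(points):
    """First/last fix, number of fixes and distinct ~1 km grid cells visited.

    Rounding to two decimal places groups fixes into roughly 1 km cells, which
    is about the resolution cell-tower positions give you anyway.
    """
    if not points:
        return None
    cells = {(round(lat, 2), round(lon, 2)) for _, lat, lon, _ in points}
    return {
        "first": points[0][0],
        "last": points[-1][0],
        "fixes": len(points),
        "distinct_cells": len(cells),
    }


def build_sample_db():
    """Constructed stand-in for consolidated.db; every row here is made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, "
        "CI INTEGER, Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, "
        "HorizontalAccuracy FLOAT)"
    )
    start = (datetime(2010, 10, 1, tzinfo=timezone.utc) - MAC_EPOCH).total_seconds()
    sample = [
        (310, 410, 1001, 1, start, 37.7749, -122.4194, 500.0),
        (310, 410, 1001, 2, start + 86400 * 30, 37.7742, -122.4190, 800.0),
        (310, 410, 2002, 7, start + 86400 * 120, 34.0522, -118.2437, 1200.0),
    ]
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", sample)
    return conn


if __name__ == "__main__":
    # Real machine: for p in find_in_backups(Path.home() /
    #   "Library/Application Support/MobileSync/Backup"): sqlite3.connect(p)
    summary = summarize(load_cell_locations(build_sample_db()))
    print(f"{summary['fixes']} fixes from {summary['first']:%Y-%m-%d} "
          f"to {summary['last']:%Y-%m-%d} across {summary['distinct_cells']} cells")
```

Nothing in the file is encrypted or access-controlled beyond normal file permissions, which is why any process running as the logged-in user, or anyone who copies the backup folder, can produce the same map.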

How bad is this?

  • Other applications on your Mac can access this data.
  • Apple shouldn’t be collecting this information. Mobile phone operators collect tower information as part of their operations but it is private and it normally requires a court order to gain access to it. Your iPhone tower information is available to anyone who can get their hands on your phone or computer.
  • By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.
  • If you sell or exchange your iPhone the tower data might still be on the phone. My iPhone is second-hand and I have discovered that I now have a map of the movements of its previous owner going back to October 2010.

Was it right for Allan and Warden to release this app? They mention this on their site:

We did hesitate over the right thing to do in this case, but when it became clear that “Individuals familiar with iPhone forensic analysis will be quite familiar” with it, as Ryan Neal puts it and that at least one other person had tried to alert the public but apparently failed to make it clear what was going on, a demonstration application seemed the lesser evil.

Note: The application available from the iPhone Tracker site is for 64-bit Macs. If you have an early Intel Mac it is 32-bit only. I have built a 32-bit version here.

Are you worried about this? Please leave a comment below.