February 7, 2023

More Data on Privacy, but Picture Is Still Fuzzy

Now, one by one, the companies are putting out data intended to reassure their users that the government gets information on just a tiny number of people. Over the weekend, Facebook and Microsoft released reports about the overall number of data requests they had received from United States law enforcement agencies. On Monday, Apple and Yahoo joined the chorus.

But rather than provide clarity, some of the disclosures have left many questions unanswered.

Apple, for example, said that from Dec. 1, 2012, through May 31, 2013, it received between 4,000 and 5,000 requests for data, covering 9,000 to 10,000 accounts, from American law enforcement agencies. Facebook said it got 9,000 to 10,000 requests for information about its users, covering 18,000 to 19,000 user accounts, in the last six months of 2012.

How many of those requests were from investigators seeking to sniff out the next terrorist?

The companies said they were not allowed to say, although they noted that the requests were commonly related to things like local police investigations and searches for missing children. That continuing restriction prompted both Google and Twitter to say they would not publish similar data until they could separate national security requests from the rest.

“We still don’t know what is allowed and how these programs are being implemented,” said Amie Stepanovich, director of the Domestic Surveillance Project at the Electronic Privacy Information Center, a nonprofit group.

But the companies were under immense pressure to announce something. If customers do not trust that Facebook or Microsoft or Google will keep private data confidential, they could use those services far less, undermining the companies’ business model.

“They’ve got to say to the consuming public that we care about your data, we’re going to do everything we can to preserve your data, and absent a national security contingency, no one gets access to your data,” said Adonis Hoffman, an adjunct professor at Georgetown University, who has served as a legal adviser to both the government and the advertising industry.

Pressing on the companies from the other side are the country’s intelligence agencies, which prohibit companies from disclosing virtually anything about the requests for national security data without permission.

“The nature of these orders are that they themselves are secret,” said one frustrated executive at a company involved in discussions with the government over disclosure issues.

Despite a week of arduous negotiations since the first reports about the National Security Agency’s seeking private data from nine major technology companies, the firms still cannot say much. “The government will only authorize us to communicate about these numbers in aggregate, and as a range,” Facebook wrote when it posted its data late Friday night.

Still, for tech companies that had never before released a transparency report, like Facebook and Apple, the data shed some light on their practices.

Apple, for example, noted in its report that it never gives the government copies of electronic conversations that take place over iMessage and FaceTime because they are protected by encryption that even Apple cannot break. “Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form,” the company said.

Google and Twitter, which had previously released transparency reports, said that lumping all law enforcement requests together, like Apple and the others did over the weekend, would be even less transparent.

Microsoft, which put out its first transparency report in March, decided to disclose the aggregate numbers but said it was pressing for further disclosure. Google, which published its first transparency report in 2010, has been the most aggressive in pushing for more disclosure. In March, it began breaking out data on one type of government request — National Security Letters, which request information on Americans — saying it had received 0 to 999 requests.

Permission to disclose that came after more than a year of negotiations with the government, and Google had been seeking permission to publish data on the other major type of national security request — information on foreigners demanded under the Foreign Intelligence Surveillance Act — even before news of Prism, the government’s surveillance program, broke, according to a person briefed on those discussions. It is still in talks to try to publish more detailed data, the person said.

By pushing to be able to publish more data on national security requests, the companies were hoping to shift the debate from the data exchange between the tech companies and the government to how the government can be more transparent about it.

Still, even if the government gives permission to break out FISA requests as a separate data point, the numbers are unlikely to tell the whole story. For every formal FISA request the government makes, intelligence agents are able to add names and additional search queries to that request for up to a year afterward, so the amount of data requested could be much higher.

Also, when the government gave Google and Microsoft permission to publish the number of national security letters they receive, it required them to publish the numbers in increments of 1,000, instead of the exact number, and would most likely do the same for FISA requests.

Article source: http://www.nytimes.com/2013/06/18/technology/more-data-on-privacy-but-picture-is-no-clearer.html?partner=rss&emc=rss

Special Report: Technology and Innovation: Microsoft Inherits Sticky Data Collection Issues From Skype

BARCELONA — When Microsoft, the world’s largest software maker, bought Skype in May 2011 for $8.5 billion, it acquired not only the technology behind the world’s dominant Internet voice and video service, but a connection with more than 250 million active users.

But perhaps what Microsoft did not anticipate when it made the purchase was that it would inherit the delicate privacy aspects of Skype’s business, including its billions of encrypted, peer-to-peer Internet conversations.

Those conversations, and the access Microsoft grants to them, are now the focus of a lobbying campaign by 50 digital rights groups and dozens of individuals.

In a letter sent in January, the group asked Microsoft to disclose what data it collected from Skype users and whether that data was passed on — whether to potential advertisers or to law enforcement agencies conducting criminal investigations.

The group, a collection of Internet activists from around the world that includes the Electronic Frontier Foundation, Reporters Without Borders and Zwiebelfreunde, a German university group, called on Microsoft to begin publishing regular transparency reports listing the requests made by government agencies for Skype client information around the world.

Amid the pressure, there are signs that Microsoft may be preparing to relent and publish what are known as transparency reports, which disclose the level of government requests for information. Google has provided the reports since 2010. Since then, Twitter and LinkedIn, among others, have moved toward offering regular reports — but not Microsoft.

Besides public disclosures, said Eva Galperin, a global policy analyst at the Electronic Frontier Foundation, the group also wanted to know the location of Skype’s headquarters — whether in Luxembourg, as it was before it was acquired by Microsoft, or at Microsoft’s base in Redmond, Washington.

The location is important, Ms. Galperin said, because if Skype’s headquarters are in the United States, Microsoft and Skype would be required to comply with requests made by U.S. intelligence services under Calea, the Communications Assistance for Law Enforcement Act, which gives agencies easier access to monitor data from online businesses like Skype.

Internet activists in countries with authoritarian regimes also need to know whether their Skype conversations, once considered a hack-proof way of avoiding government phone wiretaps because of the peer-to-peer nature of the exchanges, are still secure, she said.

“What we know right now is that we don’t know,” said Paul Bernal, a lawyer and professor of technology, intellectual property and media law at the University of East Anglia in Norwich, England, one of 61 individuals who also signed the open letter to Microsoft.

“We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” Mr. Bernal said. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.”

Dominic Carr, a Microsoft spokesman in Redmond, said that Skype’s headquarters, even after the purchase, remained in Luxembourg and the company was subject to laws of Luxembourg and the European Union, not the United States.

Luxembourg, like other E.U. countries, has mutual assistance pacts and other legal mechanisms that permit companies like Microsoft to share information with foreign law enforcement agencies in continuing investigations. The purchase of Skype by Microsoft has not changed the ability of law enforcement to gain access to Skype data, Mark Gillett, a corporate vice president responsible for Skype engineering and operations, wrote in a blog post.

According to Microsoft’s published privacy policy, three types of information are generated by Skype: personally identifiable information on users; nonidentifiable information; and the actual contents of Skype-to-Skype audio and video conversations.

Article source: http://www.nytimes.com/2013/02/25/technology/microsoft-inherits-sticky-data-collection-issues-from-skype.html?partner=rss&emc=rss

Security Firm Says It Found Global Cyberspying

The company, McAfee, said it had alerted the 72 targets it identified and also informed law enforcement agencies, which it said were investigating. The 14-page report calls the attacks highly sophisticated and says they appear to have been operated by a government body, which it declined to name.

“We’re not pointing fingers at anyone but we believe it was a nation-state,” Dmitri Alperovitch, McAfee’s vice president of threat research and the lead author of the report, said in a telephone interview on Wednesday. China has repeatedly been the focus of suspicion in such cases.

The report comes after high-profile cyberattacks aimed at the International Monetary Fund, Sony and the Lockheed Martin Corporation, America’s largest military contractor.

McAfee, which was recently acquired by Intel, said it released the report to coincide with the start of the annual Black Hat technical security conference in Las Vegas. Briefings at the conference are scheduled to be delivered Wednesday and Thursday. Details of the study were first published on the Web site of Vanity Fair.

Although in recent months there have been an alarming number of reports about computer spying, many offer few details, citing concern for the targets’ privacy. The 14-page McAfee report, for instance, offers little detail about the cases, what kinds of documents were stolen or what kind of evidence was found to determine the perpetrator was a government body.

Among the few targets the report mentions by name is the International Olympic Committee. However, Mark Adams, a spokesman for the committee, said early Wednesday: “We are unaware of the alleged attempt to compromise our information security claimed by McAfee. If true, such allegations would of course be disturbing.”

Spokesmen for the United Nations and another named target, the World Anti-Doping Agency, could not immediately be reached for comment. The report said that 49 targets were in the United States and that governments, companies, and organizations in Canada, Japan, South Korea, Taiwan, Switzerland and Britain were also targets multiple times.

“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” Mr. Alperovitch wrote.

McAfee said it learned of the hacking campaign last March, when it discovered logs of attacks while reviewing the contents of a server it had discovered in 2009 as part of an investigation into security breaches at defense companies.

It dubbed the attacks Operation Shady RAT — RAT stands for remote access tool, a type of software used to access computer networks.

The company dated the earliest breaches to mid-2006, though it said other intrusions might have gone undetected. The duration of the attacks ranged from a month to what McAfee said was a sustained 28-month attack against an Olympic committee of an unidentified Asian nation.

What was done with the data “is still largely an open question,” Mr. Alperovitch wrote in the report. “However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

Asked why McAfee decided not to identify most of the corporations that were targets in Operation Shady Rat, the company said on Wednesday that most corporations were worried about being identified and alarming shareholders or customers.

Cyber security is now a major international concern, with hackers gaining access sensitive corporate and military secrets, including intellectual property.

In some attacks, the culprits are believed to be professional hackers engaged in disrupting an organization’s operations for the sheer pleasure of it, or seeking revenge.

In mid-May, the Obama administration proposed creating international computer security standards with penalties for countries and organizations that fell short. The strategy calls for officials from the State Department, the Pentagon, the Justice Department, the Commerce Department and the Department of Homeland Security to work with their counterparts around the world to come up with standards aimed at preventing theft of private information and ensuring Internet freedom.

David Barboza reported from Shanghai, and Kevin Drew from Hong Kong.

Article source: http://feeds.nytimes.com/click.phdo?i=1f0c90cc1c09fbe3cdc35ae3f8803592

Inquiries Grow Over Apple’s Data Collection Practices

At the same time, some researchers said that contrary to reports published Wednesday, the iPhone’s recording of location information in a hidden file on the device, later stored on iTunes on a PC, has been known for some time, and that the information has, on some occasions, been used by law enforcement agencies in investigations.

“This data that was supposedly discovered yesterday has existed in earlier iPhones,” said Alex Levinson of Katana Forensics, a company that specializes in extracting data from electronic devices for legal cases. Mr. Levinson said that he and colleagues had explained Apple’s practices at conferences and in research papers, and that his firm has helped law enforcement agencies “harvest geolocational evidence from iOS devices,” a reference to the Apple operating system.

Mr. Levinson said that an update to Apple’s operating system changed the location of the file storing the information, but that the file had existed previously.

Security experts say law enforcement agencies can often get more precise location information from cellphone carriers than from the hidden file.

While privacy advocates and many iPhone users were alarmed by the revelations, Mr. Levinson and other security experts said they suspected that Apple had been using the data to be able to pinpoint a phone’s location more quickly, saving bandwidth and battery life, when their owners used location-based services like maps and navigation.

Still, the controversy has been magnified by Apple’s silence. For the second day, the company did not respond to calls and e-mails seeking comment.

But in a letter sent by Apple in July to two congressmen — Edward J. Markey, Democrat of Massachusetts, and Joe L. Barton, Republican of Texas — the company appeared to confirm that it has been storing and collecting location information for some time.

In the letter, Apple said it collects the location data anonymously and only when consumers agree to use its location-based services like maps, or any apps that ask a user’s location, and for its advertising system, iAds. The company said that it has been offering location-based services since 2008, but that only in 2010, when it released iOS 3.2, did it begin relying on its own databases for those services. Explaining its need to collect data from its customers’ phones, Apple wrote, “These databases must be updated continuously.”

Security experts say companies like Apple and Google collect the location of Wi-Fi networks and cell towers to pinpoint the location of phones without using GPS technology. Some suggested Apple was doing so through the users of its iPhones.

Mark Seiden, an information security consultant in Silicon Valley, said that Apple’s letter to the congressmen suggests that it uses the location data from the previously hidden file “so a phone knows where it is quickly.” Mr. Seiden said that Apple did not appear to be using the data to track people, but that the company should probably be more diligent about deleting dated location information. “I don’t know why they would want to keep old data on the device,” he said.

Mr. Markey on Thursday sent a follow-up letter to Apple asking it to explain why it was storing the information in the user’s device, and raising concern that its actions could violate the Communications Act.

“Apple needs to safeguard the personal location information of its users to ensure that an iPhone doesn’t become an iTrack,” Mr. Markey said in a statement. On Wednesday, Senator Al Franken, Democrat of Minnesota, also sent a letter asking Apple for an explanation.

The controversy erupted on Wednesday, when two computer programmers issued a report at a conference in San Francisco describing the files with the hidden data. The programmers also released a program that allowed users to see their stored location data on a map.

Some privacy experts were particularly concerned that the files were not encrypted, and that they were backed up on users’ computers.

The concerns quickly spread to Europe, where privacy laws are typically stricter than in the United States.

The Bavarian Agency for the Supervision of Data Protection, in Germany, said it would examine whether — and if so, why — the iPhone and iPad were storing such user data. Thomas Kranig, the director of the agency, said his office had asked Apple whether geographic information was being stored and for what purpose. 

“If it’s true that this information is being collected, and it is being done without the approval and knowledge of the users, then it is definitely a violation of German privacy law,” Mr. Kranig said. 

The Italian Data Protection Authority also opened an investigation into Apple’s data collection, expanding one it had begun on how mobile applications process personal data, Reuters reported.

France may follow suit. Yann Padova, the secretary general of CNIL, the French data protection authority, said the agency was trying to verify the report by the American programmers.

The French agency plans to send Apple France a letter asking for an explanation next week, Mr. Padova said. A major concern will be whether the information remained on the device or whether it was transferred by Apple to one of its commercial partners.

“In the first case, it is a matter of simply not obtaining the consent of  the consumer for the data to be collected,” Mr. Padova said. “In the second case, if the information is marketed without the knowledge of the consumer, it is much more serious.”

Article source: http://feeds.nytimes.com/click.phdo?i=74fd8a4f915940d4c38c6958bb0c25d6