Document Freed By FOIA Shows How Much Data The FBI Can Obtain From Cellphone Service Providers

from the quite-a-bit-and-dating-back-for-quite-awhile dept

An internal FBI document shared with Joseph Cox of Motherboard by Ryan Shapiro of Property of the People gives a little more insight into law enforcement's data grabs. The Third Party Doctrine -- ushered into law by the Supreme Court decision that said anything voluntarily shared with third parties could be obtained without a warrant -- still governs a lot of these collections.

For everything else, there are warrant exceptions, plain view, inevitable discovery, a variety of "exigent circumstances," and reverse warrants that convert probable cause to "round up everyone and we'll decide who the 'usual suspects' are." Constitutional concerns still reside in this gray area, which means law enforcement will grab everything it can until precedent says it can't.

The document [PDF] gives some insight into the FBI's CAST (Cellular Analysis Survey Team). It shows how much the FBI has access to, how much it has the potential to grab, and how much unsettled law aids in bulk collection of data the FBI can parse through to find suspects or, if enough fishing rods are present, decide whether it has anything to do with its investigative time.

It's all in there, starting with "Basic Cellular Theory" and moving on to everything cell-related the FBI can get its data mitts on.

CAST supports the FBI as well as state, local, and tribal law enforcement investigations through the analysis of call data and tower information, the presentation adds. That can include obtaining the data from telecommunications companies in the first place; analyzing tower dumps that can show which phones were in an approximate location at a given time; providing expert witness testimony; and performing drive tests to verify the actual coverage of a cell tower.

More specifically:

CAST will utilize industry standard survey gear drive test equipment to determine the true geographical coverage breadth of a cell site sector...

Hell yeah. Mapping the frontier except its a van full of feds out wardriving, Lewis-and-Clarking their way into OTA superiority.

Other information derived or directly included in this presentation shows CAST (and?) crew are leveraging minimal oversight and precedent to hoover up data, including historical cell site location data, which now has some constitutional protection. One CAST member Vice found on LinkedIn noted their "special emphasis" on long-term tracking via historical cell site data, apparently occasionally in service of solving serious crimes.

To that end, the FBI apparently operates its own software to help collect data from cell towers and cross reference it with whatever the agency can collect from other sources.

“CASTViz has the ability to quickly plot call detail records and tower data for lead generation and investigative purposes…"

There's more to it. A lot of what's discussed here has been discussed in the public sphere (courts, records requests, leaked documents, etc.), but even if the subject matter is familiar, it's entertaining and educational to see the FBI's (instructional) take on what is now a large part of current Fourth Amendment jurisprudence. It discusses everything from grabbing location data from burner phones to General Motors' OnStar in-vehicle systems.

The document also makes it clear not all service providers are created equal. Some are far more useful than others.

The presentation provides more recent figures on how long telecoms retain data for. AT&T holds onto data such as call records, cell site, and tower dumps for 7 years. T-Mobile holds similar information for 2 years, and Verizon holds it for 1 year.

The slide also shows that AT&T retains “cloud storage internet/web browsing” data for 1 year.

AT&T has always been proactive with its data-sharing. It has set up its own data centers where NSA analysts can grab communications and other data from AT&T internet backbones. This is on top of whatever it can offer on the telco side, including its millions of cell phone users. There are eight of these secret data centers in the United States. All of this helps explain why AT&T holds on to so much data for so long: it has plenty of federal customers to give it to.

There's also some discussion of real-time tracking, which is governed by far fewer precedential decisions. The DOJ enacted a warrant requirement (with plenty of exceptions) for Stingray device use, but hasn't done the same for real-time tracking via cell service providers. As it stands now, the Third Party Doctrine is controlling, which means warrants aren't needed and if it's a close call, a variety of exceptions would likely make use of these tools a "good faith" effort, legally speaking.

It's a good peek into the FBI's data collection habits, one that also shows how much cell providers collect and retain, which may provide guidance for privacy-minded individuals in the market for a new service provider.

Filed Under: cast, data, fbi, foia, privacy

Surprising, But Important: Facebook Sorta Shuts Down Its Face Recognition System

from the good-to-see dept

A month ago, I highlighted how Facebook seemed uniquely bad attaking a long term view and publicly committing to doing things that are good for the world, but bad for Facebook in the short run . So it was a bit surprising earlier this week to see Facebook (no I'm not calling it Meta, stop it) announce that it was shutting down its Face Recognition system and (importantly) deleting over a billion "face prints" that it had stored.

The company's announcement on this was (surprisingly!) open about the various trade-offs here, both societally and for Facebook, though (somewhat amusingly) throughout the announcement Facebook repeatedly highlights the supposed societal benefits of its facial recognition.

Making this change required careful consideration, because we have seen a number of places where face recognition can be highly valued by people using platforms. For example, our award-winning automatic alt text system, that uses advanced AI to generate descriptions of images for people who are blind and visually impaired, uses the Face Recognition system to tell them when they or one of their friends is in an image.

[....]

But the many specific instances where facial recognition can be helpful need to be weighed against growing concerns about the use of this technology as a whole. There are many concerns about the place of facial recognition technology in society, and regulators are still in the process of providing a clear set of rules governing its use. Amid this ongoing uncertainty, we believe that limiting the use of facial recognition to a narrow set of use cases is appropriate.

One interesting tidbit buried in this is that only about 1/3 of Facebook users opted in to use Facebook's facial recognition tool (despite the company pushing it heavily on users). At the very least, it showed that a large number of users weren't comfortable with the technology.

There's also the issue that, while they're turning off the tool and deleting the facial prints, the NY Times notes they're hanging on to the algorithm that was built on all those faces:

Although Facebook plans to delete more than one billion facial recognition templates, which are digital scans of facial features, by December, it will not eliminate the software that powers the system, which is an advanced algorithm called DeepFace. The company has also not ruled out incorporating facial recognition technology into future products, Mr. Grosse said.

That's resulted in some (expected) amount of cynicism from Facebook's critics that Facebook "got what it wanted" and is now moving on. However, I think that's a bit silly. Facebook could have easily kept the facial recognition program going. Of all the regulatory pressures the company is facing, this was way down the list and barely on the radar.

And, to make a bigger point, here's a case where the company is actually doing the right thing: turning off a questionable product and deleting a ton of data it collected. And we should at least encourage both Facebook and other companies to be willing to make that decision based on recognizing the societal risks, and without waiting around until they're forced to do so.

Filed Under: ai, data, deepface, facial recognition, privacy, society, trade-offs
Companies: facebook

Clearview Finally Submits AI For Independent Testing; Only Tests Feature It Isn't Actually Selling

from the competing-for-a-high-score-no-one-cares-about dept

At long last, Clearview has finally had its AI tested by an independent party. It has avoided doing this since its arrival on the facial recognition scene, apparently content to bolster its reputation by violating state privacy laws, making statements about law enforcement efficacy that are immediately rebutted by law enforcement agencies, and seeing nothing wrong with scraping the open web for personal information to sell to government agencies, retailers, and bored rich people.

Kashmir Hill reports for the New York Times that Clearview joined the hundreds of other tech companies that have had their algorithms tested by the National Institute of Standards and Technology.

[M]ore than two years after law enforcement officers first started using the company’s app, Clearview’s algorithm — what allows it to match faces to photos — has been put to a third-party test for the first time. It performed surprisingly well.

In a field of over 300 algorithms from over 200 facial recognition vendors, Clearview ranked among the top 10 in terms of accuracy, alongside NTechLab of Russia, Sensetime of China and other more established outfits.

That seems to confirm CEO Hoan Ton-That's continuous claims that Clearview's AI is one of the most accurate in the business. But there's a huge caveat to his claims and these test results. This test does not reflect real-world use of Cleaview's tech.

But the test that Clearview took reveals how accurate its algorithm is at correctly matching two different photos of the same person, not how accurate it is at finding a match for an unknown face in a database of 10 billion of them.

No one's buying access to Clearview to perform this task. And that certainly isn't what Clearview is selling or promising to potential customers when it pitches its 10 billion image database. So, Clearview calling this test result "an unmistakable validation" of its tech is, well, pure bullshit. It doesn't validate anything. All it possibly shows is that Clearview could be used to verify identity by matching faces -- something that might be useful for unlocking a phone or providing access to restricted areas.

What it doesn't show is Clearview's accuracy when it compares an uploaded photo to its billions of scraped images. Supposedly, Clearview will be allowing NIST to run a 1-to-many test of its AI (Ton-That says that will happen "shortly"). If that happens, we'll finally be able to see if Clearview's AI is as accurate as its CEO has repeatedly said it is.

Even if it is accurate, it's still facial recognition tech -- something that comes with a lot of inherent drawbacks. Every AI tested by NIST showed some form of bias, like performing better when checking white male faces for matches. And it won't change the fact that Clearview's database is the product of web scraping -- something that's not illegal but definitely questionable. Internet users may agree to share information with others and the sites they use, but no one affirmatively agrees to allow Clearview to scoop up that information and sell it to government agencies. That's what has resulted in it being sued in a couple of states, and being kicked out of Canada entirely.

Clearview has no product without the unwilling and unaware contributions of millions of internet users. Even if its AI isn't as terrible as we're all free to believe it is, it will still just be the bottom feeder in a murky cesspool of facial recognition tech providers. Floating to the top of the NIST's tank may give it better copy for its marketing materials, but it won't earn it any respect.

Filed Under: ai, facial recognition, privacy
Companies: clearview

California Prosecutors Are Still Trying To Get Signal To Hand Over User Info It Simply Doesn't Possess

from the keep-burning-that-toner,-g-men dept

Encrypted messaging app Signal is slowly educating federal prosecutors on the meaning of the idiom "blood from a stone." Usually this refers to someone who is judgment-proof (or extortion-proof or whatever), since you can't take money a person doesn't have.

This would be the digital equivalent. Prosecutors in California have tried three times this year to obtain data on Signal users that Signal never collects or retains. Issue all the subpoenas you want, Signal says, but don't expect anything to change. We can't give you what we don't have. (h/t Slashdot)

Here we are in the second half of 2021, Signal still knows nothing about you, but the government keeps asking.

Because everything in Signal is end-to-end encrypted by default, the broad set of personal information that is typically easy to retrieve in other apps simply doesn’t exist on Signal’s servers. Once again, this request sought a wide variety of information we don’t have, including the users’s name, address, correspondence, contacts, groups, call records.

As usual, we couldn’t provide any of that. It’s impossible to turn over data that we never had access to in the first place. Signal doesn’t have access to your messages; your chat list; your groups; your contacts; your stickers; your profile name or avatar; or even the GIFs you search for. As a result, our response to the subpoena will look familiar. It’s the same set of “Account and Subscriber Information” that we can provide: Unix timestamps for when each account was created and the date that each account last connected to the Signal service.

That’s it.

That handles one request from prosecutors in Santa Clara County, California. Another one was greeted with the same response a few days later -- this time from the Central District of California. Apparently the lesson wasn't learned back in April, when the same district made the same request for data and got the same answer from Signal. Two grand jury subpoenas and one search warrant later and the answer remains the same.

The search warrant had a few more wrinkles of the government variety, even if the end result was Unix timestamps. According to the Signal post, the government attached a gag order to this warrant and renewed it four times while being told by Signal that the company had nothing more to turn over in response. There was nothing remotely adversarial about this process. The government made four secrecy requests, got all four granted -- all without acknowledging Signal's motion to unseal. The court also refused to schedule a hearing or even return phone calls from Signal's legal reps.

It seems like the government will keep trying, though. Signal doesn't get hit with many requests for user info, but prosecutors spending the public's money seem willing to define insanity through their ineffective actions. And for companies providing encrypted communications, the best way to protect users is to gather as little info about them as possible. When the government comes knocking, it's sometimes best to have nothing to give it.

Filed Under: california, encryption, privacy, prosecutors, subpoenas
Companies: signal

Swiss Court Says ProtonMail Isn't A Telecom, Isn't Obligated To Retain Data On Users

from the neutral-good-remains-a-pretty-solid-alignment dept

ProtonMail offers encrypted email, something that suggests it's more privacy conscious than others operating in the same arena. But, being located in Switzerland, it's subject to that country's laws. That has caused some friction between its privacy protection claims and its obligations to the Swiss government, which, earlier this year, rubbed French activists the wrong way when their IP addresses were handed over to French authorities.

The problem here wasn't necessarily the compliance with local laws. It was Proton's claim that it did not retain this information. If it truly didn't, it would not have been able to comply with this request. But it is required by local law to retain a certain amount of information. This incident coming to light resulted in ProtonMail altering the wording on its site to reflect this fact. It no longer claimed it did not retain this info. The new statement merely says this info "belongs" to users and Proton's encryption ensures it won't end up in the hands of advertisers.

Proton's retention of this data was the result of a Swiss data retention law and, more recently, a revocation of its ability to operate largely outside the confines of this law. Terry Ang of Jurist explains the how and why behind Proton's relinquishment of IP addresses to French authorities, which resulted in its challenge of the applicability of the local data retention law.

The company lodged an appeal last month after the PTSS [Swiss Post and Telecommunications Surveillance Service) abruptly revoked Proton’s limited surveillance obligations in September 2020. Before that order, they were only required to provide IP addresses to surveillance departments in situations of “extreme criminal cases.” The company was also protected by article 271 of the Swiss Criminal Code, which means that data submission for surveillance purposes is supposed to be approved by the Swiss government.

But as a result of the sudden policy change, the company was forced to surrender IP addresses of climate activists, leading to several arrests by the French authorities. The company was also subjected to new data retention obligations for future surveillance purposes.

It's these retention obligations that have been challenged. These obligations undercut earlier promises made by Proton to its users -- the ones that resulted in a rewrite of its privacy guarantees as well as its cooperation with French authorities.

Fortunately for ProtonMail and its users, surveillance of the service will go back to being more limited. The Swiss Federal Administrative Court has sided with Proton, finding that it is not a service provider under the definitions included in the data retention law.

The Court on Friday concluded that email services are different from conventional telecommunication providers in Switzerland, and thus, should not be subject to the same kinds of data storage requirements. The Court followed a recent Swiss Supreme Court ruling in April that clarifies the status of instant messaging, video and telephone app services such as WhatsApp, Threema, Zoom and Skype. In that case, the Supreme Court stated that such applications and services are not considered telecom service providers, but classified as “over-the-top” (OTT) service providers.

This should allow ProtonMail to go back to offering users the privacy protections they thought they had until news reports indicated otherwise. But users should be aware that email services generate a lot more data and metadata than encrypted chat services, which means there's more stuff laying around for investigators (and oppressive governments) to demand or utilize should the opportunity arise. But it's still a significant win for the service -- one that also reaffirms that not all communication service providers are telecom service providers, and shouldn't be subject to the same data retention obligations.

Filed Under: data, data retention, email, law enforcement, logging, privacy, ptss, switzerland
Companies: proton mail

FTC Study Highlights How 'Big Telecom' Privacy Practices Are Even Worse Than 'Big Tech'

from the stating-the-obvious dept

I've noted for a few times that the very obvious dysfunction in "big tech" has proven to be the gift that keeps on giving for "big telecom." While tech giants like Google, Amazon, and Facebook get the entirety of (often very justified) attention for dodgy business practices and terrible judgement, telecom has basically been forgotten in the DC Policy conversation. While lawsuits and Congressional posturing all focus on expanding oversight of "big tech," "big telecom" and "big media" have been able to lobotomize most of the oversight of its own businesses, despite engaging in all the same (and sometimes worse) dubious business practices.

An FTC report on privacy reiterated that forgetting about telecom and media was a mistake. The FTC's latest report on privacy noted largely what most people knew: telecom and cable companies collect an absolute ocean of data on U.S. consumers, then "sell" access to that data to third parties (they usually just call it something else) without being clear about it. They then provide users with opt out and transparency tools that are intentionally cumbersome, if they work at all. This data then bounces around the internet creating potential harm and abuse among countless parties, whether stalkers, law enforcement, people pretending to be law enforcement, or other corporations.

The FTC found that many ISP and cable companies "privacy policies" are utterly theatrical in nature. As in they're designed to be so cumbersome as to deter people from using them (which companies then use as evidence that consumers "don't care about privacy"). Other times the "opt out" tools don't work at all, and in some cases they result in even more user data being collected. None of this is made particularly clear to the end user:

"...rapid consolidation has allowed ISPs to access and control a much larger and broader cache of consumer data than ever before, without having to explain fully their purposes for such collection and use, much less whether such collection and use is good for consumers."

The FTC correctly noted that as network operators, ISPs and cable companies have access to way more data than even tech giants, app makers, or advertising companies. This includes DNS data, browsing data, clickstream data (how long you spend on each site down to the second), behavioral ad information, location data, race and ethnicity data, data on which TV programs you watch, and more. The report is quick to bring up the repeated location data scandals that have plagued the wireless industry, as well as the "zombie cookie" scandals at Verizon (and briefly AT&T) that involved embedding tracker headers in each user data packet to track them around the internet (again without informing them or letting them opt out):

"Unlike traditional ad networks whose tracking consumers can block through browser or mobile device settings, consumers cannot use these tools to stop tracking by these ISPs, which use ‘supercookie’ technology to persistently track users,” the FTC report said.

ISPs and cable companies will usually tell the press, lawmakers, and regulators they don't "sell" access to this data, but they still technically do. They simply call the practice something else.

Like a network security, auditing, or marketing company will get access to "anonymized" (a worthless term) user datasets as part of a broader contract for "security consultation," "marketing and brand awareness," or "strategic consultation." That company will get a bit more money for whatever their broader contract is, while also often being allowed to sell that data out the back door. It's not technically "selling access to your data" because they've actively just called it something else, knowing that U.S. regulators are too feckless and understaffed to dig through a tangled web of intentional complication.

Of course the FTC's report on the terrible privacy practices of the telecom industry is just a report. Actually doing something about the problem is another issue entirely. And every time we've tried to do something about the problem, lobbyists scuttle it in pretty short order (like those FCC broadband privacy rules killed by a heavily-lobbied Congress before they could even take effect, or even a basic federal privacy law). And, more recently, with telecom and media giant lobbying encouragement, the entirety of DC is so fixated exclusively on the problems with tech giants, telecom and media reform has effectively been forgotten entirely.

Filed Under: big tech, competition, consolidation, ftc, privacy, telcos
Companies: at&t, comcast, verizon

New Report Again Shows Global Telecom Networks Aren't Remotely Secure

from the maybe-we-should-fix-that dept

Last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet's security and privacy issues. In part because TikTok wasn't doing anything that wasn't being done by thousands of other app makers, telecoms, data brokers, or adtech companies in a country that can't be bothered to pass even a basic privacy law for the internet era. If we're serious about security and privacy solutions, we need to take a much broader view.

For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation's telecom networks, whether we're talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards in the internet of broken things. Or the dodgy security in our satellite communications networks.

This week, Crowdstrike drove this myopia home again with a new report showcasing how Chinese hackers have compromised global telecom networks for years. The security firm found that since 2016 or so, a (likely Chinese state backed) hacking organization dubbed "LightBasin" or "UNC1945" targeted global telecom companies and was able to compromise 13 of them since 2019. First accessing an eDNS server through an SSH connection from the network of another compromised company, the hackers were able to obtain a trove of telecom data including subscriber information, call metadata, text messages and more, helping them develop a wide collection of snooping tricks:

"The report lays out how this group has developed highly customized tools and a precise working knowledge of global telecommunications network architectures such that it can emulate network protocols to allow scanning and “to retrieve highly specific information from mobile communication infrastructure.” The nature of the data targeted “aligns with information likely to be of significant interest to signals intelligence operations."

Of course this comes on the heels of a steady parade of other telecom security scandals, ranging from the SS7 flaw we still haven't fully fixed (opening the door to covert surveillance), revelations that most satellite networks have the security of damp cardboard, and recent reports of a company that handles billions of global text messages from carriers all over the world was compromised for years before anybody knew anything about it. Most of these reports come and go quietly without even a tiny fraction of the hysteria we saw aimed at TikTok.

Speaking to the press, Crowdstrike researchers were quick to point out that freaking out about malware and apps doesn't mean much if the underlying telecom infrastructure is compromised (and it very much is):

"People leverage their cellphones like they’re magic,” said Adam Meyers, CrowdStrike’s senior vice president of intelligence. “They don’t think about the fact that there’s this whole infrastructure that makes it work … and that infrastructure is not something that you can take for granted."..."They don’t need to deploy the malware onto your phone if they’re owning the network that your phone is riding on,” he said.

Granted much like everyday infrastructure issues like bridge repair, shoring up overall internet network security isn't a sexy topic that sees much traction. Unless you're a U.S. company lobbyist leveraging Xenophobia to your competitive and political tactical advantage (see the sometimes narrow hysteria surrounding 5G), much of this stuff doesn't see anywhere near the attention it deserves in a press and policy discourse that often couldn't care less.

Filed Under: privacy, security, ss7, telco equipment, telcos, telecom networks
Companies: crowdstrike

Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks

from the small-privacy-breach-with-larger-repercussions dept

Of all the places to come across illegal facial recognition tech deployment, a convenience store chain is certainly one of the strangest. The tech wasn't deployed to stop shoplifting or keep unwanted people off the premises. Instead, somewhat ironically, it was deployed to help 7-Eleven convenience stores quantify how well it was doing in the customer service department.

Here's Campbell Kawn for ZDNet (via Slashdot):

In Australia, the country's information commissioner has found that 7-Eleven breached customers' privacy by collecting their sensitive biometric information without adequate notice or consent.

From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers' facial images at two points during the survey-taking process -- when the individual first engaged with the tablet, and after they completed the survey.

After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven's survey.

The investigation [PDF] says 7-Eleven handled pretty much everything about this badly. It also shows the company tried to distance itself from its own tablet-based survey by blaming the third-party vendor handling the survey on its behalf.

The facial images were collected twice during the survey and stored locally on the tablets for about 20 seconds. After that, they went to the third party's servers, where they were processed and converted into an algorithmic representation of the face. The original images were then deleted from the device used to perform the survey.

These "representations" were then used to check for matches on other surveys. This was done to detect any potential gaming of the system by individuals repeatedly performing surveys and to make guesses about the age and gender of survey takers. All of that data was deleted after seven days. In total, 1.6 million surveys were performed.

7-Eleven argued this was not a violation of Australian law because the images were not used to identify, track, or monitor respondents. It also said it had no access to facial images on the local device, nor any access to images once they had been moved to the third party servers.

Wrong, says the information commissioner. The problem isn't how the collected information was handled. The problem is how it was collected. 7-Eleven needed consent from survey takers and didn't get it. The commissioner found "no evidence" individuals "expressly" agreed to have their biometric information collected by 7-Eleven.

7-Eleven argued it did get at least implied consent. As evidence of this it offered the blanket notice displayed in front of all stores:

Site is under constant video surveillance.

By entering the store you consent to facial recognition cameras capturing and storing your image.

It also pointed to its privacy policy on its website -- something survey takers weren't presented with when taking surveys.

7-Eleven may also collect photographic or biometric information from users of our 7-Eleven App and visitors to our stores, again, where you have provided your consent. 7-Eleven collects and holds such information for the purposes of identity verification.

None of this is sufficient, says the commissioner.

Consent may not be implied if an individual’s consent is ambiguous or there is reasonable doubt about the individual’s intention. While I accept that use of the tablet was voluntary, I am not satisfied that the act of using the tablet unambiguously indicated an individual’s agreement to collect their facial image and faceprint, in circumstances where:

There was no information provided on or in the vicinity of the tablet, or during the process of completing the survey, about the respondent’s collection of facial images and faceprints.

The Store Notices were unclear, and, given the prevalence of these kind of notices in stores and public places, may have created an impression that the respondent captured customers’ images using a facial recognition CCTV camera as part of surveillance of the store.

The respondent’s Privacy Policy did not link the collection of photographic or biometric information to the use of in-store ‘feedback kiosks’.

Non-specific blanket statements about possible collections are not the same thing as informing survey takers prior to taking a survey that their biometric information will definitely be collected if they fill out a survey.

That's some lawbreaking right there. The company that processed the facial images on behalf of 7-Eleven is ordered to destroy all faceprints collected by this survey. It's also forbidden from engaging in this sort of thing again without securing explicit permission from clients' customers. How much of a deterrent this is remains to be seen since the third party already declared all facial recognition data was deleted seven days after it was collected and processed.

The greater benefit of a ruling like this -- especially one that deals with information gathered irresponsibly but apparently handled with more care once it was harvested -- is the official reminder it sends to all Australian entities that may currently believe a link to a privacy policy buried on the bottom of a corporation's website home page is all that's needed to obtain "consent" for collection of personal info.

Filed Under: australia, convenience stores, facial recognition, privacy
Companies: 7-eleven

Study Shows How Android Phones Still Track Users, Even When 'Opted Out'

from the words-mean-nothing dept

We've frequently noted that what's often presented as "improved privacy" is usually privacy theater. For example researchers just got done showing how Apple's heavily hyped "do not track" button doesn't actually do what it claims to do, and numerous apps can still collect an parade of different data points on users who believe they've opted out of such collection. And Apple's considered among the better companies when it comes to privacy promises.

Android is notably worse. One of my favorite privacy and adtech reporters is Shoshana Wodinsky, because she'll genuinely focus on the actual reality, not the promises. This week she wrote about how researchers at Trinity College in Dublin took a closer look at Android privacy, only to find that the term "opting out" often means absolutely nothing:

"According to the researchers, “with little configuration” right out of the box and when left sitting idle, these devices would incessantly ping back device data to the OS’s developers and a slew of selected third parties. And what’s worse is that there’s often no way to opt out of this data-pinging, even if users want to."

So called "system" apps in many Android variants by the likes of Samsung, Xiaomi, and Huawei often come pre-installed, and can't be removed without rooting your device (which the majority of users can't or won't do). These apps are pretty constantly hoovering up handset data and sending it back not only to the parent company, but to third party data brokers. So even when you think you're "opting out" of data collection and sales, you're not really:

"On their own, none of these data points can identify your phone as uniquely yours, but taken together, they form a unique “fingerprint” that can be used to track your device, even if you try to opt out. The researchers point out that while Android’s advertising ID is technically resettable, the fact that apps are usually getting it bundled with more permanent identifiers means that these apps—and whatever third parties they’re working with—will know who you are anyway. The researchers found this was the case with some of the other resettable IDs offered by Samsung, Xiaomi, Realme, and Huawei."

Some of Google's developer rules prohibit the worst sorts of behavior, but they often only restrict how the data can be sold, not what can be collected. And it's also hard to think they're being effectively policed at any scale. Meanwhile, Google tried to brush aside the researchers' concerns over at Bleeping Computer by claiming this is just how phones work now:

"While we appreciate the work of the researchers, we disagree that this behavior is unexpected – this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds."

Except it's not how cell phones have to work. Case in point: phones using /e/OS, a privacy-focused open-source operating system that promises users a "de-Googled" device, don't mindlessly and endlessly chirp back to the monitor mothership. You can make devices that actually don't phone home constantly, and genuinely opt users out of all tracking when asked. Companies just don't want to do it. Most usually because apathy and tap dancing is more profitable.

Again, much of this occurs because the U.S. still lacks a real privacy law for the internet era. While people often talk about how passing a good privacy law is just too damn hard to get right, a good first step is requiring absolute transparency into what's being collected and sold, and providing working opt out tools. And also we could probably actually fund and staff U.S. privacy regulators while we're at it, so there's somebody competent actually watching the henhouse. Meanwhile, the full study can be found here (pdf) for those interested.

Filed Under: android, do not track, opt-out, privacy
Companies: google

Many Digital Divide 'Solutions' Make Privacy And Trust A Luxury Option

from the First-do-no-harm dept

We've noted a few times how privacy is slowly but surely becoming a luxury good. Take low-cost cellular phones, for example. They may now be available for dirt cheap, but the devices are among the very first to treat consumer privacy and security as effectively unworthy of consideration at that price point. So at the same time we're patting ourselves on the back for "bridging the digital divide," we're creating a new paradigm whereby privacy and security are something placed out of reach for those who can't afford it.

A similar scenario is playing out on the borrowed school laptop front. Lower income students who need to borrow a school laptop to do their homework routinely find that bargain comes with some monumental trade offs; namely zero expectation of privacy. Many of the laptops being used by lower-income students come with Securly, student-monitoring software that lets teachers see a student’s laptop screen in real time and even close tabs if they discover a student is "off-task."

But again, it creates a dichotomy between students with the money for a laptop (innately trusted) and lower income students who are inherently tracked and surveilled:

"Hootman says she and other parents wouldn’t have chosen school-issued devices if they knew the extent of the monitoring. (“I’m lucky that’s an option for us,” she says.) She also worried that when monitoring software automatically closes tabs or otherwise penalizes multitasking, it makes it harder for students to cultivate their own ability to focus and build discipline."

Teachers and school administrators may be well intentioned, but they're not thinking particularly large picture. But the creation of this bifurcated treatment of privacy wasn't lost on the Center for Democracy and Technology, which issued a report last month that found, unsurprisingly, wealthier kids that can afford their own devices are subject to less surveillance and are inherently trusted more overall. Sometimes just by nature of the laptop surveillance systems, but also thanks to school district concerns about liability:

"LEAs (local education agencies) with wealthier student populations reported that their students are more likely to have access to personal devices, which are subject to less monitoring than school-issued devices...LEAs feel compelled to monitor student activity to satisfy perceived legal requirements and protect student safety."

So in trying to "help" kids, by not thinking broadly enough you're teaching them that they're inherently inferior and less deserving of overall trust. Combine that with the overarching problem that less expensive computer and phone hardware is often inherently less private and secure, and it's not particularly hard to see how efforts to "bridge the digital divide" could make some aspects of it worse if they're not particularly well thought out.

Filed Under: digital divide, luxury, privacy, school laptops, schools, security, students, surveillance, tracking