'Just Use A VPN' Isn't A Real Solution To The GOP's Decision To Kill Broadband Privacy Protections

from the snoopvertising-incorporated dept

Not too surprisingly, VPN providers say they're seeing an interest spike in the wake of lawmakers' full frontal assault on consumer broadband privacy protections. The attack on the rules comes as the broadband industry is suffering from an overall decline in competition, something of notable concern to privacy advocates. Some VPN providers were quick to use the debate as a marketing opportunity, with VPN provider Private Internet Access taking out a front page ad in the New York Times shaming the 50 Senators who sold consumer welfare down river in exchange for AT&T, Comcast, Verizon and Charter campaign contributions.

VPN provider NordVPN says it has seen an 86% spike in new subscriber inquiries since the effort to kill the rules began, something it's quick to note happens every time privacy is threatened by myopic lawmakers worldwide:

"Such spikes in user interest in VPNs are not unusual - whenever a government announces increase in surveillance, people turn to privacy tools. We saw similar spikes back in November when UK passed the law dubbed ‘The Snoopers Charter’ or after the revelation about CIA surveillance by the Wikileaks. We are worried about the global tendency to invade Internet users’ privacy, and we are glad we can offer a reliable tool that helps people keep their information private. We want to stress that privacy tools are needed every day, not only during such moments - to protect yourself from ever-growing online security threats and increasing surveillance."

When ISPs were busy lobbying to have the rules killed, they were quick to insist that they don't really collect much data about consumers anyway (patently false). They were also quick to try and argue that killing consumer broadband privacy protections isn't that big of a deal -- because consumers could just protect themselves by using encryption and a VPN. One particular study (pdf) by the telecom-sector funded Information Technology & Innovation Foundation put it this way:

"ISPs do not have nearly the visibility critics suggest. First, as the cost of processing has continued to drop, the number of online services and sites that use encryption has dramatically increased. As a result, ISPs will have less and less insight into customers' Internet usage. Second, any customers who have a heightened sensitivity to privacy concerns are able use tools like Virtual Private Networks (VPN) or even onion routing to obscure online communications. Third, ISPs only have a partial view of subscriber online behavior since most use multiple devices and service providers."

This argument has also been pushed around by many folks that aren't keen on additional government regulation, but want to convince themselves the erosion of privacy protections in a captive, uncompetitive market isn't that big of a deal. But as Princeton computer Scientist Nick Feamster pointed out a year ago, ISPs know an alarming amount about you via DNS records, deep packet inspection, location data tracking and other commercial surveillance. And neither encryption nor VPNs alone are enough to ensure your private data isn't being tracked, collected, stored, and sold:

"Traffic from VPNs doesn’t simply disappear: it merely resurfaces in another ISP that can subsequently monitor user activity. The opportunities for observing user traffic are substantial. For example, in a recent simple experiment that postdoc Philipp Winter performed, web requests from Tor exit relays to the Alexa top 1,000 websites traversed more than 350 Internet service providers considering the DNS lookups from these exit relays, the traffic from these exit nodes traverses an additional 173 Internet service providers."

Meanwhile, Feamster was also quick to point out that the myriad of internet-of-broken-things devices in most homes usually aren't compatible with VPN use:

"VPN clients are typically for desktop machines and, in some cases, mobile devices such as phones and tablets. As previously discussed, IoT devices in homes will continue to generate more traffic. Most such devices do not support VPN software. While it is conceivable that a user could set up an encrypted VPN tunnel from the home router and route all home traffic through a VPN, typical home gateways don’t easily support this functionality at this point, and configuring such a setup would be cumbersome for the typical user."

As Wired quite correctly points out, a VPN also won't help you if your wireless carrier is installing snoopvertising locally on your phone (remember CarrierIQ?). Nor is it a bulletproof solution for ISPs like Verizon that have creatively started modifying user packets to covertly track subscribers around the internet. Nor does it prevent you from an ISP charging you more to opt out of data collection (something AT&T and Comcast have both flirted with). A VPN also won't protect you from companies that have flirted with providing worse customer service based on your credit score.

And, of course, in using a paid-for VPN service, you're basically just moving the area of attack. Now, instead of your ISP snooping on you, you need to worry about the VPN company, because they get the same insight into your traffic patterns as your ISP. And while many VPNs insist that they don't monitor, record, or track this stuff, not all do, and there's been little done to see if various VPN companies are telling the truth. Certainly, many VPN companies stake their entire reputation on privacy and not snooping through your surfing data -- and hopefully the potential risk to their reputation for not being honest about that stops abuses, part of the problem is that no one really knows. Kevin Riggle has a good post outlining why you should be skeptical and careful, if you think a VPN is the answer to your privacy concerns.

Long story short, you're going to hear a lot of people say "just get a VPN" in the wake of Congress' decision to sell your privacy down river for ISP campaign contributions. But a VPN isn't a silver bullet that magically compensates for fading regulatory oversight of an uncompetitive (and anti-competitive) telecom sector, where neither regulatory authority nor competition impede these companies' hoovering up of consumer data. A VPN is just one tool for anybody hoping to protect their traffic from the ever-expanding, watchful gaze of your now unshackled broadband provider, and it may not even be a very good one. And it's a problem if people jump on VPNs thinking that it's "the solution." It is not.

Filed Under: broadband, congress, privacy, vpn

Consumer Broadband Privacy Protections Are Dead

from the dysfunction-junction dept

Last week, the Senate voted 50-48 along party lines to kill consumer broadband privacy protections. That vote then continued today in the House, where GOP lawmakers finished the job, apparently happy to advertise how ISP campaign contributions consistently, directly manifest in anti-consumer policy with a 215 to 205 vote (you can find a full vote breakdown here). The rules, which were supposed to take effect this month, were killed using the Congressional Review Act -- which not only eliminates the protections, but limits the agency's ability to issue similar rules down the road.

The broadband industry's effort to kill the rules is one of the uglier examples of pay-to-play government in recent memory. The protections, originally passed last October by the FCC, have been endlessly demonized by the broadband industry, despite the fact that they're relatively straight forward. The rules would have simply required that ISPs are transparent about what they collect (and who they sell it to), and provide working opt out tools. ISPs were also required to have consumers opt in for more sensitive data collection (financial, browser history data).

Large ISPs, however, consistently whined about the rules, insisting the rules would "confuse" consumers, and hamper "innovation" in the advertising and telecom space. They also tried to claim that ISPs don't really collect much data on consumers, and what collection that does happen can be easily dodged by using a VPN (neither of which is true). ISPs also tried to claim it was unfair to saddle them with additional privacy regulations not seen by Google and Facebook, intentionally ignoring that the often stark lack of broadband competition makes this an apples to oranges comparison.

In an last-ditch attempt to try and convince the House that ISP revenues shouldn't take priority over consumer privacy, a group of around twenty smaller ISPs sent a letter to the House (clearly promptly ignored) trying to explain to them how the lack of competition in broadband made the rules necessary:

"Perhaps if there were a healthy, free, transparent, and competitive market for Internet services in this country, consumers could choose not to use those companies’ products. But small ISPs like ours face many structural obstacles, and many Americans have very limited choices: a monopoly or duopoly on the wireline side, and a highly consolidated cellular market dominated by the same wireline firms.

Under those circumstances, the FCC’s Broadband Privacy Rules are the only way that most Americans will retain the free market choice to browse the Web without being surveilled by the company they pay for an Internet connection."

And now those rules are dead, courtesy of lawmakers that put fattening AT&T and Comcast quarterly earnings above consumer privacy and the health of the entire internet.

ISPs have consistently tried to argue that killing the FCC's rules is no big deal because the FTC will somehow magically pick up the slack. But as former FCC boss Tom Wheeler recently noted, the FTC lacks rule-making authority, and ISPs know that privacy issues are going to quickly fall through the cracks at the over-extended agency. There's also rumblings that the GOP wants to push additional bills that hamstring both the FCC and the FTC consumer protection authority. If that doesn't work, they can dodge FTC oversight via common carrier exemptions patiently carved out by AT&T lawyers looking to dodge accountability for fraud.

During an early afternoon floor debate, Massachusetts Representative Michael Capuano had perhaps the most amusing and heated opposition to the effort (video here), citing his online underwear purchases while mocking the lack of public support for the rules' repeal:

...When I was growing up, one of the tents of the Republican party that I admired the most was (dedication to) privacy. Please give me one, not two, one good reason why all these people here, why all these people watching, would want Comcast or Verizon to have information -- unless they give it to them. We're talking medical information, we're talking passwords, we're talking financial information, we're talking college applications -- there is nothing in today's society that every one of us doesn't do every day on the internet -- and yet Comcast is gonna get it. Not because I said it's ok.

...Go out in the street! Please, leave Capitol Hill for five minutes -- go anywhere you want -- find three people in the street who think it's ok. And you can explain to them "ROIs, and the company has to make progress, and we have to make money." You'll lose that argument every single time, as you should. And I guarantee it you won't find anybody in your district who wants this bill passed.

It's consistently disappointing that ideas like net neutrality and privacy get mired in partisan politics, despite the broad, bipartisan consumer support both concepts enjoy. What happens next won't be pretty, regardless of your political ideology.

Congress has intentionally and repeatedly ignored the lack of broadband competition that makes net neutrality, privacy, and other bad behavior possible. Now, as cable's monopoly over broadband grows faster than ever, ISP-loyal lawmakers are rushing to strip away any and all government oversight of one of the least-liked, and most anti-competitive business sectors in American history. ISPs recently busted for covertly modifying packets to track users, charging an additional fee for privacy, or giving worse customer support based on credit score now have carte blanche to misbehave.

Thanks to a cash-soaked Congress there will be neither broadband competition, nor functional regulatory oversight of an industry with a documented history of aggressive, anti-consumer and anti-competitive behavior. What could possibly go wrong?

Filed Under: broadband, competition, congress, fcc, isps, privacy

Congress Just Voted To Kill Consumer Broadband Privacy Protections

from the the-almighty-dollar dept

Despite a last-ditch effort by the EFF and other consumer and privacy groups, Congress today voted to dismantle privacy protections for broadband subscribers in a 50-48 vote. The rules, passed last October by the FCC, simply required that ISPs clearly disclose what subscriber data is being collected and sold by ISPs. It also required that ISPs provide working opt out tools, and required that consumers had to opt in (the dirtiest phrase imaginable to the ad industry) to the collection of more sensitive data like financial info or browsing histories.

Another part of the rules, which simply required that ISPs were transparent about hacking intrusions and data theft, had already been killed off quietly by new FCC boss Ajit Pai.

The rules were seen as important in the face of greater consolidation in an already uncompetitive broadband market, where said lack of competition eliminates any organic market punishment for bad behavior on the privacy front (unlike the content or other industries). Now, with neither broadband competition -- nor meaningful regulatory oversight -- privacy advocates are justifiably worried about the repercussions to come.

The rules were killed by using the Congressional Review Act, which allows Congress to dismantle recently approved regulations with a simple majority vote. While the rules really were relatively straightforward, telecom lobbyists spent months deriding the rules as "onerous regulations" that would be "too confusing" for consumers, potentially stifling sector "innovation." Industry lobbyists also consistently pushed "studies" proclaiming that ISPs really don't collect much consumer data, in stark contrast to, you know, the truth.

One of the proposals sponsors, Arizona Senator Jeff Flake, went so far in a speech Wednesday night to suggest that the rules somehow "restricted constitutional rights" (of giant ISPs like Comcast, apparently):

"In a speech on the Senate floor Wednesday night, Sen. Jeff Flake (R-Ariz.), who introduced the bill, said the FCC regulations were an example of a “bureaucratic power grab.” "Passing this CRA will send a powerful message that federal agencies can’t unilaterally restrict constitutional rights and expect to get away with it,” Flake said."

ISP lobbyists had spent countless hours trying to convince lawmakers that FCC oversight of privacy was unnecessary, and that the FTC alone was well-equipped to handle consumer privacy complaints in the broadband sector. But in a recent interview, former FCC boss Tom Wheeler made it abundantly clear that this was largely bullshit -- and the goal is to shovel off privacy oversight to an FTC without rule making abilities, already overloaded by other enforcement obligations:

"It’s a fraud. The FTC doesn’t have rule-making authority. They’ve got enforcement authority and their enforcement authority is whether or not something is unfair or deceptive. And the FTC has to worry about everything from computer chips to bleach labeling. Of course, carriers want [telecom issues] to get lost in that morass. This was the strategy all along.

So it doesn’t surprise me that the Trump transition team — who were with the American Enterprise Institute and basically longtime supporters of this concept — comes in and says, “Oh, we oughta do away with this.” It makes no sense to get rid of an expert agency and to throw these issues to an agency with no rule-making power that has to compete with everything else that’s going on in the economy, and can only deal with unfair or deceptive practices."

In other words, the goal is quite simply to gut oversight of one of the least competitive (and most anti-competitive) sectors in American industry. First by hamstringing the FCC's oversight of the sector, then by inevitably pushing bills that hinder the FTC's oversight as well. All told, today's vote is one of the more embarrassing examples of our broken, cash-compromised legislative process in recent memory.

Update: Here's the roll call breakdown of who voted for or against the measure, in case you're the type that actually likes accountability.

Filed Under: broadband, congress, fcc, isps, privacy

Should You Have Any 4th Amendment Rights In An Airport?

from the seems-kind-of-important dept

For many years, we've written about the craziness of the so-called "border search exception" to the 4th Amendment, in which the US government has insisted that the 4th Amendment doesn't apply at the border, and thus it's allowed to search people at the border. The initial reasoning was -- more or less -- that at the border, you're not yet in the country, and thus the 4th Amendment doesn't apply yet. But that's expanded over time -- especially in the digital age. Perhaps, back when people just had clothes/books/whatever in their luggage, you could understand the rationale for allowing a search, but today, when people carry laptops and handheld electronic devices that basically store their whole lives, the situation is a lot scarier. Unfortunately, (with just a few small exceptions) the courts have simply taken the historical ability to search luggage at the border and expanded it to cover electronic devices. Then, things got even more ridiculous, when Homeland Security decided that anywhere that's within 100 miles of the border could be "close enough" to count as a "border search," making the "border search exception" apply. That's... messed up.

There's now a case in the 4th Circuit that shows how this is expanding even further, and on Monday we joined with the Cause of Action Institute and the Committee for Justice to file an amicus brief in the case of Hamza Kolsuz (the ACLU has also filed an amicus brief). Kolsuz had his phone searched under a "border search exception" -- but here's the thing: He was in the process of leaving the country, not entering it. A regular bag search turned up handgun parts in his checked luggage, for which he was arrested. After that, his iPhone was seized and searched without a warrant. Remember, just a few years ago, the Supreme Court ruled that you need a warrant to search a mobile phone in the Riley case. But here there was none.

Law enforcement tried to get around this by claiming that since Kolsuz was at the airport, the search of his phone should count as a border search exception. But that's crazy. Unfortunately, the district court accepted this reasoning -- and now the case is on appeal. We signed onto this amicus brief for a variety of reasons, but a big one is that, as journalists, protecting sources and documents is important. We shouldn't be subject to warrantless searches of our work every time we just happen to be in an airport. As the brief notes:

The District Court erred in denying Mr. Kolsuz's Motion to Suppress and this Court should reverse and remand for a new trial. First, while the border search doctrine constitutes a narrow exception to the otherwise unequivocal Fourth Amendment requirement that the government obtain a warrant to conduct a search, the governmental interests that justify this narrow border search exception were not in play when the Defendant's smartphone was searched incident to his arrest, and this exception therefore cannot be used to justify the search here. The fact that Mr. Kolsuz was arrested and his phone seized at an airport--the equivalent of a border--does not change this case from one that fits squarely within Riley v. California... to one that is suddenly part of a narrow exception of cases justified by the sovereign's customs enforcement rules.

The Court should see this search for what it was: a month-long, detailed, forensic search to gather evidence against Mr. Kolsuz for use in a trial on the very charges for which he was arrested. Since the search here was not actually a border search, the border search exception cannot save it.

Second, the United States essentially seeks a mechanical application of a Fourth Amendment exception even where the interests that justify the exception were not implicated in this case. The dangers of such a mechanical application are readily apparent. People traveling into and out of the United States routinely cross with smartphones or computers that contain the equivalent of "every piece of mail... every picture... [and] every book" a person has.... These individuals include journalists, lawyers, and business travelers with confidential information typically safeguarded under American jurisprudence. Nevertheless, customs agents purport to have unfettered access to the contents of electronic devices carried by such individuals, without any reasonable suspicion or probable cause of a crime, simply by the fact that the individual wishes to leave or enter the United States. This is not the application of the border search exception that the Supreme Court had in mind when it outlined its narrow purview.

Of course, many of us still find the very idea of a "border search exception" to be nonsensical in the first place. But if it's there, the idea that it could be abused in this manner is even more problematic and concerning. Hopefully the 4th Circuit corrects this injustice. We're proud to sign onto this brief, and hope the court listens.

Filed Under: 4th amendment, airports, border search, border search exception, hamza kolsuz, privacy, warrants

The Ad Industry Is Really Excited About Plans To Gut Broadband Privacy Protections

from the an-informed,-empowered-consumer-costs-us-money dept

The broadband, advertising and marketing industries are absolutely thrilled about plans to kill the FCC's new broadband privacy protections for consumers. Passed last year, the rules simply require that ISPs provide working opt-out tools, go to reasonable lengths to protect data and notify users of hack attacks, and be transparent about what data they collect and who they sell to. The rules also require that ISPs obtain opt-in consent (public enemy number one for marketing folks) for the collection and sale of more personal data like financial details or browsing histories.

Given that empowered, informed consumers cost the marketing and broadband industry billions, they've been waging a massive campaign to have the rules killed -- and they're about to succeed. New FCC boss Ajit Pai quickly and covertly set about killing the rules' hacking-related requirements. Meanwhile Senator Jeff Flake and Rep. Marsha Blackburn have gotten quickly to work introducing Congressional Review Act resolutions that would kill the rest of the new rules before they're even allowed to take effect.

Needless to say, the marketing industry is pretty excited. In a joint statement by numerous ad policy and lobbying groups including the Association of National Advertisers and American Advertising Federation, the ad industry went so far as to try and claim that protecting consumer privacy was somehow "anti-consumer":

"Without prompt action in Congress or at the FCC, the FCC's regulations would break with well-accepted and functioning industry practices, chilling innovation and hurting the consumers the regulation was supposed to protect. The Congressional Review Act was designed as a common-sense check on anti-consumer regulations like this, and we are pleased that Senator Flake, Congressman Blackburn, and their colleagues are using it to such positive effect. We strongly urge Congress to support and quickly act on these Joint Resolutions."

Granted the ad and broadband industries would have you forget why the FCC crafted these "anti-consumer" rules in the first place. They were only pushed after Verizon was caught covertly modifying user wireless packets in order to track users around the internet without telling them. The FCC was similarly motivated by the fact that AT&T and Comcast were starting to show interest in charging users a premium for privacy, and the fact that companies like CableONE were proudly crowing about how they use financial data to provide worse customer service to bad credit customers.

The lack of last mile competition ensures that these companies face no organic, market-based punishment for these behaviors. And now regulatory oversight will be hamstrung as well, much to the joy of large ISPs looking to jump more heavily into the Millennial advertising business.

ISP-loyal lawmakers are selling the push by claiming that eliminating FCC oversight -- and leaving privacy in the hands of the FTC only -- will result in "more efficient" and "symmetrical" regulations in line with what Google and Facebook face (ignoring the vast, obvious differences in the internet content and broadband industries). That's something former FCC boss (and dingo) Tom Wheeler called a "fraud," specifically designed to saddle the already overextended FTC with work ISPs know will fall through the cracks. The EFF was also quick to recently debunk this and other claims over at its website:

"Unfortunately, recent court decisions have limited the FTC’s ability to enforce privacy rules on ISPs. Plus, relying on each state to enforce its own laws to protect privacy would create a terrible patchwork of mismatched regulations. You’d think with all the uncertainty and bureaucracy that would create, the ISPs would actually prefer clear, bright-line rules at the national level. But you’d be wrong: at this point, they’ll say anything to block the FCC’s privacy-protective rules."

The EFF has penned a second post discussing all of the fun things ISPs have done -- and will do -- with neither regulators nor free market competition keeping them in line. These efforts are being rushed through under the belief that bigger debates (like the Affordable Care Act) will overshadow how quickly Congress mindlessly rushed to do the bidding of companies like AT&T, Comcast, Verizon and Charter. A vote on the repeal of the rules is expected to happen as soon as Thursday, and consumer advocacy groups like Public Knowledge and the EFF are urging concerned citizens to contact their representatives.

Filed Under: ads, ajit pai, broadband, fcc, net neutrality, privacy

Smart Vibrator Company To Pay $3.75 Million For Private Data Collection

from the masturbatory-metadata dept

Given the often-comedic "security" featured on "smart" tea kettles, televisions, refrigerators and light bulbs -- was there any question that your sex toys would suffer from the same problems plaguing other Internet of Things devices?

Last fall, a company named Standard Innovation was sued because its We-Vibe vibrator collected sensitive data about customer usage. Specifically, the device and its corresponding Bluetooth-tethered smartphone app collected data on how frequently (and for how long) users enjoyed the toy, the "selected vibration settings," the device's battery life, and even the vibrator's "temperature." All of this rather personal data was collected and sent off to the company's Canadian servers, where the company claims it's used to conduct research for future products and product updates.

Unlike many IoT products, Standard Innovation does fortunately encrypt this data in transit, but like most IoT companies, it failed to fully and clearly disclose the scope of data collection to customers, what was being done with that data, and how to opt out (or preferably, opt in).

The end result was a lawsuit by one of the device's users (pdf) claiming this improperly-disclosed data collection violated Illinois privacy laws. This week, Standard Innovation struck a $3.75 million settlement (pdf). Under the terms of the deal, Standard Innovation will designate $3 million of the total for customers who downloaded the app and used it with the We-Vibe device, each individual receiving about $10,000 each. The remaining $750,000 is then destined to be divided between customers who purchased the devices alone, with each individual in that instance receiving roughly $200 each.

The company tells the Chicago Tribune it had learned its lesson about the collection of masturbatory metadata:

"Standard Innovation denied any wrongdoing in the settlement, which spokesman Denny Alexander called "fair and reasonable." Some changes agreed to in the settlement have been in place since We-Vibe updated its We-Connect app and privacy notice in September, he said.

"At Standard Innovation we take customer privacy and data security seriously. We have enhanced our privacy notice, increased app security, provided customers more choice in the data they share, and we continue to work with leading privacy and security experts to improve the app," he said."

Of course the real lesson here continues to be: if you want to be smart about device security in the internet of broken things era, you're almost always better off with the dumb alternative.

Filed Under: iot, privacy, security, smart vibrators
Companies: standard innovation

City Of Tacoma To Pay $50,000 To Privacy Activist For Over-Redacting FBI's Stingray Non-Disclosure Agreement

from the fines-set-to-'MAX' dept

In the fall of 2015, privacy activist Phil Mocek and the Center for Open Policing sued the city of Tacoma for its response to a request for Stingray documents. The documents Mocek obtained were heavily-redacted, despite there being several mostly-unredacted versions of the FBI's Stingray non-disclosure agreement already in public circulation.

(This would be the standard NDA the FBI appends to every Stingray purchase by local law enforcement agencies -- one that says all public records requests should be forwarded to the feds and encourages locals to toss cases rather than expose Stingray use. It's also the same contract the FBI was shocked to hear agencies were complying with after signing on the dotted line to take ownership of their new cell tower spoofers.)

The lawsuit was filed under the state's open records law, with Mocek challenging the Tacoma PD's use of the "investigative records" exemption to withhold significant amounts of a mostly bog-standard nondisclosure agreement. As was noted back then, the continued withholding of this information could become costly (for taxpayers): the state's public records law allows for fines of $500/day for violations.

The court has spoken and the Tacoma PD's excessive secrecy is indeed going to cost residents a chunk of change.

The city of Tacoma will pay a $50,000 fine as well as legal fees for violating the Public Records Act by withholding most of a nondisclosure agreement it signed to obtain cellphone surveillance equipment commonly known as a Stingray.

[...]

In an order signed Friday, Pierce County Superior Court Judge Frank Cuthbertson said the city’s redactions violated state law.

He ordered Tacoma to pay $100 a day for every day the city “wrongfully withheld the unredacted NDA from June 21, 2014, until November 3, 2015, when the city provided this record to plaintiffs,” a penalty period of 500 days. The penalty is the maximum allowable under state law.

The judge determined the exemption cited was improper and withholding large amounts of contractual language served no conceivable law enforcement purpose. The city blamed the FBI for its lavish deployment of black toner. Presumably, the FBI will push back, stating it expects no one to uphold the terms of an agreement it forces them to sign before they can acquire the devices.

This unjustified secrecy is going to hurt the city (and its taxpaying residents) a few more times. The Tacoma New Times points out there are several pending lawsuits dealing with the same Stingray documents, including one filed by the ACLU. The city says it won't seek reimbursement from the federal government for fines and fees, but maybe it should, especially if it's going to blame the FBI for the Tacoma PD's secrecy. This actually sounds like a "good faith" attempt to respect the terms of its agreement with the FBI. The FBI got the secrecy it wanted -- at least temporarily. The least it can do is offer to cover the damages of the NDA it says everyone must sign, but apparently doesn't expect anyone to follow.

Filed Under: fbi, imsi catcher, non-disclosure, phil mocek, privacy, stingray, tacoma

Phone Searches Now Default Mode At The Border; More Searches Last Month Than In All Of 2015

from the [Oprah-voice]-YOU'RE-GETTING-A-PHONE-SEARCH!-AND-YOU'RE-GETTING-A-PHONE dept

The Constitution -- which has always been malleable when national security interests are in play -- simply no longer applies at our nation's borders. Despite the Supreme Court's finding that cell phone searches require warrants, the DHS and CBP have interpreted this to mean it doesn't apply to searches of devices entering/leaving the country.

For the past 15 years, the government has won 9/10 constitutional-violation edge cases if they occurred within 100 miles of our borders -- a no man's land colloquially referred to as the "Constitution-free zone." But the pace of device searches has increased exponentially over the last couple of years. The "border exception" is no longer viewed as an "exception" -- something to be deployed only when customs officers had strong suspicions about a person or their devices. Now, it's the rule, as NBC News reports.

Data provided by the Department of Homeland Security shows that searches of cellphones by border agents has exploded, growing fivefold in just one year, from fewer than 5,000 in 2015 to nearly 25,000 in 2016.

According to DHS officials, 2017 will be a blockbuster year. Five-thousand devices were searched in February alone, more than in all of 2015.

Given the current state of immigration policy, this will get a whole lot worse before it gets better… if it ever does. Expanding government power is easy. Contracting it is almost impossible.

In practical terms, boots-on-the-ground travelers are being subjected to intrusive searches just because there's nothing effectual in the law to prevent it. Asserting your rights at the border is a non-starter. You simply don't have any. No one's going to be playing Twenty Quasi-Relevant Questions with travelers hoping to luck into consent. Officers and agents are seizing and searching devices by force.

A couple who had traveled to Canada twice in a period of three days were subjected to invasive device searches both time. The second time much more force was applied to ensure compliance.

Three days later, they returned from another trip to Canada and were stopped again by CBP.

"One of the officers calls out to me and says, 'Hey, give me your phone,'" recalled Shibly. "And I said, 'No, because I already went through this.'"

The officer asked a second time..

Within seconds, he was surrounded: one man held his legs, another squeezed his throat from behind. A third reached into his pocket, pulling out his phone. McCormick watched her boyfriend's face turn red as the officer's chokehold tightened.

Then they asked McCormick for her phone.

"I was not about to get tackled," she said. She handed it over.

The coercion doesn't have to be a chokehold. It can just be the fact that government agents stand between you and your home and aren't willing to let you get back to the part of the country where your rights still exist without you handing over PINs and passwords.

On February 9, Haisam Elsharkawi was stopped by security while trying to board his flight out of Los Angeles International Airport. He said that six Customs officers told him he was randomly selected. They demanded access to his phone and when he refused, Elsharkawi said they handcuffed him, locked him in the airport's lower level and asked questions including how he became a citizen. Elsharkawi thought he knew his rights and demanded access to legal counsel.

"They said if I need a lawyer, then I must be guilty of something," said Elsharkawi, and Egyptian-born Muslim and naturalized U.S. citizen. After four hours of questioning in detention, he unlocked his smartphone and, after a search, was eventually released. Elsharkawi said he intends to sue the Department of Homeland Security.

This is how certain government agents and agencies view constitutional rights: as luxuries only needed by people with something to hide. This mindset -- combined with Trump's "gloves off" approach to immigration enforcement -- helps explain the 5,000 device searches in the last 30 days. Device searches were always considered intrusive, despite the Constitution-free aspect of US borders. These were saved for criminal suspects and watchlisted travelers. Now, it's everyone.

The only good news to come out of this is a potential change in applicable laws. Sen. Ron Wyden is introducing a bill to create a warrant requirement for device searches at the border. Unfortunately, it's being introduced into an ecosystem now streamlined to reject affirmations of existing rights. If it somehow makes it to the President's desk without being amended into uselessness, there's almost zero chance Donald Trump won't veto it. Given the current makeup of Congress, it's unlikely there's enough support for a bill that might give "bad hombres" more rights to override a veto.

Filed Under: 4th amendment, border searches, cbp, constitution free zone, device searches, dhs, privacy

Body Cameras Used By UK Local Government To Catch People Dropping Litter And Walking Dogs

from the illegal-pigeon-feeders-beware dept

We've just written about the use of body cameras in UK schools. One reason these trials are taking place is probably because the technology is now relatively cheap, which lowers previous barriers to deploying it. So it should perhaps come as no surprise to learn from a new report from Big Brother Watch that body cameras are also widely used by UK local government departments (pdf). Here are some of the figures Big Brother Watch gathered using Freedom of Information requests to over 400 UK councils:

54% of all local [government] authorities across the UK are equipping members of staff or contractors with body worn cameras at a cost of £1,791,960.81 [about $2.2 million].

66% of local authorities are failing to completing Privacy Impact Assessments (PIAs) before deploying the technology and

21% of councils are holding non-evidential footage for longer than 31 days; the time limit adhered to by police forces.

The report has details about how many body cameras each local authority has -- one in London has 202 -- how much has been spent, and with which suppliers. It also offers some information about the kind of uses to which the cameras are being put:

the decision by some councils to equip staff with the cameras in order to film people dropping litter, walking dogs, parking or to monitor people's recycling, in order to use the "evidence" to issue a fine, we would argue is a disproportionate use of an intrusive surveillance capability and a potential breach of the privacy of law abiding citizens.

Many local government officials would doubtless disagree. After all, we know that UK councils are using highly-intrusive surveillance powers supposedly needed to fight terrorism in order to spy on excessively barking dogs and illegal pigeon feeding. It's a natural, if worrying, extension of that approach to start using body cameras for similarly trivial purposes.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: body cameras, littering, privacy, uk

EFF: Data Collected From Utility Smart Meters Should Be Protected By The Fourth Amendment

from the I-always-feel-like-somebody's-watching-me dept

For years, electric utilities have increasingly embraced smart meters. Roughly 65 million of the devices have been installed in the United States over the last few years, with 57 million of them in consumer homes. The meters provide innumerable benefits to utility companies, often delivering an ocean of new remote access and monitoring tools to better manage the network and reduce meter reading truck rolls. The benefits to consumers (outside of accuracy) have been less notable, including interference with some home routers, as well as the fact that a number of models have been shown to be relatively easily hacked.

In addition to hackability, the sheer volume of data being gobbed up by utility companies tells an awful lot about you (when you wake, when you sleep, when you're home or away). This has, at times, sparked outrage from locals in places like Naperville, Illinois, where, since 2011, meter opponents have been fighting the intrusive nature of the devices:

"...Opponents say the meters provide so much information that everyone from cops to criminals to marketing departments can learn when people are home and what they do when they're there. Last year, the anti-meter movement fell just short of collecting enough signatures to place a question on the ballot asking residents to decide whether the devices should be removed. They also have a pending federal lawsuit against the city alleging that their constitutional right to due process has been violated."

That was 2013. In 2015, the city of Naperville was forced to settle with one smart meter opponent after she sued the city and four of its police officers for violating her constitutional rights. That same year, another man sued the city over what he claimed was an unwarranted search into his home. But last fall, a federal district court in Illinois declared that Americans can't reasonably expect any privacy in the data collected by these devices, and utility collection of it is completely beyond the protection of the Fourth Amendment.

That case is currently on appeal to the United States Court of Appeals for the Seventh Circuit. And the EFF and Privacy International have asked the Seventh Circuit if they can weigh in on the case. In a blog post, the EFF points out that the court's decision was based on a misunderstanding of how the technology actually works. Basically, the court assumed that these new meters work in exactly the same way as their older counterparts, ignoring the significantly-expanded data collected:

"The court was convinced that data collected from smart meters is no different from data collected from analog meters, in terms of what it reveals about what’s going on inside the home. But that’s simply not the case. Smart meters not only produce far more data than analog meters—those set at collecting data in 15-minute intervals produce 2,880 meter readings per month compared to just one monthly reading for analog meters—but the data is also far more intimate. A single monthly read of cumulative household energy use does not reveal how energy is being used throughout the course of a day. But smart meter data does. And its time granularity tells a story about what is going on inside the home for anyone who wishes to read it."

As we've seen with cellular location data, once companies collect this information, it's often sold to any number of third parties who may be using this data in ways that aren't always in your best interests. But as Tim Cushing has occassionally noted, getting companies to be forthcoming about what they're collecting and who they may be selling it to is sometimes difficult, with at least one company suing to thwart transparency efforts on the subject in Seattle. And as Glyn Moody has also noted, this collision between privacy rights and utility data collection on the smart meter front isn't just an American phenomenon.

Filed Under: 4th amendment, illinois, naperville, privacy, smart meters