UK Information Commissioner Says Police Are Grabbing Too Much Data From Phones Owned By Crime Victims

from the losing-the-tech-race,-eh? dept

The UK's Information Commissioner's Office (ICO) has taken a look at what law enforcement officers are hoovering up from citizens' phones and doesn't like what it sees. The relentless march of technology has enabled nearly everyone to walk around with a voluminous, powerful computer in their pocket -- one filled with the details and detritus of everyday living. And that relentless march has propelled citizens and their pocket computers right into the UK's regulatory void.

The ICO's report [PDF] doesn't just deal with the amount of data and communications UK cops can get from suspects' phones. It also deals with the insane amount of data cops are harvesting from devices owned by victims and witnesses of criminal acts. Left unaddressed, the lack of a solid legal framework surrounding mobile phone extractions (MPEs) will continue to lead law enforcement officers to believe they can harvest everything and look for the relevant stuff at their leisure.

Very few people would consent to this sort of intrusive search, but some aren't aware of how extensive these searches are. Those that are aware are less likely to come forward to help further an investigation, even if they're a victim of a crime.

Large volumes of data are likely to include intimate details of the private lives of not only device owners but also third parties (eg their family and friends). In other words, it is not just the privacy of the device owner that is affected, but all individuals that have communicated digitally with that person or whose contact details have been added by the owner. This presents considerable risks to privacy through excessive processing of data held on or accessed through the phone.

Left unexplained, or in cases where it is not necessary or justified, this intrusion into individuals’ privacy presents a risk of undermining confidence in the criminal justice system. People may feel less inclined to assist the police as witnesses or to come forward as a victim, if they are concerned that their and their friends’ and families’ private lives will be open to police scrutiny without proper safeguards…

Privacy is paramount when dealing with those not suspected of committing criminal acts. Standard MPE practice appears to ignore this crucial element, which only heightens distrust of law enforcement agencies. But privacy concerns are being swept aside in favor of efficiency. Why do things the right way when it's so much easier to do them this way?

PI [Privacy International] published a report calling for an urgent review of the use of MPE by the police, (“Digital stop and search: how the UK police can secretly download everything from your mobile phone” 15). It raised questions over the lawful bases for carrying out extractions, the lack of national and local guidance, and the authorisation process. [...] PI were also concerned that the use of MPE kiosks (‘self-service’ devices used by police forces to download and analyse the contents of individuals’ mobile phones) is becoming more common and forming part of ‘business as usual’ for officers, despite a lack of governance, oversight and accountability in their use.

But if law enforcement officers don't get what they want, there's a good chance crime victims won't get what they want. Here's where things get extremely unpleasant. It's not that crime victims feel this way. It's what's actually happening. When investigators aren't given consent to perform MPEs on crime victims' phones, there's a chance law enforcement will just decide to stop pursuing the investigation.

Here's what Big Brother Watch discovered after obtaining records from multiple police forces in England and Wales:

It found officers had asked for the complainant's mobile phone data in 84 sexual assault cases.

And every one of the 14 of those in which the complainant had declined had then been dropped by police.

The report calls for a long list of improvements and reforms, with an eye on safeguarding the privacy of crime victims and witnesses. ICO says all extractions should be logged and audited routinely. Investigators should be made aware that it's almost impossible to comply with data privacy laws when performing MPEs due to the amount of data/communications present on the average phone -- much of which "belongs" to other people who have communicated with the victim/witness.

It won't be enough to establish guidelines under the current legal framework. ICO says new laws must be put in place to make it explicit what can and can't be obtained with phone searches and when they can be lawfully carried out. This law would also need to set time constraints on examinations of extracted data, as well as the length of time it can be stored once obtained.

For now, the UK's legal framework is more limited than law enforcement's powers. The ICO's report aims to change that. Unfortunately, this will move at the speed of bureaucracy while tech continues to move at the speed of innovation. It's impossible to play catch-up at this speed. I say it's time to hit law enforcement with some broadly-written legislation -- you know, the sort of stuff the normals are forced to deal with all the time. Maybe that will slow the roll of data extraction until the government as a whole has time to address all the nuances.

Filed Under: data, ico, phones, police, privacy, uk

Give Me Liberty, Or Give Me Data Protection? A Troubling Implication Of The American Voter UK Data Protection Case

from the frying-pan-to-fire dept

The Guardian had an article this past weekend about what looks like a potentially successful attempt by an American to use UK data protection law to force Cambridge Analytica to divulge what information it had collected about US voters like him. Whether the UK Information Commissioner’s Office (ICO) is truly entitled to compel Cambridge Analytica to do anything, much less on behalf of an American, is an open question. But for purposes here, let's assume that UK data protection law works this way, that it was intended to work this way, and that it's good policy for it to work this way.

The problem is, it's one thing for the ICO to force Cambridge Analytica to share with the American voter himself what personal data it had about him. But it's another thing entirely for the ICO to force Cambridge Analytica to share the personal data it has about American voters with it. Yet it looks from the article like that's what ICO may have threatened to force Cambridge Analytica to do.

The troubling passage:

The covering letter from the ICO says that if Cambridge Analytica has difficulties complying, it should hand over passwords for the servers seized during its raid on the company’s office – something that raises questions also about what it has managed to retrieve from the servers so far.

Insert record scratch noise here. The framing of the article, and a lot of reaction to it, is that ICO is the white knight here, seeking to vindicate the privacy rights of Americans whose data has been scooped by Cambridge Analytica. Maybe so, but to the extent it proposes to do this by itself scooping up Americans' data (and hopefully future reporting can be more explicit on whether this is what is truly proposed; the Guardian article did not link to the cover letter, nor does the ICO's press announcement) such a move is extremely concerning.

Because regardless of how problematic it is for a private entity like Cambridge Analytica to have access to lots of data about American voters, for all those same reasons it is even more problematic for a government to. And while it would be bad enough if it were the American government demanding it, it's even worse if it's a foreign government that now has access to all this data about American voters.

It's not a question of how much we trust that foreign government. We might see the problem more easily if it were, say, Russian regulators demanding Cambridge Analytica give it all the data it has, but the fact that it is our UK ally demanding it makes no difference. Irrespective of how well-intentioned or trust-worthy one considers the UK government of today, or its data protection authority, we still fought a war or two to keep it out of American democracy. In fact, so unhappy were we about things the UK government had done to help itself to information about American lives that we even came up with a couple of constitutional amendments to ensure the practice would not be continued.

Thus no matter how we feel about Cambridge Analytica having acquired our data without our permission, it would be a strange thing to encourage governments to return to those old ways and get to acquire our data without our permission too. Especially not governments so politically unaccountable to those whose data they would now collect.

Because while voters like Professor Carroll might not care, the apparently indiscriminate way the ICO has acquired data by copying entire servers would seem to capture the data of many more American voters than just him. Which, to put into the language of EU privacy regulators, would constitute a sort of data acquisition that not all of us affected had consented to.

Filed Under: data protection, foreign governments, ico, information commissioner's office, uk, voter info
Companies: cambridge analytica

How To Avoid Future Krack-Like Failures: Create Well-Maintained 'Fat' Protocols Using Initial Coin Offerings

from the blockchain-cryptocurrency-fashionable-moi? dept

It came as something of a shock to learn recently that several hugely-popular security protocols for Wi-Fi, including WPA (Wireless Protected Access) and WPA2, were vulnerable to a key re-installation attack (pdf). A useful introduction from the EFF puts things in context, while more technical details can be found on the krackattacks.com site, and in a great post by Matthew Green. As well as the obvious security implications, there's another angle to the Krack incident that Techdirt readers may find of note. It turns out that one important reason why what is a fairly simple flaw was not spotted earlier is that the main documentation was not easily accessible. As Wired explains:

The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security [TLS], the popular cryptographic protocol used in web encryption, WPA2 doesn't make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.

The obvious way to avoid this issue is to ensure that key protocols are all freely available so that they can be scrutinized by the greatest number of people. But the Wired article points out that there's a different problem in that situation:

Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, but don't have the funding for deep, robust maintenance and vetting

It's another well-known concern: just because protocols and software are open doesn't necessarily mean that people will find even obvious bugs. That's because they may not have the time to look for them, which in turn comes down to incentives and rewards. Peer esteem only goes to far, and even hackers have to eat. If they receive no direct reward for spending hours searching through code for bugs, they may not bother.

So if we want to avoid major failures like the Krack vulnerability, we need to do two things. First, key protocols and software should be open and freely available. That's the easy part, since openness is now a well-accepted approach in the digital world. Secondly, we need to find a way to reward people for looking at all this stuff. As Krack shows, current incentives aren't working. But there's a new approach that some are touting as the way forward. It involves the fashionable idea of Initial Coin Offerings (ICO) of cryptocurrency tokens. A detailed article on qz.com explains how ICOs can be used to fund new software projects by encouraging people to buy tokens speculatively:

The user would pay for a token upfront, providing funds for coders to develop the promised technology. If the technology works as advertised and gains popularity, it should attract more users, thus increasing demand for the token offered at the start. As the token value increases, those early users who bought tokens will benefit from appreciating token prices.

It's that hope of future investment gains that would encourage people to buy ICO tokens from a risky venture. But it's not just the early users who benefit from a technology that takes off. A key idea of this kind of ICO is that the coders behind the technology would own a sizable proportion of the total token offering; as the technology becomes popular, and tokens gain in value, so does their holding.

This novel approach could be applied to protocol development. The hope is that by creating "fat" protocols that can capture more of the value of the ecosystem that is built on top of them, there would be funds available to pay people to look for bugs in the system, which would be totally open. It's an intriguing idea -- one that may be worth trying given the problems with today's approaches.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: cryptocurrency, funding, ico, krack, protocols, standards, wpa2