jm + privacy   233

Unroll.me sold your data to Uber
'Uber devoted teams to so-called competitive intelligence, purchasing data from Slice Intelligence, which collected customers' emailed Lyft receipts via Unroll.me and sold the data to Uber'.

Also: 'Unroll.me allegedly "kept a copy of every single email that you sent or received" in "poorly secured S3 buckets"': https://news.ycombinator.com/item?id=14180463

Unroll.me CEO: 'felt bad “to see that some of our users were upset to learn about how we monetise our free service”.'
https://www.theguardian.com/technology/2017/apr/24/unrollme-mail-unsubscription-service-heartbroken-sells-user-inbox-data-slice
uber  unroll.me  gmail  google  privacy  data-protection  lyft  scumbags  slice-intelligence 
yesterday by jm
Australian Doctor on Twitter: "Outcry as MyHealthRecord default privacy setting left open to universal access"
Funnily enough, this is exactly what Ross Anderson warned about 10 years ago re patient record digitisation in the UK.

'Occupational therapists working for an employer, doctors working for insurance companies, a dietitian, an optometrist or a dentist or their staff can view the [patient] record and see if individuals have a sexually transmitted disease, a mental illness, have had an abortion or are using Viagra.'
privacy  heaith  australia  myhealthrecord  data-protection  data-privacy  healthcare  medicine 
13 days ago by jm
serviette/serviette.py at master · heathervm/serviette · GitHub
Delete tweets based on search terms. Wonder why you'd want that
twitter  tweets  delete  privacy  social-media 
14 days ago by jm
Research Blog: Federated Learning: Collaborative Machine Learning without Centralized Training Data
Great stuff from Google - this is really nifty stuff for large-scale privacy-preserving machine learning usage:

It works like this: your device downloads the current model, improves it by learning from data on your phone, and then summarizes the changes as a small focused update. Only this update to the model is sent to the cloud, using encrypted communication, where it is immediately averaged with other user updates to improve the shared model. All the training data remains on your device, and no individual updates are stored in the cloud.

Federated Learning allows for smarter models, lower latency, and less power consumption, all while ensuring privacy. And this approach has another immediate benefit: in addition to providing an update to the shared model, the improved model on your phone can also be used immediately, powering experiences personalized by the way you use your phone.

Papers:
https://arxiv.org/pdf/1602.05629.pdf , https://arxiv.org/pdf/1610.05492.pdf
google  ml  machine-learning  training  federated-learning  gboard  models  privacy  data-privacy  data-protection 
18 days ago by jm
UN privacy watchdog says 'little or no evidence' that mass surveillance works | ZDNet
The United Nations' special rapporteur on privacy has lambasted a spate of new surveillance laws across Europe and the US, saying that there is "little or no evidence" that mass monitoring of communications works. In a report published this week, Prof. Joseph Cannataci, the first privacy watchdog to take up the post, said he was neither convinced of the effectiveness or the proportionality "of some of the extremely privacy-intrusive measures that have been introduced by new surveillance laws."

He also said that bulk records collection, such as call and email metadata, runs the risk of "being hacked by hostile governments or organized crime."

Cannataci singled out recently-passed laws in France, Germany, the UK and the US, all of which have pushed through new legislation in the wake of the threat from the so-called Islamic State. He said that the passed laws amount to "gesture-politics," which in his words, "have seen politicians who wish to be seen to be doing something about security, legislating privacy-intrusive powers into being -- or legalize existing practices -- without in any way demonstrating that this is either a proportionate or indeed an effective way to tackle terrorism." A rise in public support of increased surveillance powers is "predicated on the psychology of fear," he said, referring to the perceived threat of terrorism.
surveillance  law  privacy  un  joseph-cannataci  watchdogs  terrorism  fear  fud 
5 weeks ago by jm
Minor Infractions — Real Life
When our son turned 12, we gave him a phone and allowed him to use social media, with a condition: He had no right to privacy. We would periodically and without warning read his texts and go through his messenger app. We would follow him on Facebook, Instagram and Twitter (though we wouldn’t comment or tag him — we’re not monsters). We wouldn’t ambush him about what we read and we wouldn’t attempt to embarrass him. Anything that wasn’t dangerous or illegal, we would ignore.


Food for thought. But not yet!
surveillance  family  kids  privacy  online  social-media  teenagers 
10 weeks ago by jm
What Vizio was doing behind the TV screen | Federal Trade Commission
This is awful:
Starting in 2014, Vizio made TVs that automatically tracked what consumers were watching and transmitted that data back to its servers. Vizio even retrofitted older models by installing its tracking software remotely. All of this, the FTC and AG allege, was done without clearly telling consumers or getting their consent.

What did Vizio know about what was going on in the privacy of consumers’ homes? On a second-by-second basis, Vizio collected a selection of pixels on the screen that it matched to a database of TV, movie, and commercial content. What’s more, Vizio identified viewing data from cable or broadband service providers, set-top boxes, streaming devices, DVD players, and over-the-air broadcasts. Add it all up and Vizio captured as many as 100 billion data points each day from millions of TVs.

Vizio then turned that mountain of data into cash by selling consumers’ viewing histories to advertisers and others. And let’s be clear: We’re not talking about summary information about national viewing trends. According to the complaint, Vizio got personal. The company provided consumers’ IP addresses to data aggregators, who then matched the address with an individual consumer or household. Vizio’s contracts with third parties prohibited the re-identification of consumers and households by name, but allowed a host of other personal details – for example, sex, age, income, marital status, household size, education, and home ownership.  And Vizio permitted these companies to track and target its consumers across devices.

That’s what Vizio was up to behind the screen, but what was the company telling consumers? Not much, according to the complaint.

Vizio put its tracking functionality behind a setting called “Smart Interactivity.”  But the FTC and New Jersey AG say that the generic way the company described that feature – for example, “enables program offers and suggestions” – didn’t give consumers the necessary heads-up to know that Vizio was tracking their TV’s every flicker. (Oh, and the “Smart Interactivity” feature didn’t even provide the promised “program offers and suggestions.”)
privacy  ftc  surveillance  tv  vizio  ads  advertising  smart-tvs 
11 weeks ago by jm
Data from pacemaker used to arrest man for arson, insurance fraud
Compton has medical conditions which include an artificial heart linked to an external pump. According to court documents, a cardiologist said that "it is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions."

After US law enforcement caught wind of this peculiar element to the story, police were able to secure a search warrant and collect the pacemaker's electronic records to scrutinize his heart rate, the demand on the pacemaker and heart rhythms prior to and at the time of the incident.
pacemakers  health  medicine  privacy  data  arson  insurance  fraud  heart 
11 weeks ago by jm
The hidden cost of QUIC and TOU
The recent movement to get all traffic encrypted has of course been great for the Internet. But the use of encryption in these protocols is different than in TLS. In TLS, the goal was to ensure the privacy and integrity of the payload. It's almost axiomatic that third parties should not be able to read or modify the web page you're loading over HTTPS. QUIC and TOU go further. They encrypt the control information, not just the payload. This provides no meaningful privacy or security benefits.

Instead the apparent goal is to break the back of middleboxes [0]. The idea is that TCP can't evolve due to middleboxes and is pretty much fully ossified. They interfere with connections in all kinds of ways, like stripping away unknown TCP options or dropping packets with unknown TCP options or with specific rare TCP flags set. The possibilities for breakage are endless, and any protocol extensions have to jump through a lot of hoops to try to minimize the damage.
quic  tou  protocols  http  tls  security  internet  crypto  privacy  firewalls  debugging  operability 
december 2016 by jm
IPBill ICRs are the perfect material for 21st-century blackmail
ICRs are the perfect material for blackmail, which makes them valuable in a way that traditional telephone records are not. And where potentially large sums of money are involved, corruption is sure to follow. Even if ICR databases are secured with the best available technology, they are still vulnerable to subversion by individuals whose jobs give them ready access.
This is no theoretical risk. Just one day ago, it emerged that corrupt insiders at offshore call centres used by Australian telecoms were offering to sell phone records, home addresses, and other private details of customers. Significantly, the price requested was more if the target was an Australian "VIP, politician, police [or] celebrity."
blackmail  privacy  uk-politics  uk  snooping  surveillance  icrs  australia  phone-records 
november 2016 by jm
Stealth Cell Tower
'an antagonistic GSM base station [disguised] in the form of an innocuous office printer. It brings the covert design practice of disguising cellular infrastructure as other things - like trees and lamp-posts - indoors, while mimicking technology used by police and intelligence agencies to surveil mobile phone users.'
gsm  hardware  art  privacy  surveillance  hacks  printers  mobile-phones 
november 2016 by jm
Remarks at the SASE Panel On The Moral Economy of Tech
Excellent talk. I love this analogy for ML applied to real-world data which affects people:
Treating the world as software promotes fantasies of control. And the best kind of control is control without responsibility. Our unique position as authors of software used by millions gives us power, but we don't accept that this should make us accountable. We're programmers—who else is going to write the software that runs the world? To put it plainly, we are surprised that people seem to get mad at us for trying to help. Fortunately we are smart people and have found a way out of this predicament. Instead of relying on algorithms, which we can be accused of manipulating for our benefit, we have turned to machine learning, an ingenious way of disclaiming responsibility for anything. Machine learning is like money laundering for bias. It's a clean, mathematical apparatus that gives the status quo the aura of logical inevitability. The numbers don't lie.


Particularly apposite today given Y Combinator's revelation that they use an AI bot to help 'sift admission applications', and don't know what criteria it's using: https://twitter.com/aprjoy/status/783032128653107200
culture  ethics  privacy  technology  surveillance  ml  machine-learning  bias  algorithms  software  control 
october 2016 by jm
Snooping powers saw 13 people wrongly held on child sex charges in the UK
Sorry, Daily Mail article --
Blunders in the use of controversial snooping powers meant 13 people were wrongly arrested last year on suspicion of being paedophiles. Another four individuals had their homes searched by detectives following errors in attempts to access communications data, a watchdog revealed yesterday.

Other mistakes also included people unconnected to an investigation being visited by police and delayed welfare checks on vulnerable people including children whose lives were at risk, said the Interception of Communications Commissioner. [....] A large proportion of the errors involved an internet address which was wrongly linked to an individual.

Of the 23 serious mistakes, 14 were human errors and the other nine ‘technical system errors’.
surveillance  ip-addresses  privacy  uk  daily-mail  snooping  interception  errors 
september 2016 by jm
The Internet Thinks I’m Still Pregnant - The New York Times
This is pretty awful -- an accidental, careless and brutal side effect of marketers passing on sensitive info to one another, without respect for their users' privacy:

'I hadn’t realized, however, that when I had entered my information into the pregnancy app, the company would then share it with marketing groups targeting new mothers. Although I logged my miscarriage into the app and stopped using it, that change in status apparently wasn’t passed along. Seven months after my miscarriage, mere weeks before my due date, I came home from work to find a package on my welcome mat. It was a box of baby formula bearing the note: “We may all do it differently, but the joy of parenthood is something we all share.”'
privacy  pregnancy  miscarriage  data-protection  apps  babies  parenthood 
september 2016 by jm
Sex toy tells manufacturer when you’re using it
the "We-Vibe 4 Plus" phones home with telemetry data including temperature, and when the user "changes the vibration level". wtf
wtf  privacy  sex-toys  telemetry  metrics  vibrators  we-vibe 
august 2016 by jm
Self-driving cars: overlooking data privacy is a car crash waiting to happen
Interesting point -- self-driving cars are likely to be awash in telemetry data, "phoned home"
self-driving  cars  vehicles  law  data  privacy  data-privacy  surveillance 
july 2016 by jm
Cops Use Stingray To Almost Track Down Suspected Fast Food Thief
Law enforcement spokespeople will often point to the handful of homicide or kidnapping investigations successfully closed with the assistance of cell site simulators, but they'll gloss over the hundreds of mundane deployments performed by officers who will use anything that makes their job easier -- even if it's a tool that's Constitutionally dubious.

Don't forget, when a cell site simulator is deployed, it gathers cell phone info from everyone in the surrounding area, including those whose chicken wings have been lawfully purchased. And all of this data goes... somewhere and is held onto for as long as the agency feels like it, because most agencies don't seem to have Stingray data retention policies in place until after they've been FOIA'ed/questioned by curious legislators.

Regular policework -- which seemed to function just fine without cell tracking devices -- now apparently can't be done without thousands of dollars of military equipment. And it's not just about the chicken wing thieves law enforcement can't locate. It's about the murder suspects who are caught but who walk away when the surveillance device wipes its feet on the Fourth Amendment as it serves up questionable, post-facto search warrants and pen register orders.
stingrays  mobile  surveillance  imsi-catchers  data-retention  privacy  chicken-wings  fast-food 
june 2016 by jm
Sample letter to refuse permission for a child's data to be transferred into POD - Tuppenceworth.ie blog
The Department of Education has issued a new circular accepting it cannot defund the education of children whose parents do not want their kid’s data to be in POD [the privacy-infringing database of all Irish primary-school children]. They’ll only accept a written request as the basis of that refusal, however. So, here’s one you can use that meets the requirements. Send or give it to your school.
pod  privacy  ireland  children  kids  school 
june 2016 by jm
Differential Privacy
Apple have announced they plan to use it; Google use a DP algorithm called RAPPOR in Chrome usage statistics. In summary: "novel privacy technology that allows inferring statistics about populations while preserving the privacy of individual users".
apple  privacy  anonymization  google  rappor  algorithms  sampling  populations  statistics  differential-privacy 
june 2016 by jm
Ireland goes Big Brother as police upgrade snooping abilities - The Register
The Garda Síochána has proposed to expand its surveillance on Irish citizens by swelling the amount of data it collects on them through an increase in its CCTV and ANPR set-ups, and will also introduce facial and body-in-a-crowd biometrics technologies. [...] The use of Automated Facial Recognition (AFR) technology is fairly troubled in the UK, with the independent biometrics commissioner warning the government that it was risking inviting a legal challenge back in March. It is no less of an issue in Ireland, where the Data Protection Commissioner (DPC) audited Facebook in 2011 and 2012, and scolded the Zuckerborg over its use of facial recognition technology.
afr  facial-recognition  minority-report  surveillance  ireland  gardai  cctv  anpr  biometrics  privacy 
june 2016 by jm
German Privacy Regulators Fined Adobe, Others Over U.S. Data Transfers
Adobe was fined 8,000 euros, Punica 9,000 euros and Unilever 11,000 euros. The regulator said they had put in place alternative legal mechanisms for transferring data to the United States following the fine. “The fact that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favorable way for the calculation of the fines,” said Johannes Caspar, the Hamburg Commissioner for Data Protection. “For future infringements, stricter measures have to be applied.”
data-protection  eu  fines  us  privacy  safe-harbor 
june 2016 by jm
MPs’ private emails are routinely accessed by GCHQ
65% of parliamentary emails are routed via Dublin or the Netherlands, so liable to access via Tempora; NSA's Prism program gives access to all Microsoft Office 365 docs; and MessageLabs, the anti-spam scanning system in use, has a GCHQ backdoor program called Haruspex, allegedly.
snowden  privacy  mps  uk  politics  gchq  nsa  haruspex  messagelabs  symantec  microsoft  parliament 
june 2016 by jm
Public preferences for electronic health data storage, access, and sharing – evidence from a pan-European survey | Journal of the American Medical Informatics Association
Results: We obtained 20 882 survey responses (94 606 preferences) from 27 EU member countries. Respondents recognized the benefits of storing electronic health information, with 75.5%, 63.9%, and 58.9% agreeing that storage was important for improving treatment quality, preventing epidemics, and reducing delays, respectively. Concerns about different levels of access by third parties were expressed by 48.9% to 60.6% of respondents. On average, compared to devices or systems that only store basic health status information, respondents preferred devices that also store identification data (coefficient/relative preference 95% CI = 0.04 [0.00-0.08], P = 0.034) and information on lifelong health conditions (coefficient = 0.13 [0.08 to 0.18], P < 0.001), but there was no evidence of this for devices with information on sensitive health conditions such as mental and sexual health and addictions (coefficient = −0.03 [−0.09 to 0.02], P = 0.24). Respondents were averse to their immediate family (coefficient = −0.05 [−0.05 to −0.01], P = 0.011) and home care nurses (coefficient = −0.06 [−0.11 to −0.02], P = 0.004) viewing this data, and strongly averse to health insurance companies (coefficient = −0.43 [−0.52 to 0.34], P < 0.001), private sector pharmaceutical companies (coefficient = −0.82 [−0.99 to −0.64], P < 0.001), and academic researchers (coefficient = −0.53 [−0.66 to −0.40], P < 0.001) viewing the data.

Conclusions: Storing more detailed electronic health data was generally preferred, but respondents were averse to wider access to and sharing of this information. When developing frameworks for the use of electronic health data, policy makers should consider approaches that both highlight the benefits to the individual and minimize the perception of privacy risks.


Via Antoin.
privacy  data  medicine  health  healthcare  papers  via:antoin 
april 2016 by jm
Primary Online Database: POD now (mostly) not compulsory (for now)
Ever since the introduction of the Primary Online Database of schoolchildren by the Department of Education, the Department and its Minister have been eager to point out that any parent who refused to allow a child’s data to be transferred would see that child’s education defunded.

Well, for all children other than this week’s crop of new Junior Infants, that threat has now collapsed. This is despite the Minister and her department having claimed that the drastic threat of defunding was because it simply wasn’t possible to give grants without a child’s full data being transferred. [...]

Oddly, as the prospect of defunding the education of 30% of the nation’s children in the run up to an election loomed large, the Department discovered it could, after all, pay for a child’s education without all its POD data.
pod  law  ireland  data-protection  privacy  children  school 
april 2016 by jm
Mass surveillance silences minority opinions, according to study - The Washington Post
This is excellent research, spot on.
Elizabeth Stoycheff, lead researcher of the study and assistant professor at Wayne State University, is disturbed by her findings. “So many people I've talked with say they don't care about online surveillance because they don't break any laws and don't have anything to hide. And I find these rationales deeply troubling,” she said.

She said that participants who shared the “nothing to hide” belief, those who tended to support mass surveillance as necessary for national security, were the most likely to silence their minority opinions.

“The fact that the 'nothing to hide' individuals experience a significant chilling effect speaks to how online privacy is much bigger than the mere lawfulness of one's actions. It's about a fundamental human right to have control over one's self-presentation and image, in private, and now, in search histories and metadata,” she said.
culture  privacy  psychology  surveillance  mass-surveillance  via:snowden  nothing-to-hide  spiral-of-silence  fear 
march 2016 by jm
Microsoft warns of risks to Irish operation in US search warrant case

“Our concern is that if we lose the case more countries across Europe or elsewhere are going to be concerned about having their data in Ireland, ” Mr Smith said, after testifying before the House judiciary committee.
Asked what would happen to its Irish unit if the company loses the case or doesn’t convince Congress to pass updated legislation governing cross-border data held by American companies, the Microsoft executive said: “We’ll certainly face a new set of risks that we don’t face today.”
He added that the issue could be resolved by an executive order by the White House or through international negotiations between the Irish Government or the European Union and the US.
microsoft  data  privacy  us-politics  surveillance  usa 
february 2016 by jm
Exclusive: Snowden intelligence docs reveal UK spooks' malware checklist / Boing Boing
This is an excellent essay from Cory Doctorow on mass surveillance in the post-Snowden era, and the difference between HUMINT and SIGINT. So much good stuff, including this (new to me) cite for, "Goodhart's law", on secrecy as it affects adversarial classification:
The problem with this is that once you accept this framing, and note the happy coincidence that your paymasters just happen to have found a way to spy on everyone, the conclusion is obvious: just mine all of the data, from everyone to everyone, and use an algorithm to figure out who’s guilty. The bad guys have a Modus Operandi, as anyone who’s watched a cop show knows. Find the MO, turn it into a data fingerprint, and you can just sort the firehose’s output into ”terrorist-ish” and ”unterrorist-ish.”

Once you accept this premise, then it’s equally obvious that the whole methodology has to be kept from scrutiny. If you’re depending on three ”tells” as indicators of terrorist planning, the terrorists will figure out how to plan their attacks without doing those three things.

This even has a name: Goodhart's law. "When a measure becomes a target, it ceases to be a good measure." Google started out by gauging a web page’s importance by counting the number of links they could find to it. This worked well before they told people what they were doing. Once getting a page ranked by Google became important, unscrupulous people set up dummy sites (“link-farms”) with lots of links pointing at their pages.
adversarial-classification  classification  surveillance  nsa  gchq  cory-doctorow  privacy  snooping  goodharts-law  google  anti-spam  filtering  spying  snowden 
february 2016 by jm
Journalists, this GSOC story isn’t all about you, you know
Karlin Lillington in the Irish Times, going through journos for a shortcut:
All the hand-wringing from journalists, unions and media companies – even politicians and ministers – over the GSOC’s accessing of journalist’s call records? Oh, please. What wilful ignorance, mixed with blatant hypocrisy. Where have you all been for the past decade and a half, as successive Irish governments and ministers for justice supported and then rammed through legislation for mandatory call data retention for one of the longest periods in the world, with some of the weakest legal constraints and oversight?
karlin-lillington  privacy  data-protection  dri  law  journalists  gsoc  surveillance  data-retention 
january 2016 by jm
EU counter-terror bill is 'indiscriminate' data sweep
"To identify if someone is travelling outside the EU, we don't need an EU PNR. This data are already easily available in the airline reservation system,” [Giovanni Buttarelli, the European data protection supervisor] said. EU governments want more information in the belief it will help law enforcement in tracking down terrorists and are demanding access to information, such as travel dates, travel itinerary, ticket information, contact details, baggage information, and payment information of anyone flying in or out of the EU. ... EU PNR data would be retained for up to five years
pnr  eu  law  privacy  data-protection  europe  counter-terrorism  travel  air-travel 
december 2015 by jm
One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids | Motherboard
VTech got hacked, and millions of parents and 200,000 kids had their privacy breached as a result. Bottom line is summed up by this quote from one affected parent:
“Why do you need know my address, why do you need to know all this information just so I can download a couple of free books for my kid on this silly pad thing? Why did they have all this information?”


Quite. Better off simply not to have the data in the first place!
vtech  privacy  data-protection  data  hacks 
november 2015 by jm
Did you know that Dublin Airport is recording your phone's data? - Newstalk
Ugh. Queue tracking using secret MAC address tracking in Dublin Airport:
"I think the fundamental issue is one of consent. Dublin Airport have been tracking individual MAC addresses since 2012 and there doesn't appear to be anywhere in the airport where they warn passengers that this is this occurring. "If they have to signpost CCTV, then mobile phone tracking should at a very minimum be sign-posted for passengers," he continues.


And how long are MAC addresses retained for, I wonder?
mac-addresses  dublin-airport  travel  privacy  surveillance  tracking  wifi  phones  cctv  consent 
november 2015 by jm
No Harm, No Fowl: Chicken Farm Inappropriate Choice for Data Disposal
That’s a lesson that Spruce Manor Special Care Home in Saskatchewan had to learn the hard way (as surprising as that might sound). As a trustee with custody of personal health information, Spruce Manor was required under section 17(2) of the Saskatchewan Health Information Protection Act to dispose of its patient records in a way that protected patient privacy. So, when Spruce Manor chose a chicken farm for the job, it found itself the subject of an investigation by the Saskatchewan Information and Privacy Commissioner.  In what is probably one of the least surprising findings ever, the commissioner wrote in his final report that “I recommend that Spruce Manor […] no longer use [a] chicken farm to destroy records”, and then for good measure added “I find using a chicken farm to destroy records unacceptable.”
data  law  privacy  funny  chickens  farming  via:pinboard  data-protection  health  medical-records 
november 2015 by jm
User data plundering by Android and iOS apps is as rampant as you suspected
An app from Drugs.com, meanwhile, sent the medical search terms "herpes" and "interferon" to five domains, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com, although those domains didn't receive other personal information.
privacy  security  google  tracking  mobile  phones  search  pii 
november 2015 by jm
Tesla Autopilot mode is learning
This is really impressive, but also a little scary. Drivers driving the Tesla Model S are "phoning home" training data as they drive:
A Model S owner by the username Khatsalano kept a count of how many times he had to “rescue” (meaning taking control after an alert) his Model S while using the Autopilot on his daily commute. He counted 6 “rescues” on his first day, by the fourth day of using the system on his 23.5 miles commute, he only had to take control over once. Musk said that Model S owners could add ~1 million miles of new data every day, which is helping the company create “high precision maps”.


Wonder if the data protection/privacy implications have been considered for EU use.
autopilot  tesla  maps  mapping  training  machine-learning  eu  privacy  data-protection 
november 2015 by jm
Your Relative's DNA Could Turn You Into A Suspect
Familial DNA searching has massive false positives, but is being used to tag suspects:
The bewildered Usry soon learned that he was a suspect in the 1996 murder of an Idaho Falls teenager named Angie Dodge. Though a man had been convicted of that crime after giving an iffy confession, his DNA didn’t match what was found at the crime scene. Detectives had focused on Usry after running a familial DNA search, a technique that allows investigators to identify suspects who don’t have DNA in a law enforcement database but whose close relatives have had their genetic profiles cataloged. In Usry’s case the crime scene DNA bore numerous similarities to that of Usry’s father, who years earlier had donated a DNA sample to a genealogy project through his Mormon church in Mississippi. That project’s database was later purchased by Ancestry, which made it publicly searchable—a decision that didn’t take into account the possibility that cops might someday use it to hunt for genetic leads.

Usry, whose story was first reported in The New Orleans Advocate, was finally cleared after a nerve-racking 33-day wait — the DNA extracted from his cheek cells didn’t match that of Dodge’s killer, whom detectives still seek. But the fact that he fell under suspicion in the first place is the latest sign that it’s time to set ground rules for familial DNA searching, before misuse of the imperfect technology starts ruining lives.
dna  familial-dna  false-positives  law  crime  idaho  murder  mormon  genealogy  ancestry.com  databases  biometrics  privacy  genes 
october 2015 by jm
How is NSA breaking so much crypto?
If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.
How enormous a computation, you ask? Possibly a technical feat on a scale (relative to the state of computing at the time) not seen since the Enigma cryptanalysis during World War II. Even estimating the difficulty is tricky, due to the complexity of the algorithm involved, but our paper gives some conservative estimates. For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.
Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.


(via Eric)
via:eric  encryption  privacy  security  nsa  crypto 
october 2015 by jm
After Bara: All your (Data)base are belong to us
Sounds like the CJEU's Bara decision may cause problems for the Irish government's wilful data-sharing:
Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.
data  databases  bara  cjeu  eu  law  privacy  data-protection 
october 2015 by jm
Tech companies like Facebook not above the law, says Max Schrems
“Big companies didn’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses. But it’s interesting that the court decided the case on fundamental rights grounds: so it doesn’t matter remotely what ground you transfer on, if that process is still illegal under 7 and 8 of charter, it can’t be done.”


Also:
“Ireland has no interest in doing its job, and will continue not to, forever. Clearly it’s an investment issue – but overall the policy is: we don’t regulate companies here. The cost of challenging any of this in the courts is prohibitive. And the people don’t seem to care.”


:(
ireland  guardian  max-schrems  privacy  surveillance  safe-harbor  eu  us  nsa  dpc  data-protection 
october 2015 by jm
net.wars: Unsafe harbor
Wendy Grossman on where the Safe Harbor decision is leading.
One clause would require European companies to tell their relevant data protection authorities if they are being compelled to turn over data - even if they have been forbidden to disclose this under US law. Sounds nice, but doesn't mobilize the rock or soften the hard place, since companies will still have to pick a law to violate. I imagine the internal discussions there revolving around two questions: which violation is less likely to land the CEO in jail and which set of fines can we afford?


(via Simon McGarr)
safe-harbor  privacy  law  us  eu  surveillance  wendy-grossman  via:tupp_ed 
october 2015 by jm
ECJ ruling on Irish privacy case has huge significance
The only current way to comply with EU law, the judgment indicates, is to keep EU data within the EU. Whether those data can be safely managed within facilities run by US companies will not be determined until the US rules on an ongoing Microsoft case.
Microsoft stands in contempt of court right now for refusing to hand over to US authorities, emails held in its Irish data centre. This case will surely go to the Supreme Court and will be an extremely important determination for the cloud business, and any company or individual using data centre storage. If Microsoft loses, US multinationals will be left scrambling to somehow, legally firewall off their EU-based data centres from US government reach.


(cough, Amazon)
aws  hosting  eu  privacy  surveillance  gchq  nsa  microsoft  ireland 
october 2015 by jm
The Surveillance Elephant in the Room…
Very perceptive post on the next steps for safe harbor, post-Schrems.
And behind that elephant there are other elephants: if US surveillance and surveillance law is a problem, then what about UK surveillance? Is GCHQ any less intrusive than the NSA? It does not seem so – and this puts even more pressure on the current reviews of UK surveillance law taking place. If, as many predict, the forthcoming Investigatory Powers Bill will be even more intrusive and extensive than current UK surveillance laws this will put the UK in a position that could rapidly become untenable. If the UK decides to leave the EU, will that mean that the UK is not considered a safe place for European data? Right now that seems the only logical conclusion – but the ramifications for UK businesses could be huge.

[....] What happens next, therefore, is hard to foresee. What cannot be done, however, is to ignore the elephant in the room. The issue of surveillance has to be taken on. The conflict between that surveillance and fundamental human rights is not a merely semantic one, or one for lawyers and academics, it’s a real one. In the words of historian and philosopher Quentin Skinner “the current situation seems to me untenable in a democratic society.” The conflict over Safe Harbor is in many ways just a symptom of that far bigger problem. The biggest elephant of all.
ec  cjeu  surveillance  safe-harbor  schrems  privacy  europe  us  uk  gchq  nsa 
october 2015 by jm
5 takeaways from the death of safe harbor – POLITICO
Reacting to the ruling, the [EC] stressed that data transfers between the U.S. and Europe can continue on the basis of other legal mechanisms.

A lot rides on what steps the Commission and national data protection supervisors take in response. “It is crucial for legal certainty that the EC sends a clear signal,” said Nauwelaerts.

That could involve providing a timeline for concluding an agreement with U.S. authorities, together with a commitment from national data protection authorities not to block data transfers while negotiations are on-going, he explained.
safe-harbor  data  privacy  eu  ec  snowden  law  us 
october 2015 by jm
Daragh O'Brien on the CJEU judgement on Safe Harbor
Many organisations I've spoken to have had the cunning plan of adopting model contract clauses as their fall back position to replace their reliance on Safe Harbor. [....] The best that can be said for Model Clauses is that they haven't been struck down by the CJEU. Yet.
model-clauses  cjeu  eu  europe  safe-harbor  us  nsa  surveillance  privacy  law 
october 2015 by jm
Schneier on Automatic Face Recognition and Surveillance
When we talk about surveillance, we tend to concentrate on the problems of data collection: CCTV cameras, tagged photos, purchasing habits, our writings on sites like Facebook and Twitter. We think much less about data analysis. But effective and pervasive surveillance is just as much about analysis. It's sustained by a combination of cheap and ubiquitous cameras, tagged photo databases, commercial databases of our actions that reveal our habits and personalities, and ­-- most of all ­-- fast and accurate face recognition software.

Don't expect to have access to this technology for yourself anytime soon. This is not facial recognition for all. It's just for those who can either demand or pay for access to the required technologies ­-- most importantly, the tagged photo databases. And while we can easily imagine how this might be misused in a totalitarian country, there are dangers in free societies as well. Without meaningful regulation, we're moving into a world where governments and corporations will be able to identify people both in real time and backwards in time, remotely and in secret, without consent or recourse.

Despite protests from industry, we need to regulate this budding industry. We need limitations on how our images can be collected without our knowledge or consent, and on how they can be used. The technologies aren't going away, and we can't uninvent these capabilities. But we can ensure that they're used ethically and responsibly, and not just as a mechanism to increase police and corporate power over us.
privacy  regulation  surveillance  bruce-schneier  faces  face-recognition  machine-learning  ai  cctv  photos 
october 2015 by jm
In China, Your Credit Score Is Now Affected By Your Political Opinions – And Your Friends’ Political Opinions
China just introduced a universal credit score, where everybody is measured as a number between 350 and 950. But this credit score isn’t just affected by how well you manage credit – it also reflects how well your political opinions are in line with Chinese official opinions, and whether your friends’ are, too.


Measuring using online mass surveillance, naturally. This may be the most dystopian thing I've heard in a while....
via:raycorrigan  dystopia  china  privacy  mass-surveillance  politics  credit  credit-score  loans  opinions 
october 2015 by jm
From Radio to Porn, British Spies Track Web Users’ Online Identities
Inside KARMA POLICE, GCHQ's mass-surveillance operation aimed to record the browsing habits of "every visible user on the internet", including UK-to-UK internal traffic. more details on the other GCHQ mass surveillance projects at https://theintercept.com/gchq-appendix/
surveillance  gchq  security  privacy  law  uk  ireland  karma-police  snooping 
september 2015 by jm
What Happens Next Will Amaze You
Maciej Ceglowski's latest talk, on ads, the web, Silicon Valley and government:
'I went to school with Bill. He's a nice guy. But making him immortal is not going to make life better for anyone in my city. It will just exacerbate the rent crisis.'
talks  slides  funny  ads  advertising  internet  web  privacy  surveillance  maciej  silicon-valley 
september 2015 by jm
EU court adviser: data-share deal with U.S. is invalid | Reuters
The Safe Harbor agreement does not do enough to protect EU citizen's private information when it reached the United States, Yves Bot, Advocate General at the European Court of Justice (ECJ), said. While his opinions are not binding, they tend to be followed by the court's judges, who are currently considering a complaint about the system in the wake of revelations from ex-National Security Agency contractor Edward Snowden of mass U.S. government surveillance.
safe-harbor  law  eu  ec  ecj  snowden  surveillance  privacy  us  data  max-schrems 
september 2015 by jm
Chinese scammers are now using Stingray tech to SMS-phish
A Stingray-style false GSM base station, hidden in a backpack; presumably they detect numbers in the vicinity, and SMS-spam those numbers with phishing messages. Reportedly the scammers used this trick in "Guangzhou, Zhuhai, Shenzhen, Changsha, Wuhan, Zhengzhou and other densely populated cities".

Dodgy machine translation:
March 26, Zhengzhou police telecommunications fraud cases together, for the first time seized a small backpack can hide pseudo station equipment, and arrested two suspects. Yesterday, the police informed of this case, to remind the general public to pay attention to prevention.

“I am the landlord, I changed number, please rent my wife hit the bank card, card number ×××, username ××.” Recently, Jiefang Road, Zhengzhou City Public Security Bureau police station received a number of cases for investigation brigade area of ​​the masses police said, frequently received similar phone scam messages. Alarm, the police investigators to determine: the suspect may be in the vicinity of twenty-seven square, large-scale use of mobile pseudo-base release fraudulent information. [...]

Yesterday afternoon, the Jiefang Road police station, the reporter saw the portable pseudo-base is made up of two batteries, a set-top box the size of the antenna box and a chassis, as well as a pocket computer composed together at most 5 kg.


(via t byfield and Danny O'Brien)
via:mala  via:tbyfield  privacy  scams  phishing  sms  gsm  stingray  base-stations  mobile  china 
august 2015 by jm
How your entire financial life will be stored in a new 'digital vault' - Telegraph
In a move to make it easier to open bank accounts and Isas, people will be asked to share all of their accounts, tax records and personal details with a central service.
To check someone's identity, a company would then ask potential customers a series of questions and check the answers against the information in the vault. The checks would replace the current system in which new customers must send by post copies of their passports, cross-signed by a friend, along with bank statements and utility bills.


hahahaha NO FUCKING WAY.
bills  banking  uk  tax  privacy  digital-vault  accounts  authentication  identity-theft  bad-ideas 
august 2015 by jm
Care.data and access to UK health records: patient privacy and public trust
'In 2013, the United Kingdom launched care.data, an NHS England initiative to combine patient records, stored in the machines of general practitioners (GPs), with information from social services and hospitals to make one centralized data archive. One aim of the initiative is to gain a picture of the care being delivered between different parts of the healthcare system and thus identify what is working in health care delivery, and what areas need greater attention and resources. This case study analyzes the complications around the launch of care.data. It explains the historical context of the program and the controversies that emerged in the course of the rollout. It explores problems in management and communications around the centralization effort, competing views on the safety of “anonymous” and “pseudonymous” health data, and the conflicting legal duties imposed on GPs with the introduction of the 2012 Health and Social Care Act. This paper also explores the power struggles in the battle over care.data and outlines the tensions among various stakeholders, including patients, GPs, the Health and Social Care Information Centre (HSCIC), the government, privacy experts and data purchasers. The predominant public policy question that emerges from this review centers on how best to utilize technological advances and simultaneously strike a balance between the many competing interests around health and personal privacy.'
care.data  privacy  healthcare  uk  nhs  trust  anonymity  anonymization  gps  medicine 
august 2015 by jm
That time the Internet sent a SWAT team to my mom's house - Boing Boing
The solution is for social media sites and the police to take threats or jokes about swatting, doxxing, and organized crime seriously. Tweeting about buying a gun and shooting up a school would be taken seriously, and so should the threat of raping, doxxing, swatting or killing someone. Privacy issues and online harassment are directly linked, and online harassment isn’t going anywhere. My fear is that, in reaction to online harassment, laws will be passed that will break down our civil freedoms and rights online, and that more surveillance will be sold to users under the guise of safety. More surveillance, however, would not have helped me or my mother. A platform that takes harassment and threats seriously instead of treating them like jokes would have.
twitter  gamergate  4chan  8chan  privacy  doxxing  swatting  harrassment  threats  social-media  facebook  law  feminism 
july 2015 by jm
"Customer data is a liability, not an asset."
Great turn of phrase from Matthew Green (@matthew_d_green). Emin Gün Sirer adds some detail: "well, an asset with bounded value, and an unbounded liability"
data  privacy  data-protection  ashleymadison  hacks  security  liability 
july 2015 by jm
Government forum to discuss increasing use of personal data
Mr Murphy said it was the Government’s objective for Ireland to be a leader on data protection and data-related issues.
The members of the forum include Data Protection Commissioner Helen Dixon, John Barron, chief technology officer with the Revenue Commissioners, Seamus Carroll, head of civil law reform division at the Department of Justice and Tim Duggan, assistant secretary with the Department of Social Protection.
Gary Davis, director of privacy and law enforcement requests with Apple, is also on the forum. Mr Davis is a former deputy data protection commissioner in Ireland.
There are also representatives from Google, Twitter, LinkedIn and Facebook, from the IDA, the Law Society and the National Statistics Board.
Chair of Digital Rights Ireland Dr TJ McIntyre and Dr Eoin O’Dell, associate professor, School of Law, Trinity College Dublin are also on the voluntary forum.
ireland  government  dri  law  privacy  data  data-protection  dpc 
july 2015 by jm
China’s Spies Hit the Blackmail Jackpot With Data on 4 Million Federal Workers
The Daily Beast is scathing re the OPM hack:
Here’s where things start to get scary. Whoever has OPM’s records knows an astonishing amount about millions of federal workers, members of the military, and security clearance holders. They can now target those Americans for recruitment or influence. After all, they know their vices, every last one—the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side—since all that is recorded in security clearance paperwork. (To get an idea of how detailed this gets, you can see the form, called an SF86, here.) Speaking as a former counterintelligence officer, it really doesn’t get much worse than this.
daily-beast  sf86  clearance  us-government  america  china  cyberwar  hacking  opm  privacy 
june 2015 by jm
The Violence of Algorithms: Why Big Data Is Only as Smart as Those Who Generate It
The modern state system is built on a bargain between governments and citizens. States provide collective social goods, and in turn, via a system of norms, institutions, regulations, and ethics to hold this power accountable, citizens give states legitimacy. This bargain created order and stability out of what was an increasingly chaotic global system. If algorithms represent a new ungoverned space, a hidden and potentially ever-evolving unknowable public good, then they are an affront to our democratic system, one that requires transparency and accountability in order to function. A node of power that exists outside of these bounds is a threat to the notion of collective governance itself. This, at its core, is a profoundly undemocratic notion—one that states will have to engage with seriously if they are going to remain relevant and legitimate to their digital citizenry who give them their power.
palantir  algorithms  big-data  government  democracy  transparency  accountability  analytics  surveillance  war  privacy  protest  rights 
june 2015 by jm
How the NSA Converts Spoken Words Into Searchable Text - The Intercept
This hits the nail on the head, IMO:
To Phillip Rogaway, a professor of computer science at the University of California, Davis, keyword-search is probably the “least of our problems.” In an email to The Intercept, Rogaway warned that “When the NSA identifies someone as ‘interesting’ based on contemporary NLP methods, it might be that there is no human-understandable explanation as to why beyond: ‘his corpus of discourse resembles those of others whom we thought interesting'; or the conceptual opposite: ‘his discourse looks or sounds different from most people’s.' If the algorithms NSA computers use to identify threats are too complex for humans to understand, it will be impossible to understand the contours of the surveillance apparatus by which one is judged.  All that people will be able to do is to try your best to behave just like everyone else.”
privacy  security  gchq  nsa  surveillance  machine-learning  liberty  future  speech  nlp  pattern-analysis  cs 
may 2015 by jm
In the privacy of your own home
I didn't know about this:
Last spring, as 41,000 runners made their way through the streets of Dublin in the city’s Women’s Mini Marathon, an unassuming redheaded man by the name of Candid Wueest stood on the sidelines with a scanner. He had built it in a couple of hours with $75 worth of parts, and he was using it to surreptitiously pick up data from activity trackers worn on the runners’ wrists. During the race, Wueest managed to collect personal info from 563 racers, including their names, addresses, and passwords, as well as the unique IDs of the devices they were carrying.
dublin  candid-wueest  privacy  data  marathon  running  iot  activity-trackers 
may 2015 by jm
Privacy Security Talk in TOG – 22nd April @ 7pm – FREE
Dublin is lucky enough to have great speakers pass through town on occasion and on Wednesday the 22nd April 2015, Runa A. Sandvik (@runasand) and Per Thorsheim (@thorsheim) have kindly offered to speak in TOG from 7pm. The format for the evening is a general meet and greet, but both speakers have offered to give a presentation on a topic of their choice. Anyone one interested in privacy, security, journalism, Tor and/or has previously attended a CryptoParty would be wise to attend. Doors are from 7pm and bring any projects with you you would like to share with other attendees. This is a free event, open to the public and no need to book. See you Wednesday.

Runa A. Sandvik is an independent privacy and security researcher, working at the intersection of technology, law and policy. She contributes to The Tor Project, writes for Forbes, and is a technical advisor to both the Freedom of the Press Foundation and the TrueCrypt Audit project.

Per Thorsheim as founder/organizer of PasswordsCon.org, his topic of choice is of course passwords, but in a much bigger context than most people imagine. Passwords, pins, biometrics, 2-factor authentication, security/usability and all the way into surveillance and protecting your health, kids and life itself.
privacy  security  runa-sandvik  per-thorsheim  passwords  tor  truecrypt  tog  via:oisin  events  dublin 
april 2015 by jm
Tim Bray on one year as an xoogler
Seems pretty insightful; particularly "I do think the In­ter­net econ­o­my would be bet­ter and more hu­mane if it didn’t have a sin­gle white-hot highly-overprivileged cen­ter. Al­so, soon­er or lat­er that’ll stop scal­ing. Can’t hap­pen too soon."
google  tim-bray  via:nelson  xoogler  funding  tech  privacy  ads  internet 
march 2015 by jm
EU-US data pact skewered in court hearing
A lawyer for the European Commission told an EU judge on Tuesday (24 March) he should close his Facebook page if he wants to stop the US snooping on him, in what amounts to an admission that Safe Harbour, an EU-US data protection pact, doesn’t work.
safe-harbour  privacy  data-protection  ecj  eu  ec  surveillance  facebook  nsa  gchq 
march 2015 by jm
ECJ case debates EU citizens' right to privacy
The US wields secretive and indiscriminate powers to collect data, he said, and had never offered Brussels any commitments to guarantee EU privacy standards for its citizens’ data. On the contrary, said [Max Schrems' counsel] Mr Hoffmann, “Safe Harbour” provisions could be overruled by US domestic law at any time.
Thus he asked the court for a full judicial review of the “illegal” Safe Harbour principles which, he said, violated the essence of privacy and left EU citizens “effectively stripped of any protection”.
[Irish] DPC counsel Paul Anthony McDermott SC suggested that Mr Schrems had not been harmed in any way by the status quo. “This is not surprising, given that the NSA isn’t currently interested in the essays of law students in Austria,” he said.
Mr Travers for Mr Schrems disagreed, saying “the breach of the right to privacy is itself the harm”.
ireland  dpc  data-protection  privacy  eu  ec  ecj  law  rights  safe-harbour 
march 2015 by jm
Meet the man whose utopian vision for the Internet conquered, and then warped, Silicon Valley - The Washington Post
Thought-provoking article looking back to John Perry Barlow's "A Declaration of the Independence of Cyberspace", published in 1996:
Barlow once wrote that “trusting the government with your privacy is like having a Peeping Tom install your window blinds.” But the Barlovian focus on government overreach leaves its author and other libertarians blind to the same encroachments on our autonomy from the private sector. The bold and romantic techno-utopian ideals of “A Declaration” no longer need to be fought for, because they’re already gone.
john-perry-barlow  1990s  history  cyberspace  internet  surveillance  privacy  data-protection  libertarianism  utopian  manifestos 
march 2015 by jm
Ireland accused of weakening data rules
Privacy campaign group Lobbyplag puts Ireland one of top three offenders in pushing for changes to EU privacy law
privacy  data-protection  lobbyplag  ireland  eu  germany  lobbying 
march 2015 by jm
Ask the Decoder: Did I sign up for a global sleep study?
How meaningful is this corporate data science, anyway? Given the tech-savvy people in the Bay Area, Jawbone likely had a very dense sample of Jawbone wearers to draw from for its Napa earthquake analysis. That allowed it to look at proximity to the epicenter of the earthquake from location information.

Jawbone boasts its sample population of roughly “1 million Up wearers who track their sleep using Up by Jawbone.” But when looking into patterns county by county in the U.S., Jawbone states, it takes certain statistical liberties to show granularity while accounting for places where there may not be many Jawbone users.

So while Jawbone data can show us interesting things about sleep patterns across a very large population, we have to remember how selective that population is. Jawbone wearers are people who can afford a $129 wearable fitness gadget and the smartphone or computer to interact with the output from the device.

Jawbone is sharing what it learns with the public, but think of all the public health interests or other third parties that might be interested in other research questions from a large scale data set. Yet this data is not collected with scientific processes and controls and is not treated with the rigor and scrutiny that a scientific study requires.

Jawbone and other fitness trackers don’t give us the option to use their devices while opting out of contributing to the anonymous data sets they publish. Maybe that ought to change.
jawbone  privacy  data-protection  anonymization  aggregation  data  medicine  health  earthquakes  statistics  iot  wearables 
march 2015 by jm
"Everything you've ever said to Siri/Cortana has been recorded...and I get to listen to it"
This should be a reminder.
At first, I though these sound bites were completely random. Then I began to notice a pattern. Soon, I realized that I was hearing peoples commands given to their mobile devices. Guys, I'm telling you, if you've said it to your phone, it's been recorded...and there's a damn good chance a 3rd party is going to hear it.
privacy  google  siri  cortana  android  voice-recognition  outsourcing  mobile 
march 2015 by jm
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
Holy shit. Gemalto totally rooted.
With [Gemalto's] stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

[...] According to one secret GCHQ slide, the British intelligence agency penetrated Gemalto’s internal networks, planting malware on several computers, giving GCHQ secret access. We “believe we have their entire network,” the slide’s author boasted about the operation against Gemalto.
encryption  security  crypto  nsa  gchq  gemalto  smartcards  sim-cards  privacy  surveillance  spying 
february 2015 by jm
Police have asked Dropcam for video from people's home cameras -- Fusion
“Like any responsible father, Hugh Morrison had installed cameras in every room in the flat,” is the opening line of Intrusion, a 2012 novel set in the near future. Originally installed so that Hugh and his wife can keep an eye on their kids, the Internet-connected cameras wind up being used later in the novel by police who tap into the feeds to monitor the couple chatting on their couch when they are suspected of anti-societal behavior. As with so many sci-fi scenarios, the novel’s vision was prophetic. People are increasingly putting small Internet-connected cameras into their homes. And law enforcement officials are using the cameras to collect evidence about them.
privacy  dropcam  cameras  surveillance  law-enforcement 
february 2015 by jm
Superfish: A History Of Malware Complaints And International Surveillance - Forbes
Superfish, founded and led by former Intel employee and ex-surveillance boffin Adi Pinhas, has been criticised by users the world over since its inception in 2006.
superfish  lenovo  privacy  surveillance  ads  java  windows  mac  firefox  pups  ssl  tls  ad-injection  komodia 
february 2015 by jm
South Korea faces $1bn bill after hackers raid national ID database • The Register
Simon McGarr says: '80% of S.Korea's population have had their ID number stolen, crimewave ongoing. >> Turns out a pot of honey is sweet'
fail  south-korea  korea  security  id-cards  ssn  id-numbers  privacy 
february 2015 by jm
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
'"Equation Group" ran the most advanced hacking operation ever uncovered.' Mad stuff. The security industry totally failed here
nsa  privacy  security  surveillance  hacking  keyloggers  malware 
february 2015 by jm
Digital Rights Ireland announces its first conference!
Digital Rights Europe, Wednesday, April 15th in Dublin. deadly!
digital-rights  ireland  dri  privacy  data-protection  europe  eu 
february 2015 by jm
Can we have medical privacy, cloud computing and genomics all at the same time?
Today sees the publication of a report I [Ross Anderson] helped to write for the Nuffield Bioethics Council on what happens to medical ethics in a world of cloud-based medical records and pervasive genomics.

As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the care.data catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically?

We put forward four principles. First, respect persons; do not treat their confidential data like were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.
ethics  medicine  health  data  care.data  privacy  healthcare  ross-anderson  genomics  data-protection  human-rights 
february 2015 by jm
Excellent example of failed "anonymisation" of a dataset
Fred Logue notes how this failed Mayo TD Michelle Mulherin:
From recent reports it mow appears that the Department of Education is discussing anonymisation of the Primary Online Database with the Data Protection Commissioner. Well someone should ask Mayo TD Michelle Mulherin how anonymisation is working for her.

The Sunday Times reports that Ms Mulherin was the only TD in the Irish parliament on the dates when expensive phone calls were made to a mobile number in Kenya. The details of the calls were released under the Freedom of Information Act in an “anonymised” database. While it must be said the fact that Ms Mulherin was the only TD present on those occasions does not prove she made the calls – the reporting in the press is now raising the possibility that it was her.

From a data protection point of view this is a perfect example of the difficulty with anonymisation. Data protection rules apply to personal data which is defined as data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information. Anonymisation is often cited as a means for processing data outside the scope of data protection law but as Ms Mulherin has discovered individuals can be identified using supposedly anonymised data when analysed in conjunction with other data.

In the case of the mysterious calls to Kenya even though the released information was “anonymised” to protect the privacy of public representatives, the phone log used in combination with the attendance record of public representatives and information on social media was sufficient to identify individuals and at least raise evidence of association between individuals and certain phone calls. While this may be well and good in terms of accounting for abuses of the phone service it also has worrying implications for the ability of public representatives to conduct their business in private.

The bottom line is that anonymisation is very difficult if not impossible as Ms Mulherin has learned to her cost. It certainly is a lot more complex than simply removing names and other identifying features from a single dataset. The more data that there is and the more diverse the sources the greater the risk that individuals can be identified from supposedly anonymised datasets.
data  anonymisation  fred-logue  ireland  michelle-mulherin  tds  kenya  data-protection  privacy 
january 2015 by jm
No POD
This group aims to consolidate opposition, give clear information and support letter writing and information awareness against the Dept. of Education's Primary Online Database.
pod  ireland  privacy  data-protection  children  kids  schools 
january 2015 by jm
« earlier      
per page:    204080120160

related tags

2fa  3g  4chan  8chan  23andme  1990s  a-b-testing  abuse  academia  accountability  accounts  accuracy  aclu  acs-law  activism  activity-trackers  ad-injection  adrian-weckler  ads  adversarial-classification  advertising  afr  aggregation  ai  air-travel  airport  algorithms  amazon  america  amesys  amicus-briefs  analytics  ancestry.com  android  andy-greenberg  anonymisation  anonymity  anonymization  anonymous  anpr  anti-spam  apis  apple  apps  arab-spring  ars-technica  arson  art  ashleymadison  attacks  australia  authentication  authoritarianism  autopilot  awards  aws  babies  backup  backups  bad-ideas  bahrain  banking  bara  base-stations  bbc  behavioral  belgacom  belgium  belle-du-jour  ben-goldacre  bias  big-brother  big-data  bill-davidow  bills  billy-hawkes  bins  biometrics  bitcoin  bittorrent  blackmail  blocking  blocklists  blogging  blogs  bloom-cookies  bloom-filters  borders  brendan-howlin  bridging  browser  browsers  bruce-schneier  brute-force  bugging  bull-sa  business  business-models  ca  cameras  candid-wueest  care.data  cars  cbp  ccpc  cctv  celebrities  cellphones  celtic-tiger  censorship  certificates  certification  cheap  chicago  chicken-wings  chickens  children  china  chris-andrews  cia  civil-liberties  civil-service  cjeu  classification  clearance  cloud  cloud-computing  cloud-services  colin-holder  comments  competition  consent  consumer  content-blocking  control  convictions  cookies  copyfight  copyright  cortana  cory-doctorow  counter-terrorism  courtventures  crackdown  crapware  credit  credit-cards  credit-score  crime  crypto  cs  css  culture  customs  cybercrime  cyberspace  cyberwar  daily-beast  daily-mail  dan-kaminsky  danah-boyd  dara-murphy  daragh-obrien  dark-mail  darknet  data  data-aggregation  data-breaches  data-centers  data-dumps  data-leaks  data-mining  data-privacy  data-protection  data-retention  data-structures  database  databases  datamining  datap  david-cameron  david-simon  dea  debugging  delete  democracy  depression  desfire  dhs  dianne-feinstein  differential-privacy  digital-natives  digital-rights  digital-vault  direct-marketing  directories  diseases  dna  dns  do-not-like  doh  dole  dorian-nakamoto  downloading  doxxing  dpa  dpa-section-4  dpc  dri  drones  dropcam  dublin  dublin-airport  dutch  dystopia  earthquakes  ec  ec2  ecj  ecuador  edri  edward-snowden  eff  egypt  eircode  email  embassies  emotion  encryption  ep  epic  epic-marketplace  equifax  eric-garner  errors  ethan-zuckerberg  ethics  eu  eu-central-1  eu-council  europarl  europe  events  experian  experimentation  experiments  exploits  export  extradition  eyes  face-recognition  facebook  facebook-api  faces  facial-recognition  fail  false-positives  familial-dna  family  farce  farebot  farming  fast-food  fbi  fear  federated-learning  feelings  feminism  fergal-crehan  fianna-fail  filesharing  filtering  find-my-iphone  fines  finfisher  firefox  firewalls  fisa  fisaaa  five-eyes  flash  foi  forbes  forward-secrecy  france  fraud  fred-logue  free-trade  freedom  freedom-of-expression  ftc  fud  funding  funny  future  gadhafi  gamergate  gamma  gamma-international  gardai  gboard  gchq  gcsb  gemalto  genealogy  genentech  genes  genomics  geotargeting  germany  gmail  goodharts-law  google  google-glass  googlewhack  goverment  government  gpg  gps  grep  grim  grim-meathook-future  groklaw  gsm  gsoc  gsocgate  guardian  hacking  hacks  hadopi  hardware  harrassment  haruspex  haystack  heaith  health  healthcare  heart  heathrow  henry-porter  high-court  history  history-stealing  holland  hospitals  hosting  hotmail  hscic  hse  http  https  human-rights  iab  iab-europe  icloud  ico  icrs  id-cards  id-numbers  idaho  identity  identity-theft  illiteracy  images  imsi  imsi-catcher  imsi-catchers  india  insurance  interception  international-law  internet  ios  iot  ip  ip-addresses  ipad  iphone  ireland  irish-times  irish-water  irma  isps  jan-phillip-albrecht  jason-kottke  java  javascript  jawbone  jgc  john-lanchester  john-perry-barlow  jon-callas  joseph-cannataci  journalism  journalists  julian-assange  karlin-lillington  karma-police  kenya  key-management  key-ratcheting  key-rotation  keyloggers  keyservers  kids  kim-dotcom  kolab  komodia  korea  l2tp  laplace  lavabit  law  law-enforcement  leaks  legal  lenovo  liability  libertarianism  liberty  libya  license-fee  life  likes  linkedin  linx  loans  lobbying  lobbyplag  location-tracking  logistep  london  long-reads  loyaltybuild  lucid-intelligence  lyft  mac  mac-address  mac-addresses  machine-learning  maciej  mail  malcolm-hutty  malware  manifestos  mapping  maps  marathon  marketing  marks  mass-surveillance  massive-interception  max-schrems  medical  medical-records  medicine  megaupload  meps  messagelabs  messaging  metadata  metrics  mfa  michael-hayden  michael-mcdowell  micheal-martin  michelle-mulherin  microsoft  mifare  minority-report  miscarriage  misrepresentation  ml  mlat  mlats  mobile  mobile-phones  model-clauses  models  money  mormon  mozilla  mpn  mps  murder  myhealthrecord  nai  nat  nca  needle  neelie-kroes  network-traffic  networking  new-media  new-yorker  new-zealand  newspapers  newsweek  next  nhs  nlp  noise  northern-ireland  notaries  nothing-to-hide  nsa  nsls  nyc  nyms  o2  office-365  offshoring  okcupid  online  open-data  open-source  operability  opinions  opm  opt-in  opt-out  org  ouch  outsourcing  overreach  oz  p2p  pacemakers  palantir  papers  parenthood  parkinsons  parliament  passwords  pathetic  patricia-cronin  pattern-analysis  per-thorsheim  personal-data  personality  personalization  pervasive-computing  pfs  pgp  phil-zimmermann  phishing  phone-records  phones  photography  photos  pics  pii  piracy  pnr  pod  police  police-state  policing  policy  politics  polls  populations  porn  postcodes  ppsn  pr  prefetching  pregnancy  presentations  press-releases  primary-schools  printers  prism  privacy  privacy-international  probable-cause  profiling  protectionism  protest  protests  protocols  psychology  public-data  pups  questions  quic  quotes  randomness  rappor  red-bull  redaction  reform  regin  regions  regulation  renew  revenge  revenge-porn  rfid  rick-falkvinge  right-to-be-forgotten  rights  ripa  root-cas  rootkits  ross-anderson  routers  runa-sandvik  running  russia  s3  safe-harbor  safe-harbour  sampling  sanitisation  satoshi-nakamoto  sca  scams  scanners  scarlet  school  schools  schrems  scope-creep  scroogled  scumbags  sean-kelly  search  searching  secrecy  security  seizures  self-driving  selfies  servers  sex-toys  sf86  si336  silent-circle  silentcircle  silicon-valley  sim-cards  simon-davies  siri  slice-intelligence  slides  smart-tvs  smartcards  smc8014  sms  smtp  snapchat  sniffing  snooping  snowden  social  social-media  social-publishing  society  software  south-africa  south-korea  spam  speech  spies  spinvox  spiral-of-silence  spying  spyware  sql  ssl  ssn  standards  state  state-control  statistics  stingray  stingrays  street-view  stupid  superfish  superget  surveillance  swatting  switzerland  symantec  syria  sysadmins  talks  tao  targeting  tax  taxis  tds  tech  technology  teenagers  teens  telemetry  terms-of-service  terrorism  tesla  testing  text-messaging  the-atlantic  the-journal  the-register  threats  three-strikes  thunderbird  tim-berners-lee  tim-bray  timbl  time-warner  tj-mcintyre  tls  tog  tor  tor-bridges  torrents  tos  totalitarianism  tou  tracking  trade-secrets  training  transcription  transit  transparency  travel  truecrypt  trust  tsa  tunneling  turkey  turkmenistan  tv  tweets  twitpic  twitter  uber  ucas  uganda  ugh  uidh  uk  uk-politics  ukraine  un  universities  unroll.me  urls  us  us-government  us-law  us-politics  usa  user-tracking  users  utopian  vc  vehicles  verizon  via:adamshostack  via:anildash  via:antoin  via:boingboing  via:bruces  via:cjodea  via:dad  via:dobrien  via:eric  via:ethanz  via:hn  via:ioerror  via:irr  via:jordansissel  via:lhl  via:mala  via:mynosql  via:nelson  via:oisin  via:pinboard  via:raycorrigan  via:reddit  via:ronanlyons  via:snowden  via:tbyfield  via:tjmcintyre  via:tupp_ed  via:waxy  vibrators  victoria  video  videos  viviane-reding  vizio  vodafone  voice-recognition  vpn  vtech  war  watchdogs  we-vibe  wearables  web  web-of-trust  web-we-want  welfare  wendy-grossman  wickr  wifi  wikileaks  windows  wired  wireless  wiretapping  wtf  x-ray  xelerance  xkeyscore  xl2tpd  xoogler  yahoo  youth  youtube  zoom-and-enhance 

Copy this bookmark:



description:


tags: