For the first time, a federal judge has thrown out evidence obtained by police without a warrant using the controversial “Stingray” device that mimics cell phone towers to trick nearby devices into connecting with them, revealing private information. U.S. District Judge William Pauley said the defendant’s rights were violated when the U.S. Drug Enforcement Administration (DEA) used a Stingray to figure out his home address during a drug investigation. Pauley rejected the evidence, writing, “The use of a cell-site simulator constitutes a Fourth Amendment search…. Absent a search warrant, the government may not turn a citizen’s cell phone into a tracking device.” The ACLU said it was the first time such a ruling has been issued and was a significant victory for privacy rights.
The Human Rights Council in Geneva passed a unanimous resolution on March 26, 2015, to appoint a new independent expert, or Special Rapporteur, with the mandate of promoting and protecting the right to privacy worldwide. Responding to calls from civil society, and the leadership of Brazil and Germany, the UN Human Rights Council made a decisive step toward long-term protection of the right to privacy, online and offline. “Nearly two years after revelations of mass surveillance online, world leaders have recognized the need for a long-lasting, singular authority to guide governments and companies on how to protect and respect our privacy rights,” said Peter Micek, Senior Policy Counsel at Access. “We champion this move, and pledge to join with all stakeholders to ensure this new office exercises its fullest potential in the name of users at risk around the world.” The vote follows extensive work on privacy in the digital age at the UN.
BY DAVID INGRAM REUTERS
The U.S. National Security Agency was sued on Tuesday by Wikimedia and other groups challenging one of its mass surveillance programs that they said violates Americans’ privacy and makes individuals worldwide less likely to share sensitive information. The lawsuit filed in federal court in Maryland, where the spy agency is based, said the NSA is violating U.S. constitutional protections and the law by tapping into high-capacity cables, switches and routers that move Internet traffic through the United States. The case is a new potential legal front for privacy advocates who have challenged U.S. spying programs several times since 2013, when documents leaked by former NSA contractor Edward Snowden revealed the long reach of government surveillance. Other lawsuits have challenged the bulk collection of telephone metadata and are pending in U.S. appeals courts. The litigation announced on Tuesday takes on what is often called “upstream” collection because it happens along the so-called backbone of the Internet and away from individual users.
BY GLYN MOODY COMPUTERWORLD – UK
Things have gone rather quiet on the Snowden leaks front recently, prompting some to wonder whether we have now heard all the really shocking stories. That’s been denied a few times by people in the know, who suggested that there was, indeed, more big stuff to come. And some of it turned up yesterday:
American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. It’s one of the longest, most-detailed stories that The Intercept has published so far, and is well worth reading in its entirety. What it shows is that GCHQ and the NSA really do want access to everything, and that they are prepared to do more or less anything to get that.
Jeb Bush, a rumored 2016 Republican presidential candidate, just decided to publish hundreds of thousands of emails sent to him during his time as governor of Florida. On its face it seems like a great idea in the name of transparency, but there’s one huge problem: neither Bush nor those who facilitated the publication of the records, including the state government, decided to redact potentially sensitive personal information from them. “In the spirit of transparency, I am posting the emails of my governorship here,” a note on Bush’s website says. “Some are funny; some are serious; some I wrote in frustration.” Some also contain the email addresses, home addresses, phone numbers, and social security numbers of Florida residents.
A landmark resolution demanding privacy protection in the digital age and urging governments to offer redress to citizens targeted by mass surveillance has been approved by the UN general assembly’s human rights committee. The resolution, which was adopted in the face of attempts by the US and others to water it down and which comes at a time when the UK government is calling for increased surveillance powers, had been put forward by Brazil and Germany in the wake of revelations by US intelligence whistleblower Edward Snowden about large-scale US surveillance. However, diplomats reported that a reference to surveillance using metadata – information generated through the use of technology – as an intrusive act was removed in order to appease the US and its British, Canadian, Australian and New Zealand allies in the so-called “Five Eyes” surveillance alliance. Nevertheless, the text does still contain a precedent-setting mention of metadata, warning that “certain types of metadata, when aggregated, can reveal personal information and give an insight into an individual’s behaviour, social relationships, private preferences and identity.”
It also emphasises the role of the private sector in digital surveillance, saying, “business enterprises have a responsibility to respect human rights.”
While not naming any in particular, it calls on states to review their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, with a view to upholding the right to privacy under international human rights law. Although non-binding, such resolutions carry significant moral and political weight if they are supported by enough states.
The Privacy Commissioner of Canada has made it clear that, while privacy is not a barrier to businesses using cloud computing, it must be taken into consideration. Related guidance has been issued in which businesses are reminded that the Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules “with respect to obtaining consent for the collection, use and disclosure of personal information, securing the data, and ensuring accountability for the information and transparency in terms of practices.”
Organizations are expected to assess the benefits, risks, and implications for privacy when considering a cloud computing service. What this means in practice, however, often creates operational challenges – particularly for those businesses who do not have the internal expertise or resources to undertake this analysis. For context, guidance for small and medium-sized enterprises prepared jointly by the federal Commissioner and the information and privacy commissioners in Alberta and British Columbia includes a “non-exhaustive” list of more than forty questions that need to be considered. To facilitate contracting for cloud services, the International Standards Organization (ISO) has issued a code of practice for protection of personally identifiable information in public clouds (ISO/IEC 27018).
Techdirt has been reporting on the disturbing rise in the use of malware by governments around the world to spy on citizens. One name that keeps cropping up in this context is the FinFisher suite of spyware products from the British company Gamma. Its code was discovered masquerading as a Malay-language version of Mozilla Firefox, and is now at the center of a complaint filed in the UK:
Privacy International today has made a criminal complaint to the National Cyber Crime Unit of the National Crime Agency, urging the immediate investigation of the unlawful surveillance of three Bahraini activists living in the UK by Bahraini authorities using the intrusive malware FinFisher supplied by British company Gamma. Here’s why Privacy International is acting now:
While it’s long been known that Gamma has provided surveillance capabilities to Bahrain, amongst other countries, the extent of Gamma’s complicity in Bahrain’s unlawful surveillance of individuals located abroad has only recently been confirmed. Two months ago, a number of internal Gamma documents were published revealing that Gamma is both aware of, and actively facilitating, the Bahraini regime’s surveillance of targets located outside Bahrain through the provision of intrusion technology called FinFisher to the Bahraini authorities.
By Kathleen Hall
Law Society Gazette – UK
Lawyers are being urged to encrypt their data following revelations by whistleblower Edward Snowden that the sector is among those at high risk of surveillance threats. ‘What last year’s revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default,’ he told the Guardian. Responding to the interview, Law Society president Andrew Caplen said a review of the ramifications of surveillance for lawyers is currently underway. ‘I will be writing to other professional bodies to discuss the impact spying is having on members’ confidential communication with clients or patients,’ he said.
By Michael Geist
Canadian Internet and telecom providers have, for many years, disclosed basic subscriber information, including identifiers such as name, address, and IP address, to law enforcement without a warrant. Last month, the Supreme Court of Canada struck a blow against warrantless disclosure of subscriber information, ruling that there is a reasonable expectation of privacy in that information and that voluntary disclosures therefore amount to illegal searches. My weekly technology law column (Toronto Star version, homepage version) notes the decision left little doubt that Internet and telecom providers would need to change their disclosure policies. Last week, Rogers, the country’s largest cable provider, publicly altered its procedures for responding to law enforcement requests by announcing that it will now require a court order or warrant for the disclosure of basic subscriber information to law enforcement in all instances except for life-threatening emergencies (warrantless disclosures may still occur where legislation provides the lawful authority to do so). Telus advised that it has adopted a similar approach.
The Fourth Amendment protects our “persons, houses, papers, and effects, against unreasonable searches and seizures.” Today, in the case of Riley v. California, the U.S. Supreme Court ruled unanimously that this constitutional protection extends to the cellphones we carry around with us, even when the police have placed us under arrest and would like to search those cellphones without a warrant in the hopes of finding some incriminating evidence. “Our answer to the question of what police must do before searching a cell phone seized incident to an arrest is accordingly simple,” declared Chief Justice John Roberts, “get a warrant.” It’s a welcome decision and a well-deserved victory for digital privacy. It’s also a stinging benchslap for the Obama administration and the other parties who lined up in favor of aggressive law enforcement tactics in this case.