NSA secretly buying Americans’ data without a warrant

The National Security Agency has secretly been buying Americans’ internet records and using them for spying purposes without obtaining a warrant, a senior senator revealed Thursday.

Sen. Ron Wyden, Oregon Democrat, said the practice had been a “legal gray area,” with data brokers quietly obtaining and reselling the internet “metadata” without the users’ consent. He said the NSA has been trying to keep the whole thing under wraps.

In a letter to Director of National Intelligence Avril Haines, the senator said the government needs a “wake-up call,” and he called for new rules limiting purchases only to data that Americans have consented to be sold.

He also asked for Ms. Haines to take an inventory of what the government already has and toss out any information that doesn’t meet the standard of consent.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” he said.

He released a letter from Army General Paul M. Nakasone, director of the NSA, detailing and justifying the agency’s actions.

Gen. Nakasone said it acquires what it calls “commercially available information” but said the acquisitions are limited. They don’t include location data from phones “known to be used in the United States,” and they don’t buy or use location data from automobiles in the U.S.

They do buy “non-content” data “where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.”

The general said that information was critical for “the U.S. Defense Industrial Base.”

“NSA understands and greatly values the congressional and public trust it has been granted to carry out its critical foreign intelligence and cybersecurity missions on behalf of the American people,” Gen. Nakasone wrote.

In a separate letter, Under Secretary of Defense Ronald S. Moultrie defended the legality.

“I am not aware of any requirement in U.S. law or judicial opinion … that DoD obtain a court order in order to acquire, access or use information, such as CAI, that is equally available for purchase to foreign adversaries, U.S. companies and private persons as it is to the U.S. government,” he wrote.

Mr. Wyden, though, says the legal landscape may have just changed.


Reddit must share IP addresses of piracy-discussing users, film studios say

For the third time in less than a year, film studios with copyright infringement complaints against a cable Internet provider are trying to force Reddit to share information about users who have discussed piracy on the site.

In 2023, film companies lost two attempts to have Reddit unmask its users. In the first instance, US Magistrate Judge Laurel Beeler ruled in the US District Court for the Northern District of California that the First Amendment right to anonymous speech meant Reddit didn’t have to disclose the names, email addresses, and other account registration information for nine Reddit users. Film companies, including Bodyguard Productions and Millennium Media, had subpoenaed Reddit in relation to a copyright infringement lawsuit against Astound Broadband-owned RCN about subscribers allegedly pirating 34 movie titles, including Hellboy (2019), Rambo V: Last Blood, and Tesla.

In the second instance, the same companies sued Astound Broadband-owned ISP Grande, again for alleged copyright infringement occurring over the ISP’s network. The studios subpoenaed Reddit for user account information, including “IP address registration and logs from 1/1/2016 to present, name, email address, and other account registration information” for six Reddit users, per a July 2023 court filing.

In August, a federal court again quashed that subpoena, citing First Amendment rights. In her ruling, Beeler noted that while the First Amendment right to anonymous speech is not absolute, the film producers had already received the names of 118 Grande subscribers. She also said the film producers had failed to prove that “the identifying information is directly or materially relevant or unavailable from another source.”


CBDCs are steeped in human rights abuses and are a new way to track citizens

Many people regularly use multiple forms of digital money. We make digital payments using credit, debit, and prepaid cards, as well as mobile payment apps like PayPal.

It’s not just payments that have gone digital. Nearly every financial institution offers services – from savings accounts to mortgages – via mobile applications.

So, money is already widely available in digital form. The current system works so well that few people ever take the time to worry about whether the digital money they are using is a liability of, for example, Visa or a liability of their bank.

So why are governments considering implementing CBDCs?

Unlike the current system of digital money, with CBDCs, digital money would be a liability of the central bank. In other words, governments have the direct responsibility to hold, transfer or otherwise remit those funds to the ostensible owner. This feature creates a direct link between citizens and the central bank. And it is this feature that opens the door to so many human rights concerns when it comes to the adoption of CBDCs.

These concerns cover issues of financial privacy, freedom, stability and cybersecurity. The Human Rights Foundation’s (“HRF’s”) CBDC Tracker website notes the following as the concerns regarding CBDCs:

  • Sweeping financial surveillance. Around the world, governments routinely pressure banks and other financial institutions to supply customer information. From Canada to Russia, this practice has become all too common. The difference between what is experienced today and what would be experienced with a CBDC, however, is that the financial records would be on government databases by default. In other words, a CBDC could spell doom for what little protection remains because it would give governments complete visibility into every financial transaction.
  • Restricting financial activity.
  • Freezing funds.
  • Seizing funds.
  • Imposing negative interest rates. Proposals for CBDCs often tout negative interest rates as a benefit because it would offer policymakers “greater control” over the economy. For citizens, however, a negative interest rate amounts to a fine or tax for saving money.
  • Disrupting financial stability.
  • Disrupting cryptocurrency. Globally, governments have demonstrated that they want a CBDC specifically to hold on to their monopoly over national currencies. For instance, China banned cryptocurrencies just as its CBDC was launched; India announced its plans for a CBDC while simultaneously calling for a ban on cryptocurrency; and Nigeria prohibited banks from cryptocurrency transactions just as it launched its CBDC.
  • Putting the economy at risk of cyberattacks.
  • Creating a new tool for corruption.

For additional information on concerns regarding the risks of CBDCs, HRF recommends the Cato Institute’s webpage titled ‘The Risks of CBDCs: Why Central Bank Digital Currencies Shouldn’t Be Adopted’ and report titled ‘Central Bank Digital Currency: Assessing the Risks and Dispelling the Myths’.


LAPD Plans To Include Private Cameras In 10K-Strong Surveillance Network

The Los Angeles Police Department (LAPD) intends to develop a new surveillance center that will give police centralized access to live security feeds from cameras in public and private spaces, pending budget approval from Mayor Karen Bass. The department hopes to be able to access 10,000 cameras throughout the city through the program, which has been dubbed LAPD Live.

Real-time surveillance center to utilize live feeds from home security cameras

The real-time crime command center would give police access to security cameras in and on city buildings, stores, police body cams and the department’s helicopters. It would integrate other software such as the Compstat intelligence tool onto one single screen. Homeowners could also register their own security cameras with the department to share footage from their property and be notified if a crime is committed nearby.

LAPD argues the program will reduce time and money spent on investigating crimes, gathering evidence, and talking to witnesses while “eliminat[ing] the need for officer visits to private residents” which in turn “preserves individual privacy.” It would also help mitigate the effect of a recent decline in sworn officers.

The LAPD previously tried to do something similar with Neighbors, an app that shares Ring camera footage and alerts with public safety officials. Those who agreed to Neighbors’ terms of service shared their information with police that would normally require a warrant, even when a crime hasn’t occurred. Some may have unknowingly shared their data with police.

Ring also made the LAPD a brand ambassador through a program, giving out free cameras in exchange for sign-ups. The program ended in 2019, and shortly after the Electronic Frontier Foundation reported that the LAPD had sent requests to Ring users to obtain footage of Black Lives Matter protests.

Around the same time frame, at least 50 other local police throughout the U.S. also partnered with Ring, subsidizing doorbell purchases that would in turn expand surveillance capabilities for police while allowing them to circumvent traditional approval processes. Ring also filed a patent to add facial recognition to the devices but never announced plans to add the feature after public criticism.


Hackers Exploit Third-Party Cookies to Access Google Accounts Without Passwords

Security experts at CloudSEK have reportedly identified a new form of malware that exploits third-party cookies, allowing unauthorized access to Google accounts without the need for passwords.

The Independent reports that the alarming security breach, first announced on a Telegram channel by a hacker in October 2023, exploits vulnerabilities in third-party cookies. Specifically, it targets Google authentication cookies, which are normally used to streamline user access without repeated logins.

Hackers have devised a method to extract these cookies, allowing them to bypass password-based security and even two-factor authentication mechanisms to access user accounts.

This exploit is a major risk for all Google accounts as it allows for ongoing access to Google services, even after a user’s password has been changed. An analysis by the cybersecurity firm CloudSEK indicates that several hacking groups are actively experimenting with this technique.


The Digital ID Rollout Is Becoming a Hacker’s Dream

Governments and corporations around the world are showing great enthusiasm in either already implementing, or planning to implement some form of digital IDs.

Ironically, as it turns out, these efforts are presented to citizens as not only making their lives easier through convenience, but also making sure the personal data contained within these digital IDs is safer in a world teeming with malicious actors.

Opponents have been warning about serious privacy implications, but also argue against the claim that data security actually gets improved.

It would appear they are right – at least according to a report by a cybersecurity firm issued after the hacker attacks happening around the Christmas holiday, something that’s now been dubbed “Leaksmas.”

Not only governments, but hackers as well love digital IDs and huge amounts of personal information all neatly gathered in one place, and, judging by what’s been happening recently, in many instances, sitting there pretty much easily available to them.

And hackers have expressed this love by making digital ID data their primary focus, the firm, Resecurity, said in its report. Resecurity claims that this is a clear fact, and that it was able to discern it by analyzing data dumps once they started appearing on the dark web after the Christmas-time “digital smash-and-grabs.”

In numbers, a staggering 50 million records containing personally identifiable information have surfaced on the dark web. The reason so many stolen datasets have made it to the black digital market all at once appears to be “technicalities” related to the time window during which most of it will be “sellable”.


PRISONS ACROSS THE U.S. ARE QUIETLY BUILDING DATABASES OF INCARCERATED PEOPLE’S VOICE PRINTS

Roughly six months ago at New York’s Sing Sing prison, John Dukes says he was brought out with cellmates to meet a corrections counselor. He recalls her giving him a paper with some phrases, and offering him a strange choice: He could go up to the phone and utter the phrases that an automated voice would ask him to read, or he could choose not to and lose his phone access altogether.

Dukes did not know why he was being asked to make this decision, but he felt troubled as he heard other men ahead of him speaking into the phone and repeating certain phrases from the sheets the counselors had given them.

“I was contemplating, ‘Should I do it? I don’t want my voice to be on this machine,’” he recalls. “But I still had to contact my family, even though I only had a few months left.”

So, when it was his turn, he walked up to the phone, picked up the receiver, and followed a series of automated instructions. “It said, ‘Say this phrase, blah, blah, blah,’ and if you didn’t say it clearly, they would say, ‘Say this phrase again,’ like ‘Cat’ or ‘I’m a citizen of the United States of America.’” Dukes said he repeated such phrases for a minute or two. The voice then told him the process was complete.

“Here’s another part of myself that I had to give away again in this prison system,” he remembers thinking as he walked back to the cell.

Dukes, who was released in October, says he was never told about what that procedure was meant to do. But contracting documents for New York’s new prison phone system, obtained by The Appeal in partnership with The Intercept, and follow-up interviews with prison authorities, indicate that Dukes was right to be suspicious: His audio sample was being “enrolled” into a new voice surveillance system.

In New York and other states across the country, authorities are acquiring technology to extract and digitize the voices of incarcerated people into unique biometric signatures, known as voice prints. Prison authorities have quietly enrolled hundreds of thousands of incarcerated people’s voice prints into large-scale biometric databases. Computer algorithms then draw on these databases to identify the voices taking part in a call, and to search for other calls where the voices of interest are detected. Some programs, like New York’s, even analyze the voices of call recipients outside prisons to track which outsiders speak to multiple prisoners regularly.


Judge Rules Assange Visitors May Sue CIA For Allegedly Violating Privacy

A federal judge ruled that four American attorneys and journalists, who visited WikiLeaks founder Julian Assange while he was in the Ecuador embassy in London, may sue the Central Intelligence Agency (CIA) for their role in the alleged copying of the contents of their electronic devices.

The Americans sufficiently alleged that the CIA and CIA Director Mike Pompeo—through the Spanish security company UC Global and its director David Morales—“violated their reasonable expectation of privacy” under the Fourth Amendment of the United States Constitution.

Richard Roth, attorney for the four Americans, reacted, “We are thrilled that the court rejected the CIA’s efforts to silence the plaintiffs, who merely seek to expose the CIA’s attempt to carry out Pompeo’s vendetta against WikiLeaks.”


America’s largest pharmacies are handing over medical records to police WITHOUT a warrant, congressional probe finds – amid fears women could be hunted down for taking abortion drugs

America’s biggest pharmacies have been quietly sharing Americans’ private medical records with police without their knowledge.

In what is being described as a ‘staggering’ breach of privacy, a congressional probe found the seven largest chains released people’s sensitive information to law enforcement or federal investigators without a warrant. 

While some of the pharmacy chains required their lawyers to review law enforcement requests, three of them — CVS, Kroger and Rite Aid which have 60,000 stores nationwide — said they allowed staff to hand over the records in their stores.

Senator Ron Wyden, who led the investigation, said it raised grave concerns because medical records were among the ‘most personal’ information for patients — revealing long-term conditions, sexual behavior and birth control.

There are now concerns that women could be hunted down by officials in states where abortions are illegal for taking abortion drugs.

Sen Wyden warned the current rules allowed for a ‘full blown witch hunt’ by Republican states against women.

This week mother-of-two Kate Cox was forced to travel out of Texas after a court denied her an abortion for her fetus which has a fatal genetic complication.

Current rules allow law enforcement to request medical records using a subpoena.

These can be issued by court clerks or government agencies but, unlike a warrant, do not require the approval of a judge.

And unlike subpoenas, warrants require law enforcement to establish a probable cause to believe a crime has been committed before making the request.


The UN Is Threatening Privacy Under Pretense of New Cybercrime Treaty

The US digital rights group EFF is describing the latest UN Cybercrime Treaty draft as “a significant step backward” and a case of “perilously broadening its scope beyond the cybercrimes specifically defined in the convention, encompassing a long list of non-cybercrimes.”

This “dance” – with some reported progress, for things to then again get worse – is not exactly new in the now lengthy process of negotiating the document, amid criticism not only from observers among the involved rights non-profits, but also UN member-countries.

EFF is also convinced that these latest developments are not accidental, i.e., a case of oversight, but rather an essentially purposeful wrong step that diminishes the chances of the treaty, if and when it is adopted, being the result of proper consensus.

When it all started, the Treaty was presented as a “standardized” manner for the world to combat cybercrime.

What has been happening in the meanwhile, though, is a seemingly never-ending stream of additions and expansions of the document’s original powers, to the point where it has now, in the words of EFF, “morphed into an expansive surveillance treaty.”

A major concern is what EFF calls possible overreach as national and international investigations are carried out. And instead of improving on these concerns, the new draft is said to have held on to past controversial rules, only to add even more.

This time, it’s in the form of “allowing states to compel engineers or employees to undermine security measures, posing a threat to encryption.”
