Archive for the ‘privacy’ Category

Privacy Lawsuit Targets Net Giants Over ‘Zombie’ Cookies

A wide swath of the net’s top websites, including MTV, ESPN, MySpace, Hulu, ABC, NBC and Scribd, were sued in federal court Friday on the grounds they violated federal computer intrusion law by secretly using storage in Adobe’s Flash player to re-create cookies deleted by users.

At issue is technology from Quantcast, also targeted in the lawsuit. Quantcast created Flash cookies that track users across the web, and used them to re-create traditional browser cookies that users deleted from their computers. These “zombie” cookies came to light last year, after researchers at UC Berkeley documented deleted browser cookies returning to life. Quantcast quickly fixed the issue, calling it an unintended consequence of trying to measure web traffic accurately.

Flash cookies are used by many of the net’s top websites for a variety of purposes, from setting default volume levels on video players to assigning a unique ID to users that tracks them no matter what browser they use. (Disclosure: The last time we reported on this issue, we found that Wired.com used one to set video preferences.)

The lawsuit (.pdf), filed in U.S. district court in Central California, asks the court to find that the practice violated eavesdropping and hacking laws, and that the practice of secretly tracking users also violated state and federal fair trade laws. The lawsuit alleges a “pattern of covert online surveillance” and seeks status as a class action lawsuit. The lawsuit was filed by Joseph Malley, a privacy activist lawyer who also played key roles in other high profile privacy lawsuits, including a $9.5 million settlement earlier this year from Facebook over its ill-fated Beacon program and a settlement with Netflix after the company gave imperfectly anonymized data to contestants in a movie recommendation contest.

“The objective of this scheme was the online harvesting of consumers’ personal information for Defendants’ use in online marketing activities,” wrote Malley, who called the technique “as simple as it was deceptive and devious.”


DNA Sample from Son Led to Arrest of Accused ‘Grim Sleeper’

Lonnie David Franklin Jr. appears for arraignment on multiple charges as the alleged "Grim Sleeper" killer, in Los Angeles Superior Court Thursday, July 8, 2010. (AP Photo/Al Seib, Pool)

When California authorities arrested Lonnie David Franklin Jr. as the suspected “Grim Sleeper” serial killer last week, they based their case in part on a DNA match of crime scene evidence to a sample from his incarcerated son — a relatively new and controversial technique critics say raises ethical and legal questions that need to be examined by legislators.

Police had forensic evidence from the crime scenes, but no match to suspects in the FBI’s DNA database, which contains samples from people arrested or convicted of a felony crime. Then last year, Franklin’s son Christopher was incarcerated on a felony weapons conviction. When police ran a so-called “familial search” of the database to find a match with the Grim Sleeper’s DNA, they got a match on Christopher.

Franklin Jr. was arrested July 7 on suspicion that he was the “Grim Sleeper” serial killer, allegedly responsible for killing nearly a dozen women in Los Angeles over a period of 25 years. The gruesome name stems from the fact that the killer took a break from murder for a dozen years at one point before resuming his killing spree.

The FBI DNA database, CODIS, contains the genetic fingerprint of millions of people. The database initially contained only DNA profiles of people convicted of violent felonies, but it has recently expanded to include anyone arrested in some states under suspicion of committing a felony.

The database allows police to compare crime-scene DNA samples to the genetic profiles of people who have been previously arrested. But states have begun allowing authorities to conduct “partial” and “familial” searches in the database to expand the scope of the database. A disproportionate number of people with profiles in the database are African American.

Consumer Group Sniffs Congresswoman’s Open Wi-Fi

We’re not sure what’s more humorous: That California Rep. Jane Harman, the ranking member of the House Intelligence Committee, maintains two unencrypted Wi-Fi networks at her residence, or that a consumer group sniffed her unsecured traffic in a bid to convince lawmakers to hold hearings about Google.

A representative for Consumer Watchdog — a group largely funded by legal fees, the Rose Foundation, Streisand Foundation, Tides Foundation and others — parked outside Harman’s and other lawmakers’ Washington-area residences to determine whether they had unsecured Wi-Fi networks that might have been sniffed by Google as part of the internet giant’s Street View and Google Maps program.

The group wants the House Energy and Commerce Committee, of which Harman is also a member, to haul Google executives before it, so they can publicly explain why, for three years, Google was downloading data packets from unencrypted Wi-Fi networks in neighborhoods in dozens of countries. Google has repeatedly said it didn’t realize it was storing snippets of payload data on unsecured Wi-Fi networks, until German privacy authorities began questioning what data Google was collecting.

Consumer Watchdog’s wardriving unintentionally highlights the murky state of wiretapping laws in the United States. According to the text of the federal wiretapping statute, it’s not considered felony wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.”

So even if it had been deliberate, Google’s sniffing would arguably not have been illegal. For its part, Consumer Watchdog says it only grabbed frame data, not content, in order to enumerate the devices on Harman’s network.

“This was a deliberate attempt to focus attention on how Google could well have gathered information on the members of Congress who are members of the very committee who we think should be holding hearings on this,” John Simpson, a consumer advocate for the group, said in a telephone interview.


Group Wants FTC to Probe Data Broker Spokeo

Spokeo, an online data broker, is accused of peddling inaccurate information and violating consumer protection laws in a complaint sent to the Federal Trade Commission on Wednesday.

The Center for Democracy and Technology, which filed the complaint, alleges Spokeo purports to provide information about individuals’ credit ratings and other financial data, but fails to disclose the source of the data or allow consumers an opportunity to dispute and correct false information.

The site also does not let consumers know who has sought access to their information or inform users, such as employers, that federal law requires them to notify a job applicant if they have reached an adverse determination about an applicant based on information they may have obtained from the site.

The CDT notes in its complaint (.pdf) that much of the information provided in Spokeo profiles is inaccurate, a point verified by Threat Level in searches conducted on various individuals in the Spokeo database.

Spokeo President and co-founder Harrison Tang did not respond to a call for comment from Threat Level, but he has admitted in previous media interviews that the information his site provides contains inaccuracies, which he has blamed on errors in original source materials and in the way the algorithm assesses aggregated information.

Under the Fair Credit Reporting Act, entities that broker certain information about consumers, such as credit reporting agencies that provide credit assessments of consumers, must make an effort to provide fair and accurate information and give consumers an opportunity to correct inaccurate information and put limits on who can access their data.

The company does publish a disclaimer on its site that data provided through its service “may not be used as a factor” in establishing a consumer’s eligibility for credit, insurance, or employment and appears to deny that the FCRA applies to it — Spokeo asserts in its terms of use that it is not a consumer reporting agency.

But at the same time the company markets itself to human resource professionals as a service for conducting background checks on job applicants as well as to law enforcement agencies, and does provide “credit estimates” on individuals, as well as information on their income, investments and mortgage.

Consumers must pay a subscription fee to Spokeo to see the credit level the site attributes to them — such as “low” or “high” credit — but are not given information about how Spokeo arrives at its determinations about their credit. There is also no way for someone to restrict access to their profile, though the site says individuals can opt to have their profile removed from the site. Some consumers have complained, however, that the opt out feature does not work sufficiently.

The FCRA defines a “consumer reporting agency” as any entity that regularly engages in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. . . .”

Spokeo offers free and subscription-based searches of detailed profiles on individuals. The profiles can include information on an individual’s religious and political affiliation and ethnic background as well as information about education level, family relationships (such as the names of other adults living in a residence and the number and ages of children living there) and shopping preferences and recreational activities, such as interests in casino gambling and genres of books and music that an individual favors.

The site, which claims to receive millions of hits a day, also provides vague assessments about people, such as whether someone “seeks opportunity,” is “self driven,” “is not interested in politics,” and “cares about healthy living.”

The site claims to get its information from hundreds of online and offline sources, such as phone book databases, social networks, marketing lists, business sites and “other public resources.” In a recent interview with Fox News, Tang said his site grabs photos, videos and blog data from 43 social networks, including Google map images of an individual’s residence. Most of the data is publicly available on the web, though the company doesn’t say what information it possesses may not be publicly available.

Spokeo’s advantage, the site claims, is its algorithms, which aggregate “scattered data into coherent people profiles, giving you the most comprehensive intelligence about anyone you want to find.” But Tang has acknowledged the algorithm’s limitations on providing accurate information.


White Hat Uses Foursquare Privacy Hole to Capture 875K Check-Ins

If you have checked in with Foursquare in San Francisco in the last three weeks, Jesper Andersen probably knows where and when — even if you’ve set your check-ins to be published to friends only.

Andersen, a coder who recently built a service called Avoidr that helps you avoid social network “friends” you don’t really like, figured out that Foursquare had a privacy leak because of how it published user check-ins on web pages for each location.

On pages like the one for San Francisco’s Ferry Building, Foursquare shows a random grid of 50 pictures of users who most-recently checked in at that location — no matter what their privacy settings. When a new check-in occurs, the site includes that person’s photo somewhere in the grid. So Andersen built a custom scraper that loaded the Foursquare web page for each location in San Francisco, looked for the differences and logged the changes.

Even though he was using an old computer running through the slow but anonymous Tor network, Andersen estimates he logged about 70 percent of all check-ins in San Francisco over the last three weeks.

That amounts to 875,000 check-ins.

Foursquare is one of the most popular of a growing number of services that let people quickly report to friends, family or the entire world where they are — and is part of a growing trend of making public more information that used to be private. Foursquare’s popularity is tied to its game-like ecosystem, where users can win “badges” for certain actions or become the “mayor” of locations by checking in there more than any other users.

Andersen reported the privacy breach to Foursquare two Sundays ago — and the company admitted the bug existed. They asked for a week or so to fix the bug, and now, according to an e-mail sent to Alexander, the company is modifying its privacy settings to let users opt out of being listed on a location’s web pages. The site previously allowed users to opt out of being listed in the “Who’s here now” function, but until Tuesday that button didn’t apply to listing “Who’s checked in there.”

“I’m trying to be white-hat,” Andersen said. “It definitely felt icky at times.”

Andersen confirmed the validity of his script’s findings by checking the results with people he knew. And even though his groups of friends “live in a data mining culture,” the findings didn’t sit well with all of them.

“Some were grossed out by it, and a couple of people stopped using Foursquare,” Andersen said. “One had a stalker and got creeped out by it.”

Foursquare declined to respond to two e-mail requests for comment, but in an e-mail to Andersen, Foursquare programmer Jon Hoffman thanked Alexander for bringing the issue to the company’s attention.

“The privacy leak on the venue page was something that was overlooked when we added privacy-protection features to the ‘who’s here now’ section of the venue page on the mobile clients (the data that’s exposed via the API),” Hoffman wrote Tuesday morning. “There already is a privacy toggle on the /settings page to control privacy for that feature, but it did not extend to the ‘who’s been here’ section of the venue page on the website. We’ve recently locked down the ‘who’s been here’ section so that it respects the ‘Who’s here’ privacy toggle.”

While Jesper praised the company for its speed in handling the privacy leak report, he’s less enthusiastic about the solution.

“It’s not clear that users will really understand that,” Jesper said, referring to the new check box. “I certainly haven’t seen a drop-off in check-in collections.”

By default, Foursquare users are included in both the lists of who is currently at a location and who has visited it, and the company did not tell its users Tuesday of the privacy leak or the changes.


ACLU Study Highlights U.S. Surveillance Society

Welcome to the surveillance society.

That’s what the American Civil Liberties Union concluded Tuesday with a report chronicling government spying and the detention of groups and individuals “for doing little more than peacefully exercising their First Amendment rights.”

The report, Policing Free Speech: Police Surveillance and Obstruction of First Amendment-Protected Activity (.pdf), surveys news accounts and studies of questionable snooping and arrests in 33 states and the District of Columbia over the past decade.

The survey provides an outline of, and links to, dozens of examples of Cold War-era snooping in the modern age.

“Our review of these practices has found that Americans have been put under surveillance or harassed by the police just for deciding to organize, march, protest, espouse unusual viewpoints and engage in normal, innocuous behaviors such as writing notes or taking photographs in public,” Michael German, an ACLU attorney and former Federal Bureau of Investigation agent, said in a statement.


Packet-Sniffing Laws Murky as Open Wi-Fi Proliferates

Starbucks is rolling out free, unsecured Wi-Fi access at about 7,000 coffee shops across the United States beginning July 1. But will there be packet-sniffing with your latte?

The Seattle-based coffee concern’s move to lure customers with free internet comes amid a growing legal uncertainty about privacy on open Wi-Fi networks, kicked off by Google’s admission its Street View cars intercepted data on unsecured Wi-Fi networks in neighborhoods across the globe.

Google, in response to government inquiries and lawsuits, claims it is lawful to use packet-sniffing tools readily available on the internet to spy on and download payload data from others using the same open Wi-Fi access point.

“We believe it does not violate U.S. law to collect payload data from networks that are configured to be openly accessible (.pdf) (i.e., not secured by encryption and thus accessible by any user’s device). We emphasize that being lawful and being the right thing to do are two different things, and that collecting payload data was a mistake for which we are profoundly sorry,” Google wrote Congress.

It’s not considered felony wiretapping “to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public,” according to the text of the federal wiretapping statute. Password protected — encrypted Wi-Fi networks — are not considered “readily accessible,” Google maintains.


Feds Say Man E-mailed Biden ‘I’m Going to Kill You!’

With neighbors like this, who needs enemies?

A Minnesota man accused of hacking into his neighbor’s computer and sending a threatening e-mail to Vice President Joe Biden has turned down a two-year plea deal and is negotiating for less, the defendant’s attorney said Monday.

Barry Ardolf, a Minnesota computer technician, is accused of unlawfully accessing his neighbor’s computer last year and sending an e-mail under the neighbor’s identity to the vice president, saying “I swear to God I’m going to kill you!”

The 45-year-old of Blaine, Minnesota, among other things also wrote in the e-mail: “This is a terrorist threat! Take this seriously,” (.pdf) according to the June 7 federal charges.

This is a terrorist threat! Take this seriously. I hate the way you people are spending money you don’t have. …I’m assigning myself to be judge jury and executioner. Since you folks have spent what you don’t have it’s time to pay the ultimate price. Time for new officials after you all are put to death by us. … Fuck you all for spending money you don’t have. I’ll kill you all one at a time. I’ll take any opportunity I can get so better have eyes on the back of your heads. You guys better start watching your back. I’m coming for you all. I swear to God I’m going to kill you!

Ardolf rejected a two-year plea deal last week, a decision his attorney said Monday “was a difficult one.”


Supreme Court: Officer’s Texting Not Private

The Supreme Court said Thursday a California police officer’s privacy was not breached when his superiors read transcripts of hundreds of his text messages. The Ontario Police Department was looking at the transcripts as part of an effort to determine whether it was providing an adequate quota of monthly pager texts to its officers.

The SWAT officer, Jeff Quon, was exceeding the limit for months, and his superiors wanted to know why. Quon was originally paying the extra fees out of his own pocket. He sued after the inquiry, alleging his privacy was violated. Many of the text messages were sexually explicit.

“The city and OPD had a legitimate interest in ensuring that employees were not being forced to pay out of their own pockets for work-related expenses, or on the other hand that the city was not paying for extensive personal communications,” Justice Anthony Kennedy wrote for the 9-0 court, its first ruling directly addressing text-message privacy (.pdf) in the work context.

Silicon Valley privacy attorney Christine Lyon said the high court’s analysis was not founded on the police department’s policy that text messages were the department’s property. Lyon, who was not involved in the case, said even if the department did not have such a privacy policy, the outcome likely would have been the same.

“What they’re saying, even if the employee had an expectation of privacy, it can be effectively trumped,” Lyon said in a telephone interview.


Privacy in Peril: Lawyers, Nations Clamor for Google Wi-Fi Data

A hard drive with perhaps several hundred gigabytes of internet surfers’ private data resides under lock and key in a Portland, Oregon, federal courthouse.

Regulators and private lawyers across Europe and the United States are demanding, and in some cases obtaining, access to data that Google sniffed for the past three years from unsecured Wi-Fi hot spots across the globe.

The requests are coming in some of the eight proposed class actions targeting Google that have cropped up across the United States, as well as from various governments investigating whether Google violated their laws.

The demands for data raise a paradox of sorts: How many eyeballs, in the name of privacy, will eventually see the data that likely includes snippets of e-mail, web surfing, documents and other private data?

“It will be relevant evidence in our lawsuit. We will ask for production of that data. Lawyers representing plaintiffs in the case will review the data,” said Patrick Keyes, a top lawyer in one of the proposed class actions lodged in the District of Columbia. “This would be in the context of presenting the legal interests of those who have had their data intercepted, and would typically be produced under a protective order.”

Google has already said it would forward to German, French and Spanish authorities the portion of the data intercepted in those countries.

No government agency in the United States has yet demanded a copy of the intercepted data, but several are investigating Google.

Missouri Attorney General Chris Koster said he wanted to “scrutinize this situation” while Connecticut Attorney General Richard Blumenthal has demanded “detailed records on any information taken from networks” from his state.

Federal Trade Commission Chairman Jon Leibowitz told Congress, “We’re going to take a very, very close look at this.”

Rep. Joe Barton (R-Texas) said Friday that Google’s actions “warrants a hearing, at minimum.”

Ironically, it appears that protecting privacy and administering justice might just involve violating privacy.

“That’s true. All of this raises a lot of First Amendment questions,” said Jeffrey Chester, director of the Center for Digital Democracy. “It is problematic. Some of these lawyers see a quick buck without thinking of the consequences.”

U.S. District Judge Michael Mosman in Oregon has locked away the data (.pdf) as that class action proceeds. ISec Partners, a San Francisco security consulting firm, has made encrypted copies of the drives at Google’s request and destroyed the originals.
