Privacy Potpourri: Homeland Security inserts itself into local sex trade, and more

Privacy headlines popped in January like champagne corks on New Year’s Eve. Here are a few highlights, starting in Reno, where nine hapless SOBs were snagged by a law enforcement team including agents of the U.S. Department of Homeland Security, for attempting to purchase unspecified sexual services on the street.

Recall that the mission of Homeland Security was supposed to be preventing actual breaches of homeland security. The DHS website gives only the barest hint of the mission creep that has it preventing transactional sex between Reno street hookers and their prospective customers.

Here’s the department’s “vital mission.”

“…to secure the nation from the many threats we face. This requires the dedication of more than 240,000 employees in jobs that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. Our duties are wide-ranging, but our goal is clear – keeping America safe.”

The Sparks Crime Suppression Team, apparently finding no crime to suppress in its own city, was on hand to help Reno PD and the feds with the six-hour sting, as were workers from the Washoe County Health Department, who performed mandatory HIV tests. Florence Nightingale must be smiling in heaven.

The first weeks of 2015 also revealed that at least 50 American law enforcement agencies have been secretly using a hand-held radar device to perform surveillance of human activity inside of homes, despite a U.S. Supreme Court ruling requiring a warrant for similar searches that rely on thermal readers to detect heat behind the walls of buildings.

The radar devices were designed for military use, to spot human presence inside buildings by detecting movements as subtle as breathing, reports USA Today.

The 10th Circuit Court of Appeals upheld a search by U.S. Marshals using the device, but noted that it raises “many questions.”

Speaking of invasive technology with ostensibly benign intentions, the National Science Foundation is paying a professor $50,000 to develop a facial recognition app that monitors student attendance at college lectures. The developer teaches at Missouri University of Science and Technology. He uses his smart phone to take a video of students in the lecture hall. His finished product will automatically take attendance by applying a facial recognition algorithm to the video.

The rationale for this NSF investment is that attendance is the best predictor of graduation rates, and that students who don’t graduate are less able to pay off their student loan debt. No word on the controlling classroom policy when an adult student declines to have his image captured on his prof’s phone.

The private sector has a solution, too. The Class120 app costs $199. Installed on the student’s own smartphone, it overlays geolocation data with campus maps, notifying parents if the phone is not in the right classroom at the right time of day. Nothing wrong with that, if the parents and the students agree on it. But here’s the kicker from the Wall Street Journal:

“As online interactions have grown, schools have realized they have a trove of new data to look at, such as how much a student is accessing the syllabus, taking part in online discussions with classmates and reading assigned material. Such technology “shows faculty exactly where students are interacting outside as well inside the classroom…”

Then there’s the insurance company that promised a discount to drivers who allow it to digitally monitor driving habits. Progressive Insurance has distributed two million dongles that port into the OBD (on-board diagnostics) console, which is the electronic communication center for the moving components of the car. The dongle monitors brakes, acceleration and other readings, including mileage and time of day, creating a record of the driver’s vehicle usage.

Seems that a skilled hacker can use the dongle to get into the vehicle’s core systems, according to a Forbes interview with security researcher Corey Thuen, who discovered that he could unlock doors and gather information about his truck’s engine by hooking up his laptop to the dongle. Says Thuen:

“It (the dongle) has no secure boot mechanism, no cellular communications authentication, and uses no secure communications protocols, possibly putting the lives of people inside the vehicle in danger.”

Safety implications aside, the driver information itself is vulnerable. It would be a piece of cake to intercept the dongle’s transmissions to Progressive, and to steal, erase, or alter the data, with potentially serious and possibly irrevocable consequences for the driver. Happy New Year!


Feinstein versus the CIA: Incident reveals hypocrisy and incompetence

What do you call it when someone rifles through your computer files without your knowledge? Employers call it monitoring, and civil libertarians call it surveillance. U.S. Senator Dianne Feinstein calls it a “separation of powers” issue.

So Feinstein described her headline-grabbing dustup last year with the Central Intelligence Agency, in which the agency spied on staffers of the Senate Intelligence Committee while the committee was investigating certain interrogations by the CIA.

The squabble started after the CIA set up a dark network in an out-of-the-way location for Senate investigators to view specified CIA documents. When the agency realized it had not sufficiently blocked access to other files that should have remained hidden, five CIA staffers tried to assess the damage by snooping through Intelligence Committee computer files, and even reading email messages. Feinstein went public when she found out, blasting the agency for “violating separation of powers.”

While the senator rooted her fury in the CIA’s apparent intention to undermine her investigation, she discussed the incident in the language of inter-branch conflict, rather than call it what it was — spying by a spy agency. This suggests she stands by her vilification of Edward Snowden and her defense of the programs he leaked, while claiming that her own digital affairs should be off-limits to the prying eyes of alphabet soup agencies. In other words, Constitutional principles apply differently to powerful elected officials than to regular citizens.

Feinstein repeated the separation-of-powers charge when the story resurfaced this week, after a CIA investigative panel cleared the agency’s five snoops of wrongdoing. The agency’s internal report found its employees’ hacking activities had been “clearly inappropriate,” but were not cause for discipline.

But the report revealed something else: There were very basic failures of information governance that enabled the senate committee to grab documents it shouldn’t have, and that subsequently justified clearing the CIA of bad faith or malfeasance.

The Washington Post reports: “… the accountability review board concluded that the CIA-Senate arrangement was so convoluted that the panel could find no clear rules on how the shared computer system was to be run, let alone whether any rules had been violated.”

Notwithstanding the novelty of the “arrangement,” please note that the world’s most powerful spy agency and the nation’s most powerful legislative body abdicated well-established standards that would have determined in advance the protocol for a digital data transaction. This planning is fundamental to digital security and privacy.

Contemplating the agency’s sloppy information governance, especially given what was at stake, should lead to serious doubts about extending to any federal agency more authority to collect, store, or probe the digital records of Americans. For anyone who’s still not clear that the federal government is a poor steward of information, please do a careful reading of the above linked story in the Post.

That brings us (briefly) to President Obama’s 2015 cybersecurity initiatives. The president’s package would facilitate continued government access to citizen communications, and would snag security researchers, journalists, lawyers, and others in a net cast much too wide for cybercriminals. A recent surge in global terrorist activities validates the need for strong cyberdefense, but does not justify tossing all the cybercrime and national security concerns into a cybersecurity blender and turning on the blades.

It’s only a proposal right now, but there are elements that cry out already for the kind of definition that was lacking from the Senate-CIA plan. Selecting a bullet point at random:

“All monitoring, collection, use, retention, and sharing of information are limited to protecting against cybersecurity threats…”

Well, one would hope. But what does the protection entail, and how do we define the threats? These are not nit-picky questions; they are essential to information governance that does the intended tasks and mitigates privacy invasion. Or whatever you prefer to call it.

The privacy apartheid: no money, no time, no education, adds up to no privacy.

When privacy was a natural state of affairs, protecting it required a set of window shades, and maybe a hedge between you and the neighbor.

Modern privacy is a commodity, and the price is staggering. It’s not just money. Privacy protection is really inconvenient now, and intellectually challenging – not always in a good way. It requires a combination of education, time, prosperity, and technical aptitude that’s rare in a single human being. If you’re deficient in two or more of those categories, welcome to the privacy apartheid. You’re the have-not.

Here’s a brief and partial survey of the cost of privacy.

On the practically free end, you can make sure your internet browsers run in SSL mode by default. The cost is a bit of time. It requires a Google search and ability to download a plugin. You also need to understand when and why this will preclude internet access in certain circumstances, so you won’t freak out when it happens.

If you’re very serious and skilled, you can run your own email server. Hardcore privacy advocates recommend this as if it were a walk in the park. It requires equipment, dozens of hours to implement, and a great deal of technical aptitude to maintain, with numerous headaches guaranteed.

Recently, consumer-grade privacy-enhancing products have become available. Check out the Consumer Electronics Show, where for many years, gee-whiz products with the greatest privacy-invading potential have been the highlight. This year, a tiny space on the show floor features vendors of privacy, starting with signal-blocking cases for mobile devices ($69-$199, no technical proficiency required). Last Private Place featured a competing product for phones a few months back, the $80 Privacy Case.

Vysk is there, with a phone sleeve that has an encryption feature in the microphone to keep conversations private ($229). Using Vysk’s QS1 case requires a technical comfort level sufficient to activate the product’s privacy modes and download the subscription-based apps. Add a monthly charge of $9.99, plus at least an hour to experiment and understand settings and capabilities.

Virtual Private Network service provider PIA offers encrypted internet access on demand, with tech support. (Annual package price $39.95). But it’s not simple. You need basic knowledge of how networks function and probably about three hours to understand and activate the service.

Privacy advocates also suggest staying off most social media. There’s always been a privacy bonus for avoiding gossipy neighbors, and there still is. But there’s also a professional penalty, because those gossips now call themselves LinkedIn and Facebook, and your competitors are present in droves. Opportunity cost: incalculable.

If you’re looking for cheap solutions, a hat and sunglasses may provide a defense against surveillance cameras. For a few bucks and a few minutes you can sew a couple of infrared LED lights into the hat, with a 9 volt battery to power them. Hacker lore says in certain lighting conditions, this will obscure your face from the cameras.

So you pay with money or you pay with time and know-how, or you pay with isolation. And no matter how you pay, no product exists to completely eradicate the ubiquitous privacy challenges that show up daily disguised as fun and convenience.