Privacy

Oracle Is Funding a New Anti-Google Group

Your rights online - Fri, 08/19/2016 - 21:30
An anonymous reader writes from a report via Fortune: Oracle says it is funding a new non-profit called "Campaign for Accountability," which consists of a campaign called "The Google Transparency Project" that claims to expose criminal behavior carried out by Google. "Oracle is absolutely a contributor (one of many) to the Transparency Project. This is important information for the public to know. It is 100 percent public records and accurate," said Ken Glueck, Senior Vice President of Oracle. Fortune reports: "Oracle's hidden hand is not a huge surprise since the company has a history of sneaky PR tactics, and is still embroiled in a bitter intellectual property lawsuit with Google." One would think Microsoft may be another contributor, but the company said it is not. Daniel Stevens, the deputy director of the CfA, declined to name the group's other donors, or to explain why it does not disclose its funders. Why does this matter? "When wealthy companies or individuals pose as a grass-roots group like the so-called 'campaign for accountability' project, [it] can confuse news and public relations, and foster public cynicism," writes Jeff John Roberts via Fortune.

Read more of this story at Slashdot.

Categories: Privacy

EFF Accuses T-Mobile of Violating Net Neutrality With Throttled Video

Your rights online - Fri, 08/19/2016 - 20:10
An anonymous reader writes: T-Mobile's new "unlimited" data plan that throttles video has upset the Electronic Frontier Foundation (EFF), which accuses the company of violating net neutrality principles. The new $70-per-month unlimited data plan "limits video to about 480p resolution and requires customers to pay an extra $25 per month for high-definition video," reports Ars Technica. "Going forward, this will be the only plan offered to new T-Mobile customers, though existing subscribers can keep their current prices and data allotments." EFF Senior Staff Technologist Jeremy Gillula told the Daily Dot, "From what we've read thus far it seems like T-Mobile's new plan to charge its customers extra to not throttle video runs directly afoul of the principle of net neutrality." The FCC's net neutrality rules ban throttling, though Ars notes "there's a difference between violating 'the principle of net neutrality' and violating the FCC's specific rules, which have exceptions to the throttling ban and allow for case-by-case judgements." "Because our no-throttling rule addresses instances in which a broadband provider targets particular content, applications, services, or non-harmful devices, it does not address a practice of slowing down an end user's connection to the internet based on a choice made by the end user," says the FCC's Open Internet Order (PDF). "For instance, a broadband provider may offer a data plan in which a subscriber receives a set amount of data at one speed tier and any remaining data at a lower tier." The EFF is still determining whether or not to file a complaint with the Federal Communications Commission.

Scammers Use Harvard Education Platform to Promote Pirated Movies

Your rights online - Fri, 08/19/2016 - 18:30
TorrentFreak reports: Spammers are using Harvard's educational sharing tool H2O to promote pirated movies. Thousands of links to scammy sites have appeared on the site in recent weeks. Copyright holders are not happy with this unintended use and are targeting the pages with various takedown notices. H2O is a tool that allows professors and students to share learning material in a more affordable way. It is a welcome system that's actively used by many renowned scholars. However, in recent weeks the platform was also discovered by scammers. As a result, it quickly filled up with many links to pirated content. Instead of course instructions and other educational material, the H2O playlists of these scammers advertise pirated movies. The scammers in question are operating from various user accounts and operate much like traditional spam bots, offering pages with movie links and related keywords such as putlocker, megashare, viooz, torrent and YIFY.

Tesla Owner in Autopilot Crash Won't Sue, But Car Insurer May

Your rights online - Fri, 08/19/2016 - 17:40
Dana Hull, reporting for Bloomberg: A Texas man said the Autopilot mode on his Tesla Model S sent him off the road and into a guardrail, bloodying his nose and shaking his confidence in the technology. He doesn't plan to sue the electric-car maker, but his insurance company might. Mark Molthan, the driver, readily admits that he was not paying full attention. Trusting that Autopilot could handle the route as it had done before, he reached into the glove box to get a cloth and was cleaning the dashboard seconds before the collision, he said. The car failed to navigate a bend on Highway 175 in rural Kaufman, Texas, and struck a cable guardrail multiple times, according to the police report of the Aug. 7 crash. "I used Autopilot all the time on that stretch of the highway," Molthan, 44, said in a phone interview. "But now I feel like this is extremely dangerous. It gives you a false sense of security. I'm not ready to be a test pilot. It missed the curve and drove straight into the guardrail. The car didn't stop -- it actually continued to accelerate after the first impact into the guardrail." Cozen O'Connor, the law firm that represents Molthan's auto-insurance carrier, a unit of Chubb Ltd., said it sent Tesla Motors Inc. a notice letter requesting joint inspection of the vehicle, which has been deemed a total loss.

PSA: Twitch's 'Activity Sharing' Feature Exposes Your Activity By Default

Your rights online - Fri, 08/19/2016 - 13:30
The 'Activity Sharing' feature that Twitch announced on Thursday aims to notify your entire Friends list if you're doing something interesting. The video games streaming platform hopes that it would bolster the engagement level, as people will want to know what their friends are doing. The problem is that this feature is on by default. An anonymous reader writes: While the feature is fairly harmless, it is understandable that some people won't want others to easily spy on their behaviors. As an example, maybe you are watching a Hello Kitty game stream -- some folks might be embarrassed to have that displayed under their name. To turn it off, simply deselect the box as seen in this image.

AT&T, Apple, Google To Work On 'Robocall' Crackdown

Your rights online - Fri, 08/19/2016 - 13:03
Last month the FCC had pressed major U.S. phone companies to take immediate steps to develop technology that blocks unwanted automated calls and to make it available to consumers at no charge. It had demanded that the companies concerned come up with a "concrete, actionable" plan within 30 days. Well, the companies have complied. On Friday, 30 major technology companies announced they are joining the U.S. government to crack down on automated, pre-recorded telephone calls that regulators have labeled a "scourge." Reuters adds: AT&T, Alphabet, Apple, Verizon Communications and Comcast are among the members of the "Robocall Strike Force," which will work with the U.S. Federal Communications Commission. The strike force will report to the commission by Oct. 19 on "concrete plans to accelerate the development and adoption of new tools and solutions," said AT&T Chief Executive Officer Randall Stephenson, who is chairing the group. The group hopes to put in place Caller ID verification standards that would help block calls from spoofed phone numbers and to consider a "Do Not Originate" list that would block spoofers from impersonating specific phone numbers from governments, banks or others.

An Update on Patent Troll Shipping & Transit, LLC

Deep Links - Fri, 08/19/2016 - 13:02

There has been significant activity relating to cases and patent infringement claims made by Shipping & Transit, LLC, formerly known as ArrivalStar. Shipping & Transit, who we’ve written about on numerous occasions, is currently one of the most prolific patent trolls in the country. Lex Machina data indicates that, since January 1, 2016, Shipping & Transit has been named in almost 100 cases. This post provides an update on some of the most important developments in these cases.

In many Shipping & Transit cases, Shipping & Transit has alleged that retailers allowing their customers to track packages sent by USPS infringe various claims of patents owned by Shipping & Transit, despite previously suing (and settling with) USPS. EFF represents a company that Shipping & Transit accused of infringing four patents.

Shipping & Transit Is Facing Numerous Alice Motions

In April 2014, the Supreme Court decided Alice v. CLS Bank, holding that “abstract ideas” are not patentable. Many courts have since applied that ruling, finding that patents are “abstract” and therefore invalid, often very early in litigation, saving significant time, money, and effort by the parties.

Several defendants have now asked courts to quickly find Shipping & Transit’s patents invalid under Alice. Neptune Cigars has filed a motion with the Central District of California, arguing that two Shipping & Transit patents (U.S. Patent Nos. 6,763,299 and 6,415,207) are invalid. That motion is pending.

Another defendant, Loginext, also filed a motion arguing that U.S. Patent 6,415,207 was invalid under Alice. Shipping & Transit quickly dismissed its case against Loginext, with Loginext paying nothing to Shipping & Transit. Loginext had also sent a “Rule 11” letter to Shipping & Transit pointing out that Loginext did not even exist when U.S. Patent No. 6,763,299 expired.

Our clients, Triple7Vaping.com LLC and Jason Cugle (together, Triple7), have also noted that the patents are likely invalid under Alice. When another party in the Southern District of Florida moved to dismiss under Alice, we asked the court to consolidate our case with that one, and provided a brief explaining in detail why the claims are invalid under Alice. The motion, however, was not decided after the original party that moved to dismiss settled with Shipping & Transit.

Unified Patents Filed an Inter Partes Review Against the ’207 Patent

On July 25, 2015, Unified Patents filed a petition for inter partes review of U.S. Patent 6,415,207 (the ’207 patent), one of the few Shipping & Transit patents that remains in force (many of Shipping & Transit’s patents expired in 2013). In its petition to the Patent Office to review the ’207 patent, Unified Patents argues that the patent is invalid because it is obvious in light of other patents, including a different, much older, Shipping & Transit patent.

Shipping & Transit Disclaims All Liability by Triple7

On May 31, 2016, Triple7 filed a lawsuit asking for a declaratory judgment that four of Shipping & Transit’s patents were invalid and not infringed. Triple7 also asked the court to find that Shipping & Transit violated Maryland state law when it made its claims of infringement, because the claims were made in bad faith.

In response, on July 21, 2016, Shipping & Transit covenanted not to sue Triple7, meaning it has disclaimed any possible claim of infringement against Triple7. In doing so, Shipping & Transit has sought to prevent the court from deciding the merits of Shipping & Transit’s claims of infringement. Triple7 has argued that the court retains that ability as part of the Maryland claim, and the court is expected to decide the issue soon.

Shipping & Transit Reveals The Minimal Investigation It Does Before It Sends A Demand Letter 

Shipping & Transit asked the Court to dismiss Triple7’s claims for violations of Maryland State law. In doing so, it submitted two affidavits that detailed the investigation it engages in before sending a demand letter. In response, Triple7 argued that Shipping & Transit’s investigation was plainly deficient under binding Federal Circuit law.

While every individual case will have some differences, we hope that these materials are useful to current and future targets of Shipping & Transit’s trolling campaign.

Related Cases: Triple7Vaping.com, LLC et al. v. Shipping & Transit LLC

The NSA Leak Is Real, Snowden Documents Confirm

Your rights online - Fri, 08/19/2016 - 12:20
Sam Biddle, reporting for The Intercept: On Monday, a hacking group calling itself the "ShadowBrokers" announced an auction for what it claimed were "cyber weapons" made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide. The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA's virtual fingerprints and clearly originates from the agency. The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, "ace02468bdf13579." That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE. SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA's offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don't always have the last word when it comes to computer exploitation.

'Smart' Electrical Socket Leaks Your Email Address, Can Launch DDoS Attacks

Your rights online - Thu, 08/18/2016 - 19:40
An anonymous reader writes from a report via Softpedia: There is an insecure IoT smart electrical socket on the market that leaks your Wi-Fi password, your email credentials (if configured), and is also poorly coded, allowing attackers to hijack the device via a simple command injection in the password field. Researchers say that because of the nature of the flaws, attackers can overwrite its firmware and add the device to a botnet, possibly using it for DDoS attacks, among other things. Bitdefender didn't reveal the device's manufacturer but said the vendor is working on a fix, which will be released in late Q3 2016. Problems with the device include a lack of encryption for device communications and the lack of any basic input sanitization for the password field. "Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the internet and bypass the limitations of the network address translation," says Alexandru Balan, Chief Security Researcher at Bitdefender. "This is a serious vulnerability, we could see botnets made up of these power outlets."

How The US Will Likely Respond To Shadow Brokers Leak

Your rights online - Thu, 08/18/2016 - 19:00
blottsie writes: The NSA and FBI are both expected to investigate the leak of NSA-linked cyberweapons this week by an entity calling itself the Shadow Brokers, experts with knowledge of the process tell the Daily Dot. However, multiple experts say any retaliation by the U.S. will likely remain secret to keep the tactical advantage. Meanwhile, Motherboard reports that some former NSA staffers believe the leak is the work of a "rogue NSA insider." "First, the incident will be investigated by the National Security Agency as it tracks down exactly what went so wrong that top-secret offensive code and exploits ended up stolen and published for the world to see," reports Daily Dot. "An FBI counterintelligence investigation will likely follow, according to experts with knowledge of the process. [...] Following the investigation, the NSA and other entities within the United States government will have to decide on a response." The response will depend on a lot of things, such as whether or not an insider at the NSA is responsible for the breach -- a theory that is backed by a former NSA staffer and other experts. "The process is called an IGL: Intelligence Gain/Loss," reports Daily Dot. "Authorities suss out a pro and con list for various reactions, including directly and publicly blaming another country. [Chris Finan, a former director of cybersecurity legislation in the Obama administration and now CEO of the security firm Manifold Technology, said:] 'Some people think about responding in kind: A U.S. cyberattack. Doing that gives up the asymmetric response advantage you have in cyberspace.' Finan urged authorities to look at all tools, including economic sanctions against individuals, companies, groups, governments, or diplomatic constraints, to send a message through money rather than possibly burning a cyberwar advantage. Exactly if and how the U.S. responds to the Shadow Brokers incident will depend on the source of the attack. Attribution in cyberwar is tricky or even impossible much of the time. It quickly becomes a highly politicized process ripe with anonymous sources and little solid fact."

The Global Ambitions of Pakistan's New Cyber-Crime Act

Deep Links - Thu, 08/18/2016 - 18:13

Despite near-universal condemnation from Pakistan's tech experts, despite the efforts of a determined coalition of activists, and despite numerous attempts by alarmed politicians to patch its many flaws, Pakistan's Prevention of Electronic Crimes Bill (PECB) last week passed into law. Its passage ends an eighteen-month-long battle between Pakistan's government, which saw the bill as a flagship element of its anti-terrorism agenda, and the technologists and civil liberties groups who slammed the bill as an incoherent mix of anti-speech, anti-privacy and anti-Internet provisions.

But the PECB isn't just a tragedy for free expression and privacy within Pakistan. Its broad reach has wider consequences for Pakistan nationals abroad, and international criminal law as it applies to the Net.

The new law creates broad crimes related to "cyber-terrorism" and its "glorification" online. It gives the authorities the opportunity to threaten, target and censor unpopular online speech in ways that go far beyond international standards or Pakistan's own free speech protections for offline media. Personal digital data will be collected and made available to the authorities without a warrant: the products of these data retention programs can then be handed to foreign powers without oversight.

PECB is generous to foreign intelligence agencies. It is far less tolerant of other foreigners, or of Pakistani nationals living abroad. Technologists and online speakers outside Pakistan should pay attention to the first clause of the new law:

  1. This Act may be called the Prevention of Electronic Crimes Act, 2016.
  2. It extends to the whole of Pakistan.
  3. It shall apply to every citizen of Pakistan wherever he may be and also to every other person for the time being in Pakistan.
  4. It shall also apply to any act committed outside Pakistan by any person if the act constitutes an offence under this Act and affects a person, property, information system or data location in Pakistan.

Poorly-written cyber-crime laws criminalize everyday and innocent actions by technology users, and the PECB is no exception. It criminalizes the violation of terms of service in some cases, and ramps up the penalties for many actions that would be seen as harmless or positive acts in the non-digital world, including unauthorized copying and access. Security researchers and consumers frequently conduct "unauthorized" acts of access and copying for legitimate and lawful reasons. They do it to exercise their right of fair use, to expose wrongdoing in government, or to protect the safety and privacy of the public. Violating website terms of service may be a violation of your agreement with that site, but no nation should turn those violations into felonies.

The PECB asserts an international jurisdiction for these new crimes. It says that if you are a Pakistan national abroad (over 8.5 million people, or 4% of Pakistan's total population) you too can be prosecuted for violating its vague statutes. And if a Pakistan court determines that you have violated one of the prohibitions listed in the PECB in such a way that it affects any Pakistani national, you can find yourself prosecuted in the Pakistan courts, no matter where you live.

Pakistan isn't alone in making such broad claims of jurisdiction. Some countries claim the power to prosecute a narrow set of serious crimes committed against their citizens abroad under international law's "passive personality principle" (the U.S. does so in some of its anti-terrorism laws). Other countries claim jurisdiction over the actions of their own nationals abroad under the "active personality principle" (for instance, in cases of treason).

But Pakistan's cyber-crime law asserts both principles simultaneously, and explicitly applies them to all cyber-crime, both major and minor, defined in PECB. That includes creating "a sense of insecurity in the [Pakistani] government" (Ch.2, 10), offering services to change a computer's MAC address (Ch.2, 16), or building tools that let you listen to licensed radio spectrum (Ch.2, 13 and 17).

The universal application of such arbitrary laws could have practical consequences for the thousands of overseas Pakistanis working in the IT and infosecurity industries, as well as for those in the Pakistan diaspora who wish to publicly critique Pakistani policies. It also continues the global jurisdictional trainwreck that surrounds digital issues, where every country demands that its laws apply and must be enforced across a borderless Internet.

Applying what has been described as "the worst piece of cyber-crime legislation in the world" to the world is a bold ambition, and the current Pakistani government's reach may well have exceeded its grasp, both under international law and its own constitutional limits. The broad coalition who fought PECB in the legislature will now seek to challenge it in the courts.

But until they win, Pakistan has overlaid yet another layer of vague and incompatible crimes over the Internet, and its own far-flung citizenry.


California Lawmaker Pulls Digital Currency Bill After EFF Opposition

Deep Links - Thu, 08/18/2016 - 12:52

For the second year in a row, EFF and a coalition of virtual currency and consumer protection organizations have beaten back a California bill that would have created untenable burdens for the emerging cryptocurrency community.

This week, the author of A.B. 1326, Assemblymember Matt Dababneh, withdrew the bill from consideration, saying in a statement:

Unfortunately, the current bill in print does not meet the objectives to create a lasting regulatory framework that protects consumers and allows this industry to thrive in our state. More time is needed and these conversations must continue in order for California to be at the forefront of this effort.

State lawmakers were poised to quickly jam through an amended version of a digital currency licensing bill with new provisions that were even worse than last year’s version.

As in the previous version, the bill required a “digital currency business” to get approval from the state before operating in California and also comply with regulations similar to those applicable to banks and money transmitters. The amended bill, however, was so carelessly drafted that it would have forced Bitcoin miners, video game makers, and even digital currency users to register with a state agency and be subject to the new regulations.

Worse, the bill failed to accomplish its intent—protecting consumers—because it would have limited the number of digital currency options available to Californians.

EFF is grateful that Assemblymember Dababneh recognized there were problems with the legislation and put the brakes on sending it through the legislature as its session winds down.

That said, the bill demonstrates that there are still too many technical and policy gaps in the current thinking about digital currencies and the need for regulation.

EFF continues to believe that before lawmakers anywhere consider legislation regulating digital currencies, they need to better understand the technology at issue and demonstrate how the legislation actually benefits consumers. The California bill unfortunately failed in both respects.

A.B. 1326 Would Have Hurt Consumers

First, as EFF’s opposition letter to A.B. 1326 stated, the bill’s goal to protect consumers would have ironically been frustrated by the legislation, as it would have restricted access to currencies that benefit consumers in ways that non-digital currencies do not.

Many digital currencies allow individuals to directly transact with one another even when they do not know or trust each other. These currencies have significant benefits to consumers as they eliminate the third parties needed in non-digital transactions that can often be the sources of fraud or other consumer harm.

Further, intermediaries in traditional currency transactions, such as payment processors, are often the targets of financial censorship, which ultimately inhibits people’s ability to support controversial causes or organizations.

Because the bill would have allowed California’s Department of Business Oversight to determine which digital currency businesses operated in California, the government would have been deciding which currencies and businesses could be used, rather than consumers. This would have significantly limited Californians’ digital currency options, to their detriment.

A.B. 1326’s Vague Terms Would Have Required Consumers to Register

The bill was also written in a manner that failed to grasp how digital currencies work, leading to broad definitions of “digital currency business” that would have regulated not just businesses transacting on behalf of digital currency users, but the users themselves.

There were many vague definitions in the bill. Take for example, a provision requiring anyone who transmits digital currencies to another person to register and comply with its complex regulations.

Digital currency users often directly transmit digital currency value to others without any intermediary, meaning those users would have been subject to the regulations even though they are merely using a digital currency. Additionally, despite the bill purporting to have an exemption for parties such as Bitcoin miners, they would also have to register because in appending transactions to the Blockchain, they could be viewed as transmitting digital currency.

The bill also would have required video game makers who offer in-game digital currency or goods to register, as the exemption for such activity is limited to items or currency that have no value outside of the game. The reality is that many items and currencies within games often have independent markets in which players buy, sell, or exchange items, regardless of whether a game maker allows for those transactions. Those game makers, however, would have to obtain a license under the bill even though they often do not control the outside markets. The bill would have also created roadblocks for video game companies who offer in-game currency that can be used to buy real world items, such as T-shirts or stickers.

Additionally, the bill contained no exemption for start-ups or smaller companies innovating digital currencies, giving established currencies such as Bitcoin and its more sophisticated industry a leg up over competition.

The many problems with the bill would ultimately have been bad for the state, as it would have pushed innovation elsewhere and chilled a young and quickly evolving industry.

EFF recognizes that there are risks for consumers using digital currencies and appreciates lawmakers interested in addressing them. We think any legislative response, however, should be based on a better understanding of the state of digital currencies and narrowly focused on the situations that pose risks for consumers. Such an approach would preserve space for innovation in the industry while still protecting users.


Nintendo Shuts Down 'Pokemon Uranium' Fan Game After 1.5 Million Downloads

Your rights online - Wed, 08/17/2016 - 22:05
An anonymous reader quotes a report from The Wrap: The fan-made "Pokemon Uranium" game took a pair of programmers more than nine years to develop. Nintendo needed just about nine days to kill it. "After receiving more than 1,500,000 downloads of our game, we have been notified of multiple takedown notices from lawyers representing Nintendo of America," the creators of "Pokemon Uranium" said in a statement. "While we have not personally been contacted, it's clear what their wishes are, and we respect those wishes deeply. Therefore, we will no longer provide official download links for the game through our website," they continued. "We have no connection to fans who re-upload the game files to their own hosts, and we cannot verify that those download links are all legitimate. We advise you to be extremely cautious about downloading the game from unofficial sources." The role-playing game was free, though creators @JVuranium and Involuntary Twitch were open to suggested PayPal donations of $2-$10. Set in the tropical Tandor region, "Uranium" players can encounter more than 150 all-new species of Pokemon in their quest to collect all eight Gym Badges and triumph over the Tandor League, per the official description. Along the way, the players must battle against a sinister threat that's causing Nuclear Meltdowns.

Civil Rights Coalition Files FCC Complaint Against Baltimore Police Department for Illegally Using Stingrays to Disrupt Cellular Communications

Deep Links - Wed, 08/17/2016 - 21:18

Civil Rights Groups Urge FCC to Issue Enforcement Action Prohibiting Law Enforcement Agencies From Illegally Using Stingrays

This week the Center for Media Justice, ColorOfChange.org, and New America’s Open Technology Institute filed a complaint with the Federal Communications Commission alleging the Baltimore police are violating the federal Communications Act by using cell site simulators, also known as Stingrays, that disrupt cellphone calls and interfere with the cellular network—and are doing so in a way that has a disproportionate impact on communities of color.

Stingrays operate by mimicking a cell tower and directing all cellphones in a given area to route communications through the Stingray instead of the nearby tower. They are especially pernicious surveillance tools because they collect information on every single phone in a given area—not just the suspect’s phone—which means they allow the police to conduct indiscriminate, dragnet searches. They are also able to locate people inside traditionally-protected private spaces like homes, doctors’ offices, or places of worship. Stingrays can also be configured to capture the content of communications.

Because Stingrays operate on the same spectrum as cellular networks but are not actually transmitting communications the way a cell tower would, they interfere with cell phone communications within as much as a 500 meter radius of the device (Baltimore’s devices may be limited to 200 meters). This means that any important phone call placed or text message sent within that radius may not get through. As the complaint notes, “[d]epending on the nature of an emergency, it may be urgently necessary for a caller to reach, for example, a parent or child, doctor, psychiatrist, school, hospital, poison control center, or suicide prevention hotline.” But these and even 911 calls could be blocked.

The Baltimore Police Department could be among the most prolific users of cell site simulator technology in the country. A Baltimore detective testified last year that the BPD used Stingrays 4,300 times between 2007 and 2015. Like other law enforcement agencies, Baltimore has used its devices for major and minor crimes—everything from trying to locate a man who had kidnapped two small children to trying to find another man who took his wife’s cellphone during an argument (and later returned it). According to logs obtained by USA Today, the Baltimore PD also used its Stingrays to locate witnesses, to investigate unarmed robberies, and for mysterious “other” purposes. And like other law enforcement agencies, the Baltimore PD has regularly withheld information about Stingrays from defense attorneys, judges, and the public.

Moreover, according to the FCC complaint, the Baltimore PD’s use of Stingrays disproportionately impacts African American communities. Coming on the heels of a scathing Department of Justice report finding “BPD engages in a pattern or practice of conduct that violates the Constitution or federal law,” this may not be surprising, but it still should be shocking. The DOJ’s investigation found that BPD not only regularly makes unconstitutional stops and arrests and uses excessive force within African-American communities but also retaliates against people for constitutionally protected expression, and uses enforcement strategies that produce “severe and unjustified disparities in the rates of stops, searches and arrests of African Americans.”

Adding Stingrays to this mix means that these same communities are subject to more surveillance that chills speech and are less able to make 911 and other emergency calls than communities where the police aren’t regularly using Stingrays. A map included in the FCC complaint shows exactly how this is impacting Baltimore’s African-American communities. It plots hundreds of addresses where USA Today discovered BPD was using Stingrays over a map of Baltimore’s black population based on 2010 Census data included in the DOJ’s recent report.

The Communications Act gives the FCC the authority to regulate radio, television, wire, satellite, and cable communications in all 50 states, the District of Columbia and U.S. territories. This includes being responsible for protecting cellphone networks from disruption and ensuring that emergency calls can be completed under any circumstances. And it requires the FCC to ensure that access to networks is available “to all people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” Considering that the spectrum law enforcement is utilizing without permission is public property leased to private companies for the purpose of providing them next generation wireless communications, it goes without saying that the FCC has a duty to act.

The FCC must protect the American people from law enforcement practices that disrupt emergency communications and unconstitutionally discriminate against communities based on race. The FCC is charged with safeguarding the public's interest in transparency and equality of access to communication over the airwaves. Please join us in calling on the FCC to enforce the Communications Act and put an end to widespread network interference by the rampant unauthorized transmissions of the BPD's illegal use of stingray technology.

But we should not assume that the Baltimore Police Department is an outlier—EFF has found that law enforcement has been secretly using stingrays for years and across the country. No community should have to speculate as to whether such a powerful surveillance technology is being used on its residents. Thus, we also ask the FCC to engage in a rule-making proceeding that addresses not only the problem of harmful interference but also the duty of every police department to use Stingrays in a constitutional way, and to publicly disclose—not hide—the facts around acquisition and use of this powerful wireless surveillance technology. 

Anyone can support the complaint by tweeting at FCC Commissioners or by signing the petitions hosted by Color of Change or MAG-Net.

Related Cases: U.S. v. Damian Patrick; State of Maryland v. Kerron Andrews

Cisco Patches 'ExtraBacon' Zero-day Exploit Leaked By NSA Hackers

Your rights online - Wed, 08/17/2016 - 20:45
Patrick O'Neill quotes a report from The Daily Dot: After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks. "Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention," the company said in a statement. "On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible." The report adds: "An unknown group of hackers dubbed the Shadow Brokers posted cyberweapons stolen from the so-called Equation Group, the National Security Agency-linked outfit known as 'the most advanced' group of cyberwarriors in the internet's history. One of the cyberweapons posted was an exploit called ExtraBacon that can be used to attack Cisco Adaptive Security Appliance (ASA) software designed to protect corporate networks and data centers. 'ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,' Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told the Daily Dot. 'If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.' ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."


Oracle Says Trial Wasn't Fair, It Should Have Known About Google Play For Chrome

Your rights online - Wed, 08/17/2016 - 18:40
Two and a half months after a federal jury concluded that Google's Android operating system does not infringe Oracle-owned copyrights because its re-implementation of 37 Java APIs is protected by "fair use," Oracle's attorney says her client missed a crucial detail in the trial, adding that this detail could change everything. Ars Technica reports: Oracle lawyers argued in federal court today that their copyright trial loss against Google should be thrown out because they were denied key evidence in discovery. Oracle attorney Annette Hurst said that the launch of Google Play on Chrome OS, which happened in the middle of the trial, showed that Google was trying to break into the market for Java SE on desktops. In her view, that move dramatically changes the amount of market harm that Oracle experienced, and the evidence should have been shared with the jury. "This is a game-changer," Hurst told U.S. District Judge William Alsup, who oversaw the trial. "The whole foundation for their case is gone. [Android] isn't 'transformative'; it's on desktops and laptops." Google argued that its use of Java APIs was "fair use" for several reasons, including the fact that Android, which was built for smartphones, didn't compete with Java SE, which is used on desktops and laptops. During the post-trial hearing today, Hurst argued that it's clear that Google intends to use Android smartphones as a "leading wedge" and has plans to "suck in the entire Java SE market. [...] Android is doing this using Java code," said Hurst. "That's outrageous, under copyright law. This verdict is tainted by the jury's inability to hear this evidence. Viewing the smartphone in isolation is a Google-gerrymandered story." Meanwhile, Google's attorney said Oracle was aware of Google's intentions of porting Android to laptops and desktops, and that if Oracle wanted to use this piece of information, it could have.


Tell Your University: Don't Sell Patents to Trolls

Deep Links - Wed, 08/17/2016 - 18:18

When universities invent, those inventions should benefit everyone. Unfortunately, they sometimes end up in the hands of patent trolls—companies that serve no purpose but to amass patents and demand money from others. When a university sells patents to trolls, it undermines the university’s purpose as a driver of innovation. Those patents become landmines that make innovation more difficult.

A few weeks ago, we wrote about the problem of universities selling or licensing patents to trolls. We said that the only way that universities will change their patenting and technology transfer policies is if students, professors, and other members of the university community start demanding it.

It’s time to start making those demands.

We’re launching Reclaim Invention, a new initiative to urge universities to rethink how they use patents. If you think that universities should keep their inventions away from the hands of patent trolls, then use our form to tell them.

EFF is proud to partner with Creative Commons, Engine, Fight for the Future, Knowledge Ecology International, and Public Knowledge on this initiative.

Tell your university: Don’t sell patents to trolls.

A Simple Promise to Defend Innovation

Central to our initiative is the Public Interest Patent Pledge (PIPP), a pledge we hope to see university leadership sign. The pledge says that before a university sells or licenses a patent, it will first check to make sure that the potential buyer or licensee doesn’t match the profile of a patent troll:

When determining what parties to sell or license patents to, [School name] will take appropriate steps to research the past practices of potential buyers or licensees and favor parties whose business practices are designed to benefit society through commercialization and invention. We will strive to ensure that any company we sell or license patents to does not have a history of litigation that resembles patent trolling. Instead, we will partner with those who are actively working to bring new technologies and ideas to market, particularly in the areas of technology that those patents inhabit.

One of our sources of inspiration for the pledge was the technology transfer community itself. In 2007, the Association of University Technology Managers (AUTM) released a document called Nine Points to Consider, which advocates transferring to companies that are actively working in the same fields of technology the patents cover, not those that will simply use them to demand licensing fees from others. More recently, the Association of American Universities (AAU) launched a working group on technology transfer policy, and that group’s early recommendations closely mirror AUTM’s (PDF). EFF has often found itself on the opposite side of policy fights from AUTM and AAU, but we largely agree with them on this issue that something needs to change.

Despite that good advice, many research universities continue to sell patents to trolls. Just a few weeks ago, we wrote about My Health, a company that appears to do nothing but file patent and trademark lawsuits. Its primary weapon is a patent from the University of Rochester. Rochester isn’t alone: dozens of universities regularly license patents to the notorious mega-troll Intellectual Ventures.

Good intentions and policy statements won’t solve the problem. Universities will change when students, professors, and alumni insist on it.

Local Organizers: You Can Make a Difference

We’re targeting this campaign at every college and university in the United States, from flagship state research institutions to liberal arts colleges. Why? Because patents affect everyone. The licensing decisions that universities make today will strengthen or sabotage the next generation of inventors and innovators. Together, we can make a statement that universities want more innovation-friendly laws and policies nationwide.

It would be impossible for any one organization to persuade every college and university to sign the pledge, so we’re turning to our network of local activists in the Electronic Frontier Alliance and beyond.

We’ve designed our petition to make it easy for local organizers to share the results with university leadership. For example, here are all of the people who’ve signed the petition with a connection to the University of South Dakota. If you volunteer for the USD digital civil liberties club—or if you’ve been looking to start it—then your group could write a letter to university leadership urging them to sign the pledge, and include the names of all of the signatories. We’re eager to work with you to make sure your voice is heard. You can write me directly with any questions.

Reclaim Invention represents a new type of EFF campaign. This is the first time we’ve launched a campaign targeting thousands of local institutions at once. It’s a part of our ongoing work to unite the efforts of grassroots digital rights activists across the country. Amazing things can happen when local activists coordinate their efforts.

Tell your university: Don’t sell patents to trolls.



Transfer of Internet Governance Will Go Ahead On Oct. 1

Your rights online - Wed, 08/17/2016 - 18:00
An anonymous reader writes from a report via Computerworld: The U.S. says it will proceed with its plan to hand over oversight of the internet's domain name system functions to a multistakeholder body on Oct. 1. Computerworld reports: "The Internet Corporation for Assigned Names and Numbers (ICANN), under contract with the U.S. Department of Commerce, operates the Internet Assigned Numbers Authority (IANA) which enables the operation of the internet domain name system (DNS). These include responsibility for the coordination of the DNS root, IP addressing and other internet protocol resources. The National Telecommunications and Information Administration (NTIA), an agency within the Commerce Department, said in March 2014 that it planned to let its contract with ICANN expire on Sept. 30, 2015, passing the oversight of the functions to a global governance model. NTIA made it clear that it would not accept a plan from internet stakeholders that would replace its role by that of a government-led or intergovernmental organization or would in any way compromise the openness of the internet. The transfer was delayed to September as the internet community needed more time to finalize the plan for the transition. The new stewardship plan submitted by ICANN was approved by the NTIA in June. NTIA Administrator Lawrence E. Strickling said Tuesday that the agency had informed ICANN that 'barring any significant impediment,' NTIA intends to allow the IANA functions contract it has with ICANN to expire as of Oct. 1, said Strickling, who is also assistant secretary for communications and information."


Maker of Web Monitoring Software Can Be Sued

Your rights online - Wed, 08/17/2016 - 16:15
Reader Presto Vivace shares a CIO report: The maker of so-called spyware program WebWatcher can be sued for violating state and federal wiretap laws, a U.S. appeals court has ruled, in a case that may have broader implications for online monitoring software and software as a service. The U.S. Court of Appeals for the Sixth Circuit rejected WebWatcher vendor Awareness Technologies' motion to dismiss a lawsuit against the company. The appeals court overturned a lower court ruling granting the motion to dismiss. The appeals court, in a 2-1 decision, rejected Awareness' claims that WebWatcher does not intercept communications in real time, in violation of the U.S. wiretap act, but instead allows users to review targets' communications. While plaintiff Javier Luis' lawsuit doesn't address real-time interception of communications, his allegations "give rise to a reasonable inference" of that happening, Judge Ronald Lee Gilman wrote. Awareness pitches WebWatcher as monitoring software for parents and employers. "All WebWatcher products install easily in 5 minutes or less, are undetectable (thus tamper proof) and all recorded data is sent to a secure web-based account which allows you to monitor kids and employees at your convenience from any computer," the company says.


NSA Worried About Implications of Leaked Toolkits

Your rights online - Wed, 08/17/2016 - 10:40
Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business Insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (e.g. privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak. (Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
