aggregator

Border Agents Need A Warrant to Search Travelers’ Phones, EFF Tells Court

Electronic Frontier Foundation - Pn, 2017-03-20 20:56
The Border Isn’t a Constitution-Free Zone

Richmond, Virginia—Border agents must obtain a warrant to search travelers’ phones, tablets, and laptops, which contain a vast trove of sensitive, highly personal information that is protected by the Fourth Amendment, the Electronic Frontier Foundation (EFF) told a federal appeals court today.

Searches of devices at the border have more than doubled since the inauguration of President Trump—from nearly 25,000 in all of 2016, to 5,000 in February alone. This increase, along with the increasing number of people who carry these devices when they travel, has heightened awareness of the need for stronger privacy rights while crossing the U.S. border. 

While the Fourth Amendment ordinarily requires law enforcement officials to get a warrant supported by probable cause before searching our property, in cases that predate the rise of digital devices, courts granted border agents the power to search our luggage without a warrant or any suspicion of wrongdoing.

But portable digital devices differ wildly from luggage or other physical items we carry with us to the airport because they provide access to the entirety of our private lives, EFF said in an amicus brief filed at the U.S. Court of Appeals for the Fourth Circuit in the border search case U.S. v. Kolsuz. In 2014 the Supreme Court noted that cellphones now hold “the privacies of life” for people, including highly personal, private information such as photos, texts, contact lists, email messages, and videos. Many digital devices can access personal records stored in the “cloud,” such as financial or medical information. Before smartphones were invented, that kind of information would be kept in our home offices, desk drawers, or basement storage. If law enforcement officers wanted to enter your home or lock box as part of a search, they’d need to go before a judge, prove probable cause that you’re involved in a crime, and get a warrant. 

“The border isn’t a constitution-free zone,” said Adam Schwartz, EFF senior staff attorney. “The U.S. Supreme Court ruled in 2014 that mobile phones are a window into our private lives and police need to show there’s probable cause that the people they arrest have committed crimes and obtain a warrant to search their phones. There should be no less protection for individuals who have not been arrested or shown to have committed any crime, but who instead simply want to enter the United States.”

It’s never been more important for courts to follow the standard set by the Supreme Court about cell phone searches and apply it to borders searches. Reports have surfaced of border agents searching the devices of innocent U.S. citizens, green card holders, and foreign visitors. While all kinds of travelers have suffered this intrusion, many reports involve journalists, Muslim-Americans, and Americans with Middle Eastern-sounding names. Asian Americans Advancing Justice-Asian Law Caucus, Brennan Center for Justice, Council on American-Islamic Relations and six of its chapters, and The National Association of Criminal Defense Lawyers joined EFF in filing the brief.

“Law enforcement officials should be required to meet the same standards for searching our cell phones wherever we are—in our cities, on the highway, at vehicle checkpoints, and at the border. Regardless of the location, when officials want to crack open the private information in someone’s phone, they must first obtain a warrant,” said Schwartz.

For the brief:
https://www.eff.org/document/us-v-kolsuz-eff-amicus-brief

For EFF’s new border guide:
https://www.eff.org/wp/digital-privacy-us-border-2017

For EFF’s new border pocket guide:
https://www.eff.org/document/eff-border-search-pocket-guide

Contact:  AdamSchwartzSenior Staff Attorneyadam@eff.org
Share this: Join EFF

Hearing Wednesday: National Security Letters Violate the First Amendment

Electronic Frontier Foundation - Pn, 2017-03-20 18:52
EFF to Argue NSL Gag Orders Are Unconstitutional in San Francisco Appeals Court

San Francisco – The Electronic Frontier Foundation (EFF) will urge an appeals court Wednesday to find that the FBI violates the First Amendment when it unilaterally gags recipients of national security letters (NSLs), and the law should therefore be found unconstitutional. The hearing is set for Wednesday, March 22, at 1:30pm in San Francisco.

EFF represents two communications service providers—CREDO Mobile and Cloudflare—that were restrained for years from speaking about the NSLs they received, including even acknowledging that they had received any NSLs. Early Monday, just days before the hearing, the FBI finally conceded that EFF could reveal that these two companies were fighting a total of five NSLs.

CREDO and Cloudflare have fought for years to publicly disclose their roles in battling NSL gag orders. Both companies won the ability to talk about some of the NSLs they had received several months ago, but Monday’s decision by the FBI allows them to acknowledge all the NSLs at issue in this case.

On Wednesday, EFF Staff Attorney Andrew Crocker will tell the United States Court of Appeals for the Ninth Circuit that these gags are unconstitutional restrictions on CREDO and Cloudflare’s free speech and that the FBI’s belated decision to lift some of the gags only underscores why judicial oversight is needed in every case. The gag orders barred these companies from participating in discussion and debate about government use of NSLs—even as Congress was debating changes to the NSL statute in 2015.

What:
In re National Security Letters

Who:
EFF Staff Attorney Andrew Crocker

Date:
March 22
1:30 pm

Where:
Courtroom 3, 3rd Floor Room 307
U.S. Court of Appeals for the Ninth Circuit
James R. Browning U.S. Courthouse
95 Seventh Street
San Francisco, CA 94103

For the FBI notice allowing the companies to identify themselves:
https://www.eff.org/document/notice-regarding-public-identification-nsl-recipients

For more on this case:
https://www.eff.org/issues/national-security-letters

Contact:  AndrewCrockerStaff Attorneyandrew@eff.org
Share this: Join EFF

FBI Director Comey Confirms Investigation Into Trump Campaign

Slashdot - Your Rights Online - Pn, 2017-03-20 17:20
FBI Director James Comey confirmed during testimony before Congress Monday that the FBI is investigating whether the Trump campaign colluded with a covert Russian campaign to interfere with the election. From a report on Reuters: Comey told a congressional hearing on Russian activities that the probe "includes investigating the nature of any links between individuals associated with the Trump campaign and the Russian government and whether there was any coordination between the campaign and Russia's efforts. Because it is an open, ongoing investigation and is classified, I cannot say more about what we are doing and whose conduct we are examining," Comey said. Earlier, the chairman of the U.S. House of Representatives Intelligence Committee, Republican Representative Devin Nunes, told the same hearing that the panel had seen no evidence of collusion between Russia and Trump's 2016 campaign. Nunes also denied an unsubstantiated claim from Trump that there had been a wiretap on his Trump Tower in New York but said it was possible other surveillance was used against the Republican.

Read more of this story at Slashdot.

Indiana Considers Prohibiting Cities From Banning Airbnb

Slashdot - Your Rights Online - Pn, 2017-03-20 12:34
"Indiana's cities and towns wouldn't be allowed to put their own restrictions on companies such as Airbnb under a proposal state lawmakers are considering," reports the Associated Press. Slashdot reader El Cubano writes: The proposed legislation would prohibit local government in the state from banning Airbnb rentals by their residents. There are exceptions for home owner associations (which will still be allowed to ban rentals in their communities) and 180-day per year cap. It is interesting to see something like this being considered at the state level. Supporters say that they are trying to prevent knee-jerk regulations and to protect an innovative emerging market. At the same time, local authorities are upset that they will no longer have the option to make the determination for themselves. The bill has already been approved by the Indiana House, as well as a key committee in the Indiana Senate.

Read more of this story at Slashdot.

Two More Executives Are Leaving Uber, Drivers May Unionize

Slashdot - Your Rights Online - Pn, 2017-03-20 06:46
First the resignations. "The beliefs and approach to leadership that have guided my career are inconsistent with what I saw and experienced at Uber," the company's former president told Recode on Sunday, announcing his resignation. "The departures add to the executive exodus from Uber this year," writes The New York Times. An anonymous reader quotes their report. Brian McClendon, vice president of maps and business platform at Uber, also plans to leave at the end of the month... Raffi Krikorian, a well-regarded director in Uber's self-driving division, left the company last week, while Gary Marcus, who joined Uber in December after Uber acquired his company, left this month. Uber also asked for the resignation of Amit Singhal, a top engineer who failed to disclose a sexual harassment claim against him at his previous employer, Google, before joining Uber. And Ed Baker, another senior executive, left this month as well. Jones left Uber after less than six months, though McClendon's departure is said to be more amicable. "Mr. McClendon, in a statement, said he was returning to his hometown, Lawrence, Kansas, after 30 years away. 'This fall's election and the current fiscal crisis in Kansas is driving me to more fully participate in our democracy -- and I want to do that in the place I call home." In other news, the Teamsters labor union plans to start organizing Uber's drivers into a union, after a Washington judge rejected Uber's attempt to overturn a right-to-unionize ordinance passed by the city of Seattle.

Read more of this story at Slashdot.

Apple Paid $0 In Taxes To New Zealand, Despite Sales of $4.2 Billion

Slashdot - Your Rights Online - Pn, 2017-03-20 03:46
Apple paid no income tax to New Zealand's Inland Revenue Department for the last 10 years, according to an article shared by sit1963nz, prompting calls for the company to "do the right thing" even from some American-based Apple users. From the New Zealand Herald: Bryan Chaffin of The Mac Observer, an Apple community blog site founded in 1998...wrote that Apple was the largest taxpayer in the United States, but 'pays next to nothing in most parts of the world... [L]ocal taxes matter. Roads matter. Schools matter. Housing authorities matter. Health care matters. Regulation enforcement matters. All of the things that support civil society matter. Apple's profits are made possible by that civil society, and the company should contribute its fair share.'" Apple's accounts "show apparent income tax payments of $37 million," according to an earlier article, "but a close reading shows this sum was actually sent abroad to the Australian Tax Office, an arrangement that has been in place since at least 2007. Had Apple reported the same healthy profit margin in New Zealand as it did for its operations globally it would have paid $356 million in taxes over the period." "It is absolutely extraordinary that they are able to get away with paying zero tax in this country," said Green Party co-leader James Shaw. "I really like Apple products -- they're incredibly innovative -- but it looks like their tax department is even more innovative than their product designers."

Read more of this story at Slashdot.

Maryland Legislator Wants To Keep State University Patents Away From Trolls

Slashdot - Your Rights Online - Pn, 2017-03-20 00:46
The EFF's "Reclaim Invention" campaign provided the template for a patent troll-fighting bill recently introduced in the Maryland legislature to guide public universities. An anonymous reader writes: The bill would "void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll)," according to the EFF, requiring universities to manage their patent portfolios in the public interest. James Love, the director of the nonprofit Knowledge Ecology International, argues this would prevent assigning patents to "organizations who are just suing people for infringement," which is especially important for publicly-funded colleges. "You don't want public sector patents to be used in a way that's a weapon against the public." Yarden Katz, a fellow at Harvard's Berkman Klein Center for Internet amd Society, says the Maryland legislation would "set an example for other states by adopting a framework for academic research that puts public interests front and center." The EFF has created a web page where you can encourage your own legislators to pass similar bills, and to urge universities to pledge "not to knowingly license or sell the rights of inventions, research, or innovation...to patent assertion entities, or patent trolls."

Read more of this story at Slashdot.

WikiLeaks Won't Tell Tech Companies How To Patch CIA Zero-Days Until Demands Are Met

Slashdot - Your Rights Online - N, 2017-03-19 22:35
"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told Motherboard -- but then things apparently stalled. An anonymous reader quotes Fortune: Wikileaks this week contacted major tech companies including Apple and Google, and required them to assent to a set of conditions before receiving leaked information about security "zero days" and other surveillance methods in the possession of the Central Intelligence Agency... Wikileaks' demands remain largely unknown, but may include a 90-day deadline for fixing any disclosed security vulnerabilities. According to Motherboard's sources, at least some of the involved companies are still in the process of evaluating the legal ramifications of the conditions. Julian Assange announced Friday that Mozilla had already received information after agreeing to their "industry standard responsible disclosure plan," then added that "most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies... such associations limit industry staff with U.S. security clearances from fixing security holes based on leaked information from the CIA." Assange suggested users "may prefer organizations such as Mozilla or European companies that prioritize their users over government contracts. Should these companies continue to drag their feet we will create a league table comparing company responsiveness and government entanglements so users can decided for themselves."

Read more of this story at Slashdot.

NY Bill Would Require Removal of Inaccurate, Irrelevant Or Excessive Statements

Slashdot - Your Rights Online - N, 2017-03-19 21:35
schwit1 writes: In a bill aimed at securing a "right to be forgotten," introduced by Assemblyman David I. Weprin and (as Senate Bill 4561 by state Sen. Tony Avella), New York politicians would require people to remove "inaccurate," "irrelevant," "inadequate" or "excessive" statements about others... Failure to comply would make the search engines or speakers liable for, at least, statutory damages of $250/day plus attorney fees. The Washington Post reports the bill's provisions would be as follows: Within 30 days of a "request from an individual, all search engines [and online speakers] shall remove...content about such individual, and links or indexes to any of the same, that is 'inaccurate', 'irrelevant', 'inadequate' or 'excessive,' and without replacing such removed...content with any disclaimer [or] takedown notice.... [I]naccurate', 'irrelevant', 'inadequate', or 'excessive' shall mean content, which after a significant lapse in time from its first publication, is no longer material to current public debate or discourse, especially when considered in light of the financial, reputational and/or demonstrable other harm that the information...is causing to the requester's professional, financial, reputational or other interest, with the exception of content related to convicted felonies, legal matters relating to violence, or a matter that is of significant current public interest, and as to which the requester's role with regard to the matter is central and substantial."

Read more of this story at Slashdot.

Your Hotel Room Photos Could Help Catch Sex Traffickers

Slashdot - Your Rights Online - N, 2017-03-19 20:35
100,000 people people have already downloaded an app that helps fight human trafficking. dryriver summarizes a report from CNN: Police find an ad for paid sex online. It's an illegally trafficked underage girl posing provocatively in a hotel room. But police don't know where this hotel room is -- what city, what neighborhood, what hotel or hotel room. This is where the TraffickCam phone app comes in. When you're staying at a hotel, you take pictures of your room... The app logs the GPS data (location of the hotel) and also analyzes what's in the picture -- the furniture, bed sheets, carpet and other visual features. This makes the hotel room identifiable. Now when police come across a sex trafficking picture online, there is a database of images that may reveal which hotel room the picture was taken in. "Technology drives everything we do nowadays, and this is just one more tool that law enforcement can use to make our job a little safer and a little bit easier," says Sergeant Adam Kavanaugh, supervisor of the St. Louis County Multi-Jurisdictional Human Trafficking Task Force. "Right now we're just beta testing the St. Louis area, and we're getting positive hits," he says (meaning ads that match hotel-room photos in the database). But the app's creators hope to make it available to all U.S. law enforcement within the next few months, and eventually globally, so their app is already collecting photographs from hotel rooms around the world to be stored for future use.

Read more of this story at Slashdot.

Company's Former IT Admin Accused of Accessing Backdoor Account 700+ Times

Slashdot - Your Rights Online - N, 2017-03-19 17:34
An anonymous reader writes: "An Oregon sportswear company is suing its former IT administrator, alleging he left backdoor accounts on their network and used them more than 700 times to search for information for the benefit of its new employer," reports BleepingComputer. Court papers reveal the IT admin left to be the CTO at one of the sportswear company's IT suppliers after working for 14 years at his previous employer. For more than two years, he's [allegedly] been using an account he created before he left to access his former colleagues' emails and gather information about the IT services they might need in the future. The IT admin was fired from his CTO job after his new employer found out what he was doing. One backdoor, which enabled both VPN and VDI connections to the company's network, granted access to a "jmanming" account for a non-existent employee named Jeff Manning...

Read more of this story at Slashdot.

The US Army Finally Gets The World's Largest Laser Weapon System

Slashdot - Your Rights Online - N, 2017-03-19 16:34
It's been successfully tested on trucks, as well as UAVs and small rockets, according to a video from Lockheed Martin, which is now shipping the first 60kW-class "beam combined" fiber laser for use by the U.S. Army. An anonymous reader quotes the Puget Sound Business Journal: Lockheed successfully developed and tested the 58 kW laser beam earlier this year, setting a world record for this type of laser. The company is now preparing to ship the laser system to the U.S. Army Space and Missile Defense Command/Army Forces Strategic Command in Huntsville, Alabama [according to Robert Afzal, senior fellow for Lockheed's Laser and Sensor Systems in Bothell]. "We have shown that a powerful directed energy laser is now sufficiently light-weight, low volume and reliable enough to be deployed on tactical vehicles for defensive applications on land, at sea and in the air..." Laser weapons, which complement traditional kinetic weapons in the battlefield, will one day protect against threats such as "swarms of drones" or a flurry of rockets and mortars, Lockheed said.

Read more of this story at Slashdot.

Ask Slashdot: How Would You Implement Site-Wide File Encryption?

Slashdot - Your Rights Online - N, 2017-03-19 13:34
Recently-leaked CIA documents prove that encryption works, according to the Associated Press. But how should sys-admins implement site-wide file encryption? Very-long-time Slashdot reader Pig Hogger writes: If you decide to implement server-level encryption across all your servers, how do you manage the necessary keys/passwords/passphrases to insure that you have both maximum uptime (you can access your data if you need to reboot your servers), yet that the keys cannot be compromised... What are established practices to address this issue? Keep in mind that you can't change your password once the server's been seized, bringing up the issue of how many people know that password. Or is there a better solution? Share you suggestions and experiences in the comments. How would you implement site-wide file encryption?

Read more of this story at Slashdot.

CBS Reports 'Suspicious' Cell Phone Tower Activity In Washington DC

Slashdot - Your Rights Online - N, 2017-03-19 01:34
"An unusually high amount of suspicious cell phone activity in the nation's capital has caught the attention of the Department of Homeland Security, raising concerns that U.S. officials are being monitored by a foreign entity," reports CBS News: The issue was first reported in the Washington Free Beacon, but a source at telecom security firm ESD America confirmed the spike in suspicious activity to CBS News. ESD America, hired preemptively for a DHS pilot program this January called ESD Overwatch, first noticed suspicious activity around cell phone towers in certain parts of the capital, including near the White House. This kind of activity can indicate that someone is monitoring specific individuals or their devices... According to the ESD America source, the first such spike of activity was in D.C. but there have been others in other parts of the country. Based on the type of technology used, the source continued, it is likely that the suspicious activity was being conducted by a foreign nation. The news coincides with a letter sent to the DHS by two congressmen "deeply concerned" about vulnerabilities in the SS7 protocol underlying U.S. cellular networks, according to an article shared by Slashdot reader Trailrunner7. Senator Ron Wyden and Representative Ted Lieu are asking if the agency has enough resources to address the threat. "Although there have been a few news stories about this topic, we suspect that most Americans simply have no idea how easy it is for a relatively sophisticated adversary to track their movements, tap their calls, and hack their smartphones."

Read more of this story at Slashdot.

China's Police Will Shoot Illegal Drones With Radio-Jamming Rifles

Slashdot - Your Rights Online - So, 2017-03-18 23:34
"Police in China are being equipped with new high-tech weaponry to help them fight back against illegal drone use," writes new submitter drunkdrone. Mashable reports: A Chinese city's police department is arming itself with more than 20 drone-jamming rifles...which work by emitting radio signals that force the drones to land, purportedly without damaging them. The drone-killing rifles will be used during the upcoming 2017 Wuhan Marathon, to raise security. Wuhan police demonstrated the drone-killing rifles last week, where they shot down six drones, according to the Chutian Metropolitan Daily. Each rifle costs $36,265, and has a range of 0.6 miles.

Read more of this story at Slashdot.

Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot

Slashdot - Your Rights Online - So, 2017-03-18 21:34
"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said... "I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

Read more of this story at Slashdot.

Could We Eliminate Spam With DMARC?

Slashdot - Your Rights Online - So, 2017-03-18 18:34
An anonymous reader writes: "The spam problem would not only be significantly reduced, it'd probably almost go away," argues Paul Edmunds, the head of technology from the cybercrimes division of the U.K.'s National Crime Agency -- suggesting that more businesses should be using DMARC, an email validation system that uses both the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). "Edmunds argued, if DMARC was rolled out everywhere in order to verify if messages come from legitimate domains, it would be a major blow to spam distributors and take a big step towards protecting organizations from this type of crime..." reports ZDNet. "However, according to a recent survey by the Global Cyber Alliance, DMARC isn't widely used and only 15% of cybersecurity vendors themselves are using DMARC to prevent email spoofing. Earlier this month America's FTC also reported that 86% of major online businesses used SPF to help ISPs authenticate their emails -- but fewer than 10% have implemented DMARC.

Read more of this story at Slashdot.

US Lawmakers Propose Minimum Seat Sizes For Airlines

Slashdot - Your Rights Online - So, 2017-03-18 15:34
The size of each passenger's seat on an airplane -- as well as the distance between rows of seats -- should be standardized, according to legislation proposed by two American lawmakers. Slashdot reader AmiMoJo quotes Consumerist: The text of the bill does not specify any dimensions for seat widths or legroom. Rather, if the legislation is passed, the particulars would be left up to the FAA to sort out... Though seat size may vary from airline to airline, Cohen notes that the average distance between rows of seats has dropped from 35 inches before airline deregulation in the 1970s, to around 31 inches today. Your backside is getting the squeeze, as well, as the average width of an airline seat has also shrunk from 18 inches to about 16.5 inches.

Read more of this story at Slashdot.

Windows 10 UAC Bypass Uses Backup and Restore Utility

Slashdot - Your Rights Online - So, 2017-03-18 04:05
An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't known where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility

Read more of this story at Slashdot.

Judge Grants Search Warrant For Everyone Who Searched a Crime Victim's Name On Google

Slashdot - Your Rights Online - So, 2017-03-18 00:40
Hennepin County District Judge Gary Larson has issued a search warrant to Edina, Minnesota police to collect information on people who searched for variations of a crime victim's name on Google from Dec. 1 through Jan. 7. Google would be required to provide Edina police with basic contact information for people targeted by the warrant, as well as Social Security numbers, account and payment information, and IP and MAC addresses. StarTribune reports: Information on the warrant first emerged through a blog post by public records researcher Tony Webster. Edina police declined to comment Thursday on the warrant, saying it is part of an ongoing investigation. Detective David Lindman outlined the case in his application for the search warrant: In early January, two account holders with SPIRE Credit Union reported to police that $28,500 had been stolen from a line of credit associated with one of their accounts, according to court documents. Edina investigators learned that the suspect or suspects provided the credit union with the account holder's name, date of birth and Social Security number. In addition, the suspect faxed a forged U.S. passport with a photo of someone who looked like the account holder but wasn't. Investigators ran an image search of the account holder's name on Google and found the photo used on the forged passport. Other search engines did not turn up the photo. According to the warrant application, Lindman said he had reason to believe the suspect used Google to find a picture of the person they believed to be the account holder. Larson signed off on the search warrant on Feb. 1. According to court documents, Lindman served it about 20 minutes later.

Read more of this story at Slashdot.