Saturday, March 16, 2013

For those of you who missed the Privacy Foundation seminar just because we here in Colorado were enjoying 75 degree weather, shame on you. When we bring really interesting people from a variety of backgrounds together and drop them in a room with 60 or 70 curious lawyers, it makes for some memorable (and not always heated) discussions.

Just a taste of the topics we discussed... (The author of this article could have been at the seminar)
Everyone with an Android device should know that your private information isn’t treated as private. For example, making an app purchase may expose personal contact information, including one’s name, physical address and email address, to developers. Another major debacle occurred when Path Inc. began lifting contact information from its users’ phones. In response to these privacy breaches, some legislators announced plans for legal action: California’s Attorney General, Kamala Harris, recently announced an agreement with major technology firms to improve user privacy standards, particularly on handsets.
However, at present, few users know of the potential security and privacy concerns. Few even know the difference between Android and iOS’s security measures. For example, the Android operating system’s security differs from the iPhone OS in one major regard: Apple exercises very strict quality control guidelines for apps, whereas Android permits a broader range of software. Android apps request “permission” from users to access your sensitive data. Unfortunately, Google doesn’t fully explain the potential security risks that some permissions present to users. What we don’t know can hurt us, particularly when we install apps from the dark nether-regions of the internet.
This article explains how seven potentially deadly app permissions might hurt you and how best to avoid such calamitous installations.


An article for my Ethical Hackers and my Statistics students. Road trip, anyone?
Crooks Spy on Casino Card Games With Hacked Security Cameras, Win $33M
A high-roller and hacker accomplices made off with about $33 million after they gamed a casino in Australia by hacking its surveillance cameras and gaining an advantage in several rounds of high-stakes card games.
The Ocean’s Eleven-style heist played out over eight hands of cards before the gambler was caught, though not before the money was gone, according to the Herald Sun.
… According to authorities, accomplices gained remote access to the casino’s state-of-the-art, high-resolution cameras to spy on card hands being played by the house and other guests in the casino’s VIP high-roller’s room, and fed the gambler signals based on the cards his opponents held.
The gambler was still staying in the villa when the casino discovered the fraud and sent security to his abode to boot him from the premises during the night. He’s banned from ever returning. [But not arrested? Lack of evidence? Bob]
U.S. gambling expert Barron Stringfellow told ABC Melbourne that accessing a casino’s internal video monitoring system is “not as hard as you would think.”
“It’s very easy to intercept a signal from many casinos that don’t take precautions,” he said.


Maybe you can't trust Doctors...
"At a Brazilian hospital, doctors were required to check in with a fingerprint scanner to show that they've showed up for work. Naturally, they developed a system to bypass this requirement, creating fake fingers so that they could cover for one another when they took unauthorized time off. Another good example of how supposedly foolproof security tech can in fact be fooled pretty easily."


A wise law professor once said that California law leads the way, even if we didn't know we were moving in that direction...
This almost calls for animated graphics with fireworks. All right, nothing really calls for animated graphics, but this is HUGE. Kim Zetter reports:
Ultra-secret national security letters that come with a gag order on the recipient are an unconstitutional impingement on free speech, a federal judge in California ruled Friday.
U.S. District Judge Susan Illston ordered the government to stop issuing so-called NSLs across the board, in a stunning defeat for the Obama administration’s surveillance practice. However, she also stayed her order for 90 days to give the government a chance to appeal to the Ninth Circuit Court of Appeals.
Read her excellent reporting on Threat Level.

(Related) Another judge finds government arguments absurd. (I picked the article with the best “quotes”)
Federal court rejects CIA's denial of drone strikes as 'fiction'
WASHINGTON—A federal appeals court said Friday that it will no longer accept the “fiction” from the Obama administration’s lawyers that the CIA has no interest or documents that describe drone strikes.
“It is neither logical nor plausible for the CIA to maintain that it would reveal anything not already in the public domain to say the Agency at least has an intelligence interest in such strikes,” said Chief Judge Merrick Garland. “The defendant is, after all, the Central Intelligence Agency.”
The decision gave a partial victory to the American Civil Liberties Union in a Freedom of Information Act lawsuit that seeks documents on the government’s still-secret policy on drone strikes. The three judges did not say any particular documents must be released, but they rejected the administration’s position that it could simply refuse to “confirm or deny” that it had any such documents.
A federal judge had rejected the ACLU’s suit entirely, but the three-judge appeals court revived the suit. The agency’s non-response does not pass the “straight face” test, Garland concluded.
He cited public statements from President Obama, new CIA Director John Brennan and former Defense Secretary Leon Panetta that discussed the use of drone strikes abroad. In the past, the courts have sometimes allowed government agencies in sensitive cases to refuse to say whether they have certain documents in their files.
“In this case, the CIA has asked the courts to stretch that doctrine too far — to give their imprimatur to a fiction of deniability that no reasonable person would regard as plausible,” Garland wrote in ACLU vs. CIA.
ACLU attorney Jameel Jaffer called the decision a victory. “It requires the government to retire the absurd claim that the CIA’s interest in targeted killing is a secret,” he said. “It also means that the CIA will have to explain what records it is withholding and on what grounds it is withholding them.
“We hope that this ruling will encourage the Obama administration to fundamentally reconsider the secrecy surrounding the drones program,” said Jaffer, a deputy legal director for the ACLU.

(Related)
U.N. Drone Inquisitor Says It’s Time to End Robot War in Pakistan
After days of meeting with Pakistani officials, the United Nations official investigating Washington’s global campaign of drone strikes attacked the legal and strategic basis for the robotic war in its biggest battlefield. And he raised doubts over whether Americans operating the drones can actually distinguish terrorists from average Pakistanis.


I can see that I have some reading to do. Fortunately, it's finals week and I get a couple of weeks off after that.
We should call it “Collected Speech”
Is Data Speech?
Jane Bambauer, University of Arizona – James E. Rogers College of Law. March 11, 2013.
Stanford Law Review, Forthcoming. Arizona Legal Studies Discussion Paper No. 13-19.
Abstract:
Privacy laws rely on the unexamined assumption that the collection of data is not speech. That assumption is incorrect. Privacy scholars, recognizing an imminent clash between this long-held assumption and First Amendment protections of information, argue that data is different from the sort of speech the Constitution intended to protect. But they fail to articulate a meaningful distinction between data and other, more traditional forms of expression. Meanwhile, First Amendment scholars have not paid sufficient attention to new technologies that automatically capture data. These technologies reopen challenging questions about what “speech” is.
This Article makes two bold and overdue contributions to the First Amendment literature. First, it argues that when the scope of First Amendment coverage is ambiguous, courts should analyze the government’s motive for regulating. Second, it highlights and strengthens the strands of First Amendment theory that protect the right to create knowledge. Whenever the state regulates in order to interfere with knowledge, that regulation should draw First Amendment scrutiny.
In combination, these theories show clearly why data must receive First Amendment protection. When the collection or distribution of data troubles lawmakers, it does so because data has the potential to inform, and to inspire new opinions. Data privacy laws regulate minds, not technology. Thus, for all practical purposes, and in every context relevant to the privacy debates, data is speech.
You can download the full article from SSRN.


Do we have anything similar in the US? Perhaps someone could translate it?
Christopher Parsons writes:
Last year I was invited to submit a brief to the Canadian Parliament’s Access to Information, Privacy and Ethics Committee. For my submission (.pdf), I tried to capture some of the preliminary research findings that have been derived from the social media and surveillance project I’m co-investigating with Colin Bennett. Specifically, the brief focuses on questions of jurisdiction, data retention, and data disclosure in the context of social media use in Canada. The ultimate aim of the submission was to give the committee members insight into the problems that Canadians experience when accessing the records held by social networking companies.

(Related) Apparently the Brief (above) grew a bit...
Real and Substantial Connections: Enforcing Canadian Privacy Laws Against American Social Networking Companies
Colin Bennett, University of Victoria; Christopher A. Parsons, University of Victoria – Political Science; Adam Molnar, University of Victoria, Department of Political Science. February 28, 2013.
Abstract:
Any organization that captures personal data in Canada for processing is deemed to have a “real and substantial connection” to Canada and fall within the jurisdiction of the Personal Information Protection and Electronic Documents Act (PIPEDA) and of the Office of the Privacy Commissioner of Canada. What has been the experience of enforcing Canadian privacy protection law on US-based social networking services? We analyze some of the high-profile enforcement actions by the Privacy Commissioner. We also test compliance through an analysis of the privacy policies of the top 23 SNSs operating in Canada with the use of access to personal information requests. Most of these companies have failed to implement some of the most elementary requirements of data protection law. We conclude that an institutionalization of non-compliance is widespread, explained by the countervailing conceptions of jurisdiction inherent in corporate policy and technical system design.
You can download the full article from SSRN.

(Related) even more thinking!
Forgetting, Non-Forgetting and Quasi-Forgetting in Social Networking: Canadian Policy and Corporate Practice
Colin Bennett, University of Victoria; Adam Molnar, University of Victoria, Department of Political Science; Christopher A. Parsons, University of Victoria – Political Science. January 28, 2013.
Abstract:
In this paper we analyze some of the practical realities around deleting personal data on social networks with respect to the Canadian regime of privacy protection. We first discuss the extent to which Canadian privacy law imposes access, deletion, and retention requirements on data brokers. After this discussion we turn to corporate organizational practices. Our analyses of social networking sites’ privacy policies reveal how poorly companies recognize the right to have one’s personal information deleted in their existing privacy commitments and practices. Next, we turn to Law Enforcement Authorities (LEAs) and how their practices challenge the deletion requirements because of LEAs’ own capture, processing, and retention of social networking information. We conclude by identifying lessons from the Canadian experience and raising them against the intense transatlantic struggle over the scope of the deletion of data stored in cloud-based computing infrastructures.
You can download the full article from SSRN.


And one from south of the (Canadian) border...
March 15, 2013
Much Ado about Mosaics: How Original Principles Apply to Evolving Technology in United States v. Jones
Much Ado about Mosaics: How Original Principles Apply to Evolving Technology in United States v. Jones, by Priscilla J. Smith. Yale University - Information Society Project. March 14, 2013. North Carolina Journal of Law and Technology, Vol. 14, 2013 Yale Law School, Public Law Working Paper
  • "This paper argues that supporters and detractors of the concurring opinions in United States v. Jones have overemphasized the role of the “mosaic” or “aggregation” theory in the concurrences. This has led to a misreading of those opinions, an overly narrow view of the Justices’ privacy concerns, and has obscured two limiting principles that are vital to their analysis. This paper provides a path forward by revealing the analysis of reasonable expectation of privacy concerns that is common to both concurrences. The endpoint is a rule both more limited and broader than a simple application of a “mosaic theory.” It is more limited in the sense that the rule applies only to surveillance using technology that operates outside of individual human control and is thus susceptible to overuse and abuse. It is broader in the sense that it finds surveillance intrusive not just where the technology will collect a mosaic of information that reveals more than each one tile of information itself, but where the technology will chill expression of constitutionally protected behavior, behavior that can take place “in public,” with other people, but is shared with a limited group."


Just because I don't think doing away with telecommuters will always solve your problems.
How WordPress Thrives with a 100% Remote Workforce


Always amusing...
… Legislation was introduced in the California Senate this week that, if passed, could drastically reshape public higher education as we know it. SB520, authored by President Pro Tem Darrell Steinberg, will require the state’s public colleges and universities to accept credit for certain online classes if a student is unable to get into the class on-campus. The state will identify some 50 introductory classes, available from any online provider, including unaccredited ones. While the proposal is being hailed in some quarters as making higher education more accessible, it’s hard not to see this being a dangerous spiral, where for-profit providers (Straighterline, Coursera, Udacity, etc etc etc etc) lobby the state legislature to limit higher education funding. See e-Literate for the most complete coverage on the bill.
