Wednesday, November 29, 2006


News Item 7740 EFF Fights to Shield Email from Secret Government Searches.

Email Deserves Same Constitutional Protections as Phone Calls, Postal Mail

San Francisco - The government must have a search warrant before it can search and seize emails stored by email service providers, according to a friend-of-the-court brief filed last week by the Electronic Frontier Foundation (EFF) and a coalition of civil liberty groups. EFF filed the brief in support of a landmark district court decision finding that the federal Stored Communications Act (SCA) violates the Fourth Amendment by allowing secret, warrantless searches and seizures of email stored with a third party.

EFF's amicus brief was filed in Warshak vs. United States, a case brought in the Southern District of Ohio federal court by Steven Warshak to stop the government's repeated secret searches and seizures of his stored email using the SCA. The district court ruled that the government cannot use the SCA to obtain stored email without a warrant or prior notice to the email account holder. The government, which has routinely used the SCA over the past 20 years to secretly obtain stored email without a warrant, appealed the decision to the 6th U.S. Circuit Court of Appeals. That court is now primed to be the first circuit court ever to decide whether email users have a "reasonable expectation of privacy" in their stored email.

"Email users clearly expect that their inboxes are private, but the government argues the Fourth Amendment doesn't protect emails at all when they are stored with an ISP or a webmail provider like Hotmail or Gmail," said EFF Staff Attorney Kevin Bankston. "EFF disagrees. We think that the Fourth Amendment applies online just as strongly as it does offline, and that your email should be as safe against government intrusion as your phone calls, postal mail, or the private papers you keep in your home."

The EFF brief was also signed by the American Civil Liberties Union, the ACLU of Ohio, and the Center for Democracy and Technology.

For the full amicus brief:
http://eff.org/legal/cases/warshack_v_usa/warshack_amicus.pdf

Contact:

Kevin Bankston
Staff Attorney
Electronic Frontier Foundation
bankston@eff.org

[EFF: Breaking News]
4:25:42 PM

News Item 7739 Groups Urge Court to Give E-mail Full Constitutional Protection.

Last week, CDT and the ACLU joined a friend-of-the-court brief written by the Electronic Frontier Foundation, urging a federal appeals court to extend to e-mail the same constitutional protection accorded to telephone calls and regular mail. Remarkably, the constitutional status of e-mail has never been decided, and the Justice Department claims that opened e-mail and older stored e-mail can be obtained from service providers without a court order and without notice to the e-mail user. In the case, Warshak v. U.S., a lower federal court ruled that government agents could not force disclosure of email from a service provider unless they provided the relevant subscriber notice and an opportunity to object. [Center for Democracy and Technology]
4:23:25 PM

News Item 7738 Justice Official Opens Spying Inquiry - New York Times

After months of pressure from Congressional Democrats, the Justice Department's inspector general said Monday that his office had opened a full review into the department's role in President Bush's domestic eavesdropping program and the legal requirements governing the program.

Democrats said they saw the investigation as a welcome step that could answer questions about the operations and legal underpinnings of the program, which allows the National Security Agency to monitor, without obtaining court warrants, the international communications of Americans and others inside this country with suspected terrorist ties.

"This is a long overdue investigation of a highly controversial program," said Representative John Conyers Jr., the Michigan Democrat who will take over as chairman of the House Judiciary Committee.
4:16:32 PM

News Item 7737 EFF Accepts Barney's Surrender.

Purple Dinosaur Backs Off and Pays Up; Free Speech Rights Preserved

San Francisco - The corporate owners of the popular children's television character Barney the Purple Dinosaur have agreed to withdraw their baseless legal threats against a website publisher who parodied the character and to compensate him for fees expended in defending himself.

The agreement settles a suit filed by the Electronic Frontier Foundation (EFF) in August on behalf of Dr. Stuart Frankel against Lyons Partnership, owners of the Barney character. Frankel received repeated, meritless cease-and-desist letters from Lyons, claiming his online parody violated copyright and trademark law. EFF's suit asked the court to declare that Frankel's parody was a noninfringing fair use protected by the First Amendment.

"We wish we hadn't had to file a lawsuit to finally get Barney's lawyers to stop harassing a man who was just expressing his opinion about a cultural phenomenon," said EFF Staff Attorney Corynne McSherry. "Hopefully Lyons Partnership has learned its lesson and will have more respect for fair use in the future."

This settlement is the latest development in EFF's ongoing campaign to protect online free speech from the chilling effects of bogus copyright claims. Earlier this month, EFF filed suit against Michael Crook -- a man who claimed copyright infringement in an effort to censor his online critics.

"Those who misuse copyright should know that they can be sued for doing so," said McSherry. "This settlement should send a message to those who want to use copyright law as a pretext for censorship."

EFF was assisted in this case by Elizabeth Rader, James d'Auguste, and Brian Carney, attorneys with the firm of Akin, Gump, Strauss, Hauer & Feld LLP, which is defending Dr. Frankel's free speech rights on a pro bono basis.

For the original complaint:
http://www.eff.org/legal/cases/barney/frankel_v_lyons_complaint.pdf

For more on Barney's copyright abuses:
http://www.eff.org/legal/cases/barney/

Contacts:

Corynne McSherry
Staff Attorney
Electronic Frontier Foundation
corynne@eff.org

Fred von Lohmann
Senior Intellectual Property Attorney
Electronic Frontier Foundation
fred@eff.org

[EFF: Breaking News]
4:07:06 PM

News Item 7736 YouTube and Shifting Norms of Public/Private.

The theory of "privacy as contextual integrity" provides the tools for considering how the introduction of new technologies/practices within a particular context might disrupt norms of information flow, potentially threatening values of privacy, autonomy, or liberty. It is especially useful when considering subtle shifts in information flows that flirt with the boundaries between public & private spheres, such as driving along the highway, having your photo taken in public, or providing information on social network sites such as Facebook.

Another important sphere to consider within the framework of contextual integrity is the explosion of online video sharing sites such as YouTube. Michael Geist starts the conversation in this BBC essay on how private lives are increasingly exposed on net video sites, which concludes with concern about how the spread of these sites might affect our expectations of privacy:

As technology continues to evolve, it is unlikely that such measures will prove successful. With built-in video cameras on laptop computers, portable devices and cell phones, and widespread internet access, the clip culture is rapidly morphing from bits of favourite television shows to videos of our friends, neighbours, and even ourselves.

Rather than banning the technology, we must instead begin to grapple with the implications of these changes by considering the boundaries between transparency and privacy. As our expectations of the availability of video changes, so too must our sense of the video rules of the road.

There is important work to be done in this area...after the dissertation.

[via Pogo Was Right]

[michaelzimmer.org]
4:04:25 PM

News Item 7735 Google Now Gets Purchasing Data, Too.

With their recent push to get the citizens of Planet Google to start using Google Checkout, Google's growing infrastructure of dataveillance now includes purchasing data. From Google Checkout's privacy policy:

  • Registration information - When you sign up for Google Checkout, we ask for your personal information so that we can provide you with the service. The information we require to register for the service includes your name, credit or debit card number, card expiration date, card verification number (CVN), address, phone number, and email address. For sellers, we also require you to provide your bank account number, and in some situations, your personal address, your business category, your taxpayer identification number or social security number, and certain information about your sales or transaction volume. This information allows us to process payments and protect users from fraud. In some cases, we may also ask you to send us additional information or to answer additional questions to help verify your information. The information we collect is stored in association with your Google Account.
  • Information obtained from third parties - In order to protect you from fraud or other misconduct, we may obtain information about you from third parties to verify the information you provide. For example, we may use card authorization and fraud screening services to verify that your credit or debit card information and address match the information that you provided to us. Also, for sellers, we may obtain information about you and your business from a credit bureau or a business information service such as Dun & Bradstreet.
  • Transaction information - When you use Google Checkout to conduct a transaction, we collect information about each transaction, including the transaction amount, a description provided by the seller of the goods or services being purchased, the names of the seller and buyer, and the type of payment used.

John Battelle has much more.

[michaelzimmer.org]
3:44:49 PM

News Item 7734 Google Earth Boosts Social Activism in Bahrain.

A student (thanks, Gui!) pointed me to this Financial Times story about how Google Earth is fueling the push towards a more egalitarian society now that poorer citizens can spy on the massive and extravagant properties of the wealthier class:

The site allows internet users to view satellite images of the world in varying degrees of detail. When Google updated its images of Bahrain to higher definition, cyber-activists seized on the view it gave of estates and private islands belonging to the ruling al-Khalifa family to highlight the inequity of land distribution in the tiny Gulf kingdom.

...activists claim that 80 per cent of the island has been carved up between royals and other private landlords, while much of the rest of the population faces an acute housing shortage.

..."Some of the palaces take up more space than three or four villages nearby and block access to the sea for fishermen. People knew this already. But they never saw it. All they saw were the surrounding walls," said Mr Yousif, who is seen in Bahrain as the grandfather of its blogging community.

He and other activists believe creative use of the internet – connectivity in Bahrain is among the highest in the Arab world – is forcing the country to confront awkward realities and will speed the march towards a more egalitarian society.

In reaction, the ruling Bahrainian government has attempted to block access to Google Earth, but activists (as they usually do) have found a work-around:

...most subscribers in Bahrain have downloaded free software – partly thanks to technical advice on his own site – enabling them to mask their location and access censored sites. Echoing that, Najeel Rajab, the director of the banned Bahrain Centre for Human Rights, says since his organisation's site was blocked two weeks ago the number of visitors has trebled.

And even those with slower connections have found ways to participate:

For those with insufficient bandwidth to access Google Earth, a PDF file with dozens of downloaded images of royal estates has been circulated anonymously by e-mail. Mr Yousif, among others, initially encouraged web users to post images on photo-sharing websites.

More at Boing Boing and Ogle Earth.

[michaelzimmer.org]
3:17:21 PM

News Item 7733 Audio captchas when visual images are unusable

From time to time, our own T.V. Raman shares his tips on how to use Google from his perspective as a technologist who cannot see -- tips that sighted people, among others, may also find useful. - Ed.

Wikipedia defines 'captcha' as an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart" -- a word which is trademarked by Carnegie Mellon University. Most web users think of captchas as those hard to read distorted letters or images that one often is confronted by when websites attempt to verify that they're indeed talking to a live human. Google Accounts support captchas. Of course, bloggers (no matter which platform they use) can also use them to prevent comment spam.

Captchas were never intended to be purely visual -- however, most initial implementations used fuzzy images, and in attempting to lock out automated agents also inadvertently locked out people unable to see the image. As an alternative to these, this past spring Google Services that require verification began to provide an audio alternative -- people have the option of listening to a sequence of spoken digits that they then type into a form field to verify to the web application that there is indeed a live human at the other end.

To keep the audio captcha as challenging as the visual captcha when confronted by automated agents, we add some distortion to the spoken digits, and we're still experimenting with different distortion techniques to ease the burden on the genuine human user while locking out automated agents. We welcome feedback on the effectiveness of these techniques from you (we automatically collect feedback from those evil automated agents pretending to be human) :-).

You can easily spot the availability of audio captchas by the presence of the well-recognized "wheelchair" icon for accessibility --- the image is tagged with appropriate alt text to help blind users. Incidentally you don't have to be visually impaired to use the audio captcha; if you are in a situation where you find it hard to view the visual captcha -- either because you're at a non-graphical display, or because the specific visual challenge we offered you turned out to be unusable in a given situation, feel free to give the audio captcha a try. We've worked hard to ensure that the audio captchas work on different hardware/software combinations, and you do not need any special hardware (or software) other than a sound card to be able to use them. - A Googler [Official Google Blog]
3:15:21 PM

News Item 7732 Web browsing behind closed doors.

Psiphon bypasses government censors

Canadian developers will next month release a tool to bypass government-enforced restrictions on web browsing in countries like China, Syria and Iran.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
3:13:23 PM

News Item 7731 Boarding Pass Hacker Breaks Silence.

Chris Soghoian, the Indiana University doctoral student whose online demonstration of serious flaws in airport security prompted an FBI investigation, broke his silence this week after the government terminated its investigation into the matter.

Soghoian had refused to talk to the media ever since the FBI visited his home in Bloomington, Ind., on Oct. 27 and carted away computers and other equipment. The federal action came in response to Soghoian's decision to post a tool on his Web site that would allow someone to print a fake boarding pass that could be used to evade the "no-fly" list -- a key government tool in keeping suspected terrorists off of airplanes.

In an interview with Security Fix on Saturday, Soghoian said he was ready to set the record straight now that the FBI had ended its investigation and the local U.S. attorney had declined to press charges. A spokesperson for the FBI's Indianapolis field office confirmed that the investigation was closed on Nov. 14.

Soghoian's boarding pass generator highlighted a loophole in the Transportation Security Administration's policy for screening passengers against the no-fly list. The problem is that boarding passes are compared to a person's ID only at initial airport security checkpoints, not at the gates where passengers board planes. And the boarding passes are scanned and verified only at departure gates, not security checkpoints.

In discussing the tool that he created, Soghoian said that even if the TSA plugged the security loophole -- by requiring ticket readers at the initial terminal security checkpoint and integrating the no-fly list with every airline's computer systems -- the current legal status of the TSA's policy allows anyone to refuse to show ID at check-in if they consent to additional screening.

"Everyone focused on this issue of fake boarding passes, but no one touched on the issue of a person [telling airline security screeners] that they don't have any ID on them," Soghoian said.

To help put Soghoian's point in perspective, consider the case of John Gilmore, co-founder of the Electronic Frontier Foundation. In 2002, Gilmore refused to show his ID while checking in for a cross-country flight. He was told he could fly if he agreed to a "secondary screening," which he also refused. Gilmore said he was told that there were security directives that mandated the showing of ID, but that he was not allowed to view said rules.

Gilmore later sued the government to gain access to the rules. The case wound its way up to the 9th Circuit Court of Appeals, which privately viewed the rules and decided that airline passengers could either present identification OR opt to be subjected to a more extensive search.

[Security Fix]
3:11:29 PM

News Item 7730 With Fans Like These....

Achieving celebrity in the Internet age can be fraught with complications and, sometimes, lead to some downright creepy situations. First, there were the hackers who gained access to Hollywood socialite Paris Hilton's cell phone and voice mail messages in 2005, an exploit that led to the online posting of nude photos of the hotel heiress. Now comes news that an apparently obsessed fan of the rock band Linkin Park is accused of hacking into Verizon's computer system to obtain private information and records of the group's lead singer and his family.

According to documents posted online at FindLaw, 27-year-old Albuquerque resident Devon Townsend has admitted using her employer's computer -- a machine assigned to the Department of Energy on a U.S. Air Force base in New Mexico -- to hack into Verizon's network and obtain private records on Chester Bennington and his wife Talinda. The government also alleges that Townsend used the access to compromise the Benningtons' PayPal account and to steal photographs of the couple and their children. According to court documents, the Benningtons were tipped off to the compromise when they discovered that their Verizon and PayPal account passwords had been changed to "Who is doing this to you?"

In addition, Townsend is accused of making telephone threats against the Bennington family and of selling bootlegged and pirated copies of Linkin Park recordings.

The government executed a search warrant on Townsend's residence in mid-November, where they found "posters of Linkin Park members, signed Linkin Park memorabilia, pictures of Townsend taken with Chester Bennington, bootlegged music and video DVDs, concert schedules, copies of messages from Talinda and Chester's e-mail accounts, intercepted photographs from Talinda and Chester's e-mail accounts, and other items." After being confronted with the evidence against her, Townsend confessed to the whole ordeal, according to government documents.

Findlaw has 18 pages of more delicious details from this case in a filing here.

[Security Fix]
3:09:15 PM

News Item 7729 Apple Patches 31 Security Holes.

Apple Computer today released software updates to fix at least 31 separate security flaws in computers powered by different versions of its Mac OS X operating systems. Users can download the free updates using OS X's Software Update feature, or directly from Apple Downloads.

The first update listed in Apple's advisory addresses a problem with the built-in wireless cards on certain Mac systems that researcher HD Moore detailed earlier this month and which can be exploited by attackers to install malicious software. Apple said the vulnerability is present in eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card; systems with the AirPort Extreme card are not affected.

Other fixes released today mend easily exploitable conditions, such as bugs that attackers could use to install malicious code just by convincing the user to visit a specially crafted site or font files. Among the many other updates included in this bundle are fixes for ClamAV (an antivirus program) for Mac OS X Server, as well as those to mend a slew of problems with the OS X utility used to unzip compressed files.

[Security Fix]
3:05:27 PM