Violations

FTC Takes Aim at "Stalker Spyware" Company

FTC Takes Aim at "Stalker Spyware" Company: Via Center for Democracy and Technology

Acting on a request from the Federal Trade Commission, a U.S. District Court has temporarily halted the sale of "stalker spyware," pending a decision on whether these products engage in unfair and deceptive practices by enabling and encouraging privacy invasion. Keylogger programs are often sold as "stalker spyware" and describe in detail how to spy on others without being detected, according to the FTC complaint. CDT applauds the hard work of the Electronic Privacy Information Center, which first brought a petition to the FTC to stop these deceptive, privacy invasive technologies.

FTC Notice on Court Action November 17, 2008 [off-site]


Net Spying Firm and ISPs Sued Over Ad System

Net Spying Firm and ISPs Sued Over Ad System: Via Threat Level

Net eavesdropping firm NebuAd and its partner ISPs violated hacking and wiretapping laws when they tested advertising technology that spied on ISP customers' web searches and surfing, according to a lawsuit filed in federal court Monday.

The lawsuit seeks damages on behalf of thousands of subscribers to the five ISPs that are known to have worked with NebuAd. If successful, the suit could be the final blow to the company, which abandoned its eavesdropping plans this summer after powerful lawmakers began asking if the companies and ISPs violated federal privacy law by monitoring customers to deliver targeted ads.

NebuAd paid ISPs to let it install internet monitoring machines inside their network. Those boxes eavesdropped on users' online habits -- and altered the traffic going to users in order to track them better. That data was then used to profile users in order to deliver targeted ads on other websites.

For instance, if NebuAd noted that someone had repeatedly searched for information about smart phones, it would serve a targeted ad for iPhones the next time you went to a webpage NebuAd sold advertising on. Having that breadth of info on a user, which would be far deeper than any other online ad firm, the company would be able to charge advertisers a steep premium.

The suit alleges the ISPs and NebuAd both violated anti-wiretapping statutes by capturing users' online communications without giving adequate notice or getting consent.

EFF's "Yellow Dots of Mystery" on Instructables

EFF's "Yellow Dots of Mystery" on Instructables - Via EFF.org Updates:

Since late 2004, EFF has been warning the public about "printer dots" -- tiny yellow dots that appear on documents produced by many color laser printers and copiers. These yellow dots form a coded pattern on every page the printer produces and can be used to identify specific details about a document; for example, the brand, model, and serial number of the device that printed it and when it was printed. In short, the printer dots are a surveillance tool that can link each printed page to the printer that printed it.

To help individuals learn more about printer dots and how to find them, EFF posted a video and tutorial to Instructables, titled, "Yellow Dots of Mystery: Is Your Printer Spying on You?".

What Your Mailman Knows (Part 1 of 2)

What Your Mailman Knows (Part 1 of 2) - Via Freedom to Tinker:

A few days ago, National Public Radio (NPR) tried to offer some lighter fare to break up the death march of gloomier stories about economic calamity. You can listen to the story online. The story's reporter, Chana Joffe-Walt, followed a mail carrier named Andrea on her route around the streets of Seattle. The premise of the story is that Andrea can measure economic suffering along her mail route--and therefore in that mythical place, "Main Street"--by keeping tabs on the type of mail she delivered. I have two technology policy thoughts about this story, but because I have a lot to say, I will break this into two posts. In this post, I will share some general thoughts about privacy, and in the next post, I will tie this story to NebuAd and Phorm.

I was troubled by Andrea's and Joffe-Walt's cavalier approaches to privacy. In the course of the five minute story, Andrea reveals a lot of private, personal information about the people on her route. Only once does Joffe-Walt even hint at the creepiness of peering into people's private lives in this way, embracing a form of McNealy's "you have no privacy, get over it" declaration.

The trouble with 'deep packet inspection'

The trouble with 'deep packet inspection' - Via The Red Tape Chronicles - MSNBC.com :

Deep down, most Net users realize that everything they do online can be watched and tracked. Most, however, forget this on a day-to-day basis. That's why a new technology called deep packet inspection is potentially very disturbing.

The data is already dismal when it comes to people peeking at your Internet travels. Twenty percent of U.S. companies hire employees specifically to snoop at employee e-mail and 41 percent perform some kind of e-mail monitoring, according to a survey published earlier this year by Proofpoint. Two-thirds of companies monitor Web surfing, and 12 percent even monitor outside blog activity. Even if your company doesn't watch you as a matter of policy, employees might be sneaking a peek anyway. In a survey published in June by security firm Cyber-Ark, one-third of IT workers confessed to abusing their administrative passwords to read colleagues’ e-mail and compare salaries, and the like.

Still, people at work often realize their time is not their own, and their expectation of privacy -- at least under U.S. law -- is low. But now, a technology called deep packet inspection offers a similar kind of monitoring capabilities that can be used on all Internet users -- at home, at work, even when using mobile devices.

ISPs pressed to become child porn cops checking every file passing through an Internet provider's network

ISPs pressed to become child porn cops - Via Security- msnbc.com :

New law, new monitoring technology raise concerns about privacy

New technologies and changes in U.S. law are adding to pressures to turn Internet service providers into cops examining all Internet traffic for child pornography.

One new tool, being marketed in the U.S. by an Australian company, offers to check every file passing through an Internet provider's network — every image, every movie, every document attached to an e-mail or found in a Web search — to see if it matches a list of illegal images.

The company caught the attention of New York's attorney general, who has been pressing Internet companies to block child porn. He forwarded the proposal to one of those companies, AOL, for discussion by an industry task force that is looking for ways to fight child porn. A copy of the company's proposal was also obtained by msnbc.com.

Privacy advocates are raising objections to such tools, saying that monitoring all traffic would be an unconstitutional invasion. They say companies can't start watching every customer's activity, and blocking files thought to be illegal, even when the goal is as noble as protecting children.

EFF Challenges Constitutionality of Telecom Immunity in Federal Court

EFF Challenges Constitutionality of Telecom Immunity in Federal Court - Via EFF.org Updates:

San Francisco - The Electronic Frontier Foundation (EFF) Thursday challenged the constitutionality of a law aimed at granting retroactive immunity to telecommunications companies that participated in the president's illegal domestic wiretapping program.

In a brief filed in the U.S. District Court in San Francisco, EFF argues that the flawed FISA Amendments Act (FAA) violates the federal government's separation of powers as established in the Constitution and robs innocent telecom customers of their rights without due process of law. Signed into law earlier this year, the FAA allows for the dismissal of the lawsuits over the telecoms' participation in the warrantless surveillance program if the government secretly certifies to the court that either the surveillance did not occur, was legal, or was authorized by the president. Attorney General Michael Mukasey filed that classified certification with the court last month.

Lessons from the Fall of NebuAd

Lessons from the Fall of NebuAd - Via Freedom to Tinker:

With three Congressional hearings held within the past four months, U.S. legislators have expressed increased concern about the handling of private online information. As Paul Ohm mentioned yesterday, the recent scrutiny has focused mainly on the ability of ISPs to intercept and analyze the online traffic of its users-- in a word, surveillance. One of the goals of surveillance for ISPs is to yield new sources of revenue; so when a Silicon Valley startup called NebuAd approached ISPs last spring with its behavioral advertising technology, many were quick to sign on. But by summer's end, the company had lost all of its ISP partners, their CEO had resigned, and they announced their intention to pursue "more traditional" advertising channels.

How did this happen and what can we learn from this episode?

Chinese Skype Client Hands Confidential Communications to Eavesdroppers

Chinese Skype Client Hands Confidential Communications to Eavesdroppers - Via EFF.org Updates:

This Wednesday, Information Warfare Monitor published damning evidence showing that TOM-Skype, the version of the voice and chat program distributed in China not only blocks keywords from chat conversations, but also spies on and remotely reports the contents of Skype users' private text conversations. This directly contradicts Skype's previous assurances that "full end-to-end security is preserved and there is no compromise of people’s privacy", even on the customized Chinese client.

This special breached version of Skype, distributed by the Chinese portal company TOM Online, has long been known to block certain contentious phrases from instant message conversations. IWM's Nart Villeneuve's research shows that when these keywords are mentioned in conversations, the client software also sends an encrypted message to one of eight remote servers hosted in China.

Due to poor security on these servers, Villeneuve was able to uncover what was being sent: extensive logs on user activity, including archives of more than 166,000 censored messages from 44,000 users.

Your personal information still for sale on eBay

CALL FOR ACTION INVESTIGATION: Your personal information for sale on eBay - Via PogoWasRight - Privacy News Headlines:

... CALL FOR ACTION discovered the personal information you work hard to protect might be for sale on eBay. We simply typed in "used hard drives" on eBay and within minutes, we bought ten used hard drives. $50 bucks and a couple days later, the hard drives came in the mail.

We took the drives to a computer expert to see what was on them.

.... On one drive he found data for 200 financial transactions that appear to be from US Trust of New York, a company that manages money for wealthy clients.

The largest transaction he found involved just under $2 million dollars.

The records also contain what appears to be names, addresses, account numbers and Social Security numbers.

Another drive appears to come from the grocery store chain Giant of Maryland. It contains more than a thousand pharmacy prescriptions and 25 hundred suspected credit card numbers.

Two other drives we bought contain service calls from Sears. The data contained names, addresses and instructions, like how to get to customers' homes, where they kept spare keys, and more than 750 suspected credit card numbers.

Source - WINK News


ISPs Facing Privacy Scrutiny Likely to Point At Google

ISPs Facing Privacy Scrutiny Likely to Point At Google - Via Threat Level:

Google is not an ISP, but at Thursday’s Senate hearing on privacy and ISPs, expect the search and online advertising giant's name to be the keyword invoked by ISPs wishing to escape the attention of legislators.

ISPs have good reason to want to be forgotten.

Earlier this year, lawmakers all but killed off the idea of letting ISPs watch their customers' web usage in order to serve them targeted ads after Charter Communications retreated from its plan to test such technology and several smaller ISPs admitted to secret tests of such technology from NebuAd.

But ISPs are hungry for new revenue so expect that AT&T, Verizon and Time Warner – three of the nation’s top ISPs – will take the opportunity Thursday in front of the Senate Commerce committee to favorably compare their privacy practices and market reach to Google's.

In fact, don't be surprised if the ISPs suggest that Google is the one that needs some federal rules written for it and that ISPs need to be free to find ways to serve targeted ads to their customers.

If NSA Spying Not A 'Dragnet,' What Were They Doing?

If NSA Spying Not A 'Dragnet,' What Were They Doing? - Via Threat Level:

This was not a driftnet.  This was not dragnet.

The government doesn't and didn't have a massive computer listening into phone calls and emails inside the United States listening for keywords. That technology you've seen in movies like the Bourne Identity -- we don't use that.

That's what the Attorney General Michael Mukasey reiterated to a federal court Saturday, denying the NSA or its telecom partners engaged in "dragnet collection on the contents of millions of communications [...] for the purpose of analyzing those communication through key word searches to obtain information about possible terrorist attacks." (emphasis in original)

And since that did not happen, the dozens of suits filed against companies such as AT&T alleging such a thing should be dismissed, according to Mukasey, who was invoking the telecom immunity provisions passed by Congress in July.

That same bill legalized most of the spying program that was not a dragnet. It also oddly legalized dragnet surveillance of Americans' international communications.

So if there's no Big Brother ear listening for the perfectly wrong word, what was going on?

Well, one might look to the things Mukasey would not deny or perhaps, look closer at the language of the denial (.pdf).

CDT Policy Post: Closer Look at ISP-Ad Network Partnerships

CDT Policy Post: Closer Look at ISP-Ad Network Partnerships - Via Center for Democracy and Technology:

CDT issued a policy post today that takes a closer look at the privacy concerns raised by the ISP-ad network partnership model within the online behavioral advertising field. Behavioral advertising involves the compilation of detailed information about an Internet user’s online activities. That data, when collected, can be turned into detailed consumer profiles including articles read, web sites visited, and items purchased. Today's policy post says the ISP-ad network model may violate federal law if it is deployed without express consent of subscribers. CDT notes that Congress is taking a closer look at the practice and that online consumer privacy law may be introduced to address concerns.


Exclusive: Widespread cell phone location snooping by NSA?

Exclusive: Widespread cell phone location snooping by NSA? - Via Surveillance State - CNET News :

If you thought that the National Security Agency's warrantless wiretapping was limited to AT&T, Verizon and