In a move applauded by privacy advocates, the instant messaging service WhatsApp is introducing end-to-end encryption of messages on Android devices. Messages are encrypted on the sender's handset and decrypted only on the recipient's, so WhatsApp's own servers never see the plaintext and cannot hand it over. It is worth being precise about what that does and does not buy: a government agency can no longer read message content by compelling WhatsApp, but end-to-end encryption does nothing about a compromised handset at either end, and the metadata of who messaged whom, and when, still passes through WhatsApp's servers.
The encryption protocol has been provided by Open Whisper Systems, a collaborative open source project. The integration is still a work in progress, so it does not yet cover group messaging or messages containing videos or photos, but Open Whisper Systems promises to address these gaps in future. Open Whisper Systems announced the news on their blog: "For the past three years, we've been developing a modern, open source, strong encryption protocol for asynchronous messaging systems, designed to make seamless end-to-end encrypted messaging possible.
“Today we’re excited to publicly announce a partnership with WhatsApp, the most popular messaging app in the world, to incorporate the TextSecure protocol into their clients and provide end-to-end encryption for their users by default.”
With Google Glass and Samsung Gear, the new paradigm of wearable devices is upon us. The latest upstart to step up is Everykey, a wristband that acts as a replacement for your passwords. Its makers describe it as using "military-grade encryption" and as a kind of virtual fingerprint, though strictly it is a possession factor rather than a biometric: it proves that the band is present, not who is wearing it. It can be configured to unlock your smartphone, tablet, computer and even home security systems.
The device is customisable and can unlock an unlimited number of devices. It is waterproof with a battery life of about a month. If the device is lost or stolen it can be remotely disabled, with a replacement available at a discounted price with overnight shipping.
At the time of writing Everykey has raised $56,702 of its £100,000 goal with nineteen days to go. The creators hope to ship the device to backers in March 2015.
Most Android users assume that a factory reset erases all the data they have put onto the device. That is not necessarily the case. This is not the first time the factory reset function has been called into question: five months ago we wrote a piece about used-phone vendors selling handsets with recoverable data still on them. The latest details come from Avast, who claim that wiping an Android device with a factory reset can leave much of your personal data behind.
Avast went to the length of buying 20 used phones on eBay that had been wiped using Android's factory reset function. With some digital recovery tools and a little effort, Avast was able to recover data from all 20 devices.
"Although at first glance the phones appeared thoroughly erased, we quickly retrieved a lot of private data. In most cases, we got to the low-level analysis, which helped us recover SMS and chat messages," Avast said.
From the 20 smartphones Avast managed to extract:
40,000 images (1,000 of them partial or full nudes)
750 emails and texts
The identities of the previous owners
A completed loan application
GPS coordinates detailing the previous owners' travel habits
How did Avast recover all this data? Simply by using FTK Imager, a free digital forensics tool available online, together with guidance from the XDA Developers forums, including the use of the Android Debug Bridge (adb) and a backup extractor, which according to Avast allow data to be pulled off the handset without unlocking it (adb does at least require USB debugging to be enabled). The underlying reason this works is that on the Android builds Avast tested, a factory reset re-creates the filesystem on the data partition without overwriting the flash beneath it, so the file contents are still sitting there for a carver to find. Worse still, Avast's consumer habits survey revealed that only 8% of users run software intended to overwrite this kind of digital footprint.
Short of burning your old smartphone to ashes there are no easy, built-in ways to erase your digital footprint; the practical options are to enable device encryption before the reset, so that what remains on the flash is ciphertext, or to overwrite the free space afterwards. What tools do you use to erase your Android data?
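To make concrete why a reset that only re-creates the filesystem leaves data recoverable, here is a small signature-based carver in the style of what FTK Imager does, written for this article as an added example (it is not Avast's tooling or code from the original piece). It scans a raw image for JPEG start/end markers and for the SQLite header that Android's messaging database uses, ignoring any filesystem, and reads recovered SMS bodies straight out of the carved database. The "flash image" is constructed inline: filler bytes, an orphaned JPEG-shaped blob and an orphaned SQLite file with an Android-style `sms` table (the table layout and phone numbers are assumptions for the demo). Running it on an all-zero image of the same size shows what a real overwrite buys you.

```python
import os
import sqlite3
import struct
import tempfile

# Format signatures that survive a filesystem-level delete or reformat.
JPEG_SOI = b"\xff\xd8\xff"             # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"                 # JPEG end-of-image marker
SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite database


def carve_jpegs(image, max_size=20 * 1024 * 1024):
    """Return every byte run between a JPEG start and end marker, filesystem ignored."""
    found, pos = [], 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        end += len(JPEG_EOI)
        if end - start <= max_size:
            found.append(image[start:end])
        pos = end
    return found


def carve_sqlite(image):
    """Return every SQLite database whose header is present, sized from that header.

    SQLite file format: bytes 16-17 hold the page size (big-endian; the value 1
    means 65536) and bytes 28-31 the database size in pages.
    """
    found, pos = [], 0
    while True:
        start = image.find(SQLITE_MAGIC, pos)
        if start == -1 or start + 100 > len(image):
            break
        header = image[start:start + 100]
        page_size = struct.unpack(">H", header[16:18])[0]
        page_size = 65536 if page_size == 1 else page_size
        page_count = struct.unpack(">I", header[28:32])[0]
        size = page_size * page_count
        if page_count and start + size <= len(image):
            found.append(image[start:start + size])
            pos = start + size
        else:
            pos = start + len(SQLITE_MAGIC)
    return found


def read_sms(db_bytes):
    """Open a carved database and pull message bodies out of an Android-style sms table."""
    fd, path = tempfile.mkstemp(suffix=".db")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        try:
            return [row[0] for row in con.execute("SELECT body FROM sms ORDER BY _id")]
        finally:
            con.close()
    finally:
        os.unlink(path)


def build_sms_db(messages):
    """Constructed sample: an sms table shaped like the one Android's messaging app keeps."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT)")
        con.executemany("INSERT INTO sms (address, body) VALUES (?, ?)", messages)
        con.commit()
        con.close()
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.unlink(path)


def build_image():
    """Constructed raw flash image: filler, an orphaned JPEG, an orphaned SMS database, filler.

    Nothing in the image references the two blobs; that is what a file looks like
    after the filesystem that pointed at it has been re-created by a reset.
    """
    filler = bytes(range(256))  # contains neither signature
    photo = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + bytes(64) + JPEG_EOI
    db = build_sms_db([("+15550100", "see you at 8"),
                       ("+15550101", "loan application approved, call me")])
    return filler * 4 + photo + filler * 2 + db + filler


def recover(image):
    """Summarise what a carver gets back from an image."""
    return {
        "jpegs": len(carve_jpegs(image)),
        "messages": [m for db in carve_sqlite(image) for m in read_sms(db)],
    }


if __name__ == "__main__":
    image = build_image()
    print(recover(image))              # the "reset" image gives up photo and messages
    print(recover(bytes(len(image))))  # after an actual overwrite: nothing to carve
```

The same approach extends to any format with a recognisable header (PNG, ZIP, PDF), which is why the fix is to make the bytes unreadable (encryption before the reset) or gone (overwrite), not to rely on the filesystem forgetting them.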
A new report says that hackers gained access to a server belonging to Montana's Department of Public Health and Human Services (DPHHS). The breach exposed the sensitive personal data of 1.3 million individuals, including names, addresses, dates of birth and Social Security numbers, and for some individuals information on health assessments, diagnoses, treatment, health conditions, prescriptions and insurance.
The initial findings are that a breach did occur but that it is not possible to determine whether data was actually exfiltrated from the server. The server was shut down a week after an investigation into suspicious activity began. Montana officials have stated that all affected parties will be notified and offered credit monitoring and identity protection insurance to limit the damage. The security of the DPHHS servers has since been upgraded, which is clearly too little, too late for those affected.
According to her weekly podcast, German Chancellor Angela Merkel will be working with France to develop a European communications network that bypasses American-based nodes vulnerable to NSA surveillance. Merkel will meet French President Francois Hollande during a formal state visit, and European privacy is expected to be high on the agenda. Since the NSA scandal emerged, Germany has been one of the staunchest critics of the USA's wide-reaching surveillance programs.
“Above all, we’ll talk about how European providers can offer security for our citizens, so that one shouldn’t have to send emails and other information across the Atlantic. Rather one could build up a communication network inside Europe.” Said Angela Merkel.
There has been much discussion within Europe about how the privacy of European citizens can be protected from US snooping. Several European nations have called for penalties against the USA in retaliation, such as weakening or cancelling trade links. Germany has been pushing for a "no-spying" agreement with the USA, but so far the USA has refused to enter discussions. All of this has happened while the USA has begun reforms of the NSA; in our view those reforms have so far been superficial PR exercises designed to bring no significant change, and the NSA's power remains pervasive and unrestrained.
After six months of legal proceedings, Google is to be fined €900,000 (about $1.38 million) for serious violations of users' privacy. The Spanish Data Protection Agency said:
“Google unlawfully collects and processes personal information of users of various Google services such as Gmail. The agency considers that Google seriously violates the right to the protection of personal data.”
Like the other tech giants, Google has come under fire following Edward Snowden's leaks about how the US collects data on users around the world. However, a recent survey conducted for the Computer and Communications Industry Association claims that users are more concerned about theft of personal and financial information than about online privacy and tracking by marketers.
James Clapper, the director of National Intelligence, believes that the American Congress could soon amend or even halt the domestic surveillance programs of the NSA according to the Washington Times.
“It’s very clear that — to the extent we get to keep these tools at all — they’re going to be legislatively amended”
Members of both the House and the Senate are working to reform section 215 of the Patriot Act, which the NSA has used to secretly compel telecommunications companies to hand over bulk data. Despite all the revelations, James Clapper still maintains:
“I can guarantee you that the privacy of Americans is not being compromised”
If Clapper's statement were true, Congress would hardly need to reform and "rein in" the NSA's activity; there would have been no outrage if the agency respected privacy law. There is no doubt that the way the NSA operates will change; whether that change is enough to satisfy the majority is another matter entirely.
The Herald Sun reports that Google is facing another lawsuit over the way it scans the content of emails received by its Gmail users. Google does this so that it can more effectively select and target the advertisements it places in a user's inbox and across that user's Google account and services.
The plaintiffs claim that Google "unlawfully opens up, reads, and acquires the content of people's private email messages" in violation of California's privacy laws and even federal wiretapping law. Google, on the other hand, argues that "all users of email must necessarily expect that their emails will be subject to automated processing." The judge in the case, Lucy Koh, has indicated that she could dismiss it or schedule a full trial for next year. There is no telling which way the decision will go.
The New York Times reports that Rush D. Holt, a Democratic member of the House of Representatives from New Jersey, is trying to introduce legislation that would prevent the NSA from installing back doors in encryption. Holt believes that the NSA has overstepped its boundaries and that it could hurt the interests of the United States and its companies by damaging their reputations.
“We pay them to spy. But if in the process they degrade the security of the encryption we all use, it’s a net national disservice.”
The "Surveillance State Repeal Act" drafted by Holt would strip the NSA of the power to insert back doors into the encryption that protects online communications and email. The draft is a response to revelations published earlier this week by the Guardian and the New York Times that the NSA can defeat much of the encryption in common use, largely by undermining standards, implementations and endpoints rather than by breaking the underlying mathematics.
RT reports that Swedish politicians have come forward to express concerns over public allegations that the Swedish government has been cooperating extensively with the NSA and GCHQ. Sweden’s Green Party IT policy spokeswoman stated that:
“It’s a very serious matter if Sweden is indeed involved in American surveillance programs. I’m very concerned about the information that came up in the hearing.”
Sweden is reported to have provided the USA's NSA and the UK's GCHQ with access to underwater internet cables in the Baltic. The allegations put the Swedish National Defence Radio Establishment (FRA) at the heart of the scandal and, unsurprisingly, it declined to comment.
Sweden’s Democracy Minister, Birgitta Ohlsson of the Liberal Party (Folkpartiet), also commented on the new revelations stating that:
“I absolutely think this is not good. I’ve also been engaged in issues related to personal privacy and transparency in Sweden and I think in all countries, including Sweden, the EU, and the United States…that things have gone too far.”
Sweden’s Defense Minister Karin Enström stated that such cooperations with other countries are “critical for our security” with rules that “balance security and privacy interests.”
"Intelligence operations occur within a framework with clear legislation, with strict controls, and under parliamentary oversight," reads part of Enström's public statement.
If you live in the USA and are worried about your online privacy and data protection rights, chances are you have already heard of the civil activist movement Restore the Fourth. The movement has teamed up with the Electronic Frontier Foundation (EFF), Demand Progress, Free Press, Fight for the Future and many other big-name organisations, and the group is now planning a new mass protest on October 26th.
What is special about October 26th? It marks the anniversary of the Patriot Act, the controversial legislation that underpins the mass surveillance infrastructure the NSA has been legally allowed to build. Details of the event can be seen right here. It will take place in the capital, Washington DC, and the group wants to show the government and Congress that people are not happy with the persistent abuse of the Fourth Amendment.
If you live in the USA and value your privacy then this could be something worth attending.
Speaking to the Washington Post, Google has said that it is strengthening its encryption amid fresh revelations that the NSA is capable of defeating common encryption methods, and that it will fast-track the upgrade ahead of schedule. The plan is to move its SSL certificates from 1024-bit to 2048-bit RSA keys. The gain is much larger than "twice as hard", but not for the reason usually given: RSA keys are not brute-forced bit by bit, they are attacked by factoring the modulus, and the best known factoring algorithms rate a 1024-bit key at roughly 80 bits of security and a 2048-bit key at roughly 112 (NIST SP 800-57), so the larger key costs an attacker on the order of 2^32, several billion times, more work.
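To put numbers on that comparison, the following is an added example for this article (not code from Google or the Washington Post report) that evaluates the standard heuristic running-time estimate for the general number field sieve, the best published algorithm for factoring RSA moduli, and sets it beside the NIST SP 800-57 strength table and the naive "one extra bit doubles the work" reasoning. The GNFS expression is the textbook L-notation bound with its lower-order terms dropped, so it overstates absolute cost somewhat; the point is the relative gap between key sizes.

```python
import math

# Heuristic cost of the general number field sieve for factoring an n-bit modulus:
#   L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)),   c = (64/9)^(1/3)
GNFS_C = (64 / 9) ** (1 / 3)

# Symmetric-equivalent strengths from NIST SP 800-57 Part 1, for reference.
NIST_STRENGTH = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}


def gnfs_work_bits(modulus_bits):
    """log2 of the GNFS work estimate for an RSA modulus of the given size in bits."""
    ln_n = modulus_bits * math.log(2)            # ln of a modulus of that size
    ln_work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def ratio_bits(small, large):
    """Extra bits of attacker work going from the smaller to the larger modulus (log2 of the ratio)."""
    return gnfs_work_bits(large) - gnfs_work_bits(small)


def compare(small=1024, large=2048):
    """Three answers to 'how much harder is the larger key': naive, GNFS heuristic, NIST table."""
    return {
        "naive_doubling_per_bit": large - small,            # what 'each bit doubles it' would imply
        "gnfs_ratio_bits": round(ratio_bits(small, large), 1),
        "nist_ratio_bits": NIST_STRENGTH[large] - NIST_STRENGTH[small],
    }


if __name__ == "__main__":
    for bits in sorted(NIST_STRENGTH):
        print(f"RSA-{bits:5d}: GNFS ~2^{gnfs_work_bits(bits):.0f}, NIST rates it {NIST_STRENGTH[bits]}-bit")
    print(compare())
```

The heuristic gives roughly 2^87 for 1024-bit and 2^117 for 2048-bit moduli, a gap of about 30 bits, in line with NIST's 80 versus 112. Either way the right mental model is "about 2^30 to 2^32 times harder", not "1024 times harder" and not "2^1024 times harder".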
Google is also reportedly one of the few companies to use different encryption keys for each user session. Because the keys are rotated daily, a key that is compromised exposes at most that day's traffic rather than everything ever sent. It is worth noting that these measures protect you from widespread "dragnet" surveillance of traffic in transit; if Google is served a legal order to reveal details on a particular individual, it still has to comply.
That is, in fairness, more or less what everyone says they want: a system in which no one is put under mass surveillance and everyone's privacy is respected unless they are suspected of an offence, in which case a court order provides a warrant to seize their information. It does seem that the only way to achieve privacy for everyone is to force the NSA and other government agencies out of the mass data flows by encrypting them.
Yahoo has addressed recent revelations that the NSA and GCHQ are both capable of getting around encryption. The reports from the New York Times and the Guardian, based on the Snowden files, state that both agencies can defeat common encryption methods by bypassing them, cracking them, or compromising the systems at either end. Yahoo is one of the companies whose systems the NSA's methods can reportedly reach with ease.
A Yahoo spokeswoman addressed the revelations to Bloomberg stating that:
“We are unaware of and do not participate in such an effort, and if it exists, it offers substantial potential for abuse…Yahoo zealously defends our users’ privacy and responds to government requests for data only after considering every applicable objection and in accordance with the law.”
Google, Microsoft, Facebook and other large technology companies will no doubt express a similar sentiment. The question is, if they are genuinely surprised by these revelations, what can they do to close the apparently enormous hole that lets the NSA and GCHQ get around certain encryption methods?
Microsoft has announced another push for transparency about the national security demands it receives. It says the lawsuits it filed against the US government have gone unanswered: despite extending the government's deadline six times and being actively involved in talks, everything has ended in failure, leaving Microsoft no choice but to press ahead with the litigation.
“We believe we have a clear right under the U.S. Constitution to share more information with the public. The purpose of our litigation is to uphold this right so that we can disclose additional data.
On six occasions in recent weeks we agreed with the Department of Justice to extend the Government’s deadline to reply to these lawsuits. We hoped that these discussions would lead to an agreement acceptable to all. While we appreciate the good faith and earnest efforts by the capable Government lawyers with whom we negotiated, we are disappointed that these negotiations ended in failure.”
Microsoft believes the government isn’t doing enough to be transparent and uphold the constitution and that there needs to be much more clarity.
“Yesterday, the Government announced that it would begin publishing the total number of national security requests for customer data for the past 12 months and do so going forward once a year. The Government’s decision represents a good start. But the public deserves and the Constitution guarantees more than this first step.
For example, we believe it is vital to publish information that clearly shows the number of national security demands for user content, such as the text of an email. These figures should be published in a form that is distinct from the number of demands that capture only metadata such as the subscriber information associated with a particular email address. We believe it’s possible to publish these figures in a manner that avoids putting security at risk. And unless this type of information is made public, any discussion of government practices and service provider obligations will remain incomplete.”
Despite the fact Microsoft and Google do not see eye-to-eye on many issues the two companies have joined together with others across the technology sector to challenge the morally corrupt surveillance policies of the U.S government.
“Over the past several weeks Microsoft and Google have pursued these talks in consultation with others across the technology sector. With the failure of our recent negotiations, we will move forward with litigation in the hope that the courts will uphold our right to speak more freely. And with a growing discussion on Capitol Hill, we hope Congress will continue to press for the right of technology companies to disclose relevant information in an appropriate way.”
Given all the recent revelations about the NSA, you would be surprised to find something it was not spying on. The latest report, from Der Spiegel, indicates that the United Nations is not one of those things. The German magazine reports that both the NSA and China actively spied on the United Nations' internal video conferencing system.
That means the NSA has now been reported spying on EU diplomats, foreign embassies and the United Nations. The NSA reportedly broke the encryption protecting the UN's video conferencing system; after gaining access, it increased the number of decrypted communications from 12 to 458 so that monitoring all of them became easier. The NSA was not the only party up to dubious business at the UN, however: a Shanghai-based military unit is reported to have been behind a number of Chinese intrusions there since 2004. So far the UN has not commented on the report but will probably launch an investigation later this year.
Microsoft has signed up the outsourcing corporation Capita for its Office 365 service, according to the Channel. Under the deal Microsoft will host all of Capita's employee email, with some 20,000 staff migrated to Microsoft's cloud service. Microsoft's service is reportedly more cost-effective, and Microsoft has pledged to host the data entirely within the EU and to meet all EU data protection obligations.
Despite that pledge, which puts the data under European law, Capita has decided to host and secure its most sensitive data itself, as it is understandably still wary after Microsoft's reported cooperation with the NSA and the PRISM program, under which the NSA harvested data from American companies' foreign operations.
Microsoft developed Office 365 to take on Google more strongly in the business and enterprise sector after losing a lot of accounts to Google. Despite early teething problems the service now reports 99.7% uptime, and even though it cannot compete with Google on price it is doing reasonably well.
The Channel has more details on the Capita deal, along with further coverage of Office 365 and its competition with Google's services, if that is of interest.
According to RT.com, Google has argued that its users should not expect privacy for their emails. The statement, spotted by Consumer Watchdog, came from a motion Google filed in ongoing litigation, in which Google argued that Gmail users should assume any electronic correspondence passing through Google's servers can be accessed and used for a range of purposes, including selling them adverts.
“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use Web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery,” the motion reads in part. “Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’”
The Consumer Watchdog Privacy Project Director John M Simpson hit back at Google’s business colleague analogy, above, by stating that:
“Google’s brief uses a wrong-headed analogy; sending an email is like giving a letter to the Post Office. I expect the Post Office to deliver the letter based on the address written on the envelope. I don’t expect the mail carrier to open my letter and read it. Similarly when I send an email, I expect it to be delivered to the intended recipient with a Gmail account based on the email address; why would I expect its content will be intercepted by Google and read?”
What are your thoughts on Google’s interpretation of Gmail privacy?
With both Lavabit and Silent Circle shutting down their encrypted email services, it is currently hard to find an encrypted email provider with a safe and reliable future ahead of it. Anything based in the USA is exposed to NSA court orders and so is not really safe at all. Kim Dotcom wants to change this with a mainstream encrypted email service. Dotcom has been an enemy of the USA since it relentlessly pursued his Megaupload website, confiscated its servers and deleted the data without, in his view, legally sound evidence. Now he is looking to get back at the USA with a mainstream encrypted email service that the USA cannot touch, because Mega is based outside the country.
“Mega’s open encrypted email service outside of #NSA reach will change the way people use email forever. You’ll see. Coming 2014,” Dotcom tweeted.
It will be interesting to see how Mega chooses to encrypt the service, given that it has to work within existing email protocols rather than simply encrypting message contents. Perhaps Mega will follow a route similar to the one recently taken by two of Germany's email providers, who encrypted traffic between their services within Germany for much the same reason.
According to an RT report, communications sent between two German email providers will now be encrypted to block NSA surveillance. The project, dubbed "E-Mail made in Germany", was set up in response to the information brought forward by Edward Snowden. The NSA currently intercepts about 500 million phone calls, texts and emails in Germany each month.
“Germans are deeply unsettled by the latest reports on the potential interception of communication data,” said Rene Obermann, head of Deutsche Telekom, the country’s largest email provider. “Now, they can bank on the fact that their personal data online is as secure as it possibly can be.”
Deutsche Telekom and United Internet have decided to implement SSL (Secure Sockets Layer), the industry-standard transport encryption, so that mail is encrypted while it travels between the two companies' servers, which is where cable taps would otherwise pick it up. The companies will route that traffic exclusively over German cables and servers. Note what this does not do: it protects mail in transit between the providers, but each provider still holds and can read the messages at rest, and can still be compelled to hand them over.
"This initiative helps to tackle the day-to-day sniffing around on the communication lines but it still doesn't prevent governments from getting information," Stefan Frei, a research director at information security company NSS Labs, told Reuters.
We have already seen the encrypted email service Lavabit voluntarily shut down rather than comply with US government demands or fight the federal court rulings in what would have been a long and expensive legal battle. Now another encrypted email provider, Silent Circle, has taken the same step.
Silent Circle offered encrypted email much like Lavabit. The company has opted to shut down its email service before the US government had filed any request, saying it wanted to spare its users an abrupt change and give them time to migrate to a new service before Silent Mail might be forced offline.
“We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now”, the company stated.
Silent Circle is keeping its other secure products, Silent Phone, Silent Text and Silent Eyes, because it can guarantee that their encryption is end-to-end. It says its email service was inherently flawed, since standard email protocols expose headers and metadata no matter how the body is encrypted, which is why it is axing the service. It is not known whether the US federal government intends, or is able, to move against Silent Circle's other services.
According to a CNET report, Google is preparing a new method of encrypting Google Drive files to prevent the NSA and other intelligence organisations from accessing them, apparently to improve the privacy of its cloud storage and synchronisation service.
Google has been named in the NSA PRISM scandal, and according to two unnamed Google sources the measure is meant to restore Google's public image and the public's confidence in its services. The article suggests that with users' files strongly encrypted, Google could not hand over their contents even when intelligence agencies demand them with a legally obtained warrant. That only holds if Google itself does not hold the decryption keys: encryption at rest with provider-managed keys protects against a stolen disk or an unauthorised insider, not against a lawful demand served on the provider.
Widely circulated rumours have recently implicated Microsoft in helping the NSA get around the encryption on its SkyDrive service. Microsoft denied all the allegations, but the damage to its reputation is hard to measure. The Microsoft example shows that encryption alone is not enough for cloud storage; legal protection is also needed to prevent companies being forced to share user data. As we mentioned a while back, this has contributed to the growth of Swiss data storage, since Switzerland has strong data protection laws.
Despite Edward Snowden's accusation that the NSA and German intelligence are "in bed together", Germany's Chancellor Angela Merkel has called for better data protection laws in the EU, according to the BBC. Merkel says she wants German companies to disclose publicly who they give data to. This follows the PRISM revelations that huge transnational internet companies such as Google, Facebook and Microsoft have reportedly been sharing data with the NSA in secret. Because these are transnational companies, their data sharing has European consequences.
Merkel believes the EU needs unified data protection rules so that every company knows what it must comply with and rule-breakers can be punished. At the very least we may see laws in Germany requiring all foreign companies operating there to meet German privacy and data protection standards. At EU level, unifying legislation of this kind could be hard to pass, as it would require broad agreement across the entire EU, which is very often difficult to achieve.
“I expect a clear commitment from the US government that in future they will stick to German law…We have a great data protection law. But if Facebook is registered in Ireland, then Irish law is valid, and therefore we need unified European rules” said Angela Merkel.
According to a new report in the Guardian, the United Kingdom, with Sweden's support, is restricting the EU's discussions with the USA to the NSA and PRISM scandal. The UK is apparently unhappy with the USA continuing to stall on the topic and wants it to engage in discussions on data privacy and answer questions about PRISM, rather than talking more broadly about espionage and intelligence.
The UK and Sweden were the only two nations to veto the two broad working groups on espionage and intelligence in favour of a tougher single working group focused specifically on PRISM and what it means for Europe. All the other European countries voted for the two-group approach and are not pleased with the UK's decision. With the UK and Sweden taking a different stance from the rest of Europe, it is now up to individual European governments to discuss intelligence matters with the USA independently.
A lack of cohesion has always hampered the EU when it comes to getting things done, and this latest disagreement is no different. The EU has already voted in favour of scrapping an EU-US data sharing deal, and France has asked for trade agreement talks between the USA and the EU to be delayed until the NSA spying issue is resolved. We will bring you the outcome of these crucial talks as they unfold over the next week; they could have major implications for transatlantic cyber-relations between the EU and the USA.
Neelie Kroes, Vice President of the European Commission, has made some dire predictions for the American cloud storage industry, according to Russia Today. Kroes believes that US cloud providers are going to suffer steep revenue losses thanks to the revelations about the NSA's extensive spying programs.
"If businesses or governments think they might be spied on, they will have less reason to trust cloud, and it will be cloud providers who ultimately miss out…Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?"
She went on to say she believes the scandal could cost the US cloud industry dearly, with "multi-billion euro" consequences.
“It is often American providers that will miss out, because they are often the leaders in cloud services. If European cloud customers cannot trust the United States government, then maybe they won’t trust US cloud providers either. If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now.”
With the PRISM program giving the NSA unprecedented access to internet data, and its spying covering email, phone calls and much more, companies no longer feel safe keeping data in the USA. That is hardly surprising, and we may even see an exodus of US cloud storage companies to other countries in an attempt to stem the loss of earnings.
The NSA spying scandal has heightened concerns around the world about data confidentiality, and businesses and private individuals are queuing up to move their files and servers to Swiss data centres. Artmotion, Switzerland's biggest offshore hosting company, reports a rapid increase in revenue this year as customers look to take advantage of Switzerland's data protections.
Artmotion's services are subject only to Swiss law, under which access to data by anyone other than its owner requires a warrant that demonstrates criminal intent or liability. In the USA and the EU, by contrast, governments can gain access to data sometimes without any paperwork at all, and in most cases a warrant need not show intent or liability, only that the data is needed for an ongoing government investigation.
European and North American cloud hosting services are expected to suffer from an NSA scandal that has left businesses and individuals worrying about who can access their data. While the provenance of some of the data Switzerland's cloud providers host may be questionable, at least customers know their data will be protected. Switzerland has a long history of protecting people's privacy, money and data; the "Swiss bank account" is probably the most common association people have with the country.
“In particular, we believe that the updated policy does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products” stated the UK’s ICO in their full report.
To amend this lack of compliance Google must:
Google has stated on several occasions that it believes it fully complies with EU regulations and laws, and it has ignored many requests from EU data protection agencies in the past; I wonder how different things will be in the UK's case.
I certainly hope there will be strong disciplinary action available if Google refuses to comply with the request and so fails to respect the UK's data protection rules.
The UK Data Protection Act currently sets out eight principles, which require that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Secure
Not transferred to other countries without adequate protection