Entries Tagged "privacy"


Even More on the al-Mabhouh Assassination

This, from a former CIA chief of station:

The point is that in this day and time, with ubiquitous surveillance cameras, the ability to comprehensively analyse patterns of cell phone and credit card use, computerised records of travel documents which can be shared in the blink of an eye, the growing use of biometrics and machine-readable passports, and the ability of governments to share vast amounts of travel and security-related information almost instantaneously, it is virtually impossible for clandestine operatives not to leave behind a vast electronic trail which, if and when there is reason to examine it in detail, will amount to a huge body of evidence.

A not-terribly flattering article about Mossad:

It would be surprising if a key part of this extraordinary story did not turn out to be the role played by Palestinians. It is still Mossad practice to recruit double agents, just as it was with the PLO back in the 1970s. News of the arrest in Damascus of another senior Hamas operative - though denied by Mash’al - seems to point in this direction. Two other Palestinians extradited from Jordan to Dubai are members of the Hamas armed wing, the Izzedine al-Qassam brigades, suggesting treachery may indeed have been involved. Previous assassinations have involved a Palestinian agent identifying the target.

There’s no proof, of course, that Mossad was behind this operation. But the author is certainly right that the Palestinians believe that Mossad was behind it.

The Cold Spy lists what he sees as the mistakes made:

1. Using passport names of real people not connected with the operation.

2. Airport arrival without disguises in play thus showing your real faces.

3. Not anticipating the wide use of surveillance cameras in Dubai.

4. Checking into several hotels prior to checking in at the target hotel thus bringing suspicion on your entire operation.

5. Checking into the same hotel that the last person on the team checked into in order to change disguises.

6. Not anticipating the reaction that the local police had upon discovery of the crime, and their subsequent use of surveillance cameras in showing your entire operation to the world in order to send you a message that such actions or activities will not be tolerated on their soil.

7. Not anticipating the use of surveillance camera footage being posted on YouTube, thus showing everything about your operation right down to your faces and use of disguises to the masses around the world.

8. Using 11 people for a job that one person could have done without all the negative attention to the operation. For example, it could have been as simple as a robbery on the street with a subsequent shooting to cover it all up for what it really was.

9. Using too much sophistication in the operation showing it to be a high level intelligence/hit operation, as opposed to a simple matter using one person to carry out the assignment who was either used as a cutout or an expendable person which was then eliminated after the job was completed, thus covering all your tracks without one shred of evidence leading back to the original order for the hit.

10. Arriving too close to the date or time of the hit. Had the team arrived a few weeks earlier they could have established a presence in the city - thus seeing all the problems associated with carrying out said assignment - thus calling it off or having a counter plan whereby something else could have been tried elsewhere or in another country.

11. And to take everything to 11 points, not even noticing (which many on your team did in fact notice) all the surveillance you were under, and not calling the entire thing off because of it, and because you failed to see all of your mistakes made so far and then not calling it off because of them.

I disagree with a bunch of those.

My previous two blog posts on the topic.

EDITED TO ADD (3/22): The Israeli public believes Mossad was behind the assassination, too.

EDITED TO ADD (4/13): The Cold Spy responds in comments. Actually, there’s lots of interesting discussion in the comments.

Posted on March 22, 2010 at 9:10 AM

Marc Rotenberg on Google's Italian Privacy Case

Interesting commentary:

I don’t think this is really a case about ISP liability at all. It is a case about the use of a person’s image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person’s image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man’s image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim suggested that the state assembly could simply pass a law to create the right. The New York legislature did exactly that and in 1903 New York enacted the first privacy law in the United States to protect a person’s “name or likeness” for commercial use.

The whole thing is worth reading.

EDITED TO ADD (3/18): A rebuttal.

Posted on March 9, 2010 at 12:36 PM

Guide to Microsoft Police Forensic Services

The “Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)” (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here’s a good summary of what’s in it:

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft’s stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it “quasi-comprehensive” because, at a mere 22 pages, it doesn’t explore the nitty-gritty of Microsoft’s systems; it’s more like a data-hunting guide for dummies.

When it was first leaked, Microsoft tried to scrub it from the Internet. But they quickly realized that it was futile and relented.

Lots more information.

Posted on March 9, 2010 at 6:59 AM

Google in The Onion

Funny:

MOUNTAIN VIEW, CA—Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday.

“We would like to extend our deepest apologies to each and every one of you,” announced CEO Eric Schmidt, speaking from the company’s Googleplex headquarters. “Clearly there have been some privacy concerns as of late, and judging by some of the search terms we’ve seen, along with the tens of thousands of personal e-mail exchanges and Google Chat conversations we’ve carefully examined, it looks as though it might be a while before we regain your trust.”

Google expressed regret to some of its third-generation Irish-American users on Smithwood between Barlow and Lake.

Added Schmidt, “Whether you’re Michael Paulson who lives at 3425 Longview Terrace and makes $86,400 a year, or Jessica Goldblatt from Lynnwood, WA, who already has well-established trust issues, we at Google would just like to say how very, truly sorry we are.”

Posted on March 8, 2010 at 2:24 PM

De-Anonymizing Social Network Users

Interesting paper: “A Practical Attack to De-Anonymize Social Network Users.”

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.

In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

News article. Moral: anonymity is really, really hard—but we knew that already.

Posted on March 8, 2010 at 6:13 AM

Tracking your Browser Without Cookies

How unique is your browser? Can you be tracked simply by its characteristics? The EFF is trying to find out. Their site Panopticlick will measure the characteristics of your browser setup and tell you how unique it is.

I just ran the test on myself, and my browser is unique amongst the 120,000 browsers tested so far. It’s my browser plugin details; no one else has the exact configuration I do. My list of system fonts is almost unique; only one other person has the exact configuration I do. (This seems odd to me; I have a week-old Sony laptop running Windows 7, and I haven’t done anything with the fonts.)

EFF has some suggestions for self-defense, none of them very satisfactory. And here’s a news story.

EDITED TO ADD (1/29): There’s a lot in the comments leading me to question the accuracy of this test. I’ll post more when I know more.

EDITED TO ADD (2/12): Comments from one of the project developers.

Posted on January 29, 2010 at 7:06 AM
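
One way to quantify the uniqueness a test like the one in the post above reports, as an added example (not code from the EFF or from this blog): it computes the anonymity set and the bits of identifying information per attribute and for the combined fingerprint. The population, attribute names and values are constructed; the same counting applies to the group-membership sets in the de-anonymization paper above.

```python
import math
from collections import Counter

# Constructed sample population, not real measurements. Each record holds the
# attributes a fingerprinting test observes for one browser.
POPULATION = [
    {"ua": "win7-ff36", "plugins": "flash,java,pdf,silverlight", "fonts": "base+vendor"},
    {"ua": "win7-ff36", "plugins": "flash,java",                 "fonts": "base+vendor"},
    {"ua": "win7-ff36", "plugins": "flash,pdf",                  "fonts": "base"},
    {"ua": "win7-ie8",  "plugins": "flash,pdf",                  "fonts": "base"},
    {"ua": "win7-ie8",  "plugins": "flash",                      "fonts": "base"},
    {"ua": "osx-saf4",  "plugins": "flash,pdf",                  "fonts": "mac-base"},
    {"ua": "osx-saf4",  "plugins": "flash",                      "fonts": "mac-base"},
    {"ua": "win7-ie8",  "plugins": "flash",                      "fonts": "base"},
]

def key(record, attrs):
    """Project a record onto the chosen attributes."""
    return tuple(record[a] for a in attrs)

def anonymity_set(population, target, attrs):
    """Number of browsers (target included) sharing target's values for attrs."""
    return sum(1 for r in population if key(r, attrs) == key(target, attrs))

def surprisal_bits(population, target, attrs):
    """Bits of identifying information: -log2 of the share of matching browsers."""
    return math.log2(len(population) / anonymity_set(population, target, attrs))

def unique_fraction(population, attrs):
    """Share of the population whose combination of attrs occurs exactly once."""
    counts = Counter(key(r, attrs) for r in population)
    return sum(1 for r in population if counts[key(r, attrs)] == 1) / len(population)

def report(population, target):
    """Per-attribute and combined anonymity set and bits for one browser."""
    rows = {}
    for attrs in [(a,) for a in target] + [tuple(target)]:
        rows["+".join(attrs)] = (anonymity_set(population, target, attrs),
                                 round(surprisal_bits(population, target, attrs), 2))
    return rows

if __name__ == "__main__":
    me = POPULATION[0]  # constructed: unique plugin list, fonts shared with one other
    for name, (size, bits) in report(POPULATION, me).items():
        print(f"{name:18} anonymity set={size}  bits={bits}")
    print("unique on all attributes:", unique_fraction(POPULATION, ("ua", "plugins", "fonts")))
```

An attribute with an anonymity set of 1 identifies the browser on its own, so the combined fingerprint can never be less identifying than its most distinctive attribute.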

More Surveillance in the UK

This seems like a bad idea:

Police in the UK are planning to use unmanned spy drones, controversially deployed in Afghanistan, for the “routine” monitoring of antisocial motorists, protesters, agricultural thieves and fly-tippers, in a significant expansion of covert state surveillance.

Once again, laws and technologies deployed against terrorism are used against much more mundane crimes.

Posted on January 26, 2010 at 7:16 AM

Google vs. China

I’m not sure what I can add to this: politically motivated attacks against Gmail from China. I’ve previously written about hacking from China. Shishir Nagaraja and Ross Anderson wrote a report specifically describing how the Chinese have been hacking groups that are politically opposed to them. I’ve previously written about censorship, Chinese and otherwise. I’ve previously written about broad government eavesdropping on the Internet, Chinese and otherwise. Seems that the Chinese got in through back doors installed to facilitate government eavesdropping, which I even talked about in my essay on eavesdropping. This new attack seems to be highly sophisticated, which is no surprise.

This isn’t a new story, and I wouldn’t have mentioned it at all if it weren’t for the surreal sentence at the bottom of this paragraph:

The Google-China flap has already reignited the debate over global censorship, reinvigorating human rights groups drawing attention to abuses in the country and prompting U.S. politicians to take a hard look at trade relations. The Obama administration issued statements of support for Google, and members of Congress are pushing to revive a bill banning U.S. tech companies from working with governments that digitally spy on their citizens.

Of course, the bill won’t go anywhere, but shouldn’t someone inform those members of Congress about what’s been going on in the United States for the past eight years?

In related news, Google has enabled https by default for Gmail users. In June 2009, I cosigned a letter to the CEO of Google asking for this change. It’s a good thing.

EDITED TO ADD (1/19): Commentary on Google’s bargaining position.

Posted on January 19, 2010 at 12:45 PM
