INF529: Security and Privacy
In Informatics
International and Jurisdictional Issues
Prof. Clifford Neuman
Lecture 9
27 March 2020
Online via Webex
Course Outline
• What data is out there and how is it used
• Technical means of protection
• Identification, Authentication, Audit
• The right of or expectation of privacy
• Social Networks and the social contract – February 21st
• Criminal law, National Security, and Privacy – March 6th
• Big data – Privacy Considerations – March 13th
• International law, Jurisdiction, Privacy Regulations
• Privacy Regulation (civil) and also Healthcare – April 3rd
• The Internet of Things – April 10th
• Technology – April 17th
• Other Topics – April 24th
• The future – What can we do – May 1st
Homework 2: Big Data, Due 1 April
Consider the articles that have been assigned as readings in the
past three weeks (from the website, and from the lecture slides).
Based on these readings, and discussions in class, please answer the
following question.
Explain how machine learning, data mining, and statistical inference
methods can use “big data” about us in ways that are against our
personal well-being. How can these techniques uncover (or discover)
possibly incorrect information, and how do they create or reinforce
profiles and stereotypes that society has long sought to abolish.
Your answer should be roughly four pages in length (about 1600 to 2000
words), but this is not a strict limit. Please submit your answers
before noon on Monday 27 March sending your submissions to
Today’s Presentations
International Law and Jurisdictional Conflict
• Weici Mah – Privacy in China Today
• Amarbir Singh – Cyber Warfare
• Shannon Tee - How China uses Facial Recognition
• Pavas Navaney – Data residency and localization
• Brian Ostler – International Law for Security/Privacy
April 3rd Presentations
Healthcare and Privacy
• Uma Kanumuri – HIPAA and other Healthcare Privacy Regulation
• Pratyush Prakhar - Healthcare IoT
Internet of Things
• Aditya Goindi – Privacy in Internet of Things
• Ayush Ambastha – IoT and the Threat to Privacy
• Yang Xue – The internet of things and ratings
• Jianan Wu – The Future of IoT Privacy
April 10th Presentations
Internet of Things
• Divya Sinha - Security of Internet of Things
• Marco Gomez - Doorbells, Refrigerators, voice video
• Douglas Platt - Digital Voice Assistants
• Khalid Mansory - Autonomous vehicles and Aerial drones
• Mohhamed Abatain - Autonomous vehicles and Aerial drones
• Jaynee Shah - IoT Wearables, Connected Cars, Smarthome
• Fudha Alabdulrazaq - Amazon Alexa Privacy Concerns
• MaryLiza Walker - Rise of IoT – Impact on Privacy
April 17th Presentations
Privacy Technologies
• Neekita Salvankar - Geospatial Data and Privacy
• Kriti Jain - Blockchain and Data Privacy
• Dimple Gajra - Privacy in the Chrome Browser
• Vraj Patel - privacy-focused browsing
• Aakarsh Sharma - A Framework for Improving Data
Privacy and Security of Public Cloud-based Enterprise
Resource Planning Systems - Privacy in Cloud
Computing
April 24th Presentations
Elections and Politics
• Jon Melloy - Elections
• Carlin Cherry - Security of Political data and its
monetization
May 1st Presentations
Biometrics and related technologies
• Vaidhyanathan S - Privacy Concerns for Biometrics
• Yi-Ting Lin - Privacy of Facial Recognition
• Haotian Mai - Access and use of DNA database by
government agencies especially for criminal
investigation.
Privacy In China Today
INF 529 Weici Ma
Spring 2020
Presentation Outline
• Hong Kong’s Personal Data (Privacy) Ordinance
• Mainland China’s Cybersecurity Law
• Recent Incidents
Personal Data (Privacy) Ordinance
The Personal Data Protection Landscape in Asia
• S. Korea - 2011
• Hong Kong - 1995
• Macau - 2005
• Singapore - 2012
• Malaysia - 2010
• Vietnam - 2010
• India - 2011
• Japan - 2003
• Taiwan - 2010
• Philippines - 2012
• Thailand - 1997
• Nepal - 2007
• Indonesia - 2016
Personal Data (Privacy) Ordinance
• Enacted in 1995
• Core provisions came into effect on 20 December 1996
• Covers the public (government) and private sectors
What is “Personal Data” in policy?
“Personal data” means any data:
• Relating to a living individual;
• Practicable
• Any representation of information (including an expression of opinion) in any document.
Some Incidents
China’s Cybersecurity Law
• Effective on 1 June 2017
• Purposes:
- Guarantee cybersecurity
- Safeguard national security and public interest
- Protect lawful rights and interests of citizens, legal persons and other organizations
- Promote sound development of economic and social informatization
China’s Cybersecurity Law
- Scope of Application
  - Administration of cybersecurity
  - Network operators
  - Technology companies
- Data Collection & Use
  - Notify users and obtain their consent
  - Follow principles of legality, rightfulness and necessity
China’s Cybersecurity Law
- Data Accuracy & Record Retention:
  - No tampering
  - Preserve weblogs for not less than 6 months
- Data Security & Breach Notification
  - Keep users’ personal information confidential
  - Prevent information leakage, damage and loss
  - Take remedial measures
China’s Cybersecurity Law
- Data Deletion & Correction:
- Individual can request network operator to delete his personal information
- Individual can request network operator to correct his personal information
China’s Cybersecurity Law
Data Localization & Cross-Border Data Transfer:
- Important data collected and produced by CII operators during their operations within China shall be stored within China.
- Transfers of data overseas should be assessed under measures of the Cyberspace Administration of China (CAC)
China’s Cybersecurity Law
Sanctions and Fines:
• Warning, confiscate illegal income and impose
• If no illegal income, impose fine on both company and directly responsible person
• Suspend operation, or revoke business permit or license
Apple Opening Data Centre in China to
Comply With Cybersecurity Law
Source: The New York Times 12 July 2017
Direct Marketing Conviction Cases on PCPD
Nov 2016
• Case: Two financial intermediaries used personal data in direct marketing without taking specified actions and obtaining data subject’s consent, total 11 charges, and all convicted.
• Penalty: Two companies fined $165,000 in total ($15,000 per charge), plus damages to claimants for 25% of profits ($47,800).
Dec 2016
• Case: A watch company used an individual’s personal data in direct marketing without taking specified actions and obtaining his consent. The company also failed to inform the individual of his opt-out right when using his personal data in direct marketing for the first time.
• Penalty: Fined $8,000 for each charge
Jan 2017
• Case: A bank failed to comply with client’s opt-out request.
• Penalty: Fined $10,000
Shannon Tee
Background
• Facial recognition technology used to identify, authenticate/verify, categorize an individual
• 200 million surveillance cameras reported in China during November 2019 and projected to rise to 626 million by 2020
• Facial recognition has become widespread in China and a convenience according to some citizens
• Pay for purchases such as at convenience stores, restaurants, and pharmacies
• Scan faces instead of using bank cards at some ATMs
• Unlock your house just by looking into a camera
• Check into airports, hotels, trains, and hospitals
How authorities are using it
• Project Skynet and Sharp Eyes
• Identify blacklisted or wanted individuals
• Railway police use facial recognition sunglasses to screen and identify people
• Some provinces record and shame jaywalkers
• Toilet paper dispensers use the technology to prevent stealing from public bathrooms
• Help individuals recover stolen motorcycles or lost purses
• Assist storeowners in figuring out who was stealing from their stores
• Identify a single person among stadium crowds of tens of thousands of people
Privacy vs. Security
• Intrusive to individuals’ privacy since the systems collect and process people’s biometric facial data
• Damage could be irreversible since can’t be changed/updated like a password
• Few regulations dictating where it can be used and what happens to the data that is collected
• China’s authorities cite safety and public order as reasons for deploying facial recognition
• Some citizens also willing to trade their privacy for public security
China introduces face scans for mobile users
• Required to have face scanned when registering for new mobile phone service so authorities can verify identity matches ID provided
• Government wants to “protect the legitimate rights and interest of citizens”
• Get rid of anonymous phone numbers and internet accounts
• Smart phones morphed into identity authenticators and therefore need strong authentication when subscribing to a new service
• Some complain China has seen too many data breaches: “Before thieves knew what your name was, in the future they’ll know what you’ll look like”
December 2019
How China is using AI to profile a minority
• Devoted major resources towards facial recognition technology to look for and track Uyghurs, a large Muslim minority
• Those who grow a beard or visit a mosque are often flagged by system and interrogated
• Many are thrown into re-education camps to undergo “political education”
• A Uyghur was placed on house arrest where policeman would call to ask where he was going every time he opened his front door
• China claims they’re battling ethnic violence and Uyghur terror attacks
• Companies who sell technology are not aware it’s being used to profile, but focused on well-being and safety of individual citizens rather than monitoring groups
• Facial recognition technology is imperfect and accuracy depends on various factors such as environmental factors and training data
May 2019
How China is using AI to fight coronavirus
• Upgrading thermal scanners in train stations to include facial recognition technology
• Allows train station employees to swiftly and accurately identify those who may have fever without individually testing everyone
• Man ordered by local authorities to quarantine himself for 14 days after returning to Sichuan from Hubei, the province at center of outbreak
• Believed they tracked his movements using the four cameras near his house to ensure he didn’t leave his place
March 2020
“Facial recognition and the real-name system will help us track down those who have been potentially
exposed to the virus and effectively curb spreading of pathogen”
- Zeng Yixin, Deputy Director of China’s National Health Commission
Social Credit Score
Vast ranking system that will monitor the behavior of its population and rank them based on their social credit score
Those deemed “untrustworthy” with low scores will be penalized like transportation restrictions or loss of employment and educational opportunities, while those with high scores get perks like utility bill discounts and faster application processes to travel abroad
Trustworthiness score can fluctuate based on actions – going up for good deeds such as donating to charity or going down for negative actions such as getting a speeding ticket
Images from surveillance cameras and facial recognition software can influence the social credit score
Pedestrians caught jaywalking more than five times a year will be classified as ‘untrustworthy’ and have their social credit score lowered
Regulations
• Personal Information Specification, under the Cybersecurity Law, is the most extensive document to date on protection of personal information
• Addresses collection, processing, transfer, disclosure, and consent needed for personal information
• Not law or regulation that requires mandatory compliance
• Consent not required for the purpose of national and social security, public interest, or criminal case investigation
• National Information Security Standardization Technical Committee (TC260) is working on security requirements for online verification systems using facial recognition
• China Communications Standards Association is working on regulations for the use of facial recognition in mobile smart devices
Regulations
• 2017 National Intelligence Law – any organization or citizen shall support, assist, and cooperate with the state intelligence work in accordance with the law
• 2014 Counter-Espionage Law – organizations and individuals must truthfully provide and not refuse relevant evidence when the state security investigates and understands the situation of espionage
• Country’s first lawsuit against use of facial recognition technology filed in November 2019
In relation to United States
• Chinese authorities find public security more important than privacy, while regulators in Europe/US want to ensure consumers’ privacy rights are respected
• In 2019, Department of Commerce added 28 Chinese AI and digital surveillance companies to the blacklist of those banned from doing business in the United States
• Prevent Chinese companies from providing tech infrastructure that is hard to replace once it’s been acquired and used for China’s intelligence and military organizations
• Creates division with commerce organizations focused on free trade and further disruption in ongoing trade negotiations between US and China
Conclusion
• Privacy vs. Security
• Provides convenience and security in China at the expense of privacy
• Aligns with the East’s cybersecurity approach to have centralized, state-centric government command and control
• Facial recognition systems are not perfect
• Potential bias in technology and sensitive to environmental factors
• Lack of regulations surrounding use of facial recognition especially for China government’s use
Pavas Navaney
March 27th 2020
Data Residency and Localization
Data Residency vs. Data Localization
Data residency is when an organization specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons.
By contrast, data localization is when a law requires that data created within a certain territory stays within that territory.
Objectives of Residency/Localization
1. Exert more control over data retention and thereby have greater control over compliance.
2. In the EU, it is seen as a means to encourage data controllers to store and process data within the EU or within those countries deemed to have the same level of data protection as in the EU, as opposed to moving data to those territories considered to have less than “adequate” data protection regimes.
3. To strengthen the market position of local data center providers by forcing data to be stored in-country.
However, it is important to note that accessing personal data is considered a “transfer” under data protection law.
Additionally, payment processing functions also sometimes occur in other countries, so make sure to consider them as well. This is an important point that is often missed or misunderstood.
DR/DL and GDPR
Q. Does GDPR introduce any data residency or localization obligations?
GDPR does not introduce and does not include any data residency or localization obligations.
Having said that, it is important to note that local law may impose certain requirements on the location of the data storage.
Russian Data Localization Law
In 2015, Russia introduced a data localization law, requiring “data operators” to ensure that recording, systematization, accumulation, storage, refinement and extraction of personal data of Russian citizens is done using databases located in Russia.
In 2015, this law did not give the Russian data protection authority the ability to impose any meaningful monetary penalties. Instead, it was just able to block websites that it deemed to be non-compliant.
A new law was passed in December 2019. Under the new law, fines for first time offences for legal entities can be between USD 16,000 – USD 96,000, increasing to USD 288,000 for repeat offences.
Russia Bans LinkedIn
On Nov. 17, 2016, Roskomnadzor (the Russian data protection authority) included LinkedIn within the database on the Register of Personal Data Infringers as a violator of data subjects’ rights and sent an order to telecommunications companies to block access to LinkedIn within Russia. The order was issued according to a Moscow District Court decision from August 4, 2016, to block LinkedIn, and was followed by the formal opinion of Moscow City Court from November 10 to uphold that decision.
US is a partially adequate country in terms of data protection.
The Court concluded that LinkedIn’s servers are located only in the U.S. based on publicly available data from the WHOIS database. Therefore, LinkedIn is in non-compliance with the requirement to transfer Russian user data to servers located in Russia. According to the law, personal data from Russian users should be collected and processed in Russia, any change or amendment to such data should be always collected, stored and further processed in Russia, and any subsequent processing abroad should be exactly the same as the processing already done in Russia.
Source : https://iapp.org/news/a/why-linkedin-was-banned-in-russia/
German Telecom Data Retention Law
On May 28, 2015, the German government adopted a draft law that would require telecommunications and Internet service providers to retain Internet and telephone usage data.
User location data retained for a period of four weeks.
The draft law also requires the data to be deleted without undue delay after the expiration of the relevant retention period, and in any event, within one week following the expiration of the retention period.
Telecommunications and Internet service providers also would be required to ensure that:
1. data is stored in accordance with the highest possible levels of security
2. data is stored within Germany.
3. measures are in place to protect data from unauthorized inspection and use.
Non-compliance with the data retention requirements would constitute an administrative offense that would be punishable by a maximum fine of 500,000 EUR.
Data Localization Laws - Countries
Country: Scope
• Australia: Health Records
• Canada (Nova Scotia, British Columbia): All Personal Data
• China: Personal, Business & Financial Data
• Germany: Telecommunications Metadata
• India: Payment System Data
• Kazakhstan: Servers running on country domain (.kz)
• Nigeria: All Government Data
• Russia: All Personal Data
• South Korea: Geospatial and Map Data
• Vietnam: Service Providers Usage Data
Data Transfer to Other Locations
Q. So, if there is no data residency or localization requirement under GDPR, can we transfer the data to other locations?
Yes, if there is a legal transfer mechanism in place. Some of the mechanisms are:
1. Adequacy
2. Binding Corporate Rules
3. Standard Contractual Clauses / Model Clauses
4. Privacy Shield
Data Protection Around the World
Privacy Shield Framework
The Privacy Shield Framework, approved by the European Union (EU) and U.S. Government, is a recognized mechanism for complying with EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the United States.
7 Principles of Privacy Shield
1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability
Advantages of DL/DR
Data is considered as a ‘new form of wealth’. With data localization, domestic companies and the country’s economy will be benefited.
While investigating crimes, there will be a need to access the payments data.
Data localization laws result in setting up of multiple data centers locally. This will create many jobs and will help the country’s economy immensely.
Data localization is also important for data sovereignty.
Disadvantages of DL/DR
Without efficient infrastructure, the data is prone to cyber attacks.
Data localization is also a threat to the main essence of the internet.
Data localization may result in government surveillance of its citizens.
It is also against intellectual property rights because they use their intelligence to form systems that can benefit from the data it generates.
Data Residency doesn’t provide Security
Data Residency doesn’t provide security because:
1. Most Vulnerabilities are Exploited Remotely.
2. Manual Processes Present Risk of Human Error.
3. Insider Threats Prevail as a Significant Risk.
Efforts to Establish International Cybercrime Law
Brian Ostler
Agenda
• Regionally recognized treaties
• UN Protocols / Working Groups
• Recent Proposal
Major International Organizations
• G8
• United Nations
• International Telecommunications Union
• Council of Europe
Budapest Convention
• First international cybercrime treaty presented at the Council of Europe
• Presented for signature in 2001
• Ratified by 5 countries by 2004
• Currently ratified by 64 countries
• Considered by some as controversial
Related International Treaties
• United Nations Convention Against Transnational Organized Crime (2000)
• United Nations Optional Protocol to the Convention on the Rights of the Child (2001)
• CoE Additional Protocol on the Convention on Cybercrime (2003)
• CoE Convention on the Protection of Children (2007)
United Nations
• UN Resolution
• General assembly resolutions are mostly non-binding, unless explicitly instructive to their addressees
• UN Group of Governmental Experts
• UN Open Ended Working Group
New UN Resolution (December 2019)
• Russian-drafted resolution
• Establishes a committee of experts to consider a new UN cybercrime treaty
• Meant to replace the Budapest Convention
• Lots of ambiguity in defining criminal use of information and communications technologies
Future Concerns
• Lack of specificity can criminalize ordinary behavior
• Human rights can be infringed upon in many ways
• Potential to overreach in the disclosure of data requested
• Conflicts with already established OEWG
• Excludes key stakeholders in favor of closed committee
INF529: Security and Privacy
In Informatics
Apple v. FBI
Prof. Clifford Neuman
Lecture 9
13 March 2020
Online
Access to Data on Protected Devices
• For many years, law enforcement has been accessing data
on devices seized in raids, or incident to arrest. There is a
whole business around forensic analysis of such devices.
• With the widespread adoption of memory encryption in
phones around 2014 this process was made more difficult.
• There had been proposed legislation to limit this kind of
effective encryption, and we saw some of these bills earlier
in this class. The events that follow affect the debate on
some of those bills.
Apple opposes order to help FBI unlock phone belonging to San Bernardino shooter
The News Release
The Motion and Order
The motion describes the reasons that the government is seeking an order to force Apple to assist them in getting access to the data on the device, and it describes the specific steps that they want Apple to perform.
Once issued (if issued) the order tells Apple what they must do, but Apple may appeal the order, or if “Apple believes that compliance with this order would be unreasonably burdensome,” they may make an application to this court for relief within five business days.
Apple chose to appeal, and also to argue their case in “the court of public opinion”. That option is not always possible since certain court orders prohibit disclosure of the request altogether. In any event, the issue became moot when the government was able to obtain the data on the phone through other still undisclosed means. The debate is still important as it influences policy.
Ethical Issues
• Authority to search
– Device owned by SB County
– Court order based on showing of probable cause.
– Genuine Probable Cause exists in this case
• Broader separate issue
– Intentional vulnerabilities (back doors) in
phone sold to other customers
– Many problems with this
Legal Issues
• All Writs Act – a very broad law used to provide the
courts authority to order.
• At issue is the burden this imposes on Apple and
whether that is appropriate. Apple further argued 1st
amendment rights (no compelled speech).
• 4th Amendment Rights not at issue in this matter as
cause has been established.
• 4th Amendment is an issue in the broader discussion
regarding impact on privacy of other users.
• Would complying create a precedent?
Public Policy Issues
• Impact of Required Backdoors
• Requirements to provide access to cloud data
Technical Issues
• What data likely on phone: location, app data including
communications.
• Which keys
– Data key combined phone specific & passcode
– Entropy of passcode
– Different key (Apple’s) used to sign new iOS.
– Creating Backdoor vs using vulnerability
• Why not Google
– Open nature of Android means different parties needed to
sign the code.
– Similar technical approaches exist.
• Newer hardware and iOS: capability for secure element (used for
payment, but similar techniques can be applied).
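The "Which keys" bullets above, worked through as an added example (not part of the lecture slides): the data key depends on both a device-specific key and the passcode, so the passcode's entropy sets the search space and every guess has to be made with that device's key. PBKDF2 is used as a stand-in construction, and the device key values, iteration count and 80 ms per-guess cost are assumptions made for illustration.

```python
import hashlib
import math

# Constructed sample values standing in for per-device hardware keys
# (assumption: such a key is fused into the device and not readable by software).
DEVICE_UID_A = bytes.fromhex("a1" * 32)
DEVICE_UID_B = bytes.fromhex("b2" * 32)

KDF_ITERATIONS = 20_000             # assumed work factor for this sketch
SECONDS_PER_ON_DEVICE_GUESS = 0.08  # assumed cost of one attempt on the device


def derive_data_key(passcode: str, device_uid: bytes) -> bytes:
    """Combine the passcode with the device-specific key into a 256-bit data key.

    PBKDF2-HMAC-SHA256 is a stand-in here, not the vendor's real construction.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), device_uid, KDF_ITERATIONS, dklen=32
    )


def passcode_entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on entropy: assumes every passcode is equally likely."""
    return length * math.log2(alphabet_size)


def worst_case_search_seconds(
    alphabet_size: int,
    length: int,
    seconds_per_guess: float = SECONDS_PER_ON_DEVICE_GUESS,
) -> float:
    """Time to try every passcode when each guess must run on the device."""
    return (alphabet_size ** length) * seconds_per_guess


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Passcode policies a device owner or administrator might choose between.
PASSCODE_POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("6 chars, a-z and 0-9", 36, 6),
    ("8 chars, a-z and 0-9", 36, 8),
]


def policy_table():
    """Return (policy, entropy in bits, worst-case search time) per policy."""
    return [
        (
            label,
            round(passcode_entropy_bits(alphabet, length), 1),
            humanize(worst_case_search_seconds(alphabet, length)),
        )
        for label, alphabet, length in PASSCODE_POLICIES
    ]


if __name__ == "__main__":
    # Same passcode, different device key: the data keys are unrelated, so a
    # copy of the encrypted storage is of no use away from the device itself.
    key_a = derive_data_key("1234", DEVICE_UID_A)
    key_b = derive_data_key("1234", DEVICE_UID_B)
    print("same passcode, same key across devices?", key_a == key_b)

    for label, bits, duration in policy_table():
        print(f"{label:<22} {bits:>5} bits   worst case {duration}")
```

With guessing confined to the device, the passcode policy is the control the owner actually has: under these assumptions a 4-digit PIN is exhausted in minutes, which is why attempt limits and longer passcodes matter.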
International issues
• Level Playing Field
– Other Countries will demand same access
• Access to cloud data across jurisdictions
– International assistance
In the News
FBI paid $1M for iPhone hack – CBS News – April 21, 2016
• http://www.cbsnews.com/news/fbi-paid-more-than-1-million-for-
san-bernardino-iphone-hack-james-comey/
• LONDON -- FBI Director James Comey alluded to the fact the
bureau paid more than $1 million for the method used to disable
the security feature of the San Bernardino shooter's iPhone.
• At an Aspen Institute discussion in London, Comey said the FBI
paid more money than he would make in the time left as FBI
director.
INF529: Security and Privacy
In Informatics
Wikileaks v. CIA
Prof. Clifford Neuman
Lecture 9
12 March 2020
Online
An Overview
• A couple of news stories
• Now let’s analyze using the same framework
Ethical Issues
Apple v FBI
• Authority to search
– Device owned by SB County
– Court order based on showing of probable cause.
– Genuine Probable Cause exists in this case
• Broader separate issue
– Intentional vulnerabilities (back doors) in phone sold to other customers
– Many problems with this
Wikileaks Disclosure
• Authority to “hack”
• Broader separate issue
Legal Issues
Apple v FBI
• All Writs Act
• Burden on 3rd parties
• Constitutionality
• Precedent.
Wikileaks Disclosures
Is the Hacking legal?
Broader Public Policy Issues
Apple v FBI
• Impact of Required Backdoors
• Requirements to provide access to existing data.
Wikileaks Disclosures
• Use of existing exploits
• Duty to protect?
Technical Issues
Apple v FBI
• Data on Phone
• Cryptography
• Security of Software
• Upgrades
Wikileaks Disclosures
• IoT Security
• Sensors Everywhere
International issues
Apple v FBI
• Level Playing Field
• Access across jurisdictions
Wikileaks Disclosures
• Level Playing Field
Turning Devices Off
• How the NSA can 'turn on' your phone remotely –
CNN Money June 6 2014 - Jose Pagliery
• Even if you power off your cell phone, the U.S. government can turn it back on.
• That's what ex-spy Edward Snowden revealed in last week's interview with NBC's
Brian Williams. It sounds like sorcery. Can someone truly bring your phone back to life
without touching it?
• No. But government spies can get your phone to play dead.
• It's a crafty hack. You press the button. The device buzzes. You see the usual power-
off animation. The screen goes black. But it'll secretly stay on -- microphone listening
and camera recording.
Why some apps want access to the microphone
• FTC Warns App Developers Over Use of Audio Tracking
Code
– Used to figure out what is playing on the TV in the
background.
– But what else does this imply?
Camera Access
• Disable Your Laptop's Built-in Webcam to Protect Your Privacy – Mark Wilson – Lifehacker – 6/27/14
• Windows: Webcams offer a window into your home, and they've been known to be targets for malware. If you have a built-in camera, here's how to disable it and protect yourself.
• Malware can take over webcams, so there is potential for your camera to spy on you. You can easily disable an external webcam just by unplugging it, but things are a little different for integrated cameras.
• The simple solution is to just pop a piece of tape over the lens, but this is not ideal. Sticky residue is left behind, and there is a risk that your improved privacy shield could fall off. You could turn to third party software, but you can also disable a webcam from within Device Manager.
Some Questions
• What’s newsworthy?
– None of what came out is really surprising in that we have known of these kinds of weaknesses for some time. We voluntarily surround ourselves with surveillance devices, i.e. cameras and microphones and location tracking, and it is only the strength of the security for the software on these devices that has protected us, and we know that the state of software security is abysmal.
Some Questions
• How worried should the general public be about
claims the government agencies can hack their
electronic devices?
– The public should be very concerned that their devices
are hackable, not just by our own government agencies,
but even more so by foreign intelligence services that
also use these techniques, and by criminal enterprises
that may have or might acquire such capabilities.
Some Questions
• Could you explain how you see the main
vulnerabilities to users — is it mainly from apps or
devices and operating systems?
– The weaknesses are all in software, and that includes apps,
operating systems, and software running on internet of things
type devices like smart TVs. The impact occurs because the
(vulnerable) software on these devices has access to the
sensors that acquire sensitive information.
Some Questions
• What can tech companies do to protect users?
– "control their software supply chains". By this I mean that they need to
digitally sign updates to the software that runs on their devices, and
protect the systems they use for development and distribution of such
updates. They also need to ensure that things like "apps" that might
run on their systems are appropriately examined before they are
endorsed for use by their customers.
Some Questions
• Have the WikiLeaks releases provided enough
detail for tech companies to recognize
vulnerabilities and fix them?
– It helps direct scrutiny to the areas that need examination and it will
assist companies in identifying and fixing vulnerabilities; the current set
of vulnerabilities will only be replaced by a new set of zero-days down
the road, and one should never consider a software system to be
completely secure.
Some Questions
• Wikileaks said in a statement it is "avoiding the
distribution of 'armed' cyber weapons” — how
damaging could these tools be if they fell into the
hands of hackers and cyber criminals?
– Many of these tools are already in the hands of cyber-criminals, and
some might have been purchased from that community.
Some Questions
• How worried should we be that our smart TVs and wifi-
enabled refrigerators and toasters could be spying on us?
– They already are; the only question is one of what they do with the information
they collect. We expect the information to be used for our benefit. More often
than not, some of that information is used for commercial purposes (marketing),
and as we saw from these leaks, the information may also be used for intelligence
gathering. The only question is how much confidence we have in the software
running on those devices, and the answer to that is "not much confidence at all".
– Regularly when we install apps on our devices, we grant permission for the app to
access sensitive information (camera, microphone, address book, location, etc).
More often than not, if the app is commercial, that information is being sent to the
provider of the app. Consider recent changes to the location information gathered
by the Uber app. The capability of apps to collect such information is not surprising.
Disclosure of Techniques in Legal Proceedings
• In FBI hacks, tech firms get left in the dark as feds resist
call to divulge secrets - Los Angeles Times, March 31, 2016.
– In US, when evidence is presented in court, defense has
opportunity to refute, and due process may require
disclosure of methods through which the evidence was
collected.
– In many cases, this limits the prosecutor's ability to
present certain pieces of evidence.
5th Amendment Rights?
Child porn suspect jailed indefinitely for refusing to decrypt
hard drives – Ars Technica – April 27, 2016 – By David Kravets
A Philadelphia man suspected of possessing child pornography has been in
jail for seven months and counting after being found in contempt of a court
order demanding that he decrypt two password-protected hard drives.
The suspect, a former Philadelphia Police Department sergeant, has not
been charged with any child porn crimes. Instead, he remains indefinitely
imprisoned in Philadelphia's Federal Detention Center for refusing to unlock
two drives encrypted with Apple's FileVault software in a case that once
again highlights the extent to which the authorities are going to crack
encrypted devices. The man is to remain jailed "until such time that he fully
complies" with the decryption order.
Tracking TOR users
February 2016
• A judge has ordered the Federal Bureau of Investigation to turn over the complete code it used to infiltrate a child pornography site on the Dark Web, Motherboard reports. The FBI seized the Tor-based site known as "Playpen" in February 2015 and kept it running via its own servers for two weeks -- during this time, the bureau deployed a hacking tool that identified at least 1,300 IP addresses of visitors to the site worldwide.
• Playpen was "the largest remaining known child pornography hidden service in the world," according to the FBI. Roughly 137 people have been charged in the sting so far, Motherboard says. On Wednesday, a lawyer for one of the defendants won the right to view all of the code that the FBI used during the Playpen operation, apparently including the exploit that bypassed the Tor Browser's security features.