inf529: security and privacy in informatics

INF529: Security and Privacy In Informatics International and Jurisdictional Issues Prof. Clifford Neuman Lecture 9 27 March 2020 Online via Webex


INF529: Security and Privacy

In Informatics

International and Jurisdictional Issues

Prof. Clifford Neuman

Lecture 9, 27 March 2020, Online via Webex


Course Outline

• What data is out there and how is it used

• Technical means of protection

• Identification, Authentication, Audit

• The right of or expectation of privacy

• Social Networks and the social contract – February 21st

• Criminal law, National Security, and Privacy – March 6th

• Big data – Privacy Considerations – March 13th

• International law, Jurisdiction, Privacy Regulations

• Privacy Regulation (civil) and also Healthcare – April 3rd

• The Internet of Things – April 10th

• Technology – April 17th

• Other Topics – April 24th

• The future – What can we do – May 1st


Homework 2: Big Data, Due 1 April

Consider the articles that have been assigned as readings in the past three weeks (from the website, and from the lecture slides). Based on these readings, and discussions in class, please answer the following question.

Explain how machine learning, data mining, and statistical inference methods can use “big data” about us in ways that are against our personal well-being. How can these techniques uncover (or discover) possibly incorrect information, and how do they create or reinforce profiles and stereotypes that society has long sought to abolish.

Your answer should be roughly four pages in length (about 1600 to 2000 words), but this is not a strict limit. Please submit your answers before noon on Monday 27 March sending your submissions to [email protected].


Today’s Presentations

International Law and Jurisdictional Conflict

• Weici Mah – Privacy in China Today

• Amarbir Singh – Cyber Warfare

• Shannon Tee - How China uses Facial Recognition

• Pavas Navaney – Data residency and localization

• Brian Ostler – International Law for Security/Privacy


April 3rd Presentations

Healthcare and Privacy

• Uma Kanumuri – HIPAA and other Healthcare Privacy Regulation

• Pratyush Prakhar - Healthcare IoT

Internet of Things

• Aditya Goindi – Privacy in Internet of Things

• Ayush Ambastha – IoT and the Threat to Privacy

• Yang Xue – The internet of things and ratings

• Jianan Wu – The Future of IoT Privacy


April 10th Presentations

Internet of Things

• Divya Sinha - Security of Internet of Things

• Marco Gomez - Doorbells, Refrigerators, voice video

• Douglas Platt - Digital Voice Assistants

• Khalid Mansory - Autonomous vehicles and Aerial drones

• Mohhamed Abatain - Autonomous vehicles and Aerial drones

• Jaynee Shah - IOT Wearables, Connected Cars, Smarthome

• Fudha Alabdulrazaq - Amazon Alexa Privacy Concerns

• MaryLiza Walker - Rise of IoT – Impact on Privacy


April 17th Presentations

Privacy Technologies

• Neekita Salvankar - Geospatial Data and Privacy

• Kriti Jain - Blockchain and Data Privacy

• Dimple Gajra - Privacy in the Chrome Browser

• Vraj Patel - privacy-focused browsing

• Aakarsh Sharma - A Framework for Improving Data Privacy and Security of Public Cloud-based Enterprise Resource Planning Systems - Privacy in Cloud Computing


April 24th Presentations

Elections and Politics

• Jon Melloy - Elections

• Carlin Cherry - Security of Political data and its monetization


May 1st Presentations

Biometrics and related technologies

• Vaidhyanathan S - Privacy Concerns for Biometrics

• Yi-Ting Lin - Privacy of Facial Recognition

• Haotian Mai - Access and use of DNA database by government agencies especially for criminal investigation.


Privacy In China Today

INF 529 Weici Ma

Spring 2020


Presentation Outline

• Hong Kong’s Personal Data (Privacy) Ordinance

• Mainland China’s Cybersecurity Law

• Recent Incidents


Personal Data (Privacy) Ordinance


The Personal Data Protection Landscape in Asia

(Map labels, jurisdiction and year:)

• S. Korea - 2011

• Hong Kong - 1995

• Macau - 2005

• Singapore - 2012

• Malaysia - 2010

• Vietnam - 2010

• India - 2011

• Japan - 2003

• Taiwan - 2010

• Philippines - 2012

• Thailand - 1997

• Nepal - 2007

• Indonesia - 2016


Personal Data (Privacy) Ordinance

• Enacted in 1995

• Core provisions came into effect on 20 December 1996

• Covers the public (government) and private sectors


What is “Personal Data” in policy?

“Personal data” means any data:

• Relating to a living individual;

• Practicable

• Any representation of information (including an expression of opinion) in any document.


Some Unexpected Incidents

China’s Cybersecurity Law


China’s Cybersecurity Law

• Effective on 1 June 2017

• Purposes:

- Guarantee cybersecurity

- Safeguard national security and public interest

- Protect lawful rights and interests of citizens, legal persons and other organizations

- Promote sound development of economic and social informatization


China’s Cybersecurity Law

• Scope of Application:

- Administration of cybersecurity

- Network operators

- Technology companies

• Data Collection & Use:

- Notify users and obtain their consent

- Follow principles of legality, rightfulness and necessity


China’s Cybersecurity Law

- Data Accuracy & Record Retention:

- No tampering

- Preserve weblogs for not less than 6 months

- Data Security & Breach Notification

- Keep users’ personal information confidential

- Prevent information leakage, damage and loss

- Take remedial measures


China’s Cybersecurity Law

- Data Deletion & Correction:

- Individual can request network operator to delete his personal information

- Individual can request network operator to correct his personal information


China’s Cybersecurity Law

Data Localization & Cross-Border Data Transfer:

- Important data collected and produced by CII operators during their operations within China shall be stored within China.

- Data sent overseas should be assessed by the Cyberspace Administration of China (CAC)


China’s Cybersecurity Law

Sanctions and Fines:

• Warning, confiscate illegal income and impose

• If no illegal income, impose fine on both company and directly responsible person

• Suspend operation, or revoke business permit or license


Apple Opening Data Centre in China to Comply With Cybersecurity Law

Source: The New York Times 12 July 2017


Direct Marketing Conviction Cases on PCPD

Date | Case | Penalty

Nov 2016 | Two financial intermediaries used personal data in direct marketing without taking specified actions and obtaining data subject’s consent, total 11 charges, and all convicted. | Two companies fined $165,000 in total ($15,000 per charge), plus damages to claimants for 25% of profits ($47,800).

Dec 2016 | A watch company used an individual’s personal data in direct marketing without taking specified actions and obtaining his consent. The company also failed to inform the individual of his opt-out right when using his personal data in direct marketing for the first time. | Fined $8,000 for each charge

Jan 2017 | A bank failed to comply with client’s opt-out request. | Fined $10,000


Shannon Tee


Background

• Facial recognition technology used to identify, authenticate/verify, categorize an individual

• 200 million surveillance cameras reported in China during November 2019 and projected to rise to 626 million by 2020

• Facial recognition has become widespread in China and a convenience according to some citizens

• Pay for purchases such as at convenience stores, restaurants, and pharmacies

• Scan faces instead of using bank cards at some ATMs

• Unlock your house just by looking into a camera

• Check into airports, hotels, trains, and hospitals


How authorities are using it

• Project Skynet and Sharp Eyes

• Identify blacklisted or wanted individuals

• Railway police use facial recognition sunglasses to screen and identify people

• Some provinces record and shame jaywalkers

• Toilet paper dispensers use the technology to prevent stealing from public bathrooms

• Help individuals recover stolen motorcycles or lost purses

• Assist storeowners in figuring out who was stealing from their stores

• Identify a single person among stadium crowds of tens of thousands of people


Privacy vs. Security

• Intrusive to individuals’ privacy since the systems collect and process people’s biometric facial data

• Damage could be irreversible since can’t be changed/updated like a password

• Few regulations dictating where it can be used and what happens to the data that is collected

• China’s authorities cite safety and public order as reasons for deploying facial recognition

• Some citizens also willing to trade their privacy for public security


China introduces face scans for mobile users

• Required to have face scanned when registering for new mobile phone service so authorities can verify identity matches ID provided

• Government wants to “protect the legitimate rights and interest of citizens”

• Get rid of anonymous phone numbers and internet accounts

• Smart phones morphed into identity authenticators and therefore need strong authentication when subscribing to a new service

• Some complain China has seen too many data breaches: “Before thieves knew what your name was, in the future they’ll know what you’ll look like”

December 2019


How China is using AI to profile a minority

• Devoted major resources towards facial recognition technology to look for and track Uyghurs, a large Muslim minority

• Those who grow a beard or visit a mosque are often flagged by system and interrogated

• Many are thrown into re-education camps to undergo “political education”

• A Uyghur was placed on house arrest where policeman would call to ask where he was going every time he opened his front door

• China claims they’re battling ethnic violence and Uyghur terror attacks

• Companies who sell technology are not aware it’s being used to profile, but focused on well-being and safety of individual citizens rather than monitoring groups

• Facial recognition technology is imperfect and accuracy depends on various factors such as environmental factors and training data

May 2019


How China is using AI to fight coronavirus

• Upgrading thermal scanners in train stations to include facial recognition technology

• Allows train station employees to swiftly and accurately identify those who may have fever without individually testing everyone

• Man ordered by local authorities to quarantine himself for 14 days after returning to Sichuan from Hubei, the province at center of outbreak

• Believed they tracked his movements using the four cameras near his house to ensure he didn’t leave his place

March 2020

“Facial recognition and the real-name system will help us track down those who have been potentially exposed to the virus and effectively curb spreading of pathogen”

- Zeng Yixin, Deputy Director of China’s National Health Commission


Social Credit Score

Vast ranking system that will monitor the behavior of its population and rank them based on their social credit score

Those deemed “untrustworthy” with low scores will be penalized with measures like transportation restrictions or loss of employment and educational opportunities, while those with high scores get perks like utility bill discounts and faster application processes to travel abroad

Trustworthiness score can fluctuate based on actions – going up for good deeds such as donating to charity or going down for negative actions such as getting a speeding ticket

Images from surveillance cameras and facial recognition software can influence the social credit score

Pedestrians caught jaywalking more than five times a year will be classified as ‘untrustworthy’ and have their social credit score lowered


Regulations

• Personal Information Specification, under the Cybersecurity Law, is the most extensive document to date on protection of personal information

• Addresses collection, processing, transfer, disclosure, and consent needed for personal information

• Not law or regulation that requires mandatory compliance

• Consent not required for the purpose of national and social security, public interest, or criminal case investigation

• National Information Security Standardization Technical Committee (TC260) is working on security requirements for online verification systems using facial recognition

• China Communications Standards Association is working on regulations for the use of facial recognition in mobile smart devices


Regulations

• 2017 National Intelligence Law – any organization or citizen shall support, assist, and cooperate with the state intelligence work in accordance with the law

• 2014 Counter-Espionage Law – organizations and individuals must truthfully provide and not refuse relevant evidence when the state security investigates and understands the situation of espionage

• Country’s first lawsuit against use of facial recognition technology filed in November 2019


In relation to United States

• Chinese authorities find public security more important than privacy, while regulators in Europe/US want to ensure consumers’ privacy rights are respected

• In 2019, Department of Commerce added 28 Chinese AI and digital surveillance companies to the blacklist of those banned from doing business in the United States

• Prevent Chinese companies from providing tech infrastructure that is hard to replace once it’s been acquired and used for China’s intelligence and military organizations

• Creates division with commerce organizations focused on free trade and further disruption in ongoing trade negotiations between US and China


Conclusion

• Privacy vs. Security

• Provides convenience and security in China at the expense of privacy

• Aligns with the East’s cybersecurity approach to have centralized, state-centric government command and control

• Facial recognition systems are not perfect

• Potential bias in technology and sensitive to environmental factors

• Lack of regulations surrounding use of facial recognition especially for China government’s use



Pavas Navaney

March 27th 2020

Data Residency and Localization


Data Residency v/s Data Localization

Data residency is when an organization specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons.

By contrast, data localization is when a law requires that data created within a certain territory stays within that territory.


Objectives of Residency/Localization

1. Exert more control over data retention and thereby have greater control over compliance.

2. In the EU, it is seen as means to encourage data controllers to store and process data within the EU or within those countries deemed to have the same level of data protection as in the EU, as opposed to moving data to those territories considered to have less than “adequate” data protection regimes.

3. To strengthen the market position of local data center providers by forcing data to be stored in-country.


However, it is important to note that accessing personal data is considered a “transfer” under data protection law.

Additionally, payment processing functions also sometimes occur in other countries, so make sure to consider them as well. This is an important point that is often missed or misunderstood.


DR/DL and GDPR

Q. Does GDPR introduce any data residency or localization obligations?

GDPR does not introduce and does not include any data residency or localization obligations.

Having said that, it is important to note that local law may impose certain requirements on the location of the data storage.


Russian Data Localization Law

In 2015, Russia introduced a data localization law, requiring “data operators” to ensure that recording, systematization, accumulation, storage, refinement and extraction of personal data of Russian citizens is done using databases located in Russia.

In 2015, this law did not give the Russian data protection authority the ability to impose any meaningful monetary penalties. Instead it just was able to block websites that it deemed to be non-compliant.

A new law was passed in December 2019. Under the new law, fines for first time offences for legal entities can be between USD 16,000 – USD 96,000, increasing to USD 288,000 for repeat offences.


Russia Bans LinkedIn

On Nov. 17, 2016, Roskomnadzor (the Russian data protection authority) included LinkedIn within the database on the Register of Personal Data Infringers as a violator of data subjects’ rights and sent an order to telecommunications companies to block access to LinkedIn within Russia. The order was issued according to a Moscow District Court decision from August 4, 2016, to block LinkedIn, and was followed by the formal opinion of Moscow City Court from November 10 to uphold that decision.

US is a partially adequate country in terms of data protection.


The Court concluded that LinkedIn’s servers are located only in the U.S. based on publicly available data from the WHOIS database. Therefore, LinkedIn is in non-compliance with the requirement to transfer Russian user data to servers located in Russia. According to the law, personal data from Russian users should be collected and processed in Russia, any change or amendment to such data should be always collected, stored and further processed in Russia, and any subsequent processing abroad should be exactly the same as the processing already done in Russia.

Source: https://iapp.org/news/a/why-linkedin-was-banned-in-russia/


German Telecom Data Retention Law

On May 28, 2015, the German government adopted a draft law that would require telecommunications and Internet service providers to retain Internet and telephone usage data.

User location data retained for a period of four weeks.

The draft law also requires the data to be deleted without undue delay after the expiration of the relevant retention period, and in any event, within one week following the expiration of the retention period.


Telecommunications and Internet service providers also would be required to ensure that:

1. data is stored in accordance with the highest possible levels of security

2. data is stored within Germany.

3. measures are in place to protect data from unauthorized inspection and use.

Non-compliance with the data retention requirements would constitute an administrative offense that would be punishable by a maximum fine of 500,000 EUR.


Data Localization Laws - Countries

Country | Scope

Australia | Health Records

Canada (Nova Scotia, British Columbia) | All Personal Data

China | Personal, Business & Financial Data

Germany | Telecommunications Metadata

India | Payment System Data

Kazakhstan | Servers running on country domain (.kz)

Nigeria | All Government Data

Russia | All Personal Data

South Korea | Geospatial and Map Data

Vietnam | Service Providers Usage Data


Data Transfer to Other Locations

Q. So, if there is no data residency or localization requirement under GDPR, can we transfer the data to other locations?

Yes, if there is a legal transfer mechanism in place. Some of the mechanisms are:

1. Adequacy

2. Binding Corporate Rules

3. Standard Contractual Clauses / Model Clauses

4. Privacy Shield


Data Protection Around the World


Privacy Shield Framework

The Privacy Shield Framework, approved by the European Union (EU) and U.S. Government, is a recognized mechanism for complying with EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the United States.


7 Principles of Privacy Shield

1. Notice

2. Choice

3. Accountability for Onward Transfer

4. Security

5. Data Integrity and Purpose Limitation

6. Access

7. Recourse, Enforcement and Liability


Advantages of DL/DR

Data is considered as a ‘new form of wealth’. With data localization, domestic companies and the country’s economy will be benefited.

While investigating crimes, there will be a need to access the payments data.

Data localization laws result in setting up of multiple data centers locally. This will create many jobs and will help the country’s economy immensely.

Data localization is also important for data sovereignty.


Disadvantages of DL/DR

Without efficient infrastructure, the data is prone to cyber attacks.

Data localization is also a threat to the main essence of the internet.

Data localization may result in government surveillance of its citizens.

It is also against intellectual property rights because they use their intelligence to form systems that can benefit from the data it generates.


Data Residency doesn’t provide Security

Data Residency doesn’t provide security because :

1. Most Vulnerabilities are Exploited Remotely.

2. Manual Processes Present Risk of Human Error.

3. Insider Threats Prevail as a Significant Risk.


References

1. https://iapp.org/news/a/why-linkedin-was-banned-in-russia/

2. https://www.huntonprivacyblog.com/2015/06/04/germany-adopts-telecom-data-retention-law-includes-localization-requirement/

3. https://www.groupdiscussionideas.com/data-localisation-benefits-challenges/

4. https://d1.awsstatic.com/whitepapers/compliance/Data_Residency_Whitepaper.pdf

5. https://www.bankinfosecurity.asia/interviews/impact-localization-on-cloud-service-providers-i-4330

6. https://www.impact-advisors.com/security/eu-us-privacy-shield-framework/

7. https://www.privacyshield.gov/list


References (Contd.)

8. https://blog.eperi.com/en/data-protection-on-premise-vs.-the-cloud-the-advantages-and-disadvantages

9. https://www.cnil.fr/en/data-protection-around-the-world

10. https://en.wikipedia.org/wiki/Data_localization

11. https://www.insightsforprofessionals.com/en-us/it/storage/data-sovereignty-data-residency-data-localization


Efforts to Establish International Cybercrime Law

Brian Ostler


Agenda

• Regionally recognized treaties

• UN Protocols / Working Groups

• Recent Proposal


Major International Organizations

• G8

• United Nations

• International Telecommunications Union

• Council of Europe


Budapest Convention

• First international cybercrime treaty presented at the Council of Europe

• Presented for signature in 2001

• Ratified by 5 countries by 2004

• Currently ratified by 64 countries

• Considered by some as controversial


Related International Treaties

• United Nations Convention Against Transnational Organized Crime (2000)

• United Nations Optional Protocol to the Convention on the Rights of the Child (2001)

• CoE Additional Protocol on the Convention on Cybercrime (2003)

• CoE Convention on the Protection of Children (2007)


United Nations

• UN Resolution

• General assembly resolutions are mostly non-binding, unless explicitly instructive to their addressees

• UN Group of Governmental Experts

• UN Open Ended Working Group


New UN Resolution (December 2019)

• Russian-drafted resolution

• Establishes a committee of experts to consider a new UN cybercrime treaty

• Meant to replace the Budapest Convention

• Lots of ambiguity in defining criminal use of information and communications technologies


Future Concerns

• Lack of specificity can criminalize ordinary behavior

• Human rights can be infringed upon in many ways

• Potential to overreach in the disclosure of data requested

• Conflicts with already established OEWG

• Excludes key stakeholders in favor of closed committee


References

• Budapest Convention

• https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185

• GGEs / OEWGs

• https://dig.watch/processes/un-gge

• December 2019 UN Resolution

• https://www.cfr.org/blog/new-un-cybercrime-treaty-way-forward-supporters-open-free-and-secure-internet

• https://www.undocs.org/A/74/401

• https://www.apc.org/sites/default/files/Open_letter_re_UNGA_cybercrime_resolution_0.pdf


INF529: Security and Privacy

In Informatics

Apple v. FBI

Prof. Clifford Neuman

Lecture 9, 13 March 2020, Online


Access to Data on Protected Devices

• For many years, law enforcement has been accessing data on devices seized in raids, or incident to arrest. There is a whole business around forensic analysis of such devices.

• With the widespread adoption of memory encryption in phones around 2014 this process was made more difficult.

• There had been proposed legislation to limit this kind of effective encryption, and we saw some of these bills earlier in this class. The events that follow affect the debate on some of those bills.


Apple opposes order to help FBI unlock phone belonging to San Bernardino shooter


The News Release


The Motion and Order

The motion describes the reasons that the government is seeking an order to force Apple to assist them in getting access to the data on the device, and it describes the specific steps that they want Apple to perform.

Once issued (if issued) the order tells Apple what they must do, but Apple may appeal the order, or if “Apple believes that compliance with this order would be unreasonably burdensome,” they may make an application to this court for relief within five business days.

Apple chose to appeal, and also to argue their case in “the court of public opinion”. That option is not always possible, since certain court orders prohibit disclosure of the request altogether. In any event, the issue became moot when the government was able to obtain the data on the phone through other, still undisclosed, means. The debate is still important as it influences policy.

Page 92: INF529: Security and Privacy In Informatics

Ethical Issues

• Authority to search

– Device owned by SB County

– Court order based on showing of probable cause.

– Genuine probable cause exists in this case

• Broader separate issue

– Intentional vulnerabilities (back doors) in phone sold to other customers

– Many problems with this

Page 93: INF529: Security and Privacy In Informatics

Legal Issues

• All Writs Act – a very broad law used to provide the courts authority to order.

• At issue is the burden this imposes on Apple and whether that is appropriate. Apple further argued 1st Amendment rights (no compelled speech).

• 4th Amendment rights not at issue in this matter as cause has been established.

• 4th Amendment is an issue in the broader discussion regarding impact on privacy of other users.

• Would complying create a precedent?

Page 94: INF529: Security and Privacy In Informatics

Public Policy Issues

• Impact of Required Backdoors

• Requirements to provide access to cloud data

Page 95: INF529: Security and Privacy In Informatics

Technical Issues

• What data likely on phone: location, app data including

communications.

• Which keys

– Data key combined phone specific & passcode

– Entropy of passcode

– Different key (Apple’s) used to sign new iOS.

– Creating Backdoor vs using vulnerability

• Why not Google

– Open nature of Android means different parties needed to

sign the code.

– Similar technical approaches exist.

• Newer hardware and iOS: capability for secure element (used for payment, but similar techniques can be applied).
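The two key points on this slide (a data key that combines a device-specific key with the passcode, and the entropy of the passcode), worked through as an added example that is not from the lecture or from Apple. PBKDF2 stands in for the real derivation, and the device UID, iteration count and 80 ms per-guess cost are assumed values.

```python
import hashlib
import math

# Constructed sample value: a real device keeps its UID key inside hardware.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff")
SECONDS_PER_GUESS = 0.08  # assumed cost of one on-device key derivation


def derive_data_key(passcode, device_uid, iterations=10_000):
    """Entangle passcode and device key (PBKDF2 as a stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, iterations)


def passcode_entropy_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random passcode."""
    return length * math.log2(alphabet_size)


def worst_case_search_seconds(alphabet_size, length, per_guess=SECONDS_PER_GUESS):
    """Time to try every passcode when each guess must run on the device."""
    return (alphabet_size ** length) * per_guess


# (policy name, alphabet size, length), constructed for illustration
POLICIES = [
    ("4-digit PIN", 10, 4),
    ("6-digit PIN", 10, 6),
    ("8-char alphanumeric", 62, 8),
]


def summarize(policies=POLICIES):
    """Return (name, entropy bits, worst-case hours) per passcode policy."""
    return [
        (name, round(passcode_entropy_bits(a, n), 1),
         worst_case_search_seconds(a, n) / 3600)
        for name, a, n in policies
    ]


if __name__ == "__main__":
    for name, bits, hours in summarize():
        print(f"{name:20s} {bits:5.1f} bits  {hours:16,.1f} hours worst case")
    # Same passcode on another device yields a different data key, so the
    # encrypted data cannot be searched off the device without its UID key.
    other_uid = bytes(16)
    print(derive_data_key("1234", DEVICE_UID) != derive_data_key("1234", other_uid))
```

With a short numeric passcode, the protection rests on forcing every guess through the device and on the retry limits enforced by the signed operating system, which is why the signing key matters as much as the data key.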

Page 96: INF529: Security and Privacy In Informatics

International issues

• Level Playing Field

– Other Countries will demand same access

• Access to cloud data across jurisdictions

– International assistance

Page 97: INF529: Security and Privacy In Informatics

In the News

FBI paid $1M for iPhone hack, CBS News – April 21, 2016

• http://www.cbsnews.com/news/fbi-paid-more-than-1-million-for-san-bernardino-iphone-hack-james-comey/

• LONDON -- FBI Director James Comey alluded to the fact the

bureau paid more than $1 million for the method used to disable

the security feature of the San Bernardino shooter's iPhone.

• At an Aspen Institute discussion in London, Comey said the FBI

paid more money than he would make in the time left as FBI

director.

Page 98: INF529: Security and Privacy In Informatics

INF529: Security and Privacy

In Informatics

Wikileaks v. CIA

Prof. Clifford Neuman

Lecture 9, 12 March 2020, Online

Page 99: INF529: Security and Privacy In Informatics

An Overview

• A couple of news stories

• Now let’s analyze using the same framework

Page 100: INF529: Security and Privacy In Informatics

Ethical Issues

Apple v FBI

• Authority to search

– Device owned by SB County

– Court order based on showing of probable cause.

– Genuine probable cause exists in this case

• Broader separate issue

– Intentional vulnerabilities (back doors) in phone sold to other customers

– Many problems with this

Wikileaks Disclosure

• Authority to “hack”

• Broader separate issue

Page 101: INF529: Security and Privacy In Informatics

Legal Issues

Apple v FBI

• All Writs Act

• Burden on 3rd parties

• Constitutionality

• Precedent.

Wikileaks Disclosures

• Is the hacking legal?

Page 102: INF529: Security and Privacy In Informatics

Broader Public Policy Issues

Apple v FBI

• Impact of Required Backdoors

• Requirements to provide access to existing data.

Wikileaks Disclosures

• Use of existing exploits

• Duty to protect?

Page 103: INF529: Security and Privacy In Informatics

Technical Issues

Apple v FBI

• Data on Phone

• Cryptography

• Security of Software

• Upgrades

Wikileaks Disclosures

• IoT Security

• Sensors Everywhere

Page 104: INF529: Security and Privacy In Informatics

International issues

Apple v FBI

• Level Playing Field

• Access across jurisdictions

Wikileaks Disclosures

• Level Playing Field

Page 105: INF529: Security and Privacy In Informatics

Turning Devices Off

• How the NSA can 'turn on' your phone remotely –

CNN Money June 6 2014 - Jose Pagliery

• Even if you power off your cell phone, the U.S. government can turn it back on.

• That's what ex-spy Edward Snowden revealed in last week's interview with NBC's

Brian Williams. It sounds like sorcery. Can someone truly bring your phone back to life

without touching it?

• No. But government spies can get your phone to play dead.

• It's a crafty hack. You press the button. The device buzzes. You see the usual power-

off animation. The screen goes black. But it'll secretly stay on -- microphone listening

and camera recording.

Page 106: INF529: Security and Privacy In Informatics

Why some apps want access to the microphone

• FTC Warns App Developers Over Use of Audio Tracking

Code

– Used to figure out what is playing on the TV in the

background.

– But what else does this imply.

Page 107: INF529: Security and Privacy In Informatics

Camera Access

• Disable Your Laptop's Built-in Webcam to Protect Your Privacy – Mark Wilson – Lifehacker – 6/27/14

• Windows: Webcams offer a window into your home, and they've been known to be targets for malware. If you have a built-in camera, here's how to disable it and protect yourself.

• Malware can take over webcams, so there is potential for your camera to spy on you. You can easily disable an external webcam just by unplugging it, but things are a little different for integrated cameras.

• The simple solution is to just pop a piece of tape over the lens, but this is not ideal. Sticky residue is left behind, and there is a risk that your improved privacy shield could fall off. You could turn to third party software, but you can also disable a webcam from within Device Manager.

Page 108: INF529: Security and Privacy In Informatics

Some Questions

• What’s newsworthy?

– None of what came out is really surprising, in that we have known of these kinds of weaknesses for some time. We voluntarily surround ourselves with surveillance devices, i.e. cameras and microphones and location tracking, and it is only the strength of the security for the software on these devices that has protected us, and we know that the state of software security is abysmal.

Page 109: INF529: Security and Privacy In Informatics

Some Questions

• How worried should the general public be about claims the government agencies can hack their electronic devices?

– The public should be very concerned that their devices are hackable, not just by our own government agencies, but even more so by foreign intelligence services that also use these techniques, and by criminal enterprises that may have or might acquire such capabilities.

Page 110: INF529: Security and Privacy In Informatics

Some Questions

• Could you explain how you see the main vulnerabilities to users — is it mainly from apps or devices and operating systems?

– The weaknesses are all in software, and that includes apps, operating systems, and software running on internet of things type devices like smart TVs. The impact occurs because the (vulnerable) software on these devices has access to the sensors that acquire sensitive information.

Page 111: INF529: Security and Privacy In Informatics

Some Questions

• What can tech companies do to protect users?

– "control their software supply chains". By this I mean that they need to digitally sign updates to the software that runs on their devices, and protect the systems they use for development and distribution of such updates. They also need to ensure that things like "apps" that might run on their systems are appropriately examined before they are endorsed for use by their customers.

Page 112: INF529: Security and Privacy In Informatics

Some Questions

• Have the WikiLeaks releases provided enough

detail for tech companies to recognize

vulnerabilities and fix them?

– It helps direct scrutiny to the areas that need examination and it will assist companies in identifying and fixing vulnerabilities, but the current set of vulnerabilities will only be replaced by a new set of zero-days down the road, and one should never consider a software system to be completely secure.

Page 113: INF529: Security and Privacy In Informatics

Some Questions

• Wikileaks said in a statement it is "avoiding the

distribution of 'armed' cyber weapons” — how

damaging could these tools be if they fell into the

hands of hackers and cyber criminals?

– Many of these tools are already in the hands of cyber-criminals, and

some might have been purchased from that community.

Page 114: INF529: Security and Privacy In Informatics

Some Questions

• How worried should we be that our smart TVs and wifi-

enabled refrigerators and toasters could be spying on us?

– They already are; the only question is what they do with the information they collect. We expect the information to be used for our benefit. More often than not, some of that information is used for commercial purposes (marketing), and as we saw from these leaks, the information may also be used for intelligence gathering. The only question is how much confidence we have in the software running on those devices, and the answer to that is "not much confidence at all".

– Regularly when we install apps on our devices, we grant permission for the app to access sensitive information (camera, microphone, address book, location, etc). More often than not, if the app is commercial, that information is being sent to the provider of the app. Consider recent changes to the location information gathered by the Uber app. The capability of apps to collect such information is not surprising.

Page 115: INF529: Security and Privacy In Informatics

Disclosure of Techniques in Legal Proceedings

• In FBI hacks, tech firms get left in the dark as feds resist

call to divulge secrets - Los Angeles Times, March 31, 2016.

– In US, when evidence is presented in court, defense has opportunity to refute, and due process may require disclosure of methods through which the evidence was collected.

– In many cases, this limits the prosecutor's ability to present certain pieces of evidence.

Page 116: INF529: Security and Privacy In Informatics

5th Amendment Rights?

Child porn suspect jailed indefinitely for refusing to decrypt hard drives – Ars Technica – April 27, 2016 – By David Kravets

A Philadelphia man suspected of possessing child pornography has been in

jail for seven months and counting after being found in contempt of a court

order demanding that he decrypt two password-protected hard drives.

The suspect, a former Philadelphia Police Department sergeant, has not

been charged with any child porn crimes. Instead, he remains indefinitely

imprisoned in Philadelphia's Federal Detention Center for refusing to unlock

two drives encrypted with Apple's FileVault software in a case that once

again highlights the extent to which the authorities are going to crack

encrypted devices. The man is to remain jailed "until such time that he fully

complies" with the decryption order.

Page 117: INF529: Security and Privacy In Informatics

Tracking TOR users

February 2016

• A judge has ordered the Federal Bureau of Investigation to turn over the complete code it used to infiltrate a child pornography site on the Dark Web, Motherboard reports. The FBI seized the Tor-based site known as "Playpen" in February 2015 and kept it running via its own servers for two weeks -- during this time, the bureau deployed a hacking tool that identified at least 1,300 IP addresses of visitors to the site worldwide.

• Playpen was "the largest remaining known child pornography hidden service in the world," according to the FBI. Roughly 137 people have been charged in the sting so far, Motherboard says. On Wednesday, a lawyer for one of the defendants won the right to view all of the code that the FBI used during the Playpen operation, apparently including the exploit that bypassed the Tor Browser's security features.
