Canada incentivizes mass surveillance with a mobile app called Carrot Rewards

By Caleb Chen

The Canadian government is using carrots to lure in new helpers in its quest for mass surveillance powers. A new app called Carrot Rewards is a behavioral modification mobile app that was originally created to reward users with redeemable points for taking healthy actions. Carrot Rewards’ founder Andreas Souvaliotis explained to CTV that he had originally started the company to focus on health but quickly realized, through government partnerships, that his app would also be effective in “modifying behavior in other areas as well.” Now, Carrot Rewards has raised over $1.5 million from several local Canadian governments and has rolled out the app to hundreds of thousands of users. According to a July 2017 press release, more than 1% of the Canadian population already has this app downloaded – including over 200k Ontarians.

Would you give up your privacy for a carrot?

Per Carrot’s privacy policy, the app (and therefore its government partners) has permission to “access and collect information from your mobile device, including but not limited to, geo-location data, accelerometer/gyroscope data, your mobile device’s camera, microphone, contacts, calendar and Bluetooth connectivity in order to operate additional functionalities of the Services.” The Foundation for Economic Education (FEE) called the app “creepy.”

While Canada offers only carrots, other countries offer sticks, too

Another question that begs to be asked is this: What is the stick in this carrot and stick approach? In China, where a social credit score is being used to monitor people, a higher score for doing government-approved actions is used as a carrot while a lower score for doing government-disapproved actions is used as a stick. Lower scores can result in lowered internet connection speeds from the state-run ISPs or a host of other government-sanctioned penalties, for instance. While the Canadian government hasn’t yet funded an app called “Stick Enforcement,” that could be in the stars.


August 2, 2017 at 03:34PM
via Privacy Online News

Encrypted Media Extensions: Copyright, DRM and the end of the open Web

By Glyn Moody

The World Wide Web Consortium (W3C), which sets standards for the Web, has released what it calls a “disposition of comments”, designed to address objections to the controversial Encrypted Media Extensions (EME). EME is officially “a common API that may be used to discover, select and interact with content encryption systems”. In practice, for the first time it builds DRM officially into the very fabric of the Web, a move that will destroy an openness that has underpinned it since its public release in 1991.

The “disposition of comments” is the formal version of an earlier blog post by the inventor of the Web, Sir Tim Berners-Lee, which he published back in February. There he explains in more detail why he wants to allow DRM to become part of HTML. It’s clear from both documents that the central argument is that the W3C is simply standardizing an existing situation where many DRM schemes are used, and that by providing a rigorous framework it is making life easier and better for the user. In fact, the W3C even went so far as to insist on Twitter that “There’s no DRM baked in the EME spec.” But as Florian Rivoal pointed out in reply, this is like claiming “Guns are not dangerous if you don’t put bullets in them. We’re just working on guns not bullets, so we’re not doing anything dangerous.”

Some people objected to the comparison, saying that DRM should not be compared to bullets, because DRM can’t kill. But it can, thanks to one of the biggest policy defeats ever suffered by civil society: the WIPO Copyright Treaty, agreed in 1996. Article 11 says:

“Contracting Parties shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors in connection with the exercise of their rights under this Treaty or the Berne Convention”

This is the famous anti-circumvention provision, which is enshrined in the Digital Millennium Copyright Act in the US, and the European Copyright Directive in the EU. It means that it is illegal to circumvent DRM applied to copyright material, even for legal purposes. It effectively raises the protection of copyright material above all other rights. In a world where software is becoming ubiquitous, that’s a big problem. Software is covered by copyright, which means that if DRM is applied to protecting that software, it is illegal to circumvent it, even in order to save lives. Here’s why that is not hyperbole:

“Because of the DMCA, as much as 40% of the computer code in [critical] medical devices remains untested for safety by independent security experts. I am confident that I would find serious flaws in some or all of these devices if the DMCA did not prevent my research. Because of this lack of safety research, as a type 1 diabetic, I feel that using an insulin pump is too unsafe, and I instead self-inject with needles many times daily. I am not alone in this safety assessment: other diabetic security researchers behave similarly.”

As that analysis by a security research professional points out, thanks to the DMCA’s ban on circumventing DRM, it is impossible to look at the code in insulin pumps, artificial organs, birth control implants, kidney dialysis machines and morphine infusion pumps that collectively keep millions of people alive. There is thus no way of checking whether such systems have bugs that could lead to injury or death, either through accidental malfunction or because of malicious interference. One person taking the latter threat very seriously is former US Vice-President Dick Cheney, whose heart defibrillator was modified to prevent external access. DRM can indeed kill, although probably not when used on Web pages. But even there it is undeniably harmful, as Berners-Lee recognizes:

“Since EME directly interacts with CDMs [Content Decryption Modules – the DRM “bullets” for EME’s “gun”], it may appear that the W3C specification sanctions the notion that research into EME may be deemed “circumvention” under copyright anti-circumvention laws.”

Cory Doctorow explains how top researchers, digital rights activists and well-known tech organizations all suggested ways of addressing that serious issue, but copyright companies refused to allow even the narrowest protection to researchers. Instead, this is what the W3C came up with:

“We also recommend that such [organizations involved in DRM and EME implementations] not use the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA) and similar laws around the world to prevent security and privacy research on the specification or on implementations.”

A “recommendation” – a pious hope – with no obligation, is worthless in terms of shielding researchers. They will naturally want to avoid the risk of prosecution, and so EME code will remain unchecked by them, making it likely that bugs will not be spotted. Thus, contrary to Berners-Lee’s claim that the new DRM in HTML approach will bring with it better security – one of his primary justifications for EME – it will in fact mean that there are unsuspected, possibly serious vulnerabilities.

And yet even the problems caused by anti-circumvention laws are dwarfed by the central threat of the new EME approach: that once a precedent has been set by introducing it for video, it will then be extended to other media. Berners-Lee himself admits this is a risk:

“For books, yes this could be a problem, because there have been a large number of closed non-web devices which people are used to, and for which the publishers are used to using DRM. For many the physical devices have been replaced by apps, including DRM, on general purpose devices like closed phones or open computers. We can hope that the industry, in moving to a web model, will also give up DRM, but it isn’t clear.”

Even that downplays the full catalog of horrors we could face once DRM has been definitively blessed and normalized by the W3C as an official part of HTML (the Free Software Foundation points out that there is still a tiny chance it could be stopped.) Some years back, the EFF spelt out what EME could lead to:

“A Web where you cannot cut and paste text; where your browser can’t “Save As…” an image; where the “allowed” uses of saved files are monitored beyond the browser; where JavaScript is sealed away in opaque tombs; and maybe even where we can no longer effectively “View Source” on some sites, is a very different Web from the one we have today.”

It is simply tragic that the man who created the World Wide Web, and then, in an act of great generosity, released it freely to the world, should acquiesce in this terrible mistake that will destroy a key aspect of his gift: its openness.

Featured image by Nino Barbieri.


July 9, 2017 at 05:25PM
via Privacy Online News

Canadian Supreme Court decision forces Google to participate in censorship by removing search results worldwide

By Caleb Chen

A recent decision by the Canadian Supreme Court will force Google to remove a particular site from search results all around the world, not just in Canada. While Canada has committed to upholding net neutrality and treating all data traffic the same, it has definitely also taken a hard stance on how it wishes to treat search results. The Canadian Supreme Court ruled 7-2 to uphold an order to force Google to de-index and de-list an entire domain from its search results all over the world. The recent court decision strikes down Google’s appeal of that order. The EFF in America tried to intervene in the case, telling the Canadian courts that the injunction ran contrary to American law. Despite that, the Supreme Court defended its decision:

“This is not an order to remove speech that, on its face, engages freedom of expression values, it is an order to de-index websites that are in violation of several court orders. We have not, to date, accepted that freedom of expression requires the facilitation of the unlawful sale of goods.”

Canada enforces censorship worldwide

David Christopher, a spokesperson for the Open Media Group, explained that the Canadian Supreme Court decision potentially opens a Pandora’s box of censorship all around the world:

“There is great risk that governments and commercial entities will see this ruling as justifying censorship requests that could result in perfectly legal and legitimate content disappearing off the web because of a court order in the opposite corner of the globe.”

Even if this particular site violated Canadian law and is rightfully delisted within its jurisdiction, being able to extend Canadian law onto the global internet is a huge stretch and sets us on a very slippery slope. What if a country like Iran decides to force Google to block things that are expressly illegal in Iran but completely legal most everywhere else around the world? In fact, this particular case, involving copyright infringement, was very likely cherry-picked to provide the least amount of public resistance. The fact of the matter remains: An international legal censorship precedent has been set. Dina PoKempner of Human Rights Watch also commented:

“The court presumed no one could object to delisting someone it considered an intellectual property violator. But other countries may soon follow this example, in ways that more obviously force Google to become the world’s censor. If every country tries to enforce its own idea of what is proper to put on the Internet globally, we will soon have a race to the bottom where human rights will be the loser.”

Google responded:

“We are carefully reviewing the court’s findings and evaluating our next steps.”


June 29, 2017 at 01:56PM
via Privacy Online News

Bag searches at borders reveal more than ornamental nipple clamps

By Simon Davies


Bag searches at the border are becoming a privacy issue. Simon Davies explains why we need to put our foot down on zealous security officials. 

The online world is replete with embarrassing tales of air travellers who have suffered the indignity of having the intimate contents of their luggage aired in public by zealous security officials. I’ve seen more and more of these accounts lately, often involving the waving around of everything from kinky underwear to jumbo condom packets.

I can empathise, though on this occasion I’d like to focus on the rarely discussed aspect of international rail travel.

Some time ago, I travelled by train from Hamburg to Copenhagen. It’s normally a peaceful journey, stopping along the way to board the ferry between the towns of Puttgarden (on the German side) and Rodby (on the Denmark side).

On this occasion the trip was not so convivial. Thanks to various reactionary government edicts, border controls throughout this European region – and almost everywhere else – have been ramped up (though there is, as some reports describe it, a glimmer of hope that the EU borders are being relaxed in places).

Three border officials approached me en masse and politely requested to search my bags. Well, they asked as politely as border officials are pathologically able to ask.

As seasoned travellers will know, I use the word “requested” with a tinge of irony. Refusing search requests at a border would probably result in me being escorted to the next train back to Germany. Cancellation of your privacy and fourth amendment rights is not confined to airports.

It turned out that “probable cause” and “reasonable suspicion” are not legal terms in the vocabulary of most officials. I reluctantly consented, under protest.

I’ll hand them something; they were meticulous. Meticulous to the point of obsession. In hindsight, when they asked if I had any drugs on me I shouldn’t have responded “No, but I know a guy who does if you really want some”. You can’t get away with joviality at the border, even on a train.

The search began in earnest and I started to worry whether I might have something “of interest”, or even slightly humiliating. After a few weeks of travel you collect a lot of random stuff. You know, some prankster friend hilariously gives you a pair of ornamental nipple clamps after a long night on the booze. That sort of thing. I got to thinking of that iconic search scene in Austin Powers. The one with the Swedish penis enlarger pump.

On a more serious note, did I pack those conference papers on terrorist networking? Or that academic report on radicalism? Shades of the McCarthyism era sprang to mind.

They started by holding aloft a roll of toilet paper from my backpack.

OK, let me be clear here. There are some items that the long-haul traveller packs as a matter of necessity. Toilet paper is one such item.

I polled a number of colleagues on this point, and our list of essentials and emergency items eerily converged. We all travel for long periods and have independently gained a common understanding of such matters. For the record, here is the list:

Passport, umbrella, grocery bags, power adapter, ethernet cable, toilet roll and basic toiletries, combined bottle opener and cork screw, pen and paper, aspirin, water bottle, ingredients for making tea or coffee, plasters, spare shoe laces, reading material, rubber bands, snacks, cash, dental floss and ear plugs.

Beyond that list, almost everything is suspect – but also toilet roll, apparently.

“Why do you carry this?” enquired one of the sanitary investigation officials in a voice that may or may not have been loud enough to be overheard in Romania.

There really is no easy answer to that line of questioning, so I resorted to shrugging my shoulders rather than doing a mime act on my behind. This did provide some amusement to fellow travellers, some of whom had abandoned their crossword puzzles and MP3 players to observe the scene.

Another official found a small hand carved wooden duck which was given to me as a gift by a conference in Norway. I had completely forgotten about that duck.

It was a beautiful duck, doubtless carved by rustic artists from an ancient Spruce tree on the shores of a remote exotic fjord. Someone had gone to the trouble of daubing it with art-nouveau yellow and blue circles, just like ducks aren’t.

The officials were intrigued. “What is this?” one asked, slowly turning it around like an antiques expert. Fellow passengers also seemed curious to know. After all, they had become part of this show.

They prodded that duck. They held it to the light, shook it, tapped it and meddled with its bits. “Are there drugs in here?”

I explained that it was just a duck. I then went on to show them the relevant conference programme and my talk on jurisdictional conflicts arising from the General Data Protection Regulation. You would think that investigatory people would have an opinion on that subject, but apparently not. They don’t make border officials like they used to.

After the duck controversy had been resolved, they discovered a bag of electrical peripherals – or “wiring”, as they described it. That is, three mobile phone chargers, the essential ethernet cable, a micro USB cable, remote drive, batteries and sundry other items necessary for the digitally connected traveller.

Thankfully there was enough sense among the posse to move on from an interrogation about explosives equipment.

This search went on for a further few minutes until the bags were exhausted of opportunity. What slightly annoyed me was that they didn’t even find the bag of sugar that I carry with me. They did, however, enjoy going through my documents and correspondence and loudly enquiring about particular aspects, such as a trip to Moscow and personal correspondence with a former UK Home Secretary. There is no requirement to log such observations.

The point of this diatribe is that border people need to learn some respect for people’s dignity and privacy. Codes of conduct that currently exist for pat-downs should be extended to bag searches to provide some assurance of personal rights. This applies in particular to searches on trains and buses, where the proximity of other travellers is intimate and close.

The UK government, as an example, employs a standard that requires bags to be checked in front of the traveller, but offers no guidance on how those items are checked. Nor does it offer advice on how officials should avoid humiliating searches. The codes of Canada and Australia are similarly vacant.

Yes, I understand that in the big scheme of things in privacy – or even in border privacy – this aspect might seem trivial, but it is often those more arcane elements of privacy that end up setting a broader standard for us all.

June 25, 2017 at 08:52PM
via The Privacy Surgeon

Australia wants to be able to read your encrypted messages

By Caleb Chen

Australia’s Attorney General Senator Brandis announced over the weekend that he would be leading the discussion on squeezing tech firms and forcing them to put encryption backdoors in secure messaging apps at the next annual meeting of public security ministers and attorneys general from the Five Eyes countries (United States, Canada, United Kingdom, New Zealand, and Australia). Brandis announced his plan to seek greater power over encrypted messaging and the tech firms that provide it in a joint statement:

“I will raise the need to address ongoing challenges posed by terrorists and criminals using encryption. These discussions will focus on the need to cooperate with service providers to ensure reasonable assistance is provided to law enforcement and security agencies.”

It is still entirely unclear how these politicians would propose forcing tech firms to be able to decrypt messages without a backdoor – but it is clear that they will be discussing it in earnest at the upcoming closed door meeting of these five countries’ security arms.

Australia to push tech companies for a way to read encrypted messages, continues to deny that such a thing is a backdoor

Beyond the conundrum of how to technically provide a way to decrypt encrypted messages without an encryption backdoor… What about citizens’ right to privacy? Earlier this month, as Australia’s plans to talk about encrypted messaging at the upcoming Five Eyes meeting were first being unveiled, Australia’s cyber security special advisor, Alastair MacGibbon, tried to justify the move by saying that:

“From time to time we do expect our privacy to be breached. From time to time you would expect a law enforcement agency to break into a private communication online.”

That is to say – the government is still actively trying to peddle the poisonous idea that privacy is not an absolute thing. Brandis will likely find an ally in the United Kingdom, where Theresa May has called for censorship and encryption backdoors of their own. Russia is even attempting to ban Telegram, their homegrown encrypted messaging app. In sharp contrast, politicians in Europe have been calling for “state-of-the-art,” end-to-end encryption and a clear lack of backdoors.


June 26, 2017 at 02:50PM
via Privacy Online News

Private Internet Access shines the cat signal for net neutrality

By Caleb Chen

Today, Private Internet Access is shining the cat signal with a full page ad in the New York Times to gain support for the Net Neutrality Day of Action that Fight for the Future and other organizations are planning at Battle for the Net.

We, the people of the Internet, have stopped these draconian attempts to close our access to the open internet in the past, and we must do so again each time. Join us at the Internet Defense League for this and future actions.

Cat Signal shines in the New York Times


June 25, 2017 at 02:02AM
via Privacy Online News

Does US have right to data on overseas servers? We’re about to find out

By David Kravets

The Justice Department on Friday petitioned the US Supreme Court to step into an international legal thicket, one that asks whether US search warrants extend to data stored on foreign servers. The US government says it has the legal right, with a valid court warrant, to reach into the world’s servers with the assistance of the tech sector, no matter where the data is stored.

The request for Supreme Court intervention concerns a 4-year-old legal battle between Microsoft and the US government over data stored on Dublin, Ireland servers. The US government has a valid warrant for the e-mail as part of a drug investigation. Microsoft balked at the warrant, and convinced a federal appeals court that US law does not apply to foreign data.

The government on Friday told the justices that US law allows it to get overseas data, and national security was at risk.

June 25, 2017 at 07:10AM
via Ars Technica UK