UK security forces claim to have reliable way to decrypt encrypted WhatsApp messages

By Caleb Chen

Authorities in the UK have announced that they have uncovered the last WhatsApp message sent by the perpetrator of the Westminster attack. The news was first reported by The Independent, which wrote: “Details of the method used cannot be disclosed for security reasons, but sources said they now have the technical expertise to repeat the process in future.”

Are WhatsApp messages really protected and encrypted?

The UK authorities won’t reveal exactly how the supposedly encrypted WhatsApp message was decrypted. We don’t know if the message was taken from the device’s RAM, from some sort of predictive text messaging cache, from an encryption backdoor, granted by divine intervention or a giant smurf, or given up by the encrypted WhatsApp message recipient’s device somehow – and we won’t. They simply won’t tell us for “security reasons.” All they would say is that the uncovering of the WhatsApp message came about as a result of “human and technical intelligence.”

They did question the recipient of the message “extensively” but they let him go after it was determined that he did not participate in the plot. Still, security forces were confident that they now know how to recover WhatsApp messages. Those who are concerned about Facebook and WhatsApp can and should leave both platforms. This is actually an opinion shared by Facebook. According to The Economic Times, Facebook India’s counsel K K Venugopal told the Indian Supreme Court:

“Those who find the new privacy policy irksome or violative of their fundamental rights, can quit. We’ve given full freedom to users to withdraw from Facebook and WhatsApp.”

The post UK security forces claim to have reliable way to decrypt encrypted WhatsApp messages appeared first on Privacy Online News.

April 30, 2017 at 04:46AM
via Privacy Online News

Pirate Bay Founder Launches Anonymous Domain Registration Service

By Ernesto

In recent years, copyright holders have taken aim at the domain name industry, calling on players to take a more active approach against piracy.

One of the often heard complaints is that website owners use Whois masking services to ensure their privacy.

There are several companies dedicated to offering privacy to domain registrants and today, rightsholders will see a well-known adversary entering the market.

Former Pirate Bay spokesperson and co-founder Peter Sunde has just announced his latest venture. Keeping up his fight for privacy on the Internet, he’s launching a new company called Njalla, which helps site operators shield their identities from prying eyes.

The name Njalla refers to the traditional hut that Sámi people use to keep predators at bay. It’s built on a tall stump of a tree or pole and is used to store food or other goods.

On the Internet, Njalla helps to keep people’s domain names private. While anonymizer services aren’t anything new, Sunde’s company takes a different approach compared to most of the competition.


With Njalla, customers don’t buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust.

A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes.

TorrentFreak spoke to Peter Sunde who says that the service is needed to ensure that people can register domain names without having to worry about being exposed.

“Njalla is needed because we’re going the wrong way in society regarding people’s right to be anonymous. With social media pressuring us to be less anonymous and services being centralized, we need alternatives,” Sunde says.

The current domain privacy services aren’t really providing anonymity, Sunde believes, which is why he decided to fill this gap.

“All key parts of the Internet need to have options for anonymity, and the domain name area is something which was never really protected. At best you can buy a domain name using ‘privacy by proxy’ services, which are aimed more at limiting spam than actually protecting your privacy.”

With a co-founder of The Pirate Bay behind it, Njalla might also get some pirate sites as customers. Since Njalla owns the domain names, this could lead to some pressure from rightsholders, but Sunde isn’t really worried about this.

“The domain name itself is not really what they’re after. They’re after the content that the domain name points to. So we’re never helping with anything that might infringe on anything anyhow, so it’s a non-question for us,” Sunde says.

For those who are interested, Njalla just opened its website for business. The company is registered with the fitting name 1337 LLC and is based in Nevis, a small island in the Caribbean Sea.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

April 19, 2017 at 04:20PM
via TorrentFreak

As Russian internet censorship grows, Twitter reportedly agrees to move some user data to servers in Russia

By Caleb Chen

Twitter has reportedly agreed to comply with Russia’s Big Brother law – which forces tech companies to store data on Russian soil. Russia’s Big Brother laws, passed in July of 2016, force companies like Twitter to store all of the personal user data they have on Russians, in Russia. While Twitter declined to make any sort of official comment on the matter, a source close to Twitter told TechCrunch that no guarantees had been made, though talks were ongoing. Roskomnadzor head Aleksander Zharov told RT:

“Twitter has formally confirmed in a letter that it will relocate bases with personal data of Russians to Russia’s servers.”

Twitter currently stores no user data in Russia. According to the Roskomnadzor, Twitter will have migrated servers by mid 2018 and will join Apple and Google in complying with Russia’s data localization laws.

Twitter is Russia’s Big Brother law’s newest victim, but not its only one

Russia even plans to enlist VPNs and proxies in their internet censorship war, and will block those services that do not acquiesce. It’s worth noting that Private Internet Access closed its servers in Russia, and doesn’t intend to return because of this change in legislation as well as other illegal actions by the Russian government. In July of 2016, Russia passed a series of laws which Edward Snowden referred to as “an unworkable, unjustifiable violation of rights.” The laws aren’t even popular with the ISPs and telcos that need to enforce them given that the burden of cost is all on them.

Around the world, companies that wish to service Russian internet users have had to decide whether to store personal data about Russians in Russia to comply with the new laws, which would give up all personal information about their Russian users to the Russian government – something that happens by design under the Russian Big Brother laws. Some companies, like Microsoft’s LinkedIn, have chosen to leave Russia, and have been added to the Roskomnadzor’s blacklist for that reason. Others, like Twitter, have chosen to acquiesce – potentially putting metadata about Russian activists on Twitter under the direct control of the Russian government.

The post As Russian internet censorship grows, Twitter reportedly agrees to move some user data to servers in Russia appeared first on Privacy Online News.

April 20, 2017 at 02:04PM
via Privacy Online News

The Bill of Rights at the Border: Fifth Amendment Protections for Account Passwords and Device Passcodes

By Stephanie Lacambra

This is the third and final installment in our series on the Constitution at the border. Today, we’ll focus on the Fifth Amendment and passwords. Part 1 covered the First Amendment and Part 2 the Fourth Amendment.

Lately, a big question on everyone’s mind has been: Do I have to give my password to customs agents?

As anyone who’s ever watched any cop show knows, the Fifth Amendment gives you the right to remain silent and to refuse to provide evidence against yourself – even at the border. If a CBP agent asks you a question, you can tell them you choose to remain silent and want to speak to an attorney, even if you don’t have one retained yet. That choice may not stop CBP agents from pressuring you to “voluntarily” talk to them, but they are supposed to stop questioning you once you ask for a lawyer. Also, beware that government agents are permitted to lie to you in order to convince you to waive your right to remain silent, but you can be criminally prosecuted if you lie to them.

CBP agents are unlikely to advise you that you have this choice because the government generally argues that such warnings are only required if you are taken into “custody” and subjected to a criminal prosecution. And at least one federal court of appeals has determined that secondary inspection – the separate interview area you get referred to if the CBP officer can’t readily verify your information at the initial port of entry – doesn’t qualify as “custody.”

But you don’t have to be in custody or subject to a criminal prosecution before you choose to invoke your Fifth Amendment rights to remain silent or to object to being deprived of your property without due process of law. For example, the Second Circuit Court of Appeals has held that a person’s request for an attorney is enough to invoke the privilege against self-incrimination, even at the border.

And that privilege includes refusing to provide the password to your device. For example, in 2015, a Pennsylvania court held that you may properly invoke the Fifth Amendment privilege to avoid giving up your cell phone passcode – even to an employer’s phone – because your passcode is personal in nature and producing it requires you to speak or testify against yourself. 

Some courts have been less protective, overriding Fifth Amendment protections where the information sought is a so-called “foregone conclusion.” In 2012, a Colorado court ordered a defendant to provide the password to her laptop, only after the government had obtained a search warrant based on the defendant’s admission that there was specific content on her laptop and that the laptop belonged to her. On appeal, the Eleventh Circuit clarified that the government “must [first] show with some reasonable particularity that it seeks a certain file and is aware, based on other information, that . . . the file exists in some specified location” and that the individual has access to the desired file or is capable of decrypting it.

So, Fifth Amendment protections do apply at the border, and they protect your right to refuse to reveal your password in most circumstances. That said, individuals passing through the border sometimes choose to surrender their account information and passwords anyway, in order to avoid consequences like missing their flight, being made subject to more constrictive or prolonged detention, or being denied entry to the US.

As we have noted in our Digital Border Search Whitepaper, the consequences for refusing to provide your password(s) are different for different classes of individuals. If you are a U.S. citizen, CBP cannot detain you indefinitely as you have a right to re-enter the country. However, agents may escalate the encounter (for example, by detaining you for more time), or flag you for heightened screening during future border crossings. If you are a lawful permanent resident, agents may also raise complicated questions about your continued status as a resident. If you are a foreign visitor, agents might deny you entry to the country entirely.

But whatever your status, whether you choose to provide your passwords or not, border agents may decide to seize your digital devices. While CBP guidelines set a five-day deadline for agents to return detained devices unless a CBP supervisor approves a lengthier detention, in practice, device detentions commonly last many months.

As always, we want to hear from you if you experience harm or harassment from CBP for choosing to protect your digital data. We’re still collecting stories of border search abuses at:

We recommend that you review our pocket guides for Knowing Your Rights and Protecting Your Digital Data Privacy at the border for a general overview or take a look at our Border Search Whitepaper for a deeper dive into the potential issues and questions you may face.

And join EFF in calling for stronger Constitutional protection for your digital information by contacting Congress on this issue today.

April 19, 2017 at 07:35PM
via Deeplinks

EFF to California Supreme Court: Website Owners Have a First Amendment Right to Defend Content on Their Platform

By Jamie Williams and Karen Gullo

A bad review on Yelp is anathema to a business. No one wants to get trashed online. But the First Amendment protects both the reviewer’s opinion and Yelp’s right to publish it. A California appeals court ran roughshod over the First Amendment when it ordered Yelp to comply with an injunction to take down speech without giving the website any opportunity to challenge the injunction’s factual basis. The case is on appeal to the California Supreme Court, and EFF filed an amicus brief asking the court to overturn the lower court’s dangerous holding.

The case, Hassell v. Bird, is procedurally complicated. A lawyer, Dawn Hassell, sued a former client, Ava Bird, for defamation in California state court over a negative Yelp review. Bird never responded to the lawsuit, so the trial court entered a default judgment against her. The court—at Hassell’s request—not only ordered Bird to remove her own reviews, but also ordered Yelp to remove them—even though Yelp was never named as a party to the suit. (If this kind of abuse of a default judgment sounds familiar, that’s not a coincidence; it seems to be increasingly common—and it’s a real threat to online speech.)

Yelp challenged the order, asserting that Hassell failed to prove that the post at issue was actually defamatory, that Yelp could not be held liable for the speech pursuant to the Communications Decency Act, 47 U.S.C. § 230 (“Section 230”), and that Yelp could not be compelled to take down the post as a non-party to the suit. The trial court rejected Yelp’s arguments and refused to recognize Yelp’s free speech rights as a content provider. The California Court of Appeal affirmed the trial court’s decision, holding that Yelp could be forced to remove the supposedly defamatory speech from its website without any opportunity to argue that the reviews were accurate or otherwise constitutionally protected.

This decision is frankly just wrong—and for multiple reasons. Neither court seemed to understand that the First Amendment protects not only authors and speakers, but also those who publish or distribute their words. Both courts completely precluded Yelp, a publisher of online content, from challenging whether the speech it was being ordered to take down was defamatory—i.e., whether the injunction to take down the speech could be justified. And the court of appeals ignored its special obligation, pursuant to California law, to conduct an “independent examination of the record” in First Amendment cases.

Both courts also seemed to completely ignore the U.S. Supreme Court’s clear holding that issuing an injunction against a non-party is a constitutionally-prohibited violation of due process.

EFF—along with the ACLU of Northern California and the Public Participation Project—urged the California Supreme Court to accept the case for review back in August 2016. The court agreed to review the case in September, and we just joined an amicus brief urging the court to overrule the problematic holding below. 

Our brief—drafted by Jeremy Rosen of Horvitz & Levy and joined by a host of other organizations dedicated to free speech—explains to the California Supreme Court that the First Amendment places a very high bar on speech-restricting injunctions. A default judgment simply cannot provide a sufficient factual basis for meeting that bar, and the injunction issued against Yelp in this case was improper. We also explained that the injunction violated clear Supreme Court case law and Yelp’s due process rights, and that the injunction violates Section 230, which prohibits courts from holding websites liable for the speech of third parties.

As Santa Clara University law school professor Eric Goldman noted in a blog post about the case, the appeals court’s decision opens up a host of opportunities for misuse and threatens to rip a “hole” in Section 230’s protections for online speech—protections that already seem to be weakening. If not overturned, as the already pervasive misuse of default judgments teaches, this case will surely lead to similar injunctions that infringe on publishers’ free speech rights without giving them any notice or opportunity to be heard. The California Supreme Court cannot allow this.

April 18, 2017 at 03:40PM
via Deeplinks

When Did You First Realize the Importance of Online Privacy?

By Rainey Reitman

Was there a moment in your life when you had an awakening about the importance of digital privacy? 

Maybe your parents snooped around an email account when you forgot to log out. Maybe photos you thought were private ended up online. Maybe you didn’t land your dream job, and you suspect an old LiveJournal account still visible in search results of your name may be the culprit. Maybe you got hacked.

We’re collecting stories from people about the moment digital privacy first started mattering in their lives. Through this collection, we’re hoping to illustrate the varied, often deeply personal reasons that people care about digital privacy. This isn’t a dry policy issue; corporate data practices have lasting ramifications on people’s everyday lives. And the recent vote by Congress to allow companies like Comcast and Time Warner to have unfettered access to our browsing habits puts our privacy even more at risk.

We launched the project by sending reporter David Spark to the Security BSides conference in San Francisco, where many fans of digital liberty often come to see EFF and other speakers discuss topics like security, privacy, and online freedom. In the video above, we collected some of those stories.

Want to add to the conversation? Post a blog post, article, tweet, or short video, and then share it on Twitter using the hashtag #privacystory. We’ll be collecting these, blogging about them and retweeting them to help spur a broader public conversation about the value of privacy in our digital world.

Special thanks to David Spark (@dspark) and Spark Media Solutions, with the support of Remediant, for the production of this video. Creative Commons music attribution to Ben Rama for the song “Binary Iteration.”

April 12, 2017 at 03:35PM
via Deeplinks

It’s “National Get a VPN Day” in Australia

By Andy

For so many years, citizens have believed that what they do online is largely a private matter. Some continue to labor under the misconception that online events are somewhat transient but in many respects the Internet is becoming the network that never forgets.

In March 2015, Australia’s parliament passed legislation which requires all Internet service providers and telecoms companies to store their customers’ metadata. Despite cries from the public, the law swept into the books largely unhindered.

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (pdf) covers large swathes of data. When a subscriber uses the Internet, for example, telcos are required to log their account name, date, time and connection duration against the service they access.

Companies are also required to log location data, including where any communications begin and where they terminate. Fixed line, WiFi, and cell phone connections are all covered by the legislation, which scoops up data on everything from social networking activity to visits to file-sharing sites.

Considering the scale of the project, ISPs and other telcos were given a year to have systems installed to handle the huge quantities of data involved in spying on millions of Australians. That deadline ran out today, meaning that for the man in the street, online privacy is now a thing of the past. Or is it?

Australian privacy rights group Digital Rights Watch (DRW) think they can make a difference. A few hours ago they urged citizens to fight back against mass surveillance, declaring today, April 13, “National Get a VPN Day.”

“It’s important that we mark this date – and pause to remember that a detailed picture of the private lives of Australian citizens is being collected by telecommunication companies on behalf of the Government. Many interactions we have in the digital world are being collected and stored by our communications providers, all without adequate safeguards,” says Digital Rights Watch Chair Tim Singleton Norton.

DRW notes that the growing uptake of VPN services among Australians is a sign that the public doesn’t appreciate being spied on. While that’s almost certainly the case, Aussies have a long history of VPN use for other purposes too.

For years, when Netflix wasn’t available locally, Australians bought the service from overseas territories, such as the United States. Then, when Netflix finally landed on local shores, people used VPNs to access the better content selections available on Netflix in other countries.

Then last year, following massive pressure from copyright holders, VPN services received yet another boost when the Federal Court handed down instructions for ISPs to block The Pirate Bay and several other pirate sites.

So, along with fighting geo-restriction and web blockades, ISP surveillance is now giving Aussies yet another reason to pick up a VPN, if they don’t have one already.

“That’s why we’ve declared today as a national day of action – we’re calling upon Australian citizens to educate themselves about the scale of this surveillance and take precautions accordingly,” DRW says.

“If the government wants to surveil its citizens, then we’ll do everything in our power to equip people to circumvent that surveillance. If it takes every Australian having to run their digital lives through a VPN for the government to recognise that, then so be it.”

In addition to launching a Twitter campaign (#GetaVPN), DRW has an advice page with links to sites and resources offering information on VPNs and their use. TF’s own VPN anonymity guide is featured along with other good resources.

April 12, 2017 at 09:36AM
via TorrentFreak