Archive for April, 2012

Drone Authorizations in the US Include Police Departments

April 28, 2012

Just a pointer to this interesting article by the EFF about drone authorizations issued to public as well as private institutions in the US. There are no big surprises with public institutions like DARPA or border patrol, nor with the many research institutions. Interestingly, a number of police departments are included in the list, suggesting that they already use, or are planning to use, drones in police work.


Alleged Hacker Caught Using Image GPS data

April 26, 2012

Based on this image an alleged hacker was caught.

The FBI caught an alleged hacker of multiple government websites because he posted a picture of his girlfriend’s décolletage on Twitter (see picture on the right). Unfortunately for him, he apparently forgot that all iPhone photos include GPS information about where the photo was taken, and many picture-storage websites, such as Flickr or Twitpic, retain this information. This seems not to be the case with Facebook; I suppose they re-encode the images and do not include position information (at least not for users). Even though many people are aware of this, the case makes apparent how much private information we expose just by uploading an image. The stored information includes not only the GPS position but also altitude, viewing direction (!) and of course the exact date and time. Here is an example of the information an iPhone image contains:

So if you are a hacker and want to tease the FBI, I would suggest taking a screenshot of the picture before uploading it, because screenshots do not include GPS coordinates (yet). I encourage you to try it out yourself by uploading a picture you took to Jeffrey’s EXIF viewer.
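As an added check (example code written for this page, not from the post or from any tool it mentions): a minimal parser for the Exif/TIFF payload that iPhone photos embed, which reports the GPS position if one is present, so you can inspect a photo before uploading it. It builds its own constructed sample payload instead of reading a real photo, and assumes the bytes after the `Exif\0\0` marker of the JPEG APP1 segment have already been extracted.

```python
import struct

GPS_IFD_TAG = 0x8825          # IFD0 entry that points at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5

def dms_rational(deg):
    """Encode positive decimal degrees as three Exif RATIONALs: deg/1, min/1, msec/1000."""
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 1000)
    return struct.pack("<6I", d, 1, m, 1, s, 1000)

def build_sample_exif(lat, lat_ref, lon, lon_ref):
    """Constructed little-endian Exif/TIFF payload: header @0, IFD0 @8, GPS IFD @26, lat @80, lon @104."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, TYPE_LONG, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 0x0001, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")  # GPSLatitudeRef
    gps += struct.pack("<HHII", 0x0002, TYPE_RATIONAL, 3, 80)                          # GPSLatitude
    gps += struct.pack("<HHI4s", 0x0003, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")  # GPSLongitudeRef
    gps += struct.pack("<HHII", 0x0004, TYPE_RATIONAL, 3, 104)                         # GPSLongitude
    gps += struct.pack("<I", 0)
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + dms_rational(lat) + dms_rational(lon)

def read_ifd(data, offset, e):
    """Parse one IFD into {tag: (type, count, value_or_offset, offset_of_value_field)}."""
    n, = struct.unpack_from(e + "H", data, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, cnt, val = struct.unpack_from(e + "HHII", data, pos)
        entries[tag] = (typ, cnt, val, pos + 8)
    return entries

def extract_gps(exif):
    """Return (lat, lon) in decimal degrees if the payload carries a position, else None."""
    e = "<" if exif[:2] == b"II" else ">"   # byte order from the TIFF header
    ifd0_off, = struct.unpack_from(e + "I", exif, 4)
    ifd0 = read_ifd(exif, ifd0_off, e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(exif, ifd0[GPS_IFD_TAG][2], e)
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None   # GPS IFD present but no usable coordinate pair
    def degrees(entry):
        v = struct.unpack_from(e + "6I", exif, entry[2])
        return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    lat, lon = degrees(gps[2]), degrees(gps[4])
    if exif[gps[1][3]:gps[1][3] + 1] == b"S": lat = -lat   # hemisphere refs sit inline in the entry
    if exif[gps[3][3]:gps[3][3] + 1] == b"W": lon = -lon
    return round(lat, 5), round(lon, 5)
```

`extract_gps(build_sample_exif(48.2082, "N", 16.3738, "E"))` returns the constructed Vienna position `(48.2082, 16.3738)`; a payload without a GPS IFD returns `None`, which is what you want to see before uploading.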

Read more about GPS location in images at the EFF.

A Solution to Internet Snooping in the EU

April 23, 2012

Starting from April 1st, the so-called “Vorratsdatenspeicherung” (VDS, data retention) took effect in Austria (after Austria was sued by the EU for non-compliance in 2010). Basically, this law requires telecommunication providers (telcos, ISPs) to store all communication data (though not the content of calls, emails etc.) for six months. There is much controversy about this law and a growing opposition to it. But rather than writing about VDS, which has been discussed in numerous places before, I find it much more interesting to look at the situation in other countries.

Generally, the EU Data Retention Directive requires member states to store Internet connection information for at least six months. Some member states, such as France, Bulgaria and the Netherlands, have already implemented the directive; others resisted, got sued by the EU, and are implementing it now, such as Sweden or Austria. Germany implemented it in 2008 but stopped in 2010 following a court ruling that VDS is unconstitutional.

Further, and most notably, in the UK a proposed bill is currently making the rounds which would amount to an extension of VDS. The big difference to Austria is that in the UK this bill would allow real-time government surveillance, and surveillance without any warrant. For the time being, no message content would be surveilled, but, as this article points out, in a time of crisis that is just a small step to take. This is especially interesting since the current UK government pledged in its coalition agreement that it would stop storage of Internet data without reason! But I would have been surprised if they had actually stopped it. I find it rather surprising that they didn’t manage to pass such a bill well before the 2012 Olympics, for which security and surveillance systems were upgraded significantly.

I believe that generally there is no reason why ISPs and telcos should not store connection data (not content). I would be surprised if they don’t do that already anyway. And I think it is okay to use this data in criminal investigations.

However, I do see a problem if this data can be accessed at any time, without any warrant and without explaining yourself to anyone. In Austria, the police do need a warrant and are only allowed to access this data if the crime in question carries a sentence of over two years in prison. But this is not enough; there needs to be stricter regulation. I propose an external, independent institution (ideally directly elected) that oversees police access to this data. In Austria, this might be the “Datenschutzkommission” (DSK, data protection agency). The police would regularly have to report which data they accessed and, more importantly, why. This institution would have to have the authority and political independence to stop access and inform the public. In return, this institution has to publish regular public reports on its work. Of course, it has to be adequately funded, with enough people to check and regulate, which is definitely not the case right now at the DSK. I believe it is only fair to provide more financial resources for this, since these new regulations cost the telcos and ISPs significantly more money, which they will collect from their customers.

A true democracy can only work if for every power there is an opposition. This is an ancient concept and works in Parliament and between the different branches of the state. So if one institution has the power to surveil communication data, there should be an opposition to hold the balance. This is how it works in a democracy, and I think this is where all of us want to live.
