Amazon has refused to hand over recordings from an Echo smart speaker to US police investigating a murder in Arkansas. Police issued a warrant to Amazon to turn over recordings and other information associated with the device.
Amazon twice declined to provide the police with the information they requested from the device, although it did provide account information and purchase history.
Although the Echo is known for having always-on microphones to enable its voice-controlled features, the vast majority of the recordings it makes are not saved for longer than the few seconds it takes to determine if a pre-set wake word (usually
Alexa ) has been said. Only if that wake word has been heard does the device's full complement of microphones come on and begin transmitting audio to Amazon.
However the police pursuit of the data suggests there is more of interest up for grabs than Amazon is admitting.
Amazon's reluctance to part with user information fits a familiar pattern. Tech companies often see law enforcement requests for data as invasive and damaging to an industry. It is clearly an issue for sales of a home microphone system if it is easy for
the authorities to grab recordings.
Other devices have also been good data sources for police investigations. Wristwatch-style Fitbit activity trackers have cropped up in a few cases eg for checking alibis against sleep patterns or activity.
A smart water meter has also been used in a murder case as evidence of a blood clean up operation,
No matter how much governments spout bollox about mass snooping being used onlt to detect the likes of terrorism, the authorities end up sharing the data with Tom, Dick and Harry for the most trivial of reasons
Signal, an encrypted messaging apt for mobile devices had its service blocked in Egypt and UAE.
Now Signal have responded by making a new release available to those territories that should make the censors thinks twice before reaching for the block option.
The new Signal release uses a technique known as domain fronting. Many popular services and CDNs, such as Google, Amazon Cloudfront, Amazon S3, Azure, CloudFlare, Fastly, and Akamai can be used to access Signal in ways that look indistinguishable from
other uncensored traffic. The idea is that to block the target traffic, the censor would also have to block those entire services. With enough large scale services acting as domain fronts, disabling Signal starts to look like disabling the internet. When
users in the two countries send a Signal message, it will look like a normal HTTPS request to www.google.com. To block Signal messages, these countries would also have to block all of google.com.
Signal , the messaging app that prides itself on circumventing government censorship, has a few new places where its flagship feature works. Last week it was Egypt, and now users in Cuba and Oman can send messages without fear of them being intercepted
and altered by lawmakers.
The European Court of Justice has passed judgement on several linked cases in Europe requiring that ISP retain extensive records of all phone and internet communications. This includes a challenge by Labour's Tom Watson. The court wrote in a press
The Members States may not impose a general obligation to retain data on providers of electronic
EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make provision, as a preventive measure, for targeted retention of that data solely for the purpose of fighting serious crime,
provided that such retention is, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the chosen duration of retention, limited to what is strictly necessary. Access of the national
authorities to the retained data must be subject to conditions, including prior review by an independent authority and the data being retained within the EU.
In today's judgment, the Court's answer is that EU law precludes national legislation that prescribes general and indiscriminate retention of data.
The Court confirms first that the national measures at issue fall within the scope of the directive. The protection of the confidentiality of electronic communications and related traffic data guaranteed by the directive, applies to the measures taken by
all persons other than users, whether by private persons or bodies, or by State bodies.
Next, the Court finds that while that directive enables Member States to restrict the scope of the obligation to ensure the confidentiality of communications and related traffic data, it cannot justify the exception to that obligation, and in particular
to the prohibition on storage of data laid down by that directive, becoming the rule.
Further, the Court states that, in accordance with its settled case-law, the protection of the fundamental right to respect for private life requires that derogations from the protection of personal data should apply only in so far as is strictly
necessary. The Court applies that case-law to the rules governing the retention of data and those governing access to the retained data.
The Court states that, with respect to retention, the retained data, taken as a whole, is liable to allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained.
The interference by national legislation that provides for the retention of traffic data and location data with that right must therefore be considered to be particularly serious. The fact that the data is retained without the users of electronic
communications services being informed of the fact is likely to cause the persons concerned to feel that their private lives are the subject of constant surveillance. Consequently, only the objective of fighting serious crime is capable of justifying
The Court states that legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security and is not restricted to, inter alia,
providing for retention of data pertaining to a particular time period and/or geographical area and/or a group of persons likely to be involved in a serious crime. Such national legislation therefore exceeds the limits of what is strictly necessary and
cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.
The Court makes clear however that the directive does not preclude national legislation from imposing a targeted retention of data for the purpose of fighting serious crime, provided that such retention of data is, with respect to the categories of data
to be retained, the means of communication affected, the persons concerned and the retention period adopted, limited to what is strictly necessary. The Court states that any national legislation to that effect must be clear and precise and must provide
for sufficient guarantees of the protection of data against risks of misuse. The legislation must indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that the scope
of that measure is, in practice, actually limited to what is strictly necessary. In particular, such legislation must be based on objective evidence which makes it possible to identify the persons whose data is likely to reveal a link with serious
criminal offences, to contribute to fighting serious crime or to preventing a serious risk to public security.
As regards the access of the competent national authorities to the retained data, the Court confirms that the national legislation concerned cannot be limited to requiring that access should be for one of the objectives referred to in the directive, even
if that objective is to fight serious crime, but must also lay down the substantive and procedural conditions governing the access of the competent national authorities to the retained data. That legislation must be based on objective criteria in order
to define the circumstances and conditions under which the competent national authorities are to be granted access to the data. Access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals
suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime. However, in particular situations, where for example vital national security, defence or public security interests are
threatened by terrorist activities, access to the data of other persons might also be granted where there is objective evidence from which it can be inferred that that data might, in a specific case, make an effective contribution to combating such
Further, the Court considers that it is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by either a court or an independent body. In addition, the competent national authorities to whom
access to retained data has been granted must notify the persons concerned of that fact.
Given the quantity of retained data, the sensitivity of that data and the risk of unlawful access to it, the national legislation must make provision for that data to be retained within the EU and for the irreversible destruction of the data at the end
of the retention period.
The view of the authorities
David Anderson, the Independent Reviewer of Terrorism Legislation gives a lucid response outlining the government's case for
mass surveillance. However the official justification is easily summarised as it clearly assists in the detection of serious crime. He simply does not mention that the government having justified grabbing the data on grounds of serious crime detection,
will share it willy nilly with all sorts of government departments for their own convenience, way beyond the reasons set out in the official justification.
And when the authorities talk about their fight against 'serious' crime, recent governments have been updating legislation to redefine practically all crimes as 'serious' crimes. Eg possessing a single spliff may in practice be a trivial crime, but the
law on possession has a high maximum sentence that qualifies it as a 'serious' crime. It does not become trivial until it goes to court and the a trivia punishment has been handed down. So using mass snooping data would be easily justified to track down
trivial drug users.
The judgment relates to a case brought by Deputy Leader of the Labour Party, Tom Watson MP, over intrusive data retention powers. The ruling says that:
- Blanket data retention is not permissible
- Access to data must be authorised by an independent body
- Only data belonging to people who are suspected of serious crimes can be accessed
- Individuals need to be notified if their data is accessed.
At present, none of these conditions are met by UK law.
Open Rights Group intervened in the case together with Privacy International, arguing that the Data Retention and Investigatory Powers Act (DRIPA), rushed through parliament in 2014, was incompatible with EU law. While the Judgment
will no longer affect DRIPA, which expires at the end of 2016, it has major implications for the Investigatory Powers Act.
Executive Director Jim Killock said:
The CJEU has sent a clear message to the UK Government: blanket surveillance of our communications is intrusive and unacceptable in a democracy.
The Government knew this judgment was coming but Theresa May was determined to push through her snoopers' charter regardless. The Government must act quickly to re-write the IPA or be prepared to go to court again.
Data retention powers in the Investigatory Powers Act will come into effect on 30 Dec 2016. These mean that ISPs and mobile phone providers can be obliged to keep data about our communications, including a record of the websites we
visit and the apps we use. This data can be accessed by the police but also a wide range of organisations like the Food Standards Agency, the Health and Safety Executive and the Department of Health.
Online retailers in America will soon be required by law to disclose to state governments what purchases their customers have made.
The law seems to have been made up in US courts during a long-running legal case based around the jurisdiction of sales tax. An appeals court decision now requires out-of-state retailers to report to the Colorado state government the details of all
purchases, including what that purchase was and who bought it.
The US Supreme Court has refused to hear the case so the appeal court decision stands.
Colorado is not the only state pushing the requirement. Vermont will also make the same requirement three months after Colorado starts imposing the law. And other states including Alabama, South Dakota, Tennessee and Wyoming have approved similar rules.
The exec director of the American Catalog Mailers Association (ACMA), Hamilton Davison, is extremely concerned He said:
Consumers, particularly those who buy from catalogs and e-commerce merchants, put considerable trust in the businesses from which they make the most personal of purchases, he noted. This decision undermines this trust by requiring remote sellers to
report to state tax collectors on the buying habits of their customers, including health care products, apparel or other sensitive items.
The Council of the EU could undermine encryption as soon as December. It has been asking delegates from all EU countries to detail their national legislative position on encryption.
We've been down this road before. We know that encryption is critical to our right to privacy and to our own digital security. We need to come together once again and demand that our representatives protect these rights -- not undermine them in secret.
Act now to tell the Council of the EU to defend strong encryption!
Dear Slovak Presidency and Delegates to the Council of the EU:
According to the Presidency of the Council of the European Union, the Justice and Home Affairs Ministers will meet in December to discuss the issue of encryption. At that discussion, we urge you to protect our security, our economy, and our governments
by supporting the development and use of secure communications tools and technologies and rejecting calls for policies that would prevent or undermine the use of strong encryption.
Encryption tools, technologies, and services are essential to protect against harm and to shield our digital infrastructure and personal communications from unauthorized access. The ability to freely develop and use encryption provides the cornerstone
for today's EU economy. Economic growth in the digital age is powered by the ability to trust and authenticate our interactions and communication and conduct business securely both within and across borders.
The United Nations Special Rapporteur for freedom of expression has noted, encryption and anonymity, and the security concepts behind them, provide the privacy and security necessary for the exercise of the right to freedom of opinion and expression
in the digital age.
Recently, hundreds of organizations, companies, and individuals from more than 50 countries came together to make a global declaration in support of strong encryption. We stand with people from all over the world asking you not to break the encryption we
Among the many unpleasant things in the Investigatory Powers Act that was officially
signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.
As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and
allow the government to demand technical changes to software and systems.
Communications Service Providers (CSP) subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the
CSP to provide a technical capability on the new service.
As per the final wording of the law, comms providers on the receiving end of a technical capacity notice will be obliged to do various things on demand for government snoops -- such as disclosing details of any system upgrades and removing electronic protection
on encrypted communications.
Unless someone makes a challenge in Congress, new enhance snooping powers have been decreed for the US authorities.
Extra spying powers are set to be granted by Congressional inaction over an update to Rule 41 of the Federal Rules of Criminal Procedure. These changes will kick in on December 1.
The rule tweak, which was cleared by the Supreme Court in April, will allow the FBI to apply for a warrant to a nearby US judge to hack any suspect that's using Tor, a VPN, or some other anonymizing software to hide their whereabouts, in order to find
the target's true location.
Normally, if agents want to hack a PC, they have to ask a judge for a warrant in the jurisdiction where the machine is located. This is tricky if the location is obscured by technology. With the changes to Rule 41 in place, investigators can get a
warrant from any handy judge to deploy malware to find out where the suspect is based -- which could be anywhere in America or the world.
The rule change also allows the authorities to just obtain one warrant in case that cross multiple jurisdictions.
Kryptowire, a security firm, recently
several models of Android mobile devices that have preinstalled permanent software that serves as backdoor collecting sensitive personal data, including text messages, geolocations, contact lists, call logs, and transmits them to a server in Shanghai,
Without users' consent, the code can bypass Android's permission model. This could allow anyone interested in a mobile user's data -- from government officials to malicious hackers -- to execute remote commands with system privileges and even reprogram
The firmware was developed by Chinese company Shanghai ADUPS Technology Company. ADUPS confirmed the report with a bollox statement
claiming that it was somehow to do with identifying junk texts.
Kryptowire's research reveals that the collected information was protected with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. The data transmission occurred every 72 hours for text messages
and call log information, and every 24 hours for other personally identifiable information.
ADUPS also explained that the "accustomed" firmware was 'accidentally' built into 120,000 mobile products of one American phone manufacturer, BLU Products. After BLU raised the issue, ADUPS explained that the software was not designed for
American phones and deactivated the program on Blu phones.
The news has been widely reported in foreign media as ADUPS is among the largest FOTA (firmware over the air) providers in the world. The company provides a cloud platform for mobile device management to over 700 million active users in 200 countries,
which is equivalent to 70% of the global market share as it works closely with the world largest cheap mobile phone manufacturers ZTE and Huawei, both of which are based in China. In 2015 alone, Huawei sold more than 100 million smartphones.
Chinese netizens have not been surprised by the news. Reports about spyware preinstalled in Chinese mobile brands have circulated for many years among mainland and overseas Chinese speaking-communities. In 2014,
Hong Kong Android Magazine
reported that Xiaomi's smartphones designed for overseas markets were automatically connecting to an IP in Beijing and that all documents, SMS and phone logs, and video files downloaded were being transmitted to a Beijing server.
China's newly passed Cybersecurity Law has provided legal ground
for the smartphone's backdoor operation. The law requires "critical information infrastructure operators" to store users' "personal information and other important business data" in China.
In response to the news, many Chinese netizens are pointing out the abusive use of personal data and government surveillance has become the norm.
The Investigatory Powers Bill (IP Bill) has now been passed by both House of Parliament
and is expected to become law within the next few weeks.
Executive Director Jim Killock responded:
The passing of the IP Bill will have an impact that goes beyond the UK's shores. It is likely that other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance powers.
The IP Bill will put into statute the powers and capabilities revealed by Snowden as well as increasing surveillance by the police and other government departments. There will continue to be a lack of privacy protections for international data sharing
arrangements with the US. Parliament has also failed to address the implications of the technical integration of GCHQ and the NSA.
While parliamentarians have failed to limit these powers, the Courts may succeed. A ruling by the Court of Justice of the European Union, expected next year, may mean that parts of the Bill are shown to be unlawful and need to be amended.
ORG and others will continue to fight this draconian law.
About the IP Bill
In the wake of the Snowden revelations, three separate inquiries called for new surveillance laws in the UK. It was recognised that the Regulation of Investigatory Powers Act (RIPA) had failed to limit surveillance and allowed the creation of
surveillance programmes without parliamentary debate or assent. In response, the Government published the draft IP Bill in November 2015.
The IP Bill is a vast piece of legislation that will extend not limit surveillance in the UK. It will mean that:
Internet Service Providers could be obliged to store their customers' web browsing history for a year. The police and government departments will have unprecedented powers to access this data through a search engine that could be used for profiling.
The security services will continue to have powers to collect communications data in bulk.
The police and security services will have new hacking powers.
The security services can access and analyse public and private databases, even though the majority of data will be held about people who are not suspected of any crimes.
For more information about the Bill and what it means, visit ORG's campaign hub
The Investigatory Powers Bill is one step closer to becoming law after it was passed by the House of Lords yesterday.
Open Rights Group's Executive Director, Jim Killock, responded:
The UK is one step closer to having one of the most extreme surveillance laws ever passed in a democracy.
Despite attempts by the Lib Dems and Greens to restrain these draconian powers, the Bill is still a threat to the British public's right to privacy.
The IP Bill is a comprehensive surveillance law that was drafted after three inquiries highlighted flaws in existing legislation. However, the new Bill fails to restrain mass surveillance by the police and security services and even extends their powers.
Once passed, Internet Service Providers could be obliged to store their customers' web browsing history for a year. The police and government departments will have unprecedented powers to access this data through a search engine that could be used for
profiling. The Bill will also allow the security services to continue to collect communications data in bulk and could see Internet security weakened by allowing mass hacking.
AT&T developed a product for spying on all its customers and made millions selling it to warrantless cops
AT&T's secret Hemisphere product is a database of calls and call-records on all its customers, tracking their location, movements, and interactions -- this data was then sold in secret to American police forces for investigating crimes big and
small (even Medicare fraud), on the condition that they never reveal the program's existence.
The gag order that came with the data likely incentivized police officers to lie about their investigations at trial -- something we saw happen repeatedly in the case of Stingrays, whose use was also bound by secrecy demands from their manufacturers.
Because the data was sold by AT&T and not compelled by government, all of the Hemisphere surveillance was undertaken without a warrant or judicial review (indeed, it's likely judges were never told the true story of where the data being entered into
evidence by the police really came from -- again, something that routinely happened before the existence of Stingray surveillance was revealed).
The millions given to AT&T for its customers' data came from the federal government under the granting program that also allowed city and town police forces to buy military equipment for civilian policing needs. Cities paid up to a million dollars a
year for access to AT&T's customer records.
A statement of work from 2014 shows how hush-hush AT&T wants to keep Hemisphere:
The Government agency agrees not to use the data as evidence in any judicial or administrative proceedings unless there is no other available and admissible probative evidence.
But those charged with a crime are entitled to know the evidence against them come trial. Adam Schwartz, staff attorney for activist group Electronic Frontier Foundation, said that means AT&T may leave investigators no choice but to construct a false
investigative narrative to hide how they use Hemisphere if they plan to prosecute anyone.
EFF is suing the US government to reveal DoJ records on the use of Hemisphere data.
The UK government has introduced an amendment to the Investigatory Powers Bill currently going through Parliament, to make ensure that data
retention orders cannot require ISPs to collect and retain third party data. The Home Office had previously said that they didn't need powers to force ISPs to collect third party data, but until now refused to provide guarantees in law.
Third party data is defined as communications data (sender, receiver, date, time etc) for messages sent within a website as opposed to messages sent by more direct methods such as email. It is obviously a bit tricky for ISPs to try and decode what is
going on within websites as messaging data formats are generally proprietary, and in the general case, simply not de-cypherable by ISPs.
The Government will therefore snoop on messages sent, for example via Facebook, by demanding the communication details from Facebook themselves.
The German Parliament has passed a bill granting country's intelligence agencies wider powers.
The bill, aimed at reforming Germany's spy agency, the Bundesnachrichtendienst (BND), was adopted by legislators on Friday. MPs from the ruling Christian Democratic Union party (CDU), the Christian Social Union (CSU) and the Social Democrats (SPD) voted
in favor, while the majority of opposition lawmakers voted against it.
The latest bill comes in the wake of 2013 revelations by a former employee of the US National Security Agency (NSA), Edward Snowden. The leaked documentsrevealed that the BND acted on behalf of the NSA while spying at home and abroad, spurring outrage
among the German public and many local officials.
The bill grants the BND the right to monitor all the network data of all German telecommunication companies in the country. Prior to the new ruling, the spy agency was allowed to proceed with the notion only in 20 percent of the cases. Under the ruling,
the collected data will be stored for six months and can be shared with the foreign intelligence institutions.
The bill allows sharing information for anti-terrorist purposes and aiding the foreign missions of the German Army (Bundeswehr). Data regarding the security situation for German citizens abroad can be also shared with international spy agencies.
The bill also creates a few fine sounding oversight mechanisms but as no such watchdog has ever revealed anything about a mass snooping capability that has been in place for same time, then such commissioners or watchdogs, or whatever, can be safely
considered a waste of space.
The bill talks of 'disclosing' personal data to gas and electricity companies, yet there are no details about access limitations, data security, ethical use of data, nor of a trust framework to protect the privacy and security of citizens
In a bombshell
published today, Reuters is reporting that, in 2015, Yahoo complied with an order it received from the U.S. government to search all of its users' incoming emails, in real time.
There's still much that we don't know at this point, but if the report is accurate, it represents a new--and dangerous--expansion of the government's mass surveillance techniques.
This isn't the first time the U.S. government has been caught conducting unconstitutional mass surveillance of Internet communications in real time. The NSA's Upstream surveillance program--the program at the heart of our ongoing lawsuit
Jewel v. NSA
--bears some resemblance to the surveillance technique described in the Reuters report. In both cases, the government compels providers to scan the contents of communications as they pass through the providers' networks, searching the full contents of
the communications for targeted "selectors," such as email addresses, phone numbers, or malware "
Mass surveillance of Yahoo's emails is unconstitutional for the same reasons that it'sunconstitutional for the government to copy and search through vast amounts of communications passing through AT&T's network as part of Upstream. The sweeping
warrantless surveillance of millions of Yahoo users' communications described in the Reuters story flies in the face of the Fourth Amendment's prohibition against unreasonable searches. Surveillance like this is an example of "
" that the Fourth Amendment was directly intended to prevent. (Note that, as we've explained
, it is irrelevant that Yahoo itself conducted the searches since it was acting as an agent of the government.)
While illegal mass surveillance is sadly familiar, the Yahoo surveillance program represents some deeply troubling new twists.
First, this is the first public indication that the government has compelled a U.S.-based email provider--as opposed to an Internet-backbone provider--to conduct surveillance against all its customers in real time. In attempting to justify its
warrantless surveillance under Section 702 of the FISA Amendments Act--including Upstream and PRISM--the government has claimed that these programs only "target" foreigners
outside the U.S. and thus do not implicate American citizens' constitutional rights. Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely domestic communications involving
millions of Yahoo users.
Second, the story explains that Yahoo had to build new capabilities to comply with the government's demands, and that new code may have, itself, opened up new security vulnerabilities for Yahoo and its users. We read about new data breaches and attempts
to compromise the security of Internet-connected systems on a seemingly daily basis. Yet this story is another example of how the government continues to take actions that have serious potential for collateral effects on everyday users.
We hope this story sparks further questions. For starters: is Yahoo the only company to be compelled to engage in this sort of mass surveillance? What legal authority does the government think can possibly justify such an invasion of privacy? The
government needs to give us those answers.
Google has placed a virtual assistant at the heart of its first voice-activated speaker system. The Home speaker lets artificial
intelligence tool be controlled without use of a touchscreen via an always on microhone. It rivals Amazon's Echo.
The virtual assistant can hold a conversation, in which one question or command builds on the last, rather than dealing with each request in isolation it draws on Google's Knowledge Graph database, which links together information about more 70 billion
facts, and has been in use for four years
However, the US company will have to overcome privacy concerns and convince users that chatting to a virtual assistant has advantages over using individual apps.
Users can, for example, ask for what films are playing at nearby cinemas, and then follow up the reply by saying: We want to bring the kids, to narrow down the selection. Brian Blau, from the consultancy Gartner explained further:
Having a conversation - one where you ask a question and then follow-on questions - is a much more natural way to interact, and you would think that would offer a better user experience. But we haven't had that type of system offered at the mass market
level before, so it's hard to say how well it actually do.
As well as getting answers to questions, the device can control internet-connected lights and other smart home products play music and other services such as setting timers and alarms, creating shopping lists and getting travel updates.
The $129 device is launching in the US next month, and is due to come to the UK next year.