Liberty News

TikTok says it will stop accessing clipboard content on iOS devices

A beta feature on iOS 14 showed what the app was up to

See article from theverge.com

 

Update: Others too!

29th June 2020. See article from arstechnica.com

TikTok and 53 other iOS apps still snoop your sensitive clipboard data Passwords, bitcoin addresses, and anything else in clipboards are free for the taking.

See article from arstechnica.com

 

Update: India bans 59 Chinese snooping apps

29th June 2020. See article from financialexpress.com

The Government of India on Monday banned 59 Chinese apps including TikTok and UC Browser which are prejudicial to sovereignty and integrity of India, defence of India, security of state and public order, news agency ANI reported. Majority of these apps were recently red-flagged by intelligence agencies over concerns that they were collecting user data and possibly also sending them outside of the country's borders.

Among the apps that have been banned are Tik Tok, Sharit, Kwai, UC Browser, Baidu map, Shein, clash of Kings, DU battery saver, Helo, Likee, YouCam makeup, Mi Community, CM Browsers, Virus Cleaner, Apus Browser, among others.

Three Republican senators introduced a bill this week to codify lawful access, a legal framework that would demand that device makers incorporate a backdoor to allow law enforcement to access nw weakly encrypted digital devices with signed court orders. The bill's authors are Senators Lindsey Graham, Tom Cotton and Marsha Blackburn. Cotton said in a statement:

Tech companies' increasing reliance on encryption has turned their platforms into a new, lawless playground of criminal activity. Criminals from child predators to terrorists are taking full advantage. This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet.

The bill appears to be a formal codification of what top judicial officials have sought for well over two decades: enhancing the government's ability to bust through now weakened encryption, which can make data on a cellphone or a computer almost unreadable to anyone who does not have the password to decrypt it.

Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society commented:

This is the full-frontal nuclear assault on encryption we've been fearing would come, but which no lawmaker previously had dared to put forth.

Andrew Crocker, a senior staff attorney at the Electronic Frontier Foundation, said:

This bill is simply blind to reality.  It is blind to the fact that as millions of us march in the streets and shelter in place, we've never been more dependent on secure communications and devices. It is blind to the expert consensus that there is no way to provide access to securely encrypted data without a backdoor, something that legislating a prize for a magical solution simply cannot change, he said.

The US government continues to have the right to snoop on internet users' browsing histories, as well and also internet search histories. A bill that would have stripped the government of its right to conduct the searches with no warrant failed in the Senate.

The bipartisan bill, an amendment to a surveillance authority first established under the 2001 Patriot Act, was sponsored by Oregon Democrat Ron Wyden, and Montana Republican Steve Daines. But the amendment required 60 votes to move forward, and the final Senate vote was 59-37 in favor.

Phuket is a holiday island in Thailand that is accessed by road via a single bridge to the mainland. In the name of coronavirus monitoring the Phuket authorities have introduced an horribly invasive computerised checkpoint on the bridge.

The check on people crossing the bridge will include a temperature check with a facial recognition detection system connected with the public health database. In the case detection of a traveller has contracted the Covid-19 virus, police will be alerted at the checkpoints along with National Emergency Notification Center staff.

But that is just the beginning of it. The Phuket Smart Check Point will also include scanning for suspect vehicles involved in crimes, and checking the traveller's criminal record.

The Check Point will also require travellers to register and supply personal information. This will be kept on record for subsequent crossings and will be used for unspecified analysis by the authorities, including for the suppression of crime.

The system comes with an app that can be used as a tracking device allowing authorities to see where your current location is in the province.

Google's sister company Side Walk Labs has abandoned its smart city development in Toronto citing the effects of coronavirus on the property market.

Chief executive Dan Doctoroff explained in a blog post:

It is with great personal sadness and disappointment that I share that Sidewalk Labs will no longer pursue the Quayside project.

For the last two-and-a-half years, we have been passionate about making Quayside happen -- indeed, we have invested time, people, and resources in Toronto, including opening a 30-person office on the waterfront. But as unprecedented economic uncertainty has set in around the world and in the Toronto real estate market, it has become too difficult to make the 12-acre project financially viable without sacrificing core parts of the plan we had developed together with Waterfront Toronto to build a truly inclusive, sustainable community. And so, after a great deal of deliberation, we concluded that it no longer made sense to proceed with the Quayside project, and let Waterfront Toronto know yesterday.

Both the state and commercial sector have a disgraceful record of respecting people's data privacy. From the state's viewpoint, surveillance data is way too valuable, for law enforcement, censorship and societal control, to allow people to have any avenue for privacy. Meanwhile commercial companies, notably Facebook, Google, credit reference agencies, and more or less any website that wants to earn a bit more money from advertising, have all abused people's data mercilessly. And then of course there are also the hackers, scammers and identity thieves that prey on any data they can steal.

And every one of these snoopers has been continually claiming that they can be trusted with your data. It doesn't matter how often their lies are found out, they continue to make the same claims.

It is little wonder then that a significant number of people are a little unwilling to sign up for Big Brother surveillance, however well intentioned, the state, and its commercial partners, simply can't be trusted.

Something that perhaps politicians are starting to realise in Australia. The government as been aggressively pushing its covid tracking app for a week or so, but has got nowhere near the required take up.

Australia's COVIDSafe app was launched on Sunday April 26. About a million people downloaded it within the first day, but that trailed off with only a tenth of that installing it by the end of the week. The current tally is that about 4 million people downloaded the app, out of a population of about 26 million.

The Federal Government has warned that millions more Australians need to download the app and has threatened that if they don't, then the lockdown won't be eased.

In fact opposition to the app has appeared even from the Australian panel of experts working to fight the pandemic.One of Australia's top advisers to the World Health Health Organisation refuses to download the app. University of NSW professor Mary-Louise McLaws said until she knew more about where the data it collected was stored and secured, she couldn't install it. In particular  she is concerned the personal data could be accessed through Amazon's servers under U.S. law.

The government has resorted to all but declaring the 40% threshold is necessary for pubs to open and life to go back to normal. Critics slammed this rhetoric as emotional blackmail, noting that it is hardly likely to win people over.

Of course one of the possible outcomes is that the authorities could go down the Chinese route and make the app more or less mandatory.

Big Brother Watch review reveals staggering incompetence in use of emergency powers and demands lockdown exit strategy

The civil liberties group's review of coronavirus emergency powers one month after they came into force finds:

• a new case of a teen wrongly convicted under Coronavirus Act and under powers for wrong country

• a " postcode lottery of pandemic law " as forces deliver "inconsistent, heavy-handed and sometimes incompetent" policing

• suspension of freedom of information relating to coronavirus policing

• new curbs on free speech online

• growing use of drones, ANPR, location tracking and warns of "a surveillance state in the UK of a scale never seen before"

An Oxford teenager who delivered money to his vulnerable mother was "wrongly convicted" under the emergency Coronavirus Act and under its Welsh provisions, according to civil liberties group Big Brother Watch. The group said it shows "staggering incompetence".

The case emerged in a Big Brother Watch review of the use of emergency powers a month after they came into force. The organisation protested that the Government's exit strategy from extreme restrictions is a "state secret" and urged for it to be made public.

The damning review, published today, identifies " an outbreak of inconsistent, heavy-handed and sometimes incompetent policing" including wrongful convictions, people being forced from their own gardens and driveways, and major discrepancies between forces in the number of penalty notices issued. Police " cannot maintain trust by swinging from public apology to public apology," the campaign group warned.

Zero tolerance

Thames Valley Police, which arrested the Oxford teenager before he was prosecuted under the Welsh emergency powers, ranked second among English police forces for issuing the most lockdown fines in the first 2.5 weeks, totalling 219.

Big Brother Watch's analysis shows that Lancashire Police issued vastly more lockdown fines than any other force in England at 380 which, proportional to population size, is 3.5 times as many as Thames Valley Police and 116 times more than Humberside Police, which issued the fewest fines at just 2.

Lancashire Police threatened on social media that its officers would take "a zero tolerance approach with those who ignore government guidance" days before the lockdown powers came into force.

Postcode lottery of pandemic law

The civil liberties group raised concerns of "senior police figures systematically rejecting legal advice" after several police forces appeared to oppose new guidance clarifying that people are allowed to drive a reasonable distance to exercise.

Dorset Police responded to the guidance with a statement claiming that allowing people to drive to exercise is "not within the spirit of what we are trying to achieve (...) regardless of whether it is 'lawful' or not." Big Brother Watch described the inconsistent policing it identified as creating a "postcode lottery of pandemic law".

Surveillance state

The use of ANPR, drone surveillance, mobile data tracking and citizen reporting could be normalised, the report warns, and result in " a surveillance state in the UK on a scale never seen before."

Concerns have been exacerbated by the "suspension" of freedom of information requests on coronavirus policing. Big Brother Watch uncovered a police strategy document which instructs forces to centralise and delay all freedom of information requests for transparency on policing of emergency powers until summer 2021.

NHSX, the digital arm of the NHS has been speaking to a parliamentary committee of its upcoming app to be used in the testing, tracking and contact tracing phase of dealing with coronavirus pandemic.

Apple and Google have developed their own contact tracing tools for apps that maximise privacy by keeping most of the key contacts detected via Bluetooth on people's phones. But it was a notable decision that was outlined today that the NHSX tracking app will not be using the Google/Apple system, and will instead be logging contact details with a central server.

However the NHSX app will be using much of the privacy language of the Google/Apple system coupled with the same anonymised contact data handling. Furthermore NHSX said it would be releasing the app code for public scrutiny to assure users that their data will be kept private.

But another key detail revealed was that NHSX was working with GCHQ to help out with security aspects of the app. One has to wonder if the purported privacy of the app is a bit of smokescreen when the GCHQ internet surveillance infrastructure can detect messages being sent to the central server.  The system will know the phone number doing the sending coupled with a pretty good estimate of the location.

But of course this more complete set of data will be extremely useful in combating the virus as it may give an indication of exactly where the virus is being transmitted.

It might be related information that the Big Brother Watch review of the emergency coronavirus legislation reveals that the government has written itself new powers to appoint a new set of people to oversee state internet surveillance. The report says:

On 26th March 2020, a new statutory instrument was made under the Coronavirus Act: The Investigatory Powers (Temporary Judicial Commissioners and Modification of Time Limits) Regulations 2020. This allows for the appointment of temporary Judicial Commissioners to approve authorities' use of investigatory powers including highly intrusive bulk powers. Subsequently, on 21st April, the Investigatory Powers Commissioner appointed 10 new temporary Judicial Commissioners (JCs).205

Presumably these new appointees will be compliant with changes required for the more extensive extraction of data from the tracking app.

If it sorts out the virus and lets the economy bounce back then maybe the ends justifies the means.

The Chinese government and the Chinese telecommunications companies such as Huawei under its control are proposing a New IP addressing system for the internet to replace TCP/IP. The New IP system includes top-down checks and balances and such features as a shut up command that would allow a central controller to stop packets from being received or sent by a target New IP address. The China led proposal was first unveiled at the International Telecommunications Union (ITU) meeting in September 2019. The associated power point presentation and formal proposal have been made available by Financial Times.

In it, the Chinese government and its state controlled telecommunications service and hardware providers (i.e. Huawei) make the case that TCP/IP is broken and won't scale for use in the future internet which will include things like holographs and space-terrestrial communications. China argues that these new technologies on the old system would require complex translators and increase the overall cost to society.

The New IP proposal admits that TCP/IP has achieved relatively good security. However, China feels that this is still far away from what we actually require in the future. If the security is admittedly relatively good, what could possibly be missing? Apparently, the answer to that question is trust. The proposal reads:

As universal connectivity develops, a better security and trust model need to be designed and deployed to provide a stable, trustworthy, and long-term environment for people to use.

Let's be clear: Trust should have no part in this. Especially this type of absolute trust in centralized institutions -- that have repeatedly proven to be unworthy of such trust -- which is exactly what China is trying to force down the internet world's throat. Let's not forget that China is the same country that already forces real name and identification to be tied to all internet or phone services and also runs a censorship campaign against the open internet so large that it's called the Great Firewall .

NATO report warns against China's New IP system and its proposed Splinternet

Oxford Information Labs (Oxil) has prepared a research report for the North Atlantic Treaty Organization (NATO) that does not look kindly on the New IP proposal or the breakneck pace that it is being rushed through the approval process. The report authors from Oxil spoke with and provided an advance copy of the NATO report to Infosecurity. Oxil summed up the problem with New IP concisely:

New IP would centralize control over the network into the hands of telecoms operators, all of which are either state run or state-controlled in China. So, internet infrastructure would become an arm of the Chinese state.

The New IP model also takes pot shots at current centralized parts of the internet, such as the Domain Name System (DNS), and offers Distributed Ledger Technology (DLT) solutions under the guise of promoting a Decentralized Internet Infrastructure (DII) to address them. While that may sound like the holy grail of blockchain technology and true decentralization that real public blockchain technologies such as Handshake provide, what is being proposed by China is absolutely not that. Oxil notes that the proposed DLTs would undoubtedly be under Chinese government control -- bringing about that call for trust again. Oxil explained to Infosecurity:

It is not uncommon for language of 'trust' to replace 'security' in Chinese DII-related discussions. This is concerning because it indicates that the principle of 'security by design' -- at least in the Western context -- is not being adopted in DII's development. In the long-term this could negatively impact cybersecurity globally.

It doesn't matter how distributed or decentralized parts of a protocol seem on the surface, if there is a centralized command at the top that can issue shut up commands to devices supposedly connected to an open internet -- said devices aren't actually connected to an open internet, are they.

China will move towards using New IP with or without ITU approval Huawei is apparently already building internet infrastructure that utilices New IP as opposed to TCP/IP with partner countries, likely in Africa. Besides that, the Chinese proposal for a more top-down controlled internet has also seen support from Russia, Saudi Arabia, and Iran. While Huawei claims that this is an open process, and is open to scientists and engineers worldwide to participate in and contribute to, the fact that nobody really knows what's going on besides those involved in the process is telling. Robert Clark writing for LightReading calls New IP Huawei's real threat to networking and describes the situation aptly:

Huawei's important additional role here is as the major supplier to telcos in many developing countries. It is these governments that are likely the biggest enthusiasts for a manageable Internet without being hectored by Western governments about openness and freedom. And Huawei staff are on hand to help them build it.

That is to say, Huawei is already going ahead and building New IP systems with shut up commands and all -- in effect creating the very network islands that they want to use as a reason that TCP/IP won't work. In reality, those seeking to expand network functionality to new types of devices and services such as holograms or satellite comms and more internet of things devices have all the incentive in the world to make something that works with the existing TCP/IP world. In contrast, China and other countries that do not want true freedom on the internet are all too eager to create a form of the internet that gives them ultimate, centralized control. That China is proffering this New IP model to the free world as an improvement should be expected, and thoroughly ignored and lambasted.

Update: Opposed by European internet industry

24th April 2020. See article from zdnet.com

Ripe is the Regional Internet Registry for Europe, the Middle East and parts of Central Asia. It allocates and registers blocks of Internet number resources to Internet service providers (ISPs) and other organisations. The RIPE NCC membership consists mainly of Internet service providers, telecommunication organisations and large corporations.

RIPE is opposing a proposal to remodel core internet protocols, a proposal backed by the Chinese government, Chinese telecoms, and Chinese networking equipment vendor Huawei.

Named New IP, this proposal consists of a revamped version of the TCP/IP standards to accommodate new technologies, a shutoff protocol to cut off misbehaving parts of the internet, and a new top-to-bottom governance model that centralizes the internet and puts it into the hands of a few crucial node operators.

The proposal received immediate criticism from the general public and privacy advocates due to its obvious attempt to hide internet censorship features behind a technical redesign of the TCP/IP protocol stack. Millions of eyebrows were raised when authoritarian countries like Iran, Russia, and Saudi Arabia expressed support for the proposal.

In a blog post this week, RIPE NCC, the regional Internet registry for Europe, West Asia, and the former USSR, formally expressed a public opinion against China New IP proposal. Marco Hogewoning, the current acting Manager Public Policy and Internet Governance at the RIPE NCC said:

Do we need New IP? I don't think we do. Although certain technical challenges exist with the current Internet model, I do not believe that we need a whole new architecture to address them.

Any endeavors to revamp internet protocols should be left to the Internet Engineering Task Force (IETF), the international body that has been in charge of defining internet standards for decades. Such issues should not be left to the ITU, which is the United Nation's telecommunications body, and an agency where political influence rules, rather than technically-sound arguments.

In addition, RIPE is also concerned with the attempt to change the internet's current decentralized nature.

The UK government is reportedly preparing to launch an app that will warn users if they are in close proximity to someone who has tested positive for coronavirus .

The contact-tracking app will be released just before the lockdown is lifted or in its immediate aftermath and will use short-range Bluetooth signals to detect other phones in close vicinity and then store a record of those contacts on the device.

If somebody tests positive for COVID-19, they will be able to upload those contacts, who can then be alerted via the app.

It is reported that will not generally be shared with a central authority, potentially easing concerns that the app could snitch up users to the police for going jogging twice a day, or spending the night at your girlfriend's place.

NHSX, the innovation arm of the UK's National Health Service, will reportedly appoint an ethics board to oversee the development of the app, with its board members set to be announced over the coming weeks. It is a bit alarming that the government is envisaging such a long development schedule, suggesting perhaps that the end to the lockdown will be months away.

The NHS is reportedly counting on the app being downloaded by more than 50% of the population.

Offsite Comment: The government must explain its approach to mobile contact tracing

7th April 2020. See article from openrightsgroup.org by Jim Killock

The idea is for some 60% of the population to use an app which will look for people with the same app to record proximity. This data is then stored centrally. Health officials then add data of people who have been positively tested for COVID-19. Finally, persons who may be at risk because of their proximity to someone with the virus are alerted to this and asked to self-isolate.

This approach is likely to work best late on, when people are out of the full lock down and meeting people more than they were. It may be a key part of the strategy to move us out of lockdown and for dealing with the disease for some time afterwards. At the current time, during lockdown, it would not be so useful, as people are avoiding risk altogether.

Of course, it will be a huge challenge to persuade perhaps 75% or more of smartphone users (80% of adults have a smartphone) to install such an app, and keep it running for however long it is needed. And there are limitations: for instance a window or a wall may protect you while the app produces a false positive for risky contact. The clinical efficicacy of any approach needs to be throughly evaluated, or any app will risk making matters worse.

Getting users to install and use an application like this, and share location information, creates huge privacy and personal risks. It is an enormous ask for people to trust such an app -- which explains why both the UK and EU are emphasising privacy in the communications we have heard, albeit the EU project is much more explicit. It has a website , which explains:

PEPP-PR was explicitly created to adhere to strong European privacy and data protection laws and principles. The idea is to make the technology available to as many countries, managers of infectious disease responses, and developers as quickly and as easily as possible. The technical mechanisms and standards provided by PEPP-PT fully protect privacy and leverage the possibilities and features of digital technology to maximize speed and real-time capability of any national pandemic response.

There are plenty of other questions that arise from this approach. The European project and the UK project share the same goals; the companies, institutions and governments involved must be talking with each other, but there is no sign of any UK involvement on the European project's website.

The European project has committed to producing its technology in the open, for the world to share, under a Mozilla licence. This is the only sane approach in this crisis: other countries may need this tool. It also builds trust as people can evaluate how the technology works.

We don't know if the UK will share technology with this project, or if it will develop its own. On the face of it, sharing technology and resources would appear to make sense. This needs clarifying. In any event, the UK should be working to produce open source, freely reusable technology.

We urgently need to know how the projects will work together. This is perhaps the most important question. People do, after all, move across borders; the European project places a strong emphasis on interoperability between national implementations. In the, UK at the Irish border, it would make no sense for systems lacking interoperability to exist in the North and Eire.

Thus the UK and Europe will need to work together. We need to know how they will do this.

We are in a crisis that demands we share resources and technology, but respect the privacy of millions of people as best as we can. These values could easily flip -- allowing unrestricted sharing of personal data but failing to share techologies.

The government has already made a number of communications mis-steps relating to data, including statements that implied data protection laws do not apply in a health crisis; using aggregate mobile data without explaining why and how this is done; and employing the surveillance company Palantir without explaining or stating that it would be kept away from further tasks involving personal data.

These errors may be understandable, but to promote a mobile contact tool using massive amounts of personal location data, that also relies on voluntary participation, the UK government will have to do much better. PEPP-PT is showing how transparency can be done; while it too is not yet at a point where we understand their full approach, it is at least making a serious effort to establish trust.

We need the UK government to get ahead, as Europe is doing, and explain its approach to this massive, population-wide project, as soon as possible.

Offsite Comment: The EU also has an app

 7th April 2020. See article from politico.eu

Years of efforts to safeguard personal data running headlong into calls for drastic actions to counter the pandemic.

 

Update: The Challenge of Proximity Apps For COVID-19 Contact Tracing

11th April 2020. See article from eff.org

The Challenge of Proximity Apps For COVID-19 Contact Tracing

Developers are rapidly coalescing around applications for proximity tracing, which measures Bluetooth signal strength to determine whether two smartphones were close enough together for their users to transmit the virus. In this approach, if one of the users becomes infected, others whose proximity has been logged by the app could find out, self-quarantine, and seek testing. Just today, Apple and Google announced joint application programming interfaces (APIs) using these principles that will be rolled out in iOS and Android in May. A number of similarly designed applications are now available or will launch soon.

Update: Confirmed

13th April 2020. See article from bbc.co.uk

 The UK has confirmed plans for an app that will warn users if they have recently been in close proximity to someone suspected to be infected with the coronavirus.

The health secretary Matt Hancock announced the move at the government's daily pandemic press briefing. He said the NHS was working closely with the world's leading tech companies on the initiative.

The BBC has learned that NHSX - the health service's digital innovation unit - will test a pre-release version of the software with families at a secure location in the North of England next week.

 

Update: Can your smartphone crack Covid?

14th April 2020. See article from unherd.com by Timandra Harkness

 I write constantly about the threat to privacy of letting our smartphones share data that reveals where we go, what we do, and who shares our personal space. And although these are exceptional circumstances, we should not stop valuing our privacy. Emergency measures have a habit of becoming the new normal. And information about who we've been close to could be of interest to all sorts of people, from blackmailers to over-enthusiastic police officers enforcing their own interpretation of necessary activities.

Update: NHS in standoff with Apple and Google over coronavirus tracing

17th April 2020.See article from theguardian.com

Tech firms place limitations on how tracing apps may work in effort to protect users' privacy