law enforcement

Smart home makers hoard your data, but won’t say if the police come for it

A decade ago, it was almost inconceivable that nearly every household item could be hooked up to the internet. These days, it’s near impossible to avoid a smart home gadget, and they’re vacuuming up a ton of new data that we’d never normally think about.

Thermostats know the temperature of your house, and smart cameras and sensors know when someone’s walking around your home. Smart assistants know what you’re asking for, and smart doorbells know who’s coming and going. And thanks to the cloud, that data is available to you from anywhere — you can check in on your pets from your phone or make sure your robot vacuum cleaned the house.

Because the data is stored or accessible by the smart home tech makers, law enforcement and government agencies have increasingly sought data from the companies to solve crimes.

And device makers won’t say if your smart home gadgets have been used to spy on you.

For years, tech companies have published transparency reports — a semi-regular disclosure of the number of demands or requests a company gets from the government for user data. Google was first in 2010. Other tech companies followed in the wake of Edward Snowden’s revelations that the government had enlisted tech companies’ aid in spying on their users. Even telcos, implicated in wiretapping and turning over Americans’ phone records, began to publish their figures to try to rebuild their reputations.

As the smart home revolution began to thrive, police saw new opportunities to obtain data where they hadn’t before. Police sought Echo data from Amazon to help solve a murder. Fitbit data was used to charge a 90-year-old man with the murder of his stepdaughter. And recently, Nest was compelled to turn over surveillance footage that led to gang members pleading guilty to identity theft.

Yet, Nest — a division of Google — is the only major smart home device maker that has published how many data demands it receives.

As first noted by Forbes last week, Nest’s little-known transparency report doesn’t reveal much — only that it’s turned over user data about 300 times since mid-2015 on over 500 Nest users. Nest also said it hasn’t to date received a secret order for user data on national security grounds, such as in cases of investigating terrorism or espionage. Nest’s transparency report is woefully vague compared to some of the more detailed reports by Apple, Google and Microsoft, which break out their data requests by lawful request, by region and often by the kind of data the government demands.

As Forbes said, “a smart home is a surveilled home.” But at what scale?

We asked some of the most well-known smart home makers on the market if they plan to release a transparency report, or disclose the number of demands they receive for data from their smart home devices.

For the most part, we received fairly dismal responses.

What the big four tech giants said

Amazon did not respond to requests for comment when asked if it will break out the number of demands it receives for Echo data, but a spokesperson told me last year that while its reports include Echo data, it would not break out those figures.

Facebook said that its transparency report section will include “any requests related to Portal,” its new hardware screen with a camera and a microphone. Although the device is new, a spokesperson did not comment on if the company will break out the hardware figures separately.

Google pointed us to Nest’s transparency report but did not comment on its own efforts in the hardware space — notably its Google Home products.

And Apple said that there’s no need to break out its smart home figures — such as its HomePod — because there would be nothing to report. The company said user requests made to HomePod are given a random identifier that cannot be tied to a person.

What the smaller but notable smart home players said

August, a smart lock maker, said it “does not currently have a transparency report and we have never received any National Security Letters or orders for user content or non-content information under the Foreign Intelligence Surveillance Act (FISA),” but did not comment on the number of subpoenas, warrants and court orders it receives. “August does comply with all laws and when faced with a court order or warrant, we always analyze the request before responding,” a spokesperson said.

Roomba maker iRobot said it “has not received any demands from governments for customer data,” but wouldn’t say if it planned to issue a transparency report in the future.

Both Arlo, the former Netgear smart home division, and Signify, formerly Philips Lighting, said they do not have transparency reports. Arlo didn’t comment on its future plans, and Signify said it has no plans to publish one. 

Ring, a smart doorbell and security device maker, did not answer our questions on why it doesn’t have a transparency report, but said it “will not release user information without a valid and binding legal demand properly served on us” and that Ring “objects to overbroad or otherwise inappropriate demands as a matter of course.” When pressed, a spokesperson said it plans to release a transparency report in the future, but did not say when.

Spokespeople for Honeywell and Canary — both of which have smart home security products — did not comment by our deadline.

And, Samsung, a maker of smart sensors, trackers and internet-connected televisions and other appliances, did not respond to a request for comment.

Only Ecobee, a maker of smart switches and sensors, said it plans to publish its first transparency report “at the end of 2018.” A spokesperson confirmed that, “prior to 2018, Ecobee had not been requested nor required to disclose any data to government entities.”

All in all, that paints a fairly dire picture for anyone thinking that when the gadgets in your home aren’t working for you, they could be helping the government.

As helpful and useful as smart home gadgets can be, few fully understand the breadth of data that the devices collect — even when we’re not using them. Your smart TV may not have a camera to spy on you, but it knows what you’ve watched and when — which police used to secure a conviction of a sex offender. Even data from when a murder suspect pushed the button on his home alarm key fob was enough to help convict someone of murder.

Two years ago, former U.S. director of national intelligence James Clapper said the government was looking at smart home devices as a new foothold for intelligence agencies to conduct surveillance. And it’s only going to become more common as the number of internet-connected devices grows. Gartner said more than 20 billion devices will be connected to the internet by 2020.

As slim as the chances are that the government is spying on you through the internet-connected camera in your living room or your thermostat, it’s naive to think that it can’t.

But the smart home makers wouldn’t want you to know that. At least, most of them.

Powered by WPeMatico

Despite objection, Congress passes bill that lets U.S. authorities shoot down private drones

U.S. authorities will soon have the authority to shoot down private drones if they are considered a threat — a move decried by civil liberties and rights groups.

The Senate passed the FAA Reauthorization Act on Wednesday, months after an earlier House vote in April. The bill renews funding for the Federal Aviation Administration (FAA) until 2023, and includes several provisions designed to modernize U.S. aviation rules — from making commercial flights more comfortable for passengers to including new provisions to act against privately owned drones.

But critics say the new authority that gives the government the right to “disrupt,” “exercise control,” or “seize or otherwise confiscate” drones that are deemed a “credible threat” is dangerous and doesn’t include enough safeguards.

Federal authorities would not need to first obtain a warrant, and rights groups say that authority could be easily abused, making it possible for Homeland Security and the Justice Department and their various law enforcement and immigration agencies to shoot down anyone’s drone for any justifiable reason.

Drones, or unmanned aerial vehicles, have rocketed in popularity, from amateur pilots and explorers to journalists using drones to report from the skies. But there’s also been a growing threat, from hapless hobbyists accidentally crashing a drone on the grounds of the White House to so-called Islamic State terrorists using drones on the battlefield.

Both the American Civil Liberties Union and the Electronic Frontier Foundation have denounced the bill.

“These provisions give the government virtually carte blanche to surveil, seize, or even shoot a drone out of the sky — whether owned by journalists or commercial entities — with no oversight or due process,” an ACLU spokesperson told TechCrunch. “They grant new powers to the Justice Department and the Department of Homeland Security to spy on Americans without a warrant,” and they “undermine the use of drones by journalists, which have enabled reporting on critical issues like hurricane damage and protests at Standing Rock.”

“Flying of drones can raise security and privacy concerns, and there may be situations where government action is needed to mitigate these threats,” the ACLU said in a previous blog post. “But this bill is the wrong approach.”

The EFF agreed, arguing the bill endangers the First and Fourth Amendment rights of freedom of speech and the protection from warrantless device seizures.

“If lawmakers want to give the government the power to hack or destroy private drones, then Congress and the public should have the opportunity to debate how best to provide adequate oversight and limit those powers to protect our right to use drones for journalism, activism, and recreation,” the EFF said.

Other privacy groups, including the Electronic Privacy Information Center, denounced the passing of the bill without “baseline privacy safeguards.”

The bill will go to the president’s desk, where it’s expected to be signed into law.

iOS will soon disable USB connection if left locked for a week

In a move seemingly designed specifically to frustrate law enforcement, Apple is adding a security feature to iOS that totally disables data being sent over USB if the device isn’t unlocked for a period of 7 days. This spoils many methods for exploiting that connection to coax information out of the device without the user’s consent.

The feature, called USB Restricted Mode, was first noticed by Elcomsoft researchers looking through the iOS 11.4 code. It disables USB data (it will still charge) if the phone is left locked for a week, re-enabling it if it’s unlocked normally.

Normally when an iPhone is plugged into another device, whether it’s the owner’s computer or another, there is an interchange of data where the phone and computer figure out if they recognize each other, if they’re authorized to send or back up data, and so on. This connection can be taken advantage of if the computer being connected to is attempting to break into the phone.

USB Restricted Mode is likely a response to the fact that iPhones seized by law enforcement or by malicious actors like thieves essentially will sit and wait patiently for this kind of software exploit to be applied to them. If an officer collects a phone during a case, but there are no known ways to force open the version of iOS it’s running, no problem: just stick it in evidence and wait until some security contractor sells the department a 0-day.

But what if, a week after that phone was taken, it shut down its own Lightning port’s ability to send or receive data or even recognize it’s connected to a computer? That would prevent the law from ever having the opportunity to attempt to break into the device unless they move with a quickness.

On the other hand, had its owner simply left the phone at home while on vacation, they could pick it up, put in their PIN and it’s like nothing ever happened. Like the very best security measures, adversaries will curse its name while users may not even know it exists. Really, this is one of those security features that seems obvious in retrospect and I would not be surprised if other phone makers copy it in short order.

Had this feature been in place a couple of years ago, it would have prevented that entire drama with the FBI. The bureau milked its ongoing inability to access a target phone for months, reportedly concealing its own capabilities all the while, likely to make it a political issue and manipulate lawmakers into compelling Apple to help. That kind of grandstanding doesn’t work so well on a seven-day deadline.

It’s not a perfect solution, of course, but there are no perfect solutions in security. This may simply force all iPhone-related investigations to get high priority in courts, so that existing exploits can be applied legally within the seven-day limit (and, presumably, every few days thereafter). All the same, it should be a powerful barrier against the kind of eventual, potential access through undocumented exploits from third parties that seems to threaten even the latest models and OS versions.

Seattle Police Department suspends its Twitch channel following Charleena Lyles controversy

Facing backlash on its handling of the officer-involved shooting death of Charleena Lyles, the Seattle Police Department will shut down its official Twitch channel. The department started experimenting with community outreach over the game streaming platform earlier this year.

Harvard Report Debunks Claim Surveillance Is “Going Dark”

Since the 2013 Snowden disclosures revealed the extent of government surveillance programs, it’s been a standard claim by intelligence agencies, seeking to justify their push for more powers, that their ability to track suspects using new technologies is under threat because of growing use of end-to-end encryption by technology companies.

Pressure In Congress Grows For GPS Tracking Reform After Supreme Court Passes On Cell Phone Case

Senators and House representatives this week are calling on Congress to act on bills that would limit location tracking and phone surveillance after the Supreme Court decided not to hear a cell phone case earlier this week. The justices on Monday declined to review a federal court’s decision from earlier this year that police do not need a warrant to seize and search cell phone records…
