Big Brother’s Still Watching


But mass surveillance is being reined in a bit, and technology companies are fighting for our privacy

It happened yet again. This time hackers accessed the computer system of credit reporting agency Experian and stole personal information about some 15 million T-Mobile wireless customers and potential customers, The New York Times reported October 1. The information stolen from Experian servers included Social Security numbers, home addresses, birthdates and more.

As if to underline the topic’s importance, news of this latest data breach broke the day after the American Civil Liberties Union of Texas hosted its Privacy and Technology Conference at The University of Texas at Austin. The conference featured ACLU experts from Washington, D.C., and New York City, faculty from UT San Antonio and Texas A&M, the Electronic Frontier Foundation, the Texas Electronic Privacy Coalition, and private companies engaged in providing encryption (Merlin Cryption) and preventing computer fraud (ZapFraud).

While some of the speakers talked about our vulnerability to nefarious parties who seek to wreak havoc or make money by hacking the kind of personal information lost in the Experian breach, others talked about another kind of vulnerability: the loss of privacy through mass surveillance conducted by our own government.

The shift to mass surveillance

Alex Abdo

Alex Abdo, a staff attorney working on the ACLU’s Speech, Privacy, and Technology Project, argued that fighting governmental surveillance can be good for business, and that technology companies are now doing so.

Since the terrorist attacks of September 11, 2001, federal law enforcement and intelligence agencies, empowered by the USA PATRIOT Act signed into law barely six weeks later, secretly shifted from targeted surveillance initiated after suspects were identified to the bulk collection of communications records that could be stored and sifted later.

In addition, the FBI uses orders issued under Section 215 of the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) to demand personal customer records from financial institutions, Internet service providers, and credit companies. (Section 215 orders are often discussed together with National Security Letters, but the two are distinct: an NSL is issued by the FBI itself under other statutes, without a court order.)

Orders issued under Section 215 require “the production of any tangible things (including books, records, papers, documents, and other items)” and come with gags to prevent a company from talking about them: “No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section.”

While a federal court (the Foreign Intelligence Surveillance Court) must approve each Section 215 order, conference speakers said such approvals came with little questioning. Some judges have been pushing back against overly broad requests for electronic evidence more generally. A Washington Post article of April 24, 2014, reported “Low-level federal judges balking at law enforcement requests for electronic evidence.”

The basis for the push-back is the Fourth Amendment protection against unreasonable searches and seizures and the spreading judicial resistance to overly broad requests.

In addition to the powers granted under the Act, President George W. Bush authorized warrantless intelligence gathering through executive orders. The ACLU challenged that program in court after The New York Times exposed it in December 2005 (in reporting by James Risen and Eric Lichtblau), Abdo said. “But our clients could not prove they were monitored and so had no standing.”

“We spent the next five years not on the merits of legality but on whether our clients had standing to challenge the law,” Abdo said. The ACLU’s challenge was dismissed for lack of standing by a district court, revived by a federal appeals court, and finally lost in a 5-4 decision of the U.S. Supreme Court in February 2013 (Clapper v. Amnesty International).

Instead of reforming such surveillance, Abdo said, Congress codified it, in the FISA Amendments Act of 2008; that statute was the law the ACLU’s clients were ultimately found to lack standing to challenge.

Snowden disclosures changed everything

The Supreme Court decision came three months before the first disclosures about massive intelligence gathering were made public by former CIA employee and government contractor Edward Snowden in June 2013, Abdo said.

Those disclosures revealed that since 2006 Section 215 had been relied on to order telecommunications companies to turn over customer call records in bulk, on a daily basis, he said. The ACLU, itself a Verizon customer, used the leaked order to establish standing and sued. Congress and the courts got involved, and in May 2015 a federal appeals court ruled the program unlawful, holding that Section 215 did not authorize it.

“These disclosures unsettled the public and created a market for privacy,” Abdo said, citing studies done by the Pew Research Center.

“That galvanized the industry and created an adversarial position with government against overreaching access to information stored by companies,” he said.

Has that led to better privacy?

“I think it has,” Abdo said.

Tech companies fighting back

“Companies have modified their policies. And major companies have sued to allow more disclosure of what they were asked to provide.”

Companies also disclosed the fact they were fighting requests for disclosures before turning information over to government, a costly battle given that they receive “tens of thousands of requests.”

“Pretty much every tech company now requires a warrant before releasing information,” Abdo said. A warrant must be approved by a judge on a showing of probable cause, a higher bar than a subpoena or a National Security Letter.

Tech companies also publish “warrant canaries” in their transparency reports: a standing statement that they have never received a Section 215 order, Abdo said. “If they omit that statement in future reports it will reveal that they have received a Section 215 letter.” The gag forbids saying that an order arrived, but nothing forces a company to keep repeating that one has not.
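The canary mechanic in code, as an added example (not from the article, the ACLU, or any company’s transparency-report tooling). The report format, a “Published:” line plus one fixed canary sentence, is an assumption for illustration, and real canaries are normally PGP-signed, which this example does not show. What the code makes explicit beyond the paragraph is that two checks matter, not one: the sentence must match exactly (a hedged rewording is as telling as an omission, since a gagged publisher cannot explain the change), and it must keep being re-dated (a canary that is still present but has not been re-asserted in months says nothing about the period since).

```python
"""Warrant-canary check across successive transparency reports.

Added example, not code from the article, the ACLU, or any company's
transparency-report tooling. The report format (a "Published:" line plus one
fixed canary sentence) is an assumption for illustration; real canaries are
usually PGP-signed, and signature verification is not shown here.
"""
import re
from datetime import date, timedelta

# The exact sentence the publisher commits to repeating verbatim in every
# report. Only a character-for-character match counts: a hedged rewording
# ("we have not received ... this quarter") is treated like an omission,
# because a gagged publisher cannot explain why the wording changed.
CANARY_STATEMENT = "We have never received a Section 215 order."

# A canary only means something if it is re-asserted on schedule. A report
# older than this is "stale": it says nothing about the period since.
MAX_AGE_DAYS = 120

_DATE_RE = re.compile(r"^Published:\s*(\d{4}-\d{2}-\d{2})\s*$", re.MULTILINE)


def published_on(report_text):
    """ISO date from the report's 'Published:' line, or None if it has none."""
    m = _DATE_RE.search(report_text)
    return m.group(1) if m else None


def check_canary(report_text, today, max_age_days=MAX_AGE_DAYS):
    """Classify one report as 'ok', 'stale' or 'tripped'.

    'tripped' means the statement is absent or altered, which is the only
    signal a publisher under a gag order is able to give.
    """
    if CANARY_STATEMENT not in report_text:
        return "tripped"
    published = published_on(report_text)
    if published is None:
        return "stale"
    age = date.fromisoformat(today) - date.fromisoformat(published)
    if age > timedelta(days=max_age_days):
        return "stale"
    return "ok"


def watch(reports, today):
    """Check a series of reports, oldest first; return (status, index).

    Presence is checked in every report, because a canary that disappeared
    once stays tripped even if later reports quietly restore the sentence.
    Freshness is judged only against the newest report.
    """
    for i, text in enumerate(reports):
        if CANARY_STATEMENT not in text:
            return "tripped", i
    last = len(reports) - 1
    return check_canary(reports[last], today), last


# Constructed sample reports (not real company documents).
REPORT_Q2 = """Transparency Report, Q2 2015
Published: 2015-07-15
Government requests received: 214
We have never received a Section 215 order.
"""

REPORT_Q3 = """Transparency Report, Q3 2015
Published: 2015-10-15
Government requests received: 233
We have not received any Section 215 order this quarter.
"""

if __name__ == "__main__":
    print(check_canary(REPORT_Q2, "2015-10-20"))        # ok
    print(check_canary(REPORT_Q2, "2016-03-01"))        # stale
    print(check_canary(REPORT_Q3, "2015-10-20"))        # tripped
    print(watch([REPORT_Q2, REPORT_Q3], "2015-10-20"))  # ('tripped', 1)
```

The Q3 report above still talks about Section 215, but its softened wording no longer matches the committed sentence, so the checker treats it as tripped rather than guessing at the publisher’s intent; that strictness is the whole value of a canary, and it is why the statement and the publishing cadence should be fixed in advance and never edited casually.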

Major U.S. tech companies (organized as the Reform Government Surveillance coalition), together with privacy organizations, published an open letter to President Obama, the NSA director and others demanding major changes in how the country conducts domestic surveillance programs, Business Insider reported March 25, 2015.

Section 215 amended

Congress had extended Section 215 and two other expiring PATRIOT Act provisions several times, most recently in a four-year extension President Obama signed in May 2011. Those provisions lapsed on June 1, 2015. The next day the president signed the USA FREEDOM Act, which restored Section 215 in amended form to “stop the NSA from continuing its mass phone data collection program. Instead, companies will retain the data and the NSA can obtain information about targeted individuals with permission from a federal court,” a Wikipedia article states.

Abdo said, “We are starting to see companies recognize that data is a liability and if they don’t need it, don’t store it. If you do need it, secure it (because) every hack has led to massive class-action lawsuits.”

Newest products most vulnerable

While massive data breaches like the one that hit Experian are increasingly common—and we as consumers can only hope that companies having our data are building better defenses against cyber attacks—consumers are nevertheless unwittingly aiding and abetting hackers. With little awareness of the risks, our penchant for the latest and greatest cars and appliances is leading us into perilous territory.

So-called “smart cars” (smart meaning Internet-connected, not the Smart brand) can be hacked and disabled by remote control. Samsung TVs with built-in webcams can be hacked to let an intruder surreptitiously watch whoever is watching. Thermostats and refrigerators connected to the Internet can be hacked and used as a foothold to reach routers and computers on the same network.

Chris Soghoian

Chris Soghoian, PhD, principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, detailed how researchers hacked a Jeep Cherokee’s Internet connection to wirelessly disable the vehicle’s transmission while the car was being driven at 50 mph, with the windshield washers splashing, the radio blaring hip-hop at full volume, and the hackers’ images appearing on the car’s digital display. Then they disabled the brakes, leaving the SUV to drift into a ditch while the writer driving the vehicle pumped the brake pedal in vain.

Writer Andy Greenberg told the story in his Wired article of July 21, 2015. This hack was only a demonstration but it could’ve been made worse by killing the engine or, if the car were in reverse, taking control of the steering.

All the researchers needed to accomplish this hack was the target vehicle’s IP address on Sprint’s cellular network, which the car’s Uconnect head unit exposed; they showed they could scan that network to find vulnerable vehicles.

The researchers shared their findings with Jeep maker Chrysler and a patch was released, but the head unit could not install it over the air: owners had to load it from a USB stick or have a dealer do it. Many connected cars still cannot download a software patch over the Internet the way our computers and phones do, so it is likely that many of these cars will never be updated to prevent such hacks.

Soghoian said this demonstration triggered the recall of 1.4 million cars. (See Fiat Chrysler Automobiles recall notice issued July 24, 2015, which indicated owners would be provided a USB device they could use to upgrade their vehicle’s software.)

The researchers also published parts of the code they used in the demonstration, much to the dismay of the carmaker, but justified the help the code might provide to malicious hackers by stating it provided a means for peer review.

“It also sends a message: Automakers need to be held accountable for their vehicles’ digital security,” the article stated. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. … This might be the kind of software bug most likely to kill someone.”

Jeeps are not the only cars vulnerable to hacks. Every new General Motors vehicle comes equipped with OnStar services that provide automatic crash response, remote services, and the option to make the car a mobile Wi-Fi hotspot. But it took the manufacturer five years to fix an OnStar vulnerability that let a hacker take full control of the vehicle, Soghoian said.

“That’s a horror story of the ‘Internet of things,’ ” he said, referring to the “networking of physical objects embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.”

“We’ve gone from having dumb devices that work in a predictable way to being vulnerable to software hacks,” he said.

Android phones not secure

“Android cell phones are not updated,” Soghoian said. “Google doesn’t have the capability to give you upgrades,” he said, “so most consumers don’t get regular updates.”

The result: “There is a smart phone security crisis,” he said, pointing to a July 27, 2015, article in the technology publication Ars Technica headlined “950 million Android phones can be hijacked by malicious text messages” (the “Stagefright” flaws in Android’s media-processing library, which a phone could trigger while parsing a multimedia message before the user ever opened it).

One caveat: Android phones sold by Google under the Nexus brand and equipped with Google Play are regularly updated, but other brands making Android phones get software updates slowly, if ever, according to a CNET article published October 1, 2015.

Soghoian said the ACLU filed a complaint with the Federal Trade Commission over the vulnerability of Android phones coupled with the fact that consumers were locked into two-year contracts, but the FTC took no action.

Let the buyer beware

Don’t look to lawmakers to help, Soghoian said. Congress is doing nothing about this problem. “We’re on our own right now and it will be a long time before Washington wakes up to these security problems,” he said.

An exception to that neglect among legislators is that Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have introduced automotive security legislation, the Security and Privacy in Your Car Act.

So what can we do in the meantime?

Regularly update the software on your cell phone. A phone’s microphone can be remotely activated and used to eavesdrop on nearby conversations, a technique the FBI used, with court authorization, to surveil a suspected criminal, as a CNET article reported in 2006.

Prevent electronic peeping by putting a sticker over your webcams.

“Think twice about buying a smart TV,” Soghoian advised, and instead buy devices like Apple TV or Roku to connect your television to Internet services.

If you have a smart refrigerator or thermostat, put it on a “quarantined” wireless network that is separate from, and cannot open connections to, the network your computers use.
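What that quarantine means at the packet level, as an added example (not from the article or from any router or firewall vendor): a small model of the stateful zone policy a home router would enforce between an “iot” network, the “lan” your computers use, and the Internet. The host names, zone names and rule format are assumptions for illustration. The point the paragraph leaves implicit, and the model makes explicit, is that the isolation must be one-directional and stateful: the appliance can never open a connection to your computers, but you can still reach it, and its replies get through only because they belong to a connection you opened.

```python
"""Stateful zone policy for a quarantined IoT wireless network.

Added example, not from the article or from any router or firewall vendor.
The zone names, the rule format and the sample devices are assumptions made
for illustration. The evaluation order (connection-tracking lookup first,
then first-match rules for new connections, then a default drop) follows the
way iptables/nftables rulesets for this kind of split are usually written.
"""

# A rule is (src_zone, dst_zone, verdict); "*" matches any zone. Rules apply
# only to packets that open a NEW connection; replies ride on the conntrack
# entry created when the opening packet was accepted.
QUARANTINE = [
    ("iot", "lan", "drop"),    # appliances may not initiate into computers
    ("iot", "wan", "accept"),  # but may still reach their vendor's cloud
    ("lan", "iot", "accept"),  # and you can still open the thermostat's page
    ("lan", "wan", "accept"),
    ("*", "*", "drop"),        # default deny
]

FLAT = [("*", "*", "accept")]  # one network for everything: no isolation


class ZoneFirewall:
    """Minimal stateful packet filter: zones, first-match rules, conntrack."""

    def __init__(self, rules, zone_of):
        self.rules = rules
        self.zone_of = zone_of      # host name -> zone name
        self.conntrack = set()      # accepted flows, direction-insensitive

    @staticmethod
    def _flow(src, sport, dst, dport):
        # A flow is identified by its two endpoints regardless of direction,
        # so the reply to an accepted connection matches the same entry
        # while a fresh connection on another port does not.
        return frozenset([(src, sport), (dst, dport)])

    def packet(self, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one packet."""
        flow = self._flow(src, sport, dst, dport)
        if flow in self.conntrack:
            return "accept"         # ESTABLISHED: vetted when it was opened
        src_zone, dst_zone = self.zone_of[src], self.zone_of[dst]
        for rule_src, rule_dst, verdict in self.rules:
            if rule_src in ("*", src_zone) and rule_dst in ("*", dst_zone):
                if verdict == "accept":
                    self.conntrack.add(flow)
                return verdict
        return "drop"               # no rule matched: default deny


# Constructed household (hypothetical hosts and zones).
ZONE_OF = {
    "laptop": "lan", "nas": "lan",
    "thermostat": "iot", "tv": "iot",
    "vendor-cloud": "wan",
}


def demo(rules):
    """Replay one packet sequence through a policy; return the verdicts."""
    fw = ZoneFirewall(rules, ZONE_OF)
    return [
        fw.packet("laptop", 51000, "thermostat", 443),  # you open the app
        fw.packet("thermostat", 443, "laptop", 51000),  # its reply to you
        fw.packet("thermostat", 40000, "laptop", 445),  # it probes your SMB
        fw.packet("tv", 40001, "nas", 445),             # compromised TV -> NAS
        fw.packet("tv", 40002, "vendor-cloud", 443),    # TV phones home
    ]


if __name__ == "__main__":
    print(demo(QUARANTINE))  # ['accept', 'accept', 'drop', 'drop', 'accept']
    print(demo(FLAT))        # ['accept', 'accept', 'accept', 'accept', 'accept']
```

On a real router the same policy is a guest or IoT SSID on its own VLAN with a rule set that accepts established traffic, accepts new connections from the computer network into the IoT network and from either network to the Internet, and drops everything else; the third and fourth packets above are exactly the ones a compromised appliance would send, and they are the only ones the flat network lets through.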

It’s a business problem

Soghoian said manufacturers have a business-model problem: their products need ongoing service in the form of regular security updates, but that support produces no revenue. As examples, he noted that Google no longer supports TVs made before 2012 and Microsoft no longer supports its aged Windows XP operating system.

Smart cars need updates but companies do not profit from providing them, he said.

“It’s not a technical problem, it’s a business problem,” Soghoian said. “Our relationship with manufacturers doesn’t go forward. The companies we send a check to every month are the companies that can afford to update systems; they have resources and business incentives.”

Companies put computers in devices but they don’t think of themselves as tech companies so they don’t make security a priority.

“With power comes responsibilities,” he said. “Companies have huge power but have not accepted responsibility.”
