Big Brother’s Still Watching

HomeFederal GovernmentBig Brother’s Still Watching

But mass surveillance is being reined in a bit, technology companies are fighting for our privacy

It happened yet again. This time hackers accessed the computer system of credit reporting agency Experian and stole personal information about some 15 million T-Mobile wireless customers and potential customers, The New York Times reported October 1. The information stolen from Experian servers included social security numbers, home addresses, birthdates and more.

As if to underline the topic’s importance, news of this latest data breach broke the day after the American Civil Liberties Union of Texas hosted its Privacy and Technology Conference at The University of Texas at Austin. The conference featured ACLU experts from Washington, D.C., and New York City, faculty from UT San Antonio and Texas A&M, the Electronic Frontier Foundation, the Texas Electronic Privacy Coalition, and private companies engaged in providing encryption (Merlin Cryption) and preventing computer fraud (ZapFraud).

While some of the speakers talked about our vulnerability to nefarious parties who seek to wreak havoc or make money by hacking the kind of personal information lost in the Experian breach, others talked about another kind of vulnerability: the loss of privacy through mass surveillance conducted by our own government.

The shift to mass surveillance

Alex Abdo
Alex Abdo

Alex Abdo, a staff attorney working on the ACLU’s Speech, Privacy, and Technology Project, argued that fighting governmental surveillance can be good for business and technology companies are now doing so.

Federal law enforcement agencies since the terrorist attacks of September 11, 2001—empowered by the USA PATRIOT Act signed into law barely six weeks later—secretly shifted from targeted surveillance initiated after suspects were identified, to the bulk collection of massive communications that could be stored and sifted later.

In addition, the FBI uses National Security Letters authorized by Section 215 of the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act) to demand personal customer records from financial institutions, Internet service providers, and credit companies.

Letters issued under Section 215 require “the production of any tangible things (including books, records, papers, documents, and other items)” and come with gags to prevent a company from talking about them: “No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section.”

While a federal court must approve issuance of Section 215 letters, many courts did so without much questioning, conference speakers said. But some judges have been pushing back. A Washington Post article of April 24, 2014, reported “Low-level federal judges balking at law enforcement requests for electronic evidence.”

The basis for the push-back is the Fourth Amendment protection against unreasonable searches and seizures and the spreading judicial resistance to overly broad requests.

In addition to the powers granted under the Act, President George W. Bush further authorized intelligence gathering through executive orders. The ACLU challenged these orders in court after exposure by Seymour Hersh in a New York Times article in 2005, Abdo said. “But our clients could not prove they were monitored and so had no standing.”

“We spent the next five years not on the merits of legality but on whether our clients had standing to challenge the law,” Abdo said. The ACLU’s case won in lower courts was upheld by an appeals court but lost in a 5-4 decision of the U.S. Supreme Court in February 2013.

Instead of reforming such surveillance, Abdo said, it was codified.

Snowden disclosures changed everything

The Supreme Court decision came three months before the first disclosures about massive intelligence gathering were made public by former CIA employee and government contractor Edward Snowden in June 2013, Abdo said.

Those disclosures revealed that since 2006 Section 215 had been relied on to order telecommunications companies to turn over customer records on a daily basis, he said. The ACLU, a customer of Verizon, used the Snowden disclosures to gain legal standing. Congress and the courts got involved, and the program was ruled unlawful.

“These disclosures unsettled the public and created a market for privacy,” Abdo said, citing studies done by the Pew Research Center.

“That galvanized the industry and created an adversarial position with government against overreaching access to information storied by companies,” he said.

Has that led to better privacy?

“I think it has,” Abdo said.

Tech companies fighting back

“Companies have modified their policies. And major companies have sued to allow more disclosure of what they were asked to provide.”

Companies also disclosed the fact they were fighting requests for disclosures before turning information over to government, a costly battle given that they receive “tens of thousands of requests.”

“Pretty much every tech company now requires a warrant before releasing information,” Abdo said. Warrants require a higher degree of justification to get court approval.

Tech companies also use “canaries” in public reports to signal they have never received a Section 215 letter, Abdo said. “If they omit that statement in future reports it will reveal that they have received a Section 215 letter.”

Major U.S. tech companies and privacy organizations—which banded together as the Reform Government Surveillance coalition—published an open letter to President Obama, the NSA director and others demanding major changes in how the county conducts domestic surveillance programs, Business Insider reported March 25, 2015.

Section 215 amended

President Obama signed a four-year extension of the PATRIOT Act in May 2015 but parts of the Act expired. In June 2015, Section 215 was amended to “stop the NSA from continuing its mass phone data collection program. Instead, companies will retain the data and the NSA can obtain information about targeted individuals with permission from a federal court,” a Wikipedia article states.

Abdo said, “We are starting to see companies recognize that data is a liability and if they don’t need it, don’t store it. If you do need it, secure it (because) every hack has led to massive class-action lawsuits.”

Newest products most vulnerable

While massive data breaches like the one that hit Experian are increasingly common—and we as consumers can only hope that companies having our data are building better defenses against cyber attacks—consumers are nevertheless unwittingly aiding and abetting hackers. With little awareness of the risks, our penchant for the latest and greatest cars and appliances is leading us into perilous territory.

So-called “smart cars” (smart meaning Internet-connected cars, not the brand Smart) can be hacked and disabled by remote control. Samsung TVs with built-in webcams can be hacked to allow surreptitiously watching whoever is watching programs. Thermostats and refrigerators connected to the Internet can be hacked to gain access to routers and computers on the same networks.

Chris Soghoian
Chris Soghoian

Chris Soghoian, PhD, principal technology and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, detailed how researchers hacked a Jeep Cherokee’s Internet connection to wirelessly disable the vehicle’s transmission while the car was being driven at 50 mph—while the car’s windshield washers were splashing, the radio was blaring hip-hop full-blast, and the hackers’ images appeared on the car’s digital display. Then they disabled the brakes, leaving the SUV to drift into a ditch while the writer driving the vehicle pumped the brake pedal in vain.

Writer Andy Greenberg told the story in his Wired article of July 21, 2015. This hack was only a demonstration but it could’ve been made worse by killing the engine or, if the car were in reverse, taking control of the steering.

All the researchers needed to accomplish this hack was the car’s IP address, which they had a means of gaining.

The researchers shared the information with Jeep maker Chrysler and a patch was released, but it required manual implementation. Even “smart” cars can’t download a software patch over the Internet like we can for our computers and phones. So it’s likely that many of these cars will never be updated to prevent such hacks.

Soghoian said this demonstration triggered the recall of 1.4 million cars. (See Fiat Chrysler Automobiles recall notice issued July 24, 2015, which indicated owners would be provided a USB device they could use to upgrade their vehicle’s software.)

The researchers also published parts of the code they used in the demonstration, much to the dismay of the carmaker, but justified the help the code might provide to malicious hackers by stating it provided a means for peer review.

“It also sends a message: Automakers need to be held accountable for their vehicles’ digital security,” the article stated. “If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers. … This might be the kind of software bug most likely to kill someone.”

Jeeps are not the only cars vulnerable to hacks. Every new General Motors vehicle comes equipped with OnStar services that provide automatic crash response, remote services, and the option to make the car a mobile Wi-Fi hotspot. But it took the manufacturer five years to fix the OnStar’s vulnerability to a hacker’s ability to fully take over control, Soghoian said.

“That’s a horror story of the ‘Internet of things,’ ” he said, referring to the “networking of physical objects embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data.”

“We gone from having dumb devices that work in a predictable way to being vulnerable to software hacks,” he said.

Android phones not secure

“Android cell phones are not updated,” Soghoian said. “Google doesn’t have the capability to give you upgrades,” he said, “so most consumers don’t get regular updates.”

The result: “There is a smart phone security crisis,” he said, pointing to a July 27, 2015, article in the technology publication Ars Technica headlined “950 million Android phones can be hijacked by malicious text messages.”

One caveat: Android phones sold by Google under the Nexus brand and equipped with Google Play are regularly updated, but other brands making Android phones get software updates slowly, if ever, according to a CNET article published October 1, 2015.

Soghoian said the ACLU filed a complaint with the Federal Trade Commission over the vulnerability of Android phones coupled with the fact that consumers were locked into two-year contracts, but the FTC took no action.

Let the buyer beware

Don’t look to lawmakers to help, Soghoian said. Congress is doing nothing about this problem. “We’re on our own right now and it will be a long time before Washington wakes up to these security problems,” he said.

An exception to that neglect among legislators is that Senators Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) have introduced automotive security legislation, the Security and Privacy in Your Car Act.

So what can we do in the meantime?

Regularly update the software on your cell phone, which may be remotely activated and used to eavesdrop on nearby conversations, as detailed in a CNET article nine years ago, when the FBI was authorized by a court and used that technique to surveil a suspected criminal.

Prevent electronic peeping by putting a sticker over your webcams.

“Think twice about buying a smart TV,” Soghoian advised, and instead buy devices like Apple TV or Roku to connect your television to Internet services.

If you have a smart refrigerator or thermostat, then it should be put on a “quarantined” wireless network that is separate from—and cannot connect to—your computers.

It’s a business problem

Soghoian said that manufacturers have a problem with business models that require providing ongoing services, as in regular software updates that prevent security breaches, but which provide no revenue for that support. As examples, he noted that Google no longer supports TVs made before 2012 and Microsoft no longer supports its aged Windows XP operating system.

Smart cars need updates but companies do not profit from providing them, he said.

“It’s not a technical problem, it’s a business problem,” Soghoian said. “Our relationship with manufacturers doesn’t go forward. The companies we send a check to every month are the companies that can afford to update systems; they have resources and business incentives.”

Companies put computers in devices but they don’t think of themselves as tech companies so they don’t make security a priority.

“With power comes responsibilities,” he said. “Companies have huge power but have not accepted responsibility.”

Congratulations. It looks like you’re the type of person who reads to the end of articles. Now that you’re informed on this topic we want your feedback.

Related Content

Patient Privacy Sacrificed as State Agency Sells Data

Posted Sunday September 26, 2010 4:49pm
Updated Thursday September 30, 2010 11:06am
Hospital Patient Privacy Sacrificed as
State Agency Sells or Gives Away Data

Technology Used by For-Profit Companies
Strips Away Inadequate Layers of Security

Investigative Report by Suzanne Batchelor
© The Austin Bulldog 2010

Maybe you, like so many others, couldn't get away on vacation this summer. Never mind. If you were a patient in a Texas hospital in the past ten years, the intimate details of your hospital stay made the trip for you. This could be your souvenir: “My hospital story went to Colorado, Arizona, California, New Jersey, Ohio, Tennessee, Washington, D.C., Dallas, Texas, and maybe my employer, and all I got was—heck, not even a T-shirt.”

Let’s say your spouse suffered a heart attack three years ago, was successfully treated at a Texas hospital, and today gratefully eats a Mediterranean diet. You might be surprised to learn that the intimate details of that hospital stay—not just the diagnosis, surgeries, and who paid the bill, but your spouse’s date of birth, gender, and address—were sold by the Texas Department of State Health Services (DSHS). The detailed story of that hospital stay now sits in computers across the country.

The data about hospital inpatients that DSHS collects and distributes is invaluable in public-health and medical research, such as a study of children with asthma in the Rio Grande Valley. But just as often it is non-physicians who use, sell, and re-sell hospital-patient data again and again, generating profit and imperiling personal privacy.

The same patient-data files are sold or given to trade groups, lobbyists, businesses, and even anonymous downloaders. All without your consent.

Broadband Access Sure Way to Spur Economic Growth

Posted Wednesday June 30, 2010 8:31am

Broadband Internet Is a Sure Way
to Help Spur Economic Growth

But Do All Texans Have Access?
Commentary by Luisa Handem Piette

Luisa Handem PietteThe long-awaited broadband map of Texas was released to the public on June 16—well over a year since the American Recovery and Reinvestment Act of 2009 (Stimulus Package) was signed into law, with $7.2 billion in funds earmarked for broadband expansion. The map boasts the use of new interactive broadband mapping platform, BroadbandStat, which allows a street-level view of broadband availability. It also provides the ability to continually enhance and upgrade the data, and gives users the ability to search by address and see the type of technologies used in their service areas, as well as their choice of providers and costs.

The Texas broadband map was created by Connected Texas, a subsidiary of Connected Nation, a 501(c)(3) nonprofit based in Washington, D.C., that was hired a year ago by the Texas Department of Agriculture and the Public Utility Commission of Texas.

A fundamental requirement for the distribution of stimulus funds has been the determination of need and the geographical location of those who lack broadband access, particularly in rural and remote communities. Connected Texas says that the Texas broadband map—which includes data from 123 state providers—indicates that 3.5 percent of Texas households, approximately 257,000 residences, mostly in rural regions, do not have access to home broadband service. This, says Texas Agriculture Commissioner Todd Staples, hinders opportunities for business development and access to telemedicine, higher education and e-government.

Broadband mapping errors

The much-anticipated findings are, at best, inaccurate and, in the worst case scenario, may be deceptive, due to multiple errors. One of the problems the map presents is that, in some instances, it shows coverage where there is none, and lack of coverage where there has been broadband presence for quite some time. Another difficulty the map presents is that it indicates wireless presence where there has never been any known provider, as is the case in Hood and Somervell counties.



What's really going on in government?

Keep up with the best investigative reporting in Austin.

Donate to the Bulldog

Our critical accountability journalism wouldn't be possible without the generous donations of hundreds of Austinites. Join them and become a supporter today!