e dot dot dot
a mostly about the Internet blog by



Companies Are Selling Cops Access To Personal Data Harvested From Malicious Hacking And Data Breaches

Furnished content.


There's a new way for cops to get information about suspects and it involves people who've already been victimized by criminal acts and/or careless handling of personal data by corporations. As Joseph Cox reports for Motherboard, law enforcement agencies are using third-party services to gain access to personal info derived from data breaches.

Hackers break into websites, steal information, and then publish that data all the time, with other hackers or scammers then using it for their own ends. But breached data now has another customer: law enforcement.
Some companies are selling government agencies access to data stolen from websites in the hope that it can generate investigative leads, with the data including passwords, email addresses, IP addresses, and more.
This is what SpyCloud offers to government agencies: one-stop shopping for a wealth of personal data -- including login info and passwords -- that agencies can't find anywhere else. SpyCloud says it's "empowering" investigators by giving them data they can "use against criminals."
That sounds very noble, but most of what's obtained from data breaches and malicious hacking is information about non-criminals. And it's unclear under what authority law enforcement agencies are searching SpyCloud's collection of data. Using a third party like SpyCloud allows law enforcement to bypass judicial review of warrants and subpoenas, which are normally used to obtain information directly from relevant companies once investigators have the reasonable suspicion needed to move ahead with this step. This new method of collecting information ignores all of that to give investigators a stock pond for fishing expeditions.
Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, told Motherboard in an email, "it's disturbing that law enforcement can simply buy their way into obtaining vast amounts of account information, even passwords, without having to obtain any legal process."
"Normally, if the police want to find out, say, what IP address is associated with a particular online account, they do have to serve legal process on the service provider. This is an end-run around the usual legal processes. We impose those requirements on law enforcement for good reason," she added.
Tons of info is served up by SpyCloud, including email accounts, IP addresses, passwords, user names, and phone numbers. This may streamline things for investigators, but law enforcement isn't supposed to be easy. It's supposed to be reined in by checks and balances. SpyCloud says the hell with all of that, allowing agencies to get everything in one place without having to check with a judge first.
This stash could also give investigators a head start when attempting to crack encrypted devices. Password reuse is common and a data storehouse full of passwords linked to suspects could give cops a way to crack open devices without having to worry too much about the Fifth Amendment. The Fourth Amendment, however, could prove more problematic. But the data obtained via SpyCloud is pretty much tailored for parallel construction, allowing investigators to get the info they want before working backwards to paper over the data's origin with subpoenas and warrants asking companies to provide information investigators already have.
SpyCloud itself poses an additional risk for everyone. Gathering up data from breaches and malicious hacking and putting it all in one place makes SpyCloud an attractive option for law enforcement agencies. It also makes it a very tempting target for criminals, who would also like a one-stop shop for personal info and passwords.
And then there's the problem of abuse, both by government employees and SpyCloud's own staff. This is an inevitability. Law enforcement's access is already somewhat abusive, as it appears to be occurring in a legal vacuum and involves the personal data of thousands (or millions) of non-suspects. But the potential for greater abuse -- the use of the data to collect information about anyone an officer has a non-professional interest in -- is omnipresent.
Finally, SpyCloud and its government users can't even argue these are all public domain records that anyone can access simply by tracking down publicly posted stashes obtained from hacking and data breaches. SpyCloud is compiling data from sources that aren't publicly available and selling this to cop shops as well.
[Co-founder Dave] Endler said that SpyCloud has a human intelligence team, whose work involves "developing relationships with sock puppets, alternate personas" to obtain data. Endler said SpyCloud also cracks passwords; datasets often only contain a hash, or a cryptographic fingerprint of a user's password. Once cracked, an investigator can see what a user's real password was; perhaps a useful clue in linking together accounts that share a password.
A lot of what's in this stash SpyCloud is cultivating and selling are third-party records. But in the legal sense, third-party records stand outside the Fourth Amendment's protection when they're obtained directly from the third party collecting them. Another party offering access to third-party records belonging to others isn't the kind of "third party" this doctrine pertains to. What courts will make of this is unknown. But law enforcement agencies already purchase third-party data from middlemen, suggesting these entities are aware they're operating in an area untouched by precedent and are willing to do things they probably shouldn't just because no judge has told them that they can't.


posted at: 12:00am on 15-Jul-2020



Google Finally Gets Around To Banning Ads For Stalkerware

Furnished content.


Stalkerware is one of those things that most people never would have considered when technologies were being developed, but which in hindsight come off as practically inevitable. These apps are oftentimes named as if they were chiefly marketed to parents trying to keep tabs on their kids, but they are also specifically advertised as ways to stalk current romantic partners and exes. They are all different flavors of creepily allowing a person to snoop on the location and activities of an unsuspecting other person. The whole concept is so obviously evil that it's a wonder any platform would allow these apps to be sold in the first place, and yet it was only in 2019 that Google managed to ban them from its app store.

Antivirus company Avast said Wednesday that it's found seven stalkerware apps available on Android's market. In all, they had been installed more than 130,000 times. Google removed four of the apps after Avast reported the privacy violations on Tuesday, and removed the last three on Wednesday. Google said its policy prohibits commercial spyware apps and encourages people to report any apps that violate its standards.
Since then, Google has regularly had to purge new creepy entrants into the stalking marketplace, but it has done its best to keep up. Because, as Google stated in its policy above, such apps are prohibited on the app store.
But not in Google's advertisements, apparently, at least up until this past week.
In an ad policy update this week, Google said that beginning August 11 it will prohibit ads for products or services marketed for secretly tracking or monitoring someone. This includes, but is not limited to:
Spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent; promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.
Credit where it's due: Google's change in policy is good. And, given the massive ecosystem that is Google's advertising system, it's easy to imagine how the company might not have been initially prepared for the review and purges necessary to keep these sorts of ads off its platform.
But the truth is that's a massively weak caveat, given the nature of these ads. Reading Google's description of the types of ads that are newly banned, it practically yanks the follow-up question out of your mouth: Wait, why did you ever allow ads for this sort of thing in the first place? As the Gizmodo post notes, Google has been aware of just how big a problem stalkerware has been on its platforms since at least 2018, and almost certainly before. How has this possibly taken this long?


posted at: 12:00am on 15-Jul-2020


