October 6, 2022

Posts Comments

Archives for April 2016

Apple Encryption Saga and Beyond: What U.S. Courts Can Learn from Canadian Caselaw

April 21, 2016 by

It has been said that privacy is “at risk of becoming a real human right.” The exponential increase of personal information in the hands of organizations, particularly sensitive data, creates a significant rise in the perils accompanying formerly negligible privacy incidents. At one time considered too intangible to merit even token compensation, risks of harm to privacy interests have become so ubiquitous in the past three years that they require special attention.

Legal and social changes have for their part also increased potential privacy liability for private and public entities when they promise – and fail – to guard our personal data (think Ashley Madison…). First among those changes has been the emergence of a “privacy culture” — a process bolstered by the trickle-down effect of the Julia Angwin’s investigative series titled “What They Know,” and the heightened attention that the mainstream media now attaches to privacy incidents. Second, courts in various common law jurisdictions are beginning to recognize intangible privacy harms and have been increasingly willing to certify class action lawsuits for privacy infringements that previously would have been summarily dismissed without hesitation.

Prior to 2012, it was difficult to find examples of judicially recognized losses arising from privacy breaches. Since then however, the legal environment in common law jurisdictions and in Canada in particular has changed dramatically. Claims related to privacy mishaps are now commonplace, and there has been an exponential multiplication in the number of matters involving inadvertent communication or improper disposal of personal data, portable devices, and cloud computing.
[Read more…]

Filed Under: Privacy & Security

The Defend Trade Secrets Act and Whistleblowers

April 20, 2016 by

As Freedom to Tinker readers know, I’ve been an active opponent of the federal Defend Trade Secrets Act (DTSA). Though my position on the DTSA remains unchanged, I was both surprised and pleased to see that the revised Defend Trade Secrets Act now includes a narrow, but potentially useful, provision intended to protect whistleblowers from trade secret misappropriation actions.

As attendees at yesterday’s wonderful CITP talk by Bart Gellman were fortunate to hear, whistleblowing remains a critical but imperfect tool of public access to the internal operations of our institutions, from corporations to government. Trade secrecy operates in the opposite direction, and has the robust ability to thwart regulation, limit public accountability, and criminalize whistleblowing. I’ve regularly called trade secrecy the most powerful intellectual property law (IP) tool of information control, as it prevents not just use of, but access to and even knowledge about the very existence of information. Indeed, it surpasses other IP law in that power by a wide margin. Thus, if the DTSA is moving forward, the inclusion of even a limited whistleblower exception in the DTSA is a good thing.

Nonetheless, it is very important to recognize what this provision won’t achieve. As written, the provision prevents liability under federal and state trade secret law for “the disclosure of a trade secret that … is made … in confidence to a Federal, State, or local government official, either directly or indirectly, or to an attorney; and … solely for the purpose of reporting or investigating a suspected violation of law; or … is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal.” Thus, as written, the provision does not appear to immunize sharing trade secret information with the press or the public at large. As Gellman’s work has shown, the press is often the first and only avenue for access to critical information about our public and private black boxes.

[Read more…]

Filed Under: National Security & Surveillance Tagged With: , , , ,

Internet Voting? Really?

April 18, 2016 by

Recently I gave a TEDx talk—I spoke at the local Princeton University TEDx event.  My topic was voting: America’s voting systems in the 19th and 20th century, and should we vote using the Internet?  You can see the talk here:

 

Internet Voting? Really?

 

Filed Under: Other Topics

On distracted driving and required phone searches

April 15, 2016 by

A recent Arstechnica article discussed several U.S. states that are considering adding a “roadside textalyzer” that operates analogously to roadside Breathalyzer tests. In the same way that alcohol and drugs can impair a driver’s ability to navigate the road, so can paying attention to your phone rather than the world beyond. Many states “require” drivers to consent to Breathalyzer tests, where that “requirement” boils down to serious penalties if the driver declines. Vendors like Cellebrite are pushing for analogous requirements, for which they just happen to sell products.
[Read more…]

Filed Under: Privacy & Security Tagged With: , , , , ,

Gone In Six Characters: Short URLs Considered Harmful for Cloud Services

April 14, 2016 by

[This is a guest post by Vitaly Shmatikov, professor at Cornell Tech and once upon a time my adviser at the University of Texas at Austin. — Arvind Narayanan.]

TL;DR: short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force.  Our scan discovered a large number of Microsoft OneDrive accounts with private documents.  Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.  We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.

URL shorteners such as bit.ly and goo.gl perform a straightforward task: they turn long URLs into short ones, consisting of a domain name followed by a 5-, 6-, or 7-character token.  This simple convenience feature turns out to have an unintended consequence.  The tokens are so short that the entire set of URLs can be scanned by brute force.  The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.

Today, we are releasing our study, 18 months in the making, of what URL shortening means for the security and privacy of cloud services.  We did not perform a comprehensive scan of all short URLs (as our analysis shows, such a scan would have been within the capabilities of a more powerful adversary), but we sampled enough to discover interesting information and draw important conclusions.  Our study focused on two cloud services that directly integrate URL shortening: Microsoft OneDrive cloud storage (formerly known as SkyDrive) and Google Maps.  In both cases, whenever a user wants to share a link to a document, folder, or map with another user, the service offers to generate a short URL – which, as we show, unintentionally makes the original URL public.
[Read more…]

Filed Under: Privacy & Security Tagged With: ,