April 17, 2014

avatar

New Research: Cheating on Exams with Smartwatches

A Belgian university recently banned all watches from exams due to the possibility of smartwatches being used to cheat. Similarly, some standardized tests in the U.S. like the GRE have banned all digital watches. These policies seems prudent, since today’s smartwatches could be used to smuggle in notes or even access websites during the test. However, their potential use for cheating goes much farther than that.

As part of my undergrad research at the University of Michigan, I’ve recently been focusing on the security and privacy implications of wearable devices, including how smartwatches might be used for cheating in an exam. Surprisingly, while there’s been interest in the security implications of wearable devices, the focus within the research community has been on how these devices might be attacked rather than on how these devices challenge existing social assumptions.

[Read more...]

avatar

Your TV is spying on you, and what you can do about it

A recent UK observer with a packet sniffer noticed that his LG “smart” TV was sending all his viewing habits back to an LG server. This included filenames from an external USB disk. Add this atop observations that Samsung’s 2012-era “smart” TVs were riddled with security holes. (No word yet on the 2013 edition.)

What’s going on here? Mostly it’s just incompetence. Somebody thought it was a good idea to build these TVs with all these features and nobody ever said “maybe we need some security people on the design team to make sure we don’t have a problem”, much less “maybe all this data flowing from the TV to us constitutes a massive violation of our customers’ privacy that will land us in legal hot water.” The deep issue here is that it’s relatively easy to build something that works, but it’s significantly harder to build something that’s secure and respects privacy.
[Read more...]

avatar

51% foreign test doesn’t protect Americans

One of the notable claims we have heard, in light of the Verizon / PRISM revelations, is that data extraction measures are calibrated to make sure that 51% or more of affected individuals are non-U.S. persons. As a U.S. person, I don’t find this at all reassuring. To see why, let’s think about the underlying statistics.
[Read more...]

avatar

Twenty-First Century Eavesdropping

Yesterday’s revelations about widespread government data collection led me to re-read my nine-post series on “Twenty-First Century Eavesdropping” from back in 2006. I was surprised to see how closely that discussion fit the current facts.

Links to the 2006 posts: 1, 2, 3, 4, 5, 6, 7, 8, 9

avatar

Drones over Princeton: A Goofy Video About a Serious Issue

Last week, privacy attorney Grayson Barber brought her “drone” to CITP in order to do a demo at her talk, “Drones Are Like Flying Computers.” Grayson discussed the many serious legal issues raised by drones (you can watch the video of her presentation here). But her drone takes great video, so I couldn’t resist making a somewhat silly video from the footage that she took during the demo.


(watch the video directly here)

avatar

Are genomes “anonymous data”?

Recently researchers showed that an unknown person’s genome (i.e., the genetic information stored in their DNA) can often be linked to their identity. The researchers used the genome plus some publicly available information to link this information. Just as interesting as the result itself is the way that people talked about it. As an example, here’s the opening paragraph of Gina Kolata’s New York Times story:

The genetic data posted online seemed perfectly anonymous — strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had no part in the study — identifying nearly 50 people.

Why would a genome “seem[] perfectly anonymous”? The genome is almost certainly unique to one person. So at the very least, the genome is a pseudonym. But of course the genome is also correlated with all sorts of physical characteristics of the person that are visible. And police use DNA evidence (parts of a genome) to identify people all the time. That’s hardly anonymous.
[Read more...]

avatar

How the Nokia Browser Decrypts SSL Traffic: A “Man in the Client”

Over the past couple of days there has been some press coverage over security researcher Guarang Pandya’s report that the browser on his Nokia phone was sending all of his traffic to Nokia proxy servers, including his HTTPS traffic. The disturbing part of his report was evidence that Nokia is not just proxying, but actually decrypting the HTTPS traffic. Nokia replied with a statement (in the comments section of Pandya’s blog post, and to several news outlets):

We take the privacy and security of our consumers and their data very seriously. The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans. Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.

Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.

We aim to be completely transparent on privacy practices. As part of our policy of continuous improvement we will review the information provided in the mobile client in case this can be improved.

You can find out more about Nokia’s privacy practices at http://www.nokia.com/privacy.

So, it turns out that Pandya was correct: Nokia is decrypting SSL traffic in their proxy servers. This is not disclosed in their privacy policy, and the somewhat vague assurance of things being done “in a secure manner” is not entirely comforting. Beyond that, the statement gave some other interesting clues. One clue was that this is a feature of the Nokia Xpress Browser, an app that is available for the popular Nokia Lumia phones that run Windows Phone 8. These phones are available from the major US carriers, whereas Pandya’s phone (the Asha) is mostly sold abroad. So I tracked down a Lumia phone, installed Nokia Xpress, and did my own investigation. Results after the jump.

[Read more...]

avatar

Predictions for 2013

After a year’s hiatus, our annual predictions post is back! As usual, these predictions reflect the results of brainstorming among many affiliates and friends of the blog, so you should not attribute any prediction to any individual (including me–I’m just the scribe). Without further ado, the tech policy predictions for 2013:

[Read more...]

avatar

End-to-End Encrypted GMail? Not So Easy

Last week Julian Sanchez urged Google to offer end-to-end encryption for GMail, so that your messages would be known to you and your browser (and your email correspondents) but not to Google itself. Julian explained why this would be a positive step for users and, arguably, for Google itself. Let’s talk about what would be required to make it happen.

We have had standards for end-to-end email encryption for a long time: PGP since at least 1996 and S/MIME since at least 2002. In these systems, each user has a private key that they use to encrypt and digitally sign their email. If two people know each other’s public keys, they can exchange email securely without the network, or even their email services, being able to read or tamper with the messages. This feature has long been supported in desktop email clients. What would we need to make it work for a cloud email service like GMail?
[Read more...]

avatar

Smart Campaigns, Meet Smart Voters

Zeynep pointed to her New York Times op-ed, “Beware the Smart Campaign,” about political campaigns collecting and exploiting detailed information about individual voters. Given the emerging conventional wisdom that the Obama campaign’s technological superiority played an important role in the President’s re-election, we should expect more aggressive attempts to micro-target voters by both parties in future election cycles. Let’s talk about how voters might respond.
[Read more...]