CAT | cellular
Engineers at Golden Frog recently discovered that Cricket wireless was automatically disabling their email encryption.
It is not at all clear why they were doing this, but we do know how. When an email client attempts to make a secure connection to a server, it sends a STARTTLS command. If the server never sees the STARTTLS, then it assumes you just wanted an insecure connection. (more…)
Since it was introduced, Apple has had the ability to decrypt the contents if iPhones and other iOS devices when asked to do so (with a warrant).
Apple recently announced that with iOS 8 Apple will no longer be able to do so. Predictably, there has been a roar of outrage from many in law enforcement. [[Insert my usual rant about how recent trends in technology have been massively in favor of law enforcement here]].
This is really about much more than keeping out law enforcement, and I applaud Apple for (finally) taking this step. They have realized what was for Anonymizer a foundational truth. If data is stored and available, it will get out. If Apple has the ability to decrypt phones, then the keys are available within Apple. They could be taken, compromised, compelled, or simply brute forced by opponents unknown. This is why Anonymizer has never kept data on user activity.
Only by ensuring that they can not do so can Apple provide actual security to it customers against the full range of threats, potentially least of which is US law enforcement.
When you think your phone is connected to your wireless provider, you might actually be connected to a rogue tower set up to capture your data.
Such devices have been demonstrated at the Black Hat security conference and a law enforcement fake tower called “Stingray” has been known for some time. Recently sophisticated secure phones have been able to detect these fake towers and people are starting to map them. Popular Science covered it here, and here.
There is very little transparency around law enforcement or US Intelligence use of such devices, so the could just as easily be operated by foreign intelligence services, criminals, or hackers. If we had strong end to end encryption there would be little to worry about, but many Internet connections and all phone calls are vulnerable to this attack.
In a unanimous decision, the Supreme Court ruled that police must obtain a warrant before searching suspect’s cellphone. Before this, cellphones were treated just like anything else a suspect might carry, including wallet, keys, address book, or various other “pocket litter”.
Police are generally allowed to search suspects for weapons and to prevent the distraction of evidence. Because of the massive amount of storage on a modern smartphone, and its direct connection into so many other stores of data and communications, the court felt that the contents of these devices was qualitatively different and deserving of greater protection.
It is important to remember that the police can still take the phone, and that they can then get a warrant to search it if there is probable cause. They are simply prevented from searching it without the warrant, possibly in the hope (but not expectation) of finding evidence.
This decision may lay the groundwork for according similar protections to cloud stored data, which once would have been kept in the home in hard copy. Law enforcement officials claim that technology is making life easier for criminals and harder for law enforcement. I find that hard to believe and have not seen any really good studies of the matter. If you have, please let me know!
It strikes me that the routine preservation of emails and other communications, along with the massive use of server logged communications from text messages to social media, actually makes things much easier for law enforcement on the whole.
The fact that the decision was unanimous suggests that we may be entering a period of re-evaluating outdated precedents from the pre-internet era.
Some key quotes from the decision:
- Regarding treating phones like other pocket litter – “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon,”
- On the impact on law enforcement – “Privacy comes at a cost.”
- “Cell phones differ in both a quantitative and a qualita- tive sense from other objects that might be kept on an arrestee’s person. The term “cell phone” is itself mislead- ing shorthand; many of these devices are in fact minicom- puters that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, librar- ies, diaries, albums, televisions, maps, or newspapers.”
- “The scope of the privacy interests at stake is further com- plicated by the fact that the data viewed on many modern cell phones may in fact be stored on a remote server. Thus, a search may extend well beyond papers and effects in the physical proximity of an ar- restee, a concern that the United States recognizes but cannot defini- tively foreclose.”
- “Our answer to the question of what police must do before searching a cellphone seized incident to an arrest is accordingly simple—get a warrant,”
Some Excellent Articles for further reading:
Note: In the picture above, the policeman is actually just using his own cellphone.
The city of Chicago is getting ready to deploy several monitoring stations on light poles along Michigan Avenue. In addition to collecting environmental information like sound volume, light intensity, and air quality, the devices will also count people by detecting wireless signals from passing mobile devices.
The system is designed to only count devices without capturing unique identifiers. While this may be true, it would certainly be easy to change in the future with only a tiny tweak to the software.
This set up looks similar to the tracking trashcans I discussed last year.
Capturing this kind of data is inevitable, and would be invisible if the city had not announced its intentions. The key will be to ensure appropriate protections for collected information, whoever does the collecting. It is refreshing that all of the data captured as part of this project will be published immediately. Assuming nothing is held back that will give a clear sense of exactly what kinds of information can be extrapolated from the raw data.i
Additionally architectural changes like the random MAC addresses in iOS 8 can significantly improve privacy in the face for such monitoring and tracking.