Thanks to David Brin for linking to this article in reason.com about the debate over arresting people for recording active duty police officers. In general the specific law being broken is about making audio recordings without the concent of all parties.

As a privacy advocate, I find this situation puts me in an uncomfortable situation. On the one hand there is concern about the privacy interests of the police officers. On the other hand, this is one of the only ways of demonstrating police abuse or other bad actions. It also acts to balance the playing field where the police are already routinely recording most interactions through the use of dashboard cameras.

The origin of the term surveilance is the latin from sur- “over” + veiller “to watch,”. It implies that surveillance is about being watched by those in power (above).

Sousveillance is a term that has been coined recently to describe participant recording, or recording from “below”. That feels like a very different thing that should be fine as long as it is not hidden. Especially in circumstances where there is not a clear expectation of privacy.

I guess my solution to the conundrum would be to state that there should be no expectation of privacy on the part of authorities from recording when they are exercising those authorities. The citizens being interacted with would have a possible privacy expectation with respect to recording third parties however.

I am very interested in feedback and other thoughts on this one.

There has been a lot of media coverage of the threats of Saudi Arabia and the UAE to shut down BlackBerry connectivity in their countries unless RIM (the maker of BlackBerry) introduces a back door so they can monitor communications.

I have been following this story closely, but wanted to wait until I had all the facts before blogging about it. At this point I don’t think I am going to get the whole story. The statements I am seeing are absolutely contradictory and the whole thing is getting really fishy.

UAE/SA say that they need to be able to access BlackBerry communications, but they can’t.

RIM says that their technology makes interception impossible because the communications are encrypted end to end between the BES server (located at the users place of business) and the handset. RIM claims not to have access to the decryption keys.

Third parties claim that RIM has arrangements with other countries (including the US and Russia) which allows such access.

RIM responds that this is false and that they don’t have this ability.

It looks like RIM and UAE/SA will come to an agreement while both continue to claim that they have not compromised their positions.

The moral of this story is that you should not trust security you can not fully analyze yourself. Anonymizer Universal uses strongly encrypted L2TP VPN technology to secure your information so even if your telecommunications provider is cooperating with surveillance they still can’t read the contents of your messages.

Unfortunately Anonymizer Universal does not support BlackBerry yet, but iPhone, Windows, and Mac users are protected.

Privacy Digest reports on a new White House proposal to extend the powers of FBI “national security letters” to include gathering of “electronic communication transactional records”. While this may appear to be a small change, the potential impact is huge.

These records include all the header information from emails: To:, From:, Time, and often Subject:.

It may also include a list of the full URLs that you visit.

While it does not include the contents of the messages, this level of detail is often more than enough to discover social networks, relationships, intentions, plans, political affiliations, and more.

The real problem is that there are no checks and balances on national security letters. They are issued by FBI offices on their own authority without review by a judge. Historically, self restraint in the face of this kind of power has never worked well. While judges approve the vast majority of subpoenas and search warrants in a timely manor, they can reject egregious cases and the mere fact of their review causes law enforcement to be more restrained in their use.

From the Privacy Digest article:

The use of the national security letters to obtain personal data on Americans has prompted concern. The Justice Department issued 192,500 national security letters from 2003 to 2006, according to a 2008 inspector general report, which did not indicate how many were demands for Internet records. A 2007 IG report found numerous possible violations of FBI regulations, including the issuance of NSLs without having an approved investigation to justify the request. In two cases, the report found, agents used NSLs to request content information “not permitted by the [surveillance] statute.”

The European Parliament appears to be trying to create a regulation to require search engine companies to retain total information about their user’s searches for a period of years. If you are in the EU area, I strongly encourage you to reach out to fight this.

Declaration29: “A group of members of European Parliament is collecting signatures for a Written Declaration that reads: ‘The European Parliament [...] Asks the Council and the Commission to implement Directive 2006/24/EC and extend it to search engines in order to tackle online child pornography and sex offending rapidly and effectively’.

The Data Retention Directive 2006/24/EC requires that details on every telephone call, text message, e-mail and Internet connection be recorded for months, for the entire population, in the absence of any suspicion. As to what is wrong with data retention please refer to DRletter. The Written Declaration even wants to extend data retention to search engines, meaning that your search terms could be tracked for months back.

The proposed declaration has been signed by 371 MEPs (list of names here) – and thus reached the 368 members needed to pass it. Many MEPs signed because of the title of the document (‘setting up a European early warning system (EWS) for paedophiles and sex offenders’), not knowing that they are endorsing blanket data retention as well. More than 30 MEPs decided to withdraw their signature, one even on the day of adoption.”

Cnet (among others) reports on Google’s interception of personal information from open WiFi nodes, including passwords and e-mail.

Clearly it was poor practice for Google to be capturing and recording such information as they drove around, but the real news should be that the information was there to be captured. The intent of the monitoring of WiFi seems to be collecting the locations of WiFi base stations to improve enhanced GPS location services. This works by having your device upload a list of all the WiFi base stations it can see (along with signal strength) which the service then looks up in a database to determine your location. This requires the service to have a database of the physical location of an enormous number of WiFi base stations.

To do this, all Google would have needed to capture was the hardware address of each device. Instead they captured some of the actual data being sent back and forth as well.

It turns out that this is incredibly easy. With many of the WiFi chipsets built in to personal computers, laptops and USB adapters, one can easily download free software that will start intercepting open WiFi traffic with a single click.

The shocking news should not be that Google accidentally got this information but that anyone with bad intent could do it to you. Anonymizer will soon be releasing a video we did a few weeks back showing how someone could take control of your Facebook account using an open WiFi and almost no technical expertise at all.

If the connection between you and a website, email server, or other service is un-encrypted, then anyone near you can intercept it if you are using an open WiFi.

To be clear, open WiFi means that the underlying connection is un-encrypted. Many public WiFi sites have a login page. This is to manage usage, and provides no security to you at all.

If you get a connection before you type in a password, especially if you see a web page before you type a password, then you should assume you are on an insecure connection and therefor vulnerable.