All posts in “Privacy”

UK to give police new powers to ground drones


The UK government has announced it will introduce draft legislation in the spring aimed at preventing unsafe or criminal use of drones.

Last year it ran a public consultation that recommended addressing safety, security and privacy challenges around drone technology.

Among the measures planned for the forthcoming Drone Bill, plus secondary legislation amendments, are new powers for police to order an operator to ground a drone if it’s deemed necessary.

Police will also be able to seize drone parts to prove a drone has been used to commit a criminal offense, the government said yesterday.

It had already announced its intention to set out a registration plan for drones weighing 250 grams or more. Yesterday it reiterated that the incoming legislative changes will mean drone owners are required to register their devices.

They will also have to sit safety awareness tests, as well as being required to use certain apps — “so they can access the information needed to make sure any planned flight can be made safely and legally”.

In a statement, aviation minister Baroness Sugg said: “Drones have great potential and we want to do everything possible to harness the benefits of this technology as it develops. But if we are to realize the full potential of this incredibly exciting technology, we have to take steps to stop illegal use of these devices and address safety and privacy concerns.”

“Do not take this lightly — if you use a drone to invade people’s privacy or engage in disruptive behaviour, you could face serious criminal charges,” added assistant chief constable Serena Kennedy, the National Police Chiefs’ Council Lead for Criminal Misuse of Drones, in another supporting statement.

While the UK currently has a Drone Code intended to encourage drone operators to fly safely and responsibly, there have still been multiple reports of near misses between drones and aircraft — and the government clearly feels the code needs to be backed up by new laws and powers.

Yesterday it said it is considering whether to ban drones from flying near airports or above 400 feet — noting these measures could form part of the new regulations.

Safety research it published this summer found that drones weighing 400 grams or more can damage the windscreens of helicopters.

It added that it is also continuing to work “closely” with drone manufacturers to use geofencing technology to prevent drones from entering restricted zones — such as military sites.

Another problematic use of drone tech that has emerged is for smuggling contraband over prison walls. Although it’s not yet clear whether the government wants prisons to be included in the ‘no fly zones’ manufacturers bake into devices.

“These new laws strike a balance, to allow the vast majority of drone users to continue flying safely and responsibly, while also paving the way for drone technology to revolutionise businesses and public services,” added Sugg.

Also commenting in a statement, Tim Johnson, policy director at the Civil Aviation Authority, said: “Drones can bring economic and workplace safety benefits but to achieve those we need everyone flying a drone now to do so safely. We welcome plans to increase drone operator training, safety awareness and the creation of no-fly zones.”

At the same time as announcing the incoming draft drone regulations, the government revealed it’s funding a drone innovation project which launches today — inviting UK cities to get involved in R&D focused on using the tech to transform critical services, such as emergency health services and organ transport, essential infrastructure assessment and repair, and parcel delivery and logistics.

Up to five cities will be able to gain government support for carrying out some drone R&D as part of what it’s dubbed The Flying High Challenge.

The project is being run by Nesta in partnership with the Innovate UK government agency.

Android devices seen covertly sending location data to Google


An investigation by Quartz has revealed that Android devices send cell tower location data to Google even if the user has disabled location services for apps in their device settings.

Quartz also said it observed location data being sent even if devices had been reset to factory default settings. Android devices with a cellular data or a wi-fi connection were seen to send the data to Google each time they came within range of a new cell tower — including devices with no SIM cards installed (these offloaded the location data via wi-fi, where available).

It says there is currently no way for Android users to prevent their location data from being sent to ad targeting giant Google — short of removing SIMs from their devices and disabling wi-fi (or else leaving the devices inside a faraday cage).

After raising its findings with Google, Quartz reports that a company spokesperson told it the cell tower location data harvesting has been going on for the past 11 months, and that cell tower addresses were included in information sent to the system it uses to manage push notifications and messages on Android devices.

The spokesperson further claimed the location data was never used or stored. And Google added that it intends to end the practice by the end of November, having had the location tracking issue flagged to it by Quartz.

“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”

Whatever the reason Google was experimenting with harvesting Android users’ location info, it’s another troubling instance of the company slurping up sensitive user data without making people explicitly aware it’s doing so — let alone giving users controls to opt out of another major invasion of their privacy.

Back in October, for example, a number of Google Home Mini devices were shown to have malfunctioned and been persistently recording audio in the background in their owners’ homes, instead of only waking up when a specific trigger word was used.

After that snafu gained press attention, Google said it would remove the touch top function on the device — blaming that hardware for a malfunction that had triggered near continuous recording of users’ domestic goings on. As it’s now blaming engineering experimentation for Android covertly harvesting location data.

Location data is highly sensitive personal data from which much can be inferred about a person’s life and lifestyle, especially given the rule for mobile devices is to accompany the user wherever they go. And while cell tower location data isn’t necessarily hugely precise, triangulation of multiple cell towers can be used to calculate a more exact location.

So even if message speed and performance could be enhanced by the Android OS knowing a user’s cell tower location, Google should at least be asking people to opt in to that location-tracking enhancement and/or providing them with a way to opt out.

Google’s privacy policy does include the following section on “location information” (below) which states that users of “Google services” may have their location data collected, including cell tower data — though the linked examples Google uses refer to specific Google apps, like Google Maps, rather than to the Android OS itself; while the linked example on wi-fi access points and cell towers talks only in terms of location data being collected for users who have enabled Google’s Location Services (not persistently, because you are using the Android OS):

When you use Google services, we may collect and process information about your actual location. We use various technologies to determine location, including IP address, GPS, and other sensors that may, for example, provide Google with information on nearby devices, Wi-Fi access points and cell towers.

According to Quartz’s findings, the location tracking did not appear limited to particular Android phones or tablets. It says Google was apparently collecting cell tower data from all modern Android devices.

It further cites a source familiar with the matter specifying that the cell tower addresses were being sent to Google after an early 2017 change to the Firebase Cloud Messaging service that’s owned by Google and runs on Android phones by default.

While this is notable as an instance of Google itself, Android’s platform controller, apparently caught covertly tracking users’ location via the OS, this time last year a range of budget Android smartphones sold in the US were found to be secretly sending personal data to a third party company based in China — including information about users’ locations.

Albeit in that case the culprit was commercial firmware pre-installed on the devices, rather than the Android OS itself, as here.

Germany bans kids’ smartwatches that can be used for eavesdropping


A German regulator has banned domestic sales of children’s smartwatches that have a listening function — warning that parents have been using the devices to secretly eavesdrop on teachers at their kids’ school.

In an announcement on Friday, the Federal Network Agency telecoms watchdog said it had already taken action against some online sellers. The target group for the smartwatches is children between the ages of 5 and 12 years.

“Via an app, parents can use such children’s watches to listen unnoticed to the child’s environment and they are to be regarded as an unauthorized transmitting system,” said Jochen Homann, president of the Federal Network Agency in a statement. “According to our research, parents’ watches are also used to listen to teachers in the classroom.”

Back in February, the same federal agency banned sales of an Internet connected doll — called My Friend Cayla — in the country where it’s illegal to manufacture, sell or possess surveillance devices disguised as another object.

On Friday the agency warned there are a large number of providers in the German market that are offering smartwatches for children which contain a listening function, often referred to as a “baby monitor” or “monitor function” in the companion app.

The app owner is able to silently call the device via such functions and listen unnoticed to the conversations of the watch wearer and others in their vicinity — an act of covert surveillance that is illegal in Germany.

The agency has instructed parents to destroy any devices they have bought, and asked schools to be on the look out for smartwatches being used by children — and to request destruction of listening devices they identify.

The Federal Network Agency is not the only European body concerned about risks posed by children’s connected toys, nor specifically by kids’ smartwatches. Last month the Norwegian Consumer Council put out a report about children’s smartwatches, raising concerns about security flaws, privacy concerns, and risks posed by what they described as unreliable features.

While this month a UK consumer rights group also raised concerns about poorly secured IoT toys which it said could enable strangers to talk to children. The group also called for devices with known security flaws to be banned from sale.

The latest ban may increase pressure for the European Commission to consider whether European Union-wide regulation is needed for Internet connected toys. Back in February, the commissioner for justice, consumers and gender equality expressed concern, telling the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

Authorities serve Apple a warrant for Texas shooter’s iPhone


Two weeks ago today, 26 people were killed by a gunman at First Baptist Church in Sutherland Springs, Texas. Two phones were discovered at the scene: an older push-button LG and what local news described as a “blood spattered” Apple iPhone SE. Now local law enforcement has served Apple with a search warrant in order to retrieve information from the smartphone.

The news has echoes of a recent spat between Apple and the FBI over a mass shooting in San Bernardino, California, in late 2015. Apple appears to have been proactive this time around. The Tuesday following the murders, the FBI held a press conference noting the existence of one of two phones, without revealing the make, as it didn’t want to “tell every bad guy out there what phone to buy.”

Shortly after The Washington Post reported that the mystery handset was indeed an iPhone, Apple reached out to law enforcement, offering technical assistance in getting onto the device. The company, it seems, could have provided help early on, without much legal wrangling or more controversial software backdoors.

For one thing, as morbid as it may be, TouchID (unlike FaceID, apparently) can be used to unlock a phone even after the owner of a fingerprint has died. Although a warrant dated November 9 (two days after the press conference) has been issued, an Apple spokesperson has since confirmed to TechCrunch that, as of this writing, law enforcement has yet to contact the company for technical assistance in helping unlock the device.

The offer is likely still on the table, if law enforcement is willing to accept. Apple no doubt would like to be in a position of assisting in uncovering a potential motive or other useful information without having to employ the encryption-breaking tactics that were asked of the company in the wake of San Bernardino. After that event, Tim Cook issued an open letter, stating,

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

In that case, the FBI ultimately withdrew its court order, after discovering an alternative method for unlocking the device. Given the assistance Apple could potentially offer up, having to create an exploitable backdoor could perhaps be avoided once again.

Super creepy Thanksgiving study comes with extra helping of smartphone surveillance

It’s that time of the year again when Americans come together with friends and relatives to share a hearty meal and not think about the world falling apart around them. Or, alternatively, to argue about the different politicians responsible for the crumbling state of our society and planet.

What Thanksgiving revelers might not realize, however, is that the precise geographic details of their communal experience are being recorded, analyzed, and monetized by a combination of smartphone apps and a little known San Francisco-based company by the name of SafeGraph.

And it’s super creepy. 

The study, which aimed to quantify just how much “politically divided families shortened Thanksgiving dinners” (reportedly 20 to 30 minutes last year, for what it’s worth), is an interesting if somewhat bemusing snapshot of a divided America. But that’s not what we’re here to talk about. Rather, it’s how the study authors went about coming to their eventual conclusion that deserves further consideration. 

In order to figure out if Americans were cutting their Turkey Day meals short, researchers first needed to determine just how long individuals spent at holiday dinners both in 2015 and 2016 (you know, for comparison purposes). To do this, they hooked up with SafeGraph — a company that bills itself as “unlocking the world’s most powerful data so that machines and humans can answer society’s toughest questions” (like the length of Turkey dinners, for example). 

It’s the next part that will freak you out. Figuring out meal durations comes down to knowing if a person ate at home or a family member’s spot, and how long that person stayed at Uncle Billy’s before getting fed up with his bullshit and bouncing out. To pull that off, study authors M. Keith Chen and Ryne Rohla needed a lot of location data. Enter SafeGraph. 

“The [location tracking] data consist of ‘pings’, each of which identify the location (latitude and longitude) of a particular smartphone at a moment in time,” explains the study. “Safegraph tracks the location of more than 10 million Americans’ smartphones, and our core analysis focusses on the more than 17 trillion pings SafeGraph collected in the continental United States in November of 2016.”

OK, there’s a lot to unpack here, so let’s take this one step at a time. First, researchers were able to obtain the latitude and longitude of potentially millions of Americans’ smartphones via their San Francisco-based friends. Second, there were more than 17 trillion so-called pings made available to them from last November alone. That means this data is being recorded near constantly. 

But wait, it gets weirder. Just how, exactly, did SafeGraph get its hands on all this data? A look at the company’s privacy policy provides some insight. 

“We obtain information from trusted third-party data partners such as mobile application developers, through APIs and other delivery methods,” the company notes. “The data collection and use is governed by the privacy policy and legal terms of the data collector and the website using the data; it is not governed by SafeGraph. The information we collect includes data regarding a device’s precise geographic location, as well as other mobile identifiers such as Apple IDFAs and Google Android IDs, and other information about users and their devices.”

In other words, SafeGraph obtains your precise location via the apps on your smartphone. And, with 17 trillion pings from November 2016 alone, the company has a lot of data to work with. So much so, in fact, that researchers can use it to determine how long your Thanksgiving dinner was and whether or not it was at your place or someone else’s. 

Imagine what other factoids about your daily habits could be gleaned from the same precise location data. 

And just what specific apps is SafeGraph getting this info from? We reached out to the company in an attempt to find out, and will update this when and if we hear back. 

In the meantime, however, this should serve as a stark reminder that you frequently don’t control what smartphone apps do with your data — or who they sell it to — and that if you want to keep the details of your contentious Thanksgiving dinner to yourself, well, maybe consider turning off location services on your cellphone.
