Amazon in court battle to refuse police access to the always on microphone in the home via its Echo device

29th December 2016

See article from theguardian.co
Amazon has refused to hand over recordings from an Echo smart speaker to US police investigating a murder in Arkansas. Police issued a warrant to Amazon to turn over recordings and other information associated with the device. Amazon twice
declined to provide the police with the information they requested from the device, although it did provide account information and purchase history. Although the Echo is known for having always-on microphones to enable its voice-controlled
features, the vast majority of the recordings it makes are not saved for longer than the few seconds it takes to determine if a pre-set wake word (usually Alexa) has been said. Only if that wake word has been heard does the device's full
complement of microphones come on and begin transmitting audio to Amazon. However, the police pursuit of the data suggests there is more of interest up for grabs than Amazon is admitting. Amazon's reluctance to part with user information
fits a familiar pattern. Tech companies often see law enforcement requests for data as invasive and damaging to an industry. It is clearly an issue for sales of a home microphone system if it is easy for the authorities to grab recordings. Other
devices have also been good data sources for police investigations. Wristwatch-style Fitbit activity trackers have cropped up in a few cases, e.g. for checking alibis against sleep patterns or activity. A smart water meter has also been used in a
murder case as evidence of a blood clean-up operation.

So who will be watching over your shoulder as you surf the internet?

26th November 2016

See article from dailymail.co.uk
The police, NHS and the tax man will now be able to hack into your phones and check your browsing history after the Snoopers' Charter was passed by Parliament last week. The bill, officially called the Investigatory Powers Bill, forces
electronic data to be stored by internet providers for 12 months, which can be subsequently collected by law enforcement. Now a blogger has created a list of all the people who will be able to request to view your internet history. And the
snoopers are...
- Metropolitan police force
- City of London police force
- Police forces maintained under section 2 of the Police Act 1996
- Police Service of Scotland
- Police Service of Northern Ireland
- British Transport Police
- Ministry of Defence Police
- Royal Navy Police
- Royal Military Police
- Royal Air Force Police
- Security Service
- Secret Intelligence Service
- GCHQ
- Ministry of Defence
- Department of Health
- Home Office
- Ministry of Justice
- National Crime Agency
- HM Revenue & Customs
- Department for Transport
- Department for Work and Pensions
- NHS trusts and foundation trusts in England that provide ambulance services
- Common Services Agency for the Scottish Health Service
- Competition and Markets Authority
- Criminal Cases Review Commission
- Department for Communities in Northern Ireland
- Department for the Economy in Northern Ireland
- Department of Justice in Northern Ireland
- Financial Conduct Authority
- Fire and rescue authorities under the Fire and Rescue Services Act 2004
- Food Standards Agency
- Food Standards Scotland
- Gambling Commission
- Gangmasters and Labour Abuse Authority
- Health and Safety Executive
- Independent Police Complaints Commissioner
- Information Commissioner
- NHS Business Services Authority
- Northern Ireland Ambulance Service Health and Social Care Trust
- Northern Ireland Fire and Rescue Service Board
- Northern Ireland Health and Social Care Regional Business Services Organisation
- Office of Communications
- Office of the Police Ombudsman for Northern Ireland
- Police Investigations and Review Commissioner
- Scottish Ambulance Service Board
- Scottish Criminal Cases Review Commission
- Serious Fraud Office
- Welsh Ambulance Services National Health Service Trust

The FBI is decreed additional powers to hack the devices of computer users hiding their location using Tor, VPNs or anonymisers

23rd November 2016

See article from theregister.co.uk
Unless someone makes a challenge in Congress, new enhanced snooping powers have been decreed for the US authorities. Extra spying powers are set to be granted by Congressional inaction over an update to Rule 41 of the Federal Rules of Criminal
Procedure. These changes will kick in on December 1. The rule tweak, which was cleared by the Supreme Court in April, will allow the FBI to apply for a warrant to a nearby US judge to hack any suspect that's using Tor, a VPN, or some other
anonymizing software to hide their whereabouts, in order to find the target's true location. Normally, if agents want to hack a PC, they have to ask a judge for a warrant in the jurisdiction where the machine is located. This is tricky if the
location is obscured by technology. With the changes to Rule 41 in place, investigators can get a warrant from any handy judge to deploy malware to find out where the suspect is based -- which could be anywhere in America or the world. The rule
change also allows the authorities to obtain just one warrant in cases that cross multiple jurisdictions.

23rd November 2016

The BBC makes a few suggestions for not falling prey to the Snooper's Charter. See article from bbc.com

Kryptowire reveals the snooping software being installed on Android phones that reports personal data back to China

20th November 2016

Based on article from advox.globalvoices.org by Oiwan Lam. See also More Androids carry phone-home firmware from theregister.co.uk
Kryptowire, a security firm, recently identified several models of Android mobile devices that have preinstalled permanent software that serves as
a backdoor, collecting sensitive personal data, including text messages, geolocations, contact lists and call logs, and transmitting it to a server in Shanghai, China. Without users' consent, the code can bypass Android's permission model. This could
allow anyone interested in a mobile user's data -- from government officials to malicious hackers -- to execute remote commands with system privileges and even reprogram the devices. The firmware was developed by Chinese company Shanghai ADUPS
Technology Company. ADUPS confirmed the report with a bollox statement claiming that it was somehow to do with identifying junk texts. Kryptowire's
research reveals that the collected information was protected with multiple layers of encryption and then transmitted over secure web protocols to a server located in Shanghai. The data transmission occurred every 72 hours for text messages and call log
information, and every 24 hours for other personally identifiable information. ADUPS also explained that the "accustomed" firmware was 'accidentally' built into 120,000 mobile products of one American phone manufacturer, BLU Products.
After BLU raised the issue, ADUPS explained that the software was not designed for American phones and deactivated the program on BLU phones. The news has been widely reported in foreign media as ADUPS is among the largest FOTA (firmware over the
air) providers in the world. The company provides a cloud platform for mobile device management to over 700 million active users in 200 countries, which is equivalent to 70% of the global market share as it works closely with the world's largest cheap
mobile phone manufacturers ZTE and Huawei, both of which are based in China. In 2015 alone, Huawei sold more than 100 million smartphones. Chinese netizens have not been surprised by the news. Reports about spyware preinstalled in Chinese mobile
brands have circulated for many years among mainland and overseas Chinese-speaking communities. In 2014, Hong Kong Android Magazine
reported that Xiaomi's smartphones designed for overseas markets were automatically connecting to an IP in Beijing and that all documents, SMS and phone logs, and video files downloaded were being transmitted to a Beijing server. In 2015,
Germany-based security company G-Data also found out that at least 26 Android mobile brands had preinstalled spyware in their smartphones. The three biggest Chinese smartphone manufacturers, Xiaomi, Huawei and Lenovo were all listed. China's newly passed Cybersecurity Law has provided
legal ground for the smartphone's backdoor operation. The law requires "critical information infrastructure operators" to store users' "personal information and other important business data" in China. In response to the
news, many Chinese netizens are pointing out that the abusive use of personal data and government surveillance has become the norm.

The Snooper's Charter has passed the Houses of Parliament

18th November 2016

See article from openrightsgroup.org. See article from services.parliament.uk
The Investigatory Powers Bill (IP Bill) has now been passed by both Houses of Parliament and is expected to become law within the next few weeks. Executive Director Jim Killock responded: The passing of the IP
Bill will have an impact that goes beyond the UK's shores. It is likely that other countries, including authoritarian regimes with poor human rights records, will use this law to justify their own intrusive surveillance powers. The IP Bill will put into statute the powers and capabilities revealed by Snowden as well as increasing surveillance by the police and other government departments. There will continue to be a lack of privacy protections for international data sharing arrangements with the US. Parliament has also failed to address the implications of the technical integration of GCHQ and the NSA.
While parliamentarians have failed to limit these powers, the Courts may succeed. A ruling by the Court of Justice of the European Union, expected next year, may mean that parts of the Bill are shown to be unlawful and need to be
amended. ORG and others will continue to fight this draconian law.
About the IP Bill
In the wake of the Snowden revelations, three separate inquiries called for new surveillance laws in the UK. It
was recognised that the Regulation of Investigatory Powers Act (RIPA) had failed to limit surveillance and allowed the creation of surveillance programmes without parliamentary debate or assent. In response, the Government published the draft IP Bill in
November 2015. The IP Bill is a vast piece of legislation that will extend, not limit, surveillance in the UK. It will mean that:
- Internet Service Providers could be obliged to store their customers' web browsing history for a year. The police and government departments will have unprecedented powers to access this data through a search engine that could be used for profiling.
- The security services will continue to have powers to collect communications data in bulk.
- The police and security services will have new hacking powers.
- The security services can access and analyse public and private databases, even though the majority of data will be held about people who are not suspected of any crimes.
For more information about the Bill and what it means, visit ORG's campaign hub.

16th November 2016

Big Brother Watch reports on 'classroom management software' used to snoop on pupils' internet use. See report [pdf] from bigbrotherwatch.org.uk

Investigatory Powers Bill passes in the House of Lords

2nd November 2016

See press release from openrightsgroup.org
The Investigatory Powers Bill is one step closer to becoming law after it was passed by the House of Lords yesterday. Open Rights Group's Executive Director, Jim Killock, responded: The UK is
one step closer to having one of the most extreme surveillance laws ever passed in a democracy. Despite attempts by the Lib Dems and Greens to restrain these draconian powers, the Bill is still a threat to the British public's
right to privacy.
The IP Bill is a comprehensive surveillance law that was drafted after three inquiries highlighted flaws in existing legislation. However, the new Bill fails to restrain mass surveillance by the
police and security services and even extends their powers. Once passed, Internet Service Providers could be obliged to store their customers' web browsing history for a year. The police and government departments will have unprecedented powers to access
this data through a search engine that could be used for profiling. The Bill will also allow the security services to continue to collect communications data in bulk and could see Internet security weakened by allowing mass hacking.
ORG's concerns are outlined here. The IP Bill
will now return to the House of Commons for a final vote.

30th October 2016

Turkey joins the US in revealing that ISPs have been using deep packet inspection for detailed snooping of customers' internet use. See article from dailydot.com

AT&T has been snooping on its customers and selling the data to the police without bothering with warrants or even restricting it to serious crime investigations

27th October 2016

Thanks to Sergio. See article from boingboing.net (CC)
AT&T developed a product for spying on all its customers and made millions selling it to warrantless cops. AT&T's secret Hemisphere product is a database of calls and call-records on all its customers, tracking their location, movements,
and interactions -- this data was then sold in secret to American police forces for investigating crimes big and small (even Medicare fraud), on the condition that they never reveal the program's existence. The gag order that came with the data
likely incentivized police officers to lie about their investigations at trial -- something we saw happen repeatedly in the case of Stingrays, whose use was also bound by secrecy demands from their manufacturers. Because the data was sold by AT&T and not
compelled by government, all of the Hemisphere surveillance was undertaken without a warrant or judicial review (indeed, it's likely judges were never told the true story of where the data being entered into evidence by the police really came from --
again, something that routinely happened before the existence of Stingray surveillance was revealed). The millions given to AT&T for its customers' data came from the federal government under the granting program that also allowed city and town
police forces to buy military equipment for civilian policing needs. Cities paid up to a million dollars a year for access to AT&T's customer records. A statement of work from 2014 shows how hush-hush AT&T wants to keep Hemisphere:
The Government agency agrees not to use the data as evidence in any judicial or administrative proceedings unless there is no other available and admissible probative evidence. But those charged with a crime are
entitled to know the evidence against them come trial. Adam Schwartz, staff attorney for activist group Electronic Frontier Foundation, said that means AT&T may leave investigators no choice but to construct a false investigative narrative to hide how
they use Hemisphere if they plan to prosecute anyone. EFF is suing the US government to reveal DoJ records on the use of Hemisphere data.

Government introduces an amendment to the snoopers' charter bill that frees ISPs from trying to track messages sent via websites

23rd October 2016

See article from linx.net. See amendment [pdf] from publications.parliament.uk
The UK government has introduced an amendment to the Investigatory Powers Bill currently going through Parliament, to ensure that data retention orders cannot require ISPs to collect and retain third party data. The Home Office had previously said
that they didn't need powers to force ISPs to collect third party data, but until now refused to provide guarantees in law. Third party data is defined as communications data (sender, receiver, date, time etc) for messages sent within a website as
opposed to messages sent by more direct methods such as email. It is obviously a bit tricky for ISPs to try and decode what is going on within websites as messaging data formats are generally proprietary, and in the general case, simply not decipherable
by ISPs. The Government will therefore snoop on messages sent, for example via Facebook, by demanding the communication details from Facebook themselves.

Germany passes a new law to legalise its mass internet snooping regime

23rd October 2016

See article from rt.com
The German Parliament has passed a bill granting the country's intelligence agencies wider powers. The bill, aimed at reforming Germany's spy agency, the Bundesnachrichtendienst (BND), was adopted by legislators on Friday. MPs from the ruling Christian
Democratic Union party (CDU), the Christian Social Union (CSU) and the Social Democrats (SPD) voted in favor, while the majority of opposition lawmakers voted against it. The latest bill comes in the wake of 2013 revelations by a former employee
of the US National Security Agency (NSA), Edward Snowden. The leaked documents revealed that the BND acted on behalf of the NSA while spying at home and abroad, spurring outrage among the German public and many local officials. The bill grants the
BND the right to monitor all the network data of all German telecommunication companies in the country. Prior to the new ruling, the spy agency was allowed to proceed with the notion only in 20 percent of the cases. Under the ruling, the collected data
will be stored for six months and can be shared with the foreign intelligence institutions. The bill allows sharing information for anti-terrorist purposes and aiding the foreign missions of the German Army (Bundeswehr). Data regarding the
security situation for German citizens abroad can be also shared with international spy agencies. The bill also creates a few fine sounding oversight mechanisms but as no such watchdog has ever revealed anything about a mass snooping capability
that has been in place for some time, then such commissioners or watchdogs, or whatever, can be safely considered a waste of space.

23rd October 2016

The Intercept investigates a US move to ask for people's social media addresses on visa waiver forms. See article from theintercept.com

Yahoo has been scanning emails of all users searching for phone numbers and email addresses

5th October 2016

See article from eff.org
In a bombshell published today, Reuters is reporting that, in 2015, Yahoo complied with an order it received from the U.S. government to
search all of its users' incoming emails, in real time. There's still much that we don't know at this point, but if the report is accurate, it represents a new--and dangerous--expansion of the government's mass surveillance
techniques. This isn't the first time the U.S. government has been caught conducting unconstitutional mass surveillance of Internet communications in real time. The NSA's Upstream surveillance program--the program at the heart of
our ongoing lawsuit Jewel v. NSA--bears some resemblance to the surveillance technique described in the Reuters report. In both cases, the government compels providers to scan
the contents of communications as they pass through the providers' networks, searching the full contents of the communications for targeted "selectors," such as email addresses, phone numbers, or malware "cybersignatures."
Mass surveillance of Yahoo's emails is unconstitutional for the same reasons that it's unconstitutional for the government to copy and search through vast amounts of communications passing through AT&T's network as part of
Upstream. The sweeping warrantless surveillance of millions of Yahoo users' communications described in the Reuters story flies in the face of the Fourth Amendment's prohibition against unreasonable searches. Surveillance like this is an example of
"general warrants" that the Fourth Amendment was directly intended to prevent. (Note that,
as we've explained before, it is irrelevant that Yahoo itself conducted the searches since it was
acting as an agent of the government.) While illegal mass surveillance is sadly familiar, the Yahoo surveillance program represents some deeply troubling new twists. First, this is the first public
indication that the government has compelled a U.S.-based email provider--as opposed to an Internet-backbone provider--to conduct surveillance against all its customers in real time. In attempting to justify its warrantless surveillance under Section 702
of the FISA Amendments Act--including Upstream and PRISM--the government has claimed that these programs only
"target" foreigners outside the U.S. and thus do not implicate American citizens' constitutional rights. Here, however, the government seems to have dispensed with that dubious facade by intentionally engaging in mass surveillance of purely
domestic communications involving millions of Yahoo users. Second, the story explains that Yahoo had to build new capabilities to comply with the government's demands, and that new code may have, itself, opened up new security
vulnerabilities for Yahoo and its users. We read about new data breaches and attempts to compromise the security of Internet-connected systems on a seemingly daily basis. Yet this story is another example of how the government continues to take actions
that have serious potential for collateral effects on everyday users. We hope this story sparks further questions. For starters: is Yahoo the only company to be compelled to engage in this sort of mass surveillance? What legal
authority does the government think can possibly justify such an invasion of privacy? The government needs to give us those answers.

No doubt the US government will demand to listen in to Google's new Home device so conveniently offering an always on microphone in the home.

5th October 2016

See article from bbc.com
Google has placed a virtual assistant at the heart of its first voice-activated speaker system. The Home speaker lets the artificial intelligence tool be controlled without use of a touchscreen via an always on microphone. It rivals Amazon's Echo. The
virtual assistant can hold a conversation, in which one question or command builds on the last, rather than dealing with each request in isolation. It draws on Google's Knowledge Graph database, which links together information about more than 70 billion
facts, and has been in use for four years. However, the US company will have to overcome privacy concerns and convince users that chatting to a virtual assistant has advantages over using individual apps. Users can, for example, ask what
films are playing at nearby cinemas, and then follow up the reply by saying: We want to bring the kids, to narrow down the selection. Brian Blau, from the consultancy Gartner, explained further: Having a
conversation - one where you ask a question and then follow-on questions - is a much more natural way to interact, and you would think that would offer a better user experience. But we haven't had that type of system offered at the mass market level
before, so it's hard to say how well it will actually do.
As well as getting answers to questions, the device can control internet-connected lights and other smart home products, play music and provide other services such as setting timers and
alarms, creating shopping lists and getting travel updates. The $129 device is launching in the US next month, and is due to come to the UK next year.