Privacy groups demand Google disclose details on geofence warrants

/in /by

By Alfred Ng – cnet.com | Tues. Dec. 8, 2020 |

Over the last three years, Google has received a surge in geofence warrant requests — a type of request that allows police to gather information on devices in a certain region. The company has also been complying with keyword warrants, which gives police information on anyone who’s looked up specific phrases on the search engine. But the public doesn’t know exactly how often this happens — and 60 civil rights and privacy advocacy groups want to change that.

In a letter sent to Google CEO Sundar Pichai on Tuesday, a coalition of 60 groups — including the Surveillance Technology Oversight Project, the Electronic Frontier Foundation, Fight for the Future and the Open Technology Institute — requested that the company start providing monthly data on how many geofence and keyword warrants it receives.

Google releases a transparency report every six months, detailing government requests for user information, but it doesn’t break down what types of requests they are. These requests can range from police asking for a specific suspect’s emails with probable cause to a dragnet request that turns innocent people into suspects.

A man riding his bicycle near the scene of a burglary in Florida suddenly found himself a potential suspect because he’d been caught up in a geofence warrant request in March 2019, and he only learned about it nine months later.

A federal judge ruled in Illinois that geofence warrants violate the Fourth Amendment, and it’s also being challenged in Virginia and could potentially be outlawed in New York.

warrant-geofence.png
A geofence warrant issued in 2019 looking for people within 150 meters of a bank robbery.

United States v. Chatrie

Since 2017, police have increased how often they send geofence warrant requests to Google, rising 75-fold in just two years. The only reason that data is available is because of Google’s amicus curiae brief in the Virginia court case.

“Currently, Google lumps these invasive court orders in with standard warrants, but geofence and keyword warrants pose a much more potent threat,” Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, said. “A single one of these orders can track every person at a protest, a house of worship, or a medical facility. With more transparency, we can amplify efforts to outlaw these sweeping search warrants.”

While other companies track location data and have also received geofence warrant requests, Google receives the lion’s share of these demands because of its location history feature and its Sensorvault database.

Google didn’t immediately respond to a request for comment.

At the Big Tech antitrust hearing in July, Rep. Kelly Armstrong, a Republican from North Dakota, questioned Pichai about geofence warrants, telling the Google CEO that people “would be terrified to know that law enforcement could grab general warrants and get everyone’s information everywhere.”

Pichai replied that Armstrong’s concerns are why Google issues transparency reports for Congress to have oversight, but didn’t disclose that its reports don’t specify how many requests it receives are geofence warrants.

Without that information, civil rights groups and privacy advocates said it’s difficult to push for any regulations or reform on geofence warrants.

“By providing this semiannual breakdown of requests, tracking the growth of these abusive tactics over time, you’ll provide us and other civil society organizations vital ammunition in the fight for privacy,” the letter said.

Read the original article at cnet.com HERE.

 

Supreme Court Hears Oral Argument in Its First Computer Fraud and Abuse Act (CFAA) Case

/in /by

By Jeffrey D. Neuburger – National Law Review | Tues. Dec. 1, 2020 |

On November 30, 2020, the Supreme Court held oral argument in its first case interpreting the “unauthorized access” provision of the Computer Fraud and Abuse Act (CFAA). The CFAA in part prohibits knowingly accessing a computer “without authorization” or “exceeding authorized access” to a computer and thereby obtaining information and causing a “loss” under the statute. The case concerns an appeal of an Eleventh Circuit decision affirming the conviction of a police officer for violating the CFAA for accessing a police license plate database he was authorized to use but used instead for non-law enforcement purposes. (See U.S. v. Van Buren, 940 F. 3d 1192 (11th Cir. 2019), pet. for cert. granted Van Buren v. U.S., No. 19-783 (Apr. 20, 2020)). The issue presented is: “Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.”

The defendant Van Buren argued that he is innocent because he accessed only databases that he was authorized to use, even though he did so for an inappropriate reason.  He contended that the CFAA was being interpreted too broadly and that such a precedent could subject individuals to criminal liability merely for violating corporate computer use policies. During oral argument, Van Buren’s counsel suggested that such a wide interpretation of the CFAA was turning the statute into a “sweeping Internet police mandate” and that the Court shouldn’t construe a statute “simply on the assumption the government will use it responsibly.”  In rebuttal, the Government countered that Van Buren’s misuse of access for personal gain was the type of “serious breaches of trust by insiders” that statutory language is designed to cover.

The CFAA does not define “authorization” (but courts have generally interpreted it to mean to access a computer with sanction or permission), but the Act defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” 18 U.S.C. § 1030(e)(6). As we explained in our last post on the emerging CFAA issue, in the criminal context circuit courts are split on how to interpret the “unauthorized access” or “exceeding unauthorized access” provisions with respect to accessing a database with an improper purpose or against posted policies.

Although it is a criminal case, the Supreme Court has the opportunity to clarify the meaning of “exceeds authorized access” under the CFAA and perhaps bring more legal certainty to “unauthorized access” claims advanced against entities engaged in unwanted data scraping.  Interestingly, during oral argument, there was an exchange between the the Deputy Solicitor General arguing on behalf of the Government and Chief Justice Roberts that touched on what “authorization” means with respect to public websites:

CHIEF JUSTICE ROBERTS: Mr. Feigin, is your friend correct that everyone who violates a website’s terms of service or a workplace computer use policy is violating the CFAA?

FEIGIN: Absolutely not, Your Honor. […] First of all, on the public website, that is not a system that requires authorization. It’s not one that uses required credentials that reflect some specific individualized consideration.

CHIEF JUSTICE ROBERTS: Okay. Then limit my — my question to any computer system where you have to, you know, log on.

FEIGIN: So, Your Honor, I don’t think all log –all systems that require you to log in would be authorization-based systems because what Congress was driving at here are inside –­

­CHIEF JUSTICE ROBERTS: All right. Well, then every — every system that has a password.

FEIGIN: No, Your Honor, and let me explain why. What Congress was aiming at here were people who were  specifically trusted, people akin to employees, the kind of person you — that had actually been specifically  considered and individually authorized.

While prognosticating on how the Court will rule based on the tone and substance of the oral argument is an inexact science, it appeared that that the Justices encountered some difficulty parsing the ambiguity in the statute surrounding “authorization.”  Indeed, as Justice Alito commented: “Well, I find this a very difficult case to decide based on the briefs that we’ve received,” even adding that “I don’t really understand the potential scope of this statute, without having an idea about exactly what all of those terms mean.”  Thus, we will simply have to wait until next year to see how the Supreme Court interprets “exceeding authorized access.”

Final Thoughts

When first enacted in 1984 the CFAA was originally directed at serious “hacking” activities into government networks, inspired by the pre-digital era movie War Games, where a teenager hacks into the U.S. military missile system NORAD and nearly starts a global thermonuclear war while playing a simulated game with the computer (“Shall we play a game?).  But, we live in a different world now and the CFAA has also changed. Over the past three decades, Congress has expanded the statute and added a civil right of action, and technology and the way we store and access data have become more advanced.  As a result, the language of the CFAA is susceptible to broader application and has been brought to bear in many contexts beyond traditional outside hacking scenarios. With the Van Buren case, the Supreme Court has the opportunity to rule on the contours of “unauthorized access” and thus bring some clarity beyond the criminal context. However, criminal convictions present different equities than civil cases, and it remains to be seen if the Court’s opinion will resolve questions surrounding civil liability that we’ve been seeing in many scraping disputes, including the ongoing hiQ dispute (which itself is before the Supreme Court on a petition for cert.).

Read the original article at TheRegister.com HERE.

 

U.S. Appeals Court OKs use of Third-Party App Data to Track Down Suspected Child Molester

/in /by

By Michael Moline | Thurs. 25 Nov 2020 |

Homeland Security agents did not violate an accused child molester’s Fourth Amendment rights by using information he provided to messaging-app companies to learn his identity and where he lived, a federal appeal court ruled Wednesday.

A three-judge panel of the U.S. Court of Appeals for the 11th Circuit ruled unanimously that a U.S. Supreme Court precedent heavily restricting use of cellphone tower-locating information to learn whether a suspect had been near a crime scene did not apply in this case.

That’s because the agents used the information from third-party apps only to learn the suspect’s email addresses and internet protocol addresses. Those, in turn, led the agents to the suspect’s parents’ home, where he was living.

“Neither kind of information is more than incidentally associated with cellphones. Many kinds of devices access wireless internet networks: computers, tablets, gaming consoles, household appliances, and more. And each of those devices has an internet protocol address,” Chief Judge William Pryor wrote.

“We cannot conclude that internet protocol addresses are cellphone records when they are a feature of every electronic device that connects to the internet. Some individuals may use cell phones to send and receive emails, but it strains credulity to say that use transforms email addresses into cellphone records.”

The court, which presides over appeals originating in Florida, Alabama, and Georgia, upheld the conviction and life sentence given to Port St. Lucie man, whose identity the Phoenix isn’t reporting because his victims allegedly included family members who are minors.

Also on the panel were judges Frank Hull and Stanley Marcus.

The court record shows that the man had been charged in 2012 with promoting a sexual performance by a child, possessing child pornography, and lewd behavior but was allowed to plead guilty to felony child neglect.

He was charged again in 2016 after his daughter reported that he was molesting her but the court let him retain custody and he continued the abuse and collected child pornography while awaiting prosecution, the records say.

The charges at issue in Wednesday’s ruling arose in 2017 after the parents of a 9-year-old North Carolina girl discovered that she was being groomed by someone via the SayHi messaging app. Agents who examined her phone found his picture and that that person also had an account on a similar app, Kik.

That’s a domestic company that provided the man’s email address and recently used internet protocol addresses.

Comcast subscriber records led the agents to the man’s parents’ house, where his driver’s license data indicated he lived. A judge issued a warrant, and a search revealed “years’ worth of videos of [him] sexually abusing his daughters, along with thousands of images and videos of child pornography [he] had downloaded from the internet, plus archived messages in which [he] shared child pornography with others and solicited nude images and videos from young girls,” Pryor wrote.

The man argued the search was improper under Carpenter v. United States, in which the Supreme Court suppressed evidence involving cell tower location data that placed a suspect in the vicinity of robberies in Detroit. Cell companies typically retain the data and are becoming increasingly sophisticated at using them to pinpoint the location of users.

The Fourth Amendment protects people against unreasonable searches and seizures, but there’s no expectation of privacy involving information voluntarily turned over to third parties. However, the justices ruled that customers do not voluntarily turn over their location information to their cellphone providers.

As the 11th Circuit panel noted, the high court concluded that “carrying a cell phone is ‘indispensable to participation in modern society,’ cellphones generate cell-site location information ‘without any affirmative act on the part of the user,’ and users have no way to stop data collection other than making the phone useless by disconnecting it from the network.”

But that wasn’t an issue in this case, Pryor wrote. The precedent “applies only to some cell site-location information, not to ordinary business records like email addresses and internet protocol addresses,” he added.

“[The man] affirmatively and voluntarily acted to download Kik onto his phone and to create an account on the app. He conveyed his internet protocol address and email address to a third party when he logged into Kik. And he did so voluntarily, affirmatively acting to open the app and log in, and without taking available steps to avoid disclosing his internet protocol address.”

Read the original article at TheRegister.com HERE.

New lawsuit: Why do Android phones mysteriously exchange 260MB a month with Google via cellular data when they’re not even in use?

/in /by

Ad giant sued after mobile allowances eaten by hidden transfers

By Thomas Claburn in San Francisco | Sat 14 Nov 2020 |

Google on Thursday was sued for allegedly stealing Android users’ cellular data allowances through unapproved, undisclosed transmissions to the web giant’s servers.

The lawsuit, Taylor et al v. Google [PDF], was filed in a US federal district court in San Jose on behalf of four plaintiffs based in Illinois, Iowa, and Wisconsin in the hope the case will be certified by a judge as a class action.

The complaint contends that Google is using Android users’ limited cellular data allowances without permission to transmit information about those individuals that’s unrelated to their use of Google services.

Data sent over Wi-Fi is not at issue, nor is data sent over a cellular connection in the absence of Wi-Fi when an Android user has chosen to use a network-connected application. What concerns the plaintiffs is data sent to Google’s servers that isn’t the result of deliberate interaction with a mobile device – we’re talking passive or background data transfers via cell network, here.

“Google designed and implemented its Android operating system and apps to extract and transmit large volumes of information between Plaintiffs’ cellular devices and Google using Plaintiffs’ cellular data allowances,” the complaint claims. “Google’s misappropriation of Plaintiffs’ cellular data allowances through passive transfers occurs in the background, does not result from Plaintiffs’ direct engagement with Google’s apps and properties on their devices, and happens without Plaintiffs’ consent.”

Android users have to accept four agreements to participate in the Google ecosystem: Terms of Service; the Privacy Policy; the Managed Google Play Agreement; and the Google Play Terms of Service. None of these, the court filing contends, disclose that Google spends users’ cellular data allowances for these background transfers.

To support the allegations, the plaintiff’s counsel tested a new Samsung Galaxy S7 phone running Android, with a signed-in Google Account and default setting, and found that when left idle, without a Wi-Fi connection, the phone “sent and received 8.88 MB/day of data, with 94 per cent of those communications occurring between Google and the device.”

The device, stationary, with all apps closed, transferred data to Google about 16 times an hour, or about 389 times in 24 hours. Assuming even half of that data is outgoing, Google would receive about 4.4MB per day or 130MB per month in this manner per device subject to the same test conditions.

Putting worries of what could be in that data to one side, based on an average price of $8 per GB of data in the US, that 130MB works out to about $1 lost to Google data gathering per month – if the device is disconnected from Wi-Fi the entire time and does all its passive transmission over a cellular connection.

An iPhone with Apple’s Safari browser open in the background transmits only about a tenth of that amount to Apple, according to the complaint.

Much of the transmitted data, it’s claimed, are log files that record network availability, open apps, and operating system metrics. Google could have delayed transmitting these files until a Wi-Fi connection was available, but chose instead to spend users’ cell data so it could gather data at all hours.

Vanderbilt University Professor Douglas C. Schmidt performed a similar study in 2018 – except that the Chrome browser was open – and found that Android devices made 900 passive transfers in 24 hours.

Under active use, Android devices transfer about 11.6MB of data to Google servers daily, or 350MB per month, it’s claimed, which is about half the amount transferred by an iPhone.

The complaint charges that Google conducts these undisclosed data transfers to further its advertising business, sending “tokens” that identify users for targeted advertising and preload ads that generate revenue even if they’re never displayed.

“Users often never view these pre-loaded ads, even though their cellular data was already consumed to download the ads from Google,” the legal filing claims. “And because these pre-loads can count as ad impressions, Google is paid for transmitting the ads.”

The Register asked Google to respond to the lawsuit’s allegations. It declined to comment.

We also asked Marc Goldberg, Chief Revenue Officer at ad analytics biz Method Media Intelligence whether preloaded ads ever get counted as billable events when not shown.

“Yes they could be,” Goldberg said in an email to The Register. “It is important for advertisers to understand their billable event. What are they paying for? Auction won? Ads Served? Ads rendered? These simple questions need to be asked and understood.”

The lawsuit seeks to recover the fair market value of the co-opted cellular data and the “reasonable value of the cellular data used by Google to extract and deliver information that benefited Google,” dating back years to whenever this practice began. ®

Read the original article at TheRegister.com HERE.

5G Network: 4 Hacks to Find Cell Tower Locations

/in /by

By Prince Kapoor | Oct 13, 2020 |

As you must have noticed, with the introduction of the 5G network there are a lot of new wireless networks being added to locations and service centers.

While it is completely your choice on what type of smartphone or wireless network you want to use, before making that choise an important factor to look at is the cell tower locations.

With a knowledge of cell tower locations, you can figure out what kind of network provider you should be using, along with whether 5G or 4G networks are available in your area or not.

But have you ever thought about how you can actually find out about cell tower locations?

If you said no, then this article will help you out. We’ll look at four amazing hacks to find cell tower locations. These hacks are pretty straightforward to use and find the information you want.

 

Why You May Need to Know Cell Tower Locations:

Among the reasons why knowing the location of cell towers is useful include:

You would be able to know about the kind of services you can expect from a service provider.

You can carry out a signal strength test and speed tests too with info about cell tower locations.

 

Hacks to Find Cell Tower Locations

Here is the list of hacks to find cell tower locations efficiently:

  1. Use a Cell Tower Location Map

The first option in the list of best hacks to find cell tower locations is using a cell tower locator map, which will let you know about nearby cell towers and signal strengths quickly.

 Many such applications are available in the market. For example, one of the top web-based cell tower location map applications is Profone Cell Tower Location.

 With an application/website like Profone, you will know about network locations and best possible signal results. You just need to visit the official website and search for your carrier name. By looking at your location, you would get useful network details and other results.

 

  1. Service Provider Nearest Cell Tower

 This hack is perhaps the easiest and most reliable method to know about network service providers cell tower locations, which is by directly visiting their nearest cell tower.

 Visit the service provider’s cell tower and ask whether there are other nearby cell tower locations. In so doing, you can learn about the signal strength and what kind of services you can expect from there.

 Although every network provider offers different services from their cell towers, some will provide you with a complete coverage type map for your cell tower locations along with the signal strength and other such details that can be very useful and insightful.

 

  1. Smartphone Applications

There are many smartphone apps that can gather information about network operators’ signal strength.

With such apps, you usually only need to add your location and the service provider’s name. Within seconds of doing so, you then get all the details related to cell tower locations nearby.

You can download these applications to your smartphone based on platforms, such as Android or iOS.

 

  1. Field Test Mode

In case you want to find out about the cell tower locations and signal strength for your smartphone, there are ways to get such details within your smartphone based on your device platform.

For iPhone devices, tap on the LTE services option and then move to Serving Cell Measure. There you will find information about cell tower location and signal strength.

For Android devices, visit Settings and then move to About Phone. From About Phone, go to Network or SIM Status settings. Under the signal strength option, you should find information about the nearby Cell tower locations and strength.

 

There you have it—four of the best and easiest hacks you can use to find details about cell tower locations in an area.

Pick any of these hacks and use them to easily and reliably find details about cell tower locations.

Read the original article at WebWriterSpotlight.com HERE.