Tag Archive for: access

Some 2000 Facebook staff had access to millions of Facebook users’ passwords… stored in plaintext

Stretching back as far as 2012, Facebook has been storing the passwords of hundreds of millions of users unencrypted, in plaintext.

And those passwords were searchable by Facebook staff…

Graham Cluley

ICE Has Access To ALPR Databases, Bypasses Internal Restrictions By Outsourcing Searches To Local Cops

ICE has been wanting full access to the billions of license plate records stored in ALPR databases for years. The DHS first floated the idea more than five years ago. It was reined in briefly in response to public backlash and Congressional criticism, but the idea of a national ALPR database was never truly killed off.

ICE was the agency sending out quote requests for national database access. A few minimal protections were put in place, but all that was holding ICE back was logistics. The contract was finalized at the beginning of last year, hooking ICE up with ALPR records gathered by the hundreds of plate readers operated by local law enforcement agencies. Now, all that third-party work is paying off.

More than 80 law enforcement agencies in the US have agreed to share with US Immigration and Customs Enforcement (Ice) license plate information that supports its arrests and deportation efforts, according to the American Civil Liberties Union (ACLU), which obtained a trove of internal agency records.

The documents acquired by the ACLU show that Ice obtained access to a database with license plate information collected in dozens of counties across the United States – data that helped the agency to track people’s locations in real time. Emails revealed that police have also informally given driver information to immigration officers requesting those details in communications that the ACLU said appeared to violate local laws and Ice’s own privacy rules.

When the agency takes the formal, contracted path to ALPR data, it’s running through two third parties: Vigilant, the leading manufacturer of plate readers, and Thomson Reuters, a multimedia conglomerate that has added data brokering to its portfolio of journalistic endeavors.

The original proposal limited ICE’s access to the 50 biggest metropolitan areas. That’s a lot of ground already, but the agreement allows local law enforcement in other areas to give ICE permission to browse their end of the Vigilant database. Not that it ultimately matters. Vigilant doesn’t seem to worry too much about siloing off data. Most law enforcement agencies are sharing data with lots of other agencies already, so intermingling is an inevitability.

It also appears there’s no expiration date on a lot of the data ICE is accessing. According to the documents, over 9,000 ICE agents have access to years of plate/location data, allowing them to reconstruct people’s movements over a long period of time.

Whatever restrictions exist on ICE’s access to Vigilant databases are easily avoided.

Emails showed that a police detective in Orange county, California, repeatedly conducted database searches in response to requests from an Ice specialist in criminal investigations. The two appear to have worked together frequently over several years, with the Ice employee providing details of the immigration investigations (such as information from a target’s Facebook page) and the local detective responding with license plate information.

“I am here for ya. :),” the detective wrote in one email to Ice, which included a report. In another exchange, after the Ice officer said “hate to ask” for more reports, the detective responded: “Come on, you don’t really hate to ask.. :).”

As the ACLU points out, these informal requests allow ICE to bypass the internal processes that are supposed to ensure access to this wealth of plate/location data is justified. The communications contained in these documents show ICE repeatedly ignoring these requirements.

At this point, everything will have to be fixed in post. Cops have been utilizing plate readers for years and Vigilant has been storing the billions of plate records generated every year for just as long. The DHS never needed to build a national license plate/location database. One was being built while it put on its little charade about respecting rights and citizens’ freedom to move around the country without being surveilled.

The ACLU is demanding legislators enact more privacy protections for this data and engage in some actual oversight, but that ship has been sailing for years. ICE’s access was an inevitability. It enacted privacy protections just so it could ignore them by asking local law enforcement to perform database searches. And it was all sold to the public with assurances ALPR tech would hunt down car thieves, kidnappers, and violent criminals. In reality, it’s being used to track people who’ve overstayed their visas.

Techdirt.

Know When Malware Tries to Access Your Mac’s Camera or Mic With This App

Without even mentioning targeted hacks, malware will often spy on computer … Oversight is a piece of software for Mac that monitors your Mac’s mic and webcam and then lets …

Mozilla Says Australia’s Compelled Access Law Could Turn Staff There Into ‘Insider Threats’

Despite unanimous warnings from experts that it was a really bad idea, the Australian government went ahead and passed its law enabling compelled access to encrypted devices and communications. Apparently, the powers have already been used. Because of the way the Australian government rammed the legislation through without proper scrutiny, the country’s Parliamentary Joint Committee on Intelligence and Security has commenced a review of the new law. That’s the good news. The bad news is that Andrew Hastie, the Chair of the Committee, still thinks fairy tales are true:

I note with the House the concerns raised by some stakeholders in the tech sector about these laws, including in today’s press. I welcome the ongoing contribution from these stakeholders as the committee continues its review. I note, however, that the legislation as passed prohibits the creation of so-called back doors. Companies cannot be required to create systemic weaknesses in their encrypted products or be required to build a decryption capability.

Sure, whatever, Andrew. One of the stakeholders that has made a submission to the Committee is Mozilla, which is worried by one aspect in particular (pdf):

Due to ambiguous language in [the compelled access law], one could interpret the law to allow Australian authorities to target employees of a Designated Communications Provider (DCP) rather than serving an order on the DCP itself through its General Counsel or an otherwise designated official for process. It is easy to imagine how Australian authorities could abuse their powers and the penalties of this law to coerce an employee of a DCP to compromise the security of the systems and products they develop or maintain.

As Tim Cushing explained in his December post when the compelled access law was approved, that would put employees in an impossible position. They would be forced by the authorities to put backdoors of some kind in a product, but it had to be accomplished in secret. Moreover, they risked five years in prison if any of their colleagues noticed, which they probably would, since unauthorized changes to code would naturally be spotted and challenged. Because of that ridiculous situation, Mozilla warns it would have to take drastic action:

this potential would force DCP’s [like Mozilla] to treat Australia-based employees as potential insider threats, introducing another vector for compromise that could undermine trust in critical products and incentivizing companies to move critical roles to other localities.

What’s true for Mozilla is true for every foreign software company: in order to protect the integrity of their code, they would be forced to regard every Australian coder as a security risk and downgrade their access to the code accordingly. The difficulties of managing that kind of situation will probably force software companies to pull out of Australia completely. It will also have a big impact on the trustworthiness of any code produced in the country. In fact, that’s already a problem, as another submission to the Parliamentary Joint Committee makes clear. It comes from one of the leading Australian software companies, FastMail, which provides hosted email services to 40,000 companies around the world. It says that “we have seen existing customers leave, and potential customers go elsewhere, citing this bill as the reason for their choice.” Like Mozilla, FastMail is worried about the impossible position of employees (pdf), who may be coerced by the Australian authorities into weakening the company’s code:

Our staff have expressed concerns that they may be forced to attempt to secretly add back doors or security holes in our service — actions that would be just cause for dismissal — and be unable to tell us why they have made these changes.

This is not just a matter of looking after our own staff’s mental health, it also makes it harder for Australians looking to work for overseas companies if there is any risk that they will be compelled to act against their employer’s interests.

The comments of these two organizations show clearly the practical problems of this ill-thought-out legislation. They also confirm that bringing in this kind of law is one of the quickest ways to undermine the local software industry, and increase dependence on foreign companies that are less likely to comply with demands to insert backdoors in their code. If the Australian government cares about those consequences, or indeed about the online safety of its citizens, it would do well to heed the words that conclude Mozilla’s submission to the review:

This law represents an unprecedented and unchecked threat to the privacy and security of users in Australia and abroad. We urge the Committee and the Australian Parliament to move swiftly to remedy the significant harms posed by this legislation. Ultimately, the best course of action is to repeal this law and start afresh with a proper, public consultation.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Techdirt.