Tag Archive for: Collection

Google misled Android users about location data collection – Security


Google misrepresented to consumers what privacy settings do in its Android mobile operating system, the Federal Court has found in a world-first case brought by the Australian Competition and Consumer Commission.

ACCC was able to show that unlike what Google claimed, turning off the Location History setting in Android did not stop the collection, storage and use of consumers’ personally identifiable location data.

Another Android setting, Web & App Activity, that was turned on by default, meant that people’s location data was collected, which was misleading for customers.

“Between January 2017 and December 2018, consumers were led to believe that ‘Location History’ was the only account setting that affected the collection of their personal location data, when that was simply not true,” ACCC chair Rod Sims said.

“Companies that collect information must explain their settings clearly and transparently so consumers are not misled. Consumers should not be kept in the dark when it comes to the collection of their personal location data,” he added.

Furthermore, users who tried to opt out of Location History collection were not told between 9 March 2017 and 29 November 2018 that leaving Web & App Activity on meant Google would continue to harvest location data on Android devices. 

Location data is used by Google for several services like its Maps app, but also for targetted advertising.

Data already collected can be deleted through users Google accounts.

ACCC began proceedings against Google in October 2019.

The watchdog is now seeking yet to be determined monetary penalties for Google, along with an order requiring the global tech giant to publish a notice that better explains the location data settings.

Source…

Iranian Hackers Targeted International Conference Attendees for Intelligence Collection


Microsoft says Iranian hackers targeted high profile international conference attendees for intelligence collection purposes. The company reported that the Iranian advanced persistent threat (APT) group impersonated conference organizers and sent fake invitations using spoofed emails.

Microsoft has tracked the threat actor since 2013, accusing it of targeting journalists, political dissidents, activists, defense industry workers, prominent Iranians living abroad, and others in the Middle East.

The group has also targeted politicians, including U.S. presidential hopefuls. Microsoft reported that several high-ranking officials’ accounts were compromised.

Iranian hackers on intelligence collection mission

The hacking attempts implicated Iranian hackers identified as Phosphorus, APT35, or Charming Kitten.  Microsoft’s security chief, Tom Burt, confirmed that “Phosphorus is engaging in these attacks for intelligence collection purposes.”

The hackers targeted over 100 high profile individuals expected to attend the Munich Security Conference and Think 20 Summit in Germany and Saudi Arabia.

Attendees of the Munich Security Conference details include Canadian Prime Minister Justin Trudeau, French President Emmanuel Macron, the U.S. Secretary of State Mike Pompeo, and Speaker Nancy Pelosi (D-Calif.). It’s unclear whether the Iranian hackers targeted any of these individuals.

Microsoft disclosed that the attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their home countries. However, the company did not disclose the nationalities of the affected individuals during the intelligence collection campaign.

Phosphorus also attempted to dupe former government officials, policy experts, and academics in its intelligence collection efforts.

Microsoft noted that the Iranian hackers crafted the emails “in perfect English” to dupe the high-profile individuals.

The hackers provided details such as the available remote sessions and travel logistics. The attackers would then trick the victims into entering their login details into a fake login…

Source…

Oversight Report Says DEA Ran Multiple Bulk Data Collection Programs With Zero Legal Clearance

The NSA isn’t the only collector of bulk phone records. The NSA may not even be doing this anymore, but for a long time, it was not only the NSA’s bread-and-butter, but the DEA’s as well.

The DEA has run multiple bulk records collections for more than 20 years, given the green light by our current Attorney General, William Barr, who also ran the DOJ back in 1992. These not only targeted calls placed to “drug nexus” countries, but purchase records as well. “Nexus” is a slippery word — one the NSA takes advantage of as well. US law enforcement considers almost anywhere in or out of the country to be a “drug nexus,” which gives it the suspicion it needs to pull over drivers on interstate highways or rifle through their belongings at airports looking for drugs cash.

Using this flimsy connective tissue and a bunch of subpoenas, the DEA approached private companies and demanded vast amounts of third party records. Some of these details were exposed when the DEA’s “Hemisphere” documents were published. Six years after Ed Snowden let the world know the NSA was collecting phone records in bulk, the Inspector General of the DOJ has finally released a report [PDF] on the DEA’s bulk collections.

According to the IG report, the DEA ran three bulk collection programs. Program A collected bulk telephone records on calls from the US to “drug nexus” countries. These were obtained with “non-target-specific” subpoenas directly from the service provider. Like the NSA, the DEA wanted metadata about these calls, like date, time, and duration.

Program B did pretty much the same thing: non-targeted subpoenas were handed to “selected vendors” to gather data on purchases, which were then cross-referenced with the DEA’s bulk records database to (finally!) identify targets to investigate. (What purchases? According to Charlie Savage of the New York Times, the DEA is tracking purchases of money counting machines. This is probably information the DEA didn’t want the public to have, but a redaction failure caught by Savage exposed the intent of this collection program.)

That instruction, it said, “was intended to protect the program’s sources and methods; criminals would obtain money counters by other means if they knew that the D.E.A. collected this data.”

Program C resembled the modified Section 215 program — the one that appears to never have gotten off the ground following the USA Freedom Act reforms. Non-targeted subpoenas were handed to telcos, which then searched their own databases to find connections that might be of interest to the DEA, handing it only the results of these restricted searches, rather than dumping everything into the DEA’s data stores.

There’s a similar thread holding all of these programs together: they weren’t strictly legal.

Our review found that the DEA (and the Department with respect to Program A, Collection 1) failed to conduct a comprehensive legal analysis of the DEA’s use of its administrative subpoena authority to collect or exploit bulk data before initiating or participating in any of the three programs. We found this failure troubling with respect to Program A, Collection 1 and Program B because these programs involved a uniquely expansive use of Section 876(a) authority to collect data in bulk without making a prior finding that the records were, in the language of that statutory provision enabling DEA’s subpoena authority, “relevant or material” to any specific defined investigation.

Several published court decisions have clearly suggested potential challenges to the validity of the DEA’s use of its statutory subpoena power in this expansive, non-targeted manner. We also found the absence of a robust legal review troubling because the DEA utilized the bulk data collected by means of Program A, Collection 1 and Program B subpoenas on an unknown number of occasions in support of investigations by non-DEA federal agencies that had no apparent connection to specific drug investigations. This utilization raised significant legal questions because the DEA had amassed the Program A, Collection 1 and Program B bulk data collections under its statutory authority, in 21 U.S.C. § 876(a), to require the production of data that was “relevant or material” to a drug investigation.

We found that Program C raised different kinds of challenging legal issues that the DEA also failed to fully assess. We found that the DEA failed to formalize a complete and adequate legal assessment regarding its use of Program C to obtain reports and other advanced analytical information to ensure such use was lawful and appropriate under its administrative subpoena authority, 21 U.S.C. § 876(a), and the Electronic Communications Privacy Act, 18 U.S.C. § 2703(c)(2).

These legal problems were compounded by the DEA’s careless approach to the few legal boundaries it chose to respect. The DEA used untargeted subpoenas that failed to show the records had relevance to active drug investigations. What little there was in place to vet subpoenas prior to issuance consisted of a pull-down menu that only listed kinds of sources (confidential informant, other ongoing investigation, etc.). Nothing specified exactly why the records requested were being sought. The DEA’s sole backstop for auditing its subpoenas was nothing more than confirming the pulldown menu of vague sources had actually been used when filling in the boilerplate. The DEA allowed agents to shrug their way into hundreds or thousands of records at a time using nothing more than this:

In practice, the DEA typically did not require more “particularization” than a single conclusory sentence, and did not explicitly require the documentation or certification that the request was relevant to a drug investigation…

Then there’s the DEA’s massive data retention problem. However indiscriminate the collection process was, the retention/deletion “process” was even worse.

We also found that the DEA failed to establish any policies on storage or retention of the Program B bulk data at any time before or during the operation of that program. Although Program B is no longer active, the DEA has failed to develop a final disposition plan regarding tens of thousands of records of purchases that reside on DEA servers.

The IG has a few problems with the DEA’s parallel construction, but it doesn’t really have a problem with parallel construction itself. It doesn’t consider hiding the origin of evidence “inappropriate,” but it does draw the line at hiding this from everyone involved in a prosecution.

[P]arallel construction should not be used to prevent prosecutors from fully assessing their discovery and disclosure obligations in criminal cases.

However, most the DOJ IG’s sympathies fall on the side of the prosecution, which should surprise no one.

While the DEA has denied misusing parallel construction in this manner, we found some troubling statements in the DEA’s training materials and other documents, including that Program A investigative products cannot be shared with prosecutors. Such statements appear to be in tension with Department policy on a federal prosecutor’s “duty to search” for discoverable information from all members of the “prosecution team,” which typically includes federal law enforcement officers who participated in the investigation of the defendant.

This doesn’t leave much consideration for defendants, who are forced to fight blind when challenging evidence used against them.

There are recommendations, but they’re not of much use since two of three programs are pretty much dead. The bulk collection of purchase data (Program B) was killed in 2014, following the Snowden leaks. Program C operates pretty much like the modified Section 215 collection — with telcos searching and storing records, rather than dumping them into the DEA’s databases. Program A was also modified shortly after the Snowden leaks began, with a heavier emphasis on ensuring subpoenas were linked to ongoing drug investigations.

It will probably be several years before we see a follow-up report on the DEA’s bulk collections. As the IG notes, the DEA did everything it could to stonewall this investigation.

For a substantial period after we initiated this review, the DEA took many actions that hindered the OIG’s access to information available to it that the OIG was plainly authorized to obtain under the Inspector General Act.

These actions included failing to produce or delaying the production of relevant and responsive materials without any compelling or sufficient basis.

[…]

Further, the OIG discovered many highly relevant documents, which had not been produced, only after learning about them in witness interviews. This latter issue was particularly significant with respect to the dearth of documents containing legal reviews of programs in our review, which the DEA failed to produce to the OIG until a witness identified their existence to us. The DEA’s actions significantly delayed our review and were wholly inconsistent with the requirements of the Inspector General Act.

This tracks with the Inspector General’s problems with multiple DOJ agencies over the past several years. The FBI and DEA blow off investigations, refuse to produce documents, and do as little as possible to ensure their oversight can actually do any overseeing.

As the report notes, the programs were never on solid legal ground. It points out the programs were brought to life under AG Barr, who never bothered to ask for a legal opinion from the DOJ’s Office of Legal Counsel before setting them in motion. The FBI had concerns about these programs when the DEA offered it access, but those questions went unanswered. The last time the legal questions were thoroughly discussed was in 1999, seven years after the programs went into effect.

Between 1999 and the 2013 Snowden leaks, only a single memo discussing the potential legal pitfalls of these bulk collections was issued. The single conclusion drawn was that the public should never be allowed to find out about these collections. And for the most part we didn’t — not until years after the fact. Good job… I guess.

Two decades and no definitive legal clearance. The only blip in the data stream was the unscheduled leaking of NSA documents. Without Snowden, these programs would likely still be running unaltered — hoovering up millions of phone records with zero reasonable suspicion.

Permalink | Comments | Email This Story

Techdirt.

The NSA Appears To Have Shut Down Its Bulk Collection Of Phone Records

The program considered so “essential” NSA defenders said it couldn’t even be slightly modified is apparently no longer in use. During a recent Lawfare podcast, national security advisor Luke Murry dropped a bit of a bombshell. Charlie Savage summarizes Murry’s comments:

The National Security Agency has quietly shut down a system that analyzes logs of Americans’ domestic calls and texts, according to a senior Republican congressional aide, halting a program that has touched off disputes about privacy and the rule of law since the Sept. 11 attacks.

[…]

Mr. Murry brought up the pending expiration of the Freedom Act, but then disclosed that the Trump administration “hasn’t actually been using it for the past six months.”

“I’m actually not certain that the administration will want to start that back up,” Mr. Murry said.

Murry is referring to the Section 215 bulk data collection. Exposed by the Snowden leaks, Section 215 was modified by the USA Freedom Act, which went into effect June 2015. The biggest modification was where the records were stored. The NSA could no longer collect all phone records from providers and search through the data at its leisure. Instead, it had to provide telcos with lists of targeted numbers. The data remained in the hands of service providers, with the NSA only having access to suspicion-supported phone records.

The alterations to the Section 215 program resulted in the NSA purging a bunch of records that didn’t fit the new parameters. The NSA finally let go of a few of its haystacks, conveniently destroying records integral to multiple lawsuits against the agency. The USA Freedom Act modifications — combined with the NSA’s long history of abusing its collection authorities — seem to have made it impossible for the NSA to continue utilizing its phone records collection program.

The bulk records collection is now in the hands of telcos, resulting in a slimmed-down dataset the NSA didn’t seem particularly enthused to have. Apparently the program is as useless as critics have said it is. The NSA has gone at least six months without asking for data via this authority. This program is due for renewal at the end of this year, but the comments made to Lawfare suggest the NSA may be content to let it expire.

Marcy Wheeler suggests a few underlying motivations for the NSA’s abandonment of the Section 215 collection — and one might be the Supreme Court’s extension of Fourth Amendment protections to cell site location info.

[This] suggests that the problem with the records may not be the volume or the content turned over, but some problem created either by the specific language of the law or (more likely) the House Report on it or by the Carpenter decision. Carpenter came out on June 22, so technically after the NSA claims to have started deleting records on May 23. It also may be that the the NSA realized something was non-compliant with its collection just as it was submitting the 6th set of 180-day applications, and didn’t want to admit to the FISC that it had been breaking the law (which is precisely what happened in 2011 when the government deleted all its PRTT records).

Wheeler says the NSA may have been asking for location data as well to better track the phones it targeted. The IC may have seen the writing on the third-party wall following the Supreme Court’s oral arguments in November 2017. This may account for its plug-pulling a month ahead of the decision’s release.

Or it may be something far less respectful of the Constitution. It could be the NSA has found another way to collect this same data without having to run it by the newly-adversarial FISA court. As Wheeler points out, Section 215 may have been restricted but the powers granted by Executive Order 12333 continue to expand.

Whatever the real motivation, it appears the domestic surveillance program that never prevented a terrorist attack will continue to never prevent terrorist attacks. The upside is we may not be throwing any more tax dollars at a national security program that adds nothing to our nation’s security.

Permalink | Comments | Email This Story

Techdirt.