Legislative Landscape
Top court rules Canadians have privacy interest in online anonymity
The Supreme Court of Canada ruled this month that law enforcement agencies (LEAs) require a warrant in order to compel Internet Service Providers (ISPs) to disclose basic customer information such as name and address. While the court stated that its unanimous decision did not amount to a “right to anonymity”, several Canadian privacy advocates applauded the court’s conclusion that users have a reasonable expectation of privacy with regard to their Internet activities. The ruling threw several controversial Canadian legislative bills into question. Bill C-13, for example, would provide legal immunity to telecom companies for voluntarily providing customer data to law enforcement, while Bill S-4, an amendment to Canada’s data privacy legislation, would make it legally permissible for organizations to disclose personal information to third parties without consent in order to investigate a contractual breach or possible violation of any law.
US Supreme Court says warrant needed to search mobile phones
The US Supreme Court unanimously ruled in late June that US law enforcement agencies (LEAs) now generally require a warrant to search the cell phone of an arrested individual. Making their case, government lawyers had justified such searches as analogous to reading the diary or looking at photos present on an arrestee’s person. However, the court found that the troves of sensitive personal data accessible on many people’s phones are significantly distinct from any physical artifacts present in an arrestee’s immediate physical vicinity, and worthy of heightened protections. Civil liberties groups generally responded positively to the ruling. The American Civil Liberties Union stated that the law “entered a new world” that recognizes people’s “expectations of (digital) privacy”. The Electronic Frontier Foundation called the ruling a “groundbreaking” decision that paves the way for contesting other forms of “electronic searches and surveillance”, perhaps including, as privacy scholar Daniel Solove wrote, a re-evaluation of the Supreme Court’s “third party doctrine”. That doctrine, “one of the worst,” according to Solove, holds that once data is known to a third party, there is no reasonable expectation of privacy for that data.
American tech giants argue data stored internationally is not under US authority
Microsoft, supported by other US-based multinational corporations, is challenging a US search warrant seeking access to emails stored in its Ireland-based data centre. The tech giant argued that complying with the warrant would violate international law and hurt US leadership in the global technology market, particularly in the wake of the US tech industry’s perceived complicity in the mass surveillance programme exposed by Edward Snowden. Instead, Microsoft recommends that US law enforcement agencies seek access to data held in foreign jurisdictions through the existing Mutual Legal Assistance Treaty (MLAT) system. Since Microsoft began its legal challenge last year, Verizon, AT&T, Apple, and Cisco have submitted arguments to the court in support of Microsoft’s case. The Electronic Frontier Foundation also filed a brief in support of Microsoft, arguing that Microsoft’s act of selecting and copying data from Ireland to the United States amounts to a “seizure” taking place abroad, which an MLAT order can authorize, not a US search warrant.
BC Provincial Court rules Google must delete search results globally
Following in the footsteps of last month’s European Court of Justice ruling on “the right to be forgotten”, the Supreme Court of British Columbia ordered Google to globally remove from its search index every link to the website of a company found guilty of trademark infringement. While the EU ruling compels search engines to remove links from indexes hosted on European domains, the British Columbia ruling orders the removal of links hosted on each of Google’s international search indexes. The ruling, based on Canadian law, asserts an authority over websites made available globally, to users under a wide variety of legal regimes, a fact which Google argues may result in legal conflicts elsewhere. Critics viewed the ruling as a huge judicial overreach, ignorant of jurisdictional issues and of the precedent it could set regarding global censorship. Google says it will appeal the ruling.
Social Media Monitoring
UK spy boss justifies mass collection of UK citizen social media content
Compelled by a 2013 legal claim filed by Privacy International and other human rights groups, the director general of the UK Office for Security and Counter-Terrorism, Charles Farr, provided a justification for the mass collection of Internet communications content of British citizens by UK spy agency GCHQ. In his reply, Mr. Farr stated that because data transits from Britain to a foreign country during the use of Internet services such as Google and Facebook, such data can be classified as “external communications”, the category of communications UK spy agencies are legally permitted to snoop on. On the other hand, “internal communications” occur when data remains within British networks, which can only be read by an actual person through a government-issued warrant. When asked by the New York Times for an opinion on the disclosure, Google stated it provides user data to governments “only in accordance with the law” and following a review by their legal team. The Guardian newspaper quoted other civil society groups, with a representative for Liberty calling Farr’s justification “flimsy”, and a senior director at Amnesty International stating that Britons “should be alarmed” by the “industrial-scale” surveillance.
Facebook ad profiling now leveraging web browsing history
Facebook is now incorporating the browsing history of its users in the ad profiles it uses to personalize advertisements displayed on the social media platform. The social media giant’s ubiquitous ‘like’ button, its social login, clear GIFs, and other features embedded on a huge number of web pages have long been used to collect browsing behaviour, which Facebook is now using to infer people’s interests for ad profiling. Along with this announcement, Facebook promised to introduce additional controls for users to edit their ad profiles on the site and also linked to a service hosted by the Digital Advertising Alliance that lets people opt out of receiving ads targeted using browser history. However, such an opt-out does not prevent ad companies like Facebook from continuing their practice of collecting browsing history; it only prevents companies from serving tailored ads. Facebook also stated it is ignoring “Do Not Track” HTTP request headers sent to it by web browsers, claiming there to be no industry consensus on complying with the contested web standard.
Mobile Privacy & Security
iOS MAC address randomization feature targets Wi-Fi tracking industry
Apple reportedly has a new feature in its upcoming mobile operating system release that will affect a common method for tracking people’s locations. The upcoming feature is said to regularly randomize a phone’s MAC address, the unique string that identifies a device on a network. If a phone has WiFi enabled, its MAC address is sent to every WiFi network in the phone’s range, even if the user never connects to them. When roaming around areas with a dense set of WiFi networks, such as retail stores or shopping malls, the same MAC address will be sent to a large number of those networks. Organizations that track people’s geolocation use this data by obtaining MAC addresses associated with location and time information from a set of WiFi networks. Once data from a significant number of networks is aggregated, it can be used to accurately monitor a person’s movement. This data is often used by retailers to improve store layouts, and by analytics companies that can provide organizations with information about where customers come from, and where they go after visiting a specified location. Tracking using this methodology will be made more difficult following Apple’s move.
Researchers find thousands of Android apps insecurely storing authentication keys
Researchers from Columbia University released a report describing their detection of a large security oversight present in thousands of Android mobile applications available in the Google Play store. These applications were storing secret keys and access tokens directly in the installed application operating on a user’s device. Used to connect to and interact with third-party resources, such keys and tokens are intended to be known only to the application provider itself, not to individual installations. However, the observed practice makes it possible for an attacker to decompile the affected application and steal any stored keys. For example, authentication keys used to connect to Amazon Web Services, if enough were stolen, could enable an attacker to create a botnet of virtual servers, while compromised OAuth tokens could enable an attacker to post to potentially millions of Facebook users’ profiles. The study authors attributed this oversight to developers being unaware of the security threats, the perceived convenience of storing such information in the application itself, and the existence of API documentation that encouraged the practice. The researchers made their detection tool, PlayDrone, available to Google to help the company proactively detect these issues, and informed affected companies like Amazon, Facebook, Twitter, and Airbnb of the issue.
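A pre-release check that a developer could run over the text of their own unpacked app package to catch the practice described above; this is an added example, not PlayDrone and not code from the researchers' report. The file names, sample contents and entropy threshold are assumptions, and the credentials shown are AWS's published documentation placeholders.

```python
import math
import re
from collections import Counter

# Long-term AWS access key IDs are 20 characters beginning with "AKIA".
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Long runs of base64/URL-safe characters are candidates for embedded secrets.
TOKEN_LIKE = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
MIN_ENTROPY = 4.0  # assumed threshold, in bits per character

# Constructed sample of strings as they might appear in an unpacked package.
SAMPLE = {
    "res/values/strings.xml":
        '<string name="aws_id">AKIAIOSFODNN7EXAMPLE</string>\n'
        '<string name="aws_secret">'
        'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>\n',
    "smali/com/example/Config.smali":
        'const-string v0, "0000000000000000000000000000000000000000"\n'
        'const-string v1, "Welcome back to the example application"\n',
}


def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(files):
    """Return sorted (path, rule, match) findings for a {path: text} mapping."""
    findings = []
    for path, text in files.items():
        for m in AWS_KEY_ID.finditer(text):
            findings.append((path, "aws-access-key-id", m.group()))
        for m in TOKEN_LIKE.finditer(text):
            # The entropy filter drops padding and other repetitive long strings.
            if shannon_entropy(m.group()) >= MIN_ENTROPY:
                findings.append((path, "high-entropy-string", m.group()))
    return sorted(findings)


if __name__ == "__main__":
    for path, rule, value in scan(SAMPLE):
        # Print only a prefix so the report itself does not leak the secret.
        print(f"{path}: {rule}: {value[:8]}...")
```

Any finding means the credential belongs on the provider's server side rather than in the shipped package, and a key that has already shipped should be rotated.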