IoT lessons from mobile: digital property

This has been a tough week for privacy advocates. On Monday, the Intercept brought news that the 4th Circuit Court of Appeals ruled that obtaining location data from a cell phone company doesn't require a warrant; today, the Verge reports that agencies are filing warrants seeking phone location data so precise it can track you down to a specific building. Some agencies even have a manual to assist with filing practices.

Since this isn't a mobile technology blog or a law blog, you might ask why I would bother covering that news. With an emerging field like IoT, it's critical to understand the domain from both a technical and a legal perspective. Mobile is a connected technology just like IoT, so there are lessons to be learned, whether from similar tech or from precedents.

The 4th Circuit case is an example of how the third-party doctrine is interpreted. I've warned previously about being judicious concerning your data and who can access it. Maintaining presumption of innocence, most people caught in a dragnet like that would probably want evidence in the form of location data supporting their innocence; as an aside, this is why dash cams are popular in some countries.

But the point is not how this data may benefit you; the point is whether access to it should be granted without your consent. We have protections in place for other instances of your property, like needing a warrant to access your home or a locked car trunk. So why is it different for your data and phone companies? Nicholas Weaver sums it up: it all depends on a company's willingness to fight subpoenas; there are no legal protections for your digital property.

Who owns your data and when

This piece from the Atlantic will make you consider not to whom you're giving your data, but with whom it may eventually reside. From the article:

If a...company can’t legally sell off its data, then it may just sell itself in order to cut its losses. Among the post-crash rubble, the principal value that a potential buyer might see in snapping up the company is its data. It’s like an acquisition hire, but for a huge and detailed dataset.

I agree that the best way to protect your personal data is not to provide it. More than once I've heard people offer justifications for providing personal data to a company simply because they "trust them."

It's fantastic to have a service provider or company that you trust, but that rationalization presupposes the company and its policies are persistent. I'm not on every social media platform, but there's not one that didn't have at least one update to its privacy policy or terms of service. What's more likely is that the company to which you're providing your data is aiming to be acquired by a larger company, whose privacy policies may not be in line with the original ones for which you signed up. And with most companies opting to collect as much data as possible and decide what to do with it later, at some point your data could be in the hands of someone with whom you didn't intend to share it.

Security challenges of IoT

At a recent panel discussion, EFF hits the nail on the head with IoT and security. A quote from EFF's Nate Cardozo:

“If the data is there you’re going to have to protect it. One way of protecting it, of course, is to not collect it in the first place... That’s a great way of keeping all of that content secure.”

Mr. Cardozo further discusses the security issues of industries that have never had to deal with security in the past, namely the medical device industry. There's genuine concern over securing data for connected devices, but perhaps a more urgent concern, especially for the medical device industry, is ransomware in IoT devices. It’s one thing to have your health data stolen; it’s another to have a connected pacemaker, for example, held for ransom.

Continuing with Mr. Cardozo’s comment on the benefits of a zero-knowledge model, there are more than a few industries and devices that would benefit from a non-connection solution until either 1) the industry becomes more security-savvy or 2) IoT security becomes standardized.

Explainer: Rule 41 and its dangers

The EFF brings news of an innocuous-sounding — yet Orwellian — Rule 41. The proposal has two main segments; from the article:

The first part of this change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one's location.

The second part...would grant authorization to a judge to issue a search warrant for...infiltrating computers that may be part of a botnet. This means victims of malware could find themselves doubly infiltrated: their computers infected with malware and used to contribute to a botnet, and then government agents given free rein to remotely access their computers as part of the investigation.

This means that any judge in the US, perhaps one with a history of granting warrants without much consideration of evidence, can issue a search warrant for any computer in the world, regardless of jurisdiction. Combine that with the language of the second segment, and this is effectively a rubber stamp to intrude on every connected device on the planet with a single warrant.

Congress has until December 1 of this year to block these changes to Rule 41. See EFF’s write-up for an in-depth look at the legal ramifications.