EFF in the News
On Wednesday, Motherboard showed how powerful off-the-shelf, $170 spyware really is. For a day, I used a piece of software on my phone to surreptitiously collect GPS location data, intercept phone calls, and silently steal photos. What can potential victims of this type of surveillance do to check if they're being monitored? What are some of the best practices to keep in mind to make installing the malware harder? And what can those who are certainly being spied on do? Unfortunately, this is actually one of the harder information security threats to reliably give advice for. "The threat model against this is very complicated because you don't know really how much private space the abuse victim has," Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, told Motherboard.
On three occasions this week, I asked a FlexiSpy salesperson a simple question: If I wanted to, could I use their spyware to snoop on my wife's cellphone without her knowing? The answer each time was yes. When asked if it was legal, they responded with a canned disclaimer explaining it was necessary to get the permission of the target. Nate Cardozo, the Electronic Frontier Foundation's senior counsel: "He's offering to be an accomplice to violating the Wiretap Act. Under American law he'd be guilty of a Wiretap violation." FlexiSpy hadn't responded to further questions about the legality of its operations.
“If we move into a society where we’re required to use biometrics to identify ourselves, and that information is compromised, anyone can impersonate us,” says Jennifer Lynch, senior staff attorney for the Electronic Frontier Foundation. “Biometrics are not like a Social Security or credit card number. You can’t change your fingerprints.”
Watchdog groups that keep tabs on digital privacy rights are concerned that U.S. Customs and Border Patrol agents are searching the phones and other digital devices of international travelers at border checkpoints in U.S. airports. The American Civil Liberties Union and the Electronic Frontier Foundation both say they have noticed an uptick in complaints about searches of digital devices by border agents. The increase has become most noticeable in the last month, said Adam Schwartz, a senior staff lawyer at the Electronic Frontier Foundation. "We are concerned that a bad practice that has existed under past presidents has gotten worse in quantity under the new president," Schwartz said.
It's clear that Facebook played a big role in mobilizing people to participate in the global Women's March last month. And now researchers have determined just how much of an impact the social network had. According to a study from researchers at the University of Maryland, almost 70% of people who attended the D.C. march heard about it on Facebook. Meanwhile, 61% heard about it from friends and family. "There are definitely elements of planning activism that you want to keep off Facebook, especially if you're planning some sort of civil disobedience," Galperin told CNNTech. "[But] in getting the word out, it is unrealistic to tell people not to use Facebook for this purpose."
BART is considering a policy that would balance security interests and privacy rights. The BART Surveillance & Community Safety Act would require its Board of Directors to grant specific approval for each new surveillance device after listening to public comment and conduct yearly reviews of their use. Misuse, or ineffectiveness, would require the board to alter or stop the use of the technology. San Francisco’s Electronic Frontier Foundation, a nonprofit civil rights organization that focuses on the digital world, is working with BART to develop the proposed policy. “Public safety requires trust between government and the communities served,” Adam Schwartz, the foundation’s senior staff attorney, said in a letter to BART directors.
Chairman Lamar Smith (R-Texas) and oversight subcommittee Chairman Darin LaHood (R-Ill.) sent a letter to EPA Inspector General Arthur Elkins on Tuesday asking him to investigate “a group of approximately a dozen career EPA officials … using an encrypted messaging application, Signal, to discuss potential strategies against any attempts by newly appointed political officials to redirect the EPA’s priorities.” Not all communications between employees count as federal records. According to a National Archives Bulletin, records are only created while “conducting business” and federal employees are legally allowed to have personal accounts outside the federal records system. “At some point, you have to let employees have a personal life,” said Ernesto Falcon, legislative director for the Electronic Frontier Foundation.
It’s worth noting, though, that unlike other secure messaging apps, like standard-bearer Signal, Confide’s encryption is closed source and proprietary, meaning no one outside the company knows what’s going on under the hood of the app. “One key is always, do you make code publicly available that’s been audited where features have been inspected by the security community so that it can arrive at some consensus,” says Electronic Frontier Foundation legal fellow Aaron Mackey. “My understanding with Confide, at least right now, is that it’s not clear whether that’s occurred.”
Can agents force you to unlock your phone or laptop? No. But they can ask you to comply voluntarily and make the experience rather uncomfortable if you resist. Travelers must decide how much trouble they’re willing to put up with. Travelers who are not citizens could have further problems, especially if they’re flying into the United States. While citizens are guaranteed re-entry, foreign nationals could be denied entry, and the law isn’t clear on permanent residents, said Sophia Cope, a staff lawyer for the Electronic Frontier Foundation, a nonprofit organization that defends civil liberties in the digital age.
While you can delete your Facebook account or leave your Fitbit at home if you’re going somewhere you’d rather not be tracked, you can’t simply turn off your pacemaker. Not only does deactivating a pacemaker require a doctor, in some cases doctors actually refuse. What happens when privacy violations are committed by devices inside of us, devices that we can’t just turn off via settings? “EFF is concerned that as technology advances, the erosion of individual privacy in personally identifiable health information increases,” Stephanie Lacambra, the Electronic Frontier Foundation’s criminal defense attorney, said.