The stories you want. The opinions that matter.
No, thanks

Cellphone Companies Will Share Your Location Data – Just Not With You

by Megha Rajagopalan, ProPublica.

6/27/2012: This post has been corrected. Cellphone companies hold onto your location information for years and routinely provide it to police and, in anonymized form, to outside companies.

 

As they note in their privacy policies, Verizon, Sprint, AT&T, and T-Mobile all analyze your information to send you targeted ads for their own services or from outside companies. At least tens ofthousands of times a year, they also hand cellphone location information to the FBI or police officers who have a court order.

But ProPublica discovered that there’s one person cell phone companies will not share your location information with: You.

We asked three ProPublica staffers and one friend to request their own geo-location data from the four largest cellphone providers. All four companies refused to provide it.

Here’s how they responded:

Verizon

On releasing location data to you: “Verizon Wireless will release a subscriber’s location information to law enforcement with that subscriber’s written consent. These requests must come to Verizon Wireless through law enforcement; so we would provide info on your account to law enforcement — with your consent — but not directly to you.”

On responding to requests from law enforcement: ” Unless a customer consents to the release of information or law enforcement certifies that there is an emergency involving danger of death or serious physical injury, Verizon Wireless does not release information to law enforcement without appropriate legal process.” A spokesman said being more specific would “require us to share proprietary information.”

Sprint

On releasing location data to you: “We do not normally release this information to customers for privacy reasons because call detail records contain all calls made or received, including calls where numbers are ‘blocked.’ Because of an FCC rule requiring that we not disclose ‘blocked’ numbers, we only release this information to a customer when we receive a valid legal demand for it.”

On responding to requests from law enforcement: “If the government is seeking “basic subscriber information” (defined in 18 USC sec. 2701, et seq) it can obtain that information by issuing a subpoena. If the government is seeking Sprint records relating to our customers that go beyond “basic subscriber information” then the government must furnish Sprint with a court order based on specific and articulable facts. If the government is seeking customer’s content then it must obtain a warrant based on probable cause.”

AT&T

On releasing location data to you: “Giving customers location data for their wireless phones is not a service we provide.”

On responding to requests from law enforcement: “We do share data with law enforcement as part of a valid legal process – for example, a court order or a subpoena.”

T-Mobile

On releasing location data to you: “No comment.”

On responding to requests from law enforcement: “For law enforcement agencies, we release customer information only when compelled or permitted under existing laws. This includes, but is not limited to, circumstances under which there is a declaration from law enforcement of an exigent circumstance, as well as other valid legal process, such as subpoenas, search warrants, and court orders.”

—-

As location tracking by cell phone companies becomes increasingly accurate and widespread, the question of who your location data actually belongs to remains unresolved. Privacy activists in the U.S. say the law has not kept pace with developing technology and argue for more stringent privacy standards for cell phone companies. As Matt Blaze, a University of Pennsylvania professor put it, “all of the rules are in a state of enormous uncertainty and flux.”

The Obama administration has maintained that mobile phone users have “no reasonable expectation of privacy.” The administration has argued against more stringent standards for police and the FBI to obtain location data.

The FBI also says data collected by cell phones is not necessarily accurate enough to pose much of a threat to your privacy — for instance, in a strip mall, cell phone records may not show whether you are in a coffee shop or the apartment next door.

But that is quickly changing. Blaze said as the number of mobile phones continues to rise, cell phone companies are now installing thousands of small boxes known as microcells in crowded places like parking garages and shopping malls to enable them to provide better service. Microcells, he said, also enable the phone companies to record highly precise location data. While your phone is on, he said, it is constantly recording your location.

T-Mobile, Sprint, Verizon and AT&T all refused to disclose how many requests from law enforcement they receive.

Our idea to test whether cellphone companies will give users their own location data came from a German politician who successfully obtained his data last year from Deutsche Telekom. Consumers in Europe have greater protections.

Correction (6/27/2012): This story has been corrected after we mistakenly repeated T-Mobile’s comment as Sprint’s response. We have also updated the story to include an additional response from AT&T.

 

Remember Stuxnet? Why The U.S. Is Still Vulnerable

Remember Stuxnet? Why The U.S. Is Still Vulnerable

by Megha Rajagopalan,ProPublica

 

Last week, the Department of Homeland Security revealed a rash of cyber attacks on natural gas pipeline companies. Just as with previous cyber attacks on infrastructure, there was no known physical damage. But security experts worry it may only be a matter of time.

Efforts to protect pipelines and other critical systems have been halting despite broad agreement that they’re vulnerable to viruses like Stuxnet — the mysterious worm that caused havoc to Iran’s nuclear program two years ago.

The Frankenstein-like virus infected a type of industrial controller that is ubiquitous — used around the world on everything from pipelines to the electric grid.

Experts say manufacturers haven’t fixed security flaws in these essential but obscure devices.

Why hasn’t more been done? Here’s why Stuxnet remains a top national security risk.

Q. What is Stuxnet, anyway?

Stuxnet first made headlines when it burrowed into computers that controlled uranium centrifuges in Iran’s renegade nuclear program. Its self-replicating computer code is usually transmitted on flash drives anyone can stick into a computer. Once activated, the virus made Iran’s centrifuges spin out of control while making technicians think everything was working normally — think of a scene in a bank heist movie where the robbers loop old security camera footage while they sneak into the vault.

Q. Who created it?

Whoever knows the answer to this isn’t telling — but if cybersecurity researchers, the Iranian government and vocal Internet users are to be believed, the two prime suspects are the U.S. and Israeli governments.

Q. How does it work?

Stuxnet seeks out little gray computers called programmable logic controllers, or PLCs. The size and shape of a carton of cigarettes, PLCs are used in industrial settings from pretzel factories to nuclear power plants. Unfortunately, security researchers say the password requirements for the devices are often weak, creating openings that Stuxnet (or other viruses) can exploit. Siemens made the PLCs that ran Iran’s centrifuges; other makers include Modicon and Allen Bradley. Once introduced via computers running Microsoft Windows, Stuxnet looks for a PLC it can control.

Q. How big is the problem?

Millions of PLCs are in use all over the world, and Siemens is one of the top five vendors.

Q. After Iran, did Siemens fix its devices?

Siemens released a software tool for users to detect and remove the Stuxnet virus, and encourages its customers to install fixes Microsoft put out for its Windows system soon after the Iran attack became public (most PLCs are programmed from computers running Windows.) It is also planning to release a new piece of hardware for its PLCs, called a communications processor, to make them more secure — though it’s unclear whether the new processor will fix the specific problems Stuxnet exploited. Meanwhile, the firm acknowledges its PLCs remain vulnerable — in a statement to ProPublica, Siemens said it was impossible to guard against every possible attack.

Q. Is Siemens alone?

Logic controllers made by other companies also have flaws, as researchers from NSS labs, a security research firm, have pointed out. Researchers at a consulting firm called Digital Bond drew more attention to the problem earlier this year when they released code targeting commonly used PLCs using some of Stuxnet’s techniques. A key vulnerability is password strength — PLCs connected to corporate networks or the Internet are frequently left wide open, Digital Bond CEO Dale Peterson says.

Q. What makes these systems so tough to protect?

Like any computer product, industrial control systems have bugs that programmers can’t foresee. Government officials and security researchers say critical systems should never be connected to the Internet — though they frequently are. But having Internet access is convenient and saves money for companies that operate water, power, transit and other systems.

Q. Is cost an issue?

System manufacturers are reluctant to patch older versions of their products, government and private sector researchers said. Utility companies and other operators don’t want to shell out money to replace systems that seem to be working fine. Dan Auerbach of the Electronic Frontier Foundation, formerly a security engineer at Google, says the pressure on tech companies to quickly release products sometimes trumps security. “There’s an incentive problem,” he said.

Q. What’s the government doing?

The Department of Energy and the Department of Homeland Security’s Computer Emergency Readiness Team, or CERT, work with infrastructure owners, operators and vendors to prevent and respond to cyber threats. Researchers at government-funded labs also assess threats and recommend fixes. But government agencies cannot — and do not attempt to — compel systems vendors to fix bugs.

The only national cybersecurity regulation is a set of eight standards approved by the Federal Energy Regulatory Commission — but these only apply to producers of high-voltage electricity. A Department of Energy audit last year concluded the standards were weak and not well implemented.

Q. So is Congress weighing in?

Cybersecurity has been a much-debated issue. Leading bills, including the Cyber Intelligence Sharing and Protection Act, would enable government and the private sector to share more threat information. But while CISPA and other bills give the Department of Homeland Security and other agencies more power to monitor problems, they all take voluntary approaches.

“Some of my colleagues have said nothing will change until something really bad happens,” said Peterson, whose consulting firm exposed vulnerabilities. “I’m hoping that’s not true.”

Q. What does the Obama administration want?

The White House has called for legislation that encourages private companies to notify government agencies after they’ve faced cyber intrusions, and recommends private companies secure their own systems against hackers. But the White House stops short of calling for mandatory cybersecurity standards for the private sector.

 

Is CISPA SOPA 2.0? We Explain The Cybersecurity Bill

by Megha Rajagopalan, ProPublica

 

The Cyber Intelligence Sharing and Protection Act, up for debate in the House of Representatives today, has privacy activists, tech companies, security wonks and the Obama administration all jousting about what it means — not only for security but Internet privacy and intellectual property.  Backers expect CISPA to pass, unlike SOPA, the Stop Online Piracy Act that melted down amid controversy earlier this year.

Here’s a rundown on the debate and what CISPA could mean for Internet users.

What exactly is CISPA?

The act, sponsored Rep. Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md., would make it easier for private corporations and U.S. agencies, including military and intelligence, to share information related to “cyber threats.” In theory, this would enable the government and companies to keep up-to-date on security risks and protect themselves more efficiently. CISPA would amend the National Security Act of 1947, which currently contains no reference to cyber security.  Companies wouldn’t be required to share any data. They would just be allowed to do so.

Why should I care?

CISPA could enable companies like Facebook and Twitter, as well as Internet service providers, to share your personal information with the National Security Agency and the CIA, as long as that information is deemed to pertain to a cyber threat or to national security.

How does the bill define “cyber threat”?

The most recent version of the bill defines it as information “pertaining to a vulnerability of” a system or network — a definition that opponents have criticized as too broad. Rep. Adam Schiff, D-Calif., has proposed an amendment that narrows the definition. The bill has gained key support with the addition of the amendment.

When can data can be shared?

Rep. Rogers said the amended version of the bill would only enable companies and intelligence agencies to share information related to 1) cyber security purposes; 2) investigation and prosecution of cyber security crimes; 3) protection of individuals from death and bodily harm; 4) child pornography; or 5) protection of the national security of the United States.

Why are privacy activists upset about CISPA?

Privacy activists like the American Civil Liberties Union and the Electronic Frontier Foundation contend CISPA isn’t specific enough about just what constitutes a “cyber threat.” They say it enables Internet companies and service providers to hand over sensitive user information to intelligence agencies without enough oversight from the civilian side of government. Finally, they say it does not explicitly require Internet companies to remove identifying information about users before sharing.  Opponents contend, for instance, that Facebook or Twitter could share user messages with the NSA or FBI without redacting the user’s name or personal details.

CISPA also protects the private sector from liability even if they share private user information, as long as that information is deemed to have been shared for cybersecurity or national security purposes. Even though sharing is voluntary and not required under the law, privacy activists say the legal immunity CISPA provides would make it easy for the government to pressure Internet companies to give up user data.

What kind of information can be shared?

Private companies and government agencies can share any information that pertains to a “cyber threat” or that would endanger national security. That could include user information, emails, and direct messages. Companies would be allowed to share with each other as well as the government. The government is not allowed to proactively search company-provided information for purposes unrelated to cyber security, but opponents say this would be tough to enforce. The bill does not place any explicit limit on how long that information can be kept, though Schiff’s amendment would require the government to destroy data unrelated to cyber security. Several proposed amendments would limit the amount and kinds of information that can be shared, but it remains to be seen which — if any — will be adopted.

Is CISPA basically SOPA 2.0?

No, it’s very different.

SOPA was about intellectual property; CISPA is about cyber security, but opponents believe both bills have the potential to trample constitutional rights. The comparisons to SOPA stem from language in an earlier version of CISPA that referenced intellectual property. That wording was removed early on in response to mounting criticism. SOPA would have strengthened copyright laws, barring search engines and other websites from linking to sites that violated intellectual property regulations. That prompted a First Amendment concern from critics that it would give government the power to block websites wholesale, trampling free speech. CISPA’s liability shield, on the other hand, has sparked a concern based on the Fourth Amendment, which protects against unreasonable search and seizure. Opponents contend the law would make it too easy for private companies and the intelligence community to spy on users in the name of cyber security.

Why are some of the tech companies that protested SOPA, like Facebook and Microsoft, now supporting this bill?

CISPA gives Internet companies the ability to share threat information with intelligence agencies and receive information back from them, an ability they say would enable them to deal with cyber threats more effectively. It does not compel them to protect users’ privacy (though a variety of proposed amendments aim to add more stringent privacy protections). Companies could not be held liable for divulging a user’s identity or data to the government if the information relates to a “cyber threat.”

What’s the Obama administration’s take?

The White House is backing a Senate bill proposed by Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman, I-Conn., and has threatened to veto CISPA. Officials cite a lack of personal privacy protections. They say CISPA would enable military and intelligence agencies to take on a policing role on the internet, which the administration points out is a civilian sphere.

What is CISPA’s path forward in Congress?

A vote is set for Friday. CISPA has accumulated more than 100 cosponsors and will most likely pass the House. “This isn’t about scrambling to meet 218 votes, we are well past that,” co-sponsor Rogers said during a conference call with reporters. But the Senate is a different story — there, it must compete with the Lieberman cyber security bill and one from Sen. John McCain, R-Ariz.

Would CISPA really make us more secure?

It’s unclear.

Some cyber security specialists note that neither CISPA nor other cyber security bills in Congress would compel companies to update software, hire outside specialists or take other measures to preemptively secure themselves against hackers and other threats. CISPA’s backers respond that the bill would forestall a “digital Pearl Harbor,” allowing a freer flow of information for a quicker and more effective response to hackers by both the government and the private sector.