Εναντίον του Google Analytics στρέφονται οι γερμανικές υπηρεσίες προστασίας δεδομένων

Associated Press

Βερολίνο

Παράνομη θεωρούν οι γερμανικές υπηρεσίες προστασίας προσωπικών δεδομένων τη χρήση του Google Analytics, της υπηρεσίας που παρουσιάζει τα «δημογραφικά χαρακτηριστικά» των επισκεπτών ιστοσελίδων.

Το Google Analytics χρησιμοποιείται για τη δημιουργία «προφίλ» των επισκεπτών συγκεκριμένων ιστοσελίδων, εξακριβώνοντας όχι μόνο το πόσοι και από πού είναι οι επισκέπτες τους, αλλά και το «διαδικτυακό» ιστορικό τους. Έτσι, ο ιδιοκτήτης της ιστοσελίδας ή ο όποιος ενδιαφερόμενος μπορεί να σχηματίσει μία εικόνα των επισκεπτών της και των προτιμήσεών τους.

Οι γερμανικές υπηρεσίες προστασίας προσωπικών δεδομένων όμως, τόσο σε ομοσπονδιακό επίπεδο όσο και σε διάφορα κρατίδια, θεωρούν ότι η χρήση του Google Analytics αντιτίθεται στο γερμανικό δίκαιο.

Σύμφωνα με την εφημερίδα Zeit, περίπου το 13% των γερμανικών ιστοσελίδων χρησιμοποιούν την υπηρεσία -ανάμεσά τους φαρμακευτικές εταιρείες, πολιτικά κόμματα και ΜΜΕ. Μεταξύ άλλων, το νομικό πρόβλημα δημιουργείται από το κατά πόσον η διεύθυνση IP, η «προσωπική υπογραφή» του κάθε υπολογιστή στο διαδίκτυο, αποτελεί δεδομένο «προσωπικώς συσχετίσιμο». Οι γερμανικές υπηρεσίες θεωρούν πως αυτό συμβαίνει ενώ η Google το βλέπει διαφορετικά, αλλά φαίνεται ότι και η γερμανική νομολογία παρουσιάζεται εξίσου αμφίσημη.

Οι υπηρεσίες φοβούνται ότι η Google θα μπορούσε να δημιουργήσει «προφίλ» εκατομμυρίων χρηστών του διαδικτύου, τα οποία θα συμπεριλαμβάνουν τα ενδιαφέροντά τους, τις συνήθειες ζωής τους, την καταναλωτική τους συμπεριφορά και τις πολιτικές ή ακόμη και σεξουαλικές προτιμήσεις τους.

Οι χρήστες, τονίζουν σύμφωνα με το δημοσίευμα οι γερμανικές υπηρεσίες, δεν έχουν τη δυνατότητα να επιλέξουν ενεργητικά τη μη υπαγωγή τους στο λογισμικό (opt-out), χωρίς το οποίο «δεν στέκει τίποτα». Εξίσου ενοχλημένες παρουσιάζονται οι υπηρεσίες με το γεγονός ότι τα προσωπικά δεδομένα μπορούν να γίνουν αντικείμενο επεξεργασίας από εταιρείες ή φορείες επί αμερικανικού εδάφους.

Η Google υποστηρίζει ότι η επεξεργασία των δεδομένων στις ΗΠΑ καλύπτεται απολύτως από τη συμφωνία «Safe Harbour» μεταξύ Ευρώπης και Ουάσιγκτον, ενώ θεωρεί περιττό το «opt-out» καθώς οι χρήστες μπορούν «να απενεργοποιήσουν τα cookies».

Ethics leaks spur House bill banning P2P apps on .gov PCs

Over the past year, there have been several embarrassing incidents where private government documents have leaked because employees didn't know how to properly configure P2P client software. For the US House of Representatives, the last straw came when ethics documents were leaked. A bill has been introduced to ban the use of P2P apps by federal employees.

Peer-to-peer filesharing applications have been wildly popular, especially among those interested in accessing pirated software, music, and media. But not everyone who operates a P2P client knows how to properly configure the software, and some clients may share entire directories unless explicitly directed not to. Apparently, some government employees have exhibited this sort of carelessness, as private and secret government documents have shown up on P2P networks. Now, at least one Congressman has had enough, and has introduced a bill that would ban the use of P2P software by government employees.

The Congressman in question is Edolphus Towns of New York, who chairs the Committee on Oversight and Government Reform. In a statement announcing the bill's introduction, Towns highlights a number of embarrassing incidents in which sensitive government files showed up on P2P networks. These include schematics for the Presidential helicopter and the location of a first-family safe house, as well as the financial records of a Supreme Court Justice.

But the cynic would suggest that the real spur to action was the leak of a whole series of documents related to ethics investigations of Towns' fellow House members, which he also cited in the announcement. This included a full list of ongoing investigations and details on a number of them. The committee that suffered the leak issued a statement (PDF) at the end of October which indicated that P2P software was involved in the leak, so this appears to involve a relatively quick response.

The bill itself, termed the Secure Federal File Sharing Act, calls on the Director of the Office of Management and Budget to issue guidance on the use of P2P software, and provides the Director some guidance on what it should be: P2P software will be banned on government-owned computers. The OMB Director will have 90 days to come up with rules for government workers and contractors that have access to documents at home. Procedures will also be put in place for government agencies that have legitimate need for P2P software, in order to grant them exceptions.

By 180 days after the bill's passage, the OMB will have to specify procedures to detect and purge P2P use from within the government's networks. After the procedures are in place, the OMB will need to provide Congress with an annual report detailing all the exemptions that are in place.

Although it's tempting to snicker at the ethics leaks being the primary event that spurred Congress to action, it wouldn't be at all surprising if some of the complaints that leaked are the result of misunderstandings or political disagreements; all of them will almost certainly be used (and abused) in future political campaigns. In any case, the other leaks are certainly more severe, and there's no reason to think that the average government employee is ever going to be more technically savvy or security-literate than the general computer using population, so the law addresses a real issue.

Given that P2P software does have a number of legitimate uses, however, blanket restrictions and a formal approval process may turn out to be a hindrance. Assuming the bill passes, the real challenge is likely to be crafting a quick and effective exemption process.

By John Timmer

In Venezuela criminals use Facebook to research targets. Cops use it too — but not always for scrupulous purposes.

In Venezuela criminals use Facebook to research targets. Cops use it too — but not always for scrupulous purposes.

CARACAS, Venezuela — It has taken Venezuela by storm, but it seems that Facebook and other social networking sites also come with their perils.

Police here revealed that a pair of students at a private university in Caracas had been robbing their virtual friends’ homes using information they had compiled using Facebook.

Police raided the apartment of one of two students who, working in tandem with another couple, had been using Facebook to befriend classmates. They then used the information their new “friends” posted on their profiles to find out where they lived, what they owned and when they were not at home.

"They observe the families’ movements, they study the residencies — the comings and goings, the security measures," said Wilmer Flores Trosel, director of the CICPC, Venezuela’s eqivalent of the FBI.

Security analysts in Venezuela say it is becoming increasingly frequent for criminals to use social networking sites such as Facebook, Twitter, Sonico and Hi5 as a source of information for house robberies, fraud and kidnappings.

And it's not just the criminals capitalizing on this online data source, the police too are using it, to go after both hard-core criminals and political protesters. In a country with little tolerance for dissent, many fear the government has designs on controlling these sites. And the crimes aided by Facebook, might give them cause to do just that.

“There's a certain amount of intelligence work involved in kidnapping that Facebook makes easier,” said Roberto Briceno Leon, director of the Venezuelan Observatory of Violence. “Before, what did kidnappers do? They could spend months checking accounts, studying a person's daily movements in order to be able to plan the kidnapping. That implies an investment. Now, Facebook makes that easier.”

Briceno Leon said that even an innocent photograph of a user’s home could reveal valuable information about security systems that could be used to plan robberies or kidnappings.

Leon's Venezuelan Observatory of Violence did a survey and they estimate that there were between 8,000 and 9,000 kidnappings in Venezuela in 2008. The official figure for last year was 554 but most kidnappings go unreported because victims' families prefer not to involve the police as they are often involved in the kidnappings.

Venezuelans are no strangers to crime. Murder rates have reached record highs in recent years and they have been a part of daily life since the late 1980s. Banks take elaborate precautions to avoid fraud. Making a simple withdrawal can involve heavy scrutiny and a customer often has to be photographed and fingerprinted before the money is released.

But Venezuelans are not similarly cautious when it comes to the personal details they publicize on social networks. There are 435,992 users signed up to three "Venezuela" pages on Facebook, and Facebook is used widely in the country for party invitations and political protests.

Briceno Leon said that social networking sites offer the illusion of safety but what may seem like an innocent confession often opens up a window into the private life of an individual.

“People feel intimate and safe, they don't feel like they are on the street,” he said. “That's why people cease to take precautions.”

Facebook is also a tool used by Venezuelan police — though not always effectively. Carlos Graffe, a student from Valencia, a city 75 miles west of Caracas, said the prosecutor’s office put out a warrant for his arrest after he was identified through a photo on Facebook as one of several protesters who are accused of inciting violence during a protest march in Caracas in August.

Graffe and his lawyer claim it’s a case of mistaken identity: The television footage that shows protesters dismantling police barriers during the march shows a different person than the one identified in the Facebook photograph. What’s more, the person in the Facebook photograph is in fact his cousin, also called Carlos Graffe.

Opposition figures claim the Venezuelan government ultimately wants to control social networking sites, which have become an important tool for organizing protests and marches.

Thousands of Venezuelans protested the closing down of local radio station CNB by posting messages on the Twitter account #freemediave. An editorial piece in the state-run Bolivarian News Agency then accused Twitter of becoming a “new channel for creating terror” by spreading disinformation in a campaign orchestrated by the Venezuelan ultra-right.

Government critics claim the government is pushing its own forms of disinformation. In July, Diosdado Cabello, the minister for public works, aired the idea of passing all of Venezuela’s internet traffic through the servers of Cantv, the state-run telecommunications company. Critics say the move would allow the government to control communication on social networking sites during protests.

Social networking sites are a threat to the government that fears that it cannot control the partisanship of sites such as Facebook, said Carlos Delgado, a media analyst at the Andres Bello Catholic University in Caracas. He said the government’s move to control Venezuela’s servers is an attempt to “consolidate its communicational hegemony.”

Criminal Charges

This is Rodney Bradford. A few days ago, Facebook saved his 19-yo life. Facebook, and his status plea demanding the immediate consumption of one of the basic food groups every human being needs to properly function in the morning: Pancakes. [via gizmodo]

Rodney was arrested on October 18 as a suspect in two crimes. He declared himself innocent and Robert Reuland—his defense lawyer—found the key to free him: "Where's my pancakes?"

That seemingly inconsequential Facebook status update proved crucial when the Californian company confirmed that someone wrote it from his father's Harlem apartment computer, using Rodney's user and password at around the time of the alleged crime: Saturday October 17, 11:49am.

Of course, you can argue that anyone with Rodney's password could have written the status update, while the 19-yo went on to commit two crimes, but his defense lawyer and the district attorney disagree:

A spokesman for Brooklyn's District Attorney said the Facebook update served as the confirmation of the other alibis, namely Rodney's father and stepmother, who declared he was at their Harlem home at the time.
The most interesting thing in this case, however, is that this seems to be the first time in which social networking has been used to save the ass of someone, rather than nailing a really stupid thief.

AP+IMPACT%3A+Framed+for+Child+Porn+_+by+a+PC+Virus+-+ABC+News

AP+IMPACT%3A+Framed+for+Child+Porn+_+by+a+PC+Virus+-+ABC+News

Pirates get a taste of Microsoft COFEE

Microsoft's Computer Online Forensic Evidence Extractor (COFEE) software, which helps law enforcement officials grab data from password protected or encrypted sources, has leaked.

Microsoft's Computer Online Forensic Evidence Extractor (COFEE) has made it into the hands of pirates, and their virtual ships are distributing it quickly for everyone to get a taste. The COFEE application uses common digital forensics tools to help law enforcement officials at the scene of a crime gather volatile evidence of live computer activity that would otherwise be lost in a traditional offline forensic analysis. In other words, it lets officers grab data from password-protected or encrypted sources. That means you can now break the law twice over: download the software and then use it to steal information from other people's computers.

Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer. The forensics tool is approximately 15MB in size and works best with Windows XP. Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7. Here's the official description of COFEE:

With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation.

Microsoft first revealed the tool back in April 2008, so we have to say that the software giant did quite a good job keeping it away from pirates for over two years (that has to be some kind of record for Redmond). In April 2009, Microsoft announced that it will aid global law enforcement in fighting cybercrime by providing its COFEE tool free of charge to International Criminal Police Organization's (Interpol) Global Security Initiative (GSI), a project that addresses international security challenges, and the participating 187 countries. Now though, the valuable tool is available to more than just government crime fighting bodies, and we can't say we're comfortable with the possible implications.

Secure computers aren’t so secure

Even well-defended computers can leak shocking amounts of private data. MIT researchers seek out exotic attacks in order to shut them down

You may update your antivirus software religiously, immediately download all new Windows security patches, and refuse to click any e-mail links ostensibly sent by your bank, but even if your computer is running exactly the way it’s supposed to, a motivated attacker can still glean a shocking amount of private information from it. The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. MIT researchers centered at the Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.

In 2005, Eran Tromer, now a postdoc at CIS, and colleagues at the Weizmann Institute in Rehovot, Israel, showed that without any breach of security in the ordinary sense, a seemingly harmless computer program could eavesdrop on other programs and steal the type of secret cryptographic key used by one of the most common Internet encryption schemes. Armed with the key, an attacker could steal a computer user’s credit card number, bank account password — whatever the encryption scheme was invoked to protect.

Computer operating systems are supposed to prevent any given program from looking at the data stored by another. But when two programs are running at the same time, they sometimes end up sharing the same cache — a small allotment of high-speed memory where the operating system stores frequently used information. Tromer and his colleagues showed that simply by measuring how long it took to store data at a number of different cache locations, a malicious program could determine how frequently a cryptographic system was using those same locations. “The memory access patterns — that is, which memory addresses are accessed — are heavily influenced by the specific secret key being used in that operation,” Tromer says. “We demonstrated a concise and efficient procedure for learning the secret keys given just this crude information about the memory access patterns.” Complete extraction of the private key, Tromer says, “takes merely seconds, and the measurements that are needed, of the actual cryptographic process being attacked, can be carried out in milliseconds.”

The encryption system that Tromer was attacking, called AES, was particularly vulnerable because it used tables of precalculated values as a computational short cut, so that encoding and decoding messages wouldn’t be prohibitively time consuming. Since Tromer and his colleagues published their results, Intel has added hardware support for AES to its chips, so that Internet encryption software won’t have to rely on such “lookup tables.”

In a statement, Intel told the MIT News Office that its decision “was mainly motivated by the performance/efficiency benefits achieved,” but that “in addition, there is a potential security benefit since these new instructions can mitigate the possibility of software side channel attacks on AES that have been described in research papers, including those discovered by Tromer, Percival, and Bernstein.”

“I think it’s fair to say that it’s a direct response to the cache-timing attacks against AES,” Pankaj Rohatgi, director of hardware security at the data security firm Cryptography Research, says of Intel’s move.

Together with CIS cofounder Ron Rivest and CSAIL’s Saman Amarasinghe, Tromer is trying to develop further techniques for thwarting cache attacks by disrupting the correlations between encryption keys and memory access patterns. A couple weeks ago, at the Association for Computing Machinery’s Symposium on Operating Systems Principles, the researchers announced that they had a “proof-of-concept prototype” of a defense system, but they plan to continue testing and refining it before publishing any papers.

Tromer has also been investigating whether cloud computing — the subcontracting of computational tasks to networked servers maintained by companies like Amazon and Google — is susceptible to cache attacks. Many web sites rely on cloud computing to handle sudden surges in their popularity: renting added server space for a few hours at a time can be much cheaper than maintaining large banks of proprietary servers that frequently stand idle.

The word “cloud” is supposed to suggest that this vast agglomeration of computing power is amorphous and constantly shifting, but Tromer and colleagues at the University of California, San Diego, were able to load their eavesdropping software onto precisely the same servers that were hosting websites they’d targeted in advance. In part, their approach involved spreading their software across a number of servers, then assailing a targeted website with traffic. By spying on the caches of the servers hosting their software, they could determine which were also trying to keep pace with their fake traffic spikes. Once they’d identified the target site’s servers, they could use cache monitoring to try to steal secrets.

“Imagine a stock broker that specializes in a specific company,” Tromer says. “If you observe that his virtual machine is particularly active, that could be valuable information. Or you may want to know how popular your competitors’ website is. We’ve actually demonstrated that we can very robustly estimate web server popularity.”

“This has sparked the imagination of both the research community and industry,” Rohatgi says. “I interact with a lot of people in industry, and when they say, ‘Give me the technical basis for this,’ I point to [Tromer and colleagues’] papers.”

Finally, Tromer is continuing work he began as a graduate student, on the use of a “hundred-dollar commodity microphone” to record the very sounds emitted by a computer and analyze them for information about cryptographic keys. So far, Tromer hasn’t been able to demonstrate complete key extraction, but he believes he’s getting close.

Any information at all about a computer’s internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”

Larry Hardesty, MIT News Office

Phishing