Advanced Search
Content Type: Advocacy
We are responding to the UK Government's consultation to expand its powers around Technical Capabilities Notices and National Security Notices.
Background
Following Edward Snowden's revelations about the illegal and expansive secret powers of the US and UK intelligence agencies, the UK Government took the opportunity to, rather than reflect on what powers are proportionate in the modern era, to expand its arsenal of surveillance powers.
One of the powers it added was the ability to issue…
Content Type: Long Read
What if your boss was an algorithm? What would you do if your employer suddenly fired you or reduced your pay without telling you why? And without being willing to give you a reason when you ask for one?
This is not science fiction or some far-fetched reality. Millions of people worldwide are working in the gig economy sector for companies like Uber, Deliveroo, Bolt, Just Eat… And this could be the future of work for people working outside the gig economy, as surveillance technologies are…
Content Type: Video
Update: Pa has since won a settlement from UberPlease note the views expressed in the video are interviewee's own and do not necessarily reflect the views of PI.Pa used to work for Uber. After some time, Uber started asking him to submit a picture of himself to the platform to confirm it was indeed him who had completed the job. However, with time, the frequency of the requests increased. In the beginning, the requests for a picture only happened once a week, but as time went by Pa told us that…
Content Type: News & Analysis
Today, the UK High Court has quashed a decision by the Investigatory Powers Tribunal (IPT) and held that section 5 of the Intelligence Services Act (ISA) 1994 does not permit the issue of general warrants to authorise property interference and certain forms of computer hacking.
The Court referred to cases dating back to the 18th century, which demonstrate the common law’s insistence that the Government cannot search private premises without lawful authority even in the national security…
Content Type: Press release
Today, the UK High Court has quashed a decision by the Investigatory Powers Tribunal (IPT), and ruled that section 5 of the Intelligence Services Act (ISA) 1994 does not permit the issuing of general warrants to authorise property interference and certain forms of computer hacking.
The Court referred to cases dating back to the 18th century, which demonstrate the common law’s insistence that the Government cannot search private premises without lawful authority even in the context of national…
Content Type: News & Analysis
Samsung has announced that the company will commit to providing major software updates for three generations of the Android operating system, but only for its flagship models: the S10, S20, Note 10 and Note 20.
From our reading of the available information, this means that these models will be getting support, including the latest operating system, features and security updates, for three years (as new Android operating systems are released every year).
While this is welcome news, it only…
Content Type: Examples
Many of the steps suggested in a draft programme for China-style mass surveillance in the US are being promoted and implemented as part of the government’s response to the pandemic, perhaps due to the overlap of membership between the National Security Commission on Artificial Intelligence, the body that drafted the programme, and the advisory task forces charged with guiding the government’s plans to reopen the economy. The draft, obtained by EPIC in a FOIA request, is aimed at ensuring that…
Content Type: Examples
Academics have disclosed today a new vulnerability in the Bluetooth wireless protocol, broadly used to interconnect modern devices, such as smartphones, tablets, laptops, and smart IoT devices.
The vulnerability, codenamed BIAS (Bluetooth Impersonation AttackS), impacts the classic version of the Bluetooth protocol, also known as Basic Rate / Enhanced Data Rate, Bluetooth BR/EDR, or just Bluetooth Classic.
The BIAS attack
The BIAS security flaw resides in how devices handle the link key,…
Content Type: Long Read
This week saw the release of a coronavirus tracking app within the United Kingdom, initially to be trialled in the Isle of Wight. Privacy International has been following this closely, along with other ‘track and trace’ apps like those seen in over 30 other countries.
The UK’s app is no different. It is a small part of a public health response to this pandemic. As with all the other apps, it is vital that it be integrated with a comprehensive healthcare response, prioritise people, and…
Content Type: News & Analysis
A few weeks ago, its name would probably have been unknown to you. Amidst the covid-19 crisis and the lockdown it caused, Zoom has suddenly become the go-to tool for video chat and conference calling, whether it’s a business meeting, a drink with friends, or a much needed moment with your family. This intense rise in use has been financially good to the company, but it also came with a hefty toll on its image and serious scrutiny on its privacy and security practices.
While Zoom already had a…
Content Type: Examples
The whistleblower said they were unable to find any legitimate reason for the high volume of the requests for location information. “There is no other explanation, no other technical reason to do this. Saudi Arabia is weaponising mobile technologies,” the whistleblower claimed.
The data leaked by the whistleblower was also seen by telecommunications and security experts, who confirmed they too believed it was indicative of a surveillance campaign by Saudi Arabia.
The data shows requests for…
Content Type: Examples
Bluetooth utilizes a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices. The ECDH key pair consists of a private and a public key, and the public keys are exchanged to produce a shared pairing key. The devices must also agree on the elliptic curve parameters being used. Previous work on the "Invalid Curve Attack" showed that the ECDH parameters are not always validated before being used in computing the resulted…
Content Type: Examples
“The BlueBorne attack vector requires no user interaction, is compatible to all software versions, and does not require any preconditions or configurations aside of the Bluetooth being active,” warned the researchers.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” they added.
“This means a Bluetooth connection can be established without pairing the devices at all.…
Content Type: Examples
An engineering and computer science professor and his team from The Ohio State University discovered a design flaw in low-powered Bluetooth devices that leaves them susceptible to hacking.
Zhiqiang Lin, associate professor of computer science and engineering at the university, found the commonly used Bluetooth Low Energy devices, such as fitness trackers and smart speakers, are vulnerable when they communicate with their associated apps on the owner’s mobile phone.
"There is a fundamental…
Content Type: Explainer
In a scramble to track, and thereby stem the flow of, new cases of Covid-19, Governments around the world are rushing to track the locations of their populace. One way to do this is to write a smartphone app which uses Bluetooth technology, and encourage (or mandate) that individuals download and use the app. We have seen such examples in Singapore and emerging plans in the UK.
Apps that use Bluetooth are just one way to track location. There are several different technologies in a smartphone…
Content Type: Long Read
The pressing need to fix our cybersecurity (mis)understandings
Despite all the efforts made so far by different, cybersecurity remains a disputed concept. Some states are still approving cybersecurity laws as an excuse to increase their surveillance powers. Despite cybersecurity and cybercrime being different concepts, the confusion between them and the broad application of criminal statutes is still leading to the criminalise legitimate behaviour.
All of this represents a sizable challenge…
Content Type: Long Read
[Photo credit: Images Money]
The global counter-terrorism agenda is driven by a group of powerful governments and industry with a vested political and economic interest in pushing for security solutions that increasingly rely on surveillance technologies at the expenses of human rights.
To facilitate the adoption of these measures, a plethora of bodies, groups and networks of governments and other interested private stakeholders develop norms, standards and ‘good practices’ which often end up…
Content Type: Long Read
In this piece we examine mobile phone extraction, relying on publicly available information and Privacy International’s experience from conducting mobile phone extraction using a Cellebrite UFED Touch 2. We welcome input from experts in the field. This is a rapidly developing area. Just as new security features are announced for phones, so too new methods to extract data are found.
[All references can be found in the pdf version below.]
General explanation of mobile phone…
Content Type: News & Analysis
A new UK Times report claims that “WhatsApp, Facebook and other social media platforms will be forced to disclose encrypted messages from suspected terrorists, paedophiles and other serious criminals under a new treaty between the UK and the US.”
Several other media outlets have followed up on the report, with headlines such as “UK and US set to sign treaty allowing UK police ‘back door’ access to WhatsApp and other ‘end to end encrypted’ messaging platforms”.
While the…
Content Type: Examples
The Lumi by Pampers nappies will track a child's urine (not bowel movements) and comes with an app that helps you "Track just about everything". The activity sensor that is placed on the nappy also tracks a baby's sleep.
Concerns over security and privacy have been raised, given baby monitors can be susceptible to hackers and any app that holds personal information could potentially expose that information.
Experts say the concept could be helpful to some parents but that there…
Content Type: Long Read
Details of case:
R (on the application of Privacy International) (Appellant) v Investigatory Powers Tribunal and others (Respondents)
[2019] UKSC 22
15 May 2019
The judgment
What two questions was the Supreme Court asked to answer?
Whether section 67(8) of RIPA 2000 “ousts” the supervisory jurisdiction of the High Court to quash a judgment of the Investigatory Powers Tribunal for error of law?
Whether, and, if so, in accordance with what principles, Parliament may by…
Content Type: Examples
In August 2018, banks and merchants had begun tracking the physical movements users make with input devices - keyboard, mouse, finger swipes - to aid in blocking automated attacks and suspicious transactions. In some cases, however, sites are amassing tens of millions of identifying "behavioural biometrics" profiles. Users can't tell when the data is being collected. With passwords and other personal information used to secure financial accounts under constant threat from data breaches, this…
Content Type: Examples
In October 2018, researcher Johannes Eichstaedt led a project to study how the words people use on social media reflect their underlying psychological state. Working with 1,200 patients at a Philadelphia emergency department, 114 of whom had a depression diagnosis, Eichstaedt's group studied their EMRs and up to seven years of their Facebook posts. Matching every person with a depressive diagnosis with five who did not, to mimic the distribution of depression in the population at large, from…
Content Type: Examples
In 2018, economists Marianne Bertrand and Emir Kamenica at the University of Chicago Booth School of Business showed that national divisions are so entrenched that details of what Americans buy, do, and watch can be used to predict, sometimes with more than 90% accuracy, their politics, race, income, education, and gender. In a paper published by the National Bureau of Economic Research, the economists taught machine algorithms to detect patterns in decades of responses to three long-running…
Content Type: Examples
In 2017, Britain's' two biggest supermarkets, Tesco and Sainsbury's, which jointly cover 45% of the UK's grocery market, announced they would offer discounts on car and home insurance based on customers' shopping habits. For example, based on data from its Nectar card loyalty scheme, Sainsbury's associates reliable, predictable patterns of visits to stores with safer and more cautious driving, and therefore offers those individuals cheaper insurance. For some products, Sainsbury's also mines…
Content Type: Examples
In 2018, based on an analysis of 270,000 purchases between October 2015 and December 2016 on a German ecommerce site that sells furniture on credit, researchers at the National Bureau of Economic Research found that variables such as the type of device could be used to estimate the likelihood that a purchaser would default. The difference in rates of default between users of iOS and Android was about the same as the difference between a median FICO credit score and the 80th percentile of FICO…
Content Type: News & Analysis
Campaigners are today calling for urgent action to allow Palestinians to develop an independent telecommunications infrastructure following the release of a report detailing how the Israeli government exerts its existing control to rule and monitor the online lives of Palestinian people.
‘Connection Interrupted’, produced by Privacy International partner organisation 7amleh, describes how the Israeli government restricts key telecommunications infrastructure in Palestine,…
Content Type: Examples
In July 2018, Dutch researcher Foeke Postma discovered that Polar, the manufacturer of the world's first wireless heart rate monitor manufacturer, was exposing the heart rates, routes, dates, times, duration, and pace of exercises performed by individuals at military sites and at their homes via its social platform, Polar Flow. Polar placed these individuals at particular risk by showing all the exercises a particular individual has completed since 2014 on a single global map. Postma was able…
Content Type: Examples
In June 2018, Uber filed a US patent application for technology intended to help the company identify drunk riders by comparing data from new ride requests to past requests made by the same user. Conclusions drawn from data such as the number of typos or the angle at which the rider is holding the phone would determine which, if any, driver they were matched with. What plans the company may have for the technology is unknown; however, critics expressed concerns that it could deter prospective…
Content Type: Examples
In April 2018, the Austrian cabinet agreed on legislation that required asylum seekers would be forced to hand over their mobile devices to allow authorities to check their identities and origins. If they have been found to have entered another EU country first, under the Dublin regulation, they can be sent back there. The number of asylum seekers has dropped substantially since 2016, when measures were taken to close the Balkan route. The bill, which must pass Parliament, also allows the…