The Danger of Biometrics for Personal Use – Limited Legal Protection October 17, 2016Posted by Chris Mark in Uncategorized.
Tags: 4th amendment, 5th amendment, biometrics, Breach, Chris Mark, Data, fingerprint, hack, privacy, security
1 comment so far
I have never been a proponent of using Biometrics and have frequently made jokes about not wanting “the man” to have my finger prints. Well, it looks like my position may have been well founded.
Recently, it was reported in Forbes.com that on May 29th, 2016 the US Government had filed a motion for the court to require residence in a Lancaster, California home to provide their fingerprints to open an iPhone. More disturbingly, the motion called for: “authorization to depress the fingerprints and thumbprints of every person who is located at the SUBJECT PREMISES during the execution of the search and who is reasonably believed by law enforcement to be the user of a fingerprint sensor-enabled device that is located at the SUBJECT PREMISES and falls within the scope of the warrant.” In short, they didn’t just want the finger prints they wanted to force the residents to actually ‘use their finger’ to open the phone. The warrant was not available to the public, nor were other documents related to the case. Like many people, I asked “how can the courts do this?” It would seem to me like an invasion of privacy (among other things). Marina Medvin of Medvin law said: ““They want the ability to get a warrant on the assumption that they will learn more after they have a warrant. “Essentially, they are seeking to have the ability to convince people to comply by providing their fingerprints to law enforcement under the color of law – because of the fact that they already have a warrant. They want to leverage this warrant to induce compliance by people they decide are suspects later on. This would be an unbelievably audacious abuse of power if it were permitted.” Unfortunately, it was indeed permitted.
Is it legal? According to the article in Forbes:
“In past interpretations of the Fifth Amendment, suspects have not been compelled to hand over their passcode as it could amount to self-incrimination, but the same protections have not been afforded for people’s body data even if the eventual effect is the same. Citing a Supreme Court decision in Schmerber v. California, a 1966 case in which the police took a suspect’s blood without his consent, the government said self-incrimination protections would not apply to the use of a person’s “body as evidence when it may be material.”
It also cited Holt v. United States, a 1910 case, and United States v. Dionisio, a 1973 case, though it did point to more recent cases, including Virginia v. Baust, where the defendant was compelled to provide his fingerprint to unlock a device (though Baust did provide his biometric data, it failed to open the iPhone; after 48 hours of not using Touch ID or a reboot Apple asks for the code to be re-entered.).
As for the Fourth, the feds said protections against unreasonable searches did not stand up when “the taking of fingerprints is supported by reasonable suspicion,” citing 1985′s Hayes v. Florida. Other cases, dated well before the advent of smartphones, were used to justify any brief detention that would arise from forcing someone to open their device with a fingerprint.”
We do know that the warrant was served. It does appear that you cannot be forced to give up a passcode as it could amount to Self Incrimination under the 5th Amendment however you do not have the same protections for biometrics. This is another instance where the law has not kept pace with technology. For this reason, and others I will not use biometrics for personal security.
Tags: Cloud, CyberGhost, data breach, hack, Microsoft, OneDrive, privacy, security, VPN, WIFI, Windows 10
1 comment so far
Below is a guest post from CyberGhost on how to increase privacy on Windows 10. This is very timely and great advice!. I have upgraded to Windows 10 and really think it is a huge upgrade over Windows 8/8.1 but (there is always a but) there are some serious privacy concerns. (SERIOUS) Thanks to CyberGhost’s Silvana Demeter for providing this valuable info! BTW…I am very familiar with CyberGhost really like their products. Check them out!
“On July 29, Microsoft has released its new operating system, Windows 10, available globally in 190 countries. The new version offers new features and completes different gaps. Windows 10 is fluid and fast and its new browser Microsoft Edge might win back a lot of users being super-fast.
Some privacy related concerns appear though, one possible problem being that data such as contacts, calendar, mail, messages are transferred to Microsoft’s servers, creating a more detailed user’s profile. Another feature that is infringing one’s privacy is the advertising ID assigned to individuals that are later targeted with specifically tailored ads. Even encrypting the hard drive won’t make an improvement to the privacy since the keys are stored by default on OneDrive. These new settings and features are aimed at increasing productivity, as they make apps and operating system smarter.
In order to improve the future experience of its users, Microsoft uploads data on their servers. As stated in the Terms of Service, Microsoft has the right to share this data whenever it “has a good faith belief doing so is necessary to: 1.comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies; 2.protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone; 3.operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or 4.protect the rights or property of Microsoft, including enforcing the terms governing the use of the services.”
In addition, all these settings are ON by default and will remain enabled if not unchecked while installing or upgrading to Windows 10.
All the data used by the Microsoft account (@live.com, @outlook.com, @msn.com – necessary for most of the new features) is scanned by Microsoft’s services. The location or even the talks with Cortana (searches, reminders, notes, and actions) are also processed by Microsoft’s services: “We also share data with Microsoft-controlled affiliates and subsidiaries; with vendors working on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to maintain the security of our services; and to protect the rights or property of Microsoft.”
How to increase privacy on Windows 10
The Privacy settings can be managed by searching the term privacy in the start menu and most of the modules that send data to Microsoft can be disabled.
Below are some important features that can be changed to obtain more privacy:
- Disable advertiser ID: open the settings and search for “advertising;” open “Choose if apps can use your advertising ID” and disable the first option: “Let apps use my advertising ID for experiences across apps”
- Disable “…info about how I write” so that the text one types and writes with a stylus is not sent to Microsoft servers
- Disabling the Advertising ID in the “Privacy Settings.”
o “Let apps use my Advertising ID…” -> OFF
o “Send Microsoft info about how I write..” -> OFF
o “Location” -> OFF
- Speech, Inking, & typing: If all options are cleared, Cortana will also be disabled
Another new feature introduced by Windows 10 is “Wi-Fi Sense” – a feature that syncs all Wi-Fi passwords to the cloud and shares them with the contact list. Through this functionality, the PC will be able to exchange passwords and automatically connect to WIFI, even to unprotected hotspots. The “Wi-Fi Sense” feature can be disabled by accessing Settings, “Wi-Fi” and then “Change Wi-Fi Settings.” Lucian Crisan, Head of Support and QA at CyberGhost VPN and former Microsoft employee recommends this change in order to avoid man-in-the-middle attacks and phishing attempts.”
Getting into Information Assurance Careers June 2, 2015Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, CIPP, CISSP, Consulting, cybersecurity, InfoSec, privacy, SANS
1 comment so far
I have had a number of folks email me asking about becoming an InfoSec worker so I am writing this post to (hopefully) help those who are interested. In 2001, I landed in InfoSec by pure luck and I have never looked back. It is an amazing field and a great career path. First..for some marketing. According to the InfoSec Institute, the average CISSP Salary in 2014 is over $100,000 per year. In 2013 there were 209,000 job postings for CyberSecurity Jobs and it is estimated that in 2015, there are 40,000 more jobs than people to take them. In short, it is a very high demand field.
InfoSec? CyberSecurity? Information Assurance? WHAT?
It is even confusing to me sometimes. At a high level I use the term Information Assurance as it encompasses all of the elements of protecting data. This includes data security (protecting data), CyberSecurity (protecting the systems, and infrastructure), Privacy (appropriate use of information) and Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization). While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.
What types of Jobs are Out There? (more…)
Chris Mark @ AT&Ts #ChatDPD talking about Privacy July 8, 2014Posted by Chris Mark in Uncategorized.
Tags: #ChatDPD, AT&T, business, Chris Mark, privacy, security, small
add a comment
Join AT&T tomorrow (July 9th) at 3pm Eastern for an AT&T Small Business Twitter discussion where we will be answering questions related to privacy. You can tweet your questions in real time or follow us in real time at: https://twitter.com/hashtag/chatdpd?f=realtime I look forward to catching up on Twitter!
Tags: cybercrime, cybersecurity, data protection, data security, online privacy, privacy, VPN
add a comment
This article is written by Christopher Reynolds, head of business development at IVPN – a VPN service, and EFF member, dedicated to protecting users’ online privacy. I don’t often allow guest posts but Mr. Reynolds and IVPN have done a great job of providing valuable info. Certainly worth taking a look!
Online privacy is coming under increasing attack from governments around the world. Legislation such as CISPA in the US, the CCDP in the UK and Australia’s data retention proposals, have generated real worry among privacy-conscious internet users over our law enforcement’s desire to increase their powers of surveillance to unprecedented levels. This culture of fear is driving more and more people toward commercial Virtual Private Networks (VPNs), which promise to protect user data and offer online anonymity. But choosing a VPN that actually protects privacy is not straightforward. In this blog post I will go over the key issues you must consider before signing up to any VPN service.
The biggest issue when it comes to using a VPN in order to protect your privacy is data retention. Government surveillance is primarily facilitated by the data retention policies of your ISP. In Europe your ISP’s data retention policy is mandated by the EU Data Retention Directive, which forces all European ISPs to retain users’ personal information for between 6 months and 2 years after the user leaves the ISP’s service. This data includes web logs, which essentially means a record of every website you’ve visited and the times you visited them. The data your ISP holds won’t typically contain email logs – despite popular perception- unless you use your ISPs own email service. But it will include which third party email services you use and when you’ve used them. (more…)