Category Archives: Privacy

Law Enforcement v. End-to-End Encryption

In a post-Snowden world, there has been relatively more awareness of and interest in the right to privacy regarding digital communications, and in knowing when the government can snoop on personal conversations. A majority of the communications taking place today are digital and involve two crucial processes, i.e. encryption and decryption. Encryption (the conversion of information into a code) happens when a message/call is initiated. Correspondingly, decryption (the conversion of code back into useful information) happens when the message/call is received by the recipient. There are multiple nuances in this process, in both the technological aspect and the legal aspect.

For quite a while now, WhatsApp chat pages have shown the message – “Messages and chats are now protected with end-to-end encryption.” End-to-end encryption or E2EE (first used in a program called Pretty Good Privacy, by Phil Zimmermann in 1991) is a form of encryption that makes it improbable if not impossible to intercept a private conversation. Traditionally, there are 3 instances when a conversation can be intercepted – firstly, from the device of the sender before encryption, secondly, when the encoded information is in transmission and thirdly, from the device of the recipient after decryption.

The two ends, i.e. the sender and the recipient, stay vulnerable to unwanted physical access or hacking, but it’s the second instance where the majority of the snooping takes place. It is here that E2EE becomes useful for tech companies to bypass court orders and by extension protect user data. E2EE in the simplest of terms means that the two people communicating are the only ones who have the specific keys to decrypt each other’s messages, and any other person who intercepts such data will have nothing but an unintelligible code. While most communication apps or telecommunication providers have the decryption keys in their own servers, which grants them the ability to see or hear any conversation that passes through their servers, E2EE eliminates this obstacle by giving the keys to both individuals and not the service provider. Imagine the system as that of a letter-box: anyone can put in messages and lock it (public key) but only the intended recipient has the key to unlock his messages.

This effective bypassing of the service providers has both pros and cons to it. On one hand, it allows for greater freedom for expression of opinions and beliefs without the fear of any sanctions, while on the other hand it stops governments from carrying out intelligence activities vital for national security. The government, in ensuring the safety of its citizens, carries out covert operations such as surveillance, which enable it to intercept vital communications between suspects and which may lead to the stopping of a terrorist threat. The importance of such operations can be gauged from the fact that the latest attack in London included secure-device (encryption) communications between the terrorists and also that ISIS issued instructions for its followers on how to communicate through encrypted apps to plan attacks.

Privacy, however, is not the only lens through which encryption can be seen in a global setting; for example, the promotion and use of E2EE is seen as a human rights issue, as it furthers individual privacy and freedom of expression, which are two rights contained in the International Covenant on Civil and Political Rights (ICCPR). Yet UN reports like “The Right to Privacy in a Digital Age” and “The Promotion and Protection of the Right to Freedom of Opinion and Expression” expound on the idea that judicially ordered decryption is not violative of human rights and have laid down a three-part test to limit when a government can restrict encryption.

There is an intense debate about the curbing of powers of law enforcement authorities to gather information through court notices from service provider companies. This debate gained public light after the incident in Brazil, where Facebook had its assets frozen subsequent to its non-compliance with a court order to provide WhatsApp conversational information of a bank robbery gang, which Facebook couldn’t have provided even if it wanted to, as it had no means to do so after enabling E2EE. This incident, together with Apple’s refusal of the FBI’s request to decrypt the iPhone of the San Bernardino shooter and install a backdoor in its operating system for use by law enforcement, has prompted the UK government to take the issue one step further by enacting a new legislation for surveillance through equipment interference.

The intelligence gathering aspect of E2EE is marred by internal conflicts within the state itself, as the state needs such encryption tools to secure its own data but also resents them, as they make public surveillance harder. Hence, while promoting stronger encryption programs for state use, states limit their citizens’ ability to do the same. Certain states like Germany, meanwhile, encourage public use of E2EE to avert the covert intelligence gathering abilities of the FIVE EYES countries.

Another facet of this issue is the restrictions in the commercial and export area: profit-driven tech companies, in order to boost sales, promote E2EE (more popularity, more sales) and oppose state-imposed rules, as these would mean that they can import or build only those applications which allow third party access. Since every state strives for stronger encryption tools to protect its own data and deal with upcoming security threats, there are state-imposed regulations on the selling of such technology by tech companies to certain states for the purposes of national security and foreign policy goals.

A hypothetical solution to this problem of law enforcement and national security versus privacy can be the innovation of an internal system within the system of such service providing companies like WhatsApp. The internal system, when established would compare every number that tries to send a message with a blacklist (The numbers law enforcement wants to track with judicial approval). When a blacklisted number tries to send a message, the server can stop the E2EE services for the said number from that point onwards and the collected information can be stored in a separate database which can only be accessed by the company’s department handling judicial obligations.

Technology has and will continue to benefit us in ways that cannot be counted, but unaccountable use of such is also capable of great harm. The need for security more than privacy might result in a paradigm shift against rigid privacy laws as is prima facie seen in lawmakers of Florida after the Orlando attacks. It is the cooperation of law and technology together that will result in swifter disbursal of justice and achieve a balance between privacy security and public safety. The adoption of a system such as the one suggested above might be the first step to strike that balance between privacy and safety.

Cashless Societies: Causes for Concern

[Infographic: cashless society. Source: CNN]

The idea of a cashless society, i.e., ‘a civilization holding money, but without its most distinctive material representation – cash’, is said to have originated in the late 1960s. The transition to going cashless had been slow and steady, but it has picked up at a rapid pace over the last decade. As technology evolves, the shift from a cash-reliant to a cashless society is becoming more apparent. At least in urban society, using ‘contactless payments’ or ‘non-cash money’ is not unheard of. It has been reported that not only did the first debit card possibly hit the markets in the mid-1960s but that in 1990, debit cards were used in about 300 million transactions, showing the rise of the same in today’s society. Before welcoming this change with open arms, we must take care that we do not ignore the security and privacy concerns, some of which will be addressed in this article.

As we are transitioning from a cash-reliant society to a [quasi] cashless society, there are some fears about phones being hacked or stolen, or reliance placed on devices which require batteries or internet – what if either is not available? However, conversely, our cash or wallets could be stolen, destroyed in a matter of seconds, could be misplaced, etc. The only difference is the medium of transaction.

Fear is a factor which inhibits change, however these fears are usually not unfounded. In the year 2014, Target, the second-largest discount store retailer in the United States was hacked and up to 70 million customers were hit by a data breach. Furthermore, 2 years later, it was reported that roughly 3.2 million debit cards were compromised in India, affecting several banks such as SBI, ICICI, HDFC, etc.

Nevertheless, as pointed out earlier, just as financial details present online can be stolen, so can paper money. With each transaction taking place online, the fears of online fraud are present; however, Guri Melby of the Liberal (Venstre) party noted, “The opportunity for crime and fraud does not depend on what type of payment methods we have in society.” A mere shift in the means of trade will not eliminate such crimes. It is here that I must clarify that a cashless society could be in various forms and degrees, be it debit/credit cards, NFC payments, digital currencies such as bitcoin or even mobile transactions such as M-Pesa.

Bruce Schneier, cyber security expert and author of the best seller Data and Goliath, notes that the importance of privacy lies in protection from abuse of power. A hegemony of the authorities over our information – details [and means] of our every transaction – provides absolute power to the authorities and thus a much higher scope for abuse. Daniel Solove further notes that abuse of power by the Government could lead to distortion of data; however, even if we believe the government to be benevolent, we must consider that data breaches and hacks could (and do) occur.

Cash brings with it the double-edged sword of an anonymity that digital transactions do not provide. A completely cashless society might seem attractive in that each transaction can be traced and therefore possibly result in reduction of tax evasion or illicit and illegal activities; however, though that crime might cease to exist in that form, it could always evolve and manifest itself in some other form online.

One of the concerns raised in this regard is that the government could indefinitely hold or be in possession of our transaction history. This seems to be an innocent trade-off for the ease and convenience it provides. The issue that arises however, as Domagoj Sajter notes, is that every single citizen has become a potential criminal and a terrorist to the government, worthy of continuous and perpetual monitoring. The citizens become latent culprits whose guilt is implied, only waiting to be recorded and proven. The principle of innocent till proven guilty vanishes in the mind of the government.

Furthermore, a completely cashless society places power with the Government with no checks and balances of the same. Advanced technology could disable funding of mass actions, extensive protests and large-scale civil disobediences, all of which are important traits of democratic processes. It is pertinent to remember that Martin Luther King Jr. was tracked by the FBI. Providing the government with more ease in curtailing democratic processes leads to a more autocratic governance.

Consider the following: an individual finds out that the Government or one of its agencies is committing a crime against humanity, and she reports it to the public. Not only could her personal life be excavated to find faults but any support that she would receive in terms of money (in a cashless society) could possibly be blocked by the Government. Minor faults could be listed and propaganda could be spread to discredit her point or deviate the masses’ attention. By controlling the economy, they could wring the arms of the media and force them to not focus on or to ignore the issues raised by her.

Michael Snyder also raises an important point about erasure of autonomy in a cashless society, “Just imagine a world where you could not buy, sell, get a job or open a bank account without participating in ‘the system’”. It need not start with forcing people to opt in; simply providing benefits in some form could indirectly give people no choice but to opt in. The Supreme Court of India has noted multiple times that the Aadhaar card (a biometric identity card) cannot be made compulsory. However, the Aadhaar card has been made mandatory to avail EPF Pension Schemes, LPG Benefits and even for IIT JEE 2017. The Government of India is even mulling making the Aadhaar number mandatory for filing of income tax (I-T) and linking all bank accounts to the unique identity number by the end of this financial year. The government is concurrently working on developing a common mobile phone app that can be used by shopkeepers and merchants for receiving Aadhaar-enabled payments, bypassing credit and debit cards and further moving to cashless transactions. The Aadhaar-enabled payment system (AEPS) is a biometric way of making payments, using only the fingerprint linked to Aadhaar. These are all part of the measures taken by the Indian government to brute force the Indian economy into a cashless form.

Policing of the citizen is not a purely hypothetical scenario; it has already taken place in the past. In 2010, a blockade was imposed by Bank of America, VISA, MasterCard and PayPal on WikiLeaks. In 2014, Eden Alexander started a crowdfunding campaign hoping to cover her medical expenses, but later, the campaign was shut down and the payments were frozen; the cause being that she was a porn actress. We must also take into account the empowerment that cash provides; consider an individual saving cash from their alcoholic or abusive spouse, or the individual who stuffs spare notes under her mattress for years because it gives her a sense of autonomy. We should take care that in seeking development, we do not disempower the downtrodden, but lift them up with us.

The idea of a cashless society is no longer strange, with multiple corporations and even countries having expressed their interest in going cashless. Harvard economist and former chief economist of the IMF, Kenneth Rogoff, in his Case Against Cash argues that a less-cash society [in contradistinction to a cash-less society] could possibly reduce economic crime; he suggests in the same article that this could be executed by a gradual phasing out of larger notes. A cashless or less-cash society is inevitable. In Sweden, cash transactions made up barely 2% of the value of all payments made. The question thus is not about when [it will happen] but what safeguards we set up to protect our rights.

For further reading:

1] Melissa Farmer: Data Security In A Cashless Society

https://www.academia.edu/12799515/Data_Security_In_A_Cashless_Society

2] David Naylor, Matthew K. Mukerjee and Peter Steenkiste: Balancing Accountability and Privacy in the Network

https://www.cs.cmu.edu/~dnaylor/APIP.pdf

3] Who would actually benefit from a Cashless Society?

https://geopolitics.co/2016/01/30/who-would-benefit-from-a-cashless-society/

4] Anne Bouverot: Banking the unbanked: The mobile money revolution

http://edition.cnn.com/2014/11/06/opinion/banking-the-unbanked-mobile-money/index.html

5] Kenneth Rogoff: Costs and benefits to phasing out paper currency

http://scholar.harvard.edu/files/rogoff/files/c13431.pdf

Encryption and the extent of privacy

Ed. Note.: This post, by Benjamin Vanlalvena, is a part of the NALSAR Tech Law Forum Editorial Test 2016.

A background of the issue

On December 2, 2015, 14 people were killed and 22 were seriously injured in a terrorist attack at the Inland Regional Center in San Bernardino, California, which consisted of a mass shooting and an attempted bombing. The FBI announced on February 9, 2016 that it was unable to unlock the iPhone used by one of the shooters, Farook. The FBI initially asked the NSA to break into the iPhone but the issue was not resolved, and it therefore asked Apple to create a version of the phone’s operating system to disable the security features on that phone.

Apple, however, refused, which led to the Department of Justice applying to a United States Magistrate judge, who issued a court order requiring Apple to create and provide the requested software. Apple was given until 26th February, 2016 to respond to the order. Apple, however, announced its intention to oppose the order. The Department of Justice in response filed a new application to compel Apple to comply with the order. It was revealed that they had discussed methods to access the data in January; however, a mistake by the investigating agencies ruled out that method. On March 28, the FBI announced that it had unlocked the phone and withdrew the suit.

The dilemma

Privacy is a recognised fundamental right under Article 17 of the International Covenant on Civil and Political Rights and Article 12 of the Universal Declaration of Human Rights.

Encryption is a process through which one encodes or secures a message or data to make the content readable only by an authorized party or by someone who has the decryption key. Apple claims that it does not perform data extractions as the ‘files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess.’ This, according to the FBI Director, James Comey, is a cause for concern as it means that even with a court order, the contents inside the devices of all kinds of criminals would not be accessible. Having a backdoor or ‘golden key’ is slightly [though not totally] different from mass surveillance, as agencies would have the capability to access data stored in devices, as compared to a constant monitoring of data. It’s no longer a matter of constant surveillance but the potentiality of other non-governmental persons gaining access through some illegitimate means. The major contention is that there is an assumption either that those who have access to the key are ‘good people’ who have our interests in mind, or that the backdoor would only be accessible by the government. The Washington Post reported that the FBI had (after failing to get Apple to comply) paid professional hackers to assist them in cracking the San Bernardino terrorist’s phone. This itself is a cause of concern as it is proof of vulnerabilities existing in our phones, which are seemingly secure.

Data that is encrypted cannot be considered to be totally secure if there is some party which has a means to bypass said encryption. The FBI’s request is therefore problematic as it gives it a backdoor to the data, which would be a vulnerability that affects all users. One should bear in mind that the trade of such ‘zero-day vulnerabilities’ is not something unheard of, and the NSA or FBI having such tools which keep our data secure is problematic as such tools could end up in the hands of hackers or be leaked. One of the most hard-hitting points raised is the issue of national interest: that terrorists or paedophiles use encryption and that it is a “safe space” for them. However, the creation of a backdoor, according to the former NSA chief, Michael Hayden, would be futile as terrorists would be making their own apps based on open-source software; the presence of a backdoor would simply make innocent persons less secure and vulnerable to people who would be taking advantage of such backdoors.

While the intention of the agencies might be good or in the interests of the public, one should keep in mind that once a backdoor is provided, not only is this a dangerous precedent but the danger of such an encryption leaking and affecting the lives of common persons is huge.

For more information, visit:

https://tcf.org/content/commentary/weve-apple-encryption-debate-nothing-new/

https://www.aclu.org/feature/community-control-over-police-surveillance

https://www.ctc.usma.edu/posts/how-terrorists-use-encryption

https://www.youtube.com/watch?v=peAkiNu8mHY

https://www.youtube.com/watch?v=DZz86r-AGjI

GCHQ Mass Surveillance in Violation of Human Rights

For the first time since the Investigatory Powers Tribunal’s (IPT) establishment in 2000, a complaint against a UK intelligence agency has been upheld. The IPT, which oversees Britain’s secret agencies, is one of its most secretive and deferential courts. In a judgment last week, the IPT announced that the intelligence-sharing rules between the United States National Security Agency (NSA) and its British equivalent Government Communications Headquarters (GCHQ) governing the exchange of information collected through ‘mass surveillance of internet communications’ were against UK human rights law.

The tribunal ruled that “the regime governing the soliciting, receiving, storing and transmitting by UK authorities of private communications of individuals located in the UK, which have been obtained by US authorities … contravened Articles 8 or 10 [of the European Convention of Human Rights]”. Article 8 of the European Convention on Human Rights (ECHR) confers the right to respect for private and family life and Article 10 of the ECHR confers the right to freedom of expression.

The security agency’s access to information obtained by the United States National Security Agency (NSA) was held to be illegal for at least the last seven years, beginning with the introduction of the PRISM intercept programme in 2007.

In this case, UK’s mass surveillance techniques were challenged by Human Rights groups including Liberty and Privacy International with concerns regarding the information acquiring practices of the GCHQ and the NSA having been raised.

Contesting the significance of the decision, a GCHQ spokesperson described the IPT’s decision as affecting only a small area of its information collection regime. And this claim, sadly, rings true. The tribunal in this judgment upheld the legality of the current intelligence sharing operation between the US and the UK, having noted that the UK’s bulk interception regime contains adequate procedural safeguards, thus following the court’s assertion of the lawfulness of the intelligence sharing programme in a previous judgment in December 2014. It is only the previous procedures that have been declared illegal, though that admittedly covers a considerable span. Some of the secrecy surrounding the regime having been declared unlawful, some amount of detail regarding the rules, processes and safeguards in the regime has, by necessity, been brought into the public domain.

The extent of the information sharing operation was revealed from documents provided by NSA whistleblower Edward Snowden. While most of the outrage generated by Snowden’s released documents has been focused on the NSA, the GCHQ has reportedly been even more flagrant in its activities.

The GCHQ has long sought protection in the nature of its activities. However, the ruling, in what is arguably the most crucial step, suggests that an increase in public understanding and knowledge regarding the work carried out by the GCHQ will now be needed. In their defence, the agencies make a distinction between intrusive “mass surveillance”, which they insist they don’t indulge in, and “bulk interception” of electronic communications, which they deem necessary in pursuit of terrorist or criminal activity. The legal director for Liberty, one of the plaintiffs, claimed that by keeping the public in the dark about its programmes, the GCHQ acted in violation of human rights and the disclosure of its activities forced by the claimants deemed them lawful.

However, the dissatisfaction with the tribunal’s belief that the limited safeguards are an adequate protection of citizens’ privacy in relation to the unfettered power the GCHQ possesses over private communications is likely to culminate in an appeal before the European Court of Human Rights.

‘Skirting’ the Law, Part I

(Image Source: https://flic.kr/p/6LUL9s)
This is the first in a two-part series by Deepthi Bavirisetty on the law on upskirt photography in USA, Japan and India. Deepthi is a 4th Year Law student at the National University of Juridical Sciences (NUJS), Calcutta. She is extremely interested in the intersection between gender and technology. She has previously authored a paper on Revenge Porn.

 ‘Upskirt’ photography, as the term suggests, refers to the voyeuristic practice of covertly taking pictures of women under their clothing without their consent or knowledge. These pictures, labeled ‘creepshots’, are generally pictures of a woman’s private areas. They are then widely disseminated via the internet, infamously through sites such as Reddit and 4chan.

In 2014, the legality of upskirt photography was brought into question before the US Courts across three different jurisdictions – Washington DC, Massachusetts and Texas. The first part of this post addresses the American perspective on the issue. It seeks to illustrate how America would rather err on the side of caution and permit the morally reprehensible acts of upskirt photography than curtail free speech. The second portion of the post looks into the Japanese perspective on creepshots, which is the polar opposite. Japan prioritizes women’s safety above free speech concerns. This portion of the post also looks into the curious phenomenon of cellphone manufacturers taking law into their own hands to regulate upskirt photography. I argue that this is a classic example of Lessig’s adage ‘code is law, law is code’. I conclude by extrapolating where India lies on the legal spectrum with regard to regulating upskirt photography.

‘Skirting’ the Law, Part II

(Image Source: https://flic.kr/p/6LUL9s)
This is the second in a two-part series by Deepthi Bavirisetty on the law of upskirt photography in USA, Japan and India – this part deals with Japan and India. The first part is available here.

Japan

1. Anti-Nuisance Ordinance

Japan has enacted an Anti Nuisance Ordinance to curtail upskirt photography or “panchira” as it is locally called. In 2008, the Japanese Supreme Court punished a man under this ordinance. The man was found to have taken 11 pictures of the woman’s butt/hip region. It is to be noted that the woman in the photograph was wearing all her clothes. Subsequently, in 2011 a man was arrested for taking pictures of a fully clothed woman sleeping on a train.

Facebook’s Acquisitions: A Before and After Comparison of Privacy

For Facebook, it has never been about the profit, but the users. The social network has spent more than $22 billion on acquisitions, which includes $19 billion on WhatsApp exclusively! That is 2000 times the annual revenue of WhatsApp! Other popular acquisitions include Instagram ($1 billion), Oculus ($2 billion) and Atlas ($100 million). With recent psychological experiments conducted by Facebook on its unsuspecting users coming to surface, it becomes imperative to understand how our information is being collected, stored or used. In this blog post, I have tried to analyze the privacy policies (before and after) of three of Facebook’s major acquisitions – Instagram, Moves and WhatsApp.

Privacy on Facebook: An Absolute Prerequisite

[Image Source: http://flic.kr/p/86Q3gF]

Social networking websites have taken the Internet by storm in today’s organic society. One such website, Facebook, with over a billion users has often been referred to as the ‘third largest country’ of the world. The rise of Facebook to soaring heights can be credited to first, the intensive monitoring of its users which enables the company to provide them tailor made services, targeted advertising and second, of course to Metcalfe’s Law, which in common parlance means that the more users there are on a social networking site, the more attractive it will be to people who are contemplating joining. In this blog post, I have tried to analyze Facebook’s privacy policies along the lines of the National Privacy Principles. These principles have been comprehensively dealt with by Justice A.P. Shah in his ‘Report on Privacy’, published by the Planning Commission of India. They also closely tie to Organization for Economic Co-operation and Development (OECD)’s Privacy Principles and European Union’s Data Protection Directives.

Apple Watch, Google GLASS, and Other Wearables: A Privacy Nightmare?

(Image Source: http://goo.gl/oA6W42)

This post talks about the new challenges that are faced by the legal system with the coming of the new wearable technology that is available to the public. Practical situations are examined and the law is scrutinized with respect to the changes required to bring it up to speed.

Of Facebook and Privacy – Part I: The Constitutional and Tortious Facets

(Image Source: opensource.com, https://flic.kr/p/84VZAr)

The following post by Samyak Sibasish is the first in a series of posts analysing the effects of Social Media, specifically Facebook, on Privacy. This post focuses on the constitutional and tortious dimensions of the issue, while the next one will focus on the contractual aspects of it. Samyak is a 3rd year student at NUJS, Kolkata. Apart from being interested in cricket and politics, he spends his time reading on law and justice systems, more specifically caste. Additionally, being a social media freak, he likes to research the curious myriad ways the world of social media interacts with the laws that govern it.

Of late, it has been confirmed by media that Facebook has seen a meteoric rise in its number of users over the past decade and if bracketed as a nation, it can be the fourth most populated nation in the world. It is but pertinent to examine how protected is users’ privacy on a social networking forum like Facebook.