Archive for August, 2013

The Face Scan Arrives

WASHINGTON — THE future of technological surveillance is fast approaching — and we are doing far too little to prepare ourselves.

Last week, thanks in part to documents that I and the Electronic Privacy Information Center obtained under the Freedom of Information Act, the American public learned that the Department of Homeland Security is making considerable progress on a computerized tool called the Biometric Optical Surveillance System. The system, if completed, will use video cameras to scan people in public (or will be fed images of people from other sources) and then identify individuals by their faces, presumably by cross-referencing databases of driver’s license photos, mug shots or other facial images cataloged by name.

While this sort of technology may have benefits for law enforcement (recall that the suspects in the Boston Marathon bombings were identified with help from camera footage), it also invites abuse. Imagine how easy it would be, in a society increasingly videotaped and monitored on closed-circuit television, for the authorities to identify antiwar protesters or Tea Party marchers and open dossiers on them, or for officials to track the public movements of ex-lovers or rivals. “Mission creep” often turns crime-fighting programs into instruments of abuse.

At the moment, there is little to no regulation or legal oversight of technologies like the Biometric Optical Surveillance System. We need to implement safeguards to protect our civil liberties — in particular, our expectation of some degree of anonymity in public.

The Department of Homeland Security is not the only agency developing facial-surveillance capacities. The Federal Bureau of Investigation has spent more than $1 billion on its Next Generation Identification program, which includes facial-recognition technology. This technology is expected to be deployed as early as next year and to contain at least 12 million searchable photos. The bureau has partnerships with at least seven states that give the agency access to facial-recognition-enabled databases of driver’s license photos.

State agencies are also participating in this technological revolution, though not yet using video cameras. On Monday, Ohio’s attorney general, Mike DeWine, confirmed reports that law enforcement officers in his state, without public notice, had deployed facial-recognition software on its driver’s license photo database, ostensibly to identify criminal suspects.

A total of 37 states have enabled facial-recognition software to search driver’s license photos, and only 11 have protections in place to limit access to such technologies by the authorities.

Defenders of this technology will say that no one has a legitimate expectation of privacy in public. But as surveillance technology improves, the distinction between public spaces and private spaces becomes less meaningful. There is a vast difference between a law enforcement officer’s sifting through thousands of hours of video footage in search of a person of interest, and his using software to instantly locate that person anywhere, at any time.

A person in public may have no reasonable expectation of privacy at any given moment, but he certainly has a reasonable expectation that the totality of his movements will not be effortlessly tracked and analyzed by law enforcement without probable cause. Such tracking, as the federal appellate judge Douglas H. Ginsburg once ruled, impermissibly “reveals an intimate picture of the subject’s life that he expects no one to have — short perhaps of his wife.”

Before the advent of these new technologies, time and effort created effective barriers to surveillance abuse. But those barriers are now being removed. They must be rebuilt in the law.

Two policies are necessary. First, facial-recognition databases should be populated only with images of known terrorists and convicted felons. Driver’s license photos and other images of “ordinary” people should never be included in a facial-recognition database without the knowledge and consent of the public.

Second, access to databases should be limited and monitored. Officers should be given access only after a court grants a warrant. The access should be tracked and audited. The authorities should have to publicly report what databases are being mined and provide aggregate numbers on how often they are used.

We cannot leave it to law enforcement agencies to determine, behind closed doors, how these databases are used. With the right safeguards, facial-recognition technology can be employed effectively without sacrificing essential liberties.

View Source

The Glendale Unified School District in Southern California outsources keeping tabs on troublemakers as well as identifying kids in trouble. At least these are its justifications.

Safety has rather become the mantra of authorities over the last few years.

Government exists, so we’re told, to keep the people safe. As opposed to, say, happy, employed, strong, proud or free.

A school district in Southern California is also committed to the safety of its kids. And, given that social media sites are where kids are at these days, it’s decided to keep tabs on every single public post its kids are making.

Naturally, the Glendale Unified School District doesn’t have the time to do this itself. So it’s hired an outside company to do its tab-keeping for it.

As CBS Los Angeles reports, the district chose Geo Listening, a company that specializes in following kids’ Facebook, Twitter, Instagram, and YouTube feeds.

“The whole purpose is student safety,” the district’s superintendent Richard Sheehan told CBS.

So every single piece of social blurting is now being watched by Big Geo.

Sheehan explained that the system works by looking for keywords. He gave examples of how potentially suicidal kids have been the subject of interventions thanks to the system.

Some, though, might feel a touch chilled by his description of the system’s breadth.

“We do monitor on and off campus, but we do pay attention during school hours. We do pay more attention to the school computers,” he said.

In legal terms, any public posting is fair game. The Geo Listening Web site helpfully explains: “The students we can help are already asking for you. All of the individual posts we monitor on social media networks are already made public by the students themselves. Therefore, no privacy is violated.”

Every single public posting made by every one of the district’s 13,000 students is being monitored, although the company insists it doesn’t peek at “privatized pages, SMS, MMS, email, phone calls, voicemails.”

Geo Listening says that its role is to provide “timely” information, so that a school can act, whether it’s a case of bullying, potential self-harm, vandalism, substance abuse or truancy.

However, the company is surely able to build up a huge trove of information about all individuals which, at least theoretically, might prove to be valuable (to someone) in the future.

What lazy, neurotic employer wouldn’t love to know if a potential hire was a school bully a few years ago? Might the employer be able to contact the school district and demand a record of all social media activity that took place in a potential employee’s youth?

When kids grow up, there will be parts of their lives they want to erase. Yet here will be records that keep that past alive.

The twin-pronged fork of surveillance is currently being examined for the potential of its worth.

The problem is that, ultimately, there are no guarantees — be it Google, the NSA or Geo Listening — about what information is actually being collected and how it might be used.

Why do you think that kids (and Wall Street) are so enamored with Snapchat?

View Source

Scamming Nuns Con Artist Gets His Due

There’s no limit to how low con artists will go to swindle victims out of their money—often targeting the elderly, the terminally ill, homeowners on the brink of losing their homes, even the lonely looking for companionship online.

Here’s another category of victims to add to that list: members of religious communities who spend their lives tending to the sick and the poor.

Earlier this month, a New Jersey man was sentenced to 18 years in prison for defrauding members of the Puerto Rico-based Dominican Sisters of the Rosary of Fatima and others of more than a million dollars. He was also ordered to pay $1 million in restitution to his victims.

The scheme began back in 2009, when Adriano Sotomayor—born in Puerto Rico—obtained names and telephone numbers of certain Roman Catholic nuns and priests on the island…including an elderly nun from the Sisters of Fatima. Claiming to be a New Jersey priest, he called and said a deceased member of his parish community had named her the beneficiary of a $2.1 million estate. Sotomayor also told the nun that before receiving her funds, she had to wire money to the company handling the will—a New Jersey-based business called Flex Account—to cover various taxes, processing, and legal fees.

Of course, none of it was true. There was no deceased parishioner, no will, and no company called Flex Account. It was simply a con man working an angle. Unfortunately, it was believable enough to the nun, and the Sisters of Fatima thought they could use the money from the will to develop a religious community in Haiti.

There was just one problem…the nun had little money of her own and couldn’t afford all the advance fees. So she borrowed money from Sisters of Fatima members, family, and friends in Puerto Rico and Pennsylvania (where the sisters also had a presence), then wired the money—per Sotomayor’s instructions—to various locations in the Atlantic City area. Many of the transfers went to casinos—Sotomayor was known to be a gambler—and were picked up by individuals working for him. And the nun gave the wiring instructions to her acquaintances willing to loan her money; they in turn sent their shares to those same places.

Turns out, it wasn’t enough. Soon, Sotomayor began telling the nun that there were problems with the will, including a legal challenge by the deceased’s son, and additional money was needed to avoid lawsuits. He threatened her with media attention and law enforcement action if she didn’t send more money.

In an effort to expand the scheme even further, Sotomayor contacted individuals who had already wired money on behalf of the nun and told them if they sent additional money, they could get a portion of the will proceeds themselves.

But eventually the FBI—after receiving a complaint about a possible fraud scheme victimizing nuns and others—was able to uncover the breadth of the scheme and identified Adriano Sotomayor as the man behind it. Though he fled the day after being indicted, the FBI captured him in Las Vegas.

The most important lesson to be learned from this case? Do your homework before parting with your hard-earned money. See our sidebar for tips on how to avoid becoming a victim of fraud.

View Source

The New York Times is working to make its website available again for all readers after it was disrupted by a group calling itself the Syrian Electronic Army in an exploit that also affected Twitter Inc.

The group disrupted traffic to the websites by hacking yesterday into registration-services provider Melbourne IT Ltd. (MLB), which handles the online addresses of and, according to Tony Smith, a spokesman for the Melbourne-based company. The Times instructed readers who can’t access its home page to go to an alternate site.

Some users initially reported being redirected to the Syrian group’s sites. Many were simply unable to access the pages at all. The Syrian Electronic Army, which backs the country’s president, Bashar al-Assad, has also claimed responsibility for hacking the Washington Post this month and the Financial Times in early May, redirecting readers to its own websites and videos.

“The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems,” Smith wrote in an e-mail. He said the login information was obtained through phishing, a technique used to obtain private data by imitating legitimate websites.

It may take time before all users can get normal access to the newspaper’s site, Smith said. Times employees have been instructed to use caution when sending sensitive e-mails, the newspaper said.

Caching Quirk

A quirk in the way that domain information is updated across the Internet has meant that the Times website is still inaccessible to many users today even though the site is functioning normally. Many corporations and browsers on personal computers cache domain data for 24 hours to speed up connections, preventing access to the news site until those caches are cleared.
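The caching effect described above, modelled as an added example (not part of the original article): a resolver that looked the domain up while the records were modified keeps serving that answer until its cache entry expires, even after the original record is restored. The addresses, event times, retry interval and the fixed per-resolver hold time are constructed assumptions; the 24-hour hold matches the figure in the text.

```python
"""Model: how long a cached resolver keeps a modified DNS answer after the fix."""

HOUR = 3600
STEP = 5 * 60              # assumption: a client retries the lookup every 5 minutes

GOOD = "192.0.2.10"        # constructed: the site's real address (documentation range)
BAD = "203.0.113.66"       # constructed: address placed in the modified record
HIJACK_AT = 2 * HOUR       # constructed: moment the records were modified
RESTORED_AT = 5 * HOUR     # constructed: moment the original record was restored


def authoritative_answer(now):
    """Answer handed out by the domain's name servers at time `now` (seconds)."""
    return BAD if HIJACK_AT <= now < RESTORED_AT else GOOD


class CachingResolver:
    """Resolver that keeps every answer for a fixed hold time (simplification)."""

    def __init__(self, hold_seconds):
        self.hold = hold_seconds
        self.value = None
        self.expires = 0

    def resolve(self, now):
        # Only go back to the authoritative servers once the cached entry expired.
        if self.value is None or now >= self.expires:
            self.value = authoritative_answer(now)
            self.expires = now + self.hold
        return self.value


def stale_seconds_after_restore(hold_seconds, first_query, horizon=72 * HOUR):
    """Seconds after RESTORED_AT until this resolver first returns GOOD again.

    `first_query` is when the resolver first looked the name up. Returns 0 if
    the resolver never served the modified record after the restore, and None
    if it has not recovered within `horizon`.
    """
    resolver = CachingResolver(hold_seconds)
    t = first_query
    while t <= horizon:
        answer = resolver.resolve(t)
        if t >= RESTORED_AT and answer == GOOD:
            return t - RESTORED_AT
        t += STEP
    return None


def worst_case(hold_seconds):
    """Longest post-restore outage over all lookups made during the hijack."""
    return max(
        stale_seconds_after_restore(hold_seconds, q)
        for q in range(HIJACK_AT, RESTORED_AT, STEP)
    )


if __name__ == "__main__":
    cases = [
        ("24h cache, filled before the hijack", 24 * HOUR, 0),
        ("24h cache, filled during the hijack", 24 * HOUR, 4 * HOUR),
        ("1h cache, filled during the hijack", HOUR, 4 * HOUR + 30 * 60),
    ]
    for label, hold, first in cases:
        stale = stale_seconds_after_restore(hold, first)
        print(f"{label}: {stale / HOUR:.2f} h of wrong answers after the restore")
    for hold in (24 * HOUR, HOUR, STEP):
        print(f"hold {hold:>6}s -> worst case {worst_case(hold) / HOUR:.2f} h")
```

A resolver whose cache was filled before the modification never serves the wrong answer at all, which is why only some users were affected; the others recover only as their entries age out or are flushed.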

On its website, Twitter said its domain registration provider “experienced an issue in which it appears DNS records for various organizations were modified,” including the domain it uses to host images. The original domain record for that site has since been restored, and no user information was affected, it said. While Twitter’s site operated normally, was inaccessible for some users.

The Huffington Post, owned by AOL Inc. (AOL), also experienced a hack attempt and “minimal disruption of service,” said Rhoades Alderson, a spokesman for the online publisher. The site was working normally today, he said.

AP Hack

Unidentified hackers hijacked the Associated Press Twitter account in April, sending stock markets down 1 percent in a matter of seconds by posting a false claim of an attack on the White House. The fake message — saying that President Barack Obama had been injured after his residence was bombed — followed repeated attempts by hackers to gain access to AP reporters’ passwords, the news agency said in a report. While the Syrian Electronic Army claimed responsibility for the intrusion, that couldn’t be confirmed, the AP said.

The Times has been increasingly focusing on its website for growth as the industry reels from a print-advertising slump. Digital subscribers to the Times and its international edition increased 35 percent to 699,000 at the end of the last quarter. The company averaged about 14 new paying online readers every hour from the beginning of January to the end of June.

On Aug. 14, the newspaper’s website and e-mail systems crashed for more than two hours because of an internal malfunction with its servers.

New York Times Co. dropped 1.4 percent to $11.42 at 12:52 p.m. in New York. The shares had gained 36 percent this year through yesterday.

View Source

Handcuffs didn’t stop a man, who had just been arrested, from making off with a Chicago Police squad last week, authorities say.

The incident happened around 12:45 p.m., after police arrested 42-year-old Marquette Fisher during a traffic stop in the 4100 block of West Adams Street, said Chicago Police Officer Ron Gaines, a department spokesman.

While he was handcuffed in the backseat of a squad car, he managed to get his hands in front of him, jumped into the front seat and drove off, Gaines said. He left the car a short distance away and was later arrested.

Fisher, of the 1400 block of South Cicero Avenue, was charged with possession of a stolen law enforcement vehicle and aggravated fleeing, Gaines said. He was also charged on misdemeanor counts of escaping from police, obstructing his identification and unauthorized theft.

Fisher was also picked up on an outstanding warrant and cited for driving on a suspended license and failing to stop at a stop sign.

Court information was not available early Sunday.

View Source

The recent death of 14-year-old Hannah Smith, who took her own life after apparently enduring months of online bullying, has raised questions about the online safety of children and young people. – the question-and-answer website at the centre of the controversy – has promised new measures to protect users. But what role should schools play? Esafety is already a part of the curriculum in both England and Wales, but are schools taking the issue seriously enough? And do teachers know enough about the social networking platforms their pupils are using?

Amy James, 15, student at Easten high school, Cardiff

Schools don’t do enough to help people who are being bullied, even when it’s happening in real life. I know a lot of people who are bullied online and keep quiet about it. They think that there’s no point in telling teachers because nothing will be done. And lots of people are also scared to use the “report” buttons on Facebook because they worry that it’ll get out that they’ve reported someone. We don’t have proper lessons looking at social media at school but if we did, it might help people who are experiencing bullying. People need to be taught about the effect that cyberbullying can have.

Carol Phillips, student support officer and child protection at Crickhowell high school in Powys, Wales

Schools only have students for five hours a day, so there’s limited time for classes on internet safety. Parents have them for much longer and it’s parents who are buying them the phones and software, often without understanding how it all works.

I can’t tell you how many times I’ve heard of a parent or a sibling, with parental knowledge, putting a child on Facebook when they are below the age of 13. Of course you can’t monitor your children all the time, but there are steps you can take, including controls and filters, or looking at the PEGI age rating that appears on games.

Reem Jaafar, 15, mentor for Bullies Out charity

I experienced online bullying – it was part of a wider pattern of bullying that spilled over onto Facebook. I was receiving messages with nasty comments or rumours that weren’t true. We’ve had some lessons about it at school: one this year about, and last year we had talks about Facebook and Twitter where they said that you should tell a teacher if you’re being bullied online. But it’s really difficult to speak out when it’s actually happening to you. It took me a long time – a year – to finally say something. When I did, my teachers were helpful though.

Nadimur Rahman, assistant head and IT teacher at a secondary school in Sutton

We have so many issues with kids putting stuff on Facebook, Twitter, Instagram – you name it. Often when we call parents in and explain what has happened, they have no idea what their son or daughter has been doing.

It’s not their fault – parents aren’t to blame, it’s up to the government to make sure the right information is imparted to parents. Social media is taught as part of the IT curriculum – the problem is that the government is moving away from IT and pushing computer science instead, which focuses far more on technical things like programming.

Kim Thomas, mother of 14-year-old Beth, Hertfordshire

It’s hard to monitor what kids are doing online now they all have iPhones and iPads. I’m Facebook friends with my daughter, so I can see what she’s doing on there, but I only found out yesterday that she has an profile. I don’t know what she does on Twitter because she has three or four different accounts.

My daughter has experienced some nastiness on Facebook in the past – not a huge amount, but a continuation of some bullying that was happening at her old school.

She is given classes on social media at school, but the problem is that the kids are ahead of the teachers. The one thing schools could do is make sure that young people are aware that if they do bully others online, there will be repercussions.

Paul Luxmoore, Dane Court grammar school, Broadstairs, Kent

The new forms of media are fantastic and can be of huge benefit to young people. But it is quite shocking to see how they can be abused – and that’s something all schools need to take seriously. The type of bullying that takes place on new media can be different. Girls, for example, might be persuaded by a boy to take photos of themselves naked. This then gets shared around a friendship group, which is hugely upsetting for the victim. We have a policy of excluding – though not permanently – students who do this type of thing.

Schools need to have very strict rules, and they need to make it clear to pupils that there will be repercussions. You could take the view that if it’s happening outside school then it’s not a matter for teachers, but I believe that if it affects children’s behaviour and attainment in school, it needs to be dealt with.

Liz Watson, head of Beat Bullying

Esafety has been a part of recent curriculum changes, which means schools are already doing more. But as well as educating students about how to use social media, they also need to deal effectively with cyberbullying when it does occur. While many schools do have anti-bullying policies, these tend to focus on face-to-face abuse. Schools need to update these and work with governors, parents and students to raise awareness.

View Source

Seems like everything gets hacked these days. Baby monitors. White House employees’ personal email. Toilets.

If it’s connected to the Internet, it seems at least a little vulnerable.

But surely we can trust that workhorse selfie-generator, the iSight webcam built into the top bezel of Mac laptops. Or… Maybe not. Yesterday, security researchers Steve Glass and Christopher Soghoian were passing around a National Security Administration factsheet with a little bit of advice for Mac users on how to “harden” their computers to attacks.

Among the tips, we find the following suggestion: “Disable Integrated iSight and Sound Input.”

“The best way to disable an integrated iSight camera is to have an Apple-certified technician remove it,” the NSA writes (emphasis added). Then, you might try “placing opaque tape over the camera” or try the software-only method of removing one of the components of Quicktime’s files. And if the NSA doesn’t trust that a particular piece of hardware can’t be used for surveillance, it’s probably safe to assume an average user shouldn’t either.

View Source

When Google filed its S-1 form in April 2004 before its stock market flotation, it revealed that not only was it already very profitable – making $105m (£67m) on $1bn revenue in 2003 – but also it had invested hundreds of millions of dollars in building a network of servers around the world.

Onlookers quickly realised there were hundreds of thousands of servers – and Google was making them itself from spare parts. It was at that time the third-largest server manufacturer in the US. But it didn’t sell a single one.

The cost of building a “cloud service” like Google’s has only gone up: in its latest results, it revealed that it invested $1.6bn on data centres just in the three months from April to June. That’s now become Google’s typical spending – $4bn a year – on the systems that it uses to index the web, answer searches, serve adverts, handle email, store photographs and provide maps and Street View photos.

And it’s far from alone. Globally, spending on data centres will hit $143bn this year, according to the research group Gartner, and $149bn next year, continuing a slow but steady growth. The cause? “Big data”, as companies try to cope with a growing flood of information about their business and others’, as well as the rush to enable “cloud computing” – so that data can be accessed from anywhere you have an internet connection.

Handling “big data” for millions of people generally involves billion-dollar cheques. That was the price Apple spent on its third data centre – in Malden, North Carolina – covering 500,000 sq ft (4.65 hectares) and cooled by water from nearby rivers.

It’s not alone: Google, Facebook, US phone company AT&T and services company Wipro also have centres there, attracted by cheap electricity and plenty of space in the rural state; one centre can cover as much space and use as much electricity as a small town. They are power-hungry and data-hungry. The servers needed to process the data have to be arranged in racks, with cooling air forced over them; storage is arranged in racks of hard drives which are set up in the expectation that some will fail, but be replaced. The data enters and exits via thick fibre-optic cables routed through the floor.

Yet two things you’ll rarely find in data centres are people or light. Many operate as “lights-out” systems, because the machines don’t need to be watched; they can be remotely monitored. But that need to make data move quickly means it’s important to build data centres near to their users. Hence Google built one near Dublin covering 4.45 hectares (11 acres) and costing €75m. Unusually, it’s air-cooled.

Even so, building data centres is increasingly becoming a tussle between access to space, and rapidity of connection. Ahead of the 2012 London Olympics, some IT administrators in the financial centres of Canary Wharf in east London fretted that they wouldn’t be able to get enough electricity to power their new centres – which had to be located close to dealing-room floors in order not to give up precious milliseconds of valuable trading time. Some considered briefly moving out of London – but relented and now benefit from the extra power sources installed to deal with them.

View Source

A new X-ray system of innovative optical processing technology will allow soldiers to identify potential bombs from the safety of their vehicles, providing a potentially powerful weapon against insurgents’ signature weapon, the IED.

Although IED attacks in Afghanistan reached a high in 2011 of 16,000 that has been sustained through the first half of 2013, casualties and injuries have been dramatically reduced to nearly half from 2011 to 2012. Yet, IEDs still remain the largest threat to deployed troops and their use on a global scale appears to be on the rise, according to the Department of Defense. The devices are a problem the Pentagon has spent billions of dollars to combat since the start of the Iraq insurgency.

Unveiled last month in London, Raytheon UK’s Soteria vehicle-mounted system is the latest solution offered by the defense industry. Soteria, named after the Greek goddess of safety, provides high-definition IED detection, which allows personnel to remain in the safety of their vehicle while being able to detect, confirm and diagnose threats from a significant stand-off distance.

The sophisticated roof-mounted sensor scans ahead of the vehicle and feeds the shape, size, orientation and exact location of hidden IEDs to an in-vehicle display. Soteria is also equipped with ground vibration monitoring capabilities in the front of the vehicle, making it best suited to lead convoys according to Raytheon.

In simulation, Soteria was able to locate and classify the most difficult-to-detect explosive devices, including those with low and zero metal content, says Raytheon.

“The system can be applied to a wide range of scenarios including minefield clearance, which remains a significant menace in various world regions, as well as in other operations such as disaster relief,” said Bob Delorge, chief executive of Raytheon UK, in a statement.

The stand-off IED and suicide bomber detection systems market has ballooned in recent years from $250 million in 2009 to a projected $1.5 billion in 2014.

Despite the significance of the threat, a solution to the problem has remained elusive for the Department of Defense and the defense industry.

The Joint Improvised Explosive Device Defeat Organization (JIEDDO) has gone from a 12-person Army task force founded in 2006 to a 1,900 person, $21 billion juggernaut with little to show for it (except for these ray guns).

Last month, Special Inspector General for Afghanistan Reconstruction (SIGAR) John F. Sopko reported that the Department of Defense awarded $32 million in contracts for thousands of anti-IED systems, called culvert denial systems, but that hundreds were improperly installed or not installed at all.

“This case shows so clearly that fraud can kill in Afghanistan,” said Sopko in a statement. “We will find out if contracting officers did not do their job and if that proves to be true and Americans have died, we will hold those individuals responsible.”

View Source

For several years, the National Security Agency unlawfully gathered tens of thousands of e-mails and other electronic communications between Americans as part of a now-revised collection method, according to a 2011 secret court opinion.

The redacted 85-page opinion, which was declassified by U.S. intelligence officials on Wednesday, states that, based on NSA estimates, the spy agency may have been collecting as many as 56,000 “wholly domestic” communications each year.

In a strongly worded opinion, the chief judge of the Foreign Intelligence Surveillance Court expressed consternation at what he saw as a pattern of misleading statements by the government and hinted that the NSA possibly violated a criminal law against spying on Americans.

“For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe,” John D. Bates, then the surveillance court’s chief judge, wrote in his Oct. 3, 2011, opinion.

The court, which meets in secret, oversees the Foreign Intelligence Surveillance Act, the law authorizing such surveillance in the United States. It has been criticized by some as a “rubber stamp” for the government, but the opinion makes clear the court does not see itself that way.

Bates’s frustration with the government’s lack of candor extended beyond the program at issue to other NSA surveillance efforts.

“The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program,” Bates wrote in a scathing footnote.

The Washington Post reported last week that the court had ruled the collection method unconstitutional. The declassified opinion sheds new light on the volume of Americans’ communications that were obtained by the NSA and the nature of the violations, as well as the FISA court’s interpretation of the program.

The release marks the first time the government has disclosed a FISA court opinion in response to a Freedom of Information Act lawsuit. The lawsuit was brought a year ago by the Electronic Frontier Foundation, a privacy group.

“It’s unfortunate it took a year of litigation and the most significant leak in American history to finally get them to release this opinion,” said foundation staff attorney Mark Rumold, “but I’m happy that the administration is beginning to take this debate seriously.”

The pressure to release the opinion was heightened by a series of recent revelations about government surveillance based on documents leaked to The Washington Post and Britain’s Guardian newspaper by former NSA contractor Edward Snowden.

Over the past 2 1/2 months, those revelations have reignited a national debate on the balance between privacy and security, and President Obama has promised to assuage concerns about government overreach, in part through more transparency.
