privacy

Carrier IQ proves (again) the need for completely open mobile phones

According to The Register and many other sources online, an Android app developer has reported conclusive proof that millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users. In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed on a stock EVO handset, which he had reset to factory settings just prior to the demonstration.

The only way to avoid such attacks on one's privacy is to use mobile phones and systems that are built from the ground up to provide truly private conversations and to be completely transparent to their end users, such as the TFF Transparent Telematics system.

Telex, an anti-censorship technology and a possible component of UVT

Telex is (quoting from New Tool Keeps Censors in the Dark): "a scheme that makes it harder for censors to block communications, by taking traffic that's destined for restricted sites and disguising it as traffic meant for popular, uncensored sites."

The Telex system has two major components: "stations" at dozens of Internet service providers (ISPs) and a software client that runs on the computers or smartphones of end users.

The clients make outgoing connections to non-blocked websites, encrypting the traffic in the same way that an e-commerce or online banking site does. The identity of the site to which they really want to connect is then encoded using steganography in a special string, or "tag," that's embedded in the encrypted request. A Telex station at an ISP can examine incoming traffic and detect the presence of these tags, provided it has the right encryption key. Without the key, the tag is indistinguishable from random gibberish.

When the Telex station detects an incoming request that includes a tag, it redirects that connection to the site specified in the encrypted message.
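The tag check described above, as an added example that is not code from the Telex project or from the original post. It assumes a key shared between client and station, a 32-byte request field, and HMAC-SHA256 as a stand-in for Telex's real tag construction; every name and hostname in it is hypothetical.

```python
import hashlib
import hmac
import os

FIELD_LEN = 32   # assumed size of the random-looking field in the request
MAX_DEST = 15    # 1 length byte + 15 hostname bytes fill the 16-byte payload


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed pseudorandom function; output looks random without the key."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def make_tag(key: bytes, dest: str) -> bytes:
    """Client side: hide the real destination in a 32-byte field."""
    name = dest.encode("ascii")
    if len(name) > MAX_DEST:
        raise ValueError("destination too long for this simplified field")
    salt = os.urandom(8)                       # fresh per connection
    plain = bytes([len(name)]) + name.ljust(MAX_DEST, b"\0")
    stream = _prf(key, b"enc", salt)[:16]
    ct = bytes(p ^ s for p, s in zip(plain, stream))
    mac = _prf(key, b"mac", salt + ct)[:8]     # lets the station spot the tag
    return salt + ct + mac


def station_inspect(key: bytes, field: bytes):
    """Station side: return the hidden destination, or None if untagged."""
    if len(field) != FIELD_LEN:
        return None
    salt, ct, mac = field[:8], field[8:24], field[24:]
    expected = _prf(key, b"mac", salt + ct)[:8]
    if not hmac.compare_digest(mac, expected):
        return None                            # ordinary traffic, or wrong key
    stream = _prf(key, b"enc", salt)[:16]
    plain = bytes(c ^ s for c, s in zip(ct, stream))
    length = plain[0]
    if length > MAX_DEST:
        return None
    return plain[1:1 + length].decode("ascii")


def route(key: bytes, field: bytes, cover_site: str) -> str:
    """Untagged connections continue to the cover site unchanged."""
    dest = station_inspect(key, field)
    return dest if dest is not None else cover_site
```

An observer without the key sees only a fresh salt and PRF output, so a tagged field and an ordinary random one look alike; the same property means a station holding the wrong key passes the connection through untouched.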

The Telex protocol may then be used in the User Verifiable Telematics (UVT) system to give its end users an anonymous, non-interceptable way to connect from their smartphones to the anonymous blogs and discussion forums hosted by the same providers of their UVT terminals.

GPLv3 is great to promote open innovation, but not enough to protect our constitutional communication rights

(this is a summary of some of the reasons why TFF Founder Rufo Guerreschi and others started the UVT project)

A lot of great work has been done in promotion and branding of GNU GPLv3. However, I think GPLv3 cannot promise freedoms in digital communications to ordinary users, and adequately protect their constitutional communication rights while using telematics communications.

Even a very wide deployment of GPLv3 software and its adoption - through lots of very easy to use online services and apps - by many end users would still not provide those end users with effective means to verify the levels of security, privacy and authentication of those services, because they would have no means to verify that:

  • the code they are using on some website is effectively the same code that, thanks to the GPLv3 license, they could download from that same website
  • there is no other malicious software running on the same server
  • in general, the hardware on which that software runs has not been compromised
  • all that GPLv3 code is regularly tested, to maintain consistent levels of security, privacy and authentication

Of course, none of this is a critique of the GPL or of the FSF (which has goals other than solving the general problems above): these are not problems that any license could solve. However, this doesn't change the fact that, today, it has become extremely difficult for an ordinary person to enjoy the freedoms promoted by the FSF. It is not a problem of demand but of supply. There are no tools and practices that are accessible to the ordinary person who cares about his or her freedom, not even for the most sensitive parts of their computing or communications.

There is a large demand, and need, for that. People in regimes with decent judiciary systems should have access to basic digital communications that:

  • are not controlled by any private corporation, nor by any single system administrator or anyone else
  • do not run on proprietary and/or unsafe hardware and software environments
  • are legal

The last point is crucial for quick and large-scale building and adoption (even by people without software hacking skills) of such secure and privacy-friendly communication systems. In practice, it means that such systems should be built and work in ways that still allow lawful interceptions and compliance with the EU data retention directive and similar laws, but in ways that also make abuse of those laws, as well as violations of your privacy by private parties (e.g. business competitors...), impossible.

If we could bring out a service and device like that, active citizens could communicate with adequate privacy and security, while lawful interceptions, authorized by Courts after getting evidence of their needs, would still be possible.

In other words, the availability of such integrated services and devices for peaceful and democratic political activists would make it politically difficult for governments to:

  • further promote the "privacy is bad" meme that is now being aggressively promoted and would prepare the way for laws that make all encrypted communications illegal
  • make secret deals for large-scale privacy violations with telecom network operators and providers, as there would be no single organization of that kind that could stipulate or enforce such deals.

All this is why we conceived User Verified Telematics (UVT). UVT aims to:

  • provide and effectively guarantee levels of authentication, security and privacy that are legal, very, very high AND inherently, openly verifiable by everyone

  • make possible the activation of lawful interception procedures only after a Court order and in the presence of a suitable number of randomly selected users, to prevent abuses (but WITHOUT disclosing to anyone the identity of the intercepted users!)

ObscuraCam, a smartphone app for visual privacy

The goal of ObscuraCam for Android, developed by the SecureSmartCam project, is to design and develop a new type of smartphone camera app that makes it simple for the user to respect the visual privacy, anonymity and consent of the subjects they photograph or record, while also enhancing their own ability to control the personally identifiable data stored inside that photo or video.

ObscuraCam doesn't set out to replace training and/or best practices, but rather to introduce these concepts to a wider activist audience, as well as to raise awareness and generate discussion around the idea of "visual privacy."

 To try ObscuraCam or know more about the project, please read:

Report confirms basic assumptions of the Telematics Freedom Foundation

According to a recent analysis from Matt Blaze, the 2010 U.S. Wiretap Report released last month provides official, essential confirmation of the assumption at the basis of several Telematics Freedom Foundation (TFF) activities.

In the report, described as "the most complete public picture of wiretapping as practiced in the US by federal and state law enforcement agencies", there are two interesting facts, according to Blaze: discouraging the incorporation of basic security technology in ICT infrastructures meant that computers, phones, and other gadgets remained exposed to other criminals who might want to illegally exploit the very same surveillance techniques that the government hoped to preserve for itself.

However, the report says, despite dire predictions to the contrary, the open availability of cryptography has done little to hinder law enforcement's ability to conduct investigations. Even when they encountered encrypted communications, law enforcement officials have adapted their methods in order to get their work done, with one comforting result: widespread encryption, rather than shutting down police wiretaps, has actually pushed them in a more reliable and accountable direction... legal wiretap evidence is now much more reliable and illegal cellular intercepts are now much harder to perform.

This is exactly the principle inspiring TFF projects like User Verifiable Telematics: to provide systems that give all citizens the greatest possible guarantees that their communications will remain private and that only law enforcement officials will be able, within the limits set by law and with full accountability, to intercept them.