Jul 28 2014

Rebekah Kearn reports:

Apple uses the “location service” function on iPhones to spy on customers and give their private information to third parties, including the federal government, a class action claims in Federal Court.

Lead plaintiff Chen Ma sued Apple on behalf of roughly 100 million iPhone users, claiming Apple violated their privacy.

“In or around September 2012, Apple released iPhone 4 which contains an iOS operating system software that enables iPhone 4 to track its users’ whereabouts down to every minute, record the duration that users stay at any given geographical point, and periodically transmit these data stored on the users’ devices to Apple’s database for future references,” according to the July 24 complaint.

Read more on Courthouse News.

Jul 28 2014

Reuters reports:

Personal data including text messages, contact lists and photos can be extracted from iPhones through previously unpublicized techniques by Apple Inc employees, the company acknowledged this week.

The same techniques to circumvent backup encryption could be used by law enforcement or others with access to the “trusted” computers to which the devices have been connected, according to the security expert who prompted Apple’s admission.

Read more on Huffington Post.

Thanks to Joe Cadillic for this link.

Update: earlier today, Jonathan Zdziarski posted the following to Pastebin:

Personal information that came off com.apple.mobile.file_relay unencrypted
(bypassing backup encryption) from my iPhone 5C 7.1.2. Your mileage may vary.

NOTE: These are raw sqlite3 databases, which means that deleted records can
often be carved from these files

- Accounts database: List of email, social, and other accounts configured
- AddressBook database: Contact lists, phone numbers, addresses, etc.
- AddressBook images: Photos associated with contacts
- Calendar database: User’s calendar, events, alarms, and so on
- Notes database: All of the user’s notes as stored in the Notes application
- SMS/MMS/iMessage database:
  - Database of all correspondence from “Messages” application
  - SMS attachments (photos or other attachments)
  - SMS drafts (texts the user typed but did not send)
- Emergency alerts received
- Voicemail database: All voicemail metadata
- Voicemail audio files: The actual audio of voicemails left for the user
- Envelope index: User’s email envelope data (message metadata, but no content)


- Camera / Video Roll (all photos / videos still on the device reel)
- User photo album (photo album as synced from desktop)
- Thumbnails cache (database of thumbnails of photo album and camera reel)
- I didn’t have any music stored, but IIRC that comes off too


- GeoLocation history (timestamp, lat/long, altitude, accuracy, speed, course)
- Contents of the clipboard (pasteboard)
- User’s last known longitude / latitude (separate cache from GeoLocation)
- Map tiles database (including tile identifiers)
- Screenshots of last user activity in:
  - App Store
  - Camera (intentionally blurred, but with clear saved roll preview)
  - FaceTime (including screenshot of call history)
  - Maps (including current position, last route, whatever on screen last)
  - Calendar (open to my current day’s events at the time)
  - Notes (last note I was viewing, or list of all notes)
  - Mobile Phone (recent calls, contacts, or whatever was last on screen)
  - Photo Album app (last album / photo viewed / album list)
  - Messages (last thread or view of all messages)
  - iTunes app
  - Preferences
- App store resources cache (images, etc)
- iTunes cached resources (album covers, etc.)


- Metadata disk image of entire user partition (minus actual file content)
- Keyboard typing cache
- Application install logs
- iCloud genstore (some cached copies of iCloud data)
- MobileAssets, including copies of kernel cache, iBSS, and other system files
- List of all installed applications (both third party and system)
- Mobile gestalt
- Device activation record
- All pairing records (including escrow bags) for other trusted machines
- Data ark
- Application preferences
- Application crash logs
- Baseband, iCloud, and other system logs
- Caches of urls to viewed audio and video media kept temporarily in /tmp
- Lockdown logs; what hosts have connected when, SIM/network status

Also, when accessing house_arrest service, data-protection can be unlocked
and send all files from Documents, Library, Caches, Preferences, etc. from all
third party applications installed on the device (no access controls, so user
can download stateful information containing personal caches, conversations,
databases, OAuth tokens, private content, and sometimes even passwords)
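
The note in the post above, that deleted records can often be carved from raw sqlite3 files, can be checked on a scratch database. This is an added example, not part of Zdziarski's post: the file name, table and marker text are constructed, and SQLite's `secure_delete` pragma is shown as the setting that closes the gap.

```python
import os
import sqlite3
import tempfile

MARKER = b"CONSTRUCTED-NOTE-7f3a: meet at the usual place"  # constructed sample text


def residue_after_delete(secure_delete: bool) -> bool:
    """Delete a row, then report whether its text is still in the raw file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.sqlite")  # hypothetical file name
        con = sqlite3.connect(path)
        # Set explicitly: some SQLite builds default secure_delete to ON.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany(
            "INSERT INTO notes (body) VALUES (?)",
            [("grocery list",), (MARKER.decode(),), ("call the dentist",)],
        )
        con.commit()

        # A targeted DELETE frees the cell inside its page; with
        # secure_delete OFF the freed bytes are not overwritten.
        con.execute("DELETE FROM notes WHERE body = ?", (MARKER.decode(),))
        con.commit()

        # The row is gone as far as SQL is concerned...
        remaining = con.execute("SELECT COUNT(*) FROM notes").fetchone()[0]
        assert remaining == 2
        con.close()

        # ...but a byte-level read of the file may still contain it.
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    print("secure_delete=OFF, text still in file:", residue_after_delete(False))
    print("secure_delete=ON,  text still in file:", residue_after_delete(True))
```
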

Jul 28 2014

The Information Commissioner’s Office (ICO) has served Reactiv Media Limited with a £50,000 fine after an investigation discovered they had made unsolicited calls to hundreds of people who had registered with the Telephone Preference Service (TPS), violating the Privacy and Electronic Communications Regulations (PECR).
View a PDF of the Reactiv Media Limited monetary penalty notice

Good for the ICO!

Jul 27 2014

Steve Orr reports:

In a crime-fighting tactic that sets civil libertarians’ teeth on edge, police in Monroe County and other urban counties across New York state are collecting and archiving tens of millions of records that track vehicle movement.

The records are stored in a series of loosely connected secure computer servers, accessible directly or indirectly by police from one end of New York to the other and by federal Homeland Security officials.

Each of the records, which are gathered by license plate cameras mounted on police cars or at fixed locations, includes a photograph and the time and place that a particular vehicle was imaged. Strung together, the records can paint a picture of where a person has traveled — whether to the scene of a crime, a doctor’s office or to church.

Read more on WGRZ.

Jul 26 2014

Steven Caponi and Elizabeth Sloan of Blank Rome LLP write:

On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 thru 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice. The new law is effective on January 1, 2015.

The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …” By adopting a broad definition of “commercial entity,” the new requirements impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entity—whether or not for-profit. Importantly, the law does not specify when documents must be destroyed, but rather, addresses how records should be destroyed when they will no longer be “retained” by a company.

Read more on JDSupra.

Jul 26 2014

Hannah Jane Parkinson reports:

Tech tycoon Kim Dotcom has told the Guardian that “governments want to engage in mass surveillance and have total citizen control”, before a crowd fundraising event for the Mana Internet party, the political party he founded to contest New Zealand’s September 20 elections.

Dotcom also reiterated his promise that five days before the election, the world will “witness a moment of truth” at an event alongside Glenn Greenwald, the former Guardian journalist who broke the NSA revelations with Edward Snowden. “We’re about to make history”, he said.

Read more on The Guardian.


Jul 26 2014

Stephen Rex Brown reports:

Sen. Chuck Schumer said Friday he has introduced legislation to provide law enforcement around the country with tracking devices that parents can voluntarily place on their autistic child.

The device could be a bracelet or sewn into pants and hopefully prevent a replay of last year’s Avonte Oquendo tragedy, in which a 14-year-old autistic boy died after wandering out of school.

Read more on NY Daily News.

And although it may surprise some readers, I think this type of tracking is not only okay, but helpful – as long as it continues to be voluntary on the parents’ part.