Why I care when people with ‘something to hide’ are hacked

“Privacy” by Melanie Feuerer used under a Creative Commons Attribution 2.0 United States License

By Spocko

It’s all about the Privacy.

Do some people deserve it less than others? Who decides?

Online Cheating Site AshleyMadison Hacked
— Brian Krebs, @briankrebs Krebs on Security July 19, 2015

When people who are supposed to protect someone’s privacy fail, what should their responsibility be following the failure? How do you make “someone whole,” as they say in the insurance biz, following a privacy breach?

Hacks of OPM databases compromised 22.1 million people, federal authorities say — Ellen Nakashima, @nakashimae, The Washington Post, July 9, 2015

What are the valid reasons someone’s privacy is violated? National Security? Public safety? Potential violence? Donating to the wrong cause? Who gets permission? Who oversees this?

“I don’t care if the government listens to me, I don’t have anything to hide. If you don’t have anything to hide, what are you worried about?”

— US citizen comment I read in response to Snowden revelations

Are there standards and regulations that organizations should meet? Who enforces them? What are the penalties if they don’t?

Obama Administration Expanded Warrantless Surveillance to Target ‘Malicious Cyber Activity’

Defense Department Photo

Documents from NSA whistleblower Edward Snowden show warrantless surveillance was expanded by President Barack Obama’s administration to target “malicious cyber activity.”

After Congress legalized warrantless wiretapping with the FISA Amendments Act in 2008, non-US citizens could be targeted abroad. The administration developed a new policy for cybersecurity and took steps that would make the difference between a spy and a criminal nearly non-existent.

According to a report from the New York Times and ProPublica, the White House National Security Council decided in May 2009 that “reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical.”

At about the same time, the NSA proposed that the government use the warrantless surveillance program for cybersecurity.

In May and July 2012, the Justice Department signed off on searches of “cybersignatures” and Internet addresses. The approval was tied to previously granted authority to spy on foreign governments obtained from the Foreign Intelligence Surveillance Court. However, the NSA soon grew frustrated with the limits this imposed on them.

“That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power,” the report indicates. “That rule, the NSA soon complained, left a ‘huge collection gap against cyberthreats to the nation’ because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.”

Before the year was over, the NSA pressed the secret surveillance court for permission to use the warrantless wiretapping program for “cybersecurity purposes.”

As this happened, the FBI’s authority to target Internet data and use it for its criminal and “national security” investigations expanded.

…[T]he FBI in 2011 had obtained a new kind of wiretap order from the secret surveillance court for cybersecurity investigations, permitting it to target Internet data flowing to or from specific Internet addresses linked to certain governments.

To carry out the orders, the FBI negotiated in 2012 to use the NSA’s system for monitoring Internet traffic crossing “chokepoints operated by U.S. providers through which international communications enter and leave the United States,” according to a 2012 NSA document. The NSA would send the intercepted traffic to the bureau’s “cyberdata repository” in Quantico, Virginia…

The newly claimed authority is but another example of an expansion of executive power the Obama administration arrogated to itself without any public debate whatsoever.

Sales Exec Fired for Refusing to Install 24/7 Tracking App on Smartphone, Sues Company


Myrna Arias, a sales executive who lives in Kern County, California, is suing Intermex, a wire-transfer company, for wrongful termination, claiming that she was fired for refusing to install a tracking app on her smartphone that would monitor her off-hours location.

According to a Courthouse News Service report that describes the lawsuit, Intermex recruited Ms. Arias while she was working for Netspend, a money-transfer competitor. She requested that Intermex allow her to continue work with Netspend in order to maintain health benefits during a new-hire waiting period, and Intermex agreed. A couple of months into her new employment, her boss, Intermex’s regional vice president of sales John Stubits, told Arias and other employees that they would have to download an app from Xora onto their smartphones that “contained a global positioning system function which tracked the exact location of the person possessing the smartphones on which it was installed.” When she refused, she was fired. Intermex then called Netspend and informed them of her overlapping employment, and Netspend fired her as well. Courthouse News Service explains:

Arias says in her complaint that she researched the app and asked Stubits if Intermex would be tracking her whereabouts when she was off the clock.
“Stubits admitted that employees would be monitored while off duty and bragged that he knew how fast she was driving at specific moments ever since she had installed the app on her phone,” Arias says in her complaint. “Plaintiff expressed that she had no problem with the app’s GPS function during work hours, but she objected to the monitoring of her location during non-work hours and complained to Stubits that this was an invasion of her privacy. She likened the app to a prisoner’s ankle bracelet and informed Stubits that his actions were illegal. Stubits replied that she should tolerate the illegal intrusion because Intermex was paying plaintiff more than NetSpend.”
Stubits also told Arias she had to keep her phone on “24/7” to assist clients, and “scolded” her when she uninstalled the app to protect her privacy, the complaint adds.
Arias says Intermex fired her a few weeks later.

/snip/

Arias objected to the app because there was no way to turn it off when she was at home. Even if she shut down the app on her phone, it would still be running in the background, Glick said.
“She found it very offensive that they were treating her like a felon,” she added. “She was not underperforming, so there was no reason to monitor her.”
To make matters worse, Glick said, Intermex was so angry at her objection to the app that it went “above and beyond a normal wrongful termination and interfered with her ability to earn a livelihood.”
Arias says in her complaint that Robert Lisy, Intermex’s president and CEO, “telephoned John Nelson, vice president of NetSpend, and informed Nelson that plaintiff had been disloyal to NetSpend and was employed by Intermex. As a result of Lisy’s intentional and malicious interference with plaintiff’s contract with NetSpend, NetSpend fired plaintiff promptly. NetSpend specifically cited Lisy’s phone call as the reason for the decision to terminate plaintiff,” the complaint states.

Ms. Arias’s lawsuit claims violation of the right to privacy and California labor laws, unfair business practices, and wrongful termination in violation of public policy.

Should companies be allowed to track workers’ movements on and off the clock with smartphone apps?