Social Networking Spyware in Washington Post

Today’s Washington Post has an A1 story about Facebook application privacy:

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information — home town, schools attended, employment history — and can use the data in ways that could harm or annoy users.

I’ve previously blogged on the privacy issues of Facebook Apps such as the civil liberties problems when law enforcement agencies create Facebook apps.

It’s good to see this issue gaining mainstream attention, because it means that people will start thinking differently about threats to privacy online. EPIC recently testified at a hearing on spyware. The testimony included social networking applications as a possible vector for spyware.

People at the hearing talked about the need for any legislation in this area not to be technology dependent. The bill being discussed, S. 1625, included language focused on PCs but ignored other threats. The bill’s operative sections made certain behavior unlawful, using language like “caus[ing] the installation on [a] computer of software that” did several prohibited things, such as improperly collecting information or displaying excessive popups. But that language is built on the idea that people keep their data on their own computer. With social networking, people keep their data online, with the social networking service. That data should also be protected from new types of spyware, and improper data collection from a social network service should be treated the same way we treat improper data collection from a home computer.

Posted: June 12, 2008

Computers, Freedom and Privacy 2008

Today I got to the CFP 2008: Technology Policy ‘08 conference. Tomorrow I’ll be presenting on what could be a hopeful new direction in spyware policy. I’ll be speaking on the stalker spyware complaint EPIC filed earlier this year.

In this digital age, spyware is used by employers and parents, as well as stalkers and perpetrators of abuse. This workshop will discuss whether anti-spyware policy and technology is appropriately tailored to spyware uses in the social context of abuse: misusing power and control. The essence of spyware is to spy, to monitor, to watch someone – all without their knowledge. How do we identify and respond to harmful, inappropriate use? What are the challenges faced by policymakers and anti-spyware technology providers when dealing with abusive uses of spyware? This workshop will explore the varying opinions on spyware policy and practice as it intersects with privacy and safety.

Other program topics that look interesting include network neutrality, reputation systems, and social networks. The whole program is here.

Posted: May 21, 2008

Complaint Against Amateur Spyware Purveyors Filed

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

Click on this thumbnail for a view of what the marketing looks like:

[Image: Remote Spy]

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished, and generally unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic so we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Let’s hope the FTC moves and nips it in the bud.

Posted: March 6, 2008

Spier Sues Spy Software Maker

I would guess that there are several companies in the business of selling what is basically “over the counter” or consumer grade spyware for the beginner level user. Depending on how this suit turns out, they will have to start being careful about how they promote their wares, and how they instruct their customers in using them:

Caught Snooping, Husband Sues Spy Software Vendor
By Ryan Singel

An Ohio man facing a lawsuit from his wife’s friend for intercepting her emails using spyware on a household computer filed suit Friday against the spyware maker, arguing the company’s ads failed to warn him that using it to monitor his family, including his wife, would violate state and federal laws.

As I previously blogged, intercepting communications can expose you to large civil liabilities.

Posted: September 23, 2007

NYT on Digital Evidence and Divorce

A friend emailed this NYT article:

Tell-All PCs and Phones Transforming Divorce
By BRAD STONE
The age-old business of breaking up has taken a decidedly Orwellian turn, with digital evidence like e-mail messages, traces of Web site visits and mobile telephone records now permeating many contentious divorce cases.

Spurned lovers steal each other’s BlackBerrys. Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.

The article also mentions using GPS to track a spouse; the ethical issues some spouses have when they decide to spy; and how the person spied upon can find it “particularly disturbing.”

On the legal issues, though, the article is lacking. The only consideration is the admissibility of the evidence: whether the divorce court can see it. Furthermore, the entire article glosses over the difference between electronic evidence gained via discovery — the legitimate, court-supervised method of obtaining records from the other side — and the surreptitious access to information that is the use of spyware and unauthorized access to devices.

The legal issues are serious. The Electronic Communications Privacy Act (ECPA) governs interception of electronic communications. Intercepting an electronic communication can land you in jail for up to five years. 18 USC 2511(4). You can also be sued civilly, and be liable for attorney’s fees and statutory damages of at least $10,000. 18 USC 2520. Besides interception, access to stored communications is regulated by the Stored Communications Act. Unlawfully accessing someone’s stored communications can be punished by up to a year in jail for a first offense. 18 USC 2701. And it can also expose you to civil suits with a minimum of $1,000 in damages plus attorney’s fees. 18 USC 2707.

But under both of these statutes, the issues get tricky if the computer is shared between people, or if people have previously shared their passwords with each other. It’s no surprise that a reporter talking to divorce lawyers didn’t go into wiretap laws. But at the least, the article should not have mixed up the entirely legitimate accessing of stored information during a lawsuit with spousal espionage and stalking.

Posted: September 17, 2007