Google Hands Feds 1,500 Phone Locations In Unprecedented ‘Geofence’ Search

According to Forbes, Google has sent 1,494 device identifiers to the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) to help them investigate arsons carried out across Milwaukee, Wisconsin, throughout 2018 and 2019. “The requests, outlined in two search warrants obtained by Forbes, demanded to know which specific Google customers were located in areas covering 29,387 square meters (or 3 hectares) during a total of nine hours for the four separate incidents,” the report says. “Unbeknownst to many Google users, if they have ‘location history’ turned on, their whereabouts are stored by the tech giant in a database called SensorVault.” From the report:

To investigators, this kind of “geofence” demand is useful, allowing them to go through the data trove provided by Google, look for devices of interest such as a known suspect’s phone and ask for more personal information on the user of that mobile. But it’s also the kind of search that’s been making pro-privacy folk anxious over the last year. Such data grabs, also referred to as “reverse location searches,” see the police give Google a timeframe and an area on Google Maps within which to find every Google user within. Google then looks through its SensorVault database of user locations, taken from devices running the tech giant’s services like Google Maps or anything that requires the “location history” feature be turned on. The police then look through the list, decide which devices are of interest to the investigation and ask for subscriber information that includes more detailed data such as name, email address, when they signed up to Google services and which ones they used.

It’s unclear whether or not Google handed over any identifying information, but to Jerome Greco, a public defender in the Digital Forensics Unit of the Legal Aid Society, it’s a sign that geofence warrants are overly broad and endanger user privacy. “The number of phones identified in that area shows two key points,” he tells Forbes. “One, it demonstrates a sample of how many people’s minute-by-minute movements Google is precisely tracking.” “Two, it shows the unconstitutional nature of reverse location search warrants because they inherently invade the privacy of numerous people, who everyone agrees are unconnected to the crime being investigated, for the mere possibility that it may help identify a suspect.” For what it’s worth, Forbes did obtain a search warrant that indicates Google is trying to fight back against overly broad government requests, “but still appears to be handing over innocent people’s information as well as legitimate suspect data.”

As found on: https://tech.slashdot.org/story/19/12/12/2139212/google-hands-feds-1500-phone-locations-in-unprecedented-geofence-search

It’s Way Too Easy To Get a .gov Domain Name

Brian Krebs:

Many readers probably believe they can trust links and emails coming from U.S. federal government domain names, or else assume there are at least more stringent verification requirements involved in obtaining a .gov domain versus a commercial one ending in .com or .org. But a recent experience suggests this trust may be severely misplaced, and that it is relatively straightforward for anyone to obtain their very own .gov domain. Earlier this month, KrebsOnSecurity received an email from a researcher who said he got a .gov domain simply by filling out and emailing an online form, grabbing some letterhead off the homepage of a small U.S. town that only has a “.us” domain name, and impersonating the town’s mayor in the application.

“I used a fake Google Voice number and fake Gmail address,” said the source, who asked to remain anonymous for this story but who said he did it mainly as a thought experiment. “The only thing that was real was the mayor’s name.” The email from this source was sent from exeterri[.]gov, a domain registered on Nov. 14 that at the time displayed the same content as the .us domain it was impersonating — town.exeter.ri.us — which belongs to the town of Exeter, Rhode Island (the impostor domain is no longer resolving). “I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source continued. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

As found on Slashdot

Democrats Propose Sweeping Online Privacy Laws

mspohr quotes a report from The Guardian:

Top Democrats on Tuesday proposed tough new privacy laws to rein in the U.S.’s tech companies after a series of scandals that have shaken confidence in the companies and exposed the personal data of millions of consumers. The effort, led by Senator Maria Cantwell, the top Democrat on the Senate commerce, science and transportation committee, aims to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” The Consumer Online Privacy Rights Act (Copra) comes after a series of failed attempts to rein in the tech giants in the U.S.

The act resembles Europe’s sweeping General Data Protection Regulation (GDPR) legislation, passed in 2016. It would force tech companies to disclose the personal information they have collected, delete or correct inaccurate or incomplete information and allow consumers to block the sale of their information. The bill’s sponsors are all Democrats and include presidential candidate Senator Amy Klobuchar. “Companies continue to profit off of the personal data they collect from Americans, but they leave consumers completely in the dark about how their personal information is being used,” she said. “It’s time for Congress to pass comprehensive privacy legislation.”