Confidential Data Leaving on Workers’ Mobile Devices – Under-30-Year-Olds Don’t Care

A security cable attached to a Kensington Security Slot

More than half of employees admit to storing, sharing and working on corporate documents on their personal devices, and this number is growing.

If you think your BYOD policy telling employees that they can’t put sensitive data on their personal smartphones, laptops and tablets is keeping your company safe, think again. Few office workers are actually aware of their company’s BYOD policy.

These are the alarming findings from a recent survey of 4,000 office workers in the United States and United Kingdom, conducted by market researcher Ipsos Mori and commissioned by cloud collaboration platform provider Huddle.

The survey found that 73 percent of respondents in the United States are downloading personal software and apps onto corporate-owned tablets.

Now for the kicker: The security problem is only going to get worse as millennials flood the workplace. That’s because millennials, especially on the younger side of the generation, don’t really care about security or the stress it causes the IT department; they just want BYOD without restrictions.

The survey calls 18- to 24-year-olds the “gourmet chefs of security breach,” because they play loose with corporate documents. That’s not good, given that millennials will make up the majority of your workforce by 2015, according to the U.S.

Had a Denied Warranty Claim at the Apple Store for iPhone or iPod With “Water Damage”?

This past April, Apple agreed to the terms of a US$53 million class-action settlement stemming from Apple’s warranty practices regarding water damage on older-generation iPhones and iPod touches.

Both the iPhone and iPod touch contain Liquid Contact Indicators which change color when they come into contact with water. The crux of the issue, however, is that these Liquid Contact Indicators were also prone to change color in humid environments.

To qualify for a cash refund, you must: (a) be a United States resident; (b) Apple denied warranty coverage for your iPhone on or before December 31, 2009, OR for your iPod touch on or before June 30, 2010; (c) when it was submitted to Apple for warranty coverage, your iPhone or iPod touch was covered either by its original one-year limited warranty or by an AppleCare Protection Plan; and (d) Apple denied warranty coverage because Apple stated that your iPhone or iPod touch had been damaged by liquid.

The chart below is instructive, but note that the amounts are subject to change depending on how many folks actually file claims.

The NSA Should Start Following These Simple Legal Rules

Headquarters of the NSA at Fort Meade, Marylan...

Cray X-MP/24 (serial no. 115) used by NSA

Summarized from an extensive article put together by the EFF. You can read it here.

While we still believe that the best first step is a modern Church Committee, an independent, public investigation and accounting of the government’s surveillance programs that affect Americans, members of Congress seem determined to try to enact fixes now.

…In short, there’s much Congress can and should do here, but we also need to be on the lookout for phony measures dressed as reform that either don’t fix things or take us backwards.

…At all times, a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service) must be specified in the context of an investigation.

…Clarification that if one identified person is under investigation, the NSA does not have the authority to run analysis of call records on persons “two hops” or “three hops” away from that person without a separate court authorization.

…Congress should also state firmly that the fact of third party involvement should be irrelevant to a person’s “reasonable expectation of privacy,” as this may assist the courts when considering Fourth Amendment implications.

…Confirm the NSA must obtain a specific, probable cause warrant to seize or search Americans’ communications when they are picked up via a FISA court order or otherwise even if the American is not the “target” of the order.

…Ensure that the protections of American law, including standing to sue to challenge violations of law, apply to all data accessed by the NSA in the United States, even if the data is about a non-U.S. person.

…The NSA has claimed at various times that the legal protections do not start until a human reviews the information or when it is “processed” or otherwise prepared for human review, thus excluding any legal protections against collection, storing and even apparently many kinds of analysis done by computers.

…The government has tried to use the state secrets privilege to dismiss EFF’s multiple lawsuits challenging the NSA, as well as those of many others, despite the fact there are hundreds of pages of public evidence documenting unconstitutional actions.

…A “compromise” has recently been floated by several members of Congress that instead of the NSA holding onto phone records for five years, the phone companies should do it themselves, without limiting NSA access capabilities.

…This has not yet been floated, as far as we know, but any effort to reform the law in light of the NSA surveillance must not itself require that communications companies increase the surveillance capabilities of their systems. The FBI has been secretly lobbying for years for an update to Communications Assistance for Law Enforcement Act (CALEA), which would essentially force large internet companies to build a backdoor into their systems so the feds could more easily get real-time access to communications. Given the level of distrust users have had with Internet companies after their involvement in the PRISM program with the NSA, this bill should be permanently shelved, instead of being part of any sort of compromise reform bill relating to the NSA.

What We Should Be Doing to Reform Our NSA Data Gathering

The seal of the U.S. National Security Agency....

Patriot Act and FISA Amendments Act Reform

Stop Bulk Collection. The starting point for NSA reform would be a definitive statement that court orders for bulk collection of information are not allowed and indeed are illegal. At all times, a specific person or specific identifier (like a phone number or email address) or a reasonable, small and well-cabined category (like a group on the terrorist list or member of a foreign spy service) must be specified in the context of an investigation. A category like “all records of all Verizon customers” is neither reasonable, small nor well-cabined.

Limits on Hops. Clarification that if one identified person is under investigation, the NSA does not have the authority to run analysis of call records on persons “two hops” or “three hops” away from that person without a separate court authorization.

Metadata Protection. Information about communications, also called metadata or noncontent, requires probable cause warrants issued by a court (or the equivalent) whenever it reveals previously nonpublic information about or comprising your communications. This includes revealing your identity if it is not public, what websites you visit and information you read, who you communicate with, when, from where, and for how long. Public metadata, such as information about Facebook wall posts, public tweets and followers, or information available in telephone books or similar resources, should not be included in this requirement. This requirement is also contained in the International Principles on the Application of Human Rights to Communications Surveillance, which apply international human rights principles to the digital age and which EFF and hundreds of NGOs around the world have recently endorsed.

Location Information. Metadata about your location, including cell phone GPS data, IP addresses and cell tower information, should also require a probable cause warrant. The NSA claims the legal authority to collect this information on Americans in mass quantities as well, but says it does not do so; Senator Wyden indicates that this might not be the whole story.

—Congressional Disfavor of Third-Party or Business Records Doctrine. Eliminate the so-called third-party or business records doctrine. The fact that communications or communications records are held, collected or generated by third parties should be irrelevant to their protection under privacy statutes. Congress should also state firmly that the fact of third party involvement should be irrelevant to a person’s “reasonable expectation of privacy,” as this may assist the courts when considering Fourth Amendment implications.

—Americans Protected Even if Communicating with a “Target.” Confirm the NSA must obtain a specific, probable cause warrant to seize or search Americans’ communications when they are picked up via a FISA court order or otherwise, even if the American is not the “target” of the order. Often, while the “targets” of orders are foreign, Americans’ communications are vacuumed up and can be searched thereafter without a warrant.

—U.S. Law Protects All Data in the U.S. Ensure that the protections of American law, including standing to sue to challenge violations of law, apply to all data accessed by the NSA in the United States, even if the data is about a non-U.S. person. This can help American businesses by assuring foreigners that they may use U.S.-based communications services without discrimination and will enjoy the same rights as U.S. persons when the government comes knocking.

Legal Protections Start with Any Government Access. Confirmation that the legal protections start when the government has any access to the information under the Wiretap Act, FISA and other laws. The NSA has claimed at various times that the legal protections do not start until a human reviews the information or when it is “processed” or otherwise prepared for human review, thus excluding any legal protections against collection, storing and even apparently many kinds of analysis done by computers. This gamesmanship should end.

—Seizures or Searches Done With Technological Assistance Still Count. Confirm that seizures and searches done by computers are “seizures and searches” for purposes of the Fourth Amendment and search and seizure laws. Again the government seems to be taking the position that only human review counts, and that’s not sensible, right or sufficiently protective of Americans. The use of technology to do what humans used to do, only faster, more efficiently and likely more accurately, shouldn’t change the level of protections that Americans enjoy in their communications and communications records.

—Information Gathered for National Security Purposes Cannot be Used for Other Purposes. Completely unsurprisingly, news is now starting to come out about use of NSA-collected information for ordinary criminal prosecutions completely unrelated to national security or terrorism. Congress must make this illegal and grant standing and severe sanctions to anyone whose data is misused in this way.

Confirm Public, Adversarial, Federal Court Role

State Secrets Reform. Enact state secrets reform that resembles the late Sen. Kennedy’s proposal from 2008. The government has tried to use the state secrets privilege to dismiss EFF’s multiple lawsuits challenging the NSA, as well as those of many others, despite the fact that there are hundreds of pages of public evidence documenting unconstitutional actions.

—Public, Adversarial Courts Must Determine if Surveillance Is Lawful. Confirmation that federal courts are clearly allowed to hear challenges to illegal surveillance, whether or not the government considers it “classified.” Security procedures like those outlined in 50 U.S.C. 1806(f) may apply, but the courts must always be able to determine whether the surveillance was lawful.

—Standing. Standing must be granted for those who have a well-founded fear of surveillance in language that will fix the problem that was identified by the Supreme Court in Clapper v. Amnesty.

Reform Sovereign Immunity. Remove sovereign immunity provisions in the FISA Amendments Act to more clearly allow plaintiffs to stop unconstitutional programs, obtain injunctions and seek damages free of the FTCA.

—Confirm FISA Procedures for National Security Evidence. Confirm that 1806(f) plainly applies to all claims for illegal surveillance, not just FISA ones and including constitutional ones. 1806(f) is a provision in FISA that overrides the state secrets privilege.

Phony “Reforms” to Resist

Just as important as ensuring good reforms is resisting phony or bad ones. Here are a couple that we will be watching for as the debate continues.

—Data Retention. A “compromise” has recently been floated by several members of Congress that instead of the NSA holding onto phone records for five years, the phone companies should do it themselves, without limiting NSA access capabilities. Even NSA critics like Sen. Mark Udall have suggested this be a solution. The US currently has no data retention laws, but companies often keep information on customers for months or years at a time. Creating logs as a way to “solve” the NSA’s access problem is no solution—indeed it ignores the problem that the NSA has bulk access in the first place.

Congress has tried to pass flawed data retention legislation before, most recently by SOPA author Rep. Lamar Smith, but it was abandoned after protest from the Internet community that it would violate users’ privacy. Data retention laws create a honeypot of sensitive data exposed to malicious hackers or accidental disclosure. But most importantly, the problem isn’t that the NSA has custody of the information, it’s that it has access to the information in bulk. Shifting custody without limiting access does nothing.

—CALEA II or Internet Backdoors. This has not yet been floated, as far as we know, but any effort to reform the law in light of the NSA surveillance must not itself require that communications companies increase the surveillance capabilities of their systems. The FBI has been secretly lobbying for years for an update to Communications Assistance for Law Enforcement Act (CALEA), which would essentially force large internet companies to build a backdoor into their systems so the feds could more easily get real-time access to communications. Given the level of distrust users have had with Internet companies after their involvement in the PRISM program with the NSA, this bill should be permanently shelved, instead of being part of any sort of compromise reform bill relating to the NSA. As we’ve explained before, this bill would not only make Internet communications less private, it would inhibit innovation and make the Internet less secure as well.

This article is reproduced from the Electronic Frontier Foundation under a Creative Commons license.

Phil Zimmermann, Security Expert and Author of PGP, Gives a Primer on Encryption

Phil Zimmermann discusses PGP and his latest secure phone and texting company, Silent Circle. What concerns should you have? What requirements are there for using encryption?

What is the NSA doing with PRISM, and how does it affect us?

Zimmermann Part 1

Part 2