Abortion surveillance: in a post-Roe world, could an internet search lead to an arrest?

Voice Of EU



A leaked draft opinion suggesting the US supreme court may overturn the landmark abortion rights decision Roe v Wade has renewed concerns over the ways US law enforcement could ask tech companies to hand over Americans’ data if they were to prosecute individuals getting or providing abortion services.

Tech firms and data brokers already collect, store and often sell years’ worth of information on their users. There are few federal regulations that protect such data, making the information, which includes data on location, internet searches, and communication history, extremely valuable and easily accessible to law enforcement.

That data could also make it easy for law enforcement to track down people searching for information on or seeking abortions in states where the practice would get criminalized, heightening the need for data privacy regulation, healthy individual “digital security hygiene” and better company data retention policies.

“The biggest harms are going to be that all of this data that is being collected about location, people’s health, menstrual health and pregnancies is going to be now used to find and prosecute people who may be seeking these services or who may not even be seeking these services,” Cooper Quintin, a senior staff technologist at digital rights group Electronic Frontier Foundation, said. “I’m concerned that all this data that’s already out there that’s already been collected and is just sitting in data silos is going to be used for mass prosecutions, mass arrests and do real significant harm.”

While there are steps individual users can take to protect themselves and minimize the data they are handing over to companies that can be requested by law enforcement, Quintin says the decisions companies make when it comes to user data could have far-reaching implications.

“There’s a 100% parallel to climate change – it gets framed a lot as an individual consumer issue when it’s really up to corporations and institutions that are doing the most damage and need to do the most work to solve it,” he said.

How police could search for abortion seekers

The digital security concerns around abortion are already playing out in several US states. “Even though abortion is still legal today in all 50 states, the reality is that many people in this country already live in a post-Roe world and dozens of people have been criminalized for their pregnancy outcomes,” said Elizabeth Ling, a senior helpline counsel at the reproductive legal hotline If/When/How.

As a result, many people opt for a “self-managed” abortion where they get pills mailed to them rather than going into local clinics, Ling said. The internet has made self-managed abortion options more accessible to those seeking legal and safe abortion routes outside a medical setting. But it has also created a digital footprint that makes an individual’s effort to seek abortion much more easily tracked.

Already, information such as a person’s internet search for abortion pills has been used in cases dealing with miscarriages and pregnancy termination. “If Roe is overturned, the need to self-manage abortion is certainly going to increase and the surveillance of people seeking abortion care will be at an all-time high,” she said.

Today, there are several avenues law enforcement can use to access user data. Agencies can simply access your phone, whether at the border or through a subpoena. Law enforcement and government agencies can also buy user information through data brokers, companies such as Lexis Nexis, Equifax and X Mode, that collect, buy and sell user information. Or they can issue subpoenas and warrants to tech companies requesting the data those companies have collected.

Different types of law enforcement requests to tech companies yield different types of user information. In some cases, tech companies can only turn over an individual’s subscriber information in response to certain subpoenas. But there are also broader warrants that law enforcement is increasingly using that can capture a wide net of consumers’ information, such as geofence warrants and keyword search warrants.

In both these cases, law enforcement asks a tech company for information on any and all the devices that meet certain conditions. In the case of geofence warrants, police seek all the devices that are in a certain place at a certain time. For keyword search warrants, police seek all the information for devices that search for a certain term on the internet.

Police have used geofence warrants, for instance, to get a list of people who had been near an alleged crime scene at the approximate time that it occurred. Already, people have come forward about being suspected or arrested for a crime they didn’t commit simply for being in the wrong place at the wrong time. A keyword search warrant that seeks the device information for all of those who’ve searched for an abortion pill or a geofence warrant that seeks everyone who was in or around a Planned Parenthood, for instance, is not out of the realm of reality in a post-Roe world. These can all be used to gain access to information on, and potentially criminalize, people who are searching for or researching abortions, Quintin said.

While there are a few steps consumers can take to try to limit the information they’re sharing with companies that can then end up in the hands of law enforcement, companies have the most power to protect users, he said. “First, I would really love for companies to stop working with data brokers, and stop selling location data to these data brokers,” he said. But the most important thing companies can do is to reduce the amount of data they store on their users, especially since they may not have the power or ability to refuse a legal request like a court-ordered subpoena.

“Any company that doesn’t want to be responsible for the massive amount of harm that’s going to come from this needs to start taking concrete steps to data minimization right now,” Quintin said. “So data brokers, stop holding on to any data that’s not absolutely necessary. Companies, make it easy for your customers to actually delete their data.”

Quintin also said companies need to encrypt any customer data that they do store in a way that only allows consumers to decrypt it. “But that’s a technological challenge that not every company is willing to face, although I would argue that they should, especially companies dealing with women’s health.”

How to practice ‘digital security hygiene’

While the lion’s share of the responsibility falls to the corporations that profit from the sale of data, experts say there’s still quite a bit individuals can do to practice good “digital security hygiene”.

“Understandably, people may be concerned about how their efforts to learn about their legal rights and options for ending a pregnancy in order to make the best decision for themselves may be used against them as evidence,” Ling said. “People can go to the Repro Legal Helpline’s resource on internet safety to learn about steps they can take, such as using a VPN, secure messaging apps like Signal, or prevent others from seeing their search history if they are sharing a device.”

In addition to consulting EFF’s surveillance survival guide, Quintin said people providing or seeking abortions should consider leaving their phones behind or, if they can’t do that, turning their phone and location services off. “Those are reasonable steps to take if you think that the thing you’re doing is going to be criminalized,” he said. He also said that people should have the disappearing messages feature turned on when they use services like WhatsApp and Signal, and should use Tor browsers to avoid having their web browser history tracked and saved.

Abortion providers have a more intense threat model because they are in danger of physical attacks, but they can take the same steps as individuals, he said. “It’s the same principle of data minimization: leave as little data behind as you possibly can.”

While there are not many secure appointment booking software options abortion clinics and providers can use, Quintin said he suspects “that is something that every provider is thinking really hard about right now.”



US offers $10m reward for info on five Conti ransomware members




Rewards for Justice shared a photo of someone it claims to be an associate of the ransomware gang and is offering a reward to identify him and four others.

The US Department of State is offering a $10m reward for any information on five malicious cyber actors who are believed to be high-ranking members of the Conti ransomware gang.

The US has been offering rewards for information on this ransomware gang since May, including a $5m reward for any intel that leads to the arrest of anyone conspiring or attempting to participate in a Conti attack.

Yesterday (11 August), the department’s Rewards for Justice programme shared an alleged photo of an associate of the ransomware gang. The department said on Twitter that it is “trying to put a name to the face” and believes the individual is the hacker known as “Target”.


A request for information by the Rewards for Justice programme. Image: US Department of State/Rewards for Justice

Conti, also known as Wizard Spider, has been linked to a group believed to be based near St Petersburg, Russia. The US has labelled it a “Russian government-linked ransomware-as-a-service (RaaS) group”.

The group’s malware is believed to be responsible for more than 1,000 ransomware operations targeting critical infrastructure around the world, from law enforcement agencies to emergency medical services and dispatch centres.

In May 2021, the Conti group was behind the HSE ransomware incident that saw more than 80pc of the IT infrastructure of healthcare services across Ireland impacted. It was said to be the most serious cyberattack ever to hit the State’s critical infrastructure.

The US Department of State previously said the Conti ransomware variant is the “costliest strain of ransomware” ever documented. The FBI estimates that, as of January 2022, there had been more than 1,000 victims of attacks associated with Conti ransomware, with victim payouts exceeding $150m.

When Russia began its invasion of Ukraine earlier this year, the Conti group declared its allegiance to the Russian government. Shortly after, a Ukrainian researcher took the cybersecurity world by storm after publishing more than 60,000 internal messages of the ransomware gang.

Raj Samani, chief scientist at cybersecurity firm Rapid7, said the latest reward offer is just “the tip of the iceberg” as enforcement agencies make “considerable strides” through public-private collaboration to hold cybercriminals to account.

“Announcing a reward and revealing the details of Conti members sends a message to would-be criminals that cybercrime is anything but risk-free,” said Samani.



Meditation app Calm sacks one-fifth of staff



The US-based meditation app Calm has laid off 20% of its workforce, becoming the latest US tech startup to announce job cuts.

The firm’s boss, David Ko, said the company, which has now axed about 90 people from its 400-person staff, was “not immune” to the economic climate. “In building out our strategic and financial plan, we revisited the investment thesis behind every project and it became clear that we need to make changes,” he said in a memo to staff.

“I can assure you that this was not an easy decision, but it is especially difficult for a company like ours whose mission is focused on workplace mental health and wellness.”

The Calm app, founded in 2012, offers guided meditation and bedtime stories for people of all ages. It received a surge of downloads triggered by the 2020 Covid lockdowns. By the end of that year, the software company said the app had been downloaded more than 100 million times globally and had amassed over 4 million paying subscribers.

Investors valued the firm, which said it had been profitable since 2016, at $2bn.

In the memo, Ko went on: “We did not come to this decision lightly, but are confident that these changes will help us prioritize the future, focus on growth and become a more efficient organization.”

More than 500 startups have laid off staff this year, according to, a website that tracks such announcements.



Let there be ambient light sensing, without data theft • The Register




Six years after web security and privacy concerns surfaced about ambient light sensors in mobile phones and notebooks, browser boffins have finally implemented defenses.

The W3C, everyone’s favorite web standards body, began formulating an Ambient Light Events API specification back in 2012 to define how web browsers should handle data and events from ambient light sensors (ALS). Section 4 of the draft spec, “Security and privacy considerations,” was blank. It was a more carefree time.

Come 2015, the spec evolved to include acknowledgement of the possibility that ALS might allow data correlation and device fingerprinting, to the detriment of people’s privacy. And it suggested that browser makers might consider event rate limiting as a potential mitigation.

By 2016, it became clear that allowing web code to interact with device light sensors entailed privacy and security risks beyond fingerprinting. Dr Lukasz Olejnik, an independent privacy researcher and consultant, explored the possibilities in a 2016 blog post.

Olejnik cited a number of ways in which ambient light sensor readings might be abused, including data leakage, profiling, behavioral analysis, and various forms of cross-device communication.

He described a few proof-of-concept attacks, devised with the help of security researcher Artur Janc, in a 2017 post and delved into more detail in a 2020 paper [PDF].

“The attack we devised was a side-channel leak, conceptually very simple, taking advantage of the optical properties of human skin and its reflective properties,” Olejnik explained in his paper.

“Skin reflectance only accounts for the 4-7 percent emitted light but modern display screens emit light with significant luminance. We exploited these facts of nature to craft an attack that reasoned about the website content via information encoded in the light level and conveyed via the user skin, back to the browsing context tracking the light sensor readings.”

It was this technique that enabled the proof-of-concept attacks like stealing web history through inferences made from CSS changes and stealing cross origin resources, such as images or the contents of iframes.

Snail-like speed

Browser vendors responded in various ways. In May 2018, with the release of Firefox 60, Mozilla moved access to the W3C proximity and ambient light APIs behind flags, and applied further limitations in subsequent Firefox releases.

Apple simply declined to implement the API in WebKit, along with a number of other capabilities. Both Apple and Mozilla currently oppose a proposal for a generic sensor API.

Google took what Olejnik described in his paper as a “more nuanced” approach, limiting the precision of sensor data.

But those working on the W3C specification and on the browsers implementing the spec recognized that such privacy protections should be formalized, to increase the likelihood the API will be widely adopted and used.

So they voted to make the imprecision of ALS data normative (standard for browsers) and to require the camera access permission as part of the ALS spec.

Those changes finally landed in the ALS spec this week. As a result, Google and perhaps other browser makers may choose to make the ALS API available by default rather than hiding it behind a flag or ignoring it entirely. ®
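An added illustration of why coarse readings blunt the side channel described above; it is not code from the article, the W3C spec or any browser. The bucket size, the change threshold and every lux value are assumptions constructed for the demonstration, and it compares plain rounding with rounding plus a minimum-change hold.

```javascript
// Added illustration, not browser or spec source. All lux values are constructed.
const ROUNDING_MULTIPLE = 50;            // assumed bucket size, in lux
const THRESHOLD = ROUNDING_MULTIPLE / 2; // assumed minimum change, in lux

function roundLux(lux) {
  return Math.round(lux / ROUNDING_MULTIPLE) * ROUNDING_MULTIPLE;
}

// Mitigation A: round every raw reading independently.
function roundOnly(rawReadings) {
  return rawReadings.map(roundLux);
}

// Mitigation B: round, but publish a new value only when the raw reading has
// moved at least THRESHOLD away from the raw reading behind the last update.
function roundWithHold(rawReadings) {
  const exposed = [];
  let lastRaw = null;
  let current = null;
  for (const raw of rawReadings) {
    if (lastRaw === null || Math.abs(raw - lastRaw) >= THRESHOLD) {
      lastRaw = raw;
      current = roundLux(raw);
    }
    exposed.push(current);
  }
  return exposed;
}

// Number of distinguishable levels a page script would see in a trace.
function distinctLevels(values) {
  return new Set(values).size;
}

// Constructed trace: screen content alternates dark/light, shifting the
// reflected light by about 5 lux while the room sits near a bucket boundary.
const nearBoundary = [124, 129, 124, 129, 124, 129];
// Constructed trace: the same flicker followed by a real lighting change.
const lightsOn = [124, 129, 400, 402];

console.log("raw levels:          ", distinctLevels(nearBoundary));
console.log("rounded only:        ", roundOnly(nearBoundary));
console.log("rounded with hold:   ", roundWithHold(nearBoundary));
console.log("real change survives:", roundWithHold(lightsOn));
```

Rounding alone still flips between two buckets when the room level sits near a boundary, so the small screen-driven difference stays visible; holding the value until the reading moves by the threshold removes it while a genuine lighting change still gets through.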
