They said they would protect your privacy, not facilitate criminal activity.
If the whole reason you want privacy is to facilitate criminal activity, you’re going to have a bad time.
But it also raises the question: Doesn’t political dissent often get categorized as “criminal activity?”
I think the bigger question is if these services will stand up for obviously bogus charges when it comes to political dissidents. I actually don’t really have a problem with them being willing to shut down accounts associated with ransomware. However, I do understand how exceptions made for “criminal activity” can end up being directed at people who simply have a differing political opinion.
Finally, when it comes to political dissidence: If you are under the thumb of an authoritarian government, is violence taken to achieve freedom considered a “criminal act” by these privacy companies?
These companies have potentially put themselves in a very thorny situation in regards to their intended purpose.
I definitely agree with you. If a warrant is valid and attained honestly and legally in good faith through real evidence of serious crimes, that’s different than sending dick pics through Prism. In theory that mirrors how IRL should work.
Is there any kind of social contract RFC proposed to set global standards for boundaries? To your point, companies prefer to have clear discreet understanding of the laws, compliance, and generally accepted best practices. Easier, safer, cheaper. Everyone wins.
Imagine variable scoring on different traits per entity, that would make different rules/boundaries applicable! E.g., North Korea’s independent journalism score makes them inapplicable for XYZ activities (email account access, phone unlocks? 🤷)… CSAM 100% inexcusable, tiers of limits on disinfo or hate speech…
Would anyone reading this take something like this seriously? I can’t own this. I’m not at all an expert. But I have friends at places like Mozilla, EFF, and standards bodies, to whom I could reach out and maybe help with intros.
…And then you realize your tl;dr is ‘who wants to play pretend world police with me!!!’… and to what ends is it enforceable? Realistically any major entity can pull out of anything at the cost of their customers (and potential civil damages suits). Microsoft can stop supporting SPF, Schneider can stop supporting standard voltages. It’ll cost them customers, but it’s not regulatory/mandated, correct? If pornhub builds a city in the Pacific and refuses to relinquish emails about human trafficking, does the UN send armed forces? Obviously not. But do they get disconnected from 1.1.1.1, 8.8.8.8 or w3c’s yellow pages?
So what would make someone or some entity, trusted? Just curious for the thought exercise to see what you all think, and the sociological repercussions.
I think there was someone who was bitching here at one time, about ProtonMail handing out some user's account by court order. And they were trying to be snarky like "oh, guess ProtonMail doesn't care about your privacy after all!" or some shit.
And your comment here completely clarifies the differences about protecting privacy from enabling you to continue your criminal activity.
I myself cannot be 100% sure my privacy would be protected, if the service I knew, was having their door knocked because they knew I'm up to no good.
Your privacy is ensured from the likes of spam, advertisements and corporate eyes reading your e-mail. Not criminal activity.
I want to know what happens when something is only a criminal activity in a state.
Is an Alabama resident moving eggs and IVF clinics to a different state considered criminal activity?
How about a Texas resident talking about getting an abortion in a different state?
I’m not sure if state governments can even requests this but it does interest me what Proton’s response would be. What if it was countries instead of states?
On the plus side, being that they’re in European countries, they likely have the enviable position of being able to ignore and chastise the worst excesses of USA law. However, that’s my question as well, this is all well and good, but it also puts them in the position of having to have a “scale” of which crimes are “worth” legally complying with, and which ones are “worth” ignoring and fighting.
They don’t have to support the fanatical religious government in Afghanistan, for instance, but surely there are dissidents there who would like to be able to communicate without being monitored in Afghanistan as well. Where’s the line? Is the line different for each country and it’s laws? Are they going to count the absurd “religious crimes” there as the same as more egregious crimes like ransomware?
It actually would behoove these groups to codify and communicate their positions on this wholesale now because the issue isn’t going to go away.
As this thread had shown, there are dozens of serious questions for them to answer. Not least of which is the fact since you are not a criminal until a court has found you guilty , who are they calling criminal?
This makes perfect sense to me. If you plug your phone in to your car and give it permission to access all your shit, then it will access all your shit, and store it locally so that it doesn’t have to re-download all your shit every time. If you don’t want your car to do that, then don’t plug in your phone and give it permission to do that.
Having said that, it is terrifying how much of our personal data modern cars collect. We should be fighting that, but this specific case was not the way to do that.
Seriously, these cases seem like giant nothingburgers.
Did you expect that your car wouldn’t have your text message when it’s displaying it on the screen or reading it out loud?
Now, is there malicious intent? Can they be retrieved by technicians at the dealership if your phone isn’t plugged in? Is it forwarding them back to Honda Corporate or Zuck himself? If so, that’s a significant problem that would probably belong to Android Auto and Apple CarPlay…they should be storing them encrypted and only be able to decrypt them when the phone is connected. But I don’t see any mention of that in the article.
I expect to have access to all of my data that the system retains. I expect them to not share my text messages with anyone else. I expect to have the ability to manually delete data.
I prefer that it doesn’t retain information any longer than I have use for it.
But tons of stuff would have to get sync’s every time you connect your phone. Better to have them cached, encrypted at rest, decrypted by key stored in the phone, and just do a diff-sync.
This should be very easily possible with CarPlay and Android Auto. I have no idea if it does or not. But as Apple and Android both control both their respective app and the OS of the attached phone, there’s no reason it can’t (and even pre-compile diff packages for known cars, or expire and purge both sides after X days without a connection)
That may not be true for regular old Bluetooth though…which likely has more to gain in performance from caching the resources due to BTs limited throughput, but also has to conform to standards.
What would even need to be cached? Text is text, you shouldn’t need MMS besides maybe voice, media is streaming anyway, and maps are, again, text. Anything else, your phone is easier and faster, and probably works better.
There’s really no reason to cache anything more than a day old. And if you’re using Android Auto, the car shouldn’t need to store anything. It all goes through your phone.
"Many car manufacturers are selling car owners’ data to advertisers as a revenue boosting tactic, according to earlier reporting by Recorded Future News. "
So yeah at least some of them collecting it are then selling it
Their citation for that is their own article, which doesn’t mention anything about selling data from phones, but does talk about cars generating upwards of 25GB per hour of raw telemetry data. Again, mostly uncited.
The point of that line is to drive intra-site clicks and mislead you into getting more upset and drive the ever important “engagement”. Unfortunately a common theme in modern media.
The article specifically mentions this which implies that it’s stored on the car.
Berla’s software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access
But it’s immediately followed up with
Many car manufacturers are selling car owners’ data to advertisers as a revenue boosting tactic
Pretty much all new cars being sold today, most cars in the last 5 years, and a large percentage of cars sold in the last 10 all have some sort of cellular modem that reports back to home base with all sorts of info, then they turn around and sell it. GM has been doing this for 20+ years at this point with on star which is included in almost every car they’ve made.
Sure, but from what I’m seeing, the article wasn’t about them selling it. It was about them storing it, which only happens after you plug your phone in and agree to their terms.
auto manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record and intercept customers’ private text messages and mobile phone call logs.
But the appellate judge ruled Tuesday that the interception and recording of mobile phone activity did not meet the Washington Privacy Act’s standard
Privacy is a fundamental human right.
Just not in Usa, as it seems. Here it is indeed the law that needs to be fixed.
Oh nice, so people are spending $30,000 min on any new car AND it will record and pass on everything you do in it? Oh and depending on the car manufacturer you may have to pay a subscription for remote entry and heated seats. Its almost as if you are paying for something that you don’t control, don’t own and now works directly to steal information from you. Cool. Cool.
“In order to claim damages, there must be a breach in the duty of the defendant towards the plaintiff, which results in an injury”
Basically the judge is saying the plaintiff didn’t establish the basic foundation of a tort case. He’s not saying this isn’t wrong, he’s saying they didn’t present the case in a way that proves it.
It’s not enough to say “you shouldn’t be doing this”–even if that’s true.
Take a page from the conservative/GOP playbook and just find an activity judge who will wholesale accept your fabricated claim and provide a favorite judgement.
I myself am fine with the ruling, but only if we get a full-ownership deal on the car, and can legally completely gut and replace parts that do that. Also, the car should be sold with a warning label regarding these issues.
the question here is, on it’s face does an invasion of privacy constitute an injury? I’d argue that yes, it does. Privacy has inherent value, and that value is lost the moment that private data is exposed. That’s the injury that needs to be redressed, regardless of whether or how the exposed data is used after the exposure. There could be additional injury in how the data is used, and that would have to be adjudicated and compensated separately, but losing the assurance that my data can never be used against me because it is only know to me is absolutely an injury in and of itself.
For privacy to have inherent value, it first must be an established, inherent right. Unfortunately, the Constitution doesn’t talk about it to my knowledge. I’ve always inferred that our rights against unlawful search and seizure basically encapsulate the concept, but whatever.
The rights in the fourth amendment are generally a limit on the government, not what a third party does when it has a TOS/contract with you allowing it to do things.
I'd be interested in seeing the number of E2EE enabled accounts used for criminal activity versus the number of regular ol' free Gmail, Yahoo, Outlook etc accounts. Governments absolutely have a hate-on for E2EE, so the police calling out these services specifically raises questions of motive.
Not that we should not be shutting down criminals... but this sort of framing tends to suggest that E2EE services are inherently criminal enabling, and that does not feel like a mistake.
Forgive my question, but if the email is encrypted and the service is unable to read it, how are they sure the accounts in question are criminal? How would they know any account was?
This is confusing to me so I am grateful for any insight.
There’s typically reason to suspect the account owner first. They’re not trawling through random accounts, law enforcement doesn’t have the time or authority to do that. Note that intelligence agencies are not law enforcement, I’m not talking about what some spy agencies might do.
Since this is law enforcement, typically you don’t have a verdict to rely on, but they’d have a warrant or subpoena to get the necessary evidence to further the case.
If an email address is being used for fraud, they don't need to see the encrypted copy; they can see the copy sent out to other people from that address. So if I send you a message from my Protonmail to your Gmail, the following is true:
Copy @ Protonmail: E2EE.
Copy @ Gmail: NOT E2EE.
There are other, circumstantial ways to tell as well. If you're trying to scam people with DudeBro Cryptocurrency, you necessarily reveal the address you use when you send our your spam or scams. If I send malware from notactuallydiotima@proton.me, the proof that I sent the malware does not require you to see my server stored mail; you can just look at your own copy to see.
Yes, the “to address” cannot be encrypted as it is necessary to deliver the mail, the “from address” are needed to send a notification when the “to address” doesn’t exist.
Technically, the “from address” probably can be encrypted, like in signal; but I think it is required in the current email standard.
Surely Proton also receives the mails in plaintext? There’s no E2EE about it. You have to take their word that they encrypt it and discard the plaintext data.
I’d like to know more about the specifics involved. I’ve migrated my whole suite over to Proton and just want to know the specifics here. Guess I won’t know until Proton decides to frame their answer in a blogpost.
You don’t need that: Proton will only surrender accounts/information to local authorities with the appropriate paperwork - and that’s their selling point on privacy, swiss law being pretty protective of privacy ; in this case, a corpus of evidence has been submitted by a recognized foreign entity & considered valid for action in regard to swiss law.
That’s what makes proton secure for journalists, political opponents and such: no swiss judge will enable any random dictator to get a dissident’s info, it won’t fly with swiss law. And if that escalates to bogus criminal charges, it is still up to a swiss judge to decide how and if to proceed.
You put your trust in Switzerland here, not in a nerdy business with an atom-smashing background.
What they really clicked is “this is bullshit and I don’t have time to read all of this, just to use something I paid for”. If companies were required by law to distill their policies into plain English and short summaries then a lot fewer people would have clicked accept. But those ToS started out as nothing more than overly long liability waivers, and over the years the corporations started sneaking more and more exploitative language into them.
Disappointing result but this seems like something for the legislature to fix. Courts aren’t always the solution, sometimes you have to just fix the damn law.
You are implying that any data gathered will be delivered to the government upon request (unsure if you are implying with or without a warrant). If you can show me from this article, or even this case, regarding this privacy case that that happened, then yes I agree with you and the fourth amendment applies.
But this issue is between private entities which generally precludes amendments from being applicable. Specifically, the plaintiffs alleged that the infotainment systems collected and stored personal data without consent and violated Washington’s Privacy Act.
An Annapolis, Maryland-based company, Berla Corporation, provides the technology to some car manufacturers but does not offer it to the general public, the lawsuit said. Once messages are downloaded, Berla’s software makes it impossible for vehicle owners to access their communications and call logs but does provide law enforcement with access, the lawsuit said.
The Fourth Amendment will affect police, but it won’t restrict a random person who is given access to something from turning over whatever data they want to police.
Say I hire a painter, and the painter is painting my house’s interior, and sees a bloody knife in my house. He can report that to the police. But, remove the painter from the picture, and the police could not enter to look for such a thing absent a warrant.
'course, the flip side of that is that if the police get a warrant, then they can enter whether I want them in the house or not, whereas the painter can only enter because I choose to let him in.
Not just police, any armed investigatory unit or state sponsored militia. The idea of a “police” force was pretty vague at the time, so the umbrella covers much more than it initially intended to.
You’re getting a bit off-track here. The scenario is this: the company that provides the software for your care collects data. This part is unconcerned with Amendment 4. Amendment 4 prohibits the State from collecting information and searching unreasonably. It does not prohibit the private company that provides the software from doing so. That is what privacy laws are intended to protect against, not Amendment 4.
Amendment 4 also does not prevent the company that collected that data from providing it to the police upon request. Amendment 4 (and the rest of the US Constitution) applies only to the State. Private companies and private individuals are not bound by it.
You’re willingly giving this data to the manufacturer, at which point they’re free to do with that data whatever they please, according to the terms of the agreement you sign, including giving that data to government authorities. The government isn’t unlawfully searching and seizing because they aren’t even forcing the manufacturer to give up the data, they are freely giving it as they are allowed.
This isn’t to say I’m defending the privacy violations or the government, but it is the case that this situation isn’t protected by the constitution, we have to and should make a specific law for it.
Amendment 4 does not apply to the practices of a private company. That’s what privacy legislation is intended to protect against. Amendment 4 only applies to spying done by the State.
If you want to call it that, you can. The State spying by proxy (paying or asking companies for info) is legal and not prohibited by Amendment 4. Amendment 4 does not protect the subjects of information. It protects the controllers of information (which would be the car company).
If the purpose of collecting the data by private companies is to somehow make money, do you think that sharing this data, or conclusions based on this data, somehow manages to exclude access of governmental agencies? I’ve never gotten the impression that CIA/NSA would ever willingly play nice.
Government agencies paying private companies for your information, or even just asking for it in exchange for something or nothing is legal. That’s because nothing was searched unreasonably (because consent was given by the controller of the information) nor was anything seized against the controller’s will.
You are not in the picture. The information might be about you but you don’t control the information, the car company does. From a legal standpoint, you are irrelevant for the purposes of Amendment 4 protection.
Amendment 4 protects the controller of the information from Government seizure but does not protect the subject of that information. Privacy laws are what are intended to protect the subjects of information. There is some overlap of course. For example, your computer has lots of information about you and what you did in the past. You would be both the subject of the information and the controller (since it’s stored on your computer).
Please remember, I am describing what the law is, not what it should be.
Correct and it is not illegal. It is an invasion of privacy but the law doesn’t prohibit that. Amendment 4 covers the Government doing it without the permission of the person who controls the information. It refers to “can the Government bust in or sneak in to get info”, not “can the Government make clandestine deals to buy info for surveillance purposes”.
Just like with the first amendment, it doesn’t apply to private companies. The point is to prevent the government from passing tyrannical laws, it was never meant to district the activity of private citizens.
It sounds like someone needs to bring a similar suit in the EU and point to the GDPR. Where is the agreement to specific processing, the chance to opt out of the data collection, etc.
Warrants are required for U.S. Mail. Likewise, the government should not have warrantless access to all electronic communication. It’s an outrageous position.
Interesting piece. It’s a bit weirdly worded in that it suggests that the police shut the accounts when really it’s Mega, Proton, Tuta who are closing the accounts. Presumably the police tell those companies which accounts are being used for illegal purposes and then those companies then close the accounts. I was a bit alarmed at first because it sounded like the authorities were closing the accounts when that’s not really the case.
therecord.media
Top