The use of 'mobile phone extraction' tools enables police forces to download all of the content and data from people's phones. This can apply to suspects, witnesses and even victims -- without their knowledge.
With no clear policies or guidance on the use of this technology, individuals are unaware of their legal rights in terms of:
whether data is only taken when necessary and proportionate;
getting the police to delete this data when there is no legal reason to retain it, particularly if they are innocent of any crime;
ensuring data is held securely to prevent exposure of their personal data as a result of loss of records, misuse or security breach.
As the use of this technology is unregulated, we don't know how this data is used, how it is stored and secured, and if it's ever even deleted.
Privacy International is calling for:
the use of this intrusive technology to be properly regulated, with independent oversight so that abuse and misuse do not go undetected;
a proper warrant regime to be implemented, so that the technology cannot be used arbitrarily;
people to be informed of their rights if the police want to search their phone.
Dutch voters have rejected a law that would give spy agencies the power to carry out mass tapping of Internet traffic.
Dubbed the 'trawling law' by opponents, the legislation would allow spy agencies to install wire taps targeting an entire geographic region or avenue of communication, store information for up to three years, and share it with allied spy agencies.
The snooping law has already been approved by both houses of parliament. Though the referendum was non-binding, prime minister Mark Rutte has vowed to take the result seriously.
US Congress passes an unscrutinised bill to allow foreign countries to snoop on US internet connections, presumably so that GCHQ can pass the data back to the US, so evading a US ban on US snooping on US citizens
On Thursday, the US House approved the omnibus government spending bill, with the unscrutinised CLOUD Act attached, in a 256-167 vote. The Senate followed up late that night with a 65-32 vote in favor. All the bill requires now is the president's signature.
U.S. and foreign police will have new mechanisms to seize data across the globe. Because of this failure, your private emails, your online chats, your Facebook, Google, Flickr photos, your Snapchat videos, your private lives online, your moments
shared digitally between only those you trust, will be open to foreign law enforcement without a warrant and with few restrictions on using and sharing your information. Because of this failure, U.S. laws will be bypassed on U.S. soil.
As we wrote before, the CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:
Enable foreign police to collect and wiretap people's communications from U.S. companies, without obtaining a U.S. warrant.
Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
Allow the U.S. president to enter executive agreements that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
Allow foreign police to collect someone's data without notifying them about it.
Empower U.S. police to grab any data, regardless if it's a U.S. person's or not, no matter where it is stored.
And, as we wrote before, this is how the CLOUD Act could work in practice:
London investigators want the private Slack messages of a Londoner they suspect of bank fraud. The London police could go directly to Slack, a U.S. company, to request and collect those messages. The London police would not necessarily need prior
judicial review for this request. The London police would not be required to notify U.S. law enforcement about this request. The London police would not need a probable cause warrant for this collection.
Predictably, in this request, the London police might also collect Slack messages written by U.S. persons communicating with the Londoner suspected of bank fraud. Those messages could be read, stored, and potentially shared, all without the U.S.
person knowing about it. Those messages, if shared with U.S. law enforcement, could be used to criminally charge the U.S. person in a U.S. court, even though a warrant was never issued.
This bill has large privacy implications both in the U.S. and abroad. It was never given the attention it deserved in Congress.
Thailand's popular resort of Phuket has an ambition to turn the island into a 'smart city', according to Thailand's digital
The province may also develop an electronic wristband system for foreign tourists so their identity and location would be known in case of untoward incidents, said Digital Economy and Society Minister Pichet Durongkaveroj.
He said the province has planned to develop the uses of wristbands to track tourists and to use Big Data to analyse information about tourists' habits.
He said the Phuket command centre would also link to all CCTVs on the island to work with face-recognition software to guard against crimes as well as to collect the data of tourists who use public boat services.
19th March 2018. Thanks to Dave
Why are the Thai Authorities doing everything they can to Alienate Tourists and Expats?
Raiding Darts Clubs, Bridge Clubs, putting them in Gaol for Smoking on the Beach.
The Police are constantly stopping Tourists on Scooters looking for international Driving Licenses, which were never needed before.
Now wristbands to track Tourists' movements, registering Mobile Phones with your Passport.
Thailand is turning into another North Korea. The sooner we have Elections and get rid of the Army the better.
The convenience store 7-Eleven is rolling out artificial intelligence at its 11,000 stores across Thailand.
7-Eleven will use facial-recognition and behavior-analysis technologies for multiple purposes. The ones it has decided to reveal to the public are to identify loyalty members, analyze in-store traffic, monitor product levels, suggest products to
customers, and even measure the emotions of customers as they walk around.
The company announced it will be using technology developed by US-based Remark Holdings, which says its facial-recognition technology has an accuracy rate of more than 96%. Remark, which has data partnerships with Alibaba, Tencent, and Baidu, has
a significant presence in China.
The rollout at Thailand's 7-Eleven stores remains unique in scope. It could potentially be the largest number of facial-recognition cameras to be adopted by one company. No corporate entity is so entrenched in Thai lives, according to a report
from Public Radio International. And that may be crucial not only to the success of facial recognition in 7-Eleven stores in Thailand, but across the region.
EFF and 23 other civil liberties organizations sent a letter to Congress urging Members and Senators to oppose the CLOUD Act and any efforts to attach it to other legislation.
The CLOUD Act (S. 2383 and H.R. 4943) is a dangerous bill that would tear away global privacy protections by allowing police in the United States and abroad to grab cross-border data without following the privacy rules of where the data is stored. Currently, law enforcement requests
for cross-border data often use a legal system called the Mutual Legal Assistance Treaties, or MLATs. This system ensures that, for example, should a foreign government wish to seize communications stored in the United States, that data is
properly secured by the Fourth Amendment requirement for a search warrant.
The other groups signing the new coalition letter against the CLOUD Act are Access Now, Advocacy for Principled Action in Government, American Civil Liberties Union, Amnesty International USA, Asian American Legal Defense and Education Fund
(AALDEF), Campaign for Liberty, Center for Democracy & Technology, CenterLink: The Community of LGBT Centers, Constitutional Alliance, Defending Rights & Dissent, Demand Progress Action, Equality California, Free Press Action Fund,
Government Accountability Project, Government Information Watch, Human Rights Watch, Liberty Coalition, National Association of Criminal Defense Lawyers, National Black Justice Coalition, New America's Open Technology Institute, OpenMedia, People
For the American Way, and Restore The Fourth.
The CLOUD Act allows police to bypass the MLAT system, removing vital U.S. and foreign country privacy protections. As we explained in our earlier letter to Congress, the CLOUD Act would:
Allow foreign governments to wiretap on U.S. soil under standards that do not comply with U.S. law;
Give the executive branch the power to enter into foreign agreements without Congressional approval or judicial review, including foreign nations with a well-known record of human rights abuses;
Possibly facilitate foreign government access to information that is used to commit human rights abuses, like torture; and
Allow foreign governments to obtain information that could pertain to individuals in the U.S. without meeting constitutional standards.
The CLOUD Act creates a new channel for foreign governments seeking data about non-U.S. persons who are outside the United States. This new data channel is not governed by the laws of where the data is stored. Instead, the foreign police may
demand the data directly from the company that handles it. Under the CLOUD Act, should a foreign government request data from a U.S. company, the U.S. Department of Justice would not need to be involved at any stage. Also, such requests for data
would not need to receive individualized, prior judicial review before the data request is made.
The CLOUD Act's new data delivery method lacks not just meaningful judicial oversight, but also meaningful Congressional oversight, too. Should the U.S. executive branch enter a data exchange agreement--known as an "executive
agreement"--with foreign countries, Congress would have little time and power to stop them. As we wrote in our letter:
"[T]he CLOUD Act would allow the executive branch to enter into agreements with foreign governments--without congressional approval. The bill stipulates that any agreement negotiated would go into effect 90 days after Congress was notified
of the certification, unless Congress enacts a joint resolution of disapproval, which would require presidential approval or sufficient votes to overcome a presidential veto."
And under the bill, the president could agree to enter executive agreements with countries that are known human rights abusers.
Troublingly, the bill also fails to protect U.S. persons from the predictable, non-targeted collection of their data. When foreign governments request data from U.S. companies about specific "targets" who are non-U.S. persons not living
in the United States, these governments will also inevitably collect data belonging to U.S. persons who communicate with the targeted individuals. Much of that data can then be shared with U.S. authorities, who can then use the information to
charge U.S. persons with crimes. That data sharing, and potential criminal prosecution, requires no probable cause warrant as required by the Fourth Amendment, violating our constitutional rights.
The CLOUD Act is a bad bill. We urge Congress to stop it, and any attempts to attach it to must-pass spending legislation.
The US-based global tech giant Apple Inc. is set to hand over the operation of its iCloud data center in mainland China to a local corporation called Guizhou-Cloud Big Data (GCBD) by February 28, 2018. When this transition happens, the local
company will become responsible for handling the legal and financial relationship between Apple and China's iCloud users. After the transition takes place, the role of Apple will be restricted to an investment of US one billion dollars, for the
construction of a data center in Guiyang, and for providing technical support to the center, in the interest of preserving data security.
GCBD was established in November 2014 with a RMB 235 million yuan [approximately US$ 37.5 million] registered capital investment. It is a state enterprise solely owned by Guizhou Big Data Development and Management Bureau. The company is also
supervised by Guizhou Board of Supervisors of State-owned Enterprises.
What will happen to Apple's Chinese customers once iCloud services are handed over to GCBD? In public statements, Apple has avoided acknowledging the political implications of the move:
This will allow us to continue to improve the speed and reliability of iCloud in China and comply with Chinese regulations.
Apple Inc. has not explained the real issue, which is that a state-owned big data company controlled by the Chinese government will have access to all the data of its iCloud service users in China. This will allow the capricious state apparatus to
jump into the cloud and look into the data of Apple's Chinese users.
Over the next few weeks, iCloud users in China will receive a notification from Apple, seeking their endorsement of the new service terms. These "iCloud (operated by GCBD) terms and conditions" have a newly added paragraph, which reads:
If you understand and agree, Apple and GCBD have the right to access your data stored on its servers. This includes permission sharing, exchange, and disclosure of all user data (including content) according to the application of the law.
In other words, once the agreement is signed, GCBD -- a company solely owned by the state -- would get a key that can access all iCloud user data in China, legally.
Apple's double standard
Why would a company that built its reputation on data security surrender to the Chinese government so easily?
I still remember how in February 2016, after the attack in San Bernardino, Apple CEO Tim Cook withstood pressure from the US Department of Justice to build an iPhone operating system that could circumvent security features and install it in the
iPhone of the shooter. Cook even issued an open letter to defend the company's decision.
Apple's insistence on protecting user data won broad public support. At the same time, it was criticized by the Department of Justice, which retorted that the open letter "appears to be based on its concern for its business model and public brand marketing strategy."
This comment has proven true today, because it is clear that the company is operating on a double standard in its Chinese business. We could even say that it is bullying the good actor while being terrified by the bad one.
Apple Inc. and Tim Cook, who had once stayed firm against the US government, have suddenly become soft in front of the Chinese government. Faced with the unreasonable demand put forward by the Chinese authorities, Apple has not demonstrated a will to
resist. On the contrary, it is giving people the impression that it will do whatever is needed to please the authorities.
Near the end of 2017, Apple Inc. admitted it had removed 674 VPN apps from the Chinese App Store. These apps are often used by netizens for circumventing the Great Firewall (blocking of overseas websites and content). Skype
from the Chinese App Store. And Apple's submission to the Chinese authorities' requests generated a feeling of "betrayal" among Chinese users.
Some of my friends from mainland China have even decided to give up using Apple mobile phones and shifted to other mainland Chinese brands. Their decision, in addition to the price, is mainly in reaction to Apple's decision to take down VPN apps
from the Chinese Apple store.
Some of these VPN apps can still be downloaded from mobile phones that use the Android system. This indicates that Apple is not "forced" to comply. People suspect that it is proactively performing an "obedient" role.
The handover of China iCloud to GCBD is unquestionably a performance of submission and kowtow. Online, several people have quipped: "the Chinese government is asking for 50 cents, Apple gives her a dollar."
Selling the iPhone in China
Apple says the handover is due to new regulations that cloud servers must be operated by a local corporation. But this is unconvincing. China's Cybersecurity Law, which was implemented on June 1, 2017, does demand that user information and data
collected in mainland China be stored within the border. But it does not require that the data center be operated by a local corporation.
In other words, even according to Article 37 of the Cybersecurity Law, Apple does not need to hand over the operation of iCloud services to a local corporation, to say nothing of the fact that the operator is solely owned by the state. Though
Apple may have to follow the "Chinese logic" or "unspoken rule", the decision looks more like a strategic act, intended to insulate Apple from financial, legal and moral responsibility to their Chinese users, as stated in the
new customer terms and conditions on the handover of operation. It only wants to continue making a profit by selling iPhone in China.
Many people have encountered similar difficulties when doing business in China -- they have to follow the authorities' demands. Some even think that it is inevitable and therefore reasonable. For example, Baidu's CEO Robin Li said in
a recent interview with Time Magazine, "That's our way of doing business here".
I can see where Apple is coming from. China is now the third largest market for the iPhone. While confronting vicious competition from local brands, the future growth of iPhone in China has been threatened.
And unlike in the US, if Apple does not submit to China and comply with the Cybersecurity Law, the Chinese authorities can use other regulations and laws like the Encryption Law of the People's Republic of China (drafting) and Measures for
Security Assessment of Cross-border Data Transfer (drafting) to force Apple to yield.
However, as the world's biggest corporation in market value which has so many loyal fans, Apple's performance in China is still disappointing. It has not even tried to resist. On the contrary, it has proactively assisted [Chinese authorities] in
selling out its users' private data.
Assisting in the making of a 'Cloud Dictatorship'
This is perhaps the best result that China's party-state apparatus could hope for. In recent years, China has come to see big data as a strategic resource for its diplomacy and for maintaining domestic stability. Big data is as important as
military strength and ideological control. There is even a new political term "Data-in-Party-control" coming into use.
As an Apple fan, I lament the fact that Apple has become a key multinational corporation offering its support to the Chinese Communist Party's engineering of a "Cloud Dictatorship". It serves as a very bad role model: Now that Apple has
kowtowed to the CCP, how long will other tech companies like Facebook, Google and Amazon be able to resist the pressure?
This week, Senators Hatch, Graham, Coons, and Whitehouse introduced a bill that diminishes the data privacy of people around the world.
The Clarifying Overseas Use of Data (CLOUD) Act expands American and foreign law enforcement's ability to target and access people's data across international borders in two ways. First, the bill creates an explicit provision for U.S. law enforcement (from a local police department to
federal agents in Immigration and Customs Enforcement) to access "the contents of a wire or electronic communication and any record or other information" about a person regardless of where they live or where that information is located
on the globe. In other words, U.S. police could compel a service provider--like Google, Facebook, or Snapchat--to hand over a user's content and metadata, even if it is stored in a foreign country, without following that foreign country's privacy
Second, the bill would allow the President to enter into "executive agreements" with foreign governments that would allow each government to acquire users' data stored in the other country, without following each other's privacy laws.
For example, because U.S.-based companies host and carry much of the world's Internet traffic, a foreign country that enters one of these executive agreements with the U.S. could potentially wiretap people located anywhere on the globe (so long
as the target of the wiretap is not a U.S. person or located in the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government. This is
an enormous erosion of current data privacy laws.
This bill would also moot legal proceedings now before the U.S. Supreme Court. In the spring, the Court will decide whether or not current U.S. data privacy laws allow U.S. law enforcement to serve warrants for information stored outside the
United States. The case, United States v. Microsoft (often called "Microsoft Ireland"), also calls into question principles of international law, such as respect for other countries' territorial boundaries and their rule of law.
Notably, this bill would expand law enforcement access to private email and other online content, yet the Email Privacy Act, which would create a warrant-for-content requirement, has still not passed the Senate, even though it has enjoyed
in the House for the past two years
The CLOUD Act and the US-UK Agreement
The CLOUD Act's proposed language is not new. In 2016, the Department of Justice first proposed legislation that would enable the executive branch to enter into bilateral agreements with foreign governments to allow those foreign governments direct access to U.S. companies and U.S. stored data. Ellen Nakashima at the Washington Post
the story that these agreements (the first iteration has already been negotiated with the United Kingdom) would enable foreign governments to wiretap any communication in the United States, so long as the target is not a U.S. person. In
, the Justice Department re-submitted the bill for Congressional review, but added a few changes: this time including broad language to allow the extraterritorial application of U.S. warrants outside the boundaries of the United States.
In September 2017, EFF, with a coalition of 20 other privacy advocates, sent a letter to Congress opposing the Justice Department's revamped bill.
The executive agreement language in the CLOUD Act is nearly identical to the language in the DOJ's 2017 bill. None of EFF's concerns have been addressed. The legislation still:
Includes a weak standard for review that does not rise to the protections of the warrant requirement under the 4th Amendment.
Fails to require foreign law enforcement to seek individualized and prior judicial review.
Grants real-time access and interception to foreign law enforcement without requiring the heightened warrant standards that U.S. police have to adhere to under the Wiretap Act.
Fails to place adequate limits on the category and severity of crimes for this type of agreement.
Fails to require notice on any level -- to the person targeted, to the country where the person resides, and to the country where the data is stored. (Under a separate provision regarding U.S. law enforcement extraterritorial orders, the bill
allows companies to give notice to the foreign countries where data is stored, but there is no parallel provision for company-to-country notice when foreign police seek data stored in the United States.)
The CLOUD Act also creates an unfair two-tier system. Foreign nations operating under executive agreements are subject to minimization and sharing rules when handling data belonging to U.S. citizens, lawful permanent residents, and corporations.
But these privacy rules do not extend to someone born in another country and living in the United States on a temporary visa or without documentation. This denial of privacy rights is unlike other U.S. privacy laws. For instance, the Stored Communications Act protects all members of the "public" from the unlawful disclosure of their personal communications.
An Expansion of U.S. Law Enforcement Capabilities
The CLOUD Act would give unlimited jurisdiction to U.S. law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it. This applies to content, metadata, and subscriber information --
meaning private messages and account details could be up for grabs. The breadth of such unilateral extraterritorial access creates a dangerous precedent for other countries who may want to access information stored outside their own borders,
including data stored in the United States.
EFF argued on this basis (among others) against unilateral U.S. law enforcement access to cross-border data, in our Supreme Court
in the Microsoft Ireland case.
When data crosses international borders, U.S. technology companies can find themselves caught in the middle between the conflicting data laws of different nations: one nation might use its criminal investigation laws to demand data located beyond
its borders, yet that same disclosure might violate the data privacy laws of the nation that hosts that data. Thus, U.S. technology companies lobbied for and received provisions in the CLOUD Act allowing them to move to quash or modify U.S. law
enforcement orders for extraterritorial data. The tech companies can quash a U.S. order when the order does not target a U.S. person and might conflict with a foreign government's laws. To do so, the company must object within 14 days, and undergo
a complex "comity" analysis -- a procedure where a U.S. court must balance the competing interests of the U.S. and foreign governments.
Failure to Support Mutual Assistance
Of course, there is another way to protect technology companies from this dilemma, which would also protect the privacy of technology users around the world: strengthen the existing international system of Mutual Legal Assistance Treaties (MLATs).
This system allows police who need data stored abroad to obtain the data through the assistance of the nation that hosts the data. The MLAT system encourages international cooperation.
It also advances data privacy. When foreign police seek data stored in the U.S., the MLAT system requires them to adhere to the Fourth Amendment's warrant requirements. And when U.S. police seek data stored abroad, it requires them to follow the
data privacy rules where the data is stored, which may include important "necessary and proportionate" standards. Technology users are most protected when police, in the pursuit of cross-border data, must satisfy the privacy standards of both countries.
While there are concerns from law enforcement that the MLAT system has become too slow, those concerns should be addressed with improved resources, training, and streamlining.
The CLOUD Act raises dire implications for the international community, especially as the Council of
is beginning a process to review the MLAT system that has been supported for the last two decades by the Budapest Convention. Although Senator Hatch has in the past introduced
that would support the MLAT system, this new legislation fails to include any provisions that would increase resources for the U.S. Department of Justice to tackle its backlog of MLAT requests, or otherwise improve the MLAT system.
A growing chorus of privacy groups in the United States opposes the CLOUD Act's broad expansion of U.S. and foreign law enforcement's unilateral powers over cross-border data. For example, Sharon Bradford Franklin of
(and the former executive director of the U.S. Privacy and Civil Liberties Oversight Board) objects that the CLOUD Act will move law enforcement access capabilities "in the wrong direction, by sacrificing digital rights."
and Access Now
also oppose the bill.
Sadly, some major U.S. technology companies and legal scholars support the legislation. But, to set the record straight, the CLOUD Act is not a "good
." Nor does it do a "remarkable job of balancing these interests in ways that promise long-term gains in both privacy and security." Rather, the legislation reduces protections for the personal privacy of technology users in an attempt to mollify tensions between law
enforcement and U.S. technology companies.
Legislation to protect the privacy of technology users from government snooping has long been overdue in the United States. But the CLOUD Act does the opposite, and privileges law enforcement at the expense of people's privacy. EFF strongly
opposes the bill. Now is the time to strengthen the MLAT system, not undermine it.
The UK's mass digital surveillance regime preceding the snoopers charter has been found to be illegal by an appeals court.
The case was brought by the Labour deputy leader, Tom Watson in conjunction with Liberty, the human rights campaign group.
The three judges said Data Retention and Investigatory Powers Act 2014 (Dripa), which paved the way for the snooper's charter legislation, did not restrict the accessing of confidential personal phone and web browsing records to investigations of
serious crime, and allowed police and other public bodies to authorise their own access without adequate oversight. The judges said Dripa was inconsistent with EU law because of this lack of safeguards, including the absence of prior review by a
court or independent administrative authority.
Responding to the ruling, Watson said:
This legislation was flawed from the start. It was rushed through parliament just before recess without proper parliamentary scrutiny. The government must now bring forward changes to the Investigatory Powers Act to ensure that hundreds of
thousands of people, many of whom are innocent victims or witnesses to crime, are protected by a system of independent approval for access to communications data. I'm proud to have played my part in safeguarding citizens' fundamental rights.
Martha Spurrier, the director of Liberty, said:
Yet again a UK court has ruled the government's extreme mass surveillance regime unlawful. This judgement tells ministers in crystal clear terms that they are breaching the public's human rights. She said no politician was above the law. When
will the government stop bartering with judges and start drawing up a surveillance law that upholds our democratic freedoms?
Matthew Rice of the Open Rights Group responded:
Once again, another UK court has found another piece of Government surveillance legislation to be unlawful. The Government needs to admit their legislation is flawed and make the necessary changes to the Investigatory Powers Act to protect the
public's fundamental rights.
The Investigatory Powers Act carves a gaping hole in the public's rights. Public bodies able to access data without proper oversight, and access to that data for reasons other than fighting serious crime. These practices must stop, the courts
have now confirmed it. The ball is firmly in the Government's court to set it right.
The House of Representatives cast a deeply disappointing vote today to extend NSA spying powers for the next six years by a 256-164 margin. In a related vote, the House also failed to adopt meaningful reforms on how the government sweeps up large swaths of data that predictably include Americans' communications.
Because of these votes, broad NSA surveillance of the Internet will likely continue, and the government will still have access to Americans' emails, chat logs, and browsing history without a warrant. Because of these votes, this surveillance will
continue to operate in a dark corner, routinely violating the Fourth Amendment and other core constitutional protections.
This is a disappointment to EFF and all our supporters who, for weeks, have spoken to defend privacy. And this is a disappointment for the dozens of Congress members who have tried to rein NSA surveillance in, asking that the intelligence
community merely follow the Constitution.
Today's House vote concerned S. 139, a bill to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA), a powerful surveillance authority the NSA relies on to sweep up countless Americans' electronic communications. EFF vehemently
opposed S. 139 for its failure to enact true reform of Section 702.
As passed by the House today, the bill:
Endorses nearly all warrantless searches of databases containing Americans' communications collected under Section 702.
Provides a narrow and seemingly useless warrant requirement that applies only for searches in some later-stage criminal investigations, a circumstance which the FBI itself has said almost never happens.
Allows for the restarting of "about" collection, an invasive type of surveillance that the NSA ended last year after being criticized by the Foreign Intelligence Surveillance Court for privacy violations.
Sunsets in six years, delaying Congress' best opportunity to debate the limits of NSA surveillance.
Sadly, the House's approval of S. 139 was its second failure today. The first was in the House's inability to pass an amendment--through a 183-233 vote--that would have replaced the text of S. 139 with the text of the USA Rights Act, a bill that
EFF is proud to support. You can read about that bill here.
The amendment to replace the text of S. 139 with the USA Rights Act was introduced by Reps. Justin Amash (R-MI) and Zoe Lofgren (D-CA) and included more than 40 cosponsors from both sides of the aisle. Its defeat came from both Republicans and
S. 139 now heads to the Senate, which we expect to vote by January 19. The Senate has already considered stronger bills
to rein in NSA surveillance, and we call on the Senate to reject this terrible bill coming out of the House.
A large number of games apps are snooping on players using the smart phone's microphone to listen to what is
playing on TV. The apps recognise TV audio and report back what is being watched to home base, supposedly to help in targeted advertising.
Software from Alphonso, a start-up that collects TV-viewing data for advertisers, is used in at least 1000 games. The games do actually seek user consent to use the microphone but users may not be fully aware of the consequences of leaving an open
mike in their house or in their children's rooms.
Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more
precisely and to try to analyze things like which ads prompted a person to go to a car dealership.
Alphonso claims that its software does not record human speech. The company claims that it did not approve of its software being used in apps meant for children. But it was, as of earlier this month, integrated in more than a dozen games like
Teeth Fixed and Zap Balloons from KLAP Edutainment in India, which describes itself as primarily focusing on offering educational games for kids and students.
The app can record audio from the microphone when the game is being played or when it is still running in the background on the phone.
Comment: Alphonso knows what you watched last summer
Technology startup Alphonso has caused widespread concern by using smartphone microphones to monitor the TV and media habits of games and apps users.
The New York Times has published a story about a company called Alphonso that has developed a technology that uses smartphone microphones to identify TV and films being played in the background. Alphonso claims not to record any conversations, but
simply listen to and encode samples of media for matching in their database. The company combines the collected data with identifiers and uses the data to target advertising, audience measurement and other purposes. The technology is embedded in
over one thousand apps and games but the company refuses to disclose the exact list.
Alphonso argues that users have willingly given their consent to this form of spying on their media consumption and can opt out at any time. They argue that their behaviour is consistent with US laws and regulations.
Even if Alphonso were not breaking any laws here or in the US, there is a systemic problem with the growing intrusion of these types of technologies that monitor ambient sounds in private spaces without sufficient public debate. Apps are sneaking
this kind of surveillance in, using privacy mechanisms that clearly cannot cope. This is despite the apps displaying a widget asking for permission to use the microphone to detect TV content, which would be a "clear affirmative action"
for consent as required by law. Something is not working, and app platforms and regulators need to take action.
In addition to the unethical abuse of users' lack of initiative or ignorance - a bit like tobacco companies - there could be some specific breaches of privacy. The developers are clearly following the letter of the law in the US, obtaining consent
and providing an opt out, but in Europe they could face more trouble, particularly after May when the General Data Protection Regulation (GDPR) comes into force.
One of the newer requirements on consent under GDPR will be to make it as easy to withdraw as it was to give it in the first place. Alphonso has a web-page with information on how to opt out through the privacy settings of devices, and this
information is copied in at least some of the apps' privacy policies, buried under tons of legalese. This may not be good enough. Besides, once that consent is revoked, companies will need to erase any data obtained if there is no other legitimate
justification to keep it. It is far from clear this is happening now, or will be in May.
There is also a need for complete clarity on who is collecting the data and being responsible for handling any consent and its revocation. At present the roles of app developers, Apple, Google and Alphonso are blurred.
We have been asked whether individuals can take legal action. We think that under the current regime in the UK this may be difficult because the bar is quite high and the companies involved are covering the basic ground. GDPR will make it easier
to launch consumer complaints and legal action. The new law will also explicitly allow non-material damages, which is possible already in limited circumstances, including for revealing "political opinions, religion or philosophical
beliefs". Alphonso is recording the equivalent of a reading list of audiovisual media and might be able to generate such information.
Many of these games are aimed at children. Under GDPR, all data processing of children's data is seen as entailing a risk and will need extra care. Whether children are allowed to give consent or must get it from their parents/guardians will depend
on their age. In all cases information aimed at children will need to be displayed in a language they can understand. Some of the Alphonso games we checked have an age rating of 4+.
Consumer organisations have presented complaints in the past for similar issues in internet connected toys and we think that Alphonso and the developers involved should be investigated by the Information Commissioner.