• chevron_right

      Contact publication

      blabla.movim.eu / slixfeed · Tuesday, 30 April - 21:41 edit





    <p><a class="mention hashtag" href="https://fosstodon.org/tags/Networks" rel="tag">#<span>Networks</span></a> like <a class="mention hashtag" href="https://fosstodon.org/tags/I2P" rel="tag">#<span>I2P</span></a> serve useful to <a class="mention hashtag" href="https://fosstodon.org/tags/OSINT" rel="tag">#<span>OSINT</span></a> <a class="mention hashtag" href="https://fosstodon.org/tags/investigations" rel="tag">#<span>investigations</span></a>, <a class="mention hashtag" href="https://fosstodon.org/tags/Journalism" rel="tag">#<span>Journalism</span></a>, and <a class="mention hashtag" href="https://fosstodon.org/tags/activism" rel="tag">#<span>activism</span></a> (<a class="mention hashtag" href="https://fosstodon.org/tags/clearnet" rel="tag">#<span>clearnet</span></a> conns can be more private using <a class="mention hashtag" href="https://fosstodon.org/tags/outproxy" rel="tag">#<span>outproxy</span></a> in I2P).</p><p>You can customize your routing experience, even change number of hops, banning and unbanning routers based on suspicious behavior! 😎 </p><p>💡 TIP: take advantage of using both I2P &amp; <a class="mention hashtag" href="https://fosstodon.org/tags/Tor" rel="tag">#<span>Tor</span></a> browser set up - spreading the risk to personal <a class="mention hashtag" href="https://fosstodon.org/tags/privacy" rel="tag">#<span>privacy</span></a> / <a class="mention hashtag" href="https://fosstodon.org/tags/anonymity" rel="tag">#<span>anonymity</span></a> (+ avoid blocks).</p><p>Right now I2P is under attack: help by running i2p!</p><p><a class="mention hashtag" href="https://fosstodon.org/tags/infosec" rel="tag">#<span>infosec</span></a> <a class="mention hashtag" href="https://fosstodon.org/tags/cybersecurity" rel="tag">#<span>cybersecurity</span></a></p>
    • chevron_right

      CJEU Gives File-Sharer Surveillance &#038; Data Retention a Green Light

      news.movim.eu / TorrentFreak · Tuesday, 30 April - 19:13 · 7 minutes

    Spy As part of anti-piracy scheme featuring warning letters, fines, and ISP disconnections, France has monitored and stored data on millions of internet users since 2010.

    Digital rights groups insist that as a general surveillance and data retention scheme, the ‘Hadopi’ program violates fundamental rights.

    Any program that monitors citizens’ internet activities, retains huge amounts of data, and then links identities to IP addresses, must comply with EU rules. Activists said that under EU law, only “serious crime” qualifies and since petty file-sharing fails to make the grade, the whole program represents a mass violation of EU citizens’ fundamental rights.

    Surveillance and Serious Crime

    Seeking confirmation at the highest level, La Quadrature du Net, Federation of Associative Internet Service Providers, French Data Network, and Franciliens.net, began their challenge in France . The Council of State referred the matter to the Constitutional Council, which in turn referred questions to the Court of Justice of the European Union (CJEU) for interpretation under EU law.

    EU member states may not pass national laws that allow for the general and indiscriminate retention of traffic and location data. Retention of traffic and location data is permitted on a targeted basis as a “preventative measure” but only when the purpose of retention is to fight “serious crime.”

    In his non-binding opinion , CJEU Advocate General Szpunar described Hadopi’s access to personal data corresponding to an IP address as a “serious interference with fundamental rights,” the clearest sign yet that the right to privacy had already taken a blow.

    CJEU judgments have balanced citizens’ rights and rightsholders’ right to copy many times over the years but here, case law was deemed potentially problematic. In fact so much so, AG Szpunar proposed “readjustment of the case-law of the Court” to ensure that rightsholders would not be left in a position where it was impossible to enforce their rights on BitTorrent and similar networks.

    EU Law Shouldn’t Rule Surveillance Out

    By last September, it was clear that a legal basis needed to be found to allow Hadopi and similar programs to continue. For example, the fluid nature of dynamic IP addresses was mentioned as an obstacle to comprehensive tracking.

    Well-constructed arguments stated that balance could be found in securing the harvested data and, to protect fundamental rights, limitations on how much data could be used in the event an alleged file-sharer was prosecuted.

    Ultimately, however, when infringement occurs exclusively online, an IP address may be the only means to track down an alleged infringer, leading to the conclusion that retention and access to civil identifying data is both “necessary” and “wholly proportionate.”

    Copyrights Trump Privacy Rights

    In its decision handed down Tuesday, initially only in French, the CJEU leaves no stone unturned in delivering a win for rightsholders. Despite the problematic case law, the judgment builds a framework for how monitoring and data retention can be conducted within the requirements of EU law.

    The judgment deals with three key questions, summarized as follows:

    1. Is civil identity data corresponding to an IP address included among the traffic and location data which, in principle, requires prior review by a court or administrative entity?

    2. If yes, is EU law to be interpreted as precluding national legislation that provides for the collection of such data, corresponding to users’ IP addresses, without prior review by a court or administrative entity?

    3. If yes, does EU law preclude the review from being performed in an adapted fashion, for example as an automated review?

    In other words, are member states precluded from having a national law that authorizes a copyright authority to access stored IP addresses and civil identity data relating to users, collected by rightsholders monitoring their activities on the internet, for the purpose of taking further action, without a review by a court or administrative body?

    Data collected includes date and time of alleged infringement, IP address, peer-to-peer protocol, user pseudonym, details of copyright works, filename, ISP name.

    Ensuring Privacy and Data Security

    The judgment notes that IP addresses can constitute both traffic data and personal data. However, IP addresses that are public and visible, as they are in file-sharing swarms, are not being used in connection with the provision of an ‘electronic communication service’.

    The judgment also states that, if Member States seek to impose “an obligation to retain IP addresses in a general and indiscriminate manner, in order to attain an objective linked to combating criminal offenses in general”, they should lay down clear and precise rules in legislation relating to retention of data, meeting strict requirements.

    IP and civil identity data must be separated from each other and all other data, in a secure and reliable computer system. When IP addresses and civil data need to be linked, a process that does not undermine the “watertight separation” should be used, and regularly inspected for effectiveness. When these rules are followed, even citizens’ data gathered indiscriminately cannot result in “serious interference” to fundamental rights.

    The judgment notes that EU law does not “preclude the Member State concerned from imposing an obligation to retain IP addresses, in a general and indiscriminate manner, for the purposes of combating criminal offenses in general.”

    Balancing Competing Rights

    The CJEU says that while EU citizens using internet services “must have a guarantee that their privacy and freedom of expression” will be respected, those fundamental rights are not absolute. The prevention of crime or the protection of the rights and freedoms of others may see those rights deemed less important.

    Then, with some fluidity, the CJEU pulls the rug on excuses and upgrades petty file-sharing to something, well, a bit more serious .

    To prevent crime, it may be strictly necessary and proportional for IP addresses to be captured and retained for “combating criminal offenses such as offenses infringing copyright or related rights committed online.”

    Indeed, not allowing the above “would carry a real risk of systemic impunity not only for criminal offenses infringing copyright or related rights, but also for other types of criminal offenses committed online or the commission or preparation of which is facilitated by the specific characteristics of the internet.”

    Pirate Privacy? Not Here

    The judgment adds that despite the strict security guarding private information, there’s always a chance that a person might find themselves profiled. And that, the court suggests, may be of their own making.

    [S]uch a risk to privacy may arise, inter alia, where a person engages in activities infringing copyright or related rights on peer-to-peer networks repeatedly, or on a large scale, in connection with protected works of particular types that can be grouped together on the basis of the words in their title, revealing potentially sensitive information about aspects of that person’s private life.

    Thus, in the present case, in the context of the graduated response administrative procedure, a holder of an IP address may be particularly exposed to such a risk to his or her privacy where that procedure reaches the stage at which Hadopi must decide whether or not to refer the matter to the public prosecution service with a view to the prosecution of that person for conduct liable to constitute the minor offense of gross negligence or the offense of counterfeiting.

    Throughout the course of the next few paragraphs, the judgment mentions processing data for the “prevention, investigation, detection or prosecution of criminal offenses,” and a quote from the French government stating that “the measures adopted by Hadopi in the context of the graduated response procedure ‘are of a pre-criminal nature directly linked to the judicial proceedings’.”

    That leads to the predictable conclusion that EU law does not preclude national legislation that allows for the surveillance of internet users and the retention of their data, for the purpose of identifying users and taking legal action against them.

    Member states just need to follow the rules to ensure that those who didn’t have their privacy breached when their data was collected, don’t have it breached or leaked as they wait for whatever punishment arrives in the mail.

    La Quadrature du Net says it’s disappointed with the judgment.

    “[T]his decision from the CJEU has, above all, validated the end of online anonymity. While in 2020 it stated that there was a right to online anonymity enshrined in the ePrivacy Directive, it is now abandoning it.

    Unfortunately, by giving the police broad access to the civil identity associated with an IP address and to the content of a communication, it puts a de facto end to online anonymity.”

    The judgment is available here

    From: TF , for the latest news on copyright battles, piracy and more.

    • chevron_right

      Message-scraping, user-tracking service Spy Pet shut down by Discord

      news.movim.eu / ArsTechnica · Friday, 26 April - 18:06

    Image of various message topics locked away in a wireframe box, with a Discord logo and lock icon nearby.

    Enlarge (credit: Discord)

    Spy Pet, a service that sold access to a rich database of allegedly more than 3 billion Discord messages and details on more than 600 million users, has seemingly been shut down.

    404 Media, which broke the story of Spy Pet's offerings, reports that Spy Pet seems mostly shut down . Spy Pet's website was unavailable as of this writing. A Discord spokesperson told Ars that the company's safety team had been "diligently investigating" Spy Pet and that it had banned accounts affiliated with it.

    "Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines," the spokesperson wrote. "In addition to banning the affiliated accounts, we are considering appropriate legal action." The spokesperson noted that Discord server administrators can adjust server permissions to prevent future such monitoring on otherwise public servers.

    Read 4 remaining paragraphs | Comments

    • chevron_right

      U.S. &#8220;Know Your Customer&#8221; Proposal Will Put an End to Anonymous Cloud Users

      news.movim.eu / TorrentFreak · Thursday, 25 April - 16:38 · 4 minutes

    identity-s It’s long been the case that access to certain services, whether on or offline, will only be granted when customers prove their identity.

    Often linked to financial products but in many cases basic money/goods transactions carried out online, handing over a name, address, date of birth and similar details, can increase confidence that a deal will more likely than not go according to plan. In some cases, especially when buying restricted products, proving identity can be a condition of sale.

    Yet, for many years, companies operating in the online space have been happy to do business with customers without knowing very much about them at all.

    In some cases, where companies understand that a lack of friction is valuable to the customer, an email address has long been considered sufficient. If the credit or pre-payment card eventually used to pay for a product has enough credit and isn’t stolen, there seems very little to be concerned about. For many governments, however, any level of anonymity has the capacity to cause concern, and if that means unmasking everyone to identify a few bad actors, so be it.

    Improving Detection and Prevention of Foreign Malicious Cyber Activity

    Perceived and actual threats from shadowy overseas actors are something few countries can avoid. Whether in the West or the East, reports of relatively low-key meddling through to seriously malicious hacks, even attacks on key infrastructure, are becoming a fact of modern life.

    After being under discussion for years, late January the U.S. Department of Commerce published a notice of proposed rulemaking hoping to reduce threats to the United States. If adopted, the proposal will establish a new set of requirements for Infrastructure as a Service providers (IaaS), often known as cloud infrastructure providers, to deny access to foreign adversaries.

    The premise is relatively simple. By having a more rigorous sign-up procedure for platforms such as Amazon’s AWS, for example, the risk of malicious actors using U.S. cloud services to attack U.S. critical infrastructure, or undermine national security in other ways, can be reduced. The Bureau of Industry and Security noted the following in its announcement late January.

    The proposed rule introduces potential regulations that require U.S. cloud infrastructure providers and their foreign resellers to implement and maintain Customer Identification Programs (CIPs), which would include the collection of “Know Your Customer” (KYC) information. Similar KYC requirements already exist in other industries and seek to assist service providers in identifying and addressing potential risks posed by providing services to certain customers. Such risks include fraud, theft, facilitation of terrorism, and other activities contrary to U.S. national security interests.

    While supposedly aimed at external threats, only positive identification of all customers can eliminate the possibility that an ‘innocent’ domestic user isn’t actually a foreign threat actor. Or, according to the proposal, anyone (or all people) from a specified jurisdiction at the government’s discretion. Upon notification by IaaS providers, that could include foreign persons training large artificial intelligence models “with potential capabilities that could be used in malicious cyber-enabled activity.”

    Scope of IaaS and Customer Identification Programs

    Under the proposed rule, Customer Identification Programs (CIPs) operated by IaaS providers must collect information from both existing and prospective customers, i.e. those at the application stage of opening an account. The bare minimum includes the following data: a customer’s name, address, the means and source of payment for each customer’s account, email addresses and telephone numbers, and IP addresses used for access or administration of the account.

    What qualifies as an IaaS is surprisingly broad:

    Any product or service offered to a consumer, including complimentary or “trial” offerings, that provides processing, storage, networks, or other fundamental computing resources, and with which the consumer is able to deploy and run software that is not predefined, including operating systems and applications.

    The consumer typically does not manage or control most of the underlying hardware but has control over the operating systems, storage, and any deployed applications. The term is inclusive of “managed” products or services, in which the provider is responsible for some aspects of system configuration or maintenance, and “unmanaged” products or services, in which the provider is only responsible for ensuring that the product is available to the consumer.

    And it doesn’t stop there. The term IaaS includes all ‘virtualized’ products and services where the computing resources of a physical machine are shared, such as Virtual Private Servers (VPS). It even covers ‘baremetal’ servers allocated to a single person. The definition also extends to any service where the consumer does not manage or control the underlying hardware but contracts with a third party for access.

    “This definition would capture services such as content delivery networks, proxy services, and domain name resolution services,” the proposal reads.

    The proposed rule , National Emergency with Respect to Significant Malicious Cyber-Enabled Activities , will stop accepting comments from interested parties on April 30, 2024.

    Given the implications for regular citizens, many of whom are already hanging on to what remains of their privacy, the prospect of handing over highly sensitive information just to obtain a product trial is a real concern. The potential for leaks grows with each disclosure, as does the possibility of personal information ending up for sale on the dark web.

    Which is where the threat actors will obtain other people’s credentials to masquerade as regular users when subjected to a Know Your Customer process. For IaaS services themselves, the largest will have few problems implementing customer identification programs and may even consider them useful. On one hand, they can help to stop threat actors and on the other, take the opportunity to build a database containing the personal details of every single customer.

    From: TF , for the latest news on copyright battles, piracy and more.

    • chevron_right

      Contact publication

      blabla.movim.eu / slixfeed · Tuesday, 23 April - 01:12 edit

    :darthvader: Should Our Law Enforcement Be Embracing Darth Vader-like ethics? 🤔

    How The Practices Of Hiding Illegal / Warrant-less #Surveillance Normalizes #police corruption

    HOW? Enter #ParallelConstruction #testilying / false reports / discovery / 'fruit of poisonous tree'

    Depriving defendant right to truly fair #trial 😞

    #Law #privacy #USA #BillOfRights #HumanRights #federation #Justice #FISA #IMSIcatcher #stingray #geolocation

    hrw.org/report/2018/01/09/dark

    :darthvader: Should Our Law Enforcement Be Embracing Darth Vader-like ethics? 🤔

    How The Practices Of Hiding Illegal / Warrant-less #Surveillance Normalizes #police corruption

    HOW? Enter #ParallelConstruction #testilying / false reports / discovery / 'fruit of poisonous tree'

    Depriving defendant right to truly fair #trial 😞

    #Law #privacy #USA #BillOfRights #HumanRights #federation #Justice #FISA #IMSIcatcher #stingray #geolocation

    hrw.org/report/2018/01/09/dark

    • chevron_right

      Billions of public Discord messages may be sold through a scraping service

      news.movim.eu / ArsTechnica · Wednesday, 17 April - 19:42 · 1 minute

    Discord logo, warped by vertical perspective over a phone displaying the app

    Enlarge (credit: Getty Images)

    It's easy to get the impression that Discord chat messages are ephemeral, especially across different public servers, where lines fly upward at a near-unreadable pace. But someone claims to be catching and compiling that data and is offering packages that can track more than 600 million users across more than 14,000 servers.

    Joseph Cox at 404 Media confirmed that Spy Pet, a service that sells access to a database of purportedly 3 billion Discord messages, offers data "credits" to customers who pay in Bitcoin, Ethereum, or other cryptocurrency. Searching individual users will reveal the servers that Spy Pet can track them across, a raw and exportable table of their messages, and connected accounts, such as GitHub. Ominously, Spy Pet lists more than 86,000 other servers in which it has "no bots," but "we know it exists."

    As Cox notes, Discord doesn't make messages inside server channels, like blog posts or unlocked social media feeds, easy to publicly access and search. But many Discord users many not expect their messages, server memberships, bans, or other data to be grabbed by a bot, compiled, and sold to anybody wishing to pin them all on a particular user. 404 Media confirmed the service's function with multiple user examples. Private messages are not mentioned by Spy Pet and are presumably still secure.

    Read 3 remaining paragraphs | Comments

    • chevron_right

      Leisure centres scrap biometric systems to keep tabs on staff amid UK data watchdog clampdown

      news.movim.eu / TheGuardian · Tuesday, 16 April - 05:00

    Firms such as Serco and Virgin Active pull facial recognition and fingerprint scan systems used to monitor staff attendance

    Dozens of companies including national leisure centre chains are reviewing or pulling facial recognition technology and fingerprint scanning used to monitor staff attendance after a clampdown by the UK’s data watchdog.

    In February, the Information Commissioner’s Office (ICO) ordered a Serco subsidiary to stop using biometrics to monitor the attendance of staff at leisure centres it operates and also issued more stringent guidance on the use of facial recognition and fingerprint scanning.

    Continue reading...
    • Sl chevron_right

      Contact publication

      pubsub.blastersklan.com / slashdot · Thursday, 11 April - 15:08 edit

    DuckDuckGo, the privacy-focused web search and browser company, announced on today the launch of its first subscription service, Privacy Pro. The service, priced at $9.99 per month or $99.99 per year, includes a browser-based tool that automatically scans data broker websites for users' personal information and requests its removal. The service also includes DuckDuckGo's first VPN and an identity-theft-restoration service. Available initially only in the U.S.

    Read more of this story at Slashdot.

    DuckDuckGo Launches Privacy Pro: A 3-in-1 Service That Includes a VPN
    • wifi_tethering open_in_new

      This post is public

      yro.slashdot.org /story/24/04/11/1442256/duckduckgo-launches-privacy-pro-a-3-in-1-service-that-includes-a-vpn

    • chevron_right

      Would ID cards be such a bad idea if they made things work a bit better? | Martha Gill

      news.movim.eu / TheGuardian · Saturday, 6 April - 18:00

    Libertarian politicians like Jacob Rees-Mogg are out of touch with a public comfortable with sharing its personal data

    ‘Britain has never been a ‘papers, please’ society,” said Jacob Rees-Mogg, speaking on his GB News radio show last week. “I’ve always loved the quotation from the historian AJP Taylor, who wrote that ‘until August 1914, a sensible, law-abiding Englishman could pass through life and hardly notice the existence of the state beyond the post office and the policeman’. But the world has changed… is it time to sacrifice freedom for administrative efficiency, and bow down to po-faced officialdom?”

    What prompted this rallying cry for freedom? A subject that has ebbed in and out of public discourse for decades: whether or not every Brit should be required to carry an identity card. It ebbed in again last week when former Labour home secretary David Blunkett challenged Keir Starmer to set up a national ID scheme to tackle the small boats crisis, which in turn prompted the usual lines of debate.

    Continue reading...