TIME technology

How US Companies Help Central Asian Autocrats Eavesdrop

A Long Island firm is helping Kazakhstan and Uzbekistan clamp down on dissent

American companies are supplying technology that the governments of Kazakhstan and Uzbekistan are using to spy on their citizens’ communications and clamp down on dissent, according to a new report from the UK-based advocacy group Privacy International.

Verint Systems, a manufacturer of surveillance systems headquartered in Melville, N.Y., has sold software and hardware to Kazakhstan and Uzbekistan that is capable of mass interception of telephone, mobile, and Internet networks, the group alleged in its Nov. 20 report. It also provided the training and technical support needed to run them, the report said.

Verint, which claims customers in 180 nations, in turn sought decryption technology made by a firm in California, Netronome, as it helped the Uzbek government attempt to crack the encryption used by Gmail, Facebook, and other popular sites, according to the report.

The report’s overall message is that countries in Central Asia – including also Turkmenistan and Kyrgyzstan – regarded as among the world’s most autocratic are getting Western help to install, on a much smaller scale, some of the same advanced mass interception techniques that Edward Snowden revealed are used by the National Security Agency.

Those acquisitions have been facilitated in part by loose export controls over surveillance technology. To be subject to U.S. export restrictions, products must appear on a Commerce Department control list — and the key components of the surveillance products described in the Privacy International report do not appear to be on those lists, according to report co-author Edin Omanovic.

Products that can lay the foundation for mass surveillance are not restricted by special export controls if they are sold in an off-the-shelf, unaltered state, according to Eva Galperin, a global policy analyst at the Electronic Frontier Foundation, a non-profit digital rights foundation.

While many of the group’s sources are not listed in the report, and its claims therefore cannot all be confirmed, the report says that staff members interviewed activists in the region who recounted that transcripts of their private communications were used to convict and imprison them on charges of conspiracy.

Recent U.S. State Department reports for Kazakhstan and Uzbekistan describe a pattern of state-sponsored torture, inhumane treatment of prisoners, arbitrary arrest, and limited civil liberties in both countries. The State Department’s report on Uzbekistan specifically accused authorities there of detaining and prosecuting activists and journalists for politically motivated reasons. In the Kazakhstan report, “severe limits on citizens’ rights to change their government” was listed as a significant human rights problem.

Kathleen Sowers, an assistant to the general manager of Verint Systems, said in a telephone conversation on Nov. 20 that all of the company’s senior personnel were traveling and could not be reached for comment. Netronome spokeswoman Jennifer Mendola said in an email that the company had “no information on the matter” described in the Privacy International report. The company complies with all applicable laws of the United States and every other jurisdiction in which it operates, and “does not condone any violation of human rights or personal privacy,” she added.

Privacy International, a 24-year-old registered charity in the United Kingdom, publishes investigations and studies about digital privacy. It has challenged the legality of Britain’s spy agency using information obtained from the U.S. National Security Agency’s PRISM surveillance program to conduct mass surveillance of British citizens.

Several of the firms alleged to have exported snooping gear to the region have Israeli connections. Verint’s exports, for example, were dispatched by its Israeli subsidiary, according to the report. According to Omanovic, multiple sources had told his group that the transfers had been approved by the Israeli government. Israel and Kazakhstan signed an agreement for defense trade and cooperation at the beginning of 2014. A spokesman at the Israeli embassy in Washington did not have any immediate comment.

The report also said the Israeli firm NICE Systems has supplied monitoring systems with mass surveillance capabilities to the Kazakh and Uzbek regimes. Erik Snyder, NICE’s director of Corporate Communications, told the group in response that NICE provides law enforcement agencies and intelligence organizations with solutions for lawful communication interception, collection, processing, and analysis, but that it “does not operate these systems, and has no access to the information gathered.”

Some of the U.S. companies named in the report allegedly provided the Central Asian governments with technology that has less controversial purposes. Sunnyvale, CA-based Juniper Networks manufactured broadband equipment that Kazakhstan has been using to transmit data, according to the report, and a surveillance system that actively monitors internet users is now operating from that equipment. But the report makes no claim about Juniper’s complicity in surveillance. Juniper spokeswoman Danielle Hamel said she would look into the claim but then did not respond further.

The sole international agreement that includes regulations for the export of mass surveillance technologies – known as the Wassenaar arrangement — is non-binding on its 41 signatories. Israel is not a signatory, but says it uses Wassenaar’s control list as a guide, according to Privacy International’s Omanovic.

In October 2014, the European Commission amended its export controls to impose extra licensing requirements on monitoring and interception technologies. But the U.S. has not enacted its own controls on such exports.

Rep. Chris Smith (R-N.J.) has introduced several versions of a bill entitled “The Global Online Freedom Act,” meant to “prevent United States businesses from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance.” But he has not been able to get the bill approved even by the subcommittee on Africa, Global Health, Global Human Rights and International Organizations that he chairs.

TIME privacy

What Is Uber Really Doing With Your Data?


"I was tracking you"

Uber has had a rocky few days. On Monday, it was revealed that the ride-sharing app’s senior vice president, Emil Michael, proposed the idea of investigating critical journalists’ personal lives in order to dig up dirt on them. On Tuesday, the company published a blog post clarifying its privacy policy. And Uber is investigating its top New York executive for tracking a reporter without her permission, TIME learned Wednesday.

What is Uber really up to, and what are its employees allowed to do?

What Uber does with your data

Uber has a company tool called “God View” that reveals the location of Uber vehicles and customers who request a car, two former Uber employees told Buzzfeed. Corporate employees have access to the tool, though drivers do not. But a wide number of Uber employees can apparently view customers’ locations. (Uber did not confirm or deny the tool’s existence to TIME, but it’s worth noting that “God View” is a widely used term in the gaming world.)

Still, several previous incidents appear to confirm the existence of Uber’s so-called God View.

Venture capitalist Peter Sims said in a September blog post that Uber had once projected his private location data on a screen at a well-attended Chicago launch party:

One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I’ll spare her name because Gawker has already parodied her enough), but she’s someone I hardly know, asking me if I was in an Uber car at 33th and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car’s whereabouts, so much so that I asked the driver if others could see my Uber location profile? “No,” he replied, “that’s not possible.”

At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain “known people” (whatever that means) were currently riding in Uber cabs. After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a “cool” event and as if I should be honored to have been one of the chosen.

And this month, a Buzzfeed reporter arrived for an interview at Uber’s New York headquarters only to find the company’s top manager in the city, Josh Mohrer, was waiting for her. According to Buzzfeed, Mohrer said, “There you are,” while gesturing at his iPhone. “I was tracking you.” Mohrer didn’t ask for permission to track Johana, Buzzfeed reports.

Of course, Uber also uses customer data for the humdrum daily task of connecting riders with drivers as well as resolving disputes and reaching out to customers.

What Uber says it can do with your data

Uber says it only uses your data for “legitimate business purposes” and that its team audits who has access to its data on an ongoing basis. “Our data privacy policy applies to all employees: access to and use of data is permitted only for legitimate business purposes,” a spokesperson told TIME. “Data security specialists monitor and audit that access on an ongoing basis. Violations of this policy do result in disciplinary action, including the possibility of termination and legal action.”

And in its privacy policy, Uber says that it can use your personal information or usage information—that includes your location, email, credit card, name or IP address—”for internal business purposes” as well as to facilitate its service for pickups and communicating with customers.

Uber clarified in a blog post Tuesday that “legitimate business purposes” include facilitating payments for drivers, monitoring for fraudulent activity and troubleshooting user bugs.

Another important point: Uber says it can hold on to your data even if you delete your account. The company claims it keeps your credit card information, geo-location and trip history “to comply with our legal and regulatory obligations” and “resolve disputes.” Users have to provide a written request in order to completely delete an Uber profile along with all their data.


So did Uber do anything wrong?

Strictly by its own standards, it appears that Uber may not have violated its own rules when Josh Mohrer tracked Buzzfeed’s reporter. There’s no indication Mohrer shared the information outside Uber—which would disqualify it from being “internal”—but it’s hard to argue that he tracked the reporter for a “business purpose.” (Maybe it saved Mohrer time? Or he was showing off the feature? It’s hard to say.)

At the Uber Chicago launch party where Peter Sims’ location was reportedly tracked, the data was shared with people outside the company, as non-employees were at the event. That’s hard to justify by Uber’s rules. However, Uber’s privacy policy was updated in 2013, and the Chicago launch party occurred “a couple of years ago,” by Sims’ telling. So it’s unclear whether the move violated Uber’s privacy rules at that time.

Should you delete your Uber account?

If you’ve lost all trust in Uber and think that other ride-share apps like Lyft (or plain old taxis) are better, then yes, perhaps. But there isn’t any evidence that Uber is inappropriately using customer data on a widespread scale. And if you do delete your account, remember: unless you write in, Uber will still have your data.

TIME Companies

Uber Investigating Executive Over Use of ‘God View’ to Spy on User

After spate of bad publicity

Uber said Tuesday that it’s investigating one of its top New York executives for tracking a reporter without her permission.

The ride-sharing app has a system known as “God View,” BuzzFeed reports, in which the location of Uber vehicles and waiting customers are “widely available to corporate employees.” BuzzFeed reports that an executive used this system to track one of its reporters while she was working on a story about the company that has put it under fire for revelations that an executive raised the prospect of investigating journalists.

Early this November, one of the reporters of this story, Johana Bhuiyan, arrived to Uber’s New York headquarters in Long Island City for an interview with Josh Mohrer, the general manager of Uber New York. Stepping out of her vehicle — an Uber car — she found Mohrer waiting for her. “There you are,” he said, holding his iPhone and gesturing at it. “I was tracking you.”

Mohrer never asked for permission to track her.

[BuzzFeed]

TIME Innovation

Five Best Ideas of the Day: November 18

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

1. The worst ceasefire: Russia and Ukraine are both preparing for war as their uneasy peace slips away.

By Jamie Dettmer in the Daily Beast

2. With the rise of legal cannabis, the small-holders running the industry may soon be run off by the “Marlboro of Marijuana”

By Schumpeter in the Economist

3. From taking India to Mars on the cheap to pulling potable water from thin air: Meet the top global innovators of 2014.

By the writers and editors of Foreign Policy

4. Some charter schools promote aggressive policies of strict discipline, and that strategy may be backfiring.

By Sarah Carr in the Hechinger Report

5. As local police forces become intelligence agencies, we need sensible policies to balance privacy and public safety.

By Jim Newton in the Los Angeles Times


TIME intelligence

Tech Firms Push NSA Reform Bill as Senate Vote Approaches

The USA FREEDOM Act still faces challenges from both sides

In an open letter to U.S. Senators, a powerful coalition of technology companies including Google, Apple, Facebook and others called for passage of the USA FREEDOM Act surveillance reform package as Sen. Harry Reid scheduled a vote to advance the measure Tuesday.

“The Senate has the opportunity to send a strong message of change to the world and encourage other countries to adopt similar protections,” wrote CEOs of the companies comprising the Reform Government Surveillance coalition. The CEOs called the bill “bipartisan” and said it “protects national security and reaffirms America’s commitment to the freedoms we all cherish.” Signatories to the letter include Facebook’s Mark Zuckerberg, Apple’s Tim Cook, Google’s Larry Page, Microsoft’s Satya Nadella, Twitter’s Dick Costolo and others.

The USA FREEDOM Act is a package of changes to the way the U.S. National Security Agency conducts mass surveillance of American citizens chiefly sponsored by Judiciary Committee chair Sen. Patrick Leahy (D—VT). Debate over the issue accelerated a year and a half ago after leaks from former NSA contractor Edward Snowden revealed vast non-public surveillance programs and duplicity on the part of some officials about the extent of the programs.

U.S. Senate Majority Leader Harry Reid (D—Nevada) called for a cloture vote on Tuesday to end debate. Cloture, which requires a 60-vote majority, is likely to be the biggest hurdle the legislation would face on its path out of Congress.

Though major interest groups, including the American Civil Liberties Union, the Electronic Frontier Foundation and the President’s own surveillance reform task force, have backed the compromise legislation, passage is anything but certain. Intelligence Committee chair Sen. Dianne Feinstein (D—CA) is reported to have reservations about the bill and other surveillance hawks have expressed outright hostility toward the measure. On the other side of the issue, libertarian-leaning Sen. Rand Paul has said he will oppose the bill for not going far enough to rein in the NSA.

In current form the bill puts new limits on the NSA’s ability legally to gather up bulk U.S. phone meta-data and installs special privacy advocates in the Foreign Intelligence Surveillance Court, the body that oversees and authorizes NSA activities. The measure also forbids the NSA from storing data it collects in its own computers, instead requiring telecom companies to retain the data for up to five years. Some critics say the measure puts onerous restrictions on the NSA’s ability to protect Americans from harm. Others say the bill actually codifies and formalizes surveillance practices that once existed in a legal grey area.

“This is a first step in surveillance reform. This is by no means the whole kit and caboodle,” Director of the ACLU’s Washington Legislative Office Laura Murphy tells TIME. “For over the last decade we’ve been empowering government with more and more capabilities to surveil with less and less protections for its citizens. This legislation would mark a departure from the trajectory since 9-11. We think it’s a very important first step.”

TIME privacy

Is the Government’s Aerial Smartphone Surveillance Program Legal?

The program could violate the Fourth Amendment, some privacy groups say

Civil rights groups are raising serious constitutional questions about the Justice Department’s use of dragnet technology onboard aircraft to collect data from suspects’ cell phones, as reported by the Wall Street Journal Thursday.

The program, run by the U.S. Marshals Service, uses small aircraft equipped with high-tech devices that mimic cell towers, tricking suspects’ cell phones into connecting with them instead of legitimate towers. The devices, called dirtboxes, can then grab certain data from the tricked phones, most notably their location. The aircraft involved operate from five U.S. metropolitan areas and have together a flying range covering most of the country’s population, the Journal reported.

The program is designed to target suspects in law enforcement investigations. However, the nature of the technology means that devices in a certain range of the aircraft are fooled into connecting to the dirtbox, potentially giving law enforcement access to identifying data and general location information about hundreds or thousands of innocent Americans with each flight. Because that access comes without probable cause, civil liberties groups say, the program could be a violation of the Fourth Amendment.

“These devices are sweeping up information about the cell phones of thousands of completely innocent bystanders. That looks a whole lot like the kind of dragnet search that the framers of the Fourth Amendment abhorred,” said American Civil Liberties Union attorney Nathan Wessler.

The Justice Department said it could not confirm or deny the existence of the program. But a department official said that all federal investigations are consistent with federal law and are subject to court approval. That official also said the Marshals Service does not maintain any databases of cell phone information — meaning the program could possibly only be used to track the whereabouts of suspects on a case-by-case basis and that it’s vastly different in nature from the kinds of sweeping government surveillance programs first revealed by Edward Snowden.

Still, is the Justice Department’s airborne dragnet program legal? The answer is “maybe.”

Federal authorities have employed similar tools in the past. The Federal Bureau of Investigation is known to use a surveillance tool called a “stingray,” a portable transceiver that tricks cell phones within a certain area into relaying their locations, not unlike the equipment onboard the Marshals’ aircraft. A government vehicle with a stingray can net hundreds of nearby cell phones’ approximate locations just by driving through a typical neighborhood. The government has said it doesn’t need a probable cause warrant to use stingrays because investigators don’t collect the content of phone calls, just the locations of those phones. Government officials, meanwhile, have said they get court approval to use the devices.

Much of the government’s warrantless use of stingray-style technology hinges on a 1979 Supreme Court decision titled Smith v. Maryland. Smith involved law enforcement’s use of a device called a pen register that, when attached to a suspect’s phone line, recorded the numbers of outgoing calls, but not the calls themselves. The Smith decision upheld the warrantless use of such devices because the suspect’s phone company would record the same data picked up by the pen register, and therefore the suspect had no reasonable expectation of privacy when it came to that information. Currently, the law requires a court to approve the use of a pen register, but investigators only have to show that the device’s use is “relevant to an ongoing criminal investigation,” a much weaker standard than a probable cause warrant requires.

Hanni Fakhoury, an attorney at the pro-privacy Electronic Frontier Foundation, says the Department of Justice could use the Smith precedent as legal justification for the airborne dirtbox program. However, Fakhoury also highlighted a key problem with that argument: Location. Pen registers aren’t intended to pick up location data beyond an area code, whereas the airborne dirtboxes can track a person down to a single building. Many courts, he said, have expressed that location data deserves greater constitutional protection than is afforded to other kinds of information.

However, to get back to the Smith decision, wireless carriers do store your location history for several months to several years, information they obtain by keeping a record of the cell towers to which your device connects as you move from place to place. That could mean Americans don’t have a reasonable expectation of privacy over their location data and the Smith precedent applies, making the DoJ’s aerial surveillance program legal. Still, that would be a matter for the courts to decide.

“There are a lot of tricky questions whether a stingray or dirtbox operated by the government directly is a pen register, or the Fourth Amendment concerns dismissed by the Supreme Court 35 years ago in Smith v. Maryland are more applicable here,” Fakhoury said.

TIME Social Networking

Facebook’s New Privacy Policy Is Way Simpler


Facebook also launched an interactive privacy settings explainer

Facebook unveiled a drastically simplified privacy policy Thursday that explains in plain English who can see your personal information shared through the social network.

The streamlined policy strips out more than two-thirds of the verbiage from the previous policy, which consumer advocates had previously criticized as unnecessarily long and byzantine. “Our hope is that it won’t take long for people to read through this and really get it,” Facebook’s chief privacy officer told the Wall Street Journal.

Facebook also launched an interactive walkthrough of its privacy settings, called “Privacy Basics,” which guides users through drop down menus with options that can restrict viewing rights or delete posts entirely.

The update marks the company’s latest bid to make its privacy settings more user friendly since the company in 2011 settled Federal Trade Commission accusations that it broke its privacy promises. In September, Facebook launched a “Privacy Checkup” in an attempt to give users a greater measure of control over their data.

TIME privacy

9 in 10 Americans Feel They’ve Lost Control of Their Personal Data


A new survey finds many Americans want stronger safeguards for their personal data

More than 90% of Americans feel they have lost control of their personal data, according to a new survey of Internet users that reveals a pervasive sense of unease about who is monitoring and misusing their information.

Pew Research Center surveyors asked 607 Americans which interlopers, in particular, were a cause for concern. Eight out of ten respondents expressed concerns about the government surveilling their online communications and phone calls. An equal percentage shared concerns about businesses and marketers accessing their social media feeds. Meanwhile, nearly two-thirds of respondents wanted lawmakers to pass tighter regulations against advertisers looking to access people’s personal data.

Still, those polled expressed ambivalence about exchanging their personal information for access to free online services — more than half said they were willing to accept that trade-off.

The survey results come despite recent efforts by social media companies to give users a greater sense of control over privacy settings. Facebook, for example, tightened its default privacy settings in May and launched a “privacy checkup” pop-up window.

Read the full survey at Pew.

TIME privacy

Twitter Joins Partnership to Improve Handling of Harassment Claims

Nonprofit Women, Action & the Media will vet reports of abuse based on gender

Twitter is partnering with a nonprofit to make it easier for people to report harassment based on gender. The organization Women, Action & the Media will begin collecting reports of harassment via an online form and send the reports it deems valid to Twitter. The new tool is a pilot program, and the organization says it will monitor Twitter’s responses to harassment claims and help the social network improve how it handles complaints.

At least a quarter of female Internet users between 18 and 24 have been sexually harassed or stalked online, according to a Pew Research Center survey. In the past, Twitter has faced criticism for how it deals with harassment towards women on its site. There was an uproar last year when Twitter neutered the ability to block other users, and the social network was forced to quickly revert back to the original blocking feature. The site has also become a feverish battleground for the #GamerGate controversy, through which some women have faced harassment on the social network.

TIME legal

Why the Constitution Can Protect Passwords But Not Fingerprint Scans


Fingerprint scans are more secure, except when it comes to the Fifth Amendment

Cellphone fingerprint passcodes weren’t on James Madison’s mind when he authored the Fifth Amendment, a constitutional protection with roots in preventing torture by barring self-incriminating testimonials in court cases.

Yet those tiny skin ridges we all share were at the heart of a Virginia court case last week in which a judge ruled that police, who suspected there was incriminating evidence on a suspect’s smartphone, could legally force the man to unlock his device with its fingerprint scanner. While the Fifth Amendment protects defendants from revealing their numeric passcodes, which would be considered a self-incriminating testimonial, biometrics like fingerprint scans fall outside the law’s scope.

“If you are being forced to divulge something that you know, that’s not okay,” said Marcia Hofmann, an attorney and special counsel to digital rights group Electronic Frontier Foundation. “If the government is able through other means to collect evidence that just exists, then they certainly can do that without stepping on the toes of the constitutional protection.”

“The important thing is,” Hofmann said, “is it something you know, or something you have?”

The Virginia ruling was perhaps the most clear-cut decision among similar cases whose outcomes have varied significantly by circumstance. In United States v. Fricosu (2012), a court ruled because it was “a foregone conclusion” that the defendant’s password-locked data was incriminating, the Fifth Amendment didn’t apply. In United States v. John Doe (2011), the defendant, who had a hard drive protected by encryption, at first didn’t receive Fifth Amendment protection, but that decision was reversed by an appellate court that ruled that if Doe provided his decryption password, then it would “lead the Government to evidence that would incriminate him.” Last week’s Virginia ruling is a fresh example of what can happen when a 225-year-old law is applied to a field as rapidly changing as digital security.

“I think the courts are struggling with this, because a fingerprint in and of itself is not testimony,” said Hayes Hunt, a criminal defense and government investigations lawyer at Cozen O’Connor. “The concern is, once we put a password on something or on ourselves, we have a certain privacy interest.”

Judges across the country will only have to make more decisions about biometrics, as their use by everyday consumers is on the rise. Today, our data is protected by everything from iris scans at airports to heartbeat measurements and ear-print smartphone locks. “This whole area is in such a state of flux,” said Jody Goodman, a counsel at Crowell & Moring. “It seems like every week there are new things happening.”

Apple in particular is one of the most widely-recognized consumer technology companies that have adopted biometrics, though it wasn’t the first. Its latest flagship iPhones and iPads come with Touch ID, which lets users unlock their devices or make payments by scanning their thumbprints instead of inputting a numeric passcode. But while Apple and other companies with fingerprint scanners on their devices say the feature provides more protection from data theft, the Virginia ruling means that data protected only by an old-school passcode is afforded stronger legal protection under the Fifth Amendment.

The solution for those seeking more legal cover for their data, though, is surprisingly simple. If a defendant’s data is protected by both a thumbprint and a passcode, he or she could invoke the Fifth for the thumbprint, thereby blocking access to the data — at least according to the precedent set by the Virginia case. But for now, iPhones at least lack this option, probably because it’s not being demanded by consumers.

“I think Apple will respond to what the market demands,” said Goodman. “Most people don’t want to be bothered [by additional security]. That’s why the fingerprint technology was created in the first place.”
