amnesty.org · Domains · Slashdot Mirror

Egypt Government Used Gmail Third-Party Apps To Phish Activists (zdnet.com)

Yro · Privacy · 2019-03-07 12:03 · posted by BeauHD · from the sneaky-bastards dept. · 16 comments

An anonymous reader quotes a report from ZDNet: Members of Amnesty International say that Egyptian authorities are behind a recent wave of spear-phishing attacks that have targeted prominent local human rights defenders, media, and civil society organizations' staff. The attacks used a relatively new spear-phishing technique called "OAuth phishing," Amnesty experts said. OAuth phishing is when attackers aim to steal a user account's OAuth token instead of the account password. When a user grants a third-party app the right to access their account, the app receives an OAuth token instead of the user's password. These tokens work as authorization until the user revokes their access. Amnesty investigators said that in the recent spear-phishing campaign that targeted Egyptian activists, authorities created Gmail third-party apps through which they gained access to victim's accounts. Victims would receive an email that looked like a legitimate Gmail security alert. But when they clicked the link, they'd be redirected to a page where a third-party app would request access to their account. Once the victim granted the app access to their Gmail account, the user would be redirected to the account's legitimate security settings page where they'd be left to change their password. Even if the victim changes their password, at this point, the phishers would still have access to the account via the newly acquired OAuth token. The Amnesty International report says the spear-phishing campaign also targeted Yahoo, Outlook and Hotmail users.

A Woman on Twitter is Abused Every 30 Seconds (fastcompany.com)

Tech · Twitter · 2018-12-25 16:00 · posted by msmash · from the whose-social-network? dept. · 483 comments

That shocking statistic comes from a study conducted by Amnesty International and AI software startup Element AI. From a report: In the study, called Troll Patrol, Amnesty International and Element AI looked at data from 288,000 tweets sent to 778 female politicians and journalists in the U.S. and U.K. in 2017. Using machine learning on the data, the group then extrapolated just how wide-ranging abuse toward women is on Twitter. The result: 1.1 million abusive or problematic tweets were sent to the women in the study during the year -- that's one abusive or problematic tweet every 30 seconds. And it's even worse for women of color -- and especially black women -- who were targeted more frequently than white women.

UK's GCHQ Intelligence Agency Violated Human Rights With Its Mass Surveillance Tactics, Top European Court Rules (theguardian.com)

Yro · Privacy · 2018-09-13 02:40 · posted by msmash · from the judgement-arrives dept. · 45 comments

GCHQ's methods in carrying out bulk interception of online communications violated privacy and failed to provide sufficient surveillance safeguards, the European court of human rights (ECHR) has ruled in a test case judgment. From a report: But the Strasbourg court found that GCHQ's regime for sharing sensitive digital intelligence with foreign governments was not illegal. It is the first major challenge to the legality of UK intelligence agencies intercepting private communications in bulk, following Edward Snowden's whistleblowing revelations. The long-awaited ruling is one of the most comprehensive assessments by the ECHR of the legality of the interception operations operated by UK intelligence agencies. The case was brought by a coalition of 14 human rights groups, privacy organisations and journalists, including Amnesty International, Liberty, Privacy International and Big Brother Watch. In a statement, published on Amnesty's website, Lucy Claridge, Amnesty International's Strategic Litigation Director, said, today's ruling "represents a significant step forward in the protection of privacy and freedom of expression worldwide. It sends a strong message to the UK Government that its use of extensive surveillance powers is abusive and runs against the very principles that it claims to be defending." He added: This is particularly important because of the threat that Government surveillance poses to those who work in human rights and investigative journalism, people who often risk their own lives to speak out. Three years ago, this same case forced the UK Government to admit GCHQ had been spying on Amnesty -- a clear sign that our work and the people we work alongside had been put at risk. The judges considered three aspects of digital surveillance: bulk interception of communications, intelligence sharing and obtaining of communications data from communications service providers. By a majority of five to two votes, the Strasbourg judges found that GCHQ's bulk interception regime violated article 8 of the European convention on human rights, which guarantees privacy, because there were said to be insufficient safeguards, and rules governing the selection of "related communications data" were deemed to be inadequate, The Guardian newspaper reported.

Commenting on the ruling, Snowden, wrote, "For five long years, governments have denied that global mass surveillance violates of your rights. And for five long years, we have chased them through the doors of every court. Today, we won. Don't thank me: thank all of those who never stopped fighting."

Fourth Bangladeshi Blogger Murdered

News · Crime · 2015-08-08 04:39 · posted by Soulskill · from the rest-in-peace dept. · 147 comments

An anonymous reader writes: In May we discussed news that three bloggers in Bangladesh had been targeted for brutal killings in recent months over what they wrote online. Now, the local branch of Al-Qaeda is claiming responsibility for a new victim, blogger Niloy Chakrabarti. "The journalist had contributed to the humanist blogging platform Mukto-Mona. His posts often were critical of Islam. Mukto-Mona was established by another blogger—Avijit Roy, who was murdered in Bangladesh in February." His murder was as ghastly as the previous three — six men broke into his apartment with machetes. Rights groups are condemning the killings and demanding that the government put a stop to them. "There is little doubt that these especially brutal killings are designed to sow fear and to have a chilling effect on free speech. This is unacceptable."

Protesters Are Dodging Sudan's Internet Shutdown With a Phone-Powered Crowdmap

Politics · Cellphones · 2013-09-27 10:30 · posted by Soulskill · from the routing-around-damage dept. · 7 comments

Lasrick writes "Motherboard's Africa correspondent, Amanda Sperber, has a great piece on how protesters in Sudan are getting around the government's shutdown of the internet. Quoting: 'Since Wednesday afternoon, Sudan's internet has been sporadically shut off amid a fifth day of protests against President Omar al Bashir's regime. Despite the attempt to cut off communications and limit organization and reporting on the ground, a group of tech-savvy people based in Khartoum have developed a map for recording key data about the protests that's powered by cell networks. '"

The Google Transparency Project Transparency Project

Yro · Government · 2012-06-26 03:33 · posted by timothy · from the correctly-formatted-theocratic-calls-for-caning dept. · 50 comments

Regular contributor Bennett Haselton writes "As Google releases more data about their compliance with requests from foreign governments, they should clarify their stance on exactly when they will comply with requests to turn over user data to foreign law enforcement." Bennett expands on that thought below; read on for some details of just why that kind of disclosure matters, in making sense of Google's own efforts to provide transparency. Google, as part of its ongoing Transparency Project, announced last week the release of its latest data on takedown requests and user account information requests from governments around the world. I'm glad that notorious human rights violators like Turkey are still scoring 0 for 88 in their requests to get Google to turn over information on users allegedly breaking Turkish law. But Google should still clear up some ambiguities in its stated policies about when it will remove content in response to a government request, and (especially) when it will turn over user information to foreign law enforcement. Google's FAQ on user data requests says that "whenever we receive a request we make sure it meets both the letter and spirit of the law before complying." This, however, raises a few questions:

Does "the letter and spirit of the law" refer to U.S. law, or the law in the country from which law enforcement sends the request? Presumably if a user in China or Saudi Arabia were using their Google account to send messages that criticized their own government, in violation of local "laws," Google would not turn over that user's information to that country's law enforcement on demand. That should be an easy call, since China and Saudi Arabia are dictatorships. But what about democratic countries like Canada and Germany, which nonetheless have anti-hate-speech laws that are inconsistent with American free speech guarantees? If German law enforcement demanded the identity of a German account holder who was publishing Nazi propaganda (which would be legal in the U.S., but is illegal in Germany), what would Google do?
What if foreign law enforcement claims that a Google account holder is doing something which would be illegal even in the U.S. — but the request comes from a country where law enforcement is known to be corrupt? And what if the claim is such that Google can't verify the veracity of the claim by simply looking at the account contents? (For example, if law enforcement claims that a criminal gave the police a gmail.com address as a Dropbox for them to respond to a ransom demand, Google can't verify that claim just by looking at the contents of the inbox.) In such cases, does Google respond to the request anyway, even if the police might be lying in order to unmask a Google account holder who hasn't done anything illegal?
Does the answer to either #1 or #2 above depend on whether Google has offices in the country making the request, and can be more easily pressured to comply with their demands?

With regard to governmental requests to remove content, Google has also not explicitly stated whether they use local laws or U.S. laws as a guideline. However, based on the incidents in the Notes section, the rule seems to be: Google will remove content only if it violates Google's own terms of service, but if content violates local laws in a given country, Google may block access to that content from that country, even if the content doesn't violate Google's policies. For example, Google restricted users in Thailand from viewing YouTube videos that offended the Thai monarch, and restricted Turkish users from viewing two videos that criticized Atatürk. As insulting as this is to the free speech rights of the people of those nations, Google could argue that if they hadn't restricted those videos, the entire YouTube site would have been blocked in those countries (which it has been in the past, in both Thailand and Turkey). And at least having your YouTube videos blocked in your home country won't put you in physical danger.

On the other hand, having your identity unmasked and turned over to your government could put you at risk of arrest and a long prison sentence, as happened to Shi Tao after Yahoo disgracefully turned his information over to Chinese officials. So it's a good thing that Google's compliance rate with user data requests is much lower. But given the higher stakes, it's all the more important for Google to clarify when they will comply with such requests.

I sent a message to Google's press office asking about their policy of following the "letter and spirit of the law" in complying with data requests, and whether that referred to U.S. law or the law in the country whose government made the demand. I got back a response copied and pasted from the user data requests FAQ:

Like all law-abiding companies, we comply with valid legal process. We take user privacy very seriously, and whenever we receive a request we make sure it meets both the letter and spirit of the law before complying. When possible and legal to do so, we notify affected users about requests for user data that may affect them. And if we believe a request is overly broad, we will seek to narrow it.

I immediately wrote back:

But when you say you make sure a request "meets both the letter and spirit of the law", whose law are you talking about — U.S. law, or the law of the country where the request originated?

If Saudi Arabia has laws on the books against criticizing the King, and the Saudi police use that as the pretext to demand that you turn over a subscriber's identity because that user criticized the government, I presume you don't comply with requests like that. But does that mean that you only turn over subscriber identities if the foreign law enforcement can show that the subscriber did something that would be illegal under U.S. law?

(It's always a bit awkward trying to turn a cut-and-paste job into a real conversation.) Google's PR said they had nothing more to add, but I've asked some mid-to-highly-placed friends at the company to see if they could get someone to comment in more detail, and I'll follow up if they get back to me.

The question came up when I was at a conference talking with some activists from Latin America, who were asking about the safest way to email a sensitive message or document out of the country over an encrypted connection, to a contact person in the U.S. I said that even though they had already heard about solutions like Tor and PGP, the simplest solution in their case would just be to use Gmail to send the message or the file, since their connection to Google's Gmail servers in the U.S. would be encrypted over https://. (Once the message is sent out from Gmail's servers to its recipient, it would be transmitted unencrypted, but by that point the law enforcement in the sender's home country would no longer be able to intercept it.) Another techie pointed out that Google had long been complying with many foreign governments' requests for user data, as documented on their Transparency Project page, and said that should be taken into account before recommending for anyone to use Google products in a hostile country.

But if you look at the Transparency Project chart for user data requests, it looks like Google does not regularly hand out user data to regimes that are major human rights violators (the only two such countries appearing on the list are Russia and Turkey, and Google has apparently complied with exactly 0% of their requests). I'm not a fan of everything that every other country on that list has done, but they're mostly democratic nations that are probably not abusing the data request process as much as, say, Venezuela would.

So even without specific assurances from Google, I still think that Gmail is safer than PGP for the purpose of sending an encrypted message out of a hostile country without attracting attention to yourself. Remember, if you send a message to someone encrypted with PGP, and a third party intercepts the message, the interceptor can still see that the encrypted portion is bookended with the words "BEGIN PGP ENCRYPTED MESSAGE" and "END PGP ENCRYPTED MESSAGE" — so even if they can't tell what you said, they still know that you went out of your way to send an encrypted email. (Similarly, if you're using Tor, an eavesdropper can't tell what you did over your encrypted Tor connection, but they could still detect that you're using Tor, either by studying the traffic patterns or by keeping a list of known Tor servers and watching to see if you connect to one of them.) By contrast, everyone who connects to Gmail, connects automatically over an encrypted https:// connection, so an eavesdropper would not detect anything unusual about your usage of Gmail that might tip them off that you were trying to hide something. Gmail is the safest of the major mail providers in this regard; Hotmail serves your messages over an encrypted connection only if you opt in to that feature, and Yahoo Mail doesn't provide that option at all. So it's precisely because Gmail is an almost-perfect secure communications solution, that I'd really like to be able to trust it even more, by getting a clearer statement from Google about when exactly it would turn over a subscriber's identity to a government.

Google seems like they're trying to do the right thing in response to demands from foreign countries with less-than-stellar human rights records. With regard to user data requests, Google must be following some internal rule, and the right thing to do would be to tell us what the rule is.

"Liberated" Tunisia Still Censoring Websites

Yro · Censorship · 2012-02-13 02:35 · posted by samzenpus · from the I-don't-think-that-word-means-what-you-think-it-means dept. · 108 comments

Frequent Slashdot contributor Bennett Haselton writes "Tunisia's high court will decide on Wednesday whether to allow censoring of websites containing pornography or 'calls to violence.' It's disappointing that censorship continues in post-revolutionary Tunisia, but it's enough of an improvement over the old regime, that anti-censorship cyber-activism efforts would probably best be spent on helping other countries." Read on for Bennett's analysis.

In Tunisia, where dictator Zine El Abidine Ben Ali was ousted one year ago amid hopes for a new era of freedom, the high court will decide on Wednesday whether to censor foreign pornographic websites in accordance with local law. Facebook pages that "call for violence" may also be blocked. Conveniently, all the machinery for censoring the Internet in Tunisia is already in place, having been installed under Ben Ali's dictatorship for the purposes of censoring and spying on Tunisian citizens (and, for a while, phishing their Facebook passwords). The irony recalls the situation in Iraq in 2009, when the government announced plans to start censoring foreign websites -- to which Iraqi citizens complained that they thought censorship would end with the fall of Saddam's regime. Actually, apart from the three outlier countries of Turkey, Israel and Lebanon, pornography remains illegal in every Middle Eastern country (and some conservative African nations), including the recently "liberated" ones including Egypt, Iraq and Tunisia. (Although, Iraq's street market in pornography thrives as long as the police have better things to do.)

I'm against such censorship in principle -- I think that even the right to publish and access pornography counts as a fundamental human right. But I think we have to take what progress we can get, and censoring just pornography and calls to violence, is a big improvement over censoring pornography and dissident political speech, which is the norm in most non-"liberated" Middle Eastern countries like Syria, Iran, and Saudi Arabia. Syria blocks foreign opposition sites like All4Syria.info, Iran blocks Facebook and YouTube to keep dissidents from posting or viewing anti-government material, and Saudi Arabia blocks Reporters Without Borders and filters the Amnesty International report on human rights in Saudi Arabia (but not the rest of the Amnesty International site!).

Saudi Arabia blocking the Amnesty International report on human rights in their country (while leaving the rest of the site unblocked), in particular, seems like the kind of thing that a government would do more as a "fuck you" to human rights activists, than a means to achieve a practical goal. For one thing, most of the facts in the human rights report about Saudi Arabia -- about sex discrimination and lack of political and religious freedom -- are already well known to the people who live there. And secondly, what percent of the citizens of a country would ever read the Amnesty International report on human rights in that country, even if it were not blocked? How many Americans even know that Amnesty puts out an annual report about human rights violations in the United States? So it seems more like a symbolic move to remind everyone who's in charge. For all the disappointment in the lack of progress for free speech in post-"liberation" countries, the non-"liberated" ones are indeed worse.

As for the Tunisian proposal to censor "calls to violence", I wouldn't always be against that, even in principle. In most countries, direct incitements to violence can be considered illegal (it depends on what you say and, of course, on what judge you get). In a developing country rife with ethnic tensions, even greater restrictions on calls to violence could be justified. When you finally watched Hotel Rwanda , weren't you hoping someone would bust in on that radio DJ telling everyone to kill Tutsis in the middle of a civil war, and blow him to hell? The biggest problem with a rule against "calls to violence" is that the government could stretch the definition to silence political speech. But it's possible to keep that kind of abuse in check, as has mostly been achieved in the U.S. For that, what you need is an independent judiciary, not an abolishment of all rules against calls to violence.

So the free-speech situation in "liberated" Tunisia may be nothing to write home about, but it sounds much better than it used to be, when writing home to complain about it could get you arrested. A Wall Street Journal article from July 2011 describes how, under Ben Ali's dictatorship, Tunisian cyber-activist Slim Amamou had been imprisoned and abused by the police for calling for peaceful demonstrations. Post-revolution, he was freed and asked to join the interim government, where the strictest restriction placed on him was to "stop sending Twitter messages during internal government meetings to his 25,000 followers". They may not have their porn, but that's still progress.

Of course, if someone in Tunisia wants to circumvent the government filters (using tools like proxy sites, VPNs, Tor, UltraSurf, Psiphon, etc.) and get to a porn site, more power to them. I just wouldn't make it a priority to set aside resources to help them get it. Not while there are Iranians who need help getting around the latest restrictions blocking them from Facebook and Gmail.

Two caveats. First, if someone wants to sell circumvention services to Tunisians who just want to get around the porn blocker, that doesn't count as "setting aside resources", so that's a perfectly noble endeavor. In fact, given the economies of scale in the circumvention business, selling to Tunisians could help to bring the price down for other users, including users in countries like Saudi Arabia where the government does engage in political filtering, and where circumvention services could be a tool for social change. Second, providing circumvention services (free or paid) to Tunisians, does probably make it less likely that the new government would revert to political censorship, knowing that many of its citizens have the tools to beat it, even if those tools are only currently used to access porn sites. So to that extent, setting aside resources to provide circumvention services in Tunisia might be a worthwhile cause.

Still, I think it's a lot less important than using circumvention tools to fight political censorship in truly autocratic countries like Iran. For the next generation of proxy servers that I'm rolling out, I'm working on setting aside some of them just for Iranian IP addresses. Even if Iranians just use them to get on Facebook, that's still contributes more to advancing the cause of social democracy, than Tunisians using them to get on Playboy.