Supreme Court, Help! My Mini-Bar Is Spying Without Warrants

WASHINGTON — It was perhaps the Super Bowl of all Fourth Amendment privacy cases: The Supreme Court was holding oral arguments here Tuesday on whether the police may attach GPS devices to vehicles, without a court warrant, and monitor that car’s every movement.

I listened as the Obama administration told the nine justices that it has the unfettered right to perform such surveillance, for however long it wants, on however many people it wants, without any judicial oversight whatsoever. That includes slapping trackers on the rides of the Supreme Court justices, the feds said. It’s an alarming concept in an age where GPS devices are the size of a credit card, and cost less than $200 — and like all computer devices, they will only get smaller, cheaper and more powerful.

But there I was, listening to the argument and fretting that my gutting of the mini-bar in my D.C. hotel might contribute to the court’s ultimate decision against privacy.

That sobering fear is by no means farfetched. Here’s why:

I went BYOB, pulling out the hotel mini-bar’s sodas, junk beer and snacks — setting it aside for later return, and replacing it with Sierra Nevada Pale Ale. Later on, I saw the sign inside the fridge that said, “For your convenience, any product removed from the MiniBar is automatically charged to your account.”

Unbeknownst to me, my mini-bar fridge uses infrared technology to automatically charge preposterous prices for sub-par beer, baby shots of liquor and chilled Pringles. As it turns out, that’s a generally accepted charging method employed by many hotels.

I informed the front desk of my switcheroo, asking to remove any blasphemous charges that may have occurred. The clerk told me that, indeed, the fridge was spying on me, and that the hotel would confirm my story at checkout.

All the while, the Supreme Court was debating whether Americans had a “reasonable” expectation their movements would not be electronically monitored. Yet we live in a world today where we pay $300 for a hotel room that spies on your alcohol intake, where millions of people voluntarily “check in” their every movement on FourSquare and Facebook, and where we routinely give big-name and no-name mobile-phone applications the right to track us everywhere we go.

All of which means we submit to our own warrantless monitoring voluntarily.

That Americans have conceded their privacy was not lost on the top court, and it just might be the deciding factor in the court’s ultimate decision, whatever that may be.

Justice Samuel Alito put it bluntly:

You know, I don’t know what society expects, and I think it’s changing. Technology is changing people’s expectations of privacy. Suppose we look forward 10 years, and maybe 10 years from now, 90 percent of the population will be using social networking sites and they will have on average 500 friends and they will have allowed their friends to monitor their location 24 hours a day, 365 days a year, through the use of their cell phones. Then — what would the expectation of privacy be then?

The Supreme Court first created the standard of “reasonableness” in the context of the Fourth Amendment in 1967, when it ruled that Americans had a “reasonable expectation of privacy” that what they said on the phone was private, requiring a court warrant for the authorities to wiretap phone calls.

Fast forward to 1983, one of the last times the Supreme Court dealt with the collision of technology and locational privacy. The question before the court was whether the police may use a beeper or a “bird dog” without a warrant to track a vehicle. Beepers (now outdated) are devices that assist police who are actually tailing a traveling vehicle, whereas a GPS device requires no officers to be anywhere near the target.

The court said no warrant was needed for beepers.

A person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements. While respondent had the traditional expectation of privacy within a dwelling place insofar as his cabin was concerned, such expectation of privacy would not have extended to the visual observation from public places of the automobile arriving on his premises after leaving a public highway.

The justices debated Tuesday whether that precedent was outdated with the proliferation of sophisticated, inexpensive GPS devices.

Chief Justice John Roberts said the beeper of yesteryear was nothing compared to today’s GPS devices.

That’s a lot of work to follow the car. They’ve got to listen to the beeper; when they lose it they have got to call in the helicopter. Here they just sit back in the station and they — they push a button whenever they want to find out where the car is. They look at data from a month and find out everywhere it’s been in the past month. That — that seems to me dramatically different.

Precedent and the advancement of technology were not lost on Justice Stephen Breyer, either.

“If you win this case,” Breyer told the government’s attorney, “there is nothing to prevent the police or government from monitoring 24 hours a day every citizen of the United States.”

“The real issue here is whether this is reasonable,” Breyer said.

And therein rests the heart of the debate.

Justice Antonin Scalia replied moments later that the police “can do a lot of stuff that is unreasonable under the Fourth Amendment.”

“Why is this an invasion of privacy?” he asked.

We already seem to be at or near the scenario Alito had painted, and it’s unlikely to ever revert back. As it turns out, our culture has voluntarily joined the Surveillance Society, leaving reasonable expectations behind. And only a fool would deny that.

Perhaps all that we can hope for now is the Supreme Court finding a reasonable way to save us from our unreasonable selves.

Seven Charged With Clickjacking IRS, Apple Links to Tune of $14 Million

Seven Eastern European men have been charged in New York with operating a clickjacking scheme that infected more than 4 million computers in order to hijack surfers trying to get to the iTunes store or the IRS. The enterprise allegedly netted the crooks more than $14 million.

The scam appears to have begun in 2007 and involved six Estonians and one Russian, all residing in Eastern Europe, who allegedly used multiple front companies to operate their intricate scam, which included a bogus internet advertising agency, according to the 62-page indictment (.pdf), unsealed Wednesday in the Southern District of New York.

The bogus agency contracted with online advertisers who would pay a small commission each time users clicked on their ads, or landed on their website.

To optimize the payback opportunities, the suspects then infected computers in more than 100 countries with malicious software called DNSChanger to ensure that users would visit the sites of their online advertising partners. The malware altered the DNS server settings on target machines in order to direct victims’ browsers to a DNS server controlled by the defendants, which then directed browsers to sites that would pay a fee to the defendants.

For example, users who clicked on a link on a search results page would have their browsers directed not to the legitimate destination page but to a different page designated by the defendants.

An infected user who searched for Apple’s iTunes store and clicked on the legitimate Apple link at the top of the page would be directed instead to, a site purporting to sell Apple software. Users trying to access the government’s Internal Revenue Service site were redirected to a web site for H & R Block, a top tax preparation business in the U.S. The suspects received a fee for every visitor directed to the site.

At least half a million machines in the U.S. were infected with the malware, including ones belonging to the National Aeronautics and Space Administration (NASA) and other unnamed government agencies.

In addition to redirecting the browsers of infected users, the malware also prevented infected machines from downloading security updates to operating systems or updates to antivirus software that might have helped detect the malware and stop it from operating. When an infected user’s machine tried to access a software update page, that person would get a message saying the site was currently unavailable. In blocking the updates, infected users were also left open to infections from other malware as well.

Vladimir Tsastsin, Timur Gerassimenko, Dmitri Jegorow, Valeri Aleksejev, Konstantin Poltev and Anton Ivanov of Estonia and Andrey Taame of Russia have been charged with 27 counts of wire fraud and other computer-related crimes.

The Federal Bureau of Investigation has provided a handout to users (.pdf) to help them determine if their system might be infected with the malware. Individuals who think they might be infected are being asked to submit an online form to the Bureau.

The Internet Systems Consortium has also been tasked with operating a DNS server that replaces the defendants’ rogue DNS server. The ISC will be collecting IP addresses that contact this server in order to determine which systems might be infected. According to a protective order submitted to the court by the government, however, ISC is not authorized to collect any other data from the computers, such as the search terms that led them to the DNS server.

Photo: Crossley/Flickr

Mozilla Releases Firefox 8 and 3.6.24

The Mozilla Foundation has released Firefox 8 and Firefox 3.6.24 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, operate with escalated privileges, cause a denial-of-services condition, obtain sensitive information, or perform a cross-site scripting attack. 

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories for Firefox 8 and Firefox 3.6.24 and apply any necessary updates to help mitigate the risk.

Apple Bans Security Researcher Charlie Miller For Exposing iOS Exploit

The latest wave in the infosec world is that Apple has banned the well known security researcher – Charlie Miller – from it’s developer program for exposing a new iOS exploit. It’s not really the smartest move as I’m pretty sure anyone as smart as Charlie Miller still has plenty of options – use another [...]

Read the full post at