Appeals Court Caves to TSA Over Nude Body Scanners


A federal appeals court on Tuesday said it was giving the Transportation Security Administration until the end of March to comply with an already 14-month-old order to “promptly” hold public hearings and take public comment concerning the so-called nude body scanners installed at U.S. airport security checkpoints.

The public comments and the agency’s answers to them are reviewable by a court, which opens up a new avenue for a legal challenge to the agency’s decision to deploy the scanners. Critics maintain the scanners, which use radiation to peer through clothes, are threats to Americans’ privacy and health, which the TSA denies.

On July 15, 2011, the U.S. Circuit Court of Appeals for the District of Columbia Circuit set aside a constitutional challenge brought by the Electronic Privacy Information Center trying to stop the government from using intrusive body scanners across U.S. airports. But the decision also ordered the TSA “to act promptly” and hold public hearings and publicly adopt rules and regulations about the scanners’ use, which it has not done, in violation of federal law.

Then on Aug. 1 of this year, the court ordered the TSA to explain why it had not complied with its order. In response, the agency said it expected to publish, by the end of February, a notice in the Federal Register opening up the Advanced Imaging Technology scanners to public comments and public hearings. That would be 19 months after the court order.

On Tuesday, the court gave the TSA until the end of March, meaning the agency has 20 months to “promptly” comply with the court’s order. EPIC was urging the appeals court to reverse the court’s blessing of the so-called nude body scanners because of the TSA’s lack of compliance with the court’s original order.

The Transportation Security Administration has denied allegations from the Electronic Privacy Information Center that it was stonewalling the court’s order. The TSA said the agency was having staffing issues and was awaiting approval from the Department of Homeland Security and the Office of Management and Budget before it releases public documents associated with its 2009 decision to make the body scanners the “primary” security apparatus at the nation’s airports.

The three-judge appellate court, which is one stop from the Supreme Court, ruled last year that the TSA breached federal law when it formally adopted the Advanced Imaging Technology scanners as the primary method of screening. The judges, while allowing the scanners to remain in use, said the TSA violated the Administrative Procedure Act by failing to hold a 90-day public comment period, and ordered the agency to undertake one.

Under the Administrative Procedure Act, agency decisions like the TSA’s move toward body scanners must go through what is often termed a “notice and comment” period if the new rules would substantially affect the rights of the public, in this case air passengers. But the court’s decision last year did not penalize the TSA for its shortcomings. The TSA argued to the court that a public comment period would thwart the government’s ability to respond to “ever-evolving threats.”

Concerns about the machines include the graphicness of the human images, the potential health risks and the scanners’ effectiveness.

Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says


Seven rent-to-own companies and a software maker are settling charges with the Federal Trade Commission that rental computers illegally used spyware that took “pictures of children, individuals not fully clothed, and couples engaged in sexual activities.”

As par for the course, the FTC only slapped the wrist of DesignerWare of North East, Pennsylvania, and the rent-to-own companies. The settlement, announced Tuesday, only requires them to stop using their spy tools, which have been employed on as many as 420,000 rentals.

The software, known as Detective Mode, didn’t just secretly turn on webcams. It “can log the keystrokes of the computer user, take screen shots of the computer user’s activities on the computer, and photograph anyone within view of the computer’s webcam. Detective Mode secretly gathers this information and transmits it to DesignerWare, who then transmits it to the rent-to-own store from which the computer was rented, unbeknownst to the individual using the computer,” according to the complaint.

Under the settlement, the companies can still use tracking software on their rental computers, so long as they advise renters, the FTC said. The companies include Aspen Way Enterprises Inc.; Watershed Development Corp.; Showplace Inc., doing business as Showplace Rent-to-Own; J.A.G. Rents LLC, doing business as ColorTyme; Red Zone Inc., doing business as ColorTyme; B. Stamper Enterprises Inc., doing business as Premier Rental Purchase; and C.A.L.M. Ventures Inc., doing business as Premier Rental Purchase.

Claudia Bourne Farrell, an FTC spokeswoman, said in a telephone interview the agency does not have jurisdiction when it comes to criminal offenses. She said the agency, when it believes criminal conduct may have occurred, will forward that to the appropriate agencies. But the agency, she said, has a policy against disclosing when it has done so.

“We don’t have criminal authority. We only have civil,” she said.

The companies were not fined, she said, because “we don’t have the authority to impose civil fines for the first violation of the FTC Act.”

The software installed on the laptops also enables the companies to automatically disable computers of renters behind on monthly payments and to secretly track the computers’ whereabouts.

Even more evil, the rental stores would force a fake popup for software registration on computers they rented. The window would not go away, the FTC said, until the computer user typed their contact information, including address, phone number and e-mail. The rent-to-own store would use that information “to try to collect money” from renters in arrears, the FTC said.

In all, private data obtained through the spyware included user names and passwords for e-mail accounts, social media websites and financial institutions. Also snagged were Social Security numbers, medical records, private e-mails to doctors, bank and credit card statements and webcam pictures of children, partially undressed individuals, and intimate activities at home, the FTC said.

Drones Subject to GPS Spoofing, Privacy ‘Abuses,’ GAO Report Warns


The Government Accountability Office is warning Congress that its push for drones to become commonplace in U.S. airspace fails to take into account concerns surrounding privacy, security and even GPS jamming and spoofing.

The GAO, Congress’ research arm, was responding to the FAA Modernization and Reform Act of 2012, signed by President Barack Obama in February, which among other things requires the Federal Aviation Administration to accelerate drone flights in U.S. airspace.

Drones, referred to in the report as “unmanned aerial systems,” are currently limited in the United States to law enforcement activities, search and rescue, forensic photography, monitoring or fighting forest fires, border security, weather research, scientific data collection and hobby use, among other things.

But there’s a concerted push to expand the commercial use of drones for pipeline, utility, and farm fence inspections; vehicular traffic monitoring; real-estate and construction-site photography; relaying telecommunication signals; fishery protection and monitoring; and crop dusting, according to the report, which was distributed to lawmakers earlier this month.

That’s despite the fact that many drones don’t have “elaborate on-board detection systems to help them avoid crashes in the air,” which could cause complications when and if drones share airspace with private aircraft.

Among other things, the report urged the Transportation Security Administration to come up with a plan to secure operation centers for unmanned drones, recommended the government formulate privacy protections to head off “abuses” and also pointed out safety concerns that need to be addressed regarding GPS spoofing and jamming.

In a GPS jamming scenario, the UAS could potentially lose its ability to determine its location, altitude, and the direction in which it is traveling. Low-cost devices that jam GPS signals are prevalent. This problem can be mitigated by having a second or redundant navigation system onboard the UAS that is not reliant on GPS, which is the case with larger UAS typically operated by DOD and DHS.

The report noted that “GPS jamming can be mitigated for small UAS by encrypting its communications, but the costs and weight associated with encryption may make it infeasible.”

What’s more, unencrypted non-military GPS signals are “vulnerable to being counterfeited, or spoofed.”

In a GPS-spoofing scenario, the GPS signal going from the ground control station to the UAS is “first counterfeited and then overpowered,” the report said. “Once the authentic (original) GPS signal is overpowered, the UAS is under the control of the ‘spoofer.’ This type of scenario was recently demonstrated by researchers at the University of Texas at Austin at the behest of DHS.”
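The two failure modes the report describes, a jammed receiver that loses its fix and a spoofer that first counterfeits and then overpowers the authentic signal, are what the “second or redundant navigation system” it recommends is meant to catch. The following added example (it is not from the GAO report or from any UAS vendor) shows the shape of such a check in Python: a GPS-independent dead-reckoning estimate from inertial heading and speed runs alongside the GPS fixes, and a fix is rejected when it diverges from that estimate or when the received carrier-to-noise ratio (C/N0) jumps abruptly, which is the signature of an overpowering transmitter. The flight track, thresholds and C/N0 values are constructed for illustration and are assumptions, not figures from the report.

```python
"""Cross-check GPS fixes against a GPS-independent dead-reckoning estimate.

Added example; not code from the GAO report. All sample data below is
constructed: a small UAS flying due east at 10 m/s, sampled once per second,
positions in metres in a flat local frame.
"""
import math
from typing import List, Optional, Tuple

Fix = Optional[Tuple[float, float, float]]  # (x_m, y_m, cn0_db) or None if no fix

# Constructed GPS samples. Index 3 shows the "overpower" step (C/N0 jumps 14 dB
# while the position still matches), index 4 the counterfeit position taking
# hold, index 5 a jammed receiver with no fix at all.
GPS_FIXES: List[Fix] = [
    (0.0, 0.0, 42.0),
    (10.0, 0.0, 42.0),
    (20.0, 0.0, 42.0),
    (30.0, 0.0, 56.0),   # signal suddenly much stronger: overpowering transmitter
    (40.0, 30.0, 56.0),  # reported position now 30 m off the inertial track
    None,                # no fix: receiver jammed
    (60.0, 0.0, 42.0),   # authentic signal back
]

# Constructed inertial observations at the same instants: (heading_deg, speed_mps).
# Heading 90 degrees is east. These do not depend on GPS in any way.
IMU: List[Tuple[float, float]] = [(90.0, 10.0)] * len(GPS_FIXES)


def dead_reckon(x: float, y: float, heading_deg: float, speed_mps: float, dt: float):
    """Advance a planar position by heading and speed over dt seconds."""
    rad = math.radians(heading_deg)
    return x + speed_mps * dt * math.sin(rad), y + speed_mps * dt * math.cos(rad)


def monitor(gps: List[Fix], imu: List[Tuple[float, float]], dt: float = 1.0,
            max_divergence_m: float = 15.0, max_cn0_jump_db: float = 10.0):
    """Walk the track once.

    Returns (events, positions): events is a list of (sample_index, kind) with
    kind in {"CN0_JUMP", "DIVERGENCE", "JAMMED"}; positions is the navigation
    solution actually used at each instant (GPS when trusted, inertial otherwise).
    Thresholds are illustrative assumptions, not values from the report.
    """
    if gps[0] is None:
        raise ValueError("need an initial GPS fix to initialise dead reckoning")
    est_x, est_y, last_cn0 = gps[0]
    events: List[Tuple[int, str]] = []
    used: List[Tuple[float, float]] = [(est_x, est_y)]

    for i in range(1, len(gps)):
        heading, speed = imu[i - 1]
        est_x, est_y = dead_reckon(est_x, est_y, heading, speed, dt)
        fix = gps[i]
        if fix is None:
            # Jamming: no fix at all, fly on the inertial estimate.
            events.append((i, "JAMMED"))
            used.append((est_x, est_y))
            continue
        fx, fy, cn0 = fix
        suspicious = False
        if cn0 - last_cn0 > max_cn0_jump_db:
            # A genuine satellite signal does not get 10 dB stronger in one second.
            events.append((i, "CN0_JUMP"))
            suspicious = True
        if math.hypot(fx - est_x, fy - est_y) > max_divergence_m:
            # The fix disagrees with where the inertial sensors say we are.
            events.append((i, "DIVERGENCE"))
            suspicious = True
        last_cn0 = cn0
        if not suspicious:
            # Accept the fix and re-anchor dead reckoning on it so drift stays bounded.
            est_x, est_y = fx, fy
        used.append((est_x, est_y))
    return events, used


if __name__ == "__main__":
    for idx, kind in monitor(GPS_FIXES, IMU)[0]:
        print(f"t={idx}s {kind}")
```

Two caveats a practitioner should keep in mind. A patient spoofer can drag the counterfeit position away slowly enough that each step stays under the divergence threshold, so the inertial estimate must be trusted for long enough that accumulated drift becomes the limiting factor, and dead reckoning alone cannot say which of two disagreeing sources is right. And a C/N0 jump is only a heuristic: it catches the crude “overpower” step the report describes, not a spoofer that matches the authentic signal level before taking over.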

The report comes three months after it was revealed that there are 64 drone bases on U.S. soil, with several private companies cleared to operate them. As for legal protections for citizens, “there is very little in American privacy law that prohibits drone surveillance within our borders,” points out Ryan Calo, the director for Privacy and Robotics at the Stanford Center for Internet and Society.

According to the GAO report, the government should set guidelines on drone spying which “could preclude abuses of the technology that could lead to a negative public perception of UAS and possibly affect their acceptance and use.”

FAA documents obtained by the Electronic Frontier Foundation via a Freedom of Information Act request indicate that dozens of local law enforcement agencies fly drones in U.S. airspace.

According to the EFF:

The Seattle Police Department’s drone comes with four separate cameras, offering thermal infrared video, low light ‘dusk-dawn’ video, and a 1080p HD video camera attachment. The Miami-Dade Police Department and Texas Department of Public Safety have employed drones capable of both daytime and nighttime video cameras, and according to the Texas Department of Public Safety’s Certificate of Authorization (COA) paperwork, their drone was to be employed in support of ‘critical law enforcement operations.’

The report noted that commercial and government drone expenditures could top $89 billion over the next decade.

Fake Antivirus App Steals Contact Data on Mobile Devices

The authors of Android.Enesoluty have added another app to their repertoire. The new app is called “Safe Virus Scan” in Japanese, and as the name suggests, it is supposed to function as an antivirus app. However, as you might have guessed, it does not contain any antivirus functionality and the only action it performs is to steal personal data.

Previous variants displayed messages stating that the app was incompatible with the device. However, unlike its predecessors, this app appears as though it actually functions as advertised.

Figure 1. Fake scan run by malicious app

By the time the scan is complete, the app has uploaded all contact data that is stored on the device to an external site. The app is actually quite convincing and it is difficult to identify anything suspicious about it.

As we have seen in similar cases, the app is downloaded by following a link in a spam email that leads to a third-party hosting site.

Figure 2. Site hosting the malicious app

This is a popular method used by scammers to steal contact data in Japan. Some of the spam focuses on introducing apps throughout the whole email, while others only make a small note of the app in an otherwise unrelated email. Some mention that the sender has changed email addresses so that the recipient does not feel suspicious about the email being sent from an unknown address.

Another tactic used recently by these scammers is to create fake Google Play pages to host the apps.

Figure 3. Examples of fake Google Play pages

If you happen to stumble upon these types of tricks, such as emails from unknown senders providing links to download apps, I would advise you to avoid downloading the app involved. To help protect your device, you can install security apps such as Symantec Mobile Security and Norton Mobile Security.