AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

May 2018 - Posts

  • US Court Says Border Searches Require "Suspicion"

    As many travellers may know, people at US borders are subject to an altered set of laws due to the fact that… well, a border is a border. This includes "pseudo-borders" like airports that may be located well within US soil. The most obvious alteration is the seeming suspension of the Fourth Amendment, the Constitutional law that covers one's right against search and seizure.
    Last week, the media was slightly abuzz over a decision by the Fourth Circuit Court of Appeals in Virginia. The appeals court, many news sites mentioned, confirmed that US border authorities cannot search a traveller's cellphone contents without a warrant. Other sites, more law-oriented than general news sites, correctly noted that the court confirmed that phones cannot be searched without a reason (also referred to as cause or suspicion).
    The decision appears to be more nuanced than that, actually. At the border, the government is not bound to the same level of Fourth Amendment oversight as elsewhere in the US – which is why they're already able to go through your luggage for absolutely no reason whatsoever.
    Not only that, they're also able to go through your laptops, USB flash drives (the government has dogs that can sniff out electronics in your luggage), and your smartphones. And when it comes to the last one, they can poke, swipe, and press through it or even do a forensic analysis – all of it without a warrant.

    What's a Manual Search and a Forensic Search?

    The difference between a manual and forensic search of your smartphone (or your laptop) is in whether a device for rummaging through your digital files was doing the searching. If a Customs and Border Patrol (CBP) agent looks through a phone's contents, not unlike what an average guy would do if he found a smartphone just lying on the street, that's a manual search.
    A forensic search usually requires the use of a separate computer or similar device to analyze your smartphone's files: it might go through all of your pictures, videos, emails, texts, apps, GPS data, etc. and analyze file names, file sizes, the existence of hidden files, possibly run facial recognition similar to what Facebook uses for tagging photographs, etc.
    (There is also, apparently, something that is considered to be a "deep forensic examination," although it's not detailed how it differs from a regular forensic search).
    A manual search is considered to be "routine," just like going through your luggage. A forensic search is "nonroutine." That is, you've got to have a reason for doing it. Among examples of nonroutine searches at borders, courtesy of the Appeals Court:
    overnight detention [of a suspect] for monitored bowel movement followed by rectal examination is "beyond the scope of a routine customs search" and permissible … only with reasonable suspicion [, which is the basis for nonroutine searches].
    If you're wondering why the government is detaining people to monitor their caca, it's because it involves a case where a person was suspected of being a drug mule. Notice how the word "warrant" does not show up anywhere. That's because a warrant is not necessary at the border. Whereas a warrant would probably be required in normal circumstances to carry forth what's quoted above, at US borders the government only requires "reasonable suspicion." What exactly is that, you may wonder. Per Wikipedia:
    reasonable suspicion is a legal standard of proof in United States law that is less than probable cause … but more than an "inchoate and unparticularized suspicion or 'hunch'"; it must be based on "specific and articulable facts", "taken together with rational inferences from those facts", and the suspicion must be associated with the specific individual.
    Probable cause, emphasized above, is the basis for obtaining a search warrant. At a border, you don't need probable cause; all you need is its more relaxed, less strict and chill brother – reasonable suspicion. This includes, according to the Fourth Circuit Court of Appeals, instances where the CBP wants to perform a forensic examination of your smartphone. In short, the Appeals Court confirmed that:
    • Forensic searches of phones are allowed at borders as long as authorities can validate their suspicion. This does not mean that they need a warrant. But, it does mean that they must have reason to believe that criminal activity is ongoing.
    • The Fourth Amendment gets suspended at borders.
    We already knew this. So, why all the hubbub? Because it's indicative that things could change at the border.  

    The Application of Riley

    This latest judgment is one of the handful of court decisions that declare that there is a limit to what border agents can do when searching through your devices' data. It is a reflection of US vs. Riley, where the Supreme Court ruled, in 2014, that a warrant is required to go through a phone's data. There are exceptions, of course, in exigent cases. But otherwise, a warrant is required, even if a police officer is merely conducting a manual search (and this applies to flip phones as well as smartphones). This ruling went counter to how police had operated, viewing the search of a detained person's phone as no different from a physical pat-down.
    Since then, the courts have been trying to decide whether Riley applies at borders and, if so, to what extent. Per aclu.org:
    Courts across the country have been struggling with how to apply the Fourth Amendment in this context, in an era when tens of thousands of people are subjected to searches of their electronic devices at the border each year. Today’s ruling from the Fourth Circuit joins an earlier decision from the Ninth Circuit Court of Appeals requiring at least reasonable suspicion for forensic searches of electronic devices seized at the border. In March, two judges on the Eleventh Circuit concluded that such searches should be treated the same as searches of physical luggage, which don’t require a warrant, while a third judge dissented, arguing for a warrant requirement. Earlier that month, a Fifth Circuit judge expressed strong skepticism that the traditional rationales for warrantless border searches should be extended to searches of electronic devices, but that court declined to set a rule.
    As you can see from the above summary, the issue is a contentious one. But if we were to make some projections based on what's happened so far, and what we know so far, it would appear that Riley cannot, and won't, be instituted exactly as it is at borders.
    As already noted, the law operates differently at the border just because it happens to be the border. A warrant has never been required at the border. That's over two hundred years of precedent. The counterargument goes that, well, we've never had the ability to carry through a border what constitutes the entire private contents that are found in your house (medical files, photo albums, correspondence, diary, etc.) and then some.
    Sure.
    But just like invasion of privacy is greatly suspended at the border (honestly, how many people would say searching through a smartphone is more of an invasion than having one's bowel movements monitored and followed by a cavity inspection? Mind you, it has happened and was found legal by the courts), you can expect the courts to dilute the Riley findings when it comes to transnational crossings.  
     
    Related Articles and Sites:
    https://www.aclu.org/blog/privacy-technology/privacy-borders-and-checkpoints/another-federal-court-rules-fourth-amendment
    https://www.theguardian.com/world/2018/may/09/us-border-cell-phone-searches-cant-without-reason-crime-court-ruling
    https://www.eff.org/deeplinks/2018/05/fourth-circuit-rules-suspicionless-forensic-searches-electronic-devices-border-are
    https://en.wikipedia.org/wiki/Reasonable_suspicion
     
  • Yahoo (ie, Altaba) Settles Two Lawsuits Tied To Huge Data Breach

    Last week, Yahoo (now reborn as Altaba after Verizon's acquisition) announced a settlement with the SEC over misleading investors regarding the biggest data breach in known history. The crime: not revealing it in a timely manner. It was one of the many lawsuits the company is fighting currently as a result of the data breach.
    The final settlement is for $35 million.
    Before that, in March, the company also settled a lawsuit for $80 million. As noted by biglawbusiness.com, that would be the first instance of a securities fraud lawsuit tied to a data breach that was successfully won by plaintiffs.

    The Tides are Not Turning

    Over the past ten years (or possibly longer), most if not all lawsuits revolving around a data breach were tossed out of courts for not having "standing." That is, it couldn't be shown that a data breach was directly tied to a harm… if there was any harm at all. So, the cases were tossed out of court.
    For example, nearly all courts ruled that having your personal information stolen in and of itself was not an actual harm. So, if you were suing a company merely because they were hacked and your information was stolen, forget about it. No standing.
    (Call the same information a client list, and switch a company's status from defendant to plaintiff, though, and suddenly it has value and hence standing in court. The prosecution of client list theft is quite the business in legal circles. The irony).
    Returning to the topic at hand, even if you were eventually harmed per the courts' definition – due to identity theft, phishing attempts, etc. – data breach victims still couldn't see their day in court because the link between the data breach and their being victimized is tenuous. With so many companies losing personal information left and right, it's virtually impossible to show that your personal torments are tied to a particular data breach.
    So, these latest legal results seem to indicate, if certain headlines are to be believed, that companies are sensing that the courts will change their stance. But that's not the case at all.  

    $350 Million

    After learning of the data breach, Verizon knocked off $350 million from the original acquisition offer for Yahoo. This means that shareholders of Yahoo stock received, as a group, $350 million less than they could have. That's not chump change.
    As a result, it could be argued, and it has, that the data breach was material information that could affect a stock's market price, and that it was not revealed in a timely fashion.
    Not revealing pertinent information in a timely fashion is illegal for companies listed in stock markets. It is this illegality that the courts would have ruled on. Yahoo/Altaba, knowing they were licked, offered a settlement in both cases. So, what you're seeing here is not a watershed moment but more of the same.
    If we were to look for a silver lining, maybe it's that companies now know how bad things can get if they don't go public over a massive data breach within a reasonable amount of time. Do it fast enough and all you have to deal with is a bunch of lawsuits that won't go anywhere. Delay and hide, and you get the same plus lawsuits that will cost you big.
     
    Related Articles and Sites:
    https://www.databreaches.net/altaba-formerly-known-as-yahoo-charged-with-failing-to-disclose-massive-cybersecurity-breach-agrees-to-pay-35-million/
    https://biglawbusiness.com/yahoo-agrees-to-pay-80m-to-settle-securities-fraud-suit/