Research in Motion (RIM), the BlackBerry manufacturer, has published an update addressing a flaw in the way security certificate mismatches are reported by the BlackBerry that could be exploited to initiate a phishing attack.
Affected are the BlackBerry software versions 4.5 to 4.7, whereas both the Blackberry Desktop and Server software are unaffected.
In mid to late August, the US Department of Homeland Security (DHS) has issued two new directives, CBP Directive No. 3340-049 – “Border Search of Electronic Devices Containing Information” and ICE Directive No. 7-6.1 – “Border Searches of Electronic Devices”, that apply to US Customs and Border Protection (CBP) and US Immigration and Customs Enforcement (ICE), respectively, as reported by the Federal Computer Week and other publications.
They specify the circumstances under which laptop computers and other electronic media can be searched at the border by border and immigration agents.
Please be aware that an officer, subject to various requirements and limitations, may, “with or without individualized suspicion,” examine the electronic device and “review and analyze” the information.
The American Civil Liberties Union (ACLU) considers the new rules to be a good first step but cautions that “the new standards fail to address the fundamental constitutional problems of suspicionless searches that have been occurring at the border.”
Two of the improvements found in the new policies are that a limit has been set on the time that CBP officers can retain the laptop computers and electronic devices they are searching, and that now probable cause is required for the agency to be allowed to keep information gathered from the aforementioned laptops and devices.
As the San Francisco Chronicle and others reported, programmer Joey Hess determined more than a week ago that his new Palm Pre was “calling home” to the Palm headquarters all the time, reporting his location.
This “feature” does not just drain the battery faster, it also shows a blatant disregard for cellular users’ privacy.
By default, the Palm Pre collects GPS location/coordinates non-stop and sends this data to Palm all the time. It stands to reason that Palm correlates said information in a database with the subscriber/registration info.
Whereas the GPS function of an iPhone, for all that’s known, requires explicit user approval and provides a prompt whenever an application uses it, Palm apparently elected to continuously track the users’ whereabouts, be it to provide them with localized information or to provide said information to third parties, e.g. for marketing purposes.
For all practical purposes, the Palm Pre becomes the equivalent of an ankle bracelet, usually used to track criminals, unless the user knows about this and turns the function off.
This can be done under Location Services, by switching Background Data Collection to “OFF”, according to Palm. Given that Palm did not take privacy serious the first time around, one might wonder though whether or not this actually stops the collection and transmittal of the information or simply tags it as “private” or “confidential” in their database.
Alternatively, if you’re more of a geek and like to play around with the innards of the Linux-based WebOS operating system, go to the command line and comment out the ‘exec’ line in /etc/event.d/uploadd, then reboot and “disable” the contextupload process (started by dbus) by removing or renaming /usr/bin/contextupload. Just bear in mind that these changes will not necessarily survive an upgrade of the WebOS operating system.
Palm’s privacy policy covers this, but is fails to explain that the “Location Based Services” are activated by default:
- On-Device Services. If you use services we provide through your Palm mobile device, we will collect information relevant to providing the services and as you designate. For example:
- Remote Diagnostics and Updates. When you use a remote diagnostics or software update service, we will collect information related to your device (including serial number, diagnostic information, crash logs, or application configurations) as required to help identify and troubleshoot issues, and to provide such services.
If you would like us to help you assure that your applications don’t commit a similar faux pas, contact us today.
