THIS YEAR, LAWMAKERS surprised us by taking initial steps—albeit, baby ones—to rein in some of the NSA’s mass spying and provide better oversight of the intelligence agency’s activities. It’s unclear, however, if these gains and other privacy victories will hold or will be undone in the panic after the Paris attacks.
Following the terrorist assault in November, which killed more than 100 people, US government officials seized the opportunity to revive their campaign against encryption and password-protected devices, calling on companies like Apple and Google to install “voluntary backdoors” in their phones so law enforcement can access protected content with, or perhaps even without, a warrant. Lawmakers have also introduced legislation that would reinstate the NSA’s program for bulk-collecting US phone records, a program that lawmakers ended earlier this year.
So although we’ve had a few victories on the privacy and security fronts in 2015, it’s unclear whether they will endure or turn into more losses. With that caveat in mind, we’ve compiled a list of the year’s winners and losers: the people, companies, and events that had the biggest security wins and most epic fails—many of which bolstered, or compromised, your online privacy and security.
California Passes the Nation’s Best Digital Privacy Law
California has long led the nation in progressive privacy laws and this year it continued that tradition by passing the most comprehensive data-protection law in the country. The state’s new Electronic Communications Privacy Act bars any state law enforcement agency or other investigative entity from compelling a business to hand over metadata or digital communications—including emails, texts, and documents stored in the cloud—without a warrant. It also requires a warrant to track the location of electronic devices like mobile phones, or search them. Only a handful of other states have data-protection laws, and these are more limited in the protections they provide. Five other states, for example, have warrant protection for content, and nine others have warrant protection for GPS location tracking. But California’s law is the first to provide comprehensive protection for location data, content, metadata, and device searches. Even the nation’s federal laws are not as comprehensive as the Golden State’s new statute. Where California legislation goes, other states often follow. Let’s hope that’s true in 2016.
Apple vs. the Feds
If you have the NSA to thank for anything, thank it for the competitive race it spawned among tech companies who are scrambling to outdo one another to protect your data. Apple took the lead when it announced last year that its new iOS 8 operating system would encrypt nearly all data on iPhones and iPads by default—including text messages, photos and contacts—and that the company would no longer be able to unlock customers’ phones if they’re protected with a passcode. Previous versions of the operating system allowed Apple to unlock devices with a key the company controlled. Google announced it would follow suit with its next Android software release, and the praise, and backlash, were immediate. While consumers lauded the two companies for putting privacy first, US Attorney General Eric Holder and FBI director James Comey blasted the two companies, saying the move would prevent law enforcement from accessing data even when they have a warrant (which is only partly true, since law enforcement with a warrant can still access metadata and data backed up to iCloud). The FBI also warned that the lives of children were at stake. But this year, even as US authorities stepped up their call for encryption backdoors, Apple CEO Tim Cook stood firm, asserting that “any backdoor [for US law enforcement] is a backdoor for everyone” and would weaken security for all.
Capitol Hill Two-Step
Federal lawmakers finally voted to rein in NSA spying with passage of the USA Freedom Act, though the bill took several attempts and more than a year to pass, and civil liberties groups criticized it for not going far enough to reform government surveillance. The law’s biggest privacy win? It put an end to the NSA’s bulk collection of phone records from US telecoms. Instead, the legislation calls for telecoms to retain the records and allows the NSA to access only records that are relevant to a national security investigation and only with a court order from the Foreign Intelligence Surveillance Court. The legislation gave the government six months to wind down the current collection program and transition to the new arrangement, which it did at the end of November. But the program hadn’t even ended before Republican lawmakers, riding the wave of fear that arose after the terrorist attacks in Paris last month, introduced a new bill that would roll back the USA Freedom Act and reauthorize the government’s collection of phone records through 2017.
FISA Court Finally Gets Public Advocates
The Edward Snowden leaks in 2013 made one thing very clear—the government needs to reform the Foreign Intelligence Surveillance Court. The court of rotating federal judges was responsible for authorizing the spy agency’s controversial mass collection of US phone records as well as its PRISM program, which bulk-collects data from Google, Yahoo, and other tech companies using broadly written terms. Until now, anytime the government wanted to obtain a court order for data, the FISA Court heard only one argument—that of the government’s—with no one present to question the request’s lawfulness or to advocate for more measured surveillance requests. Although the companies receiving the court orders could resist on grounds that the orders were too broad, few did so, leaving consumers, and their private data, defenseless. This is about to change, hopefully. The USA Freedom Act, which federal lawmakers passed in June, required the appointment of public advocates who can provide balance to the process and represent the public’s privacy interests in FISA Court proceedings. In November, the court finally picked five public advocates for this purpose—and it’s a list that even civil liberties groups have called “impressive.”
Tesla—No Gas, No USB
Software makers like Microsoft, Apple, and Google have long had the ability to quickly fix vulnerable code by distributing patches for users to download and install. Vehicle makers are fairly new to the software game, however, and although they’re now selling cars and trucks that contain code that is critical to the safety and operation of their vehicles, they have yet to become adept at responding to and fixing vulnerabilities in that code. Tesla is the exception. After researchers found six vulnerabilities in its Model S, the company worked with them over several weeks to develop fixes for some of the flaws. But more impressively, the company delivered the fixes via an over-the-air patch sent to every Model S remotely. If only Chrysler, which had to mail software fixes to car owners on a USB stick, had been able to do the same.
Privacy and Security Losers
The US Office of Personnel Management’s Struggle to… Manage
OPM, or the US Office of Personnel Management, takes the top spot for the worst security fail in 2015. For more than a year, hackers—reportedly from China—were in the agency’s networks unimpeded, accessing sensitive unencrypted data on more than 21 million federal workers and contractors. This included more than 19 million people who had applied for security clearances and undergone background investigations as well as 1.8 million spouses and live-in partners of applicants, who were questioned as part of their background checks. It also included the fingerprint files of some 5.6 million federal employees, many of whom hold classified clearances and use their fingerprints to gain access to secured facilities and computers. The breach exposed the agency’s abhorrent lack of concern over security. Until 2013, for example, the OPM had no IT security staff at all and in 2014 it was harshly criticized in an inspector general’s report for its failure to encrypt data and use multi-factor authentication for workers remotely accessing its network. And, of course, there were obvious problems with monitoring its network for intruders. OPM didn’t discover the breach on its own; the intrusion was only uncovered after a security firm, performing a sales demo with the aim of acquiring OPM as a client, detected suspicious traffic on OPM’s network. OPM chief Katherine Archuleta rightly resigned after the breach went public, but the effects of the massive hack live on—six months later, the agency is still sending out notices to victims affected by it.
AshleyMadison Cheaters Were Cheated Out of Their Privacy
Customers of AshleyMadison.com, which touts itself as the premier platform for marital cheating, aren’t exactly a sympathetic bunch. But it was hard not to feel empathy for some of them after a hacker (or hackers) stole the site’s customer and employee data and ruined many lives. When the company refused to meet the hacker’s demand to shut down the site, the intruder dumped more than 30 gigabytes of company emails and documents online, including details and log-ins for some 32 million user accounts. At least one user whose real identity was exposed in the breach—a married pastor in New Orleans who already suffered from depression—committed suicide following the exposure. A Texas police chief, also under prior work-related stress, killed himself as well after being falsely identified as a customer of the site. One victim who drew no sympathy? Noel Biderman, CEO of AshleyMadison’s parent company, who resigned from his job in the wake of the breach. He stepped down from his position, however, not after losing customer data but only after the hacker published emails from his work account purportedly showing the married Biderman arranging several assignations with a paid escort.
Gemalto’s Rapid Response to Hack Was a Little Too Rapid
When news broke this year that the Dutch firm Gemalto, a leading maker of chips for mobile phone SIM cards, had been hacked years ago by the NSA and Britain’s GCHQ in an effort to steal its cryptographic keys, Gemalto insisted that the spy agencies never succeeded in their mission. This was good news since the company’s cryptographic keys are used to help secure the phone communications of billions of customers of AT&T, T-Mobile, Verizon, Sprint, and more than 400 other wireless carriers in 85 countries. If the spy agencies had stolen Gemalto’s keys, it could have allowed them to intercept and decipher encrypted phone communications between mobile handsets and cell towers without the assistance of telecom carriers or the oversight of a court. But just six days after news of the breach broke, Gemalto published the findings of its breach investigation, which was strange, since the breach had occurred in 2010 and 2011, according to Snowden’s leaked documents. This should have made it difficult, if not impossible, to reconstruct the intrusion in full. Gemalto asserted that it was able to do so because it had detected a breach in 2010 that it assumed was the same one referred to in the Snowden documents and still had records from that breach to consult. The attackers in that breach, Gemalto said, only accessed its office networks and did not reach systems where keys were stored. Furthermore, the company asserted, the breach “could not have resulted in a massive theft of SIM encryption keys” because by the time of the intrusion, Gemalto had widely deployed a secure key transfer system with most customers, and any theft of keys could only have occurred in a few rare situations where it had not deployed this transfer system. Many in the infosec community scoffed at Gemalto’s conclusion and the idea that it could thoroughly investigate a five-year-old breach, particularly one conducted by sophisticated spy agencies.
Oracle CSO’s Screed Against Security Researchers
She was probably only expressing loudly what many companies think, but Oracle’s Chief Security Officer Mary Ann Davidson should have known better when she published a 3,000-word rant against customers who report security holes found in the company’s software. Davidson ridiculed “hyperventilating” customers who report bugs out of concern that “the Big Bad Advanced Persistent Threat using a zero-day is out to get me!” She also leveled a veiled legal threat against them by reminding them that reverse-engineering Oracle’s code to find vulnerabilities is a violation of their customer agreement. It’s the sort of hostile stance the security community used to get from tech giants like Microsoft on a regular basis … years ago. But those companies have all come around to recognizing the great value that researchers who find security holes in their software provide—sometimes by rewarding the researchers with lucrative bug bounties. So it’s no surprise that the reaction to Davidson from the security community was swift and harsh, leading Oracle to hastily delete her blog post and assert that her comments did “not reflect our beliefs or our relationship with our customers.”
Hillary Clinton’s Server
Hillary Clinton’s rogue email server dominated so many headlines this year that, inevitably, it got its own parody Twitter account. Questions still remain about why the former secretary of state and current presidential candidate maintained a private email account and server exclusively to conduct government business while she was secretary of state. Was it done to hide her government correspondence from public records requests? The Clinton camp denies this. But if Clinton was trying to keep her correspondence away from the public, the plan was a security fail. Putting her email server in the hands of a small private company, rather than the federal government’s own IT security team, made it more vulnerable to hackers and more likely that any classified information discussed in her emails would be exposed. Clinton’s email server was indeed in the sights of hackers after one intruder named Guccifer hacked into the private AOL account of her former White House staffer Sidney Blumenthal in 2013 and siphoned some of his correspondence with Clinton. In the batch of emails Guccifer grabbed he discovered and publicly exposed her private email address and domain clintonemail.com. There’s no known evidence that Clinton’s own email account and server were hacked, but among the emails investigators have found on her server were several phishing emails containing virus-laden attachments that might have allowed attackers access to her system if she had clicked on them.