Apple, Google, Twitter, Facebook And Other Tech Giants Demand Change To The US Surveillance Laws

America‘s leading technology companies have united to demand significant changes in US surveillance laws, pushing for an international ban on data being collected in bulk in order to preserve their customers’ “trust in the internet.”

The Guardian reports that Apple, Google, Microsoft, Facebook, Yahoo!, LinkedIn, Twitter and AOL have written a joint-letter to Washington in response to the disclosures of NSA whistleblower Edward Snowden.

“The balance in many countries has tipped too far in favour of the state and away from the rights of the individual – rights that are enshrined in our constitution,” the letter urges.“This undermines the freedoms we all cherish. It’s time for change.”

The companies claim Snowden’s revelations have made people afraid of subscribing to them, thus making the NSA a threat to the American economy and private sector.

“People won’t use technology they don’t trust,” said Brad Smith of Microsoft’s general counsel. “Governments have put this trust at risk, and governments need to help restore it.”

Another composer of the letter was Yahoo! CEO Marissa Mayer:

“Recent revelations about government surveillance activities have shaken the trust of our users, and it is time for the United States government to act to restore the confidence of citizens around the world,” she said.

The letter also features a list of five “reform principles” derived by bipartisan legislation to limit the power of the NSA proposed by Patrick Leahy, the Democratic chair of the Senate judiciary committee, and Rep. Jim Sensenbrenner, the Republican author of the Patriot Act.

The tech firms, along with Leahy and Sensenbrenner, agree that the NSA should not be allowed to gather mass quantities of data from people it does not have cause to suspect of terrorism.

“Governments should limit surveillance to specific, known users for lawful purposes, and should not undertake bulk data collection of internet communications,” reads the list of principles.

The companies argue that request for data should be limited by a new set of rules that balance the “need for the data in limited circumstances, users’ reasonable privacy interests, and the impact on trust in the internet.”

Another previous demand repeated in the letter states that tech companies should be allowed to reveal how often requests for data are made.

The proposed legislation directly conflicts with a rival bill composed by Dianne Feinstein, the Democratic chair of the Senate Intelligence Committee, which would cement and protect the NSA’s right to collect data in bulk.

The eight companies also highlight the fear that responses to Snowden’s leaks will not only hurt them commercially, but also lead to the government dividing the web into separate warring units to prevent tech companies from seeking business overseas.

“The ability of data to flow or be accessed across borders is essential to a robust, 21st century, global economy,” the companies argue.“Governments should permit the transfer of data and should not inhibit access by companies or individuals to lawfully available information that is stored outside of the country. Governments should not require service providers to locate infrastructure within a country’s borders or operate locally.”

They also argue that foreign governments should agree on a new set of standards for regulating surveillance in order to prevent legal disputes that could damage international trade.

“In order to avoid conflicting laws, there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions, such as improved mutual legal assistance treaty – or “MLAT” – processes,” say the companies. “Where the laws of one jurisdiction conflict with the laws of another, it is incumbent upon governments to work together to resolve the conflict.”

Internet pioneer Martha Lane Fox, a former digital ambassador to Britain, told the Guardian that the letter displays a lack of understanding regarding the scale and complexity of the British government’s surveillance programs.

“We do have an issue in this country among the corporate world, the political establishment and the general population where we have a shortage of skills and understanding for the digital age,” she said.“There is an absence of a clear, coherent debate around this subject in this country and it’s a very big issue that will only become more frequent the more technologically dependent we become. [The government] needs to listen to people, to examine whether their policies are fit for the digital age. It’s not that people aren’t used to their data being collected, but what it is being collected for, and there needs to be a distinction between the average person and a security threat.”

The letter concludes with the eight companies stressing that all businesses have the responsibility to protect the privacy of their clients or customers.

“For our part, we are focused on keeping users’ data secure, deploying the latest encryption technology to prevent unauthorised surveillance on our networks, and by pushing back on government requests to ensure that they are legal and reasonable in scope,” it says.“We urge the US to take the lead and make reforms that ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight.”

Google, Twitter, Yahoo! and, as of last week, Microsoft have all heightened the security of their products by introducing “perfect forward secrecy,” a type of encryption that protects data on their internal systems.

“The security of users’ data is critical, which is why we’ve invested so much in encryption and fight for transparency around government requests for information,” said Google’s chief executive, Larry PageThis is undermined by the apparent wholesale collection of data, in secret and without independent oversight, by many governments around the world. It’s time for reform and we urge the US government to lead the way.”

Via: The Guardian, Top Photo Credit: Justin Sullivan/Getty Images

Read More

Google Wants To Make Your Passwords Obsolete

The YubiKey Neo is a small, batteryless USB device that offers a very secure alternative to user-generated passwords.

If there’s one thing that decades of computer use have taught security experts, it’s that most of us are really bad at creating good passwords. After the recent data breach involving Adobe’s customer accounts, security researcher Jeremi Gosney took a look at the stolen data and found that the most popular user password was “123456″, with “password” not far behind. It’s a given in thesecurity industry that when consumers have a choice between safety and convenience, the latter usually wins.

Based on security technology found in the smart card devices favored by the military, the YubiKey Neo can be thought of as a digital key. Your Google account is the lock; one that is configured on-the-fly to accept only the YubiKey Neo in your possession. Because the YubiKey Neo and Google’s Chrome browser will engage in secure public-key encryption, the user-generated password you’d normally enter along with your username can be reduced to a simple four-digit PIN. The username and PIN simply state your identity. The YubiKey Neo is what actually verifies it.If Google GOOG -0.2% has its way, however, the very notion of typing in a password may soon be obsolete. In 2014, the Internet giant plans to release an ultra-secure and easy to use identity verificationplatform that eliminates the need for long, user-generated passwords. Dubbed U2F (Universal 2nd Factor), the consumer-facing side of this initiative will be a USB dongle called the YubiKey Neo. Built to Google’s specifications by security specialist Yubico, the YubiKey Neo is a small, durable and driverless device that requires no battery. Plugged into your computer’s USB port it will add a second, highly secure layer of verification when you point Google’s Chrome browser to your Gmail or Google Docs account. You’ll initiate the login by typing your username and a simple PIN. The browser will then communicate directly with the YubiKey Neo, using encrypted data, to authorize account access. With U2F verification, if someone wanted to login surreptitiously to your account, he or she would need to know your username and PIN while simultaneously having physical possession of that specific YubiKey Neo.

Although U2F logins are not yet available to the public, Google has already deployed several hundred thousand YubiKey Neo devices to its employees since the beginning of 2013, according to Yubico CEO, Stina Ehrensvärd. Google’s Product Management  Director for Information Security, Sam Srinivas confirmed the scope of the internal pilot program – as well as a 2014 public release – and says that the response to the device has been overwhelmingly positive, with employees remarking on the ease of use.

This is more than just a deal between Google and Yubico to provide more secure access to your Gmail account, though. Last February, Google joined the FIDO (Fast IDentity Online) Alliance, an industry standards group committed to effective, easy-to-use, open source solutions to Internet security. And when it joined the FIDO Alliance, Google published its U2F specification as an open standard, available to all interested parties. The Alliance, while still growing, includes heavyweights like PayPal, MasterCard MA +0.05%, Lenovo and LG Electronics , along with security specialists like NXP  Semiconductor and Yubico.

It’s clear to Google and everyone else involved in the FIDO Alliance that for U2F to be viable, it must be implemented across a broad range of consumer products and services. The goal is ambitious: to create a viable ecosystem of web browsers, apps and hardware authentication devices supporting the protocol so that users can have easy, secure access to shopping, financial and social sites from both their desktop and mobile devices.

Because the login information that you manually provide (username and PIN) is only the first step of authentication, representatives from Google, NXP and Yubico that I spoke with all emphasized that you can reuse your PIN across multiple sites without compromising security. A single four-digit PIN, used on every site you visit, would be a game-changer for consumers, and make hard-to-remember passwords a thing of the past.

While the YubiKey Neo is the first U2F-certified hardware device, FIDO Alliance members expect competition to soon follow, in the form of chips embedded into new computers and biometric-scanning devices that use fingerprints or other unique physical traits to verify identity. For now, the YubiKey Neo offers an interesting look at the possibilities of the U2F standard. One of the great usability benefits of the YubiKey Neo is that this single hardware device can work with any number of U2F-enabled sites. You could register the same YubiKey Neo to work with all of your email, banking and social media accounts.

User privacy gets a prominent role in the U2F specification. No personal information is stored on the device. Nor is it possible for a thief to determine the individual sites that your YubiKey has been configured to work with. Furthermore, because it’s a physical product, rather than a virtual one that can be surreptitiously copied, you’ll know when your YubiKey Neo goes missing.

Not to be overlooked is the fact that you will buy the YubiKey Neo, thus owning your digital “key” outright. While Ehrensvärd offered no firm details on pricing, she envisions scaling to the point where YubiKey Neos, “can be bought at your local 7-Eleven in packs of five.” You could keep the extras as backups. In the case of loss or theft, you will be able to disable the connection between the sites you log into and the missing YubiKey Neo, and simply register one of your backups, instead. And keep in mind that even if a YubiKey Neo is lost or stolen, anyone trying to use it to access your accounts would need to know which site or sites it was registered with as well as your username and PIN.

For mobile devices, the YubiKey Neo is currently limited to compatibility with NFC-enabled smartphones, a shortcoming that Ehrensvärd readily acknowledges. She tells me however, that they are working on a solution for non-NFC devices (iPhone, anyone?) and will be ready to announce a solution in early 2014.

The big news about Google’s participation in the FIDO Alliance is, of course, that its millions of users will be exposed to the U2F standard. And ultimately it’s consumers who will decide if a U2F ecosystem will develop and flourish. If U2F becomes synonymous with customer security, much the way SSL certificates did years ago, adoption rates will grow.

The promise of a digital life unencumbered by the need to create passwords is a tantalizing one. Beyond simple convenience, however, the U2F standard offers robust protection against malware that records your keystrokes, since there’s no password to type. Phishing attacks, in which you unknowingly submit information to fake sites, are greatly minimized as well. For an in-depth look at the U2F protocol, Google has posted several documents with details about the specification.

We shouldn’t get ahead of ourselves, particularly since there isn’t a publicly available product yet, but we may be on the verge of a much more secure Internet, with an implementation easy enough for consumers to actually use.

Read More

Google Unveils Second Generation Google Glass

Although the first generation Google Glass has yet to see a wide release, Google has already unveiled the second generation of the device. Presented with a new hardware update, the redesign of the wearable augmented reality (AR) unit will now be compatible with existing prescription eyeglasses. Further additions include an external mono earbud that replaces the previous bone-conduction speaker from the first prototype.

Earlier in the week, the tech giant announced it would expand their current Explorer program, offering existing Glass users the chance to invite three friends in the U.S. to become part of the test group. For your chance to be enrolled in the program, head over here

Read More

BlackBerry wrinkles its nose at fake BBM reviews

How did all those "potentially fake" positive -- and badly written -- reviews of the BBM messaging app get on the Google Play Store? Beats us, BlackBerry says.

• Comments

BlackBerry CEO Thorsten Heins announcing BBM support for iOS and Android in May 2013.

(Credit: Brian Bennett/CNET)

If you can't trust anonymous Internet commenters, who can you trust? BlackBerry has denied it has anything to do with a vast swath of positive -- if overwhelmingly badly written -- reviews of itsBBM messaging app on the Google Play Store.

"We have been made aware of a number of potentially fake reviews of BBM for Android on Google Play, with ratings anywhere from one to five stars," BlackBerry told The Next Web. "We have no knowledge of how these reviews were created or populated. We do not approve of or condone such activities."

BBM finally launched for Android and iOS on Monday, having been delayed for months -- leaving a vacuum into which poured many a fake. On Thursday blogger Terence Eden noted thousands of reviews had appeared on Google Play all saying the same thing: "Thank you so much blackberry team. I was waiting this app. Its really great user friendly and smooth."

This story originally appeared at CNET UK under the headline "BlackBerry denies fake BBM reviews as Samsung fined."

Read More

Google could have a floating data center in Maine, too

The tech giant is likely building a floating data center in San Francisco Bay. But a very similar project rolled into the harbor in Portland, Maine, earlier this month. The two are definitely connected.

This structure, seen on a barge in Portland, Maine, could well be a Google floating data center. A very similar structure is under construction in San Francisco Bay.

(Credit: John Ewing/Portland Press Herald)

As CNET reported Friday, it looks very much like Google has been building a floating data center made from shipping containers on a barge in the middle of San Francisco Bay. But it may not be the only one of its kind.

Google has not responded to multiple requests for comment. But the project in San Francisco Bay appears likely to be the manifestation of a 2009 patent for a "water-based data center," and would likely leverage the fact that wave energy can provide cheap and plentiful power.

Now it seems as though Google may well have built a sister version of the project, and, according to the Portland Press Herald, it recently showed up in the harbor in Portland, Maine.

In both cases, the structures on both barges appear to be made from a number of shipping containers, many of which have small slats for windows, and each has one container that slants down to ground level at a 45-degree angle.

The registration on the Portland barge is "BAL 0011," which ties it to the barge in San Francisco Bay, which has the registration number "BAL 0010." Both are owned by By and Large, LLC.

(Credit: Tom Bell/Portland Press Herald)

If that wasn't enough to establish that the two are related, it's also clear that both were built on barges owned by the same company. The one in San Francisco Bay was built on top of a barge with the registration "BAL 0010," while the one in Portland harbor is on a barge with the registration "BAL 0011." According to online documents, both are owned by By and Large, LLC. That company, which has a miniscule online profile, is also the current tenant in Hangar 3, an immense building alongside the pier where the San Francisco Bay project is under construction.

The structure that is likely a Google floating data center, on a barge in San Francisco Bay.

(Credit: James Martin/CNET)

Now the question is, if there's one in San Francisco Bay and another in Maine, are there more out there? If you've seen a barge with a large structure that looks like the ones pictured here, please let me know.

Read More