People who constantly reach into a pocket to check a smartphone for bits of information will soon have another option: a pair of Google-made glasses that will be able to stream information to the wearer’s eyeballs in real time. According to several Google employees familiar with the project who asked not to be named, the […]
Tech companies, coming off a strong earnings season, were big winners Thursday as markets rose to multiyear highs on reports of a strengthening economy. Though tech bellwethers during the last month have reported strong earnings, market watchers have feared that spending on IT could be curbed this year by slow economic growth and the specter […]
Mozilla plans to release a concept version of Firefox for Windows 8's new Metro interface in the second quarter with alpha and beta versions to follow in the second half of 2012. Mozilla announced the Firefox for Metro project in conjunction with its 2012 strategy documentation deluge. Metro is a new user interface that replaces […]
Microsoft appears to be getting set to launch a preview of the Windows 8 operating system that will allow average computer users to check out the forthcoming OS several months after IT pros got their first look. It hasn’t announced a release date yet, but the software maker earlier this week was touting the Windows […]
The decade-old OS has slowly been losing more users to Windows 7, but January marked a small resurgence in its grip on the market, according to stats out today from NetApplications. For the month, Windows XP grabbed 47.19 percent of all OS users, inching up from 46.5 percent in December. At the same time, Windows 7 saw its […]
Intel-owned McAfee has released Mobile Security 2.0, which allows users of Android-based smartphones and tablets to keep better track of what applications are up to, the company said on Monday. Today, many of Android’s perceived security weaknesses stem from the openness of Android Market, and the availability of rogue applications. McAfee has taken that to […]
Has a slow Web been getting you down lately? Just imagine if your multibillion-dollar business depended on it, as Google’s does. Then imagine the glee in Google’s corridors at a significant new victory in the company’s attempt to build a Web-accelerating technology it calls SPDY into the Internet. Earlier today, Mark Nottingham, chairman of the […]
The FBI has busted the alleged operators of Internet locker service Megaupload, which had become one of the most popular video destinations on the Web, according to a statement from the U.S. Justice Department and FBI. Seven people have been named in an indictment and four suspects have been taken into custody, according to the […]
Hackers have targeted the US government and copyright organisations following the shutdown of the Megaupload file-sharing website. The Department of Justice (DoJ), FBI and the Motion Picture Association of America (MPAA) among others have been bombarded with internet traffic. Web links have been distributed which, when clicked, make the user’s computer […]
Three of the Internet’s most popular destinations (Google, Wikipedia, and Craigslist) launched an audacious experiment in political activism this evening by urging their users to protest a pair of Hollywood-backed copyright laws. Wikipedia’s English-language pages went completely black at 9 p.m. PT, with a splash page saying “the U.S. Congress is considering […]
Google’s Street View cars collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world, a practice that raises novel privacy concerns, CNET has confirmed.
The cars were supposed to collect the locations of Wi-Fi access points. But Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks and then made the data publicly available through Google.com until a few weeks ago.
The French data protection authority, known as the Commission Nationale de l’Informatique et des Libertés (CNIL) recently contacted CNET and said its investigation confirmed that Street View cars collected these unique hardware IDs. In March, CNIL’s probe resulted in a fine of 100,000 euros, about $143,000.
The confirmation comes as concerns about location privacy appear to be growing. Apple came under fire in April for recording logs of approximate location data on iPhones, and eventually released a fix. That controversy sparked a series of disclosures about other companies’ location privacy practices, questions and complaints from congressmen, a pair of U.S. Senate hearings, and the now-inevitable lawsuits seeking class action status.
A previous CNET article, published June 15 and triggered by the research of security consultant Ashkan Soltani, was the first to report that Google made these unique hardware IDs–called MAC addresses–publicly available through a Web interface. Google curbed the practice about a week later.
But it was unclear at the time whether Google’s location database included the hardware IDs of only access points and wireless routers or client devices, such as computers and mobile phones, as well.
Anecdotal evidence suggested they had been swept up. Alissa Cooper, chief computer scientist at the Center for Democracy and Technology and co-chair of an Internet Engineering Task Force on geolocation, said her 2009 home address was listed in Google’s location database. Nick Doty, a lecturer at the University of California at Berkeley who co-teaches the Technology and Policy Lab, found that Google listed his former home in the Capitol Hill neighborhood in Seattle.
“It would be helpful to have some clarity about why and how (a hardware address) got in there so people can act accordingly,” says Soltani, the security researcher.
Google declined repeated requests for comment for this article over a period of more than a week. In a statement last month, the search company said only that “we collect the publicly broadcast MAC addresses of Wi-Fi access points,” which addressed only current and not past practices.
Google does not provide any method, sometimes called an opt-out mechanism, that would allow people who don’t want their unique hardware IDs in the database to remove them. Instead of using Street View cars, Google now “crowdsources” its location database by using Android phones.
The most likely explanation of how the Wi-Fi devices were included is the simplest: Just as an accident of programming led to Street View cars collecting (in relatively few cases) the contents of unencrypted wireless communications, client hardware addresses were also vacuumed up. Then they were added to Google’s geolocation database, which was publicly available without access restrictions until late June.
Wi-Fi-enabled devices, including PCs, iPhones, iPads, and Android phones, transmit a unique hardware identifier to anyone within a radius of approximately 100 to 200 feet. If someone captured or already knew that unique address because they had access to the device, Google’s application programming interface, or API, revealed where that device was located, a practice that can reveal personal information including home or work addresses or even the addresses of restaurants frequented.
To be sure, it’s not always easy to learn a target’s MAC address. It’s generally not transmitted over the Internet. But anyone within Wi-Fi range can record it, and it’s easy to narrow down which MAC addresses correspond to which manufacturer. Someone, such as a suspicious spouse, who can navigate to the About screen on an iPhone can obtain it that way too.
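As an added illustration (example code written for this page, not part of the original article and not a tool of Google, CNIL or any researcher named above): the two passages above turn on the fact that a Wi-Fi client's burned-in MAC address is a stable, globally unique identifier whose first three octets name the manufacturer. Whether an address is that kind of identifier is decided by two flag bits in its first octet, which the following Python reads. The sample addresses are constructed; the example does not include a manufacturer table, since vendor lookup is done against the public IEEE registry, which is assumed to be consulted separately.

```python
"""
Classify MAC addresses by the flag bits in their first octet, to show which
observed addresses are persistent hardware identifiers (privacy-relevant) and
which are locally administered (typically randomized) or group addresses.
Example code for this page; sample addresses below are constructed.
"""
import re

# IEEE 802 MAC address: six hex octets, separated consistently by ':' or '-'
# or written without separators.
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})([:-]?)([0-9A-Fa-f]{2})(?:\2[0-9A-Fa-f]{2}){4}$"
)


def parse_mac(text):
    """Return the six octets as a list of ints, or raise ValueError."""
    cleaned = text.strip()
    if not _MAC_RE.match(cleaned):
        raise ValueError(f"not a MAC address: {text!r}")
    hexdigits = re.sub(r"[:-]", "", cleaned)
    return [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]


def classify_mac(text):
    """
    Describe what an address reveals. The first octet carries two flag bits:
      bit 0 (0x01): I/G - 1 = group (multicast/broadcast), 0 = individual
      bit 1 (0x02): U/L - 1 = locally administered (e.g. a randomized address),
                          0 = universally administered (burned-in, stable)
    A universally administered individual address is a stable, globally unique
    identifier for that radio, and its first three octets (the OUI) identify
    the manufacturer via the IEEE registry. A locally administered address has
    no meaningful OUI and is not a reliable long-term identifier.
    """
    octets = parse_mac(text)
    first = octets[0]
    group = bool(first & 0x01)
    local = bool(first & 0x02)
    oui = "{:02X}:{:02X}:{:02X}".format(*octets[:3])
    return {
        "normalized": ":".join(f"{o:02x}" for o in octets),
        "group": group,
        "locally_administered": local,
        "oui": None if local else oui,
        "persistent_identifier": (not group) and (not local),
    }


def persistent_addresses(observed):
    """
    From a list of observed address strings (for example, a wardriving capture
    like the one described above), return the normalized subset that would act
    as persistent device identifiers if stored and exposed. Malformed entries
    are skipped rather than treated as identifiers.
    """
    keep = []
    for entry in observed:
        try:
            info = classify_mac(entry)
        except ValueError:
            continue
        if info["persistent_identifier"]:
            keep.append(info["normalized"])
    return keep


if __name__ == "__main__":
    # Constructed sample capture: one burned-in client address, one randomized
    # (locally administered) address, the broadcast address, and one bad entry.
    sample = ["00:1A:2B:3C:4D:5E", "02-00-00-AA-BB-CC", "ff:ff:ff:ff:ff:ff", "junk"]
    for entry in sample:
        try:
            print(entry, "->", classify_mac(entry))
        except ValueError as err:
            print(entry, "->", err)
    print("persistent identifiers:", persistent_addresses(sample))
```

The point for a defender is the last function: of everything a passive scan hears, only the universally administered individual addresses are worth treating as personal identifiers in a retention or disclosure policy, and a client that randomizes its address (setting the U/L bit) removes itself from that set.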
Kim Cameron, Microsoft’s chief identity architect until earlier this year, had long suspected that Street View cars vacuumed up the hardware addresses of devices using a Wi-Fi connection. In a June 2010 essay that analyzed an independent report (PDF) of Street View data collection, Cameron said he believed that Google recorded the locations and MAC addresses of far more than just fixed Wi-Fi access points.
Marc Rotenberg, head of the Electronic Privacy Information Center in Washington, D.C., said he has concerns about the legality of intercepting the hardware addresses of devices using Wi-Fi connections.
“The fact that other companies such as Skyhook may have engaged in this behavior, which seems to be Google’s best defense, doesn’t make it lawful,” Rotenberg said. “What it does suggest is that there’s more to the investigation of Street View.”
In the U.S., the Federal Trade Commission ended its investigation of Street View’s accidentally broad data collection last October without levying a fine.
Just before sunrise, the space shuttle Atlantis made its final landing, putting to bed the 30-year U.S. shuttle program. “Like a UFO in the dark, fiery contrails lighting Florida up,” Beth Carpenter wrote on Twitter in one of the many elegies.
The NASA Goddard Photo and Video team put together a short, sweet tribute to the last flights of Discovery and Atlantis. In the first few seconds, Discovery moves past the night side of the Earth into the daytime, as the Aurora Borealis clings to Earth’s side. In the second, the Discovery shuttle moves over a cloudy United States. And in the last few moments, the sun rises behind Atlantis in this time-lapse sequence on July 19, 2011, just two days before it landed:
The Transportation Security Agency violated federal law when installing controversial full-body scanners in U.S. airports without following proper procedures, a federal appeals court ruled today.
The D.C. Circuit Court of Appeals in Washington, D.C., rejected arguments from the Obama administration that the TSA was exempt from laws requiring federal agencies to first notify the public and seek comments.
“It is clear that by producing an image of the unclothed passenger, (a full-body) scanner intrudes upon his or her personal privacy in a way a magnetometer does not,” wrote Judge Douglas Ginsburg for the three-judge panel.
Ginsburg said he would not order TSA to immediately halt the full-body screening, which resulted in a near-revolt by air travelers last fall, but instead instructed “the agency promptly to proceed in a manner consistent with this opinion.”
The Electronic Privacy Information Center, a Washington, D.C.-based advocacy group, filed the lawsuit in July 2010 asking for an immediate injunction pulling the plug on TSA’s body scanning program.
EPIC executive director Marc Rotenberg said today: “The TSA is now subject to the same rules as other government agencies that help ensure transparency and accountability. Many Americans object to the airport body scanner program. Now they will have an opportunity to express their views…”
British tabloid News of the World said today it is closing down over a phone hacking scandal in which workers for the Rupert Murdoch-owned newspaper allegedly snooped on voice mail messages left on the mobile phones of murder victims, as well as celebrities, politicians, and the British royal family.
If unethical journalists can do it, chances are anyone can, right?
To test my theory, I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, “Ghost in the Wires,” and who serves as a security consultant, helping clients protect against privacy breaches such as this.
Phone hacking, also known as “phreaking,” is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.
He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know, I’m listening to a voice message a friend of mine left me last night that I hadn’t erased.
“See how easy it is?!” Mitnick says as my jaw drops.
He was able to get into my voice mail by tricking my mobile operator’s equipment into registering the call as coming from the handset–basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I’m keeping some of the details sketchy to avoid providing a how-to for phreaking.)
“Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes,” Mitnick said. “If you’re not adept at programming, you could use a spoofing service and pay for it.”
This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.
The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims’ voicemail accounts, assuming correctly that many people wouldn’t bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.
If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn’t address the fact that mobile operators don’t authenticate caller ID. “The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it,” Mitnick said. “Caller ID is automatically trusted.”
Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.
Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won’t put an end to the practice.
Little is known for certain about the federal grand jury investigation of Infosys and its sponsorship of B-1 business visas.
In May, the Indian IT outsourcing company revealed that it had received a subpoena from a U.S. grand jury to provide records in connection with its use of B-1 business visas. A current* American employee of Infosys (INFY) alleged that the company was using the easier to obtain B-1 visa—intended to be used for travel to attend a specific event, receive short-term training, or conduct contract negotiations—in a fraudulent manner to import foreign workers to fill company roles stateside that actually required H-1B visas.
“It’s hard to say what the State Department and U.S. Customs and Immigration Service (USCIS) are doing with respect to the investigation,” says Ron Hira, associate professor of public policy at the Rochester Institute of Technology and co-author of Outsourcing America. “Neither agency has been forthcoming.”
Some industry watchers predict that the probe could hamper the IT outsourcing industry’s ability to use a variety of guest worker and business travel visas, which in turn could lead these companies to hire more American IT workers.
“This could have some serious ramifications with the issuances of temporary work visas for employees of Indian-based service providers and non-Indian service providers seeking to bring Indian staff into the U.S.,” says Phil Fersht, founder of outsourcing analyst firm HfS Research. “While valid H-1Bs and L-1s should still go through, the USCIS has the ability to probe visa applications hard when under scrutiny, and slow down the whole process for all providers, not only for Infosys.”
Any media attention the Infosys case garners, particularly with the 2012 elections approaching and continued high unemployment rates, could drive further visa restrictions. “The publicity surrounding the investigation likely will generate continued Congressional interest and calls for further changes to the H-1B and L-1 programs to limit their perceived adverse effects on U.S. workers,” says Carl W. Hampe, a partner in the immigration law group at Baker & McKenzie. “Companies sponsoring H-1B employees and those seeking the temporary transfer of their key personnel to the U.S. could face more obstacles.”
Recent Visa Reform Initiatives
IT service providers have been facing increased scrutiny of their use of visas to bring foreign workers to the U.S. in recent years. In 2004, Congress passed the L-1 Visa Reform Act, which increased limitations on the visas IT service providers use to bring specialized knowledge workers to client sites.
In recent years, USCIS has been more stringent in its assessment of H-1B visa petitions, reportedly beefing up its anti-fraud auditing efforts. Guidance issued by USCIS associate director Don Neufeld in 2010 required evidence of an actual employee-employer relationship between the visa petitioner and the H-1B employee. The so-called Neufeld memo “represented a significant change in policy and imposed substantial limitations on third party placement of H-1B visa holders. [It] was an example of efforts by USCIS to eliminate so-called [body shops],” says Paul W. Virtue, a partner in the immigration law group at Baker & McKenzie. Now, Virtue says, the U.S. government is turning its attention to B-1 business visitor visa abuse.
“The companies and stock market analysts have said that the effect will be that the firms will hire more American workers in lieu of bringing in foreign guest-workers,” says Hira.
Donna Conroy, executive director of Bright Future Jobs, a grassroots lobbying group for IT professionals, thinks the Infosys investigation will be a tipping point in favor of American IT workers. “We are entering a period where foreign workers will be training their replacements. It’s happening in one of our member’s offices right now,” she says. “It’s curtains for the corporate culture that has avoided hiring experienced, highly-skilled Americans and new science and technology grads whom we’ve paid dearly to educate.”
Others say the consequences of the Infosys investigation may be more limited. “I think that the opponents of skilled immigration are getting unduly excited again,” says Vivek Wadhwa, visiting scholar at the University of California-Berkeley School of Information and senior research associate in Harvard Law School’s labor and worklife program. “Infosys may have abused these visas and will likely get slapped on the wrist if it did. [But] we’re talking about a very small proportion of its workforce being on these visas.”
Dr. Lindsay Lowell, director of policy studies at Georgetown University’s Institute for the Study of International Migration, says any fallout will depend on how widespread the alleged visa abuse is. “Will other companies be investigated? The blogosphere suggests the complaints may be there. But the investigation arm tends not to seek out problems,” Lowell says. “Policymakers and companies that play by the rules need to decide if they’ll police the system so that it serves U.S. employers as intended, or let regulations and enforcement slip, which is not in the best long-term interest of the United States.”
Norm Matloff, professor of computer science at the University of California-Davis, says the Infosys investigation is a distraction from the real problem with America’s skilled worker visa program. “The major problem is the legal underpayment of the foreign workers, due to loopholes,” Matloff says. “Investigations of possible violations of the rules distract attention from that loopholes issue.”
Increased scrutiny of visa petitions will be a headache for IT service providers reliant on foreign employees working at U.S. sites, but “it’s not a game changer,” says Fersht of HfS Research. “The leading service providers are quite adept these days at deploying onshore staff—local Americans or Indians already living in the US with valid visas—to facilitate offshore work transition over to locations like India. [They] can work around issues created by prolonged visa applications and tougher guidelines.”
Virtue of Baker & McKenzie is counseling clients to ensure that any employees visiting the U.S. on B-1 visas do not engage in any activities that could be construed as employment and that the employee-employer relationship for any sponsored H-1B and L-1 visa holder is clearly documented. Virtue is also advising outsourcing customers to make sure their contracts are for specific deliverables and not for the assignment of specific personnel, in order to avoid liability in any visa audit or investigation.