The Year's Biggest Winners and Losers in Privacy and Security

The biggest winner of the year may be you. But you're also the biggest loser.

In most contests the winner isn't simultaneously the loser. But that wasn't the case this past year in the unofficial contest to determine computer security and privacy winners and losers.

The biggest winner in 2014 was you, the user. That's because a host of new products and services emerged to help protect the privacy and security of your data and communications. The rulings in two court cases also provided better protection against the warrantless seizure of your data.

But you were also the biggest loser this year in terms of privacy and security. Ongoing revelations about the NSA's widespread surveillance have made it clear that the intelligence agency, and its spy partners in the UK and elsewhere, will not rest until they've seized or deciphered every bit of your data.

There were other winners and losers this year as well---defined as those who contributed to the privacy and security of your data, those who defeated it, and those who simply failed to respond in a security-conscious way. Looking back at 2014 then, here's a breakdown of the year's biggest winners and losers.

The Winners

Apple
If the NSA can be thanked for anything, it's for the competitive race the spy agency helped spur among tech companies scrambling to outdo one another in the privacy realm. Apple took the lead when it announced that its new mobile operating system, iOS 8, would encrypt nearly all data on iPhones and iPads by default---including text messages, photos and contacts---and that Apple itself would not be able to decrypt it without the user's passcode. Previous versions of the operating system allowed Apple to unlock devices with a key that the company controlled. The move was intended to protect the data from all intruders, but it would in particular prevent law enforcement from forcing the company to unlock a user's device. Google announced it would follow suit with its next Android software release. The praise, and backlash, were immediate. While consumers lauded the two companies for putting their privacy first, U.S. Attorney General Eric Holder and FBI director James Comey blasted the two companies, saying the change would prevent law enforcement agencies from obtaining data even when they have a warrant (which was not entirely true---data backed up to iCloud, and metadata, are still available to law enforcement with a warrant). Apple responded by saying its intent wasn't to hamper law enforcement but to make user data more secure against all intruders.

WhatsApp
The mobile messaging app outdid even Apple's own messaging protections when it announced it was implementing end-to-end encryption for its hundreds of millions of users. WhatsApp communication is now encrypted with a key that only the user possesses and stores on his or her mobile phone or tablet, which means that even WhatsApp cannot read the user's communication or be compelled by spy agencies and law enforcement to decrypt it. Although Apple has implemented a version of end-to-end encryption for iMessage users, that implementation has some security drawbacks that don't exist in the WhatsApp scheme.

Florida Supreme Court
In an important case closely watched by civil liberties groups, Florida's top court ruled that cops need a warrant to obtain cell tower data. The court ruled that obtaining cell phone location data to track a person's location or movement in real time constitutes a Fourth Amendment search and therefore requires a court-ordered warrant. The case specifically involves cell tower data for a convicted drug dealer that police obtained from a telecom without a warrant. But the ruling would also cover law enforcement's use of so-called "stingrays"---devices that simulate a legitimate cell tower and force mobile devices in the vicinity to connect to them so that law enforcement agencies can locate and track people in the field without assistance from telecoms.

U.S. Supreme Court
In another important case, the nation's top court ruled that cops can't search the cell phones of arrestees without a warrant. U.S. prosecutors had argued that an arrestee's cell phone was “materially indistinguishable” from any other storage device, such as a bag or wallet, found on an arrestee. But the justices weren't buying that claim. “Modern cell phones, as a category," they wrote in their decision, "implicate privacy concerns far beyond those implicated by a cigarette pack, a wallet or a purse.”

Yahoo
Say what you will about Yahoo as a viable internet company, but when news of the NSA's Prism program broke last year, the tech giant emerged as a bit of a privacy hero. Many of the companies named as participants in the government's data-collection program were caught flat-footed, having to defend against accusations that they had willingly handed customer data over to officials without a fight. But it soon emerged that Yahoo had in fact put up a scrappy legal fight against the government's demands---although it ultimately lost. The company launched the fight after receiving a warrantless request for data in 2007. The extent of the data the government sought is not clear, but Yahoo fought back on Fourth Amendment grounds, asserting that the request required a probable-cause warrant and that it was too broad and unreasonable and, therefore, violated the Constitution. The battle came to an end in 2008 after the Feds threatened the company with a massive $250,000-a-day fine if it didn't comply, and a court ruled that Yahoo's arguments for resisting had no merit. While ultimately failing, Yahoo's role in The Resistance should be commended.

Google's Project Zero
Vendor bug bounty programs have been around for at least a decade, with software makers and web sites increasingly upping the amount they're willing to pay to anyone who finds and reports a security vulnerability in their program or system. This year Google upended the tradition by announcing it had built an in-house hacking team to hunt for vulnerabilities not only in its own software, but in the software of other vendors as well. Project Zero aims to make the internet more secure for everyone by focusing on uncovering the high-value vulnerabilities, like Heartbleed and Shellshock, that put everyone at risk.

Privacy and Security Losers

Sony
Plenty of companies over the years have suffered sensational hacks, but Sony's breach may turn out to be the hack of the decade---not only because of the nature of the breach and the information stolen, but the way the pilfered data is being rolled out in batches, prolonging the agony and suspense for workers and executives. Some of the disclosures have been lame and mundane---for example, the pseudonyms celebrities use to check into hotels. Others have been embarrassing, such as the tasteless and racist exchange about President Obama between Sony Co-Chairman Amy Pascal and producer Scott Rudin. Still others have been outright damaging and invasive---the release of information about employee background checks and medical records and corporate secrets about negotiations and business deals.

President Obama
This year the U.S. government finally acknowledged that it withholds information about security vulnerabilities to exploit them, rather than passing the information on to software vendors and others to fix them. In making this revelation, the White House announced it was "reinvigorating" a so-called equities process designed to determine when to withhold and when to disclose---overseen by the president's National Security Council. Going forward, the NSA must disclose any vulnerabilities it discovers---unless the hole would be useful for intelligence agencies or law enforcement to exploit. But loopholes that allow law enforcement to retain zero-days in order to exploit them, and a decision process that doesn't include an external oversight body like Congress, means the public has to trust important issues about security to a process that isn't transparent.

US Marshals
In a move so stunning that civil liberties groups are still shaking their heads over it, the U.S. Marshals Service in Florida made a Hail Mary to seize public records about a surveillance tool before the ACLU could obtain them. The civil liberties group had filed a public records request with the Sarasota, Florida, police department for information detailing its use of stingrays and had made an appointment to visit the facility where the documents were being held. But before they could get there, marshals swooped in to grab the records and abscond with them, claiming the police department didn't own them. The feds and local police around the country have gone to other extraordinary lengths to keep the public in the dark about their use of the tool. This was simply the boldest. ACLU staff attorney Nathan Freed Wessler called the move "truly extraordinary and beyond the worst transparency violations" his group had seen in the secrecy battle over the use of stingrays.

Verizon
Consider it the digital cookie monster that gobbles all your footprints. Verizon Wireless ran into trouble when a technologist with the Electronic Frontier Foundation noticed that the telecom had been tracking its wireless users' online activity by subtly slipping a "permacookie"---a string of about 50 letters, numbers, and other characters---into the data flowing between users and the websites they visited. Users got the cookie whether they wanted to be tracked or not, since, as Verizon acknowledged, there was no way to "turn it off." AT&T was testing a similar system with its customers until the backlash prompted the telecom to stop the practice.
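Injection of this kind is possible only because the carrier sits in the path of plaintext HTTP traffic and can rewrite it; a TLS connection gives the middlebox nothing to modify. If you control a test server, you can check whether your carrier adds anything by comparing the request your client sent with the request the server received. The following script is an added example and is not code from the article, from Verizon or from the EFF; the header name X-UIDH, the two sample requests and the small allowlist of legitimate proxy headers are assumptions for illustration.

```python
"""Detect tracking headers injected into HTTP requests in transit.

Added example (not from the original article). Compare the headers the client
emitted with the headers the server received; anything that appears only on the
server side, is not a header a proxy is expected to add, and carries a long,
high-entropy, token-like value is flagged as a possible injected identifier.
"""
import math
import re

# Constructed sample: the request exactly as the client emitted it.
CLIENT_REQUEST = (
    "GET /probe HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: probe/1.0\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

# Constructed sample: the same request as the server logged it after crossing a
# carrier network. The header name X-UIDH and its value are assumed, not taken
# from the article.
SERVER_REQUEST = (
    "GET /probe HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: probe/1.0\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n"
    "Via: 1.1 carrier-proxy\r\n"
    "X-UIDH: a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuVwXyZ-_AbCdEfGhIjKl\r\n"
    "\r\n"
)

# Headers a well-behaved proxy may legitimately add (assumed allowlist).
EXPECTED_PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for", "x-forwarded-proto"}

# Characters typical of an opaque token: base64/base64url alphabet plus padding.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 request into {lowercased name: value}.

    Repeated names are joined with ", " as RFC 7230 permits.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_identifier(value: str, min_len: int = 20, min_bits: float = 3.5) -> bool:
    """Heuristic: a long, token-safe, high-entropy value is probably an opaque ID."""
    return (
        len(value) >= min_len
        and OPAQUE_TOKEN.match(value) is not None
        and shannon_entropy(value) >= min_bits
    )


def find_injected_headers(client_raw: str, server_raw: str) -> list:
    """Return sorted [(name, value)] for headers the server saw but the client never sent."""
    sent = parse_headers(client_raw)
    received = parse_headers(server_raw)
    return sorted((name, value) for name, value in received.items() if name not in sent)


def find_tracking_headers(client_raw: str, server_raw: str) -> list:
    """Injected headers that are not expected proxy headers and carry an opaque identifier."""
    return [
        (name, value)
        for name, value in find_injected_headers(client_raw, server_raw)
        if name not in EXPECTED_PROXY_HEADERS and looks_like_identifier(value)
    ]


if __name__ == "__main__":
    for name, value in find_tracking_headers(CLIENT_REQUEST, SERVER_REQUEST):
        print(f"possible tracking header injected in transit: {name}: {value}")
```

The entropy and length thresholds are deliberately loose; the decisive signal is the diff itself, since a header your client did not send has no business arriving at the server. Run the same probe over HTTPS and the injected header should disappear, which is the practical mitigation for users as well as a useful control for the test.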

Gamma International
The British-German maker of the government spy tool FinFisher has claimed for years that it doesn't sell its product to police and spy agencies in countries with oppressive regimes known for human rights violations. But this year a hacker broke into the company's network, stole about 40 gigabytes of data and released it online. Among the data published from the company's network were internal logs and documents, also leaked to WikiLeaks, showing discussions between Bahraini officials and tech support workers for Gamma over problems the officials were having with the software. They complained they were "losing targets daily" as a result of glitches with the spy tool and provided Gamma with a list of 13 computers they were targeting, all of which were based in the UK. Although the names of the victims were not directly identified, their IP addresses, user names, and unique computer names were all on the target list shared with Gamma. The human rights group Bahrain Watch analyzed the data and was able to identify three Bahraini pro-democracy activists, who have been living in asylum in Great Britain after being imprisoned and tortured in Bahrain. In October, the UK civil liberties group Privacy International filed a criminal complaint against Gamma with the National Cyber Crime Unit of the National Crime Agency alleging that the company was criminally complicit in helping the Bahraini government engage in unlawful interception of communications---a violation of the UK's Regulation of Investigatory Powers Act 2000---and that Gamma was not only aware of the surveillance but actively assisted it. By selling to and assisting Bahraini authorities in their surveillance, the complaint asserts, Gamma is liable as an accessory under the Accessories and Abettors Act 1861 and is also guilty of encouraging and assisting the unlawful activity, a crime under the Serious Crime Act 2007. The group wants the government to conduct a formal investigation, though so far the government has failed to respond to the complaint.