By Michelle Martin

FRANKFURT |
Mon Aug 15, 2011 1:02am EDT

SAN FRANCISCO – An illegal, Orwellian violation of free-speech rights? Or just a smart tactic to protect train passengers from rowdy would-be demonstrators during a busy evening commute?

The question resonated Saturday in San Francisco and beyond as details emerged of Bay Area Rapid Transit officials' decision to cut off underground cellphone service for a few hours at several stations Thursday. Commuters at stations from downtown to near the city's main airport were affected as BART officials sought to tactically thwart a planned protest over the recent fatal shooting of a 45-year-old man by transit police.

Two days later, the move had civil rights and legal experts questioning the agency's move, and drew backlash from one transit board member who was taken aback by the decision.

"I'm just shocked that they didn't think about the implications of this. We really don't have the right to be this type of censor," said Lynette Sweet, who serves on BART's board of directors. "In my opinion, we've let the actions of a few people affect everybody. And that's not fair."

Similar questions of censorship have arisen in recent days as Britain's government put the idea of curbing social media services on the table in response to several nights of widespread looting and violence in London and other English cities. Police claim that young criminals used Twitter and Blackberry instant messages to coordinate looting sprees in riots.

Prime Minister David Cameron said that the government, spy agencies and the communications industry are looking at whether there should be limits on the use of social media sites like Twitter and Facebook or services like BlackBerry Messenger to spread disorder. The suggestions have met with outrage — with some critics comparing Cameron to the despots ousted during the Arab Spring.

In the San Francisco instance, Sweet said BART board members were told by the agency of its decision during the closed portion of its meeting Thursday afternoon, less than three hours before the protest was scheduled to start.

"It was almost like an afterthought," Sweet told The Associated Press. "This is a land of free speech and for us to think we can do that shows we've grown well beyond the business of what we're supposed to be doing and that's providing transportation. Not censorship."

But there are nuances to consider, including under what conditions, if any, an agency like BART can act to deny the public access to a form of communication — and essentially decide that a perceived threat to public safety trumps free speech.

These situations are largely new ones, of course. A couple of decades ago, during the fax-machine and pay-phone era, the notion of people organizing mass gatherings in real time on wireless devices would have been fantasy.

BART Deputy Police Chief Benson Fairow said the issue boiled down to the public's well-being.

"It wasn't a decision made lightly. This wasn't about free speech. It was about safety," Fairow told KTVU-TV on Friday.

BART spokesman Jim Allison maintained that the cellphone disruptions were legal as the agency owns the property and infrastructure. He added while they didn't need the permission of cellphone carriers to temporarily cut service, they notified them as a courtesy.

The decision was made after agency officials saw details about the protest on an organizer's website. He said the agency had extra staff and officers aboard trains during that time for anybody who wanted to report an emergency, as well as courtesy phones on station platforms.

"I think the entire argument is that some people think it created an unsafe situation is faulty logic," Allison said. "BART had operated for 35 years without cellphone service and no one ever suggested back then that a lack of it made it difficult to report emergencies and we had the same infrastructure in place."

But as in London, BART's tactic drew immediate comparisons to authoritarianism, including acts by the former president of Egypt to squelch protests demanding an end to his rule. Authorities there cut Internet and cellphone services in the country for days earlier this year. He left office shortly thereafter.

"BART officials are showing themselves to be of a mind with the former president of Egypt, Hosni Mubarak," the Electronic Frontier Foundation said on its website. Echoing that comparison, vigorous weekend discussion on Twitter was labeled with the hashtag "muBARTek."

Aaron Caplan, a professor at Loyola Law School in Los Angeles who specializes in free-speech issues, was equally critical, saying BART clearly violated the rights of demonstrators and other passengers.

"We can arrest and prosecute people for the crimes they commit," he said. "You are not allowed to shut down people's cellphones and prevent them from speaking because you think they might commit a crime in the future."

Michael Risher, the American Civil Liberty Union's Northern California staff attorney, echoed the sentiment in a blog: "The government shouldn't be in the business of cutting off the free flow of information. Shutting down access to mobile phones is the wrong response to political protests, whether it's halfway around the world or right here in San Francisco."

On Saturday at a station where cell phone service was disrupted, passenger Phil Eager, 44, shared the opinion that BART's approach seemed exaggerated.

"It struck me as pretty strange and kind of extreme," said Eager, a San Francisco attorney. "It's not a First Amendment debate, but rather a civil liberties issue."

Eager said many of his friends riding BART on Thursday were upset with the agency's actions, some even calling it a "police state."

Mark Malmberg, 58, of Orinda, Calif., believes that BART could've used a different approach instead of shutting down cellphone usage.

"Even though it sounds like they wanted to avoid a mob gathering, you can't stop people from expressing themselves," Malmberg said. "I hope those who protest can do so in a civil manner."

The ACLU already has a scheduled meeting with BART's police chief on Monday about other issues and Thursday's incident will added be to the agenda, spokeswoman Rebecca Farmer said.

But others said that while the phone shutdown was worth examining, it may not have impinged on First Amendment rights. Gene Policinski, executive director of the First Amendment Center, a nonprofit educational organization, said freedom of expression can be limited in very narrow circumstances if there is an immediate threat to public safety.

"An agency like BART has to be held to a very high standard," he said. "First of all, it has to be an immediate threat, not just the mere supposition that there might be one. And I think the response has to be what a court would consider reasonable, so it has to be the minimum amount of restraint on free expression."

He said if BART's actions are challenged, a court may look more favorably on what it did if expression was limited on a narrow basis for a specific area and time frame, instead of "just indiscriminately closing down cellphone service throughout the system or for a broad area."

University of Michigan law professor Len Niehoff, who specializes in First Amendment and media law issues, found the BART actions troublesome for a few reasons.

He said the First Amendment generally doesn't allow the government to restrict free speech because somebody might do something illegal or to prohibit conversations based on their subject matter. He said the BART actions have been portrayed as an effort to prevent a protest that would have violated the law, but there was no guarantee that would have happened.

"What it really did is it prevented people from talking, discussing ... and mobilizing in any form, peaceful or unpeaceful, lawful or unlawful," he said. "That is, constitutionally, very problematic."

The government does have the right to break up a demonstration if it forms in an area where protests are prohibited and poses a risk to public safety, Niehoff said. But it should not prohibit free speech to prevent the possibility of a protest happening.

"The idea that we're going to keep people from talking about what they might or might not do, based on the idea that they might all agree to violate the law, is positively Orwellian," he said.

___

Associated Press reporters Tom Murphy in Indianapolis; Gene Johnson in Seattle; Jonathan Cooper in Portland, Ore.; and Cassandra Vinograd and David Stringer in London contributed.

By Rachel Armstrong

SINGAPORE |
Wed Aug 10, 2011 9:20am EDT

LAS VEGAS – Hackers are out to stymie your smartphone.

Last week, security researchers uncovered yet another strain of malicious software aimed at smartphones that run Google's popular Android operating system. The application not only logs details about incoming and outgoing phone calls, it also records those calls.

That came a month after researchers discovered a security hole in Apple Inc.'s iPhones, which prompted the German government to warn Apple about the urgency of the threat.

Security experts say attacks on smartphones are growing fast — and attackers are becoming smarter about developing new techniques.

"We're in the experimental stage of mobile malware where the bad guys are starting to develop their business models," said Kevin Mahaffey, co-founder of Lookout Inc., a San Francisco-based maker of mobile security software.

Wrong-doers have infected PCs with malicious software, or malware, for decades. Now, they are fast moving to smartphones as the devices become a vital part of everyday life.

Some 38 percent of American adults now own an iPhone, BlackBerry or other mobile phone that runs the Android, Windows or WebOS operating systems, according to data from Nielsen. That's up from just 6 percent who owned a smartphone in 2007 when the iPhone was released and catalyzed the industry. The smartphone's usefulness, allowing people to organize their digital lives with one device, is also its allure to criminals.

All at once, smartphones have become wallets, email lockboxes, photo albums and Rolodexes. And because owners are directly billed for services bought with smartphones, they open up new angles for financial attacks. The worst programs cause a phone to rack up unwanted service charges, record calls, intercept text messages and even dump emails, photos and other private content directly onto criminals' servers.

Evidence of this hacker invasion is starting to emerge.

• Lookout says it now detects thousands of attempted infections each day on mobile phones running its security software. In January, there were just a few hundred detections a day. The number of detections is nearly doubling every few months. As many as 1 million people were hit by mobile malware in the first half of 2011.

• Google Inc. has removed about 100 malicious applications from its Android Market app store. One particularly harmful app was downloaded more than 260,000 times before it was removed. Android is the world's most popular smartphone operating software with more than 135 million users worldwide.

• Symantec Corp., the world's biggest security software maker, is also seeing a jump. Last year, the company identified just five examples of malware unique to Android. So far this year, it's seen 19. Of course, that number pales compared with the hundreds of thousands of new strains targeting PCs every year, but experts say it's only a matter of time before criminals catch up.

"Bad guys go where the money is," said Charlie Miller, principal research consultant with the Accuvant Inc. security firm, and a prominent hacker of mobile devices. "As more and more people use phones and keep data on phones, and PCs aren't as relevant, the bad guys are going to follow that. The bad guys are smart. They know when it makes sense to switch."

When it comes to security, smartphones share a problem with PCs: Infections are typically the responsibility of the user to fix, if the problem is discovered at all.

The emergence in early July of a previously unknown security hole in Apple Inc.'s iPhones and iPads cast a spotlight on mobile security. Users downloaded a program that allowed them to run unauthorized programs on their devices. But the program could also be used to help criminals co-opt iPhones. Apple has since issued a fix.

It was the second time this year that the iPhone's security was called into question. In April the company changed its handling of location data after a privacy outcry that landed an executive in front of Congress. Researchers had discovered that iPhones stored the data for a year or more in unencrypted form, making them vulnerable to hacking. Apple CEO Steve Jobs emerged from medical leave to personally address the issue.

The iPhone gets outsize attention because it basically invented the consumer smartphone industry when it was introduced in 2007. But Apple doesn't license its software to other phone manufacturers. Google gives Android to phone makers for free. So, Android phones are growing faster. As a result, Google's Android Market is a crucial pathway for hacking attacks. The app store is a lightly curated online bazaar for applications that, unlike Apple's App Store, doesn't require that developers submit their programs for pre-approval.

Lookout says it has seen more unique strains of Android malware in the past month than it did in all of last year. One strain seen earlier this year, called DroidDream, was downloaded more than 260,000 times before Google removed it, though additional variants keep appearing.

Lookout says about 100 apps have been removed from the Android Market so far, a figure Google didn't dispute.

Malicious applications often masquerade as legitimate ones, such as games, calculators or pornographic photos and videos. They can appear in advertising links inside other applications. Their moneymaking schemes include new approaches that are impossible on PCs.

One recent malicious app secretly subscribed victims up to a service that sends quizzes via text message. The pay service was charged to the victims' phone bills, which is presumably how the criminals got paid. They may have created the service or been hired by the creator to sign people up. Since malware can intercept text messages, it's likely the victims never saw the messages — just the charges.

A different piece of malware logs a person's incoming text messages and replies to them with spam and malicious links. Most mobile malware, however, keep their intentions hidden. Some apps set up a connection between the phone and a server under a criminal's control, which is used to send instructions.

Google points out that Android security features are designed to limit the interaction between applications and a user's data, and developers can be blocked. Users also are guilty of blithely click through warnings about what personal information an application will access.

Malicious programs for the iPhone have been rare. In large part, that's because Apple requires that it examine each application before it goes online. Still, the recent security incidents underline the threat even to the most seemingly secure devices.

A pair of computer worms targeting the iPhone appeared in 2009. Both affected only iPhones that were modified, or "jailbroken," to run unauthorized programs.

And Apple has dealt with legitimate applications that overreached and collected more personal data than they should have, which led to the Cupertino, Calif.-based company demanding changes.

"Apple takes security very seriously," spokeswoman Natalie Kerris said in July. "We have a very thorough approval process and review every app. We also check the identities of every developer and if we ever find anything malicious, the developer will be removed from the iPhone Developer Program and their apps can be removed from the App Store."

A criminal doesn't even need to tailor his attacks to a mobile phone. Standard email-based "phishing" attacks — tricking people into visiting sites that look legitimate — work well on mobile users. In fact, mobile users can be more susceptible to phishing attacks than PC users.

The small screens make it hard to see the full Internet address of a site you're visiting, and websites and mobile applications working in tandem train users to perform the risky behavior of entering passwords after following links, new research from the University of California at Berkeley has found.

The study found that the links within applications could be convincingly imitated, according to the authors, Adrienne Porter Felt, a Ph.D. student, and David Wagner, a computer science professor.

They found that "attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated."

A separate study released earlier this year by Trusteer, a Boston-based software and services firm focused on banking security, found that mobile users who visit phishing sites are three times more likely to submit their usernames and passwords than desktop PC users.

Mobile users are "always on" and respond to emails faster, in the first few hours before phishing sites are taken down, and email formats make it hard to tell who's sending a message, Trusteer found.

Still, mobile users have an inherent advantage over PC users: Mobile software is being written with the benefit of decades of perspective on the flaws that have made PCs insecure. But smartphone demand is exploding, with market research firm IDC predicting that some 472 million smartphones will be shipped this year, compared with 362 million PCs. As a result, the design deterrents aren't likely to be enough to keep crooks away from the trough.

"It's going to be a problem," Miller said. "Everywhere people have gone, bad guys have followed."