Saturday, July 11, 2015

XFINITY Privacy Policy

Web Services Privacy Policy May 15, 2014

Effective May 15, 2014

If you are accessing this Web Services Privacy Policy from a mobile device, and would like to read a mobile-optimized and TRUSTe-approved summary privacy notice for http://m.comcast.net and the XfinityTV Player mobile application, please click here. http://privacy-policy.truste.com/certified-policy/mobile/app/en/comcast.com/index.html

Summary

What the Privacy Policy does

The Web Services Privacy Policy describes the information Comcast collects about you, how Comcast uses that information, and how Comcast protects your privacy when you use:

  1. Comcast-branded mobile applications that link to this Web Services Privacy Policy, such as the Xfinity Connect and Xfinity TV iOS and Android apps;
  2. the Websites and the services and software we offer here: www.comcast.net, (including all subdomains thereof), www.tunerfish.com, www.xfinityhomesecurity.com, www.plaxo.com, www.see.it, and www.rdkcentral.com; and
  3. versions of these sites that are optimized for mobile browsing (e.g., m.comcast.net).

This summary gives you some key points from the Privacy Policy, but you should read the whole Privacy Policy to get a full understanding of our privacy practices.

What the Privacy Policy does not do

Please note: the Privacy Policy does not tell you what information we collect and how we use it when you use other Comcast services (XFINITY TV, XFINITY Voice, or XFINITY Internet). These services have their own privacy policy, which we post at http://www.comcast.com/customerprivacy/ and mail to subscribers.

TRUSTe online privacy certification

TRUSTe's certifications apply to our mobile website, http://m.comcast.net and the XfinityTV Player mobile application, and all websites listed on the TRUSTe validation page reached by clicking the TRUSTe seal. This means that TRUSTe has reviewed the privacy practices on these Websites, and you can contact TRUSTe about a privacy concern if we don't resolve it to your satisfaction.

The Information Comcast Collects and How It is Used and Shared

We want you to understand what kinds of information may be collected about your use of the Websites and Web Services, and what we might do with that information.

Comcast collects two types of information from people who use its Websites: (i) information that identifies a particular person using a Website, and (ii) information that provides facts about a person without identifying him or her.

Our mobile website, http://m.comcast.net and the XfinityTV Player mobile application do not use your mobile device's location services.

Information that Identifies Someone

Information that identifies a particular person could be a full name, or address, for example. We will not share this information with an advertiser, and we will not share it with another Website or company, unless you tell us to (for example, if you want to post information from your Plaxo page on your Facebook page).

We also use this kind of identifying information to provide services to you. For example, we may use it to bill you for services, to check your credit, to confirm your identity when you login, or to communicate with you. Sometimes we use other companies to help us provide our services. We may share your information with these companies, but they are required to protect it and to use it only to provide services to you.

Information that Does Not Identify a Specific Person

Information that does not identify a person could be a non-personal record of online activity, or information you put in a profile - like your zip code, your age or your gender (when it's used without your name). We routinely collect this kind of information and use it to improve your experience, for example, by showing you content and advertising that may be more relevant and interesting to someone like you. Sometimes we share this kind of non-personal information with other companies that help us deliver and improve our services.

Your Information May be Shared Among Comcast Companies

The Web Services are provided by various companies that are part of Comcast. We may share your information among these Comcast companies so we can make it easier for you to use several Web Services seamlessly. Also, if you use the Web Services in connection with other Comcast services (for example, to set your DVR online to record a show on your television), we may need to share your information with the Comcast companies that offer those services, too.

Disclosure of your Information

We respect and protect your privacy, but it is possible that we may be required to provide information about you to a court or law enforcement agency. We will only disclose your information if we are legally required to do so—if we receive a valid subpoena, court order, or search warrant, for example.

Your Choices

We want you to know how you can control the personal information that we may collect. Read the full Privacy Policy to find out all of your choices. When you use the Websites and Services that post the Privacy Policy, you are agreeing that the policy applies to you.

Registering

You may choose not to register for any one of the Web Services (or for all of them) if you do not want to share information that identifies you when you use that Website.

If you do register, we will give you a chance to create a profile. We may use some of the information in that profile to choose the content and advertising we think you would like to see.

When you register, we may also send you email about other products and services. You may choose not to receive these messages. However, we will still send you email with information about the specific services you use.

Plaxo and Tunerfish

Plaxo users have several choices about how to share information from their address books and calendars. Tunerfish users have several choices about how to share information about themselves and the television shows they watch. The full Privacy Policy explains how you can make those choices.

Third-Party Advertising

We use advertising networks to help us display ads to you. In addition, our content providers may have the right to sell ads in the content they distribute through the Comcast Web Services. All of these parties may use cookies and other technology to help them understand how you interact with their services so they can deliver you ads that are more useful to you. In the Privacy Policy, we give you more information about these parties' privacy practices and the functionality these parties make available to you to control certain of those practices. If you wish to not have this information used for the purpose of serving you targeted ads, you may opt-out using the links provided here.

Please note this does not opt you out of being served advertising. You will continue to receive generic advertisements.

Blogs and Forums

If you choose to post information on blogs or forums on the Websites, it will not be private. Once the information is posted, other users may copy or store it.

Information Sharing with Social Networking Sites

You may choose to exchange information between the Comcast Web Services and a social network, such as information from your Comcast profile, information about what you do on Comcast Web Services, or information about the people, places, and things that you follow on your social network. If we get instructions to send your information to, or collect your information from, one of these networks, we will follow those instructions. On pages of the Comcast Site (as defined below) that contain social network functionality, the social network providing the functionality may be able to collect information about you regardless of whether you use that functionality. For example, if a page within the Comcast Site contains a Facebook "Like" button, Facebook may be able to collect data about your visit to that page, even if you don't click on the "Like" button. Please review the privacy policy of the relevant social network and/or log out of it before you use the Comcast Web Services. As with other Websites, you may be able to delete any cookies placed on your device by the social network using your browser.

Changes to Comcast's Business or the Privacy Policy

If Comcast's business changes—for example, if our company merges with another company or we sell one or more of the Comcast companies that provide the Web Services—we may give the new owners of the Web Services your information. If there is a change of ownership, we will tell you using any means permitted by law, including via e-mail and/or a prominent notice on the Comcast Sites, as well as let you know of any choices you may have regarding your personal information. We will also let you know if the Privacy Policy changes for any other reason, so you can decide whether you want to continue using the Web Services.

Full Policy

1. About the Privacy Policy and the Comcast Web Services

The Comcast family of companies respects your privacy. Within this Web Services Privacy Policy ("Privacy Policy") the term "Comcast" or "we" will refer to Comcast Cable Communications Management, LLC, and its respective subsidiaries and affiliates that own and operate Websites and Internet services on their behalf. The term "you" refers to you as a user of Comcast's Websites or Internet services described below. The term "Personally Identifiable Information" or "PII" refers to information that identifies a specific person, such as the person's name, address, social security number, financial account number, or phone number. The term "Non-Personally Identifiable Information" or "non-PII" refers to information that is demographic, aggregated, or does not otherwise identify a specific person, such as a person's age, gender, ZIP code, or other information when that information is not used with Personally Identifiable Information.

What does this Privacy Policy cover?

This Privacy Policy explains how Comcast will use the information that you provide when you use these Comcast-owned and operated Websites and services:

  1. the Websites www.comcast.net (including all subdomains thereof, such as xfinitytv.comcast.net ("XfinityTV.com") and m.comcast.net), www.xfinityhomesecurity.com, www.tunerfish.com, www.plaxo.com, www.see.it, and www.rdkcentral.com (the "Comcast Sites"); and
  2. all mobile applications provided by Comcast that link to this Privacy Policy (including the Xfinity TV Player, Xfinity TV Remote, and Xfinity Connect applications) (the "Comcast Apps"); and
  3. all software and services provided by Plaxo, including those services made available through its application programming interfaces ("APIs") (collectively the "Plaxo Service"); and
  4. all other software and services provided by Tunerfish, including those services made available by Tunerfish through its APIs (collectively the "Tunerfish Service", and collectively, (1), (2), (3), and (4) the "Comcast Web Services").

Certain Comcast Apps provide you with features that are not found on the Comcast Sites. You can read disclosures related to those app-specific features here:

What is outside the scope of this Privacy Policy?

This Privacy Policy does not apply to your use of any other products or services provided by Comcast such as XFINITY TV, XFINITY Voice, or XFINITY Internet. If you subscribe to or use one or more of these services (including using the Comcast Web Services to place or receive XFINITY Voice calls), you can see the privacy policy that applies to the residential versions of these services by visiting http://www.comcast.com/customerprivacy/.

This Privacy Policy also does not apply to Comcast's use of information provided by you when you sign up for or use the XFINITY TV Store (xfinitytvstore.comcast.net). Comcast's use of the information you provide through the XFINITY TV Store is described in the XFINITY TV Store Privacy Policy, a link to which is available within the footer of that website.

Some of the Comcast Web Services contain links to other Websites, including Websites of third parties who are acting on our behalf as our agents, suppliers, or providers. These other Websites are not operated by Comcast and have their own privacy policies that we encourage you to read before you use them. Other sites that we link to may contain Comcast branding, but these non-Comcast Websites and resources are provided by companies or persons other than Comcast. Examples of these non-Comcast Websites include Websites where you are required to log-in using a username and password other than your username and password for the Comcast Web Services, such as the Jobs channel and the Dating channel on Comcast.net. This Privacy Policy does not apply to those non-Comcast sites. Those sites will have their own policies that we encourage you to read before you use them.

2. Comcast is a Member of TRUSTe

Comcast has been awarded TRUSTe's Privacy Seal signifying that this Privacy Policy and the practices set forth in it have been reviewed by TRUSTe for compliance with TRUSTe's program requirements including transparency, accountability and choice regarding the collection and use of your personal information while on Comcast Sites and the XfinityTV Player mobile application. The TRUSTe program does not cover information that may be collected through downloadable software or our mobile applications, other than the XfinityTV Player mobile application. TRUSTe's mission, as an independent third party, is to accelerate online trust among consumers and organizations globally through its leading privacy trustmark and innovative trust solutions. If you have questions or complaints regarding our privacy policy or practices, please contact us at Comcast_Web_Privacy at Comcast dot com. If you are not satisfied with our response you can contact TRUSTe here.

TRUSTe does not review or certify the privacy practices related to any other Comcast Websites, software programs, products, or services including XFINITY TV, XFINITY Voice, XFINITY Internet, or the XFINITY TV Store.

3. Collection of Information

All Users

Comcast, or third parties acting on Comcast's behalf, routinely logs Non-Personally Identifiable Information that is automatically generated when all users visit or use the Comcast Web Services (including both the Comcast Sites and Comcast Apps), as a by-product of the user's activities ("Web Log Data"). This information includes, but is not limited to, Internet protocol ("IP") and HTTP header information that is automatically passed between a user's device and the Comcast Web Services, such as the device's IP address, the browser being used at the time, the operating system being used at the time, the UDID of the device (if the device being used to access the Comcast Web Services is a mobile device) and the URL of the webpage or other asset within the Comcast Web Services that is being requested. This information may also include details relating to the activities users perform within the Comcast Web Services, such as what links they click on, in what order they access specific web pages within the Comcast Web Services, and the search queries they perform on the Comcast Services.

Some of the Comcast Web Services allow you to store certain details and preferences that help you personalize that Comcast Service ("Preference Data"). This Non-Personally Identifiable Information may include ZIP code, age, gender, favorite genre to watch on television, and preferred type of news. We do this so that you do not have to enter this data every time you return to the Comcast Web Services. We may also use the Preference Data to deliver other personalized services and features of the Comcast Web Services.

Registered Users

Comcast asks you to provide certain information when you initially register to use the Comcast Web Services and then afterwards may ask you to provide additional information when you use certain Comcast Web Services for the first time. In addition, Comcast also collects information about your use of the Comcast Web Services as a registered user. This table summarizes the different types of information that we may collect from you when you register for the Comcast Web Services and use the Comcast Web Services as a registered user.

| Type/Name | When Collected | Representative Examples |
|---|---|---|
| Registration Data | When you create an account for the Comcast Web Services or subsequently modify your Registration Data | First and last name, username, password, e-mail address, mailing address, phone number, and gender |
| Profile Data | The first time you access certain Comcast Web Services after you have created an account or subsequently modify your Profile Data | Additional e-mail addresses, lists of people to connect with through certain Comcast Web Services, school affiliations, movie genre preferences, and notification preferences for products and services made available by Comcast |
| Activity Data | When you log-in to your account and use the Comcast Web Services | Flagging or rating news articles, movies, television shows or other content, posting blog entries or comments, sharing URLs, and content and data feeds from non-Comcast social networks or services that you choose |

Collectively, your Registration Data, Profile Data, Activity Data, and any other generally available demographic data about you that Comcast gathers from other sources is referred to as "Your Data." Your Data does not include information that third parties may independently gather from other Websites about you using their own cookies, as further described in this Privacy Policy.

Most Comcast Sites have their own pages where you can manage certain portions of your Registration Data and Profile Data relevant to that specific Comcast Site. For your reference, those pages can be found here:

http://xfinitytv.comcast.net/mytv/settings

http://www.plaxo.com/settings/account

If you choose to use our referral service to tell a friend about the Comcast Sites, we will ask you for your friend's name and e-mail address. We will automatically send your friend a one-time e-mail inviting him or her to visit the Comcast Site. We do not store this information and use it for the sole purpose of sending this one-time e-mail and tracking the success of our referral program.

If your personal information changes, you may update it (or correct it if it is incorrect) by contacting us. If you'd like us to help you remove any of your personal information that we have previously collected through the Comcast Sites or that is currently posted on the Comcast Sites in a public forum, directory, or testimonial, please contact us. We will respond to your request within 30 days. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

We will retain Your Data for as long as your account is active or as needed to provide you with the Comcast Web Services, or as otherwise necessary to help us improve our products and services, comply with our legal obligations, resolve disputes, and enforce our agreements with you.

Cookies, Web Beacons, and Comcast's Data Collection

A cookie is a small file that is stored on a user's computer. Among other things, cookies enable the Comcast Web Services to store Preferences Data, as further described in this Privacy Policy. For example, cookies enable Xfinity.com to remember your preferred ZIP code for weather forecasts and also enable XfinityTV.com to remember where you stopped watching a movie, so the next time you use XfinityTV.com you have the option to resume watching that movie where you left off. Cookies can also hold information like an anonymous but unique string of numbers and letters, that Comcast may use to help it collect Activity Data, as further described in this Privacy Policy.

The Comcast Web Services may use different types of cookies, like HTTP cookies (sometimes referred to as "browser cookies") and Flash cookies (sometimes referred to as "Flash LSOs"). For more information on controlling HTTP cookies and Flash cookies, please see Section 8, below.

We may also use a software technology called clear gifs (a.k.a. Web Beacons/Web Bugs) to help us collect Activity Data, as further described in this Privacy Policy. Clear gifs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to HTTP cookies, which are stored on a user's computer hard drive, clear gifs are embedded invisibly on web pages and are about the size of the period at the end of this sentence. If you are a registered user of the Comcast Web Services, we may associate the data we collect using cookies and/or clear gifs with your personal information and use it as further described in this Privacy Policy. If your web browser is configured not to accept cookies, you may still use the Comcast Web Services, but your ability to use some areas or functionality may be limited.

4. Use of Information

Comcast uses Web Log Data, Preferences Data, and Your Data, including both Personally Identifiable Information and Non-Personally Identifiable Information in both aggregated and individual forms, to provide the Comcast Web Services and support them. We may process and use this data for purposes consistent with this Privacy Policy including, but not limited to:

  • Customize, measure, and improve the Comcast Web Services, and the content and advertising provided through them;
  • Enforce our Web Services Terms of Service and detect fraud and other illegal activities;
  • Bill and collect for any applicable fees or charges;
  • Let you know about new products or services from Comcast or other companies we work with as well as promotional offers, based on your preference settings;
  • Let you know about changes to the Comcast Web Services, the Web Services Terms of Service, this Privacy Policy, and other terms that apply to our services; and
  • Update any programs or other tools that we provide in conjunction with the Comcast Web Services.

Comcast may use Web Log Data, Preferences Data, and Your Data in these forms for internal business purposes, such as determining how much traffic certain portions of the Comcast Web Services receive, for license reporting and assessment of service levels, to better understand how the Comcast Web Services are used, to gauge traffic patterns and determine what types of content and services are most popular with users of the Comcast Web Services, or determining which search queries on certain Comcast Services are the most popular.

Comcast may also use Web Log Data, Preferences Data, and Your Data to customize the Comcast Web Services and make them more relevant to you. For example, Comcast may use such data to determine which news articles, movies, or television shows to recommend to you.

Comcast may use your Registration Data to verify that you are the person authorized to use the Comcast Web Services or to manage your account. Comcast may also use your Registration Data to determine whether your XFINITY TV subscription allows you to access premium content or services offered through some of the Comcast Web Services. For example, Comcast may use this subscription information to permit you to access, via one or more of the Comcast Web Services, certain programming included in your XFINITY TV package or to recommend additional Comcast products and services that it thinks may be of interest to you.

5. Sharing of Information

Comcast uses third parties to assist us in delivering parts of the Comcast Web Services to you. We may share portions of Your Data with these third parties to the extent necessary for them to provide these services. These companies are acting on Comcast's behalf and are required, by contract with Comcast, to keep this information confidential and are only authorized to use it for specific purposes. As described in more detail below, Comcast may also provide Non-Personally Identifiable Information elements of Your Data to third parties who deliver ads to you on Comcast's behalf. Comcast will not provide your Personally Identifiable Information to these advertisers unless you expressly authorize us to do so.

Comcast may also share Web Log Data and Preference Data, which do not contain Personally Identifiable Information, with third parties. For example, Comcast may share traffic data for one of the Comcast Sites with a third party that analyzes and publishes Website traffic surveys. Or, Comcast may share Web Log Data and Preference Data with one of the providers of movies on XfinityTV.com, so that Comcast and the provider can determine what additional movies that provider should show on XfinityTV.com.

Comcast may also share Web Log Data, Preference Data, and Your Data within its internal family of companies solely to provide you with the Comcast Web Services, other cross-platform services, and advertising it thinks may be of interest to you. For example, Comcast will share your Registration Data within its internal family of companies to provide you with online access to content from premium networks that are part of your XFINITY TV subscription if you have signed up for that service, and to make you aware of other Comcast products and services it thinks may be of interest to you. This sharing occurs when you sign up for and use these other services, and may be necessary for us to provide them. If you do not want Your Data shared with a specific service, then you may choose not to sign up for that service or stop using it at any time if you have already signed up for it.

You may authorize other Websites such as Facebook to access and publish on their Websites some of Your Data, including your Activity Data. For example, you may enable a Facebook widget to access and publish to your Facebook page what shows you watch on XfinityTV.com. In addition, certain Comcast Web Services allow you to import information from Websites such as Facebook to use within the Comcast Web Services. For example, XfinityTV.com may enable you to use the television shows that you "Like" on Facebook to create your "Favorites" on XfinityTV.com. If you provide Comcast with your credentials for this kind of Internet service and use the features of the Comcast Service that share information across these Internet services, or, if one of these Internet services contacts Comcast using your Comcast Web Services credentials and asks to have access to certain portions of Your Data, Comcast will treat this as your authorization to share such portions of Your Data with that Internet service.

On pages of the Comcast Site that contain social network functionality, the social network providing the functionality may be able to collect information about you, even if you don't use that functionality. For example, if a page within the Comcast Site contains a Facebook "Like" button, Facebook may be able to collect data about your visit to that page, even if you don't click on the "Like" button. Please review the privacy policy of the relevant social network and/or log out of it before you use the Comcast Web Services. As with other Websites, you may be able to delete any cookies placed on your device by the social network using your browser.

6. Online Tracking Policy

Some of the third-party service providers that Comcast uses to deliver services, content, and advertising on the Comcast Web Services may collect information from those services, as disclosed in this Privacy Policy. This information may include PII or may be used to contact you online.

As stated in this Privacy Policy, in the sections titled "7. Advertisements sold by Comcast" and "8. Advertising Networks and Advertising Sold by Content Providers," we and our service providers may also use cookies to deliver relevant advertising to you when you visit other websites, including advertising based on the products and services you viewed on the Comcast Web Services.

Comcast participates in the World Wide Web Consortium's (W3C) process to develop a "Do Not Track" standard. Given that the definitions and rules for such a standard have not yet been defined, Comcast does not yet respond to "Do Not Track" signals sent from browsers.

The Comcast Web Services comply with the applicable rules of the Digital Advertising Alliance's (DAA) "Ad Choices" program. The Ad Choices program permits you to opt out of receiving online behavioral advertising by making choices at Ad Choices.

7. Advertisements sold by Comcast

Comcast, or third parties acting at Comcast's request, may deliver advertisements to you through the Comcast Web Services, depending on whether you are a registered user or not, as described in more detail below.

All Users

We, or our advertising providers, automatically deliver ads to all users of the Comcast Web Services, whether the users are registered or not, based on non-personal information including: (i) the IP address associated with your device for purposes of determining your approximate geographic location; (ii) the type of web page that is being displayed, such as a news or sports page; or (iii) the content on the page that is shown, such as a sports article about a certain team or a movie review for a particular movie. Because this advertising activity automatically applies to all users and it is purely contextual, this type of advertising delivery cannot be customized or controlled by individual users.

We may also use one or more advertising networks and/or other audience segmenting technology providers to help select and deliver advertisements sold by Comcast or other content on the Comcast Web Services, and on other websites that display Comcast advertisements. These providers help us deliver advertisements or content tailored to interests you have shown by the way you interact with the Comcast Web Services, and other websites and web-based content that contains their technology, such as opening an HTML-formatted e-mail that contains their web beacon. This is intended to provide you with an opportunity to look at advertising that may be of interest to you. These providers may collect and use data subject to their own privacy policies, not Comcast's Web Services Privacy Policy. If you do not want the benefits of the data collected by these providers, you may opt-out here. Ad Choices

Registered Users

If you are a registered user, Comcast, or service providers acting at Comcast's request, may use Your Data, regardless of where we gathered such information, to determine what type of ad to display to you on the Comcast Web Services. For example, Comcast may use portions of Your Data that it gathered on www.comcast.net to determine which ad to show you when you visit xfinitytv.comcast.net. In addition, some of the graphical display, text, and other ads on the Comcast Web Services are customized for you based on the ZIP code of your XFINITY Internet service address, information about your current subscription, or use of Comcast products and services. If you do not want this information to be used to serve you targeted ads, you may opt-out here. Please note this does not opt you out of being served advertising. You will continue to receive generic advertisements.

8. Advertising Networks and Advertising Sold By Content Providers

The advertising networks and/or content providers that deliver ads on the Comcast Web Services may use technologies such as HTTP cookies and Flash cookies to uniquely distinguish your web browser and keep track of information relating to serving ads on your web browser, such as the type of ads shown and the web pages on which the ads appeared. In addition, the third parties that provide Web Log services for Comcast may use cookies to uniquely distinguish your web browser and to keep track of the Websites that your web browser visits across the service provider's network of Websites. For more information on controlling HTTP cookies, please visit our "Customer Control" FAQ here. Cookie management tools provided by your browser may not affect Flash cookies. To learn how to manage privacy and storage settings for Flash cookies click here: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#117118

Some of these companies may combine information they collect in connection with the Comcast Web Services with other information they have independently collected relating to your web browser's activities across their network of Websites. These companies collect and use this information (which may include personally identifiable information or information that can be used to contact you online) under their own privacy policies. More information about these companies, their privacy policies, and the opt-outs they offer can be found here.

9. Communicating with You

Comcast may use your Registration Data to send you a confirmation e-mail verifying the ownership of the e-mail addresses provided in your Registration Data and to send you service-related communications about the Comcast Web Services. In addition, Comcast may send you promotional or commercial e-mail relating to each Comcast Web Services for which you have activated your account as permitted by applicable law. You can opt-out from receiving such promotional or commercial e-mail by following the instructions contained in the e-mails or by going to:

http://xfinity.comcast.net/subscribe

http://www.plaxo.com/settings/email

http://www.comcast.com/preferences

http://www.tunerfish.com/settings

and following the directions there.

Non-members may elect to permanently opt-out from receiving invite requests from members to join Plaxo. When you register for permanent opt-out, you provide us with a validated e-mail address at which you no longer wish to receive Plaxo invite requests. Comcast may send you an opt-out confirmation e-mail to the address you enter. If you are sent an opt-out confirmation e-mail, you must respond to that e-mail to complete the opt-out process. The opt-out is available here:

http://www.plaxo.com/opt_out

10. Signing in Using Non-Comcast Credentials

Comcast may allow you to access portions of the Comcast Web Services by signing in using your username or other identifier from another Internet service ("Non-Comcast Username"). Comcast will treat your Non-Comcast Username and any additional data that the relevant Internet service provides to Comcast about you as Your Data.

11. Participating in Blogs and Forums

If you post comments to any of the blogs, forums, or other editorial sections of the Comcast Web Services, any information you submit there can be read, collected, or used by other users of the Comcast Web Services and any PII you post could be used to contact you. We are not responsible for PII you choose to submit through these features.

Children under the age of 13 should not post in any of the blogs, forums, or other editorial sections of the Comcast Web Services.

12. Security

Comcast uses industry standard approaches to securely store, control access to, and make appropriate use of Your Data, and we require our contractors and other providers to do so as well. However, no security measure is completely effective and Comcast cannot guarantee the complete security of Your Data. If you don't want Comcast to know any particular information about you, you should not register to use the Comcast Web Services or include it in anything that you submit or post to Comcast, including posts on the Comcast Sites or e-mails to Comcast. More information on Internet security can be found here: http://security.comcast.net/.

Comcast also takes additional steps to increase the security and reliability of customer communications. We do not read your outgoing or incoming e-mail, file attachments, video mail, private chat, or instant messages. However, we (along with our third party providers) use software and hardware tools to help prevent and block "spam" e-mails, viruses, spyware, and other harmful or unwanted communications and programs from being sent and received over Comcast.net e-mail and the Comcast Sites. These tools may automatically scan your e-mails, video mails, instant messages, file attachments, and other files and communications in order to help us protect you and the Service against these harmful or unwanted communications and programs. You can learn more about Comcast's anti-spam approach at http://customer.comcast.com/help-and-support/internet/reducing-spam-email/.

We follow generally-accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our Web site, you can contact us.

As an additional security precaution, neither Comcast nor any of our authorized service providers will ask you for your Comcast password in an e-mail, over the telephone, or in an online support forum or chat area. Do not give your Comcast password to anyone in an e-mail, over the telephone, or in an online support area.

13. Disclosures of Information

Comcast holds customer privacy in the highest regard and we make every reasonable effort to protect your privacy as described in this Privacy Policy. Nevertheless, we may be required by law to disclose Personally Identifiable Information or other information about you or other users of the Comcast Web Services. These disclosures may be made with or without your consent, and with or without notice, in compliance with the terms of a subpoena, court order, search warrant, or other valid legal process. We may also disclose information about you or users of the Comcast Web Services when we believe in good faith that the disclosure of information is necessary to prevent financial loss, address suspected illegal activity, protect our rights or property, or prevent imminent physical harm.

14. Special Note About Children

Comcast does not knowingly collect Personally Identifiable Information from anyone under the age of 13 through the Comcast Web Services. Children should always get permission from a parent or legal guardian before sending any information about themselves (such as their names, e-mail addresses, and telephone numbers) over the Internet, to Comcast or to anyone else.

15. Your California Privacy Rights

California law permits its residents to request and receive information about a business' disclosure of certain categories of PII to other companies for their use for direct marketing. If you are a California resident and a user of any of the Comcast Web Services, you can request a copy of this information from Comcast by sending e-mail to Comcast_Web_Privacy at Comcast dot com or a letter to Comcast Cable Communications Management, LLC, Attn: California Direct Marketing Information, One Comcast Center, Philadelphia, PA 19103. Please include your name and e-mail address in e-mail requests, and your name and postal address in mail requests.

16. Change of Ownership or Other Business Transaction

In the event Comcast enters into a business transition, such as a merger, acquisition, or the sale of all or part of its assets (a "Business Transition"), Your Data (including PII and non-PII associated with the Comcast Web Services) will likely be part of the assets transferred.

In this event, we will notify you of any Business Transition. We will also notify you of any subsequent material changes to this Privacy Policy as a result of a Business Transaction and give you the opportunity to opt-out for information that we have collected before, or may collect after, a new Privacy Policy containing material changes takes effect.

17. Plaxo

The following terms in this section apply only to your use of the Plaxo Service and www.plaxo.com (collectively the "Plaxo Offerings").

Plaxo complies with the U.S. - E.U. Safe Harbor framework and the U.S. - Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. Plaxo has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Plaxo's certification, please visit http://www.export.gov/safeharbor/

Comcast uses Your Data to enable you to use the Plaxo Offerings as follows.

  • Registration Data and Profile Data. The name you put in your Registration Data and the photo (if you have uploaded one) in your Profile Data will be displayed to members; and to non-members who use the Plaxo Service if you choose to make the data publicly accessible. This is primarily so your friends, family or business colleagues can find you and connect with you. All users can control whether or not their names are listed in the Plaxo people search listings. You also control how all other information in your Registration Data and Profile Data is shared with others through your Plaxo privacy settings (for example, friends, family, business) located at http://www.plaxo.com/settings/account. You control whether or not you have a public profile. If you have a public profile you choose which information from your Registration Data and Profile Data is part of your public profile. Public profiles are viewable by any member or non-member who uses the Plaxo Service.
  • Activity Data. You control with whom your Activity Data is shared. Once you share data with someone, however, you cannot control what those recipients do with your data.

A special note about the contacts stored in your Plaxo address book and Plaxo's Personal Assistant:

Plaxo provides its members with updated contact information for the people they already have in their address books. Plaxo uses publicly available contact information corresponding to the contacts in a Plaxo member's address book, and suggests updates for that contact information to the Plaxo member. When using the Import Contacts feature, you can import contacts from your Outlook or other e-mail account address book to invite them to become members of our site or to connect with them. We collect the username and password for the e-mail account you wish to import your contacts from and will only use it for that purpose.

To help Plaxo determine whether a piece of publicly available contact information is accurate, Plaxo looks at how frequently that public information appears in the aggregation of all address book data stored in the Plaxo system. Plaxo members who do not want their address book data used in this aggregation process can easily remove their address book data from the Plaxo Offerings. Before removing the data, Plaxo members can export it to another online address book provider. Learn more about exporting your address book and deleting your account.

Anyone, whether a Plaxo member or not, can prevent Plaxo from suggesting updates to their contact info as it appears in a Plaxo member's address book by opting out.

18. Tunerfish

The following terms in this section apply only to your use of the Tunerfish Service and www.tunerfish.com (collectively the "Tunerfish Offerings").

Comcast uses Your Data to enable you to use the Tunerfish Offerings as follows.

  • Registration Data and Profile Data. Some of your Registration Data and Profile Data, for example your name, bio, and photo, is publicly available through the Tunerfish Offerings. You can control the contents of these fields, but any content you put in these fields will be viewable by anyone who visits the Tunerfish Website or uses the Tunerfish Offerings.
  • Activity Data. By default, your Activity Data is viewable by anyone who visits the Tunerfish Website or uses the Tunerfish Offerings. You may make your Activity Data more private by changing your Tunerfish privacy settings at http://www.tunerfish.com/settings. Once you share your Activity Data with someone, you cannot control what that person does with your data. You may choose to share your Activity Data with third parties (e.g., Facebook, Twitter) ("Third Party Sites"). If you choose to share your Activity Data with any Third Party Sites, they may use that data as described in their own privacy policies and other applicable terms and conditions.

19. Changes to this Privacy Policy

Comcast reserves the right to change this Privacy Policy from time to time consistent with applicable privacy laws. When we do change it, we will make a copy of the updated Privacy Policy available to you before it takes effect. If we make material changes to this Privacy Policy, we will also notify you by e-mail, direct mail, or other reasonable methods that we select. In the event of material changes to this Privacy Policy, we will give you the opportunity to opt-out for information that we have collected before, or may collect after, a new Privacy Policy containing material changes takes effect.

You understand and agree that if you use the Comcast Web Services after the effective date of the updated Privacy Policy, Comcast will consider your use as acceptance of the updated Privacy Policy.

20. International Visitors

Our computer systems are currently based in the United States, so your PII will be processed by us in the United States, where data protection and privacy regulations may be different than other parts of the world, such as the European Union. If you create an online account to use the Comcast Sites as a visitor from outside the United States, you will have agreed to the terms of the Privacy Policy and our Web Services Terms of Service and you will have consented to the transfer to and processing of all such information in the United States, which may not offer an equivalent level of protection to that in the European Union or certain other countries.

21. Contacting Comcast & Customer Support

You can direct questions regarding this Privacy Policy to Comcast by e-mailing us at Comcast_Web_Privacy at Comcast dot com. You can also send a letter by mail to Comcast Cable Communications Management, LLC, Attn: Web Services Privacy Policy Questions, One Comcast Center, Philadelphia, PA 19103 USA.

You can find customer support and help information at http://customer.comcast.com/Pages/Help.aspx. Some online support areas and tools may ask you to provide information to Comcast to help us address your questions or problems. We may also make software tools available to help configure your device's or network's settings, or collect information from your device or network to help us provide support to you. If you choose to provide this information to Comcast or use these tools, we will use the information only for customer support purposes.

Revised and Effective: May 15, 2014




Friday, July 10, 2015

FBI software cracks encryption wall - Security

msnbc.com

Nov. 20, 2001 — The FBI is developing software capable of inserting a computer virus onto a suspect's machine and obtaining encryption keys, a source familiar with the project told MSNBC.com. The software, known as "Magic Lantern," enables agents to read data that had been scrambled, a tactic often employed by criminals to hide information and evade law enforcement. The best snooping technology that the FBI currently uses, the controversial software called Carnivore, has been useless against suspects clever enough to encrypt their files.

Magic Lantern installs so-called "keylogging" software on a suspect's machine that is capable of capturing keystrokes typed on a computer. By tracking exactly what a suspect types, critical encryption key information can be gathered, and then transmitted back to the FBI, according to the source, who requested anonymity.

The virus can be sent to the suspect via e-mail — perhaps sent for the FBI by a trusted friend or relative. The FBI can also use common vulnerabilities to break into a suspect's computer and insert Magic Lantern, the source said.

Magic Lantern is one of a series of enhancements currently being developed for the FBI's Carnivore project, the source said, under the umbrella project name of Cyber Knight.

Mentioned in unclassified documents

The FBI released a series of unclassified documents relating to Carnivore last year in response to a Freedom of Information Act request filed by the Electronic Privacy Information Center. The documentation was heavily redacted — most information was blacked out. They included a document describing the "Enhanced Carnivore Project Plan," which was almost completely redacted. According to the anonymous source, redacted portions of that memo mention Cyber Knight, which he described as a database that sorts and matches data gathered using various Carnivore-like methods from e-mail, chat rooms, instant messages and Internet phone calls. It also matches the files with the necessary encryption keys.

MSNBC.com repeatedly contacted the FBI to discuss this story. However, after three business days the FBI was still requesting more time before commenting. MSNBC.com has filed a Freedom of Information Act request with the bureau.

Word of the FBI's new software comes on the heels of a major victory for the use of Carnivore. The USA Patriot Act, passed last month, made it a little easier for the bureau to deploy the software. Now agents can install it simply by obtaining an order from a U.S. or state attorney general — without going to a judge. After-the-fact judicial oversight is still required.

FBI has already stolen keys

If Magic Lantern is in fact used to steal encryption keys, it would not be the first time the FBI has employed such a tactic. Just last month, in an affidavit filed by Deputy Assistant Director Randall Murch in U.S. District Court, the bureau admitted using keylogging software to steal encryption keys in a recent high-profile mob case. Nicodemo Scarfo was arrested last year for loan sharking and running a gambling racket. During their investigation, Murch wrote in his affidavit, FBI agents broke into Scarfo's New Jersey office and installed encryption-key-stealing software on the suspect's machine. The key was later used to decrypt critical evidence in the case.

Magic Lantern would take the method used in Scarfo one step further, allowing agents to "break in" to a suspect's office and install keylogging software remotely. But in both cases, the software works the same way.

It watches for a suspect to start a popular encryption program called Pretty Good Privacy. It then logs the passphrase used to start the program, essentially giving agents access to keys needed to decrypt files.

Encryption keys are unbreakable by brute force, but the keys themselves are only protected by the passphrase used to start the Pretty Good Privacy program, similar to a password used to log on to a network. If agents can obtain that passphrase while typed into a computer by its owner, they can obtain the suspect's encryption key — similar to obtaining a key to a lock box which contains a piece of paper that includes the combination for a safe.

Breaking new ground

David Sobel, attorney for the Electronic Privacy Information Center and outspoken critic of Carnivore, did not outright reject the notion of a Magic-Lantern-style project, but raised several cautions.

"This is breaking new ground for law enforcement, to be planting viruses on target computers," Sobel said. "It raises a new set of issues that neither Congress nor the courts have ever dealt with."

Stealing encryption keys could be touchy ground for federal investigators, who have always fretted openly about encryption's ability to help criminals and terrorists hide their work. During the Clinton administration, the FBI found itself on the losing side of a lengthy public debate about the federal government's ability to circumvent encryption tools. The most recently rejected proposal involved so-called key escrow — all encryption keys would have been stored by the government for emergency recall.

Levels playing field with criminals

A spokesperson for Rep. Dick Armey (R-Texas) said he thought Magic Lantern, as described to him by MSNBC.com, was considerably more palatable than key escrow.

"Citizens should have ability to keep their files and e-mails safe from bureaucratic prying eyes. But this would only be usable against a limited set of people. It's not as troubling as saying the government should have all the keys," said the Armey spokesperson. He also said Magic Lantern didn't raise the same Fourth Amendment concerns regarding search and seizure as Carnivore, because Magic Lantern apparently targets one suspect at a time. Armey, an outspoken Carnivore critic, has complained about the potential for the FBI's Internet sniffing software to capture too much data as packets fly by headed for a suspect — known in the legal world as an "overly broad" search.

Sobel was concerned that the keylogging software itself could result in overly broad searches, since it would be possible to observe every keystroke entered by a suspect, even if a court order specified a search only for encryption keys. Developers in the Scarfo case went to some trouble to limit the data stored by the keylogging software installed on Scarfo's computer, shutting the system on and off in an attempt to comply with the court order, according to Murch's affidavit. But given the confusion surrounding keylogging and encryption, and the mystery surrounding projects like Carnivore, Sobel said he's worried about the bureau's use of software that hasn't been clearly explained to the public or the Congress.

"It is a matter of what protections are in place. At this point, the best documented case is Scarfo, and that raises concerns," he said. "The federal magistrate who approved the technology in Scarfo had no understanding of what this thing was. I hope there can be meaningful oversight (for Magic Lantern)."

© 2013 msnbc.com

Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide - The Intercept

When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn't be able to unlock evidence on criminals' digital devices. What they didn't say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept.

We're publishing in full, for the first time, manuals explaining the prominent commercial implant software "Remote Control System," manufactured by the Italian company Hacking Team. Despite FBI director James Comey's dire warnings about the impact of widespread data scrambling — "criminals and terrorists would like nothing more," he declared — Hacking Team explicitly promises on its website that its software can "defeat encryption."

The manuals describe Hacking Team's software for government technicians and analysts, showing how it can activate cameras, exfiltrate emails, record Skype calls, log typing, and collect passwords on targeted devices. They also catalog a range of pre-bottled techniques for infecting those devices using wifi networks, USB sticks, streaming video, and email attachments to deliver viral installers. With a few clicks of a mouse, even a lightly trained technician can build a software agent that can infect and monitor a device, then upload captured data at unobtrusive times using a stealthy network of proxy servers, all without leaving a trace. That, at least, is what Hacking Team's manuals claim as the company tries to distinguish its offerings in the global marketplace for government hacking software.

Hacking Team's efforts include a visible push into the U.S. Though Remote Control System is sold around the world — suspected clients include small governments in dozens of countries, from Ethiopia to Kazakhstan to Saudi Arabia to Mexico to Oman — the company keeps one of its three listed worldwide offices in Annapolis, Maryland, on the edge of the federal intelligence and law-enforcement cluster around the nation's capital; has sent representatives to American homeland security trade shows and conferences, where it has led training seminars like "Cyber Intelligence Solutions to Data Encryption" for police; and has even taken an investment from a firm headed by America's former ambassador to Italy. The United States is also, according to two separate research teams, far and away Hacking Team's top nexus for servers, hosting upwards of 100 such systems, roughly a fifth of all its servers globally.

The company has made at least some sales to American entities, according to comments its outspoken co-founder and CEO David Vincenzetti made in l'Espresso in 2011. "We sell Remote Control System to institutions in more than 40 countries on five continents," he told the Italian newsmagazine. "All of Europe, but also the Middle East, Asia, United States of America." In the English-language press, where Hacking Team has been more circumspect about its client list, Vincenzetti's l'Espresso comments about selling implants to U.S. institutions seem to have fallen through the cracks. Asked about them, Hacking Team spokesman Eric Rabe told The Intercept, "we do not identify either our clients or their locations."

(After publication of this article, Vincenzetti responded with a letter, available here along with a reply from The Intercept.)

Whatever the extent of its U.S. sales, Hacking Team's manuals deserve an audience in America and beyond. This summer, researchers at the Citizen Lab at the University of Toronto's Munk School of Global Affairs, including the co-author of this piece, published excerpts of the manuals and technical descriptions of Hacking Team's capabilities. Publishing the manuals in their entirety here will give the public a better understanding of the sophistication of these relatively low-cost and increasingly prevalent surveillance tools. That sort of understanding is particularly important at a time when digital monitoring has spread from large federal agencies to local police departments and as more national governments gain the once-rarified ability to deploy digital implants across borders. Turnkey solutions like RCS effectively multiply the online threats faced by activists, dissidents, lawyers, businessmen, journalists, and any number of other computer users.

A Niche for Commercial Spyware

Within the U.S., there's relatively little information on the prevalence of law enforcement hacking. The FBI only rarely discloses its use in criminal cases. Chris Soghoian, principal technologist with the American Civil Liberties Union's Project on Speech, Privacy and Technology, who has closely tracked the FBI's use of malware, says that agents use vague language when getting judges' permission to hack devices. "This is a really, really, invasive tool," Soghoian says. "If the courts don't know what they're authorizing, they're not a good check on its use. If we as a society want malware to be used by the state, we ought to have a public debate."

What is clear is that large nations with well-funded intelligence establishments have long been capable of the kind of surveillance Hacking Team offers. In 2001, it was first reported that the FBI had developed malware known as Magic Lantern, which could take over a computer and log its users' keystrokes, as a way around encryption. Soghoian says it's likely that the bureau and American intelligence agencies get more customized spying solutions from contractors other than Hacking Team. Countries such as China and Russia probably develop their spyware in-house.

Hacking Team and the German firm FinFisher have taken over another niche, as the most prominent purveyors of user-friendly, off-the-shelf spyware for less moneyed customers, says Ben Wagner, director of the Center for Internet and Human Rights at the European University Viadrina. A recent leak of FinFisher data showed customer service communications between the company and Bahrain, Pakistan, Estonia, and a regional police department in Australia, among other clients. The cost of a Hacking Team installation package, meanwhile, ranges from 200,000 to 1 million euros, Vincenzetti told l'Espresso in 2011. Pricey, but not out of reach.

"If those countries didn't have access to Gamma [FinFisher's former parent company] or Hacking Team, they probably wouldn't be able to do this kind of surveillance," says Wagner. "Those are the two that we know about who have really gone for this targeted surveillance market for smaller and midsize countries."

Soghoian thinks that "to the extent that Hacking Team has sold in the U.S., it would be to less well-resourced federal agencies or bigger local police teams."

Hacking Team has built up enough of a profile to become something of an icon in its home country. "Elegant and tan" Vincenzetti has been lauded as a poster-boy for modernizing the Italian economy and is touted to stateside investors at events like "Italy Meets the USA." Among those promoting Hacking Team is Innogest, an Italian venture capital firm headed by the former U.S. ambassador to Italy Ronald Spogli. The company is in Innogest's own portfolio.

Despite the acclaim, Hacking Team — and its competitor FinFisher — have drawn the ire of human rights and privacy activists. "We have not that many companies doing nasty things for not that much money on a global scale, but with huge human rights effects," Wagner said.

Companies like Hacking Team refer to their products as "lawful intercept" technology. They need at least the pretense of dealing with legitimate actors because the legality of surveillance software depends on the behavior of its users. That's all that fundamentally separates their software from tools for crime or repression. But evaluating that legitimacy becomes tougher as prices fall and customers proliferate.

Hacking Team offers the assurance that its users are all government institutions. Spyware is perfectly legal in law enforcement or intelligence investigations "if used with the proper legal authorization in whatever jurisdiction they're in," according to Nate Cardozo, staff attorney at the Electronic Frontier Foundation. Hacking Team's "customer policy" also claims that it will not sell to countries listed on international "blacklists" or that it believes "facilitate gross human rights abuses." The company won't disclose what it means by blacklists, how its review process works, or which, if any, customers have been dumped. Hacking Team's spokesman refused to provide details beyond what is on the company's website.

There's evidence the company is not being particularly selective about to whom it sells. Of 21 suspected Hacking Team users tracked down by Citizen Lab, nine had been given the lowest possible ranking, "authoritarian," in The Economist's 2012 Democracy Index, and four of those were singled out for particularly egregious abuses — torture, beatings and rapes in detention, lethal violence against protestors — by Human Rights Watch.

Its competitors face similar criticism. Activists in Bahrain and Ethiopia have found FinFisher spyware on their computers. (FinFisher did not respond to an emailed request for comment.)

The U.S. government has shown an interest in policing the improper use of packaged malware. The Justice Department just recently brought its first case against a spyware developer, arresting a Pakistani man who marketed StealthGenie, an app that does some of the same things as Hacking Team's RCS – monitoring all phone calls, messages, emails, texts and more without the owner's knowledge — except for individuals rather than governments. Announcing the charges against StealthGenie's maker, an assistant attorney general called the spyware "reprehensible…expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim's personal life."

How It Works

Key to the spread of software like Hacking Team RCS is that it's designed to be simple for non-experts to use.

In a brochure, Hacking Team boasts, "You cannot stop your targets from moving. How can you keep chasing them? What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that."

Hacking Team manuals, dated September 2013, provide step-by-step instructions for technicians, administrators, and analysts on how to infect a device and set up spying.

The software can be installed physically, via a USB stick, if the authorities have direct access to the computer (imagine a police stop or an airport search).

Or, the infection can happen remotely. It could take the familiar form of a phishing attack or email scam – as a group of Moroccan reporters found out in 2012. A document promising them a secret scoop (it was titled "scandale," in French) turned out to be a decoy for Hacking Team software. An Emirati blogger fell victim to the same trick. The implant can also be melded with legitimate, useful software that the victim is prompted to download.

As The Intercept has previously reported, Hacking Team also installs its bugs via "network injectors" – physical devices housed with internet service providers, that allow them to intercept ordinary web traffic, like streaming video, and replace it with infectious code. (After we reported that YouTube and Microsoft Live were exploitable in this way, both companies moved to fix the vulnerabilities.)

From page 107 of the RCS Technician's Guide.

Then there are covert network injections. The spyware installer might lie in wait in a hotel, or a Starbucks, and gain access to your computer by "emulating an access point" – in other words, pretending to be a free wifi hotspot to which the victim connected previously. The manual also describes how the software can deploy password-busting tools to break into closed wifi networks.

From RCS Technician's Guide, page 115.

From RCS Technician's Guide, page 117.

The Hacking Team manuals recommend that customers buy a code signing certificate from Verisign (now Symantec), Thawte, or GoDaddy – companies that offer a stamp of assurance that signals to operating systems and anti-virus scanners that the software is legitimate. Getting what Symantec calls its "digital shrinkwrap" added to Hacking Team software makes it less likely to be detected. (Symantec declined to comment on how it handles malware in issuing certificates. GoDaddy and Thawte did not respond.)

Via one of those methods, the "agent" — i.e., the bug — is implanted on any of these devices:

From RCS Technician's Guide, page 39.

And set up to start recording:

From RCS Technician's Guide, page 71.

The "analyst" can then explore and take virtually anything from the target's phone or computer, at least according to the manual.

From RCS Analyst's Guide, page 59-60.

Here our analyst selects an investigation – code-named "Swordfish," and described as a "Terrorist Attack in Singapore."

From RCS Analyst's Guide, page 32.

Opening that up, he sees the targets in Swordfish – "Alejandro Reade," "Joey Fargo," and "Jimmy Page" – "head of the terrorist cell."

From RCS Analyst's Guide, page 34.

Here's what he's looking at on Jimmy's computer: his desktop, Skype account, Firefox browsing. All of that can be exported from the bugged device to the spy's computer, undetected.

From RCS Analyst's Guide, page 49.

But before he sends everything off to his higher-ups, he can have a listen, to decide if it's relevant:

From RCS Analyst's Guide, page 56.

And can even translate it:

From RCS Analyst's Guide, page 48.

Once he's got all that, he maps out the various people and places tied to his target.

From RCS Analyst's Guide, pages 66-67.

Entities are automatically linked by the software based on their contacts – either as a "know," a "peer," or an "identity" (i.e., two addresses associated with the same person).

From RCS Analyst's Guide, pages 68, 70, and 71.

Here are Jimmy and his friends in an industrial lot in Los Angeles:

From RCS Analyst's Guide, page 76.

From RCS Analyst's Guide, page 81.

And here's the man himself, with all his vital stats. Web sites and physical locations get similar profiles. That photo, the manual notes, will default to the "first image captured by the webcam."

From RCS Analyst's Guide, page 85.

For more on how this all works, see Citizen Lab's report, and explore the full set of documents below.

Manuals

Hacking Team RCS 9 Analyst's Guide (PDF):

Hacking Team RCS 9 Administrator's Guide (PDF):

Hacking Team RCS 9 Technician's Guide (PDF):

Hacking Team RCS 9 System Administrator's Guide (PDF):

Hacking Team RCS Invisibility Report (PDF):

Hacking Team RCS 9.0 Changelog (PDF):

Hacking Team RCS 9.1 Changelog (PDF):

Update: Added a link to a response letter from Vincenzetti. Nov. 3, 2014 4:20 pm ET

Top Photo: Pablo Blazquez Dominguez/Getty Images; Vincenzetti: Google+




Psychologists Shielded U.S. Torture Program, Report Finds - NYTimes.com

Psychologists Shielded U.S. Torture Program, Report Finds

WASHINGTON — The Central Intelligence Agency's health professionals repeatedly criticized the agency's post-Sept. 11 interrogation program, but their protests were rebuffed by prominent outside psychologists who lent credibility to the program, according to a sweeping new report.

The 542-page report, which examines the involvement of the nation's psychologists and their largest professional organization, the American Psychological Association, with the harsh interrogation programs of the Bush era, raises repeated questions about the collaboration between psychologists and officials at both the C.I.A. and the Pentagon.

The report, completed this month, concludes that some of the association's top officials, including its ethics director, sought to curry favor with Pentagon officials by seeking to keep the association's ethics policies in line with the interrogation policies of the Defense Department, while several prominent outside psychologists took actions that aided the C.I.A.'s interrogation program and helped protect it from growing dissent inside the agency.

The association's ethics office, the report found, "prioritized the protection of psychologists — even those who might have engaged in unethical behavior — above the protection of the public."



Elyssa D. Durant, Ed.M.
Research & Policy Analyst