Jennifer Valentino-Devries, Natasha Singer, Michael H. Keller and Aaron Krolik, for The New York Times:
More than 1,000 popular apps contain location-sharing code from such companies, according to 2018 data from MightySignal, a mobile analysis firm. Google’s Android system was found to have about 1,200 apps with such code, compared with about 200 on Apple’s iOS.
The most prolific company was Reveal Mobile, based in North Carolina, which had location-gathering code in more than 500 apps, including many that provide local news. A Reveal spokesman said that the popularity of its code showed that it helped app developers make ad money and consumers get free services.
Apple is a better proprietor than Google in this regard, but a lot more can and should be done to protect users.
Nicole Nguyen, for Buzzfeed:
Facebook has filed several patent applications with the US Patent and Trademark Office for technology that uses your location data to predict where you’re going and when you’re going to be offline.
Have you deleted your Facebook account yet?
In a statement, Facebook spokesperson Anthony Harrison said, “We often seek patents for technology we never implement, and patent applications — such as this one — should not be taken as an indication of future plans.”
Yeah… it really should in Facebook’s case.
Joseph Menn for Reuters:
A senior Apple Inc security expert left for a much lower-paying job at the American Civil Liberties Union this week, the latest sign of increasing activity on policy issues by Silicon Valley privacy specialists and other engineers.
Jon Callas, who led a team of hackers breaking into pre-release Apple products to test their security, started Monday in a two-year role as technology fellow at the ACLU. Prior to his latest stint at Apple, Callas designed an encryption system to protect data on Macs and co-founded communications companies Silent Circle, Blackphone and PGP Corp. […]
Callas said he felt particular kinship with Google employees pressing to have more of a say in the company’s prospective deal to return to mainland China with a censored search engine.
“A bunch of people have in fact woken up and said ‘Where are we, where are we going?’” Callas said. “These employees are wanting more discussion and access to what’s going on.”
Callas said phone makers had improved security and he wanted to see progress continue and widen without companies succumbing to pressure to install back doors.
There could be a simple explanation for his choice but the elephant in the room is Apple in China.
Kurt Wagner, reporting for Recode:
Last Monday, we wrote: “No data collected through Portal — even call log data or app usage data, like the fact that you listened to Spotify — will be used to target users with ads on Facebook.”
We wrote that because that’s what we were told by Facebook executives.
But Facebook has since reached out to change its answer: Portal doesn’t have ads, but data about who you call and data about which apps you use on Portal can be used to target you with ads on other Facebook-owned properties.
Of course it can. And over time it’ll probably do other nasty stuff to its users.
Gerrit de Vynck, for Bloomberg:
Alphabet Inc.’s Google said it found a “software glitch” in its Google+ social network in March that could have exposed the personal data of as many as half a million users, but decided not to tell the public until Monday.
Google chose not to disclose the flaw out of concern it would trigger regulatory backlash, especially in the wake of criticism against Facebook Inc. for its privacy failures, according to the Wall Street Journal, which initially reported the news Monday. In a statement posted to its blog minutes after the report, Google said it plans to shut down Google+ for consumers and introduce new privacy tools restricting how developers can use information on products ranging from email to file storage.
Portal was created with privacy, safety and security in mind. And it has clear and simple settings, so you always stay in control.
Having all of Facebooks privacy scandals in mind, this product feels like the perfect companion device to their portfolio… if it was released on April Fool’s.
Do not buy this product. You probably shouldn’t be using Google’s Home or Amazon’s Alexa either.
Gennie Gebhart and Cory Doctorow, for the EFF:
While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security […]
Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode “confidential” is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new “Confidential Mode” in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.
The one thing I trust Google with is their uncanny ability to try to create an illusion of privacy and security, while in reality doing the exact opposite.
Edmund Lee and John Koblin, for The New York Times:
Known for “The Sopranos,” “Game of Thrones” and “Westworld,” HBO has long favored quality over quantity. Its high-gloss productions often take years to develop and can cost millions per episode. That approach has won the network more Primetime Emmy Awards than any of its competitors over the last 16 years, with Mr. Plepler the master curator.
In recent years, Mr. Plepler has emphasized HBO’s “bespoke culture” and its enduring appeal to A-list producers and stars at a time when Netflix, Amazon and Apple have bottomless budgets. On his watch, “Big Little Lies” has brought the Oscar winners Reese Witherspoon, Nicole Kidman and Meryl Streep to the network, and shows like “Barry” and “Insecure” have charmed critics. But during the town hall meeting, Mr. Stankey said HBO should consider trying something new.
The feeling that quality over quantity gives is something hard to measure in terms of viewer appreciation but its a very important aspect of a service.
“We need hours a day,” Mr. Stankey said, referring to the time viewers spend watching HBO programs. “It’s not hours a week, and it’s not hours a month. We need hours a day. You are competing with devices that sit in people’s hands that capture their attention every 15 minutes.”
Continuing the theme, he added: “I want more hours of engagement. Why are more hours of engagement important? Because you get more data and information about a customer that then allows you to do things like monetize through alternate models of advertising as well as subscriptions, which I think is very important to play in tomorrow’s world.”
This pursuit of engagement is why so many products and services are absolutely terrible today. Please HBO, don’t go down that route. Oh, and Stankey’s mention of “alternate models of advertising” is utterly unacceptable.
Ashley Carman, writing for The Verge:
Bad news for Samsung phone owners: some devices are randomly sending your camera roll photos to your contacts without permission. As first spotted by Gizmodo, users are complaining about the issue on Reddit and the company’s official forums. One user says his phone sent all his photos to his girlfriend. The messages are being sent through Samsung’s default texting app Samsung Messages. According to reports, the Messages app does not even show users that files have been sent; many just find out after they get a response from the recipient of the random photos sent to them.
I wonder how many people actually received “dick pics” (as in nudes). This sounds funny at first, but it could really be catastrophic, depending on the people involved.
I finally got around to setting up 2FA for my FastMail account on Wednesday, preferring to switch over to 1Password, to an authenticator instead of SMS. I forgot I would need to create an app password for my iPhone to continue receiving emails on it. FastMail was nice enough to notify me of this via email, as a reminder, but I did not receive this email, because I was locked out, because I didn’t create an app password, because I completely forgot about it.
Yeah, my bad.
The upside was that I was happy for two days because I barely got any email (a few slipped by on my other accounts). The downside? It’s the weekend and I am calling email bankruptcy.
Dan Goodin, writing for Ars Technica:
The Internet’s two most widely used methods for encrypting email—PGP and S/MIME—are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from email clients.
The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”
You can find an “EFAIL” paper discussing the vulnerabilities here.
The zip file I eventually received from Apple was tiny, only 9 megabytes, compared to 243 MB from Google and 881 MB from Facebook. And there’s not much there, because Apple says the information is primarily kept on your device, not its servers. The one sentence highlight: a list of my downloads, purchases and repairs, but not my search histories through the Siri personal assistant or the Safari browser.
This approach by Apple makes me trust them more with my data than any other company.
Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password. Mozilla Firefox browser is recommended to watch network cameras.
These cameras have no passwords set. Some on purpose, others not so much.
Marco Arment, on his blog:
One of the ways publishers try to get around the limitations of the current model is by embedding remote images or invisible “tracking pixels” in each episode’s HTML show notes. When displayed in most apps, the images are automatically loaded from an analytics server, which can then record and track more information about you.
In Overcast 4.2, much like Mail (and for the same reason), remote images don’t load by default. A tappable placeholder shows you where each image will load from, and you can decide whether to load it or not.
This is one developer I would trust with my data without hesitation. I’m keeping my email-based login for Overcast, even though he’ll probably hate me for burdening him with it.
The guys behind 1Blocker for iOS and macOS are launching 1Blocker X tomorrow, with support for many more rules by combining several content blockers into one app — this rewrite took them 6 months, which is why I completely understand their need to make back their investment. Salavat Khanov wrote up all the new features of 1Blocker X on their blog — it’s an interesting read — and now that I finally understand how it works under the hood, I’m upgrading tomorrow, when the app goes live. You can pre-order it today though…
★ 1Blocker X — $4.99 / €5,49 / 23,49 PLN →
Christopher Mims, for The Washington Post:
As justifiable as the focus on Facebook has been, though, it isn’t the full picture. If the concern is that companies might be collecting some personal data without our knowledge or explicit consent, Alphabet’s Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps […]
It’s likely that Google has shadow profiles on at least as many people as Facebook does, says Chandler Givens, chief executive of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting. Yet, like Facebook, it continues to gather your data […]
Google also is the biggest enabler of data harvesting, through the world’s two billion active Android mobile devices. Because Google’s Android OS helps companies gather data on us, then Google is also partly to blame when troves of that data are later used improperly, says Woodrow Hartzog, a professor of law and computer science at Northeastern University.
A good example of this is the way Facebook has continuously harvested Android users’ call and text history. Facebook never got this level of access from Apple ’s iPhone, whose operating system is designed to permit less under-the-hood data collection. Android OS often allows apps to request rich data from users without accompanying warnings about how the data might be used.
Meanwhile, we still don’t have the tools or means to protect ourselves from being targeted by Google, Facebook, and others, or to block their tracking practices completely.
Gregorio Zanon, posting on Medium:
Facebook could potentially access your WhatApp chats. In fact, it could easily acces your entire chat history and every single attachment. Now, I am not saying it does and have no evidence it did. But after Android users have recently been finding out that their call history and SMS data had been collected by Facebook, I believe it is important to go over the means by which Facebook is already in a position to collect our WhatsApp data, from any iPhone running iOS 8 and above.
In case you did not know about this for some reason…
Alex Hern and Carole Cadwalladr, writing for The Guardian:
Aleksandr Kogan collected direct messages sent to and from Facebook users who installed his This Is Your Digital Life app, the Guardian can reveal. It follows Facebook’s admission that the company “may” have handed over the direct messages of some users to the Cambridge Analytica contractor without their express permission. The revelation is the most severe breach of privacy yet in the Cambridge Analytica scandal.
This just gets better and better. I wonder what else we don’t know yet.
For the record, I deleted my Facebook account on March 22, a day after my last post on the subject.
Sewell Chan, for The New York Times:
Nearly all applicants for a visa to enter the United States — an estimated 14.7 million people a year — will be asked to submit their social media user names for the past five years, under proposed rules that the State Department issued on Friday […]
Along with the social media information, visa applicants will be asked for past passport numbers, phone numbers and email addresses; for records of international travel; whether they have been deported or removed, or violated immigration law, in the past; and whether relatives have been involved in terrorist activities.
We have been planning to travel to USA, to spend a few weeks visiting all the major national parks, but since Trump happened we’re putting it off indefinitely. Social Media screening isn’t helping and I refuse to submit to something I consider a violation of my privacy.
Of all the countries in the world, USA is one of the few I would not want to live in.
Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.
Quartz observed the data collection occur and contacted Google, which confirmed the practice.
I wonder what would have happened had they not been caught, and I mean that with all the sarcasm in the world.
What scares me most is that people stopped caring about companies doing things like this. Sure, I care. Maybe even you care. But most people don’t.
This is yet another example of third-party libraries, plugins, or add-ons, which do things they aren’t supposed to:
DJI has removed a third-party plugin called JPush, which was introduced in March 2016 for iOS and May 2017 for Android. We implemented the plugin as a way to push notifications when video files are successfully uploaded to DJI’s SkyPixel video sharing platform. JPush assigns a unique JPush ID to each user and informs SkyPixel of this ID when the user chooses to upload a video. After uploading is complete, SkyPixel sends the user’s unique JPush ID back to the JPush server, triggering an “Upload Complete” notification on the user’s DJI GO or DJI GO 4 apps. By using JPush’s third-party plugin, DJI has allowed users to multitask while uploading large video files to SkyPixel occurs in the background of their app.
As a third-party company, JPush only needs to send and receive a minimal, narrowly-defined amount of data in order for this function to work properly. Recent work by DJI’s software security team and external researchers has discovered that JPush also collects extraneous packets of data, which include a list of apps installed on the user’s Android device, and sends them to JPush’s server. DJI did not authorize or condone either the collection or transmission of this data, and DJI never accessed this data. JPush has been removed from our apps, and DJI will develop new methods for providing app status updates that better protect our customers’ data.
I still don’t quite understand how and why developers and companies would choose to go down this route without a detailed check of what the used third-party code does precisely. Laziness, I guess.
(…) we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.
I completely agree and have much respect for the DarkSky team for their declarations. Especially since Adam also posted many examples of companies, such as Reveal Mobile, contacting them and offering to pay for their data. In the meantime, AccuWeather’s response on the matter was a non-answer.
Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing.
AccuWeather is one of the most popular weather apps in Apple’s app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn’t say is that it sends sensitive data to a firm designed to monetize user locations without users’ explicit permission.
Delete this crap and never install it again.
This is why it’s so great that iOS 11’s new easily-invoked Emergency SOS mode requires you to enter your passcode after invoking it. When you’re entering customs or in a situation where you’re worried you’re about to be arrested, you can quickly disable Touch ID without even taking your phone out of your pocket.
Until iOS 11 ships, it’s worth remembering that you’ve always been able to require your iPhone’s passcode to unlock it by powering it off. A freshly powered-on iPhone always requires the passcode to unlock.
This unfortunately does not help at borders, which you should take into account while traveling to countries such as Russia, China, USA, and Australia, amongst others:
In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.
Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents.
First, let’s dispose of the notion that Apple could have chosen to defy the Chinese government and keep the VPN apps in the App Store. Technically, Apple could have done that. But if they had, there would have been consequences. My guess is that the Chinese government would move to block all access to the App Store in China, or even block access to all Apple servers, period. This would effectively render all iOS devices mostly useless. iPhones have been sagging in popularity in China for a few years now — with no access to apps, their popularity would drop to zero. And Apple would have a lot of angry iPhone-owning users in China on its hands.
When I first saw how hard Apple was pushing into China, to expand its potential market, my only thought was, that they were in it for the money. Quite frankly, I believe they should leave China. What’s more, they should never have entered it. If they choose to remain there, then they should stand by their beliefs — today it’s VPNs, tomorrow it will be asking for access to iMessages or some other nonsense. At this point all Apple can do is “pray they don’t alter the deal further.”
While this is obviously a much deeper subject, Apple being in China with the iPhone always felt wrong to me.
David Gewirtz, for ZDnet:
First things first, iRobot will never sell your data. Our mission is to help you keep a cleaner home and, in time, to help the smart home and the devices in it work better.
iRobot further clarified:
This was a misinterpretation. Angle never said that iRobot would look to sell customer maps or data to other companies. iRobot has not had any conversations with other companies about data transactions, and iRobot will not sell customer data.
This is in response to Reuter’s report from a few days ago.
Jan Wolfe, reporting for Reuters:
Angle told Reuters that iRobot, which made Roomba compatible with Amazon’s Alexa voice assistant in March, could reach a deal to sell its maps to one or more of the Big Three in the next couple of years.
I was recently considering buying a Roomba or one of the copycats on the market but I have now changed my mind. I will gladly pay more for a product that does not make me the… product.
The ShadowBrokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.
Keep your system up-to-date!
Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 Samata Ullah, with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.
I can understand the other charges, but how is using HTTPS a criminal offence?
Rick Falkvinge has a few interesting comments on the subject:
(…) four years ago, I predicted that the UK won’t just jail you for encryption, but for carrying astronomical noise, too. It’s already a crime to not give up keys to an encrypted document in the UK (effectively making encryption illegal), but it’s worse than that – it’s a five-years-in-prison offense to not give up the keys to something that appears encrypted to law enforcement, but may not actually be. In other words, carrying astronomical noise is a jailable offense, because it is indistinguishable from something encrypted, unless you can pull the documents the police claim are hidden in the radio noise from a magic hat. This case takes the UK significantly closer to such a reality, with charging a person for terrorism (!) merely for following privacy best practices.
Jo Becker, Adam Goldman, Michael S. Schmidt and Matt Apuzzo:
The F.B.I. secretly arrested a National Security Agency contractor in recent weeks and is investigating whether he stole and disclosed highly classified computer code developed to hack into the networks of foreign governments, according to several senior law enforcement and intelligence officials.
The theft raises the embarrassing prospect that for the second time in three years, an insider has managed to steal highly damaging secret information from the N.S.A. In 2013, Edward J. Snowden, who was also a contractor for the agency, took a vast trove of documents that were later passed to journalists, exposing N.S.A. surveillance programs in the United States and abroad.
What if Harold T. Martin III had also stolen the ‘golden keys’ to backdoors of various tech companies infrastructures? How long would it take for anyone and everyone in the world to get a peek into the lives of people using those services?