Amazon’s Ring Has Access to All of Its Customers’ Live Video Feeds and Recordings →

January 11, 2019 · 10:36

Sam Biddle, for The Intercept:

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click […]

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs.

Trust takes a long time to earn, but it can be lost in a heartbeat. I still cannot believe that companies don’t take this topic more seriously, especially after all of the Uber and Facebook fiascos.


More Lies from Facebook — Users’ Private Data Disclosed to Other Companies →

December 19, 2018 · 13:23

Gabriel J.X. Dance, Michael LaForgia and Nicholas Confessore, for The New York Times:

For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules, according to internal records and interviews […]

Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages.

The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts as recently as this summer, despite public statements that it had stopped that type of sharing years earlier.

There’s a lesson to be learned here for other tech companies, which I’m sure they’ll completely ignore. Lying to users and toying with their privacy should not be taken lightly, and I keep on wondering when most will realise they don’t need Facebook anymore.


Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret →

December 12, 2018 · 10:07

Jennifer Valentino-Devries, Natasha Singer, Michael H. Keller and Aaron Krolik, for The New York Times:

More than 1,000 popular apps contain location-sharing code from such companies, according to 2018 data from MightySignal, a mobile analysis firm. Google’s Android system was found to have about 1,200 apps with such code, compared with about 200 on Apple’s iOS.

The most prolific company was Reveal Mobile, based in North Carolina, which had location-gathering code in more than 500 apps, including many that provide local news. A Reveal spokesman said that the popularity of its code showed that it helped app developers make ad money and consumers get free services.

Apple is a better proprietor than Google in this regard, but a lot more can and should be done to protect users.


Facebook Filed a Patent to Calculate Your Future Location →

December 12, 2018 · 10:03

Nicole Nguyen, for Buzzfeed:

Facebook has filed several patent applications with the US Patent and Trademark Office for technology that uses your location data to predict where you’re going and when you’re going to be offline.

Have you deleted your Facebook account yet?

In a statement, Facebook spokesperson Anthony Harrison said, “We often seek patents for technology we never implement, and patent applications — such as this one — should not be taken as an indication of future plans.”

Yeah… it really should in Facebook’s case.


Apple Security Expert Jon Callas Moves to ACLU →

December 5, 2018 · 03:28

Joseph Menn for Reuters:

A senior Apple Inc security expert left for a much lower-paying job at the American Civil Liberties Union this week, the latest sign of increasing activity on policy issues by Silicon Valley privacy specialists and other engineers.

Jon Callas, who led a team of hackers breaking into pre-release Apple products to test their security, started Monday in a two-year role as technology fellow at the ACLU. Prior to his latest stint at Apple, Callas designed an encryption system to protect data on Macs and co-founded communications companies Silent Circle, Blackphone and PGP Corp. […]

Callas said he felt particular kinship with Google employees pressing to have more of a say in the company’s prospective deal to return to mainland China with a censored search engine.

“A bunch of people have in fact woken up and said ‘Where are we, where are we going?’” Callas said. “These employees are wanting more discussion and access to what’s going on.”

Callas said phone makers had improved security and he wanted to see progress continue and widen without companies succumbing to pressure to install back doors.

There could be a simple explanation for his choice but the elephant in the room is Apple in China.


Facebook Portal — Who You Call and What Apps You Use Could Determine What Ads You See →

October 17, 2018 · 11:00

Kurt Wagner, reporting for Recode:

Last Monday, we wrote: “No data collected through Portal — even call log data or app usage data, like the fact that you listened to Spotify — will be used to target users with ads on Facebook.”

We wrote that because that’s what we were told by Facebook executives.

But Facebook has since reached out to change its answer: Portal doesn’t have ads, but data about who you call and data about which apps you use on Portal can be used to target you with ads on other Facebook-owned properties.

Of course it can. And over time it’ll probably do other nasty stuff to its users.


Google Discloses Privacy Security Flaw Kept Quiet Since March →

October 9, 2018 · 17:30

Gerrit de Vynck, for Bloomberg:

Alphabet Inc.’s Google said it found a “software glitch” in its Google+ social network in March that could have exposed the personal data of as many as half a million users, but decided not to tell the public until Monday.

Google chose not to disclose the flaw out of concern it would trigger regulatory backlash, especially in the wake of criticism against Facebook Inc. for its privacy failures, according to the Wall Street Journal, which initially reported the news Monday. In a statement posted to its blog minutes after the report, Google said it plans to shut down Google+ for consumers and introduce new privacy tools restricting how developers can use information on products ranging from email to file storage.

Unsurprising.


Facebook Portal →

October 9, 2018 · 11:18

Portal was created with privacy, safety and security in mind. And it has clear and simple settings, so you always stay in control.

Having all of Facebook’s privacy scandals in mind, this product feels like the perfect companion device to their portfolio… if it were released on April Fools’ Day.

Do not buy this product. You probably shouldn’t be using Google’s Home or Amazon’s Alexa either.


Problems With Gmail’s “Confidential Mode” →

August 2, 2018 · 09:50

Gennie Gebhart and Cory Doctorow, for the EFF:

While many of its features sound promising, what “Confidential Mode” provides isn’t confidentiality. At best, the new mode might create expectations that it fails to meet around security and privacy in Gmail. We fear that Confidential Mode will make it less likely for users to find and use other, more secure communication alternatives. And at worst, Confidential Mode will push users further into Google’s own walled garden while giving them what we believe are misleading assurances of privacy and security […]

Ultimately, for the reasons we outlined above, in EFF’s opinion calling this new Gmail mode “confidential” is misleading. There is nothing confidential about unencrypted email in general and about Gmail’s new “Confidential Mode” in particular. While the new mode might make sense in narrow enterprise or company settings, it lacks the privacy guarantees and features to be considered a reliable secure communications option for most users.

The one thing I trust Google with is their uncanny ability to try to create an illusion of privacy and security, while in reality doing the exact opposite.


HBO Must Get Bigger and Broader →

July 9, 2018 · 11:35

Edmund Lee and John Koblin, for The New York Times:

Known for “The Sopranos,” “Game of Thrones” and “Westworld,” HBO has long favored quality over quantity. Its high-gloss productions often take years to develop and can cost millions per episode. That approach has won the network more Primetime Emmy Awards than any of its competitors over the last 16 years, with Mr. Plepler the master curator.

In recent years, Mr. Plepler has emphasized HBO’s “bespoke culture” and its enduring appeal to A-list producers and stars at a time when Netflix, Amazon and Apple have bottomless budgets. On his watch, “Big Little Lies” has brought the Oscar winners Reese Witherspoon, Nicole Kidman and Meryl Streep to the network, and shows like “Barry” and “Insecure” have charmed critics. But during the town hall meeting, Mr. Stankey said HBO should consider trying something new.

The feeling that quality over quantity gives is something hard to measure in terms of viewer appreciation, but it’s a very important aspect of a service.

“We need hours a day,” Mr. Stankey said, referring to the time viewers spend watching HBO programs. “It’s not hours a week, and it’s not hours a month. We need hours a day. You are competing with devices that sit in people’s hands that capture their attention every 15 minutes.”

Continuing the theme, he added: “I want more hours of engagement. Why are more hours of engagement important? Because you get more data and information about a customer that then allows you to do things like monetize through alternate models of advertising as well as subscriptions, which I think is very important to play in tomorrow’s world.”

This pursuit of engagement is why so many products and services are absolutely terrible today. Please HBO, don’t go down that route. Oh, and Stankey’s mention of “alternate models of advertising” is utterly unacceptable.


Samsung Phones Are Spontaneously Texting Users’ Photos to Random Contacts Without Their Permission →

July 3, 2018 · 10:17

Ashley Carman, writing for The Verge:

Bad news for Samsung phone owners: some devices are randomly sending your camera roll photos to your contacts without permission. As first spotted by Gizmodo, users are complaining about the issue on Reddit and the company’s official forums. One user says his phone sent all his photos to his girlfriend. The messages are being sent through Samsung’s default texting app Samsung Messages. According to reports, the Messages app does not even show users that files have been sent; many just find out after they get a response from the recipient of the random photos sent to them.

I wonder how many people actually received “dick pics” (as in nudes). This sounds funny at first, but it could really be catastrophic, depending on the people involved.


Locked Out of My FastMail Account (Sort Of)

June 9, 2018 · 19:43

I finally got around to setting up 2FA for my FastMail account on Wednesday, preferring to switch over to 1Password as an authenticator instead of SMS. I forgot I would need to create an app password for my iPhone to continue receiving emails on it. FastMail was nice enough to notify me of this via email, as a reminder, but I did not receive this email, because I was locked out, because I didn’t create an app password, because I completely forgot about it.

Yeah, my bad.

The upside was that I was happy for two days because I barely got any email (a few slipped by on my other accounts). The downside? It’s the weekend and I am calling email bankruptcy.


PGP and S/MIME Vulnerable to Hacks That Can Reveal the Plaintext of Encrypted Messages →

May 14, 2018 · 15:29

Dan Goodin, writing for Ars Technica:

The Internet’s two most widely used methods for encrypting email—PGP and S/MIME—are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from email clients.

The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

You can find an “EFAIL” paper discussing the vulnerabilities here.


Apple Took 8 Days to Give Jefferson the Data It Had Collected on Him →

May 5, 2018 · 11:53

Jefferson Graham:

The zip file I eventually received from Apple was tiny, only 9 megabytes, compared to 243 MB from Google and 881 MB from Facebook. And there’s not much there, because Apple says the information is primarily kept on your device, not its servers. The one sentence highlight: a list of my downloads, purchases and repairs, but not my search histories through the Siri personal assistant or the Safari browser.

This approach by Apple makes me trust them more with my data than any other company.


Unsecured IP Video Cameras Directory →

May 3, 2018 · 23:20

Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password. Mozilla Firefox browser is recommended to watch network cameras.

These cameras have no passwords set. Some on purpose, others not so much.


Marco Arment’s Stellar Privacy Update →

April 28, 2018 · 08:46

Marco Arment, on his blog:

One of the ways publishers try to get around the limitations of the current model is by embedding remote images or invisible “tracking pixels” in each episode’s HTML show notes. When displayed in most apps, the images are automatically loaded from an analytics server, which can then record and track more information about you.

In Overcast 4.2, much like Mail (and for the same reason), remote images don’t load by default. A tappable placeholder shows you where each image will load from, and you can decide whether to load it or not.

This is one developer I would trust with my data without hesitation. I’m keeping my email-based login for Overcast, even though he’ll probably hate me for burdening him with it.
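The behaviour Arment describes (remote images and tracking pixels in an episode’s HTML show notes are not fetched automatically, but replaced by a placeholder that names the host they would load from) can be modelled in a few lines. The following is an added example written for this post, not Overcast’s own code; the show notes it parses are constructed sample input, and the hostnames in them are made up.

```python
"""Rewrite remote images in podcast show-note HTML into tap-to-load placeholders.

Added example (not Overcast's code). A tracking pixel is just a remote image,
so refusing to auto-fetch any remote <img> blocks it along with ordinary
artwork; the host each image would have been requested from is reported so a
player can show it in the placeholder. Inline data: URIs and relative paths
make no request to a third party and are left untouched.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample show notes: one normal remote image, one 1x1 tracking
# pixel on an analytics host, and one inline image that needs no network.
SAMPLE_SHOW_NOTES = (
    "<p>Episode 42 notes.</p>"
    '<img src="https://cdn.example.com/art.png" alt="artwork">'
    '<img src="https://analytics.example.net/px.gif?ep=42" width="1" height="1">'
    '<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">'
)


def remote_host(src):
    """Return the host a URL would fetch from, or None if it is not remote.

    http(s) and protocol-relative (//host/...) URLs are remote; data: URIs
    and relative paths are not.
    """
    parts = urlsplit(src.strip())
    if parts.scheme in ("http", "https", "") and parts.netloc:
        return parts.netloc.lower()
    return None


class RemoteImageRewriter(HTMLParser):
    """Re-emit the HTML unchanged except for <img> tags with a remote src."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked_hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            host = remote_host(src)
            if host is not None:
                self.blocked_hosts.append(host)
                # Keep the original URL in data-src so the user can opt in later.
                self.out.append(
                    f'<span class="remote-image" data-src="{escape(src, quote=True)}">'
                    f"[Image from {escape(host)}: tap to load]</span>"
                )
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        # <img ... /> style: same as a start tag, with no closing tag to emit.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def rewrite_show_notes(html_text):
    """Return (rewritten_html, list_of_blocked_hosts) for one episode's notes."""
    parser = RemoteImageRewriter()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.blocked_hosts


if __name__ == "__main__":
    rewritten, hosts = rewrite_show_notes(SAMPLE_SHOW_NOTES)
    print("Blocked hosts:", hosts)
    print(rewritten)
```

Run against the sample, the two remote images (including the pixel on `analytics.example.net`) become placeholders and the inline `data:` image passes through unchanged. A real player would also want to apply the same rule to CSS `background-image` URLs and to `<picture>`/`srcset` sources, which this example does not cover.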


1Blocker X for iOS — New App, More Rules

April 25, 2018 · 12:15

The guys behind 1Blocker for iOS and macOS are launching 1Blocker X tomorrow, with support for many more rules by combining several content blockers into one app — this rewrite took them 6 months, which is why I completely understand their need to make back their investment. Salavat Khanov wrote up all the new features of 1Blocker X on their blog — it’s an interesting read — and now that I finally understand how it works under the hood, I’m upgrading tomorrow, when the app goes live. You can pre-order it today though…

1Blocker X — $4.99 / €5,49 / 23,49 PLN


Google Has More of Your Personal Data Than Facebook →

April 23, 2018 · 11:04

Christopher Mims, for The Washington Post:

As justifiable as the focus on Facebook has been, though, it isn’t the full picture. If the concern is that companies might be collecting some personal data without our knowledge or explicit consent, Alphabet’s Google is a far bigger threat by many measures: the volume of information it gathers, the reach of its tracking and the time people spend on its sites and apps […]

It’s likely that Google has shadow profiles on at least as many people as Facebook does, says Chandler Givens, chief executive of TrackOff, which develops software to fight identity theft. Google allows everyone, whether they have a Google account or not, to opt out of its ad targeting. Yet, like Facebook, it continues to gather your data […]

Google also is the biggest enabler of data harvesting, through the world’s two billion active Android mobile devices. Because Google’s Android OS helps companies gather data on us, then Google is also partly to blame when troves of that data are later used improperly, says Woodrow Hartzog, a professor of law and computer science at Northeastern University.

A good example of this is the way Facebook has continuously harvested Android users’ call and text history. Facebook never got this level of access from Apple’s iPhone, whose operating system is designed to permit less under-the-hood data collection. Android OS often allows apps to request rich data from users without accompanying warnings about how the data might be used.

Meanwhile, we still don’t have the tools or means to protect ourselves from being targeted by Google, Facebook, and others, or to block their tracking practices completely.


End-to-End Encryption Does Not Prevent Facebook From Accessing WhatsApp Chats →

April 13, 2018 · 11:49

Gregorio Zanon, posting on Medium:

Facebook could potentially access your WhatsApp chats. In fact, it could easily access your entire chat history and every single attachment. Now, I am not saying it does and have no evidence it did. But after Android users have recently been finding out that their call history and SMS data had been collected by Facebook, I believe it is important to go over the means by which Facebook is already in a position to collect our WhatsApp data, from any iPhone running iOS 8 and above.

In case you did not know about this for some reason…


Aleksandr Kogan Collected Facebook Users’ Direct Messages →

April 13, 2018 · 11:45

Alex Hern and Carole Cadwalladr, writing for The Guardian:

Aleksandr Kogan collected direct messages sent to and from Facebook users who installed his This Is Your Digital Life app, the Guardian can reveal. It follows Facebook’s admission that the company “may” have handed over the direct messages of some users to the Cambridge Analytica contractor without their express permission. The revelation is the most severe breach of privacy yet in the Cambridge Analytica scandal.

This just gets better and better. I wonder what else we don’t know yet.

For the record, I deleted my Facebook account on March 22, a day after my last post on the subject.


US Social Media Screening Proposal →

April 5, 2018 · 16:38

Sewell Chan, for The New York Times:

Nearly all applicants for a visa to enter the United States — an estimated 14.7 million people a year — will be asked to submit their social media user names for the past five years, under proposed rules that the State Department issued on Friday […]

Along with the social media information, visa applicants will be asked for past passport numbers, phone numbers and email addresses; for records of international travel; whether they have been deported or removed, or violated immigration law, in the past; and whether relatives have been involved in terrorist activities.

We have been planning to travel to the USA, to spend a few weeks visiting all the major national parks, but since Trump happened we’re putting it off indefinitely. Social media screening isn’t helping and I refuse to submit to something I consider a violation of my privacy.

Of all the countries in the world, the USA is one of the few I would not want to live in.


Google Collects Android Users’ Locations Even When Location Services Are Disabled →

December 7, 2017 · 08:27

Keith Collins:

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

I wonder what would have happened had they not been caught, and I mean that with all the sarcasm in the world.

What scares me most is that people stopped caring about companies doing things like this. Sure, I care. Maybe even you care. But most people don’t.


DJI Removes JPush Plugin From Their App for Collecting User Data Without Approval →

August 29, 2017 · 08:04

This is yet another example of third-party libraries, plugins, or add-ons, which do things they aren’t supposed to:

DJI has removed a third-party plugin called JPush, which was introduced in March 2016 for iOS and May 2017 for Android. We implemented the plugin as a way to push notifications when video files are successfully uploaded to DJI’s SkyPixel video sharing platform. JPush assigns a unique JPush ID to each user and informs SkyPixel of this ID when the user chooses to upload a video. After uploading is complete, SkyPixel sends the user’s unique JPush ID back to the JPush server, triggering an “Upload Complete” notification on the user’s DJI GO or DJI GO 4 apps. By using JPush’s third-party plugin, DJI has allowed users to multitask while uploading large video files to SkyPixel occurs in the background of their app.

As a third-party company, JPush only needs to send and receive a minimal, narrowly-defined amount of data in order for this function to work properly. Recent work by DJI’s software security team and external researchers has discovered that JPush also collects extraneous packets of data, which include a list of apps installed on the user’s Android device, and sends them to JPush’s server. DJI did not authorize or condone either the collection or transmission of this data, and DJI never accessed this data. JPush has been removed from our apps, and DJI will develop new methods for providing app status updates that better protect our customers’ data.

I still don’t quite understand how and why developers and companies would choose to go down this route without a detailed check of what the used third-party code does precisely. Laziness, I guess.


DarkSky Comments on AccuWeather, Location Tracking, and Privacy →

August 28, 2017 · 13:12

Adam Grossman:

(…) we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.

I completely agree and have much respect for the DarkSky team for their declarations. Especially since Adam also posted many examples of companies, such as Reveal Mobile, contacting them and offering to pay for their data. In the meantime, AccuWeather’s response on the matter was a non-answer.


AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off →

August 23, 2017 · 14:33

Zack Whittaker:

Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing.

AccuWeather is one of the most popular weather apps in Apple’s app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn’t say is that it sends sensitive data to a firm designed to monetize user locations without users’ explicit permission.

Delete this crap and never install it again.


Cops Can Make You Unlock Your Phone With Your Fingerprint, but Not Your Passcode →

August 21, 2017 · 08:58

John Gruber:

This is why it’s so great that iOS 11’s new easily-invoked Emergency SOS mode requires you to enter your passcode after invoking it. When you’re entering customs or in a situation where you’re worried you’re about to be arrested, you can quickly disable Touch ID without even taking your phone out of your pocket.

Until iOS 11 ships, it’s worth remembering that you’ve always been able to require your iPhone’s passcode to unlock it by powering it off. A freshly powered-on iPhone always requires the passcode to unlock.

This unfortunately does not help at borders, which you should take into account while traveling to countries such as Russia, China, USA, and Australia, amongst others:

In fact, US Customs and Border Protection has long considered US borders and airports a kind of loophole in the Constitution’s Fourth Amendment protections, one that allows them wide latitude to detain travelers and search their devices. For years, they’ve used that opportunity to hold border-crossers on the slightest suspicion, and demand access to their computers and phones with little formal cause or oversight.

Even citizens are far from immune. CBP detainees from journalists to filmmakers to security researchers have all had their devices taken out of their hands by agents.


Apple Should Leave the Chinese Market →

August 1, 2017 · 23:20

John Gruber:

First, let’s dispose of the notion that Apple could have chosen to defy the Chinese government and keep the VPN apps in the App Store. Technically, Apple could have done that. But if they had, there would have been consequences. My guess is that the Chinese government would move to block all access to the App Store in China, or even block access to all Apple servers, period. This would effectively render all iOS devices mostly useless. iPhones have been sagging in popularity in China for a few years now — with no access to apps, their popularity would drop to zero. And Apple would have a lot of angry iPhone-owning users in China on its hands.

When I first saw how hard Apple was pushing into China, to expand its potential market, my only thought was that they were in it for the money. Quite frankly, I believe they should leave China. What’s more, they should never have entered it. If they choose to remain there, then they should stand by their beliefs — today it’s VPNs, tomorrow it will be asking for access to iMessages or some other nonsense. At this point all Apple can do is “pray they don’t alter the deal further.”

While this is obviously a much deeper subject, Apple being in China with the iPhone always felt wrong to me.


CEO Says iRobot Will Never Sell Your Data →

July 29, 2017 · 09:13

David Gewirtz, for ZDnet:

First things first, iRobot will never sell your data. Our mission is to help you keep a cleaner home and, in time, to help the smart home and the devices in it work better.

iRobot further clarified:

This was a misinterpretation. Angle never said that iRobot would look to sell customer maps or data to other companies. iRobot has not had any conversations with other companies about data transactions, and iRobot will not sell customer data.

This is in response to Reuters’ report from a few days ago.


Roomba Wants to Sell Maps of Homes Its Robots Clean →

July 25, 2017 · 10:38

Jan Wolfe, reporting for Reuters:

Angle told Reuters that iRobot, which made Roomba compatible with Amazon’s Alexa voice assistant in March, could reach a deal to sell its maps to one or more of the Big Three in the next couple of years.

I was recently considering buying a Roomba or one of the copycats on the market but I have now changed my mind. I will gladly pay more for a product that does not make me the… product.


Leaked NSA Malware Threatens Windows Users Around the World →

April 20, 2017 · 13:57

Sam Biddle:

The ShadowBrokers, an entity previously confirmed by The Intercept to have leaked authentic malware used by the NSA to attack computers around the world, today released another cache of what appears to be extremely potent (and previously unknown) software capable of breaking into systems running Windows. The software could give nearly anyone with sufficient technical knowledge the ability to wreak havoc on millions of Microsoft users.

Keep your system up-to-date!