Feds ask court to force Facebook to break Messenger's end-to-end voice encryption for MS-13 gang probe

In secret court proceedings, the U.S. government is trying to force Facebook to help wiretap Messenger. Facebook has declined, so the Justice Department is asking a judge for an order of contempt.

Award-winning security research reveals a host of never-seen, currently unblockable web-tracking techniques

Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies won the Distinguished Paper prize at this year's Usenix Security Conference; its authors, researchers at Belgium's Catholic University in Leuven, revealed a host of devastating, never-seen tracking techniques for identifying web-users who were using privacy tools supplied by browser-vendors and third-party tracking-blocking tools.

EBGAP: Error Between Google and Privacy

The year is 2031, and I'm going to see Avengers 7 in 8K-vision. I hop in my Goober self-driving car and notice something strange – my location is displayed on the Goober Dashboard, even though I opted out of Google AlwaysTrack™! There's a complete disconnect between what the user interface is telling me and what actually happens without my knowledge or consent.

AP and Princeton University: Google tracks location of users even when they tell it not to

The Associated Press, working with Princeton University researchers, reports that Google services on both Android and iOS devices store the user's location irrespective of location data privacy settings. The company was caught after prompting a graduate student to rate a retail store they had recently visited.

Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. ...The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search.

There is some elaborate ratmaze of settings you can dig into to actually turn the tracking off, one of which is apparently this "Web and App Activity" panel. Google says it is "being perfectly clear." The AP's interactive map of its researcher being tracked over a three day period shows what is perfectly clear: where you are.

Talking the hard questions of privacy and freedom with the Yale Privacy Lab podcast

This week, I sat down for an hour-long interview with the Yale Privacy Lab's Sean O'Brien (MP3); Sean is a frequent Boing Boing contributor and I was honored that he invited me to be his guest on the very first episode of the Lab's new podcast.

Stylistic analysis can de-anonymize code, even compiled code

A presentation today at Defcon from Drexel computer science prof Rachel Greenstadt and GWU computer science prof Aylin Caliskan builds on the pair's earlier work in identifying the authors of software and shows that they can, with a high degree of accuracy, identify the anonymous author of software, whether in source-code or binary form.

Defective Comcast security exposes 26.5m customers' partial Social Security Numbers and addresses

Comcast Xfinity's login page had an easily found bug that allowed anyone to gain access to the partial Social Security Numbers and partial home addresses of over 26.5 million customers.

Facebook to banks: give us our users' financial data and we'll let them bank with Facebook

Facebook wants to "deepen user engagement" with Messenger, and to that end, it's been pitching America's giant banks on joint enterprises where Facebook will get to see all your financial info (especially info on where you're shopping and what you're buying) to help it suck you into using Messenger for longer.

Consumer Reports now evaluates products' security and privacy

Consumer Reports is arguably America's most trusted source of product reviews -- published by Consumers Union, a venerable nonprofit with a deserved reputation for scrupulous care and neutrality -- and for years it has been wrestling with how to address privacy and cybersecurity in modern products (disclosure: I have advised them some on this).

On the cruelty of ankle-monitors

Ankle monitors are billed as a humane alternative to incarceration, allowing people who might otherwise be locked up to be reintegrated into the community.

SpiderOak warrant canary to be replaced by 'transparency report'

SpiderOak is a cloud backup service with a warrant canary: a formal statement that assured users that the company and its operators had never been made to secretly cooperate with the government, law enforcement or other surveilling authority. The canary reportedly disappeared this weekend, then reappeared, along with a statement saying it was being replaced by a "transparency report."

Don't be mad at the company! The canary worked exactly as it was supposed to.

Canadian government investigating mall's use of biometric surveillance

Last week, it was revealed by a sharp-eyed Redditor that the information kiosks at a mall in Calgary, Canada, were full of software designed to track the age and sex of anyone that stopped to use it. Pretty damn greasy. Greasier still, the management company that operates the mall, Cadillac Fairview admitted that the software was in use at a number of its other properties. The greasiest bit out of all of it? They shrugged off privacy concerns raised by a number of news outlets as there’s nothing in Alberta’s laws that keeps them from doing it without permission, or warning mall patrons that it’s being done.

Well, that was last week.

From The CBC:

The privacy commissioners of Alberta and Canada are launching investigations into the use of facial recognition technology, without the public's consent, in at least two malls in Calgary.

A notice posted Friday to the Alberta privacy commissioner website says the investigation will look to determine, "what types of personal information are being collected, whether consent for collection or notice of collection is required or would be recommended, for what purposes personal information is collected, whether the data is being shared with other businesses, law enforcement or third parties, and what safeguards or security measures are in place to protect personal information."

It’s said that Alberta’s privacy commissioner opened the investigation, based on the level of public interest surrounding the issue of whether or not it’s cool for property owners to collect biometric information without a visitor’s knowledge or consent.

Calgary malls caught secretly using facial recognition to characterise shoppers' age and gender

Calgary's Chinook Centre and Market Mall -- operated by Cadillac Fairview -- have been caught running background software that analysed the footage from the CCTVs in the malls' electronic directories to guess at the age and gender of visitors, without consent or notification.

Patches remove spyware from Civilization VI, other games

The game Civilization VI contained Red Shell, a spyware application that tracks what ads players are looking at, among other things. It's now gone after a new patch -- and other game publishers have been scrambling to do likewise after being caught with their spyglasses up and their pants down.

Developers and publishers behind games including Conan Exiles, The Elder Scrolls Online, Hunt: Showdown, and Total War have vowed to remove Red Shell – or already removed it.

“Whilst Red Shell is only used to measure the effectiveness of our advertising, we can see that players are clearly concerned about it and it will be difficult for us to entirely reassure every player,” said Total War devs Creative Assembly, for example. “So, from the next update we will remove the implementation of Red Shell from those Total War games that use it.”

Other statements were broadly the same: a defence along the lines of “it’s not spyware as bad as you might think but yeah we get you’re skeezed out and we will remove it.”

British Airways won't let you check in while ad-blocking, insists that passengers post personal info to Twitter "for GDPR compliance"

British Airways was outed by security researcher Mustafa Al-Bassam for telling passengers they couldn't help with delays and other problems unless they posted their personal information publicly to Twitter, in order "to comply with the GDPR."

Venmo's "public by default" transactions reveal drug deals, breakups, more

Because Venmo defaults to making all payments public, privacy researcher Hang Do Thi Duc was able to download and analyze 208,000,000 transactions, whose notes and other metadata revealed a wealth of personal, compromising information, including drug deals and breakups.

Microsoft asks Congress to regulate facial recognition technology

Microsoft on Friday joined a growing number of tech industry voices who want the government to limit the use of facial recognition technology.