540 million Facebook users' data exposed by third party developers

The Mexican media company Cultura Colectiva and an app called "At the Pool" used their access to their users' Facebook data to make local copies of it, then left that data exposed, in the clear, without a password, on the public internet -- 540 million records in all, stored in publicly accessible Amazon S3 buckets.

Facebook caught asking for new users' email passwords

Facebook is asking new users to give it the passwords to their email accounts as the price of entry, reports The Daily Beast.

Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”

A form below the message asked for the users’ “email password.”

“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

At this point, the most unsettling thing about Facebook is that it keeps churning out the apologies and promises as it descends to abuses that would have seemed impossible to get away with even a few years ago. It's a wolf with a tiny, creepy sheep mask balanced on its snout that far too many journalists feel bound to respect.

One of the most nauseating things online is writers who are scathing about Facebook on social media but whose published journalism takes everything it says in steeple-fingered good faith. Twitter, the bar next to the public defenders' office.

Researchers find mountains of sensitive data on totalled Teslas in junkyards

Teslas are incredibly data-hungry, storing massive troves of data about their owners, including videos of crashes, location history, contacts and calendar entries from paired phones, photos of the driver and passengers taken with interior cameras, and other data. This data is stored without encryption, and it is not always clear when Teslas are gathering data. The only way to comprehensively switch off data-gathering also de-activates over-the-air software updates for the cars, which have historically shipped with limited or buggy features that needed the over-the-air updates to fix them.

NSA domestic surveillance debate returns to Congress with 'Ending Mass Collection of Americans’ Phone Records Act'

“It’s time, finally, to put a stake in the heart of this unnecessary government surveillance program and start to restore some of Americans’ liberties,” Wyden said in a statement.

Edward Snowden to keynote London's ORGCON!

ORGCON19 is the annual conference put on by the UK Open Rights Group (disclosure: I co-founded ORG and volunteer on its advisory board); it is "the UK’s largest human and digital rights conference," and this year's conference -- held on July 13 in central London -- is centred on "Data and Democracy, Digital Privacy, Online Censorship & the Role of Algorithms," so it only follows that the whistleblower Edward Snowden is its keynote speaker!

Telegram allows you to "unsend" messages coming from either party, and has no time limit

Although the private message app Telegram already had an "unsend" feature, you were only able to delete messages that you had sent, and only up to 48 hours after you had sent them. But yesterday they announced an expansion of this feature that allows you to unsend messages that stem from either you or the person who sent you the message, and there is no time limit. And there's more.

According to Telegram's blog:

You can also delete any private chat entirely from both your and the other person's device with just two taps.

To make your privacy complete, we’ve also introduced a way to restrict who can forward your messages. When this setting is enabled, your forwarded messages will no longer lead back to your account — they'll just display an unclickable name in the “from” field. This way people you chat with will have no verifiable proof you ever sent them anything.

Look for “Forwarded messages” in Privacy and Security settings. By the way, you can now also restrict who can view your profile photos.

A company that cares about your privacy is almost unheard of nowadays, so it's really refreshing when Telegram says, "We never use your data to target ads. We never disclose your data to third parties. We store only what is absolutely necessary for Telegram to work."

Image: By Telegram Messenger LLP - Javitomad, Public Domain

Online privacy tips for 2019

Keith Axline at The Tools We Need writes that if you haven't already, switch to Firefox and install Privacy Badger, HTTPS Everywhere, uBlock Origin, Decentraleyes, CanvasBlocker and Smart Referrer. Use 1.1.1.1 as your DNS and change your default search engine. He explains why: A Few Simple Steps to Vastly Increase Your Privacy Online.

Facebook stored millions of passwords as plain text

"Change your Facebook password right now" is the instructive title of a news story at Wired today, sourced to a report at Krebs on Security.

Two arrested for hiding cameras in motel rooms and charging for access to livestreams

Some 1,600 people were secretly livestreamed while staying in South Korean motel rooms where cameras had been hidden by criminals who operated a 4,000-user service for voyeurs, where a $45/month upcharge bought subscribers the right to access replays and other extra services.

There is a federal criminal investigation into Facebook's data-sharing deals

The Eastern District of New York empaneled a Grand Jury into the dirty data dealings of Facebook.

What ephemeral messaging is good for

A few years ago, a friend of mine, Nico Sell (who runs the Defcon kids' programming track r00tz) asked me to join the advisory board for her startup, Wickr, which does "ephemeral messaging," a subject that is greatly in the news with Facebook's recent announcement of a new kind of "ephemeral messaging" option.

Firefox is getting more browser fingerprinting protection courtesy of Tor Browser's "letterboxing" technique

Even if you block cookies, many sites still track you with "browser fingerprinting," which uses the unique combination of your screen resolution, browser and OS version, installed fonts and plugins, and other data to reliably identify you between sessions and across sites.

Zuckerberg announces a comprehensive plan for a new, privacy-focused Facebook, but fails to mention data sharing and ad targeting

Mark Zuckerberg's 3,000 word blog post about his plan to create a parallel set of Facebook services that contain long-overdue privacy protections has plenty to please both the regulators who are increasingly ready to fine the company billions and possibly even break it up, and the privacy advocates who will rightly cheer the announcement that the service will be increasing its end-to-end encryption offerings, only storing data in countries with good track records on human rights and the rule of law, and allowing users to mark some of their conversations as ephemeral, designed to be permanently deleted after a short while.

You cannot opt out of Facebook's surveillance network

Even if you don't use it, Facebook is embedded across the web and in apps through ads, share buttons, tracking pixels and so forth, watching everything and everyone. Katherine Brindley set out to find how forthright the company was in its claims not to track users who engage privacy controls. Not very.

"I enabled a bunch of privacy settings and still felt like my Facebook/Insta ads were a little too relevant. So I faked a pregnancy by downloading the What to Expect app to see how long it would take for FB to hit me with a maternity ad. The answer? 11 hours."

Facebook won't stop claiming the high ground, and will even present new high ground to claim. But the truth is that its algorithmic exploitation of human weakness is barely concealed, yet it lies chronically and decisively about every aspect of what it does, while respecting no master — not governments, not courts, not users — in turning political chaos and personal misery into profit. As Will Oremus puts it, Facebook is "a massive, global, highly sophisticated surveillance operation that no one can opt out of—and its privacy features are largely illusory."

Bounty hunters and stalkers are able to track you in realtime by lying to your phone company and pretending to be cops

Early in January, Motherboard's Joseph Cox broke a blockbuster story about how America's mobile carriers sold access to their customers' realtime location data to many shady marketing brokers, who then quietly slipped that data to bounty hunters and other unsavory characters -- a practice that they'd been caught in before and had falsely promised to end.

A brilliant, simple exercise to teach privacy fundamentals

Kate Klonick, an assistant professor at St John's Law School, teaches an Information Privacy course for second- and third-year law students; she devised a wonderful and simple exercise to teach her students about "anonymous speech, reasonable expectation of privacy, third party doctrine, and privacy by obscurity" over the spring break.

#FixItAlready: EFF's wishlist for fixing tech's worst privacy and security choices

Android should let users deny and revoke permissions; Apple should let people encrypt iCloud backups; Twitter should end-to-end encrypt DMs; all these and more appear on the Electronic Frontier Foundation's #FixItAlready page, which calls out Big Tech's biggest players for their biggest security and privacy fumbles, and explains in clear terms why these changes are needed.
