Vigneri and co began by downloading over 2,000 free apps from all 25 categories on the Google Play store. They then launched each app on a Samsung Galaxy SIII running Android version 4.1.2 that was set up to channel all traffic through the team’s server. This recorded all the urls that each app attempted to contact. Next they compared the urls against a list of known ad-related sites from a database called EasyList and a database of user tracking sites called EasyPrivacy, both compiled for the open source AdBlock Plus project. Finally, they counted the number of matches on each list for every app.

The results make for interesting reading. In total, the apps connect to a mind-boggling 250,000 different urls across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific.

Vigneri and co give as an example “Music Volume Eq,” an app designed to control volume, a task that does not require a connection to any external urls. And yet the app makes many connections. “We find the app Music Volume EQ connects to almost 2,000 distinct URLs,” they say.

And it is not alone in its excesses. The team say about 10 percent of the apps they tested connect to more than 500 different urls. And nine out of 10 of the most frequently contacted ad-related domains are run by Google.
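The last step of the procedure above (matching recorded URLs against EasyList and EasyPrivacy rules and counting hits per app), as an added example that is not the study’s own code. It handles only the `||host^` domain-anchor form of the Adblock Plus filter syntax; the rules and the per-app URL logs are constructed samples, not real list entries.

```python
"""Count ad and tracker contacts per app against EasyList-style rules.

Added example, not the study's own code. EasyList and EasyPrivacy are
written in Adblock Plus filter syntax; this handles only the domain-anchor
form ``||host^`` (match that host and all its subdomains). The rules and
the per-app URL logs below are constructed samples, not real entries.
"""
from __future__ import annotations
from collections import Counter
from urllib.parse import urlparse

# Constructed rules in Adblock Plus syntax (not copied from the real lists).
EASYLIST_SAMPLE = """
! Ad-serving hosts (constructed sample)
||ads.example^
||banners.example^
||adnet.example^
"""
EASYPRIVACY_SAMPLE = """
! Tracking hosts (constructed sample)
||tracker.example^
||metrics.example^
||ads.example$third-party
"""

def parse_domain_rules(filter_text: str) -> set[str]:
    """Return the hosts named by ``||host^`` / ``||host$options`` rules.

    Comment lines (``!``), exception rules (``@@...``), element-hiding rules
    (``##``) and plain-pattern rules do not start with ``||`` and are skipped;
    ``$`` options are ignored by this simplified matcher.
    """
    hosts: set[str] = set()
    for line in filter_text.splitlines():
        line = line.strip()
        if not line.startswith("||"):
            continue
        body = line[2:]
        for sep in ("^", "$", "/"):          # host ends at the first separator
            idx = body.find(sep)
            if idx != -1:
                body = body[:idx]
        if body:
            hosts.add(body.lower())
    return hosts

AD_HOSTS = parse_domain_rules(EASYLIST_SAMPLE)
TRACKING_HOSTS = parse_domain_rules(EASYPRIVACY_SAMPLE)

def host_matches(host: str, rule_hosts: set[str]) -> bool:
    """``||host^`` matches the host itself and any subdomain of it."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in rule_hosts for i in range(len(labels)))

def classify_urls(urls, ad_hosts=AD_HOSTS, tracking_hosts=TRACKING_HOSTS):
    """Return (ad matches, tracking matches, distinct URLs) for one app's log."""
    ad = tracking = 0
    distinct = set(urls)
    for url in distinct:
        host = urlparse(url).hostname or ""
        if host_matches(host, ad_hosts):
            ad += 1
        if host_matches(host, tracking_hosts):
            tracking += 1
    return ad, tracking, len(distinct)

# Constructed per-app URL logs standing in for the proxy's recorded traffic.
APP_LOGS = {
    "music-volume-eq": [
        "http://cdn.ads.example/a.js",
        "https://tracker.example/pixel?id=1",
        "http://banners.example/b",
        "http://eu.banners.example/c",
        "https://metrics.example/collect",
        "http://adnet.example/x",
        "https://api.volume.example/v1/presets",
        "http://cdn.ads.example/a.js",        # duplicate request, counted once
    ],
    "flashlight": [
        "https://api.flashlight.example/v1/ping",
        "https://metrics.example/collect",
    ],
}

def summarize(app_logs: dict[str, list[str]]) -> dict[str, tuple[int, int, int]]:
    """Per-app (ad, tracking, distinct) counts, as in the study's final step."""
    return {app: classify_urls(urls) for app, urls in app_logs.items()}

def top_ad_hosts(app_logs: dict[str, list[str]], n: int = 3) -> list[tuple[str, int]]:
    """Ad-list hosts ranked by how many apps contact them."""
    counter: Counter[str] = Counter()
    for urls in app_logs.values():
        hosts = {urlparse(u).hostname or "" for u in urls}
        counter.update(h for h in hosts if host_matches(h, AD_HOSTS))
    return counter.most_common(n)

if __name__ == "__main__":
    for app, (ad, tr, total) in summarize(APP_LOGS).items():
        print(f"{app}: {total} distinct URLs, {ad} ad, {tr} tracking")
```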
It’s a fundamental misunderstanding of the problem. Why do you think Apple and Google are doing this? It’s because the public is demanding it. People like me: privacy advocates. A public does not want an out-of-control surveillance state. It is the public that is asking for this. Apple and Google didn’t do this because they thought they would make less money. This is a private sector response to government overreach.
Then you make another statement that somehow these companies are not credible because they collect private data. Here’s the difference: Apple and Google don’t have coercive power. District attorneys do, the FBI does, the NSA does, and to me it’s very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution.
And because the NSA didn’t do that and other law enforcement agencies didn’t do that, you’re seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated the Fourth Amendment rights of every American citizen for years by seizing all of our phone records, by collecting our Internet traffic, that is now spilling over to other aspects of law enforcement. And if you want to get this fixed, I suggest you write to NSA: the FBI should tell the NSA, stop violating our rights. And then maybe you might have much more of the public on the side of supporting what law enforcement is asking for.
Then let me just conclude by saying I do agree with law enforcement that we live in a dangerous world. And that’s why our founders put in the Constitution of the United States—that’s why they put in the Fourth Amendment. Because they understand that an Orwellian overreaching federal government is one of the most dangerous things that this world can have. I yield back.
– Rep. Ted Lieu (D-CA)
Four Columbia University boffins reckon they can spy on keystrokes and mouse clicks in a web browser tab by snooping on the PC’s processor caches.
The exploit is apparently effective against machines running a late-model Intel CPU, such as a Core i7, and a HTML5-happy browser – so perhaps about 80 percent of desktop machines.
The research has prompted Google, Microsoft, Mozilla, and Apple to upgrade their browsers to smother the attack vector. Nothing has yet been released.
“In the meantime the best suggestion I have for end-users is: close all non-essential browser tabs when you’re doing something sensitive on your computer,” he says.
Like lots of people, I’m paying attention to the Apple Watch buzz, and doing some of my own speculation. Needless to say, I have no special expertise here. But what the heck; I might as well put my own thoughts out there.
So, here’s my pathetic version of a grand insight: wearables like the Apple watch actually serve a very different function — indeed, almost the opposite function — from that served by previous mobile devices. A smartphone is useful mainly because it lets you keep track of things; wearables will be useful mainly because they let things keep track of you.
The researchers point out that Facebook’s “social plug-ins” — which other sites frequently use — tracked users who didn’t use the plug-ins, were not logged in to Facebook, and who did not even have a Facebook account. In its response post, Facebook conceded that “a bug” affected “a few” users and would be fixed.
The “bug” is that they got caught.
The European Commission has warned EU citizens that they should close their Facebook accounts if they want to keep information private from US security services, finding that current Safe Harbour legislation does not protect citizen’s data.
The comments were made by EC attorney Bernhard Schima in a case brought by privacy campaigner Maximilian Schrems, looking at whether the data of EU citizens should be considered safe if sent to the US in a post-Snowden revelation landscape.
“You might consider closing your Facebook account, if you have one,” Schima told attorney general Yves Bot in a hearing of the case at the European court of justice in Luxembourg.
When asked directly, the commission could not confirm to the court that the Safe Harbour rules provide adequate protection of EU citizens’ data as it currently stands.
Schrems maintains that companies operating inside the EU should not be allowed to transfer data to the US under Safe Harbour protections – which state that US data protection rules are adequate if information is passed by companies on a “self-certify” basis – because the US no longer qualifies for such a status.
For years, RadioShack made a habit of collecting customers’ contact information at checkout. Now, the bankrupt retailer is putting that data on the auction block.
A list of RadioShack assets for sale includes more than 65 million customer names and physical addresses, and 13 million email addresses. Bloomberg reports that the asset sale may include phone numbers and information on shopping habits as well.
The auction is already over, with Standard General—a hedge fund and RadioShack’s largest shareholder—reportedly emerging as the victor. But a bankruptcy court still has to approve the deal, and RadioShack faces a couple of legal challenges in turning over customer data.
Lawyers, journalists and three small telecoms firms went to court in a bid to get the legislation set aside. They argue that internet firms should not be keeping information about the communications of everyone in the country, whether or not they are suspected of a crime.
Companies have been required to keep the information for a year since 2009. The EU found in 2014 that the mass storage of information is a serious breach of privacy and put its data retention legislation on hold.
This put Dutch telecoms firms in a difficult position. They were required to keep the information under Dutch law even though it was not allowed in European legal terms.
‘Dutch law conflicted with European law and that has now been put right,’ a lawyer for the complainants told broadcaster Nos.
Britain needs to draw a line under the debate about mass surveillance by the intelligence agencies sooner rather than later to stop them getting distracted from their work, Philip Hammond, the foreign secretary, said on Tuesday.
The senior Conservative said his party would legislate early in the next parliament to give the security services extra powers and address legitimate public concerns about their oversight.
But he said the debate about privacy sparked by the American whistleblower Edward Snowden, whose revelations about mass surveillance by the agencies were published by the Guardian and others, “cannot be allowed to run on forever”.
Speaking at the Royal United Service Institute (Rusi), Hammond said: “We need to have it, address the issues arising from it and move on sooner rather than later if the agencies are not to become distracted from their task.
“The prime minister, home secretary and I are determined we should draw a line under the debate by legislating early in the next parliament to give our agencies clearly and transparently the powers they need and to ensure our oversight regime keeps pace with technological change and addresses the reasonable concerns of our citizens.”
Debate cannot be allowed to happen when we decide it can’t. Like whether or not we were at war with Eastasia. We were always allies with Eastasia, and we will not tolerate this argument to be dragged on forever.
Geographically annotated social media is extremely valuable for modern information retrieval. However, when researchers can only access publicly-visible data, one quickly finds that social media users rarely publish location information. In this work, we provide a method which can geolocate the overwhelming majority of active Twitter users, independent of their location sharing preferences, using only publicly-visible Twitter data.
Our method infers an unknown user’s location by examining their friend’s locations. We frame the geotagging problem as an optimization over a social network with a total variation-based objective and provide a scalable and distributed algorithm for its solution. Furthermore, we show how a robust estimate of the geographic dispersion of each user’s ego network can be used as a per-user accuracy measure which is effective at removing outlying errors.
Leave-many-out evaluation shows that our method is able to infer location for 101,846,236 Twitter users at a median error of 6.38 km, allowing us to geotag over 80% of public tweets.
The CIA has spent almost a decade attempting to breach the security of Apple’s iPhone, iPad and Mac computers to allow them to secretly plant malware on the devices. Apple announced on Monday, 9 March, that it had sold over 700 million iPhones since the first version was announced in 2007, giving some idea of the scope of the CIA tactics.
Revealed in documents released to The Intercept by Edward Snowden, the CIA’s efforts at undermining Apple’s encryption have been announced at a secret annual gathering known as the “Jamboree” which has been taking place since 2006, a year before the first iPhone was released.
He’s been a U.S. senator for 12 years, and was a Congressman for eight more before that, but South Carolina Republican Lindsey Graham says he has never sent an email.
In a discussion on NBC’s Meet the Press about the controversy surrounding Hillary Clinton’s use of a home-based email server while she was secretary of state, moderator Chuck Todd asked Graham, “Do you have a private e-mail address?”
Graham’s surprising answer: “I don’t email. No, you can have every email I’ve ever sent. I’ve never sent one.”
In a sane world, this would make him ineligible to be on the Privacy, Technology, and Law subcommittee.
President Barack Obama on Monday sharply criticized China’s plans for new rules on U.S. tech companies, urging Beijing to change the policy if it wants to do business with the United States and saying he had raised it with President Xi Jinping.
In an interview with Reuters, Obama said he was concerned about Beijing’s plans for a far-reaching counterterrorism law that would require technology firms to hand over encryption keys, the passcodes that help protect data, and install security “backdoors” in their systems to give Chinese authorities surveillance access.
“This is something that I’ve raised directly with President Xi,” Obama said. “We have made it very clear to them that this is something they are going to have to change if they are to do business with the United States.”
But, of course, if American law enforcement wants the passwords, it’s OK. Here’s Obama last week:
Obama: … the company says “sorry, we just can’t pull it. It’s so sealed and tight that even though the government has a legitimate request, technologically we cannot do it.”
Swisher: Is what they’re doing wrong?
Obama: No. I think they are properly responding to a market demand. All of us are really concerned about making sure our…
Swisher: So what are you going to do?
Obama: Well, what we’re going to try to do is see if there’s a way for us to narrow this gap. Ultimately, everybody — and certainly this is true for me and my family — we all want to know if we’re using a smartphone for transactions, sending messages, having private conversations, we don’t have a bunch of people compromising that process. There’s no scenario in which we don’t want really strong encryption.
The narrow question is going to be: if there is a proper request for — this isn’t bulk collection, this isn’t fishing expeditions by government — where there’s a situation in which we’re trying to get a specific case of a possible national security threat, is there a way of accessing it? If it turns out there’s not, then we’re really going to have to have a public debate. And, I think some in Silicon Valley would make the argument — which is a fair argument, and I get — that the harms done by having any kind of compromised encryption are far greater than…
Swisher: That’s an argument you used to make, you would have made. Has something changed?
Obama: No, I still make it. It’s just that I’m sympathetic to law enforcement…
It’s starting to look like Superfish and other software containing the same HTTPS-breaking code library may have posed more than a merely theoretical danger to Internet users. For the first time, researchers have uncovered evidence suggesting the critical weakness may have been exploited against real people visiting real sites, including Gmail, Amazon, eBay, Twitter, and Gpg4Win.org, to name just a few.
Following up on the payment space, most of your competitors are collecting personal data. You’re not.
We believe customers have a right to privacy, and the vast majority of customers don’t want people knowing everything about them. When you make a purchase, we make a little bit of money. It’s very simple, very straightforward. You are not our product, that’s our product. There’s no need for us to know what you’re buying, where you’re buying, I don’t want to know any of that. We think customers will rebel on that. Similar with HealthKit…you want control over that. So we think over the arc of time, consumers will go with people they trust with their data. People are unknowingly sharing things with others, and info can be pieced together. Over time people will realize this more and demand privacy.
So with Apple Pay we needed something easier than pulling out a credit card, we knew it needed to be secure as well. We never give the merchant your credit card number. We don’t even have it. We’re making up a proxy for each transaction. Think about it…how secure is a card with your number on the front, and then a security code on the back! So Apple Pay had to be private. We’re facilitating a transaction between you, the merchant, and the bank.
In a new court filing, the Department of Justice revealed that it kept a secret database of telephone metadata—with one party in the United States and another abroad—that ended in 2013.
The three-page partially-redacted affidavit from a top Drug Enforcement Agency (DEA) official, which was filed Thursday, explained that the database was authorized under a particular federal drug trafficking statute. The law allows the government to use “administrative subpoenas” to obtain business records and other “tangible things.” The affidavit does not specify which countries’ records were included, but specifically does mention Iran.
This database program appears to be wholly separate from the National Security Agency’s metadata program revealed by Edward Snowden, but it targets similar materials and is collected by a different agency. The Wall Street Journal, citing anonymous sources, reported Friday that this newly-revealed program began in the 1990s and was shut down in August 2013.
The criminal case involves an Iranian-American man named Shantia Hassanshahi, who is accused of violating the American trade embargo against Iran. His lawyer, Mir Saied Kashani, told Ars that the government has clearly abused its authority.
“They’ve converted this from a war on drugs to a war on privacy,” he said.
We considered the Section 215 request for [REDACTED] discussed earlier in this report at pages 33 to 34 to be a noteworthy item. In this case, the FISA Court had twice declined to approve a Section 215 application based on First Amendment concerns. However, the FBI subsequently issued NSLs for information [REDACTED] even though the statute authorizing the NSLs contained the same First Amendment restriction as Section 215 and the ECs authorizing the NSLs relied on the same facts contained in the Section 215 applications…
German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.
The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.
The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.
When I learned that the Intelligence Authorization Act for FY 2015 was being rushed to the floor for a vote—with little debate and only a voice vote expected (i.e., simply declared “passed” with almost nobody in the room)—I asked my legislative staff to quickly review the bill for unusual language. What they discovered is one of the most egregious sections of law I’ve encountered during my time as a representative: It grants the executive branch virtually unlimited access to the communications of every American.
Recently, Verizon was caught tampering with its customers’ web requests to inject a tracking super-cookie. Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers’ data to strip a security flag—called STARTTLS—from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.
By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco’s PIX/ASA firewall, do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception.
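What a stripped EHLO reply looks like to the sending server, and a client-side policy that refuses the plaintext fallback described above, as an added example (not code from the article or from any ISP or firewall vendor). The server names and EHLO replies are constructed samples; the overwritten-keyword variant is an assumed shape, included alongside the removed-line case.

```python
"""Detect STARTTLS stripping in an SMTP EHLO reply.

Added example, not code from the article or from any ISP or firewall vendor.
Under RFC 3207 a server advertises STARTTLS as one line of its multi-line
EHLO reply; a middlebox that removes or overwrites that line leaves the
client believing the peer cannot encrypt. The parser below reads the reply,
and the policy check refuses to fall back to plaintext for a peer that is
expected to support TLS. All replies are constructed samples.
"""
from __future__ import annotations
import smtplib

# Constructed EHLO reply as it would arrive over the socket.
EHLO_INTACT = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
# The same server seen through a downgrading middlebox: the line is gone.
EHLO_STRIPPED = EHLO_INTACT.replace("250-STARTTLS\r\n", "")
# Assumed variant where the keyword is overwritten instead of removed:
# the line count is unchanged, but the capability is still unusable.
EHLO_MANGLED = EHLO_INTACT.replace("250-STARTTLS", "250-XXXXXXXX")

def parse_ehlo(reply: str) -> tuple[int, set[str]]:
    """Return (status code, extension keywords) from a raw EHLO reply.

    Every line is ``<code>-<text>`` except the last, ``<code> <text>``; the
    first line is the server greeting, the rest are extensions whose keyword
    is the first token.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or len(lines[0]) < 3 or not lines[0][:3].isdigit():
        raise ValueError(f"malformed EHLO reply: {reply!r}")
    code = lines[0][:3]
    exts: set[str] = set()
    for ln in lines[1:]:
        if len(ln) < 4 or ln[:3] != code or ln[3] not in "- ":
            raise ValueError(f"malformed EHLO line: {ln!r}")
        tokens = ln[4:].split()
        if tokens:
            exts.add(tokens[0].upper())
    return int(code), exts

def starttls_offered(reply: str) -> bool:
    """True only when the reply succeeded and names STARTTLS as an extension."""
    code, exts = parse_ehlo(reply)
    return code == 250 and "STARTTLS" in exts

def verdict(reply: str, peer_supports_tls: bool = True) -> str:
    """'encrypt' if STARTTLS is offered; 'downgrade' when a peer known to
    support TLS fails to offer it (refuse plaintext); 'plaintext' only for
    peers that are not expected to support TLS at all."""
    if starttls_offered(reply):
        return "encrypt"
    return "downgrade" if peer_supports_tls else "plaintext"

def probe_server(host: str, port: int = 25, timeout: float = 10) -> bool:
    """Live check against a real server (not exercised here): does the EHLO
    reply seen from this network path advertise STARTTLS? Comparing the
    answer from inside and outside a suspect network shows whether a
    middlebox on the path is stripping the flag."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")

if __name__ == "__main__":
    for name, reply in [("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED),
                        ("mangled", EHLO_MANGLED)]:
        print(f"{name}: {verdict(reply)}")
```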
A strange looking website is letting anyone in the world stream from more than 73,000 IP cameras whose respective owners have not yet changed their default passwords. Whether or not this website is highlighting an important security problem as they are claiming to do, this appears to be a serious breach of privacy.
Insecam has access to more than 73,000 cameras all around the globe, which includes more than 11,000 cameras in the United States, 6,500 in the Republic of Korea and almost 5,000 in China. Even though the website states that it is trying to emphasize an important security issue, it is clearly profiting from advertisements as well.
During a Q&A in Canada, Glenn Greenwald was asked why his colleague and NSA whistleblower, Edward Snowden, wasn’t on any of the social media platforms — i.e., Facebook — and Greenwald didn’t mince words.
“He doesn’t use Facebook because he hates Facebook,” he said. “They’re one of the worst violators of privacy in history. Nobody should use Facebook.”
If there is a value in the Broadcast UID field at the top of this page, your carrier is sending active tracking beacons to every web site you visit.
Note: Viewing this page with Mobile Chrome or Flipboard can mask tracking beacons.
For technical details, see Jonathan Mayer’s post or recent coverage at Wired.
Update: My original motivation for this test page arose after reading several ad industry write-ups on Verizon’s PrecisionID technology and practices, in particular the fact that in most cases, even after opting out of marketing options via Privacy settings, Verizon continues to inject trackers to every HTTP connection made from your device, whether it’s an Access Point, mobile hotspot, tablet or mobile phone.
Since 2011, billions of dollars of venture capital investment have poured into public education through private, for-profit technologies that promise to revolutionize education. Designed for the “21st century” classroom, these tools promise to remedy the many, many societal ills facing public education with artificial intelligence, machine learning, data mining, and other technological advancements.
They are also being used to track and record every move students make in the classroom, grooming students for a lifetime of surveillance and turning education into one of the most data-intensive industries on the face of the earth.
After former US National Security Agency contractor Edward Snowden leaked thousands of top-secret documents revealing the extent of spying by the US and other “Five Eyes” agencies, including ones in Australia, I decided it was time to see if I could access what they could on me from my telco.
So I asked Telstra to provide me with all of the metadata it had stored about my mobile phone account, informing them that they had a duty to do this under the Privacy Act’s National Privacy Principles, which give Australian citizens a right of access to their “personal information” from a company, and the right to have that information corrected if it is inaccurate, incomplete or out-of-date.
After about a month of back and forth phone calls chasing up a response, Telstra refused me access, saying I needed a subpoena to access the data. A subpoena is a writ usually issued by a court with authority to compel production of evidence under a penalty for failure.
As I didn’t have the cash to sue Telstra and get a court to issue a writ, I complained to the federal privacy commissioner, claiming Telstra was in breach of the Privacy Act.
Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.
I am not joking; Adobe is not only logging what users are doing, they’re also sending those logs to their servers in such a way that anyone running one of the servers in between can listen in and know everything.
But wait, there’s more.
Adobe isn’t just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.
In. Plain. Text.
And just to be clear, this includes not just ebooks I opened in DE4, but also ebooks I store in calibre and every Epub ebook I happen to have sitting on my hard disk.
On Thursday, FBI boss James Comey displayed not only a weak understanding of privacy and encryption, but also what the phrase “above the law” means, in slamming Apple and Google for making encryption a default:
“I am a huge believer in the rule of law, but I am also a believer that no one in this country is above the law,” Comey told reporters at FBI headquarters in Washington. “What concerns me about this is companies marketing something expressly to allow people to place themselves above the law.”
“There will come a day — well it comes every day in this business — when it will matter a great, great deal to the lives of people of all kinds that we be able to with judicial authorization gain access to a kidnapper’s or a terrorist or a criminal’s device. I just want to make sure we have a good conversation in this country before that day comes. I’d hate to have people look at me and say, ‘Well how come you can’t save this kid,’ ‘how come you can’t do this thing.'”
First of all, nothing in what either Apple or Google is doing puts anyone “above the law.” It just says that those companies are better protecting the privacy of their users. There are lots of things that make law enforcement’s job harder that also better protect everyone’s privacy. That includes walls. If only there were no walls, it would be much easier to spot crimes being committed. And I’m sure some crimes happen behind walls that make it difficult for the FBI to track down what happened. But we don’t see James Comey claiming that homebuilders are allowing people to be “above the law” by building houses with walls.
As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s tool for surveillance doesn’t make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods. “What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,” he says. “You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.”
Apple issued a media advisory related to recent celebrity photo theft, saying the accounts were compromised by a very targeted attack on user names, passwords and security questions and was not related to any breach of Apple’s systems, including iCloud.
Over the weekend a number of nude celebrity photos appeared online. Jennifer Lawrence, Kate Upton, Lea Michele, Victoria Justice and Kirsten Dunst all had their photos compromised, among others.
We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
If you are a celebrity, it’s more likely that people know the name of your first pet, or your mother’s maiden name…