WebProNews

Category: CybersecurityUpdate

  • Clearview AI Caught Lying About Who Can Use Its Software

    The hits keep on coming: Clearview AI has been caught lying about who can access its controversial facial recognition software.

    Clearview has amassed a database of billions of photos, scraped from millions of websites, including the biggest social media platforms. The company then makes that database available through its facial recognition software. Since The New York Times broke the story in January, Clearview has faced ongoing criticism from lawmakers and privacy advocates alike who say the company represents a fundamental threat to privacy.

    To make matters worse, Buzzfeed discovered documents proving the company plans to expand internationally, including with authoritarian regimes. Following that, Clearview’s entire client list was stolen, showing its international expansion has already begun.

    Amid the scrutiny and controversy, Clearview has tried to reassure critics that it is responsible in its use of its database. In fact, in a blog post on the company’s site, Clearview says its “search engine is available only for law enforcement agencies and select security professionals to use as an investigative tool.”

    Similarly, the company’s Code of Conduct emphasizes their software is for law enforcement and security professionals, and that they hold themselves to a high standard of ethics, integrity and professionalism.

    There’s just one problem: it’s not true, if the NYT’s report is accurate. According to the report, the NYT “has identified multiple individuals with active access to Clearview’s technology who are not law enforcement officials. And for more than a year before the company became the subject of public scrutiny, the app had been freely used in the wild by the company’s investors, clients and friends.

    “Those with Clearview logins used facial recognition at parties, on dates and at business gatherings, giving demonstrations of its power for fun or using it to identify people whose names they didn’t know or couldn’t recall.”

    This is just the latest example of the irresponsible and unethical way Clearview has conducted business.

  • Intel’s CSME Bug Is ‘Unfixable’

    Intel has been struggling to fix security flaws in its processors, with researchers warning the current flaw is “unfixable.”

    Security firm Positive Technologies has discovered that one of the most recent issues is far more severe than previously thought. The vulnerability impacts the ROM of the Converged Security and Management Engine (CSME). The CSME is a subsystem chipset that is part of Intel’s Active Management Technology (AMT), and allows remote out-of-band management, useful for business and enterprise, but largely unnecessary for the consumer market.

    According to Positive Technologies, the latest discovery has chilling ramifications:

    “By exploiting vulnerability CVE-2019-0090, a local attacker could extract the chipset key stored on the PCH microchip and obtain access to data encrypted with the key,” reads the report. “Worse still, it is impossible to detect such a key breach. With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation, or in other words, pass off an attacker computer as the victim’s computer. EPID is used in DRM, financial transactions, and attestation of IoT devices.”

    While Intel is recommending impacted users contact their motherboard manufacturer for a BIOS update, Positive Technologies is warning that will not fix the underlying issue.

    “Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs. In this context, retrospective detection of infrastructure compromise with the help of traffic analysis systems such as PT Network Attack Discovery becomes just as important.”

    This is just the latest in a number of serious issues Intel has had with its recent chipsets, and could make offerings from AMD and ARM an increasingly appealing alternative.

  • Senators Urge UK to Reconsider Using Huawei

    Following the UK’s decision to include Huawei in their 5G networks, U.S. senators are urging the House of Commons to reconsider.

    A bipartisan group of 20 senators has penned a letter to the House of Commons to express “significant concern with the Government of the United Kingdom’s recent decision to allow Huawei Technologies in its 5G network infrastructure. Given the significant security, privacy, and economic threats posed by Huawei, we strongly urge the United Kingdom to revisit its recent decision, take steps to mitigate the risks of Huawei, and work in close partnership with the U.S. on such efforts going forward.”

    The senators go on to point out that the UK has already “warned that Huawei’s telecommunications equipment raises ‘significant’ security issues,” and highlight the Chinese government’s track record of compelling Chinese companies to cooperate with its intelligence-gathering efforts.

    The letter concludes by thanking the House of Commons for its “consideration of this critical issue, as well as for the trusted partnership between our governments which we remain committed to uphold.”

    The senators’ letter is the latest in efforts by U.S. officials to isolate Huawei and restrict its growth worldwide. Whether such efforts will succeed remains to be seen.

  • Clearview AI App Disabled On the App Store

    Clearview AI’s troubles continue to mount, with the company’s app being disabled on the App Store for violating Apple’s rules.

    Buzzfeed News first noticed that Clearview was doing an end-run around Apple’s distribution rules, “encouraging those who want to use the software to download its app through a program reserved exclusively for developers.” Buzzfeed contacted Apple to inquire about the situation, prompting Apple to investigate. As a result of their investigation, Apple suspended Clearview’s developer account, preventing the app from functioning. Apple told Buzzfeed the developer program Clearview was using is only for distributing apps within a company, not the kind of widescale distribution Clearview was using it for.

    In a statement obtained by Buzzfeed, Clearview CEO Hoan Ton-That said: “We are in contact with Apple and working on complying with their terms and conditions. The app can not be used without a valid Clearview account. A user can download the app, but not perform any searches without proper authorization and credentials.”

    Clearview has been on an impressive streak of earning the disfavor of politicians, corporations, privacy advocates, journalists and citizens alike. The company has scraped millions of websites to amass a facial recognition database of some three billion photos, in the process violating the terms of service for industry giants like Google, YouTube, Facebook and Twitter. The company has been accused of monitoring how police are using the app to discourage them from interacting with journalists. Clearview was suspected of planning worldwide expansion, including to oppressive regimes, only to have its client list stolen, which showed it has already moved forward with those plans.

    Now the company has managed to violate Apple’s rules about how developers can or cannot distribute apps. Given the company’s shady practices, it’s a safe bet no one will be shedding a tear over this one.

  • FCC Announces Carrier Fines For Selling Customer Data

    The FCC has officially unveiled its proposed fines for wireless carriers over selling customer data to third parties, with T-Mobile receiving the highest fines.

    The FCC’s announcement (PDF) comes after all four major carriers were found guilty of selling customer location data to third parties without consent. This arrangement violated the requirement that telecom companies be the sole gateway for the government to conduct lawful surveillance.

    In at least one instance, “a Missouri Sheriff, Cory Hutcheson, used a ‘location-finding service’ operated by Securus, a provider of communications services to correctional facilities, to access the location information of the wireless carriers’ customers without their consent between 2014 and 2017. In some cases, Hutcheson provided Securus with irrelevant documents like his health insurance policy, his auto insurance policy, and pages from Sheriff training manuals as evidence of his authorization to access wireless customer location data.”

    In response to public outcry from journalists, privacy advocates and lawmakers, the FCC investigated, resulting in the proposed fines. The FCC proposes fining T-Mobile $91 million, AT&T $57 million, Verizon $48 million and Sprint more than $12 million. While the proposed fines are a significant amount of money, critics have already denounced them as not going far enough.

    Senator Ron Wyden, a well-known privacy advocate, was scathing in his response:

    If reports are true, then Ajit Pai has failed to protect consumers at every turn. This issue came to light after my office and dedicated journalists discovered how wireless carriers shared Americans’ locations without consent. He investigated only after public pressure mounted.

    — Ron Wyden (@RonWyden) February 27, 2020

    It remains to be seen if the carriers will appeal the fines. Given the reaction that is already building, they may do well to simply pay the fines and move on. Meanwhile, other companies should take a lesson that it’s never a good idea to try to double-dip by surreptitiously selling the data of paying customers who expect far better for the money they’re spending.

  • FCC Set to Fine Carriers For Sharing Location Data

    Following an investigation in which the FCC found carriers broke the law by selling customer location data, the agency is poised to levy significant fines.

    It first came to light in 2018 that carriers were selling customer location data to third-party companies that turned around and resold it again, or even gave it away. Privacy advocates and lawmakers alike raised the alarm, especially since it provided a legal loophole around the requirement that carriers be the sole gateway for the government to access such information.

    As a result of the outcry, Verizon was the first to stop sharing customer data, with the other three carriers following suit shortly thereafter. Even so, the FCC launched an investigation into the practice, concluding “that one or more wireless carriers apparently violated federal law.”

    Now, according to Reuters, the FCC is expected to announce fines on Friday, with the total amount likely to exceed $200 million. The carriers, of course, may appeal the fines or negotiate to reduce the amount.

  • U.S. Senate Committee Investigating 5G Supply Chain Security

    U.S. Senator Roger Wicker, who serves as chairman of the Senate Committee on Commerce, Science, and Transportation, is convening a hearing to investigate 5G vendor security.

    The hearing will investigate “the security and integrity of the telecommunications supply chain and efforts to secure networks from exploitation in the transition to 5G. The hearing will also examine the federal government’s role in mitigating risks to telecommunications equipment and services in the U.S. and abroad.”

    The committee hearing comes amid growing concerns about 5G and the role the technology plays in national security. The U.S. has banned Huawei, and pressured allies to do the same, alleging the company poses an unacceptable security risk. U.S. officials accuse the telecoms company of having backdoors in its equipment that can be used by Beijing to spy on governments and companies.

    According to the hearing agenda, the planned witnesses include:

    • Mr. Steven Berry, President and Chief Executive Officer, Competitive Carriers Association
    • Mr. Rick Corker, President of Customer Operations for the Americas, Nokia
    • Mr. Jason Boswell, Head of Security, Network Product Solutions, North America, Ericsson
    • Dr. James Lewis, Senior Vice President and Director of the Technology Policy Program, Center for Strategic and International Studies

    The hearing is scheduled for Wednesday, March 4, 2020 and will take place at the Russell Senate Office Building 253.

     

  • Huawei Still Open to Licensing Tech to American Company

    As the U.S. and Huawei continue battling over worldwide 5G dominance, Huawei has reiterated its willingness to license its tech to an American company.

    The U.S. has banned Huawei and engaged in an aggressive campaign to pressure its allies around the world to do the same. So far, the campaign has met with limited results, as even the UK has opted to include Huawei in a limited role in its 5G network.

    Further exacerbating the issue are the perceived advantages Huawei has, both in its technology and its ability to scale to the needs and demands of wireless carriers. Many carriers believe its lead is nearly insurmountable, causing them to conclude they have no choice but to use Huawei’s equipment, or risk spending years and untold amounts of money working with alternatives. The situation even resulted in U.S. Attorney General William Barr floating the idea of the U.S. investing in Nokia and Ericsson, to help bolster and empower them to better compete and overcome Huawei’s advantage.

    According to CNBC, founder and CEO Ren Zhengfei previously offered to license Huawei tech exclusively to an American company to help the U.S. better compete with the Chinese firm. Although there have been no takers on the offer, CNBC reports the company says it is still “on the table.”

    It’s unclear whether such an offer would placate U.S. concerns. On the one hand, Huawei has offered to license its “proprietary 5G tech including source code, hardware, software, verification, production, and manufacturing know-how.” Proponents of the move could argue that it would be extremely difficult, if not impossible, for there to be any lingering backdoors or security concerns. On the other hand, U.S. officials would likely object to any kind of deal that continues to put money in Huawei’s coffers and, even indirectly, contributes to its continued global dominance.

     

  • Clearview AI’s Client List Stolen

    Clearview AI has reported that its entire client list has been stolen by an intruder who “gained unauthorized access.”

    Clearview has repeatedly been in the news for its controversial practices over the last couple of months. The company has amassed a database of some three billion photos, which it has scraped from millions of websites, including the most popular social media sites on the web. Clearview then sells access to that searchable database, along with its facial recognition software, to law enforcement agencies around the country.

    The company is reportedly looking to expand its operation overseas, and has included oppressive regimes on its list of potential countries it may do business with. The potential harm the company’s software could do was illustrated when New York Times reporter Kashmir Hill asked police officers to run her face against the company’s database, which turned up no matches. After running her face, however, the police officers received phone calls from Clearview telling them they shouldn’t be talking to the media.

    Now, in a report The Daily Beast reviewed, Clearview says an intruder stole a copy of the company’s entire client list, including the number of user accounts each customer had created and the number of searches they had conducted. The company claims that its servers were not breached and that there was “no compromise of Clearview’s systems or network.”

    This breach perfectly illustrates the danger of a company rushing headlong into a potentially dangerous area where many other companies have feared to tread. Google, Facebook and others have certainly had the ability to do what Clearview has done and would no doubt greatly profit from it. Every other company, however, has acted with restraint out of recognition of the harm that could potentially be done.

  • Cisco Introduces SecureX, Cloud Security Service

    Cisco has announced the release of SecureX, its open, cloud-native security platform.

    The company unveiled SecureX at RSA Conference, and is touting it as “a simpler, more consistent experience across endpoints, cloud, network, and applications.” The new platform has been in the works for 2.5 years, and builds on existing services, such as Cisco Threat Response.

    “SecureX provides unified visibility across all parts of your security portfolio – Cisco or third-party solutions – delivering metrics, activity feed and the latest threat intelligence,” writes Jeff Reed on the company’s blog. “I am particularly excited about the operational metrics capabilities of SecureX: Mean Time to Detection, Mean Time to Remediation, and Incident burndown times. These metrics are derived from full case management capabilities native to the SecureX platform. Case management enables SecureX customers to assign cases, track them to closure, and add relevant artifacts captured during investigation.”

    SecureX offers features such as unified visibility, automation, playbooks and managed threat hunting to help companies quickly identify, respond to and remediate threats. Cisco is also touting the speed with which companies will see a return on their investment.

    The company promises the platform will continue to evolve and help companies’ security keep pace.

  • TSA Bans Employees From Posting on TikTok

    The Transportation Security Administration (TSA) has banned employees from using TikTok to create posts for the agency.

    According to a report in Time, the policy change came after Senator Chuck Schumer wrote a letter to the agency’s head pointing out concerns over the app, given the allegations it poses a threat to national security. The Pentagon has already instructed military personnel to avoid the app and the company behind TikTok is facing a lawsuit in which the app is alleged to have secretly recorded and uploaded videos to China.

    In view of those concerns, Senator Schumer told the Associated Press, “given the widely reported threats, the already-in-place agency bans, and the existing concerns posed by TikTok, the feds cannot continue to allow the TSA’s use of the platform to fly.”

    TSA has said it never officially recommended or supported the app but, as Time points out, multiple TSA videos showed the TikTok logo. Since Senator Schumer’s letter, the agency has stated that a “small number of TSA employees have previously used TikTok on their personal devices to create videos for use in TSA’s social media outreach, but that practice has since been discontinued.”

  • Google Cloud Releases New Security Tools

    Google used RSA Conference to announce new security tools aimed at helping secure customers’ data and cloud services.

    The first new feature is related to Chronicle, the Alphabet-sponsored cybersecurity firm that has since been rolled into Google Cloud. Chronicle’s security analytics software helped “change the way any business could quickly, efficiently, and affordably investigate alerts and threats in their organization.” Google says the new feature is designed to help companies “detect threats using YARA-L, a new rules language built specifically for modern threats and behaviors, including types described in Mitre ATT&CK. This advanced threat detection provides massively scalable, real-time and retroactive rule execution.”

    Google is also “introducing Chronicle’s intelligent data fusion, a combination of a new data model and the ability to automatically link multiple events into a single timeline. Palo Alto Networks, with Cortex XSOAR, is our first partner to integrate with this new data structure to enable even more powerful threat response.”

    The company has also announced the general availability of its reCAPTCHA Enterprise and Web Risk tools. reCAPTCHA Enterprise helps protect websites from unauthorized scraping, automated account creation and more, while the Web Risk API lets companies check URLs against Google’s list of malicious sites.

    The announcement comes as Google is working hard to build its cloud business, trying to make headway against rivals Microsoft and Amazon, and will likely help the company as it works to attract new enterprise clients.

  • EU Commission Switching to Signal Messaging App

    In an effort to improve its cybersecurity, the EU Commission is encouraging its staff to switch to the Signal messaging app.

    In the world of messaging, Signal is considered the king of security. It features end-to-end encryption that is widely believed to be the best in the business. It’s so good, in fact, that its protocol serves as the basis of the more popular WhatsApp. Unlike WhatsApp, however, Signal is also open-source, ensuring a level of transparency that other apps can’t match.

    Signal has recently been in the news as it works to become a more mainstream alternative to more well-known competitors. A big part of that was an investment by WhatsApp cofounder Brian Acton of $50 million two years ago. Acton left Facebook over disagreements about WhatsApp’s privacy after Facebook acquired his creation. By throwing his weight—and money—behind Signal, Acton obviously sees the app as the successor to WhatsApp, and the best option for individuals who want to keep their communications secure.


    The EU Commission evidently agrees, as it wants its staff to switch to the messaging app to help avoid the kind of embarrassing leaks it has experienced recently, according to Politico. The move will likely cause turmoil in the greater debate about end-to-end encryption, as governments around the world are pushing tech companies to create backdoors for government access. Mathematicians, cryptographers, scientists, tech leaders and even some lawmakers have all said such a quest is foolhardy, dangerous and impossible to achieve without fundamentally weakening encryption and opening up innocent individuals to having their data compromised.

    The EU seemingly endorsing the single, most secure end-to-end encryption platform on the planet will go a long way toward making the case against backdoors or weakening of the very encryption the EU is counting on.

  • Safari Will Stop Accepting Security Certificates Older Than 13 Months

    In an effort to improve web security, Apple’s Safari browser will only accept HTTPS security certificates that are valid for 398 days or less.

    The move has been considered by Apple, Google and others for some time. The hope is that by rejecting older security certificates, it will force website administrators to keep their certificates updated with the latest cryptographic technology, as opposed to using older, less secure certificates. It will also help reduce the impact of a certificate that may have been compromised, unbeknownst to the admin.

    The move is not without its challenges, as it will create more work for site admins. However, that extra work to keep things current is precisely what will help make the whole system more secure, keeping security forefront in the minds and workflows of admins.

    In a post about Apple’s move, Dean Coclin, DigiCert’s Senior Director of Business Development, voiced agreement with the change.

    “DigiCert agrees that shorter lifetimes help enhance the security of the ecosystem and has the tools necessary to help our customers automate the certificate lifecycle process,” writes Coclin. “We support short-lived certificates, with lifetimes as short as a few hours for customers with advanced automation capabilities.”

  • PSA: Don’t Post Links to Private WhatsApp Groups

    Although WhatsApp is well-known for its security and end-to-end encryption, posting links to WhatsApp groups can open the entire group to the internet.

    Jordan Wildon, a journalist with DW News, first noticed that Google was indexing WhatsApp invitation links.

    Your WhatsApp groups may not be as secure as you think they are.

    The “Invite to Group via Link” feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups.

    — Jordan Wildon (@JordanWildon) February 21, 2020

    Following his tweet, Jane Manchun Wong—who specializes in reverse engineering apps to uncover security flaws—confirmed the issue.

    A misconfiguration by WhatsApp enabled ~470k Group Invite links to be indexed by search engines

    It should’ve been Disallowed with robots.txt or with the noindex meta tag

    thanks @JordanWildon for the tip

    — Jane Manchun Wong (@wongmjane) February 21, 2020

     

    Motherboard did further testing and was able to join a variety of groups, including one that claimed to be “NGOs accredited by the United Nations.” Motherboard was able to see all of the group participants and their phone numbers.

    Google has said there is nothing wrong with what’s occurring, and this is a simple case of their search engine indexing publicly available information, just as it would any other source.

    In a statement to Motherboard, WhatsApp confirmed that stance: “Group admins in WhatsApp groups are able to invite any WhatsApp user to join that group by sharing a link that they have generated. Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

    The takeaway here is that if users want to keep their WhatsApp groups private, they shouldn’t share access via public links. Doing so essentially serves as an open invitation, only requiring someone to put forth the time and effort to find such groups.

  • Companies Pull Out Of RSA Conference 2020 Due To Coronavirus

    RSA Conference 2020 is one of the biggest security conferences of the year, but it will have to go on without some major backers due to the coronavirus.

    According to organizers, Verizon, IBM and AT&T Cybersecurity have pulled out of the conference amid concerns over the virus. In total, that brings the count to 14 companies who have withdrawn, including six from China, seven from the U.S. and one from Canada.

    San Francisco Mayor London Breed has tried to reassure attendees, emphasizing that the “risk of becoming infected with COVID-19 in San Francisco is low, as the virus is not circulating within our community.”

    Overall, only an estimated 1.2 percent of expected attendees have canceled. In the meantime, organizers provided the following recommendations for those attending:

    “In addition to following CDC recommendations like frequent hand washing, RSA Conference reminds attendees that other preventive measures have been put in place to help reduce the risk of infection. The Moscone Center is following recommendations in the US EPA’s Emerging Pathogen Policy regarding the use of cleaning disinfectants effective against the coronavirus and CDC health screenings for qualified travelers arriving from international destinations at the San Francisco International Airport.”

  • Microsoft Defender ATP Coming to iOS and Android

    Microsoft has announced it is bringing Microsoft Defender Advanced Threat Protection (ATP) to Linux, with iOS and Android coming soon.

    Since CEO Satya Nadella took over at Microsoft, the company has shifted gears, bringing its apps and services to multiple platforms. Rather than obsessing about protecting Windows, the company is focused on offering the best business-class software on as many platforms as possible.

    The company is now bringing its Microsoft Defender ATP to Linux starting today, with iOS and Android support coming soon. The company says Linux support has been a long-time ask from its customers. Similarly, although mobile devices have a reputation of being more secure than desktop environments, the company sees a need for improved protection on those devices.

    “They’re pretty safe, but pretty safe is not the same as safe,” Rob Lefferts, a Microsoft corporate vice president, told CNBC. “Malware does happen on those platforms.”

    Microsoft Defender ATP has received generally positive reviews. As threats continue to develop, having another reputable security package available can only be a good thing for both mobile platforms.

  • Brexit Means No GDPR Protection: Google May Move UK User Data

    Brexit may have finally happened, but one side effect people may not have anticipated is losing GDPR protection as Google may be moving UK data out of the EU.

    The General Data Protection Regulation (GDPR) is one of the most sweeping, comprehensive data protection regulations in the world, aimed at giving people control of their own data and digital footprint. With Britain leaving the EU, sources have told Reuters that Google plans on moving its customers’ data to the U.S.

    British Google users’ data is currently housed in Ireland, which is staying in the EU. To date, Britain has not committed to following the GDPR or implementing its own solution. Google evidently has some concerns that leaving its British data in Ireland would make it harder for British authorities to access it if the UK does not continue abiding by the GDPR.

    As Reuters points out, the decision is likely encouraged by the fact that the U.S. has one of the weakest sets of privacy laws of any major economy. Google will likely welcome the opportunity to deal with less oversight.

  • Google Cracking Down On How Android Apps Use Location Data

    Google is making some welcome changes to how Android apps handle location data, making it easier for users to protect theirs.

    In a company blog post, Google announced it is making changes that will sound eerily similar to features that made their way to iOS 13, including the ability to only share location a single time.

    “Now in Android 11, we’re giving users even more control with the ability to grant a temporary ‘one-time’ permission to sensitive data like location,” wrote Krish Vitaldevara, Director of Product Management Trust & Safety, Google Play. “When users select this option, apps can only access the data until the user moves away from the app, and they must then request permission again for the next access.”

    Google also noticed that many apps accessing location data in the background didn’t actually need it and could function just as well only accessing location data when active. As a result, Google will be updating Google Play policies later this year to clearly outline when an app can or cannot access location data in the background. These rules will apply equally to Google’s own apps.

    These changes are good news for all Android users and come at a time when privacy is becoming more important than ever.

  • Mozilla’s Firefox VPN Now Available In Beta

    Mozilla’s standalone Firefox VPN service has entered beta and is available for Windows, Android and Chromebooks.

    Mozilla has emerged as one of the staunchest privacy advocates in corporate America, coming out in favor of the California Consumer Privacy Act (CCPA), vowing to extend its protections to all Firefox users. Similarly, Mozilla extended the protections offered by the EU’s GDPR to all users as well.

    Given its strong focus on privacy, it’s not surprising Mozilla has opted to offer VPN software. VPNs are critical components for journalists and political dissidents around the world, not to mention corporate use and anyone concerned with privacy.

    Mozilla is offering two varieties: one as a free browser extension and the other as a standalone service for $4.99/mo. The latter is what is now available in beta. Mozilla touts servers in 30+ countries and no browser or network monitoring or logging. The service can be used on five devices under a single account.

    The beta is currently available for Windows 10, Android and Chromebooks, with macOS, iOS and Linux coming soon.

  • ISPs Sue Maine Over Privacy Law

    Internet service providers (ISPs) are suing the state of Maine to prevent a law designed to protect consumer privacy from going into effect.

    In June 2019, Maine Governor Janet Mills signed a law designed to prevent ISPs from “the use, sale, or distribution of a customer’s personal information by internet providers without the express consent of the customer.” The law had bipartisan support and passed the state senate unanimously.

    According to Ars Technica, the data covered by the law includes “Web-browsing history, application-usage history, precise geolocation data, the content of customers’ communications, IP addresses, device identifiers, financial and health information, and personal details used for billing.” All of the above data is extremely valuable to ISPs, giving them plenty of motivation to fight the law.

    The lawsuit cites the First Amendment and the U.S. Constitution’s Supremacy Clause. The ISPs say their First Amendment rights will be violated by their being limited from advertising and marketing to their customers. They say the law violates the Supremacy Clause because a prohibition against sharing data would prevent the ISPs from cooperating with federal agencies.

    Given that a recent court ruling allows states to set laws governing privacy and net neutrality, laws that may go beyond those the federal government enacts, the ISPs may have an uphill battle winning their case. It’s probably a safe bet the citizens of Maine are rooting against them.