WebProNews

Tag: Privacy

  • TikTok Accused of Illegally Collecting Data and Uploading It to China

    A California student has filed a class-action lawsuit against TikTok, the wildly popular social media app from China. According to a report in the Daily Beast, the suit alleges that TikTok uploads data without user consent—in some cases without a user even creating an account.

    Misty Hong, a student at Palo Alto, claims she downloaded the app but never got around to setting up an account. According to the suit, TikTok created an account using her phone number, and began analyzing videos she took but never uploaded. These videos included a facial scan.

    “The app, she alleges, transferred all of her information to servers owned and operated by companies that cooperate with the Chinese government. She’s filed the lawsuit on behalf of all U.S. residents who have downloaded TikTok, roughly 110 million people.”

    The suit also alleges the app secretly gathers “users’ locations, ages, private messages, phone numbers, contacts, genders, browsing histories, cell-phone serial numbers, and IP addresses. That data was allegedly then sent to Chinese servers.”

    TikTok’s executives have tried to reassure the American public that their data is stored in Virginia, with a backup in Singapore. In a recent New York Times profile, they tried to reassure American users that their data cannot be accessed by Chinese officials. Nonetheless, previous user agreements did stipulate that data could be sent to China. The suit is alleging that practice has continued despite changes to the agreement saying it won’t.

    Convincing users of its independence is a tall order, given that Chinese corporations are required to cooperate with Chinese intelligence when requested. This is partly what has led to Huawei being blacklisted in the U.S. and under scrutiny in many countries around the world.

    U.S. senators have already warned of the threat to national security TikTok may pose, should it be sending data back to China. This lawsuit will only add to those concerns and could result in punitive measures taken against ByteDance, the company that owns TikTok.

    In the meantime, given China’s poor history of respecting individual privacy—including, but not limited to China now requiring facial recognition scans to open a wireless account—this news should come as a surprise to exactly no one.

  • Twitter Making Changes Globally to Comply With Privacy Laws

    Reuters is reporting that Twitter is making changes throughout its platform in an effort to comply with privacy legislation around the world.

    The company is aiming to navigate the different laws and jurisdictions impacting how it collects and uses data. The European Union (EU) passed the General Data Protection Regulation (GDPR) last year, one of the most sweeping privacy protection laws in existence. California has its own legislation, the California Consumer Privacy Act (CCPA), going into effect January 1, 2020.

    Twitter is planning on moving accounts for users outside the EU and the U.S. “which were previously contracted by Twitter International Company in Dublin, Ireland, to the San Francisco-based Twitter Inc.” This will allow the company to experiment with different privacy features—figuring out what works and what doesn’t—without worrying about infringing on the GDPR.

    “We want to be able to experiment without immediately running afoul of the GDPR provisions,” Damien Kieran, Twitter’s data protection officer, told Reuters in a phone interview. “The goal is to learn from those experiments and then to provide those same experiences to people all around the world.”

    Coinciding with these changes, the company has unveiled a new site, the Twitter Privacy Center, in an effort to keep users informed about Twitter’s privacy efforts, as well as give them more control over their data.

  • TrueDialog Database With Tens of Millions of Texts Left Exposed Online

    According to researchers at privacy firm vpnMentor, millions of Americans’ data is at risk following the discovery of a breached database belonging to TrueDialog. TrueDialog is “the leading SMS provider for mass text messaging, SMS marketing and personalized 2-way SMS texting at scale.”

    vpnMentor’s research team, led by Noam Rotem and Ran Locar, discovered the database, which was linked to “many aspects” of TrueDialog’s business. The database had “millions of account usernames and passwords, PII data of TrueDialog users and their customers, and much more.”

    The researchers found the database as part of a web mapping project, using port scanning “to examine particular IP blocks and test open holes in systems for weaknesses.” As ethical hackers, the company tries to identify breaches in an effort to make the web safer. Once a breach is found, they verify the database’s identity and alert the company who owns it.

    In the case of TrueDialog’s database, vpnMentor was able to access it because it was left “completely unsecured and unencrypted.” The database was 604 GB in size and “included nearly 1 billion entries of highly sensitive data.” The entries included account login details, the full names of TrueDialog account holders and users, message contents, email addresses, time stamps of sent messages and more.

    vpnMentor says the type of data could make it possible for bad actors to take over TrueDialog customer accounts, engage in corporate espionage, steal identities, run phishing scams and blackmail users.

    Once the researchers verified the threat level, they reached out to TrueDialog to notify them and offer assistance in securing the database. Shortly after, access to the database was shut down, although TrueDialog never contacted vpnMentor.

    The Takeaway

    There are several lessons to be learned from TrueDialog’s data breach.

    • First and foremost, it is beyond shocking and inexcusable for a company of TrueDialog’s size and resources to be so irresponsible with customer data. There is simply no justification for leaving data—let alone highly sensitive data—unencrypted and exposed for the world to see.
    • As a general rule, when privacy researchers alert a company of a data breach, it’s never a good idea to ignore them. Even if steps are taken to fix the issue, ignoring the researchers who found it gives the impression the company doesn’t care or has something to hide.
    • Going silent is never a good response. TechCrunch was just one outlet that reached out to TrueDialog’s chief executive, John Wright, for comment. At the time of writing, John Wright and TrueDialog had not returned requests for comment or even acknowledged the breach. Wright also did not answer any of TechCrunch’s questions about what steps would be taken to alert impacted users, or notify regulators.

    In short, if there’s a single point to take away from TrueDialog’s experience, it’s this: Don’t do anything TrueDialog has done in this case.

  • China Requiring Facial Recognition Scans For Mobile Users

    China is ramping up its attacks on privacy, with new rules due to take effect requiring all citizens to submit to facial recognition scans when registering for mobile service. The BBC is reporting the new rules were first announced in September and went into effect December 1.

    China has been working for years to eliminate online anonymity among its citizens, even requiring online platforms to verify users’ identities before they’re allowed to post content. These new regulations are an effort to “strengthen” the government surveillance system and give them a way to track mobile users.

    According to the BBC, “Jeffrey Ding, a researcher on Chinese artificial intelligence at Oxford University, said that one of China’s motivations for getting rid of anonymous phone numbers and internet accounts was to boost cyber-security and reduce internet fraud.

    “But another likely motivation, he said, was to better track the population: ‘It’s connected to a very centralised push to try to keep tabs on everyone, or that’s at least the ambition.’”

    This goal is much easier in a country like China, where the vast majority of citizens access the internet via their phones. China is already known as a surveillance state, where facial recognition is regularly used to track citizens. This latest move will only increase the government’s surveillance powers.

  • EU Regulators Investigating Google’s Data Practices

    Reuters is reporting that European Union (EU) antitrust regulators are asking to look at documents detailing Google’s data collection practices.

    The EU has already levied hefty fines against Google in past cases, amounting to $8.8 billion in the last two years. The judgements were the result of investigations proving Google had violated antitrust rules by using its dominance unfairly. If the current set of questions is any indication, Google may be facing yet more punishment.

    According to Reuters, the regulators sent questionnaires to a number of different companies. The companies were given a month to reply and provide information on Google’s data collection policies. Regulators were interested specifically in online advertising, local search, web browsers, online ad targeting, login services and more.

    “Companies were asked about agreements providing data to Google or allowing it to collect data via their services in recent years, and whether they were compensated for this.

    “Regulators also wanted to know the kind of data sought by Google, how it uses it and how valuable the companies consider such data. Another question asked whether Google and the companies were subjected to contractual terms that prohibit or limit the use of the data.

    “Regulators also wanted to know if Google had refused to provide data and how this affected the companies.”

    Whether anything will come of this new inquiry remains to be seen. Given the current climate, however, Google would do well to try to allay any concerns the EU has.

  • Roughly 100 Developers May Have Improperly Accessed Facebook Groups Data

    The last few weeks have seen the news go from bad to worse for Facebook, especially on the privacy front. Now the company is admitting that roughly 100 developers may have improperly accessed Groups member data.

    In April 2018, Facebook made changes to the Groups API to limit what information administrators could access. Prior to the change, admins could see identifiable information, such as member names and profile pictures. Following the change, group members would have to opt in for an admin to see that information—at least in theory.

    According to Konstantinos Papamiltiadis, Facebook’s Platform Partnerships Head, an ongoing review discovered that some 100 developers had retained access to member information. Papamiltiadis said the company had taken steps to address the issues.

    “We have since removed their access. Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time. We know at least 11 partners accessed group members’ information in the last 60 days. Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted.”

    The post also made a point of promising that the company would continue to improve moving forward.

    “We aim to maintain a high standard of security on our platform and to treat our developers fairly. As we’ve said in the past, the new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products. As we continue to work through this process we expect to find more examples of where we can improve, either through our products or changing how data is accessed. We are committed to this work and supporting the people on our platform.”

    Given the current political climate, with politicians on both sides of the aisle increasingly looking at Facebook as a threat to privacy—and some even calling for its breakup—the company will need to do better to convince authorities and users alike that it can be trusted.

  • Interpol Delays Encryption Criticism After Pushback

    A week ago news broke that the FBI had drafted a resolution for Interpol to release condemning the use of strong encryption. Ultimately the resolution was not passed, with Interpol contacting Nicole Perlroth of the New York Times to deny the resolution was ever under consideration.

    When the story first came out, we wrote:

    “There is no doubt the resolution was drafted, with both Reuters and Ars Technica having seen a copy of it. The only question is whether Reuters’ sources about Interpol’s intentions were incorrect, or whether Interpol is attempting to backpedal after the news broke.”

    In an update by Reuters, it appears Interpol was backpedaling.

    “The international police organization Interpol put off plans to condemn the spread of strong encryption after objections by tech companies and civil liberties advocates, according to two people familiar with the matter.

    “After the Reuters article appeared, Facebook and others complained that strong encryption also deters criminal hacking and surveillance of peaceful political activists by repressive regimes, the people said.

    “Conference organizers told some who had attended that they were surprised by the feedback and delayed putting out a statement while they reconsidered, those people said.”

    Interpol is still denying there were ever any plans to release the statement, and the agency did not return Reuters’ request for comment.

    If Reuters’ sources are correct, it is reassuring Interpol was willing to hold off in response to feedback and criticism of the proposal. At the same time, it’s still disconcerting the agency was surprised by the pushback and shows how little understood the privacy issue is—even by those who should understand it best.

  • Filings Reveal There Was a Bidding War Over Fitbit

    Fitbit made news recently when it was announced that Google would be purchasing the wearables firm. According to CNBC, it appears Facebook was also interested and “bid several times to acquire” the company.

    An SEC filing referred to “Party A,” a previously unidentified third party who made several bids to buy Fitbit.

    “According to the filing, Fitbit CEO James Park had dinner with ‘the chief executive officer of Party A’ on June 11, 2019 to discuss the wearables technology landscape. That person would be Facebook CEO Mark Zuckerberg, sources said. Park and other members of Fitbit’s senior management had dinner with Zuckerberg again on July 2, the filing said. Zuckerberg and Park met once more in September, according to the filing.”

    Evidently Facebook’s best offer, one they would not budge from, was $7.30 a share. A day after Facebook made its final offer, Fitbit signed an exclusivity deal with Google for $7.35 a share.

    While some users have understandably been concerned about privacy in the wake of the announcement Google was purchasing Fitbit, it’s probably a safe bet that far more users would be concerned if Facebook was the buyer.

  • California DMV Selling Drivers’ Personal Information

    In a case of “what are they thinking,” the California DMV has admitted that it sells drivers’ information to the tune of $50 million a year, according to an investigation by Motherboard. Motherboard used a public records act request to find out how much the California DMV was being paid by companies for driver data, as well as who was buying it.

    “The responsive document shows the total revenue in financial year 2013/14 as $41,562,735, before steadily climbing to $52,048,236 in the financial year 2017/18.

    “The document doesn’t name the commercial requesters, but some specific companies appeared frequently in Motherboard’s earlier investigation that looked at DMVs across the country. They included data broker LexisNexis and consumer credit reporting agency Experian. Motherboard also found DMVs sold information to private investigators, including those who are hired to find out if a spouse is cheating. It is unclear if the California DMV has recently sold data to these sorts of entities.

    “In an email to Motherboard, the California DMV said that requesters may also include insurance companies, vehicle manufacturers, and prospective employers.”

    A spokesman for the DMV said that the money goes toward public and highway safety, “including availability of insurance, risk assessment, vehicle safety recalls, traffic studies, emissions research, background checks, and for pre- and existing employment purposes.”

    The DMV also said that any sale is in harmony with current legislation, and that it conducts regular reviews to make sure it sells data only to authorized entities.

    While it’s common practice for DMVs to sell driver information, California has made a name for itself as a more privacy-conscious state than most. For it to be profiting from private data is not a good look, and will likely be met with protest as it becomes more widely known.

  • OnePlus Reports Second Data Breach in Two Years

    OnePlus is reporting the second breach of customer data in as many years. A member of the security team informed customers of the breach on the company’s support forums.

    According to the statement, some “users’ order information was accessed by an unauthorized party. We can confirm that all payment information, passwords and accounts are safe, but certain users’ name, contact number, email and shipping address may have been exposed. Impacted users may receive spam and phishing emails as a result of this incident.”

    OnePlus says immediate action was taken to stop the intrusion and shore up security, but questions remain. In a related FAQ, the company says the breach occurred last week, but there is no explanation as to why it took a week to make an announcement. Similarly, the company does not definitively say where the breach occurred, although the wording of the announcement and the FAQ seem to indicate it happened via their website rather than through a flaw in their phones. Perhaps most significantly, OnePlus did not return requests by The Verge for information on exactly how many users were impacted.

    The company did say that affected users were notified before the public announcement. If customers have not received any notification, it’s a safe bet their information was not part of the breach.

  • Citing National Security, FCC Blocks Huawei and ZTE From Federal Subsidies

    The Verge is reporting that the Federal Communications Commission (FCC) has voted unanimously to block telecom companies from using federal funds to purchase equipment from Huawei or ZTE.

    The Universal Service Fund (USF) provides $8.5 billion a year in subsidies for carriers to provide wireless services throughout the United States, especially in rural areas. Under the new ruling, carriers would not be able to use money from the USF to purchase equipment from the two companies, both of whom have been deemed a threat to national security.

    Huawei and ZTE have both been blacklisted by the U.S. government. In ZTE’s case, the company ran afoul of U.S. authorities by selling to North Korea and Iran, in violation of sanctions. The restrictions on ZTE were eventually eased in exchange for a $1 billion fine. Huawei, on the other hand, has been accused of being a possible conduit for spying by the Chinese government. Under Chinese law, all companies are required to help the government when prompted. Huawei, however, has been accused of much closer ties to the government and intelligence agencies than the average Chinese corporation.

    Rural carriers may be hit especially hard by the FCC’s decision, as Huawei is widely considered to be one of the most cost-effective solutions, saving companies millions of dollars. The FCC may go even further, however, having voted to consider requiring rural carriers to remove installed Huawei equipment for alternatives.

    At the hearing, FCC commissioner Brendan Carr said: “After all, if equipment poses a threat, it is not enough to stop subsidizing it. It must come out of the network.”

    Huawei continues to deny it is a threat and has denounced the FCC’s ruling.

    “Huawei believes this order is unlawful as the FCC has singled out Huawei based on national security, but it provides no evidence that Huawei poses a security risk,” a company spokesperson said in a statement.

  • T-Mobile Suffers Breach, Sensitive Prepaid Data Exposed

    T-Mobile announced it has suffered a data breach, exposing prepaid customers’ sensitive information to hackers.

    T-Mobile has not said when the attack occurred, but they have confirmed that financial data was not compromised. That means that credit card and bank account information, as well as social security numbers, were not impacted. The company also stated that no passwords were compromised.

    “The data accessed was information associated with your prepaid service account, including name and billing address (if you provided one when you established your account), phone number, account number, rate plan and features, such as whether you added an international calling feature. Rate plan and features of your voice calling service are ‘customer proprietary network information’ (‘CPNI’) under FCC rules, which require we provide you notice of this incident.”

    The company has not said how many customer accounts were exposed, although a spokesman did tell CNET that the number was a “very small single digit percentage of customers.”

    T-Mobile says all affected customers have been, or shortly will be, notified. If customers have not received notification, it likely means they were not impacted.

  • Microsoft Announces Changes to Cloud Contract Terms Amid EU Probe

    Microsoft has announced an update to its cloud contract terms, one that brings it into greater compliance with EU privacy laws.

    In October, Reuters reported that an EU probe voiced serious concerns that Microsoft’s contract terms violated the GDPR, the comprehensive privacy laws the EU adopted last year.

    “Though the investigation is still ongoing, preliminary results reveal serious concerns over compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” said the EU watchdog EDPS in a statement.

    To address those concerns, as well as respond to customer feedback, Microsoft has updated its terms, bringing them in line with the GDPR.

    “At Microsoft, we listen to our customers and strive to address their questions and feedback, because one of our foundational principles is to help our customers succeed. Today Microsoft is announcing an update to the privacy provisions in the Microsoft Online Services Terms (OST) in our commercial cloud contracts that stems from additional feedback we’ve heard from our customers.

    “Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.

    “Microsoft is currently the only major cloud provider to offer such terms in the European Economic Area (EEA) and beyond.

    “We are also announcing that we will offer the new contractual terms to all our commercial customers – public sector and private sector, large enterprises and small and medium businesses – globally. At Microsoft we consider privacy a fundamental right, and we believe stronger privacy protections through greater transparency and accountability should benefit our customers everywhere.

    “Before and after GDPR became law in the EU, Microsoft has taken steps to ensure that we protect the privacy of all who use our products and services. We continue to work on behalf of customers to remain aligned with the evolving legal interpretations of GDPR.”

  • Android Flaw Lets Rogue Apps Spy On You, Accessing Camera and Mic

    Security firm Checkmarx has announced a serious flaw in Android that allows rogue apps to access the camera, as well as the microphone.

    Director of Security Research Erez Yalon and Senior Security Researcher Pedro Umbelino authored the post detailing their findings. In short, rogue apps on Google and Samsung phones, and in the Android ecosystem in general, could access the camera, take photos, record videos, access stored photos and videos, as well as use the GPS metadata in photos to locate a user.

    “After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.

    In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was in the middle of a voice call.”

    That last part is especially concerning, as it means rogue apps can access the camera without the user realizing it. This opens up a world of possibilities for surveillance, both visual and audio, compromising a person’s privacy at best and corporate or government security at worst.

    The researchers were quick to praise both Google and Samsung for their quick and professional response, and both companies have fixed the issue with their devices. Unfortunately, other vendors are also affected and it is unknown to what extent they have addressed the vulnerability.

  • Microsoft Hires Attorney General Eric Holder To Audit AnyVision

    NBC News is reporting that Microsoft has hired Attorney General Eric Holder to investigate AnyVision, an Israeli-based facial recognition firm the company invested in.

    AnyVision creates facial recognition software in use by the Israeli military at border crossings. The software is used to log the faces of Palestinians entering Israel. However, according to NBC News, the software is also used to secretly surveil Palestinians throughout the West Bank.

    According to NBC News sources, AnyVision’s tech is at the heart of a secret military project, with one of those sources referring to it by the codename “Google Ayosh.” “Ayosh” refers to the West Bank and “Google” is a nod to the kind of powerful search capabilities Google is known for—although the search giant is not involved in the project. Google Ayosh was evidently so successful that it led to AnyVision winning Israel’s top defense prize in 2018.

    Microsoft invested $74 million in Series A funding in AnyVision in June, through its venture capital arm, M12. In the wake of NBC News’ report, however, the company is concerned that AnyVision’s involvement in Google Ayosh may violate its ethical principles for the use of facial recognition: “fairness, transparency, accountability, nondiscrimination, notice and consent, and lawful surveillance.”

    Compliance with Microsoft’s facial recognition principles was included as part of the terms of the deal when Microsoft invested, giving them a right to perform the audit.

    When NBC News first reported on the surveillance allegations, a Microsoft spokesman said that, if true, “they would violate our facial recognition principles.”

    “If we discover any violation of our principles, we will end our relationship.”

    At the same time, AnyVision has denied the reports, stating: “All of our installations have been examined and confirmed against not only Microsoft’s ethical principles, but also our own internal rigorous approval process.”

    Whatever the case, Holder and a team of former federal prosecutors—currently working at law firm Covington & Burling—will investigate the allegations.

  • Border Agents Need Reasonable Suspicion To Search Phones and Computers At The Border

    For years, United States borders have been a legal no-man’s-land where laws and rights citizens take for granted don’t always apply. Case in point is the search and seizure of electronic devices. Now, a federal judge has ruled that border agents must have reasonable suspicion to search travelers’ devices.

    At the heart of the issue is the rule-book that U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) have been operating from. In 1976, and again in 2004, the Supreme Court ruled that individuals were entitled to less Fourth Amendment protection at the border because of the government’s responsibility to protect said borders. CBP, and more recently ICE, have interpreted those rulings to mean that any electronic device could be searched without reasonable suspicion.

    The news has reported on case after case of American citizens having their electronic devices confiscated, searched and their contents downloaded and analyzed. While individuals were free to refuse, CBP would often respond by making life difficult. This often took the form of detaining the person for hours while trying to pressure them to turn over their device. Even professionals with sensitive information, such as doctors or lawyers, were not immune from such treatment.

    According to U.S. District Judge Denise Casper, however, the CBP’s actions violate the Fourth Amendment.

    “In light of this record, case law, and in conjunction with the lack of meaningful difference between basic and advanced searches, the Court concludes that agents and officials must have reasonable suspicion to conduct any search of entrants’ electronic devices under the ‘basic’ searches and ‘advanced’ searches as now defined by the CBP and ICE policies,” Judge Casper said in her ruling. “This requirement reflects both the important privacy interests involved in searching electronic devices and the Defendant’s governmental interests at the border.”

    This should be welcome news to travelers and privacy experts alike.

  • Google Faces Government Scrutiny Over “Project Nightingale” and Patient Privacy

    On the heels of news that Google has partnered with Ascension to collect data on millions of American patients, CBS News is reporting that government officials are opening an inquiry into the deal.

    Ascension is the second largest chain of hospitals and healthcare facilities in the U.S. The program, “Project Nightingale,” which began last year, provides Google with detailed information on patients in 21 states, including names, dates of birth, lab results, diagnoses, hospitalization records and more. Together, the information gives Google a patient’s complete health record. Google is using the information to design AI-based tools to assist in patient diagnostics.

    Although the agreement is likely legal under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Google is facing a backlash in the wake of reports on the project. Even Jim Cramer, co-founder of TheStreet.com, questioned the wisdom of Google’s actions, saying the company “did things we regard as being unauthorized by some, so therefore a U.S. Attorney or someone is going to look into it….The country is hyper-sensitive to what Google does and Facebook does. So why aren’t they a little more thoughtful?”

    Google’s own reaction has done little to improve the situation: the initial blog post responding to the story was penned by a cloud executive rather than by any of the healthcare professionals on the company’s payroll. In addition, as CNBC reports, Google’s secrecy and its use of cryptic code names only add fuel to suspicions that the company is up to something underhanded. Against that backdrop, the Department of Health and Human Services is launching an inquiry into Project Nightingale.

    Whatever the outcome, there can be no denying that Project Nightingale represents another privacy misstep for Google, right as the company is trying to expand into other privacy-sensitive industries and markets.

  • New 5G Security Flaws Discovered, Threatening Privacy and Security

    Companies around the world are working to roll out 5G networks, facing regulatory, logistical, economic and technical hurdles along the way. Now, according to WIRED, researchers have discovered a number of new flaws in the specification, adding yet another challenge to successful deployment.

    Researchers from Purdue University and the University of Iowa have discovered 11 new flaws in 5G protocols. Alarmingly, these flaws are all part of the 5G specification itself, rather than any one carrier’s implementation. The vulnerabilities can “expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.”

    One of the advertised benefits of 5G is stronger protection of phone identifiers such as the international mobile subscriber identity (IMSI). So-called downgrade attacks bypass that protection by forcing a device into 4G mode or into a limited-service mode. Once the service has been downgraded, the device can be made to send its IMSI. Even the safeguards that are in place, such as the Temporary Mobile Subscriber Identity (TMSI), can be overridden.
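    As an added illustration (not code from the researchers, from WIRED, or from the 5GReasoner tool), the following Python model shows why the downgrade matters: the same identity request that yields only a concealed value while the phone is on 5G yields the raw IMSI once a rogue station has pushed it into 4G or limited service, and a TMSI does not help when the network asks for the permanent identity explicitly. The message names, the `registration_reject` fallback field, the test-PLMN IMSI and the hash used for concealment are assumptions made for illustration, not the real 3GPP NAS encodings.

```python
"""Toy model of the downgrade attack described above.

Constructed example, not code from the researchers or from 5GReasoner. The
message names, fields and identifier formats are assumptions made for
illustration; they are not the real 3GPP NAS encodings.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UE:
    """A phone (user equipment) that answers identity requests according to
    which radio access technology (RAT) it is currently attached on."""
    imsi: str
    rat: str = "5G"                 # "5G", "4G" or "limited"
    tmsi: Optional[str] = None      # temporary identity, if one was assigned
    log: list = field(default_factory=list)

    def handle(self, msg: dict) -> Optional[dict]:
        """Process one downlink message and return the uplink reply, if any."""
        kind = msg["type"]
        if kind == "registration_reject":
            # Modelled weakness: the reject is acted on without being
            # authenticated, so a rogue station can push the UE to 4G or
            # limited service. A temporary identity does not carry over.
            self.rat = msg["fallback_rat"]
            self.tmsi = None
            self.log.append(f"fell back to {self.rat}")
            return None
        if kind == "tmsi_reallocation":
            self.tmsi = msg["tmsi"]
            return {"type": "tmsi_reallocation_complete"}
        if kind == "identity_request":
            if self.rat == "5G":
                # On 5G the permanent identifier is concealed; a truncated
                # hash stands in for the real concealment scheme (assumption).
                digest = hashlib.sha256(self.imsi.encode()).hexdigest()[:16]
                return {"type": "identity_response", "id": "concealed:" + digest}
            if self.tmsi and msg.get("id_type") != "IMSI":
                # Legacy RAT with a TMSI: a generic request gets the temporary id.
                return {"type": "identity_response", "id": "tmsi:" + self.tmsi}
            # Legacy RAT and the network insists on the permanent identity:
            # the TMSI safeguard is overridden and the IMSI goes out in clear.
            return {"type": "identity_response", "id": "imsi:" + self.imsi}
        return None


def identity_seen_by_network(ue: UE) -> str:
    """What a legitimate or rogue station learns from one IMSI-typed identity request."""
    return ue.handle({"type": "identity_request", "id_type": "IMSI"})["id"]


def rogue_station(ue: UE, fallback_rat: str = "4G") -> str:
    """Run the downgrade-then-identify sequence and return the identifier obtained."""
    ue.handle({"type": "registration_reject", "fallback_rat": fallback_rat})
    return identity_seen_by_network(ue)


if __name__ == "__main__":
    phone = UE(imsi="001010123456789")          # constructed test-PLMN IMSI
    print("on 5G:          ", identity_seen_by_network(phone))
    print("after downgrade:", rogue_station(phone))
    phone.handle({"type": "tmsi_reallocation", "tmsi": "c0ffee12"})
    print("TMSI assigned, generic request:", phone.handle({"type": "identity_request"})["id"])
    print("TMSI assigned, IMSI request:   ", identity_seen_by_network(phone))
```

    The model deliberately does nothing to authenticate the reject message; that single omission is what lets the rogue station move the phone off 5G, and everything after it is ordinary legacy behaviour.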

    The researchers also discovered “issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts.”

    The flaws have all been reported to the GSM Association, which downplayed the severity of the issue.

    “These scenarios have been judged as nil or low-impact in practice, but we appreciate the authors’ work to identify where the standard is written ambiguously, which may lead to clarifications in the future,” the GSMA told WIRED. “We are grateful to the researchers for affording industry the opportunity to consider their findings and welcome any research that enhances the security and user confidence of mobile services.”

  • Facebook App Caught Activating iPhone Camera Without Permission

    People have long suspected the Facebook app of ignoring permissions and spying on its users. Now, it would seem, a website designer has caught Facebook in the act.

    Joshua Maddox discovered the issue when transitioning between different Pages within the app. As Mr. Maddox tapped on a profile picture and then slid it down the screen, the camera could be seen plainly active in the background.

    Mr. Maddox shared a video of his experience on Twitter, an experience that has been reproduced by other users.

    “Found a @facebook #security & #privacy issue. When the app is open it actively uses the camera. I found a bug in the app that lets you see the camera open behind your feed. Note that I had the camera pointed at the carpet.”

    Mr. Maddox said he has confirmed the behavior on five different iPhones, all running iOS 13.2.2. Notably, iPhones running iOS 12 did not display the behavior, although, as Mr. Maddox points out, that does not mean the app is not accessing the camera on older versions of iOS. He also raised a legitimate concern about the degree to which the app accesses the cameras.

    “It’s how @facebook accesses your camera and microphone… This is proof that they are accessing your back camera. They may also be accessing the front camera. If they process that through a facial recognition they could see your actual reaction to posts.”

    Facebook VP Guy Rosen responded with a tweet of his own, downplaying the issue as an innocent bug.

    “We recently discovered our iOS app incorrectly launched in landscape. In fixing that last week in v246 we inadvertently introduced a bug where the app partially navigates to the camera screen when a photo is tapped. We have no evidence of photos/videos uploaded due to this.”

    Whatever the cause or reason behind this issue, it comes from a company that has long since used up any goodwill it has on the privacy front. No matter how many assurances it provides, it’s safe to say that many users will view this as an unacceptable violation of their privacy.

  • Secret Google Program Amasses Treasure Trove of Patient Health Data

    The Wall Street Journal is reporting that a secret Google program is collecting health data on millions of Americans—without patients or doctors knowing about it.

    The program, dubbed “Project Nightingale,” began last year with “St. Louis-based Ascension, a Catholic chain of 2,600 hospitals, doctors’ offices and other facilities.” The partnership provides Google with information for patients in 21 different states.

    The collected data includes “lab results, doctor diagnoses and hospitalization records, among other categories, and amounts to a complete health history, including patient names and dates of birth.”

    Google is evidently using the data to design machine learning and AI-based software to help tailor patients’ treatment, recommending specific changes based on their history. Underscoring the focus the company is placing on this, some Google Brain employees are among those who have access. Google Brain is a research science division that has been responsible for some of the company’s most important breakthroughs.

    Surprisingly, despite the volume and depth of data being collected, privacy experts say it’s likely legal. The Health Insurance Portability and Accountability Act of 1996 gives hospitals the right to share data with their business partners, so long as the data is “only to help the covered entity carry out its health care functions.” The law also allows hospitals to share the data without telling patients.

    Following the WSJ’s report on the program, Google and Ascension issued press releases stating that the program falls within federal guidelines and includes robust data protections. The fact that both companies issued press releases, however, may indicate they fear potential backlash in a climate where consumers are more concerned than ever with their privacy.

  • Uber Sues LA Department of Transportation Over Electric Scooter Data, Cites Privacy Concerns

    According to a report by The Verge, Uber has said it will not share real-time electric scooter data with the Los Angeles Department of Transportation (LADOT) and is filing a lawsuit against the department.

    The suit revolves around LA’s use of the Mobility Data Specification (MDS), a data-sharing specification LADOT developed to monitor the dockless scooters that are becoming commonplace in many cities. The data provided through MDS can be used by city planners to evaluate traffic patterns, add needed bike lanes and more. The promise of data that was previously unavailable has led cities across the country to adopt and contribute to MDS. LA, as well as Austin, Chattanooga, Columbus, Louisville, Omaha, San Jose and Seattle, are all making MDS participation a condition for companies to receive the permits they need to operate.

    Privacy advocates, however, are concerned that MDS gives cities unprecedented insight into people’s activity, since every part of a scooter’s route is tracked and recorded. Uber, which acquired the scooter company Jump, along with Lyft and Bird, has objected to MDS from the beginning and vowed to challenge the legality of the program. Uber in particular is hoping the California Electronic Communications Privacy Act (CalECPA), which became law in 2015, will give it the legal teeth to challenge LA’s position.

    The state’s Legislative Counsel has opined that MDS may run afoul of CalECPA, specifically because the law prohibits local governments from requiring real-time data in exchange for an operating permit. The only exception is if a specific rider waives their right to privacy, and it must be waived by the rider, not by the ride-sharing company acting as an intermediary.

    Uber and Lyft are seeking a temporary restraining order prohibiting LA from revoking their operating permits. In the long term, however, the legal battle over MDS will have far-reaching repercussions for privacy-minded individuals and corporations alike.