"For those out of the loop, Xi
has made it abundantly clear during his iconic speech that the Chinese
blockchain community should rule the roost by setting policies and
conventions globally, as BeInCrypto had reported previously.... the
Chinese government is notorious for blatantly misusing technology to
suppress dissent and infringe on the civil rights of nearly 1.5 billion
people. Case in point — the mass surveillance system with highly
sophisticated facial recognition, the Great Firewall, and the truly
Orwellian social credit scoring system. Going by these past trends, it
would be too presumptuous to think that President Xi’s government will
refrain from reinforcing these draconian systems with blockchain
technology and its offshoots. The likelihood of just the opposite
unfolding is growing stronger by the day with the government being ever so
close to releasing its own digital currency. Despite all the obvious
benefits, a cashless economy also has its fair share of drawbacks —
especially when an authoritarian regime controls all facets of the
digital monetary system. In the case of China, its soon-to-be-released
currency will be a yuan-pegged digital currency built atop a permissioned ledger.
That is quite unlike any blockchain-powered digital asset such as
Bitcoin or Ethereum. Because the underlying ledger itself is
permissioned and issued by a centralized authority, the Chinese
government will enjoy total control over the network. Furthermore, the
digital wallets required to store this digital currency will also be
issued by the central bank, giving the government unrestricted access to
all transaction data. Once the government has total command over this
enforced-cashless economy, the use of blockchain for tightening its grip
over the population becomes even easier. The government in China
already controls the country’s cyberspace with an iron fist.
State-sponsored censorship of content critical of the government is
rampant and so is the unapologetic monitoring of online traffic. A
blockchain-based system in the disguise of social welfare schemes can
further add to these diabolical practices. For example, any such system
can allow the government to store digital identities of citizens on a
blockchain and then use the same system to conduct real-time monitoring
of their movement, financial transactions, social media accounts, and
other digital footprints. With a whole range of interconnected
databases, any such network is likely to be a lot more comprehensive as
compared to even the most intrusive surveillance programs in Western
democracies, or for that matter, in most parts of the world. Worse even,
a blockchain network capable of tracking citizens in real-time will add
more teeth to the Chinese government’s social credit score system,
which basically ranks citizens based on their ‘social value’ and loyalty
to the government."
China is Becoming a Blockchain-Powered Orwellian Dystopia
Beincrypto, 30 October 2019
"For more than half a decade, the vulnerability of our computers and
computer networks has been ranked the number one risk in the US
Intelligence Community’s Worldwide Threat Assessment – that’s higher
than terrorism, higher than war. Your bank balance, the local hospital’s
equipment, and the 2020 US presidential election, among many, many
other things, all depend on computer safety. And yet, in the midst of
the greatest computer security crisis in
history, the US government, along with the governments of the UK and
Australia, is attempting to undermine the only method that currently
exists for reliably protecting the world’s information: encryption.
Should they succeed in their quest to undermine encryption, our public
infrastructure and private lives will be rendered permanently unsafe. In
the simplest terms, encryption is a method of protecting information,
the primary way to keep digital communications safe. Every email you
write, every keyword you type into a search box – every embarrassing
thing you do online – is transmitted across an increasingly hostile
internet. Earlier this month the US, alongside the UK and Australia,
called on Facebook to create a “backdoor”, or fatal flaw, into its
encrypted messaging apps, which would allow anyone with the key to that
backdoor unlimited access to private communications. So far, Facebook
has resisted this. If internet traffic is unencrypted, any government,
company, or criminal that happens to notice it can – and, in fact, does –
steal a copy of it, secretly recording your information for ever. If,
however, you encrypt this traffic, your information cannot be read: only
those who have a special decryption key can unlock it... When I came
forward in 2013, the US government wasn’t just passively surveilling
internet traffic as it crossed the network, but had also found ways to
co-opt and, at times, infiltrate the internal networks of major American
tech companies. At the time, only a small fraction of web traffic was
encrypted: six years later, Facebook, Google and Apple have made
encryption-by-default a central part of their products, with the result
that today close to 80% of web traffic is encrypted. Even the former
director of US national intelligence, James Clapper, credits the
revelation of mass surveillance with significantly advancing the
commercial adoption of encryption. The internet is more secure as a
result. Too secure, in the opinion of some governments. Donald Trump’s
attorney general, William Barr, who authorised one of the earliest mass
surveillance programmes without reviewing whether it was legal, is now
signalling an intention to halt – or even roll back – the progress of
the last six years. WhatsApp, the messaging service owned by Facebook,
already uses end-to-end encryption (E2EE): in March the company
announced its intention to incorporate E2EE into its other messaging
apps – Facebook Messenger and Instagram – as well. Now Barr is launching
a public campaign to prevent Facebook from climbing this next rung on
the ladder of digital security. This began with an open letter co-signed
by Barr, UK home secretary Priti Patel, Australia’s minister for home
affairs and the US secretary of homeland security, demanding Facebook
abandon its encryption proposals. If Barr’s campaign is successful, the
communications of billions will remain frozen in a state of permanent
insecurity: users will be vulnerable by design. And those communications
will be vulnerable not only to investigators in the US, UK and
Australia, but also to the intelligence agencies of China, Russia and
Saudi Arabia – not to mention hackers around the world. End-to-end
encrypted communication systems are designed so that messages can be
read only by the sender and their intended recipients, even if the
encrypted – meaning locked – messages themselves are stored by an
untrusted third party, for example, a social media company such as
Facebook. The central improvement E2EE provides over older security systems is in
ensuring the keys that unlock any given message are only ever stored on
the specific devices at the end-points of a communication – for example
the phones of the sender or receiver of the message – rather than the
middlemen who own the various internet platforms enabling it. Since E2EE
keys aren’t held by these intermediary service providers, they can no
longer be stolen in the event of the massive corporate data breaches
that are so common today, providing an essential security benefit. In
short, E2EE enables companies such as Facebook, Google or Apple to
protect their users from their scrutiny: by ensuring they no longer hold
the keys to our most private conversations, these corporations become
less of an all-seeing eye than a blindfolded courier. It is striking
that when a company as potentially dangerous as Facebook
appears to be at least publicly willing to implement technology that
makes users safer by limiting its own power, it is the US government
that cries foul. This is because the government would suddenly become
less able to treat Facebook as a convenient trove of private
lives.... The true explanation for why the US, UK and Australian governments
want to do away with end-to-end encryption is less about public safety
than it is about power: E2EE gives control to individuals and the
devices they use to send, receive and encrypt communications, not to the
companies and carriers that route them. This, then, would require
government surveillance to become more targeted and methodical, rather
than indiscriminate and universal. What this shift jeopardises is
strictly nations’ ability to spy on
populations at mass scale, at least in a manner that requires little
more than paperwork. By limiting the amount of personal records and
intensely private communications held by companies, governments are
returning to classic methods of investigation that are both effective
and rights-respecting, in lieu of total surveillance. In this outcome we
remain not only safe, but free."
Without encryption, we will lose all privacy. This is our new battleground
Guardian, 15 October 2019
"Tens of thousands of families are being tracked in a multi-million-pound
government scheme to let tech firms access their smart meter data. At
least 20 companies are being given a share of £20million to develop
products that can be used alongside smart meters. Those involved say the
aim is to help households make further energy savings — but one of the
firms entrusted with taxpayers' money has previously boasted of being
able to 'monetise' highly personalised consumer data. The same company is
currently working with Amazon to enable customers to ask its virtual
assistant Alexa how much power they have used and when. The Government
wants all UK homes to have a smart meter to monitor power usage by 2024,
but the bodged rollout is set to cost at least £13billion. It is running
three trials to develop technology that analyses smart meter data. Tech
firms team up with energy suppliers to bid for funds after getting
consent from customers."
The smart meter snoopers... already in homes as part of a little-known £20m plan to track energy habits
Mail, 15 October 2019
"With a trip to Google’s activity controls page,
you can choose to purge that data on a rolling three-month or 18-month
basis. The company pitches this tool, along with the ability to manually
delete data through Google’s activity pages, as one of many ways users
can control their privacy....
In reality, these auto-delete tools accomplish little for users, even as
they generate positive PR for Google. Experts say that by the time
three months rolls around, Google has already extracted nearly all the
potential value from users’ data, and from an advertising standpoint,
data becomes practically worthless when it’s more than a few months old.
“Anything up to one month is extremely valuable,” says David Dweck, the
head of paid search at digital ad firm WPromote. “Anything beyond one month, we probably weren’t going to target you anyway.”"
Google’s auto-delete tools are practically worthless for privacy
Fast Company, 15 October 2019
"It's an admission that appears to have caught Google's devices chief by
surprise. After being challenged as to whether homeowners should tell
guests smart devices - such as a Google Nest speaker or Amazon Echo
display - are in use before they enter the building, he concludes that
the answer is indeed yes. "Gosh, I haven't thought about this before in
quite this way," Rick Osterloh begins. "It's quite important for all
these technologies to think about all users... we have to consider all
stakeholders that might be in proximity." And then he commits. "Does the
owner of a home need to disclose to a guest? I would and do when someone
enters into my home, and it's probably something that the products
themselves should try to indicate.""
Google chief: I'd disclose smart speakers before guests enter my home
BBC, 15 October 2019
"The web giant Amazon has cornered more than a
third of the lucrative UK market in storing and processing
government-held information, including sensitive biometric details and
tax records, figures leaked to The Telegraph suggest. The details come
as Amazon is due to announce financial results this week that will
highlight how important this part of the business, known as Amazon Web
Services, is to the profitability of a company much better known for its
online superstore. In the first six months of this year, for example,
AWS made $4.3bn (£3.33bn) on global revenues of $16bn, while the more
famous part of Amazon made only $3.1bn on global revenues of $107bn. AWS
profits have been driven by rocketing demand for its “cloud” services –
where customers pay to store data or buy processing power on computers
owned and run by Amazon. AWS revenues from UK government contracts grew
by more than 50pc last year, the leaked figures suggest. Such is the
pace of the growth that some critics claim that the UK Government’s
reliance on AWS poses a systemic risk, should AWS servers crash. Last
year, a Lloyd’s of London report estimated that even a temporary
shutdown at a major cloud provider like AWS could wreak almost $20bn in
business losses. Amazon says its service is designed to diffuse the
potential for systemic risk and minimise downtime. There are also
questions about Amazon’s tax status. AWS recently created a
Luxembourg-based subsidiary whose accounts for 2018 show it paid just
€10m (£8.6m) tax on €1.9bn revenues. In the same year, HMRC business to
AWS was worth £15m.... In Britain, its leading position in cloud
provision to the public sector, including government departments like
the Home Office, Department of Work and Pensions, and the Cabinet
Office, as well as NHS Digital and the National Crime Agency, is also
entrenched. Figures obtained by The Sunday Telegraph suggest that AWS
has captured more than a third of the UK public sector market with
revenues of more than £100m in the last financial year."
Special report: Amazon's extraordinary grip on British data
Telegraph, 9 October 2019
"France is poised to become the first European country to use facial
recognition technology to give citizens a secure digital identity --
whether they want it or not. Saying it wants to make the state more
efficient, President Emmanuel Macron’s government is pushing through
plans to roll out an ID program, dubbed Alicem, in November, earlier
than an initial Christmas target. The country’s data regulator says the
program breaches the European rule of consent and a privacy group is
challenging it in France’s highest administrative court. It took a
hacker just over an hour to break into a “secure” government messaging
app this year, raising concerns about the state’s security standards....
With the move, France will join states around the world rushing to
create “digital identities” to give citizens secure access to everything
from their taxes and banks to social security and utility bills.
Singapore uses facial recognition and has signed an accord to help the
U.K. prepare its own ID system. India uses iris scans. France says the
ID system won’t be used to keep tabs on residents. Unlike in China and
Singapore, the country won’t be integrating the facial recognition
biometric into citizens’ identity databases. In fact, the interior
ministry, which developed the Alicem app, says the facial recognition
data collected will be deleted when the enrollment process is over. That
hasn’t stopped people from worrying about its potential misuse.
“Rushing into facial recognition at this point is a major risk” because
of uncertainties on its final use, said Didier Baichere, a
governing-party lawmaker who sits on the Parliament’s “future
technologies” commission and is the author of a July report on the
subject. Allowing mass-usage before putting in place proper checks and
balances is “ludicrous,” he said.... The Android-only app with the
blazon of the French republic, which Bloomberg was able to consult, will
be the only way for residents to create a legal digital ID and facial
recognition will be its sole enabler. An ID will be created through a
one-time enrollment that works by comparing a user’s photo in their
biometric passport to a selfie video taken on the app that will capture
expressions, movements and angles. The phone and the passport will
communicate through their embedded chips. Opponents say the app
potentially violates Europe’s General Data Protection Regulation, which
makes free choice mandatory. Emilie Seruga-Cau, who heads the law
enforcement unit at the CNIL, the country’s independent privacy
regulator, said it has made its concerns “very clear.” Opposition
lawmakers worry about the integration of facial recognition into laws to
track violent protesters like during Yellow Vests demonstrations.
Drago, who’s challenging government plans on privacy and consent issues,
said the absence of a debate “lets the state move ahead, without
roadblocks.” Meanwhile, facial recognition tests are multiplying. Live
camera surveillance in the streets of Wales was judged legal this month
by a London court. Germany, The Netherlands and Italy use it for fast
tracking borders checks. In August, Sweden’s Data Protection Authority
fined the municipality of Skelleftea for testing facial recognition on
high school students to measure attendance. Apple Inc. trivialized its
use as a biometric to unlock mobile phones. The EU’s new Commission,
whose mandate begins in November, has among its goals the building of a
“Europe fit for the Digital Age.” An internal policy document by the
Commission detailed the steps the EU should take to master Artificial
Intelligence technologies, including facial recognition."
France Set to Roll Out Nationwide Facial Recognition ID Program
Bloomberg, 3 October 2019
"Electronic Frontier Foundation (EFF) and the American Civil Liberties
Union Foundation of Southern California (ACLU SoCal) have reached an
agreement with Los Angeles law enforcement agencies under which the
police and sheriff’s departments will turn over license plate data they
indiscriminately collected on millions of law-abiding drivers in
Southern California. The data, which has been deidentified to
protect drivers’ privacy, will allow EFF and ACLU SoCal to learn how the
agencies are using automated license plate reader (ALPR) systems
throughout the city and county of Los Angeles and educate the public on
the privacy risks posed by this intrusive technology. A weeks’ worth of
data, composed of nearly 3 million data points, will be examined...ALPR
systems include cameras mounted on police cars and at fixed locations
that scan every license plate that comes into view—up to 1,800 plates
per minute. They record data
on each plate, including the precise time, date, and place it was
encountered. The two Los Angeles agencies scan about 3 million plates
every week and store the data for years at a time. Using this data,
police can learn where we were in the past and infer intimate details of
our daily lives such as where we work and live, who our friends are,
what religious or political activities we attend, and much more."
EFF Wins Access to License Plate Reader Data to Study How Law Enforcement Uses the Privacy Invasive Technology
EFF, 3 October 2019
"Millions of vehicles across the country have had their license plates scanned by police—and
more than 99% of them weren’t associated with any crimes. Yet law
enforcement agencies often share ALPR information with their
counterparts in other jurisdictions, as well as with border agents,
airport security, and university police. EFF and ACLU SoCal
reached the agreement with the Los Angeles Police and Sheriff’s
Departments after winning a precedent-setting decision in 2017 from the California Supreme Court in our public records lawsuit against the two agencies. The court held
that the data are not investigative records under the California
Public Records Act that law enforcement can keep secret....The
California Supreme Court ruling has significance beyond the ALPR
case. It set a groundbreaking precedent that mass, indiscriminate data
collection by the police can’t be withheld just because the information
may contain some data related to criminal investigations."
Victory! EFF Wins Access to License Plate Reader Data to Study How Law Enforcement Uses the Privacy Invasive Technology
EFF, 3 October 2019
"Amazon's low-power, low-cost wireless standard was
introduced to us via the first Sidewalk reference design, the Ring Fetch
dog tracker, which will alert you when your dog leaves your geofenced
garden when it launches in 2020. Compared to the
nugget buried in Apple's most recent keynote, though, this could be
viewed as hyperbole. Apple's U1 chip - which allows precise, indoor
positional tracking via the latest iPhones and will power, at the very
least, directional AirDrop file-sharing - popped up on screen but was
never even mentioned. The interest-piquing phrase "GPS at the scale of
your living room" was saved for the online iPhone product pages rather
than the bombast of the Steve Jobs Theater. As modest as these two
announcements were, then, it's clear that both Amazon and Apple have
embarked on similar missions
to extend their control of their customers' connectivity in and around
the home. Amazon's Sidewalk, which operates on the 900MHz band typically
used for amateur radio and emergency services, and Apple's close-range,
ultra-wideband positioning with the U1 are designed to get Amazon out
of the home and Apple inside it.... Why so muted then from the two tech
giants?... It could be that with the privacy-focused techlash of recent
years, both are treading carefully in the launch stages. Just look at how Amazon's
acquisition of mesh networking company eero was received earlier this
year or the widespread interest in Huawei's level of involvement with 5G
networks."
Amazon and Apple are quietly building networks that know the location of everything
Wired, 28 September 2019
"Edward Snowden doesn’t share new
state secrets in his memoir, Permanent Record, which The Daily Beast
obtained a copy of ahead of its release Tuesday. But he does offer some
personal ones.... Snowden mentions a rare public speech [by] Ira “Gus” Hunt, the CIA’s
chief technology officer, delivered a week after then-Director of
National Intelligence James Clapper had lied to Congress about the NSA’s
collection of bulk communications. In the speech, covered only by the
Huffington Post, Hunt flatly declared that we “try to collect everything
and hang on to it forever.” “You’re already a walking sensor platform,”
he said. “It is nearly within our grasp to be able to compute on all
human generated information.” As Snowden notes, a video of the talk has
less than 1,000 views. After that, Snowden recounts his efforts to
reach out to journalists....[Snowden] took what he saw as a less prestigious new position to gain access to
the XKEYSCORE system, which he’d learned about but not used himself,
and, he writes, is “perhaps best understood as a search engine that lets
an analyst search through the records of your life.” “It was,
simply put, the closest thing to science fiction I’ve ever seen in
science fact,” he writes, allowing users to put in someone’s basic
information and then go through their online history, even playing back
recordings of their online settings and watching people as they
searched, character by character. “Everyone’s communications were in the
system—everyone’s,” including the president’s, he writes. The potential
for abuse was obvious. NSA workers even had a word, “LOVEINT” for “love
intelligence,” to describe analysts cyber-stalking current, former and
prospective lovers, while among male analysts “intercepted nudes were a
kind of informal office currency,” Snowden writes. “This was how you
knew you could trust each other: you had shared in one another’s
crimes.”"
Edward Snowden Is Exposing His Own Secrets This Time
Daily Beast, 16 September 2019
"Attention airline bathroom loiterers: The
next generation of Airbus aircraft will track how long you’ve been in
there. It’s all part of an effort to make commercial cabins a digitally
aware domain. The program is Airbus’s bid to raise the Internet of
Things — that buzz-phrase for connected household gadgets — to cruising
altitude. The Airbus Connected Experience aims to give flight attendants a more detailed survey of the cabin..."
The next generation of aircraft will track your bathroom visits
Bloomberg, 12 September 2019
"Period tracker apps are sending deeply personal information about women’s health and sexual practices to Facebook, new research has found. UK-based
advocacy group Privacy International, sharing its findings exclusively
with BuzzFeed News, discovered period-tracking apps including MIA Fem
and Maya sent women’s use of contraception, the timings of their monthly
periods, symptoms like swelling and cramps, and more, directly to
Facebook.... The data sharing with Facebook happens via Facebook’s Software
Development Kit (SDK), which helps app developers incorporate particular
features and collect user data so Facebook can show them targeted ads,
among other functions.... The app also shares data users enter about their use of
contraception, the analysis found, as well as their moods. It also asks
users to enter information about when they’ve had sex and what kind of
contraception they used, and also includes a diarylike section for users
to write their own notes. That information is also shared with
Facebook. Advertisers are often interested in people’s moods
because it helps them strategically target ads to them at times they
might be more likely to buy."
Period Tracker Apps Used By Millions Of Women Are Sharing Incredibly Sensitive Data With Facebook
Buzzfeed, 9 September 2019
"With the new Nest Hub Max, Google is adding an eye to its talking
artificial intelligence. When I flash my palm at the device, a camera
spots me and immediately pauses my music. Talk to the hand, robot! When I
walk by a Hub Max, the Google Assistant greets me on its screen, "Good
afternoon, Geoffrey." This wizardry is made possible by facial
recognition. The $230 Nest
Hub Max offers a glimpse of how this controversial tech might be used in
our homes - if people aren't too turned off by the privacy
implications. Living with Google's latest creation for a few days
embodied the cognitive dissonance of being a gadget guy in 2019. You can appreciate
the fun and wonder of new technology that you also know brings new
concerns. I kept wondering: Do any of these camera functions make it
worth bringing face surveillance inside my home? ... the Hub Max suffers
from the same affliction as many new Google products: It's
frighteningly advanced technology that hasn't identified the problem in
our lives that needs solving. None of the camera functions the Hub Max
offers today make it worth bringing surveillance inside my house. Google
and all the other companies pushing face tech are going to have to keep
working on uses that cross the chasm from creepy to
can't-live-without-it."
Google is always listening. Now it's watching, too, with the Nest Hub Max
Washington Post (Geoffrey Fowler), 9 September 2019
"A number of malicious websites used to hack into iPhones
over a two-year period were targeting Uyghur Muslims, TechCrunch has
learned. Sources familiar with the matter said the websites were part of a
state-backed attack — likely China — designed to target the Uyghur
community in the country’s Xinjiang state. It’s part of the latest
effort by the Chinese government to crack
down on the minority Muslim community in recent history. In the past
year, Beijing has detained more than a million Uyghurs in internment
camps, according to a United Nations human rights committee."
Sources say China used iPhone hacks to target Uyghur Muslims
Techcrunch, 31 August 2019
"An unprecedented iPhone
hacking operation, which attacked 'thousands of users a week' until it
was disrupted in January, has been revealed by researchers at Google’s
external security team. The operation, which lasted two and a half
years, used a small
collection of hacked websites to deliver malware on to the iPhones of
visitors. Users were compromised simply by visiting the sites: no
interaction was necessary, and some of the methods used by the hackers
affected even fully up-to-date phones. Once hacked, the user’s deepest
secrets were exposed to the attackers. Their location was uploaded every
minute; their device’s keychain, containing all their passwords, was
uploaded, as were their chat histories on popular apps including
WhatsApp, Telegram and iMessage, their address book, and their Gmail
database. The one silver lining is that the implant was not persistent:
when the phone was restarted, it was cleared from memory unless the user
revisited a compromised site. However, according to Ian Beer, a
security researcher at Google: “Given the breadth of information stolen,
the attackers may nevertheless be able to maintain persistent access to
various accounts and services by using the stolen authentication tokens
from the keychain, even after they lose access to the device.”
Google says hackers have put ‘monitoring implants’ in iPhones for years
Guardian, 30 August 2019
"After a long delay, Facebook is releasing a tool that will allow
people to see what kind of information it has collected about their
online activity beyond its borders — from the news they read to the
shopping websites they visit to the porn they watch — along with an option to dissociate that data from their accounts. Facebook
collects information about its users in two ways: first, through the
information you input into its website and apps, and second, by tracking
which websites you visit while you’re not on Facebook. That’s why,
after you visit a clothing retailer’s website, you’ll likely see an ad
for it in your Facebook News Feed or Instagram feed. Basically, Facebook
monitors where you go, all across the internet, and uses your digital
footprints to target you with ads. But Facebook users have never been
able to view this external data Facebook collected about them, until now. Facebook tracks your browsing history
via the “Login with Facebook” button, the “like” button, Facebook
comments, and little bits of invisible code, called the Facebook pixel,
embedded on other sites (including BuzzFeed News). Today the company
will start to roll out a feature called “Off-Facebook Activity” that
allows people to manage that external browsing data — finally delivering
on a promise it made over a year ago when CEO Mark Zuckerberg announced
at a company event that it would develop a feature then called “Clear
History.”... However, it’s important to note that neither Facebook’s
announcement nor screenshots of the feature mention the word “delete” —
and that’s because the browsing information isn’t being deleted, it’s
simply dissociated from your Facebook account, according to a Facebook
spokesperson. In other words, Facebook will still hold on to the data
but will anonymize it rather than pair it with your profile. For
example, although your browsing history won’t be used to advertise a
discount to an online store you’ve visited before, the activity will
still appear in aggregated audience data shown to developers using
Facebook’s analytics tools.... the data isn’t being removed from
Facebook servers. Just as Facebook still collects aggregated, anonymous browsing information
from people who are logged out or don’t have Facebook accounts,
Facebook will treat people who have opted out of external website
tracking similarly, a Facebook spokesperson confirmed to BuzzFeed News."
You Can Finally See All Of The Info Facebook Collected About You From Other Websites
Buzzfeed, 20 August 2019
"Breaking a long silence about a
high-profile National Security Agency program that sifts records of
Americans’ telephone calls and text messages in search of terrorists,
the Trump administration on Thursday acknowledged for the first time
that the system has been indefinitely shut down — but asked Congress to
extend its legal basis anyway. In a
letter to Congress delivered on Thursday and obtained by The New York
Times, the administration urged lawmakers to make permanent the legal
authority for the National Security Agency to gain access to logs of
Americans’ domestic communications, the USA Freedom Act. The law,
enacted after the intelligence contractor Edward J. Snowden revealed the
existence of the program in 2013, is set to expire in December, but the
Trump administration wants it made permanent."
Trump Administration Asks Congress to Reauthorize N.S.A.’s Deactivated Call Records Program
New York Times, 15 August 2019
"The fingerprints of over 1 million people, as well as facial
recognition information, unencrypted usernames and passwords, and
personal information of employees, were discovered on a publicly
accessible database for a company used by the likes of the UK
Metropolitan police, defence contractors and banks. Suprema is the
security company responsible for the web-based Biostar 2 biometrics lock
system that allows centralised control for access to secure facilities
like warehouses or office buildings. Biostar 2 uses fingerprints and
facial recognition as part of its means of identifying people attempting
to gain access to buildings. Last month, Suprema announced its Biostar 2
platform was integrated into another access control system – AEOS. AEOS
is used by 5,700 organisations in 83 countries, including governments,
banks and the UK Metropolitan police. The Israeli security researchers
Noam Rotem and Ran Locar working
with vpnmentor, a service that reviews virtual private network services,
have been running a side project to scan ports looking for familiar IP
blocks, and then use these blocks to find holes in companies’ systems
that could potentially lead to data breaches. In a search last week, the
researchers found Biostar 2’s database was
unprotected and mostly unencrypted. They were able to search the
database by manipulating the URL search criteria in Elasticsearch to
gain access to data. The researchers had access to over 27.8m records,
and 23
gigabytes-worth of data including admin panels, dashboards, fingerprint
data, facial recognition data, face photos of users, unencrypted
usernames and passwords, logs of facility access, security levels and
clearance, and personal details of staff. Many of the usernames and
passwords were not encrypted, Rotem told the Guardian. “We were able to
find plain-text passwords of administrator accounts,” he said. “The
access allows first of all seeing millions of users are using
this system to access different locations and see in real time which
user enters which facility or which room in each facility, even.” “We
[were] able to change data and add new users,” he said. This would mean
that he could edit an existing user’s account and add
his own fingerprint and then be able to access whatever building that
user is authorised to access, or he could just add himself as a user
with his photo and fingerprints."
Major breach found in biometrics system used by banks, UK police and defence firms
Guardian, 14 August 2019
"Researchers from SMU’s Darwin Deason Institute for Cybersecurity
found that acoustic signals, or sound waves, produced when we type on a
computer keyboard can successfully be picked up by a smartphone. The
sounds intercepted by the phone can then be processed, allowing a
skilled hacker to decipher which keys were struck and what they were
typing. The researchers were able to decode much of what was being typed
using common keyboards and smartphones – even in a noisy conference room
filled with the sounds of other people typing and having conversations.... The study was published in the June edition of the journal Interactive, Mobile, Wearable and Ubiquitous Technologies.
Co-authors of the study are Tyler Giallanza, Travis Siems, Elena Sharp,
Erik Gabrielsen and Ian Johnson – all current or former students at the
Deason Institute. It might take only a couple of seconds to obtain information on what you’re typing, noted lead author Mitch Thornton,
director of SMU’s Deason Institute and professor of electrical and
computer engineering.... The researchers wanted to create a scenario
that would mimic what
might happen in real life. So they arranged several people in a
conference room, talking to each other and taking notes on a laptop.
Placed on the same table as their laptop or computer, were as many as
eight mobile phones, kept anywhere from three inches to several feet
away from the computer, Thornton said. Study participants were not
given a script of what to say when they
were talking, and were allowed to use shorthand or full sentences when
typing. They were also allowed to either correct typewritten errors or
leave them, as they saw fit.... There are some caveats, though. “An
attacker would need to know the material type of the table,”
Larson said, because different tables create different sound waves when
you type. For instance, a wooden table like the kind used in this
study
sounds different than someone typing on a metal tabletop. Larson said,
“An attacker would also need a way of knowing there are multiple phones
on the table and how to sample from them.” A successful interception of
this sort could potentially be very
scary, Thornton noted, because “there’s no way to know if you’re being
hacked this way.”"
Attackers could be listening to what you type
SMU, 12 August 2019
"Most people don’t think twice about picking up
a phone charging cable and plugging it in. But one hacker’s project
wants to change that and raise awareness of the dangers of potentially
malicious charging cables. A hacker who goes by the online handle MG
took an innocent-looking Apple USB Lightning cable and rigged it with a
small Wi-Fi-enabled implant, which, when plugged into a computer, lets a
nearby hacker run commands as if they were sitting in front of the
screen. Dubbed the O.MG cable,
it looks and works almost indistinguishably from an iPhone charging
cable. But all an attacker has to do is swap out the legitimate cable
for the malicious cable and wait until a target plugs it into their
computer. From a nearby device and within Wi-Fi range (or attached to a
nearby Wi-Fi network), an attacker can wirelessly transmit malicious
payloads on the computer, either from pre-set commands or an attacker’s
own code. Once plugged in, an attacker can remotely control the affected
computer to send realistic-looking phishing pages to a victim’s screen,
or remotely lock a computer screen to collect the user’s password when
they log back in. MG focused his first attempt on an Apple Lightning
cable, but the
implant can be used in almost any cable and against most target
computers. “This specific Lightning cable allows for cross-platform
attack
payloads, and the implant I have created is easily adapted to other USB
cable types,” MG said. “Apple just happens to be the most difficult to
implant, so it was a good proof of capabilities.”.... “Suddenly we now
have victim-deployed hardware that may not be noticed for much longer
periods of time,” he explained. “This changes how you think about
defense tactics. We have seen that the NSA has had similar capabilities
for over a decade, but it isn’t really in most people’s threat models
because it isn’t seen as common enough.” “Most people know not to plug
in random flash drives these days, but they aren’t expecting a cable to
be a threat,” he said. “So this helps drive home education that goes
deeper.”"
This hacker’s iPhone charging cable can hijack your computer
Techcrunch, 12 August 2019
"Elizabeth Denham, who
runs the Information Commissioner's Office, has signed a statement
alongside counterparts in the US, Canada, Australia and the European
Union. The statement said they have "shared concerns" over "privacy
risks posed". Banking chiefs, regulators and US President Donald Trump
have also expressed doubts about the currency. Monday's statement from
the privacy chiefs calls on Facebook to provide more details about how
the tech giant will protect user data. Libra, and its digital wallet
Calibra, were announced in June by a group of companies backing it, led
by Facebook. Ms Denham said: "The ambition and scope of the Libra project
has the potential to change the online payment landscape, and to offer
benefits to consumers. "But that ambition must work in tandem with
people's privacy expectations and rights. "Facebook's involvement is
particularly significant, as there is the potential to combine
Facebook's vast reserves of personal information with financial
information and cryptocurrency, amplifying privacy concerns about the
network's design and data-sharing arrangements." She said that, while
Facebook has opened talks with financial regulators, there was little
detail about how the social media company will handle customer
information. Data protection must be a key part of the dialogue over
Libra."
Facebook: UK privacy chief joins warning about cryptocurrency
BBC, 5 August 2019
"A consumer advocacy
group has warned that automakers are
rolling out new vehicles increasingly vulnerable to hackers, which could
result in thousands of deaths in the event of a mass cyberattack. In a
new report entitled "Kill Switch: Why Connected Cars Can Be Killing
Machines And How To Turn Them Off," Los Angeles-based Consumer Watchdog
said cars connected to the internet are quickly becoming the norm but
constitute a national security threat. "The troubling issue for industry
technologies is that these
vehicles' safety-critical systems are being linked to the internet
without adequate security and with no way to disconnect them in the
event of a fleet-wide hack," the report said. It said industry
executives were aware of the risk but were
nonetheless pushing ahead in deploying the technology in new vehicles,
putting corporate profit ahead of safety. The report was based on a
five-month study with the help of more than 20 whistleblowers from
within the car industry. The group of car industry technologists and
experts speculated
that a fleet-wide hack at rush hour could leave about 3,000 people dead.
"You can control all sorts of aspects of your car from your smartphone,
including starting the engine, starting the air conditioning, checking
on its location," said one of the whistleblowers, who were not
identified. "Well, if you can do it with your smartphone anybody else
can over the internet." The report recommends all connected vehicles be
equipped with an internet kill switch and that all new designs should
completely isolate safety-critical systems from internet-connected
infotainment systems or other networks. "Connecting safety-critical
systems to the internet is inherently dangerous design," said Jamie
Court, president of Consumer Watchdog. "American car makers need to end
the practice or Congress must step in to protect our transportation
system and our national security." Representatives from several of the
car companies mentioned in the report, including GM, Toyota and Ford,
could not immediately be reached for comment."
New Cars Vulnerable To Hacks That Could Leave Thousands Dead
Agence France Presse, 2 August 2019
"San Diego has installed thousands of microphones
and cameras in so-called smart streetlamps in recent years as part of a
program to assess traffic and parking patterns throughout the city.
However,
the technology over the last year caught the attention of law
enforcement. When police officers picked up Hernandez last summer, they
had never used a streetlamp camera in an investigation. Today,
such video has been viewed in connection with more than 140 police
investigations. Officers have increasingly turned to the footage to help
crack cases, as frequently as 20 times a month. Police department
officials have said that the video footage has been crucial in roughly
40 percent of these cases.... Privacy groups have voiced concerns about a
lack of oversight, as law enforcement has embraced the new technology.
Groups, such as the American Civil Liberties Union, have pushed city
councils across the country to adopt surveillance oversight ordinances
that create strict rules around using everything from license plate
readers to gunshot-detection systems to streetlamp cameras....
Authorities said that direct access is currently restricted to roughly
100 investigative officers in the sex crimes, robbery, traffic, internal
affairs and homicide units. Other members of the department’s more than
1,800 sworn officers can request access but must be cleared by a
designated authority before they view footage. This arrangement has
disturbed Matt Cagle, technology and civil liberties attorney with the
ACLU. “This sounds like the quote, ‘just trust us’ approach to
surveillance technology, which is a recipe for invasive uses and abuse
of these systems,” he said. “There needs to be meaningful oversight and
accountability. “Decisions about how to use surveillance technology
should not be made unilaterally by law enforcement or another city
agency,” he added. San Diego Mayor Kevin Faulconer declined an interview
for this story, but a spokesperson for his office said in an email that a
citywide policy to regulate use of the microphones and cameras in
streetlamps is “under development.”... Thirteen cities and counties in
the United States have adopted a version of the ACLU’s proposed
surveillance oversight legislation, including San Francisco, Oakland and
Seattle, according to the group’s website. California is also
considering a statewide bill. Suggested guidelines include mandating a
public process to review technology before it’s implemented, as well as
conducting regular audits of existing systems to document how the
surveillance technologies are being used and potentially abused.... the
cameras do not record private property or use facial recognition or
license plate reading technology. The video is stored on the device and
erased every five days if not downloaded for an investigation. The smart
streetlamps are also not recording audio, Jordon said, although they do
have the capability. He said they could be used as part of the
gunshot-detection system known as ShotSpotter, but that would be subject
to council approval. While video has been shared with federal agents
involved in local task forces, Jordon has assured elected leaders that
the footage has never been used to enforce immigration rules."
San Diego Police Department ramps up use of streetlamp video cameras, ACLU raises surveillance concerns
San Diego Union-Tribune, 5 August 2019
"British, American and other intelligence agencies from
English-speaking countries have concluded a two-day meeting in London
amid calls for spies and police officers to be given special, backdoor
access to WhatsApp and other encrypted communications. The meeting of the “Five Eyes”
nations – the UK, US, Australia, Canada and New Zealand – was hosted by
new home secretary, Priti Patel, in an effort to coordinate efforts to
combat terrorism and child abuse. Dealing with the challenge faced by increasingly effective encryption
was one of the main topics at the summit, officials said, at a time
when technology companies want to make their services more secure after a
range of security breaches. The meetings, however, were held in private with no agenda being made
public, making it difficult to conclude exactly what had been discussed
by the ministers, officials and intelligence agencies from the
countries involved. However, British ministers have privately voiced particular concerns
about WhatsApp, the widely used Facebook-owned messenger service, which
was used by, among others, the three plotters in the London Bridge
terror attack.... GCHQ,
the UK agency which monitors and breaks into communications, has
suggested that Silicon Valley companies could develop technology that
would silently add a police officer or intelligence agent to
conversations or group chats. The controversial so-called “ghost protocol” has been fiercely
opposed by companies, civil society organisations and some security
experts – but intelligence and law enforcement agencies continue to
lobby for it. Police said they had not been able to see or crack open hundreds of
WhatsApp messages sent by at least one of those involved in the London
Bridge attacks because an acquaintance of theirs had refused to hand
over his phone. WhatsApp has also been improving its security after it emerged earlier this year that a flaw had been exploited by an Israeli spyware company,
which allowed special software used by intelligence agencies to
covertly take control of a person’s phone.... The Five Eyes summit is an
annual event, first held in 2013. The
anglophone security network has become increasingly important at a time
when the UK is planning to leave the European Union."
Calls for backdoor access to WhatsApp as Five Eyes nations meet
Guardian, 30 July 2019
"NSO Group is able to secretly scrape data from the servers of the
technology giants in order to steal a person's location information,
photos or messages, The Financial Times reported
after speaking to people familiar with the firm's sales pitch. In 2018,
NSO was accused of placing spyware on the smartphone of
murdered Saudi journalist Jamal Khashoggi, though the Israeli firm
denies the accusations. According to a lawsuit filed by a
friend of
Khashoggi, Saudi Arabia used NSO's software to bug the Washington
Post columnist's phone and intercept his calls and messages."
Hackers can steal all your private data from Apple, Google, Facebook and Amazon with new malware, report claims
Independent, 20 July 2019
"The Israeli company whose spyware hacked WhatsApp
has told buyers its technology can surreptitiously scrape all of an
individual’s data from the servers of Apple, Google, Facebook, Amazon
and Microsoft, according to people familiar with its sales pitch. NSO
Group’s flagship smartphone malware, nicknamed Pegasus, has for years
been used by spy agencies and governments to harvest data from targeted
individuals’ smartphones. But it has now evolved to capture the
much greater trove of information stored beyond the phone in the cloud,
such as a full history of a target’s location data, archived messages or
photos, according to people who shared documents with the Financial
Times and described a recent product demonstration. The
documents raise difficult questions for Silicon Valley’s technology
giants, which are trusted by billions of users to keep critical personal
information, corporate secrets and medical records safe from potential
hackers. NSO denied promoting hacking or mass-surveillance tools
for cloud services. However, it did not specifically deny that it had
developed the capability described in the documents. The company
has always maintained that its software, which is designated by Israel
as a weapon, is only sold to responsible governments to help prevent
terrorist attacks and crimes. But Pegasus has been traced by researchers
to the phones of human rights activists and journalists around the
world, raising allegations that it is being abused by repressive
regimes. The new technique is said to copy the authentication
keys of services such as Google Drive, Facebook Messenger and iCloud,
among others, from an infected phone, allowing a separate server to then
impersonate the phone, including its location. This grants
open-ended access to the cloud data of those apps without “prompting
2-step verification or warning email on target device”, according to one
sales document. It works on any device that Pegasus can infect,
including many of the latest iPhones and Android smartphones, according
to the documents, and allows ongoing access to data uploaded to the
cloud from laptops, tablets and phones — even if Pegasus is removed from
the initially targeted smartphone. One pitch document from NSO’s parent
company, Q-Cyber, which was prepared for the government of Uganda
earlier this year, advertised the ability of Pegasus to “retrieve the
keys that open cloud vaults” and “independently sync-and-extract data”. Having
access to a “cloud endpoint” means eavesdroppers can reach “far and
above smartphone content”, allowing information about a target to “roll
in” from multiple apps and services, the sales pitch claimed. It is not
yet clear if the Ugandan government purchased the service, which costs
millions of dollars. Security teams at the Silicon Valley companies
potentially affected are now investigating the method, which appears to
target the industry-wide authentication techniques that have, until now,
been thought to be secure. ... Meanwhile, the $1bn company faces
lawsuits in Israel and Cyprus that
allege that it shares liability for the abuse of its software by
repressive regimes. In May, the FT reported that the company used a
vulnerability in Facebook’s WhatsApp messaging system to insert Pegasus
on smartphones."
Israeli group’s spyware ‘offers keys to Big Tech’s financial
Financial Times, 19 July 2019
"Schools in the central German state of Hesse
have been told it's now illegal to use Microsoft Office
365. The state's data-protection commissioner has ruled that using the
popular cloud platform's standard configuration exposes personal
information about students and teachers "to possible access by US
officials". That might sound like just another instance of European
concerns about data privacy or worries about the current US
administration's foreign policy. But in fact the ruling by the Hesse
Office for Data Protection and Information Freedom is the result of
several years of domestic debate about whether German schools and other
state institutions should be using Microsoft software at all. Besides
the details that German users provide when they're working with the
platform, Microsoft Office 365 also transmits telemetry data back to the
US. Last year, investigators in the Netherlands discovered that that
data could include anything from standard software diagnostics to user
content from inside applications, such as sentences from documents and
email subject lines. All of which contravenes the EU's General Data
Protection Regulation, or GDPR, the Dutch said. Germany's own Federal
Office for Information Security also recently expressed concerns about
telemetry data that the Windows operating system sends. To allay privacy
fears in Germany, Microsoft invested millions in a German cloud
service, and in 2017 Hesse authorities said local schools could use
Office 365. If German data remained in the country, that was fine,
Hesse's data privacy commissioner, Michael Ronellenfitsch, said. But in
August 2018 Microsoft decided to shut down the German service. So once
again, data from local Office 365 users would be data transmitted over
the Atlantic. Several US laws, including 2018's CLOUD Act and 2015's USA
Freedom Act, give the US government more rights to ask for data from
tech companies. It's actually simple, Austrian digital-rights advocate
Max Schrems, who took a case on data transfers between the EU and US to
the highest European court this week, tells ZDNet. School pupils are
usually not able to give consent, he points out. "And if data is sent to
Microsoft in the US, it is subject to US mass-surveillance laws. This
is illegal under EU law." Even if it weren't, public institutions in
Germany – such as schools – have a particular responsibility for what
they do with personal data, and how transparent they are about that,
Hesse's Ronellenfitsch explained in a statement."
Microsoft Office 365: Banned in German schools over privacy fears
ZDNet, 19 July 2019
"Facebook has become synonymous with
privacy violations in the year since Cambridge Analytica came to light.
Now in the same week that details of the record $5 billion FTC fine
emerged, an Australian cyber researcher has reopened a years-old debate
as to whether the social media giant is embedding "hidden codes" in
photos uploaded by users onto the site. "Facebook is embedding tracking
data inside photos you download," Edin Jusupovic claimed on Twitter,
explaining he had "noticed a structural abnormality when looking at a
hex dump of an image file from an unknown origin only to discover it
contained what I now understand is an IPTC special instruction." The IPTC
(International Press Telecommunications Council) sets technical
publishing standards, including those for image metadata. Jusupovic
described this as a "shocking level of tracking," adding that "the take
from this is that they can potentially track photos outside of their own
platform with a disturbing level of precision about who originally
uploaded the photo (and much more)."
Facebook Embeds 'Hidden Codes' To Track Who Sees And Shares Your Photos
Forbes, 14 July 2019
"The FBI wants to gather more information from social media. Today, it issued a call for contracts for a new social media monitoring tool.
According to a request-for-proposals (RFP), it's looking for an "early
alerting tool" that would help it monitor terrorist groups, domestic
threats, criminal activity and the like. The tool would provide the FBI with access to the full social media
profiles of persons-of-interest. That could include information like
user IDs, emails, IP addresses and telephone numbers. The tool would
also allow the FBI to track people based on location, enable persistent
keyword monitoring and provide access to personal social media history.
According to the RFP, "The mission-critical exploitation of social media
will enable the Bureau to detect, disrupt, and investigate an ever
growing diverse range of threats to U.S. National interests." But a
tool of this nature is likely to raise a few red flags, despite the
FBI's call for "ensuring all privacy and civil liberties compliance
requirements are met." The government doesn't have the best track record with regard to social media surveillance. Early this year, the ACLU sued the government over its use of social media surveillance of immigrants, and the Trump administration has proposed allowing officials to snoop on the social media accounts of Social Security disability recipients."
The FBI plans more social media surveillance
Engadget, 12 July 2019
"Agents with the Federal
Bureau of Investigation and
Immigration and Customs Enforcement have turned state driver’s license
databases into a facial-recognition gold mine, scanning through millions
of Americans’ photos without their knowledge or consent, newly released
documents show. Thousands of facial-recognition
requests, internal documents and emails over the past five years,
obtained through public-records requests by researchers with Georgetown
Law’s Center on Privacy and Technology and provided to The Washington
Post, reveal that federal investigators have turned state departments of
motor vehicles databases into the bedrock of an unprecedented
surveillance infrastructure. Police have long
had access to fingerprints, DNA and other “biometric data” taken from
criminal suspects. But the DMV records contain the photos of a vast
majority of a state’s residents, most of whom have never been charged
with a crime. Neither Congress nor state legislatures have authorized
the development of such a system, and growing numbers of Democratic and
Republican lawmakers are criticizing the technology as a dangerous,
pervasive and error-prone surveillance tool.... San Francisco
and Somerville, Mass., have banned their police and public agencies
from using facial-recognition software, citing concerns about
governmental overreach and a breach of public trust, and the subject is
being hotly debated in Washington.... The records show the technology
already is tightly woven into the fabric of modern law enforcement....
Vermont officials said they stopped using facial-recognition software in
2017. That year, a local chapter of the American Civil Liberties Union
revealed records showing that the state DMV had been conducting the
searches in violation of a state law that banned technology involving
“the use of biometric identifiers.” The state’s governor and attorney
general came out against the face-scanning software, citing a need to
balance public safety with residents’ privacy rights."
FBI, ICE find state driver’s license photos are a gold mine for facial-recognition searches
Washington Post, 7 July 2019
"Tesco,
a UK firm doing business in 11 countries, is testing a cashierless
store design that goes beyond Amazon's Go. Tesco is not dependent on bar
codes, RFID smart tags, or customer scanning [but on in store
cameras]."
Pick and Go: Scanning No Longer Required, Supermarkets Swap Cashiers for Cameras
Mish Talk, 7 July 2019
"Sen. Chris Coons, a Democrat from Delaware, sent a letter to Amazon CEO Jeff Bezos in May,
demanding answers on Alexa and how long it kept voice recordings and
transcripts, as well as what the data gets used for. The letter came
after CNET's report that Amazon kept transcripts of interactions with Alexa, even after people deleted the voice recordings. The
deadline for answers was June 30, and Amazon's vice president of public
policy, Brian Huseman, sent a response on June 28. In the letter,
Huseman tells Coons that Amazon keeps transcripts and voice recordings
indefinitely, and only removes them if they're manually deleted by users.
Huseman
also noted that Amazon had an "ongoing effort to ensure those
transcripts do not remain in any of Alexa's other storage systems." But
there are still records from some conversations with Alexa that Amazon
won't delete, even if people remove the audio, the letter
revealed. Privacy concerns aren't just limited to voice assistants, not
with smart technology finding its way into more household items like
doorbells and locks. And tech companies aren't always up front about
what kind of data they collect or how much control you have over
it.... In the letter to Coons, Amazon noted that for Alexa
requests that involve a transaction, like ordering a pizza or hailing a
rideshare, Amazon and the skill's developers can keep a record of that
transaction. That means that there's a record of nearly every purchase
you make on Amazon's Alexa, which can be considered personal
information. Other requests, including setting reminders and alarms,
would also remain saved, Huseman noted, saying that this was a feature
customers wanted. ... Amazon said it uses the transcripts for training
its voice assistant,
and also so customers can know what Alexa thought it heard for voice
commands. Those transcripts aren't anonymized -- Amazon explained
that
they're associated with every user's account."
Amazon Alexa keeps your data with no expiration date, and shares it too
Cnet, 2 July 2019
"Bus passengers in Bristol will be able to see how
crowded the bus they are hoping to catch will be. Google has just rolled
out a new programme called ‘transit crowdedness predictions’ so
passengers at bus stops will get an indication of whether they will be
squashed like sardines or have the back seat to themselves on their bus
into town or work. The internet giant has launched the feature on Google
Maps and Google search when people plan a route, or click on a bus stop
and a specific approaching bus. It’s being rolled out in 18 cities and
towns, including Bristol, today, and 200 cities across the
world. Google traffic maps already show up-to-the-second information on
traffic jams on the roads - and does that using the location of people’s
mobile phones as they are stuck in traffic or moving more slowly than
the road normally expects. But Google hasn’t quite worked out yet
how to transfer that information to the number of people sitting on
actual buses - the predictions won’t contain live data, but will use
predictions on reports of how crowded or empty the buses usually are at
that time of day. But the up-to-the-minute data WILL be used to provide
something many bus passengers will long for - telling people how and why
their buses will be delayed."
Google can now tell you how many people are on your bus and if it's late
Bristol Post, 28 June 2019
"Hackers working for Western intelligence agencies broke into
Russian internet search company Yandex in late 2018, deploying a rare
type of malware in an attempt to spy on user accounts, four people with
knowledge of the matter told Reuters. The malware, called Regin, is
known to be used by the “Five Eyes” intelligence-sharing alliance of the
United States, Britain, Australia, New Zealand and Canada, the sources
said. Intelligence agencies in those countries declined to comment.
Western cyberattacks against Russia are seldom acknowledged or spoken
about in public. It could not be determined which of the five countries
was behind the attack on Yandex, said sources in Russia and elsewhere,
three of whom had direct knowledge of the hack. The breach took place
between October and November 2018. Yandex spokesman Ilya Grabovsky
acknowledged the incident in a statement to Reuters, but declined to
provide further details. ... The company, widely known as “Russia’s
Google” for its array of online services from internet search to email
and taxi reservations,
says it has more than 108 million monthly users in Russia. It also
operates in Belarus, Kazakhstan and Turkey. The sources who
described the attack to Reuters said the hackers appeared to be
searching for technical information that could explain how Yandex
authenticates user accounts. Such information could help a spy agency
impersonate a Yandex user and access their private messages. The
hack of Yandex’s research and development unit was intended for
espionage purposes rather than to disrupt or steal intellectual
property, the sources said. The hackers covertly maintained access to
Yandex for at least several weeks without being detected, they said....
Reports by The Intercept, in partnership with a Dutch and Belgian
newspaper, tied an earlier version of Regin to a hack at Belgian telecom
firm Belgacom in 2013 and said British spy agency Government
Communications Headquarters (GCHQ) and the NSA were responsible. At the
time GCHQ declined to comment and the NSA denied involvement."
Western intelligence hacked 'Russia's Google' Yandex to spy on accounts - sources
Reuters, 27 June 2019
"The National Security Agency collected records about U.S. calls and
text messages that it wasn’t authorized to obtain last year, in a second
such incident, renewing privacy concerns surrounding the agency’s
maligned phone-surveillance program, according to government documents
and people familiar with the matter."
NSA Improperly Collected U.S. Phone Records a Second Time
Wall St Journal, 26 June 2019
"Mandatory SIM card registration laws require people to provide personal information, including a valid ID or even their biometrics,
as a condition for purchasing or activating a SIM card. Such a
requirement allows the state to identify the owner of a SIM card and
infer who is most likely making a call or sending a message at any given
time. SIM card registration laws are proliferating, but there is no
uniform approach. By December 2018, approximately 150 governments
required some form of proof of identity before a person could purchase a
SIM card, but what form of ID and what other information may be
required varies. In 2012, the European Commission requested that EU
states provide evidence of actual or potential benefits from mandatory
SIM card registration measures and, after examining the responses it
received, concluded there was no benefit either to assisting criminal
investigations or to the common market to having a single EU approach.
.... As of February 2019, the following countries do not have
mandatory SIM card registration laws: Andorra, Bahamas, Bosnia and
Herzegovina, Cabo Verde, Canada, Colombia, Comoros, Croatia, Czech
Republic, Denmark, Estonia, Finland, Georgia, Hong Kong, Iceland,
Ireland, Israel, Kiribati, Liechtenstein, Lithuania, Maldives, Marshall
Islands, Mexico, Micronesia, Moldova, New Zealand, Nicaragua, Portugal,
Romania, Slovenia, Solomon Islands, Sweden, United Kingdom, United
States of America. SIM card registration undermines peoples’ ability to communicate anonymously, organise, and associate with others, and it infringes their rights to privacy and freedom of expression.
By making it easier for law enforcement authorities to track and
monitor people, these laws threaten vulnerable groups and facilitate
generalised surveillance. People who lack ID, or who do not want to or
are unable to disclose such personal information, are excluded from
important spheres for formulating and sharing ideas: roughly 1 billion people
around the world lack a valid form of government ID and could be
prevented from purchasing a SIM card as a result, and journalists, human
rights defenders, and people from marginalized or minority communities
may fear harassment, intimidation, violence, or persecution if they
register. Challenging SIM card registration laws is therefore important to preserving our civic spaces and defending democracy."
Timeline of SIM Card Registration Laws
Privacy International, 11 June 2019
"A legal challenge to the UK’s controversial mass
surveillance regime has revealed shocking failures by the main state
intelligence agency, which has broad powers to hack computers and phones
and intercept digital communications, in handling people’s information.
The challenge, by rights group Liberty, led last month to an initial
finding that MI5 had systematically breached safeguards in the UK’s
Investigatory Powers Act (IPA) — breaches the Home Secretary, Sajid
Javid, euphemistically couched as “compliance risks” in a carefully
worded written statement that was quietly released to parliament. Today
Liberty has put more meat on the bones of the finding of serious legal
breaches in how MI5 handles personal data, culled from newly released
(but redacted) documents that it says describe the “undoubtedly
unlawful” conduct of the UK’s main security service which has been
retaining innocent people’s data for years. The series of 10 documents
and letters from MI5 and the Investigatory Powers Commissioner’s Office
(IPCO), the body charged with overseeing the intelligence agencies’ use
of surveillance powers, show that the spy agency has failed to meet its
legal duties for as long as the IPA has been law, according to Liberty.
The controversial surveillance legislation passed into UK law in
November 2016 — enshrining a system of mass surveillance of digital
communications which includes a provision that logs of all Internet
users’ browsing activity be retained for a full year, accessible to a
wide range of government agencies (not just law enforcement and/or spy
agencies). The law also allows the intelligence agencies to maintain
large databases of personal information on UK citizens, even if they are
not under suspicion of any crime. And sanctions state hacking of
devices, networks and services, including bulk hacking on foreign soil.
It also gives U.K. authorities the power to require a company to remove
encryption, or limit the rollout of end-to-end encryption on a future
service. In a statement, Liberty’s lawyer, Megan Goulding, said: “These
shocking revelations expose how MI5 has been illegally mishandling our
data for years, storing it when they have no legal basis to do so. This
could include our most deeply sensitive information – our calls and
messages, our location data, our web browsing history. “It is
unacceptable that the public is only learning now about these
serious breaches after the Government has been forced into revealing
them in the course of Liberty’s legal challenge. In addition to showing a
flagrant disregard for our rights, MI5 has attempted to hide its
mistakes by providing misinformation to the Investigatory Powers
Commissioner, who oversees the Government’s surveillance regime. And,
despite a light being shone on this deplorable violation of our
rights, the Government is still trying to keep us in the dark over
further examples of MI5 seriously breaching the law.”"
Liberty’s challenge to UK state surveillance powers reveals shocking failures
TechCrunch, 11 June 2019
"The Driver and Vehicle Licensing Agency (DVLA) could face an inquiry
by the information watchdog after it emerged that it released personal details of 23 million motorists last year. The Information Commissioner’s Office (ICO) has confirmed that it is
looking into issues around the sharing of driver data to third parties
after motoring groups questioned the scale of information sharing and
the legitimacy of some of the requests. According to the Times, half of the requests were made by local councils
but the DVLA also made almost £20 million in 2018 from sharing vehicle
keeper details with other groups such as private parking firms, bailiffs
and private investigators. The data represents the records of almost
two thirds of vehicle owners in the country and the level of sharing
has led to questions
about whether it abides by the General Data Protection Regulation (GDPR)
introduced last year. Anyone can request information about a vehicle or
its keeper if they have “reasonable cause” such as trying to find out
who was responsible for an accident, issuing parking tickets or tracing
the keeper of an abandoned vehicle. As well as councils, bailiffs
chasing unpaid traffic fines were responsible for 1.9m record requests
and private parking firms for 6.8m last year."
DVLA could face watchdog inquiry into sharing of driver details
inews, 10 June 2019
"Security
experts have clashed with the new reviewer of terrorism laws over his
fears that relying on technology to stop atrocities puts civil liberties
at risk. Jonathan Hall, QC, said that police and the security
services were increasingly turning to artificial intelligence and
algorithms to predict when, where and by whom terrorist attacks might be
committed. In his first interview since assuming the role Mr
Hall told The Times that “a large amount of our liberty” had been
sacrificed by citizens after “we’ve given all our data to big tech
companies”. Anti-terrorism specialists said that his views were
deeply unsettling. They claimed that in a world where terrorists were
using technology, the police and security services should not be
hampered by misplaced liberal ideology."
Experts clash with terror chief over AI threat to civil liberties
Times, 8 June 2019
"The Open
Technology Institute (OTI) has responded to GCHQ/NCSC's article on
'Principles for a More Informed Exceptional Access Debate' with an 'Open
Letter to GCHQ on the Threats Posed by the Ghost Proposal'.
'Exceptional access' is the law enforcement term for accessing encrypted
messages -- the so-called government backdoor into end-to-end
encryption services. 'Going dark' is the term law enforcement uses to
describe its inability to access encrypted messages between subjects of
interest that increasingly use encryption. 'Ghost proposal' is OTI's
term for GCHQ's proposed method to prevent going dark.... The authors
then propose possible methods of gaining access while conforming to the
principles. Encrypted cloud backups are conceptually easy: "If those
backups are encrypted, maybe we can do password guessing on big
machines," suggest the authors. It would be focused and could be given
judicial oversight and legitimacy relatively easy. Of more interest,
however, is the proposed possible route into encrypted chats in real
time. "It's relatively easy for a service provider to
silently add a law enforcement participant to a group chat or call. The
service provider usually controls the identity system and so really
decides who's who and which devices are involved -- they're usually
involved in introducing the parties to a chat or call. You end up with
everything still being end-to-end encrypted, but there's an extra 'end'
on this particular communication." This is the so-called 'ghost user'
solution. The authors state very clearly that this does not interfere
with encryption. "We're not talking about weakening encryption or
defeating the end-to-end nature of the service. In a solution like this,
we're normally talking about suppressing a notification on a target's
device, and only on the device of the target and possibly those they
communicate with." In its open letter (PDF) to GCHQ, the OTI
acknowledges that vendors' encryption algorithms will not be
manipulated, but suggest that implementing the ghost user will create
significant other problems. For example, while the encryption itself
does not need to be redeveloped, the method of authenticating users (the
check codes to ensure that the chat is between expected users) will
have to be rewritten. Susan Landau points out that the ghost proposal
"involves changing how the encryption keys are negotiated in order to
accommodate the silent listener, creating a much more complex protocol
-- raising the risk of an error." On top of this, GCHQ's own principle
of transparency over when the option is invoked will demonstrate that it
is being invoked -- meaning that users of encryption (for very
legitimate purposes such as journalism, conversations between vulnerable
people, and more) will never know, nor be able to trust, that their
conversations are genuinely confidential."
Inside GCHQ's Proposed Backdoor Into End-to-End Encryption
Security Week, 3 June 2019
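The authentication point the article makes (that the check codes confirming who is in a chat would have to be rewritten to hide an extra 'end') can be shown concretely. The following is an added example, not code from the article, from GCHQ or from OTI: a toy model in which the provider's server holds the roster of a group chat, and honest clients pin the member set they verified out of band and derive a short check code from it. All class and member names are constructed for the demonstration, and random byte strings stand in for public keys. Adding a participant on the server side changes the code and trips every honest client's membership check, which is why the proposal has to reach into the client to suppress that notification.

```python
import hashlib
import secrets


def safety_code(member_keys):
    """Order-independent SHA-256 over the (name, key) set, shortened to a
    displayable check code, in the spirit of the safety numbers that
    messaging clients show so users can confirm who is in a conversation."""
    h = hashlib.sha256()
    for name, key in sorted(member_keys.items()):
        h.update(name.encode() + b"\x00" + key + b"\x00")
    return h.hexdigest()[:16]


class Server:
    """The provider's identity system: it decides who is in the group and
    which devices are involved (hypothetical, constructed for this demo)."""

    def __init__(self):
        self.roster = {}  # member name -> public key bytes

    def register(self, name, key):
        self.roster[name] = key

    def group_view(self):
        return dict(self.roster)


class Client:
    """An honest client: pins the member set it verified out of band and
    re-checks the server's roster against that pin every session."""

    def __init__(self, name, server):
        self.name = name
        self.key = secrets.token_bytes(32)  # stands in for a public key
        self.server = server
        self.pinned = None
        self.alerts = []
        server.register(name, self.key)

    def verify_roster(self):
        """Called once the user has compared check codes out of band."""
        self.pinned = self.server.group_view()
        return safety_code(self.pinned)

    def check_session(self):
        """True if the roster still matches the pin; otherwise record an
        alert naming the unexpected member(s) and return False."""
        current = self.server.group_view()
        if current == self.pinned:
            return True
        added = sorted(set(current) - set(self.pinned))
        self.alerts.append(f"membership changed, unverified member(s) added: {added}")
        return False


def demo():
    """Two verified members, then a participant added silently by the server."""
    srv = Server()
    alice, bob = Client("alice", srv), Client("bob", srv)
    code_before = alice.verify_roster()
    bob.verify_roster()
    clean_before = all([alice.check_session(), bob.check_session()])
    # The provider adds a third participant; no peer ever verified its key.
    srv.register("ghost", secrets.token_bytes(32))
    code_after = safety_code(srv.group_view())
    clean_after = all([alice.check_session(), bob.check_session()])
    return {
        "code_before": code_before,
        "code_after": code_after,
        "clean_before": clean_before,
        "clean_after": clean_after,
        "alice_alerts": list(alice.alerts),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice is that the code covers the whole member set rather than one pairwise key, so there is no roster change the server can make that leaves the code stable. A provider that wanted the extra participant to stay invisible would therefore have to change the client's own check, which is the rewrite of the authentication step that OTI and Landau describe.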
"Visa applicants to the United
States are required to submit any information about social media
accounts they have used in the past five years under a State Department
policy that started on Friday. Such account information would give the
government access to photos, locations, dates of birth, dates of
milestones and other personal data commonly shared on social media. “We
already request
certain contact information, travel history, family member information,
and previous addresses from all visa applicants,” the State Department
said in a statement. “We are constantly working to find mechanisms to
improve our screening processes to protect U.S. citizens, while
supporting legitimate travel to the United States.”.... “This seems to
be part and parcel of the same effort to have an extraordinary broad
surveillance of citizens and noncitizens,” Elora Mukherjee, director of the Immigrants’ Rights Clinic
at Columbia Law School, said on Sunday of the latest development.
“Given the scope of the surveillance efforts, it is hard to find a
rational basis for the broad surveillance the Department of State and
the Department of Homeland Security have been doing for almost two
years.” The added requirement could dissuade visa applicants, who may
see it as a psychological barrier to enter the United States. “This
is a dangerous and problematic proposal, which does nothing to protect
security concerns but raises significant privacy concerns and First
Amendment issues for citizens and immigrants,” Hina Shamsi, the director of the American Civil Liberties Union’s National Security Project,
said on Sunday. “Research shows that this kind of monitoring has
chilling effects, meaning that people are less likely to speak freely
and connect with each other in online communities that are now essential
to modern life.” The social media
web today is a map of our contacts, associations, habits and
preferences. This kind of requirement will result in suspicion of
surveillance of travelers and their networks of friends, families and
business associates, Ms. Shamsi said, adding that the government had
failed to explain how it would use this information."
U.S. Requiring Social Media Information From Visa Applicants
New York Times, 2 June 2019
"As data collection systems continue to proliferate throughout everyday
life, it’s likely that networked bar ID surveillance systems like
PatronScan will roll out in even more cities. And with the addition of
more biometric tools, demographic data gathering, and machine learning,
your favorite bar could soon wave you in to your favorite seat and hand
you your favorite cocktail, all without glancing at your ID. To
some onlookers, PatronScan’s product raises a number of concerns about
privacy, surveillance, and discrimination. PatronScan’s reports reveal
the company logged where customers live, the household demographics for
that area, how far each customer travelled to a bar, and how many
different bars they had visited. According to the company’s own
policies, the company readily shares the information it collects on
patrons, both banned and not, at the request of police. In addition to
selling its kiosks to individual bars and nightlife establishments,
PatronScan also advertises directly to cities, suggesting that they
mandate the adoption of their service. PatronScan represents an extreme
example of the growing adoption of data collection at bars and
restaurants... once a bar adopts an ID scanning system, even innocent
patrons may never
know where their ID data will end up, or how it will be used....Like
many similar systems, the PatronScan kiosk scans a government-issued
ID’s barcode to make sure it’s legitimate and that it hasn’t already
been used by another customer at the bar. The company claims that its
system can recognize 5,000 different types of ID from around the world.
... In its marketing materials, PatronScan includes price quotes for
widescale ID scanning implementation in Austin, Seattle, and Charleston.
Representatives for Austin and Seattle said those cities had no such
contract or mandate. Officials from Charleston did not respond to
requests for comment. Among other municipalities, Sacramento and Pomona,
California both require certain bars to use ID scanners. The entire
state of Utah also requires an ID scan of any customer who appears to be
under 35. But the majority of states do not have laws specifically
regulating how and when IDs can be scanned, or how that data can be
retained or used..... In 2018, California passed a law that updated
existing rules limiting the data collection powers of ID scanner
services and the businesses that use them. The legislation was written
and championed by Assemblymember Jim Cooper, who was alarmed by
PatronScan’s roll-out in Sacramento. ..... PatronScan is far from the
only company hawking restaurant and nightlife surveillance services, but
other firms in the sector mostly focus on business services rather than
law enforcement aid. Several competing ID scanner services and point of
sale system add-ons, such as TokenWorks and Vemos, also allow a venue
to create and maintain internal digitized ban lists.... Handing over an
ID for inspection and scanning is data collection laid far more bare
than usual. But in the context of bar-hopping, it’s become almost wholly
normalized. After all, people already give up their information in
exchange for access and convenience several times every day, readily and
witlessly, obviously and obliviously. They might, one day, just as
easily let your health insurer, your boss, and the police know that
you’re there — and whether you were suddenly, and unfortunately,
eighty-sixed."
This ID Scanner Company is Collecting Sensitive Data on Millions of Bargoers
OneZero, 29 May 2019
"NSA whistleblower Edward Snowden said Thursday that people in systems
of power have exploited the human desire to connect in order to create
systems of mass surveillance. Snowden appeared at Dalhousie University in Halifax, Nova Scotia via livestream from Moscow to give a keynote address
for the Canadian university's Open Dialogue Series. Right now, he said,
humanity is in a sort of "atomic moment" in the field of computer
science. "We're in the midst of the greatest redistribution of power
since the Industrial Revolution, and this is happening because
technology has provided a new capability," Snowden said. "It's related
to influence that reaches everyone in every place," he said. "It has no
regard for borders. Its reach is unlimited, if you will, but its
safeguards are not." Without such defenses, technology is able to affect
human behavior.... Institutions can "monitor and record private
activities of people on a scale that's broad enough that we can say it's
close to all-powerful," said Snowden. They do this through "new
platforms and algorithms," through which "they're able to shift our
behavior. In some cases they're able to predict our decisions—and also
nudge them—to different outcomes. And they do this by exploiting the
human need for belonging."... "And now," he added, "these institutions,
which are both commercial and governmental, have built upon that and...
have structuralized that and entrenched it to where it has become now
the most effective means of social control in the history of our
species." "Maybe you've heard
about it," Snowden said. "This is mass surveillance." Listen to
Snowden's full remarks below. (He begins speaking around the 25-minute
mark.)"
Edward Snowden: With Technology, Institutions Have Made 'Most Effective Means of Social Control in the History of Our Species'
Common Dreams, 31 May 2019
"The world’s lawmakers have a duty to
protect children from being turned into “voodoo dolls” by the
“surveillance capitalism” of major high-tech companies, says the
Canadian chair of the international grand committee on big data, privacy
and democracy. Conservative MP Bob Zimmer offered that summary as the
multinational group of legislators wrapped its third and final day of
hearings on Parliament Hill on Wednesday. The committee is examining the
role of internet giants in safeguarding privacy and democratic rights.
Over three days, the MPs have grilled representatives from Facebook,
Amazon and other tech titans, and they lamented the fact the household
names that head those and other organizations ignored requests to
testify. They were replaced by lower-level officials who, in some cases,
declined to answer questions because they said they didn’t have the
big-picture knowledge of their celebrity bosses. Zimmer said the
hearings have been useful as he watches his own four children, aged 15
to 21, “getting more and more addicted to these phones.” “When you see
from surveillance capitalism, the whole drive, the whole business model
is to keep them glued to that phone despite the bad health that that
brings to those children – our kids. It’s all for a buck,” said Zimmer.
“We’re responsible to do something about that. We care about our kids.
We don’t want to see them turned into voodoo dolls, to be controlled by
the almighty dollar and capitalism.” Liberal and New Democrat MPs on the
committee shared that view in a rare show of domestic political unity.
That was evident across international lines as well. British MP Damian
Collins, the committee co-chair, said the hearings have shown how the
companies were “unwilling to answer direct questions about how they
gather data and how they use it.” That includes testimony by witnesses
who couldn’t explain how Facebook and Amazon interact, or how data from
the LinkedIn networking site and Microsoft (which bought it in 2016) are
integrated, said Collins. “I don’t understand why companies are
unwilling to talk openly about the tools they put in place. People may
consent to use these tools but do they understand the extent of the
data they’re sharing when they do,” said Collins. The privacy
implications of one popular online tool came under scrutiny during
Wednesday’s testimony. A security executive for the internet-browser
company Mozilla said he was shocked by the recordings of his family that
were collected and retained by Amazon’s popular Alexa voice-activated
interactive speakers. Alan Davidson, Mozilla’s vice-president of global
policy, trust and security, said the Amazon Echo, the hardware that runs
the Alexa service, is a wonderful product but when he recently examined
what his family had recorded and stored, he found the archive included
conversations among his young children. “I was shocked, honestly, and my
family was shocked to see these recordings of our young children from
years ago that are in the cloud and stored about us. It’s not to say
that something was done wrong, or unlawfully,” Davidson said. “But users
have no idea – they have no idea this data is out there and they don’t
know how it’s going to be used in the future either.”"
Big data committee wraps up third and final day of hearings on Parliament Hill
Globe and Mail, 30 May 2019
"Next week, a school district in western New York will become the first
in the United States to pilot a facial recognition system on its
students and faculty. On Monday, June 3, the Lockport City School
District will light up its Aegis system as part of a pilot project that
will make it broadly operational by Sept. 1, 2019. The district
has eight schools. The Lockport pilot comes amid increased scrutiny of
facial recognition’s efficacy across the US, including growing civil
rights concerns and worries that the tech may serve to further entrench
societal biases. Earlier this month, San Francisco banned police from
using facial recognition, and similar bills in the US hope to do the
same. Amazon has endured persistent pressure — including from its own
shareholders — for its aggressive salesmanship of its facial Rekognition
system to law enforcement agencies. Rep. Alexandria Ocasio-Cortez
expressed concern that facial recognition could be used as a form of
social control in a congressional hearing on the technology last
week....After Lockport’s initial announcement, the New York Civil
Liberties Union investigated the effort and wrote letters to the New
York State Education
Department, asking it to intervene and block the project. “This is
opening the floodgates,” Stefanie Coyle, education counsel for NYCLU,
told BuzzFeed News in an interview. “San Francisco banned this tech, and
it’s this major city closest to all the people who understand this tech
the best. Why in the world would we want this to come to New York, and
in a place where there are children?”"
The First Public Schools In The US Will Start Using Facial Recognition Next Week
Buzzfeed, 29 May 2019
"It’s 3 a.m. Do you know what
your iPhone is doing? Mine has been alarmingly busy. Even though the
screen is off and I’m snoring, apps are beaming out lots of information
about me to companies I’ve never heard of. Your iPhone probably is doing
the same — and Apple could be doing more to stop it. On a recent
Monday night, a dozen marketing companies, research firms and other
personal data guzzlers got reports from my iPhone. At 11:43 p.m., a
company called Amplitude learned my phone number, email and exact
location. At 3:58 a.m., another called Appboy got a digital fingerprint
of my phone. At 6:25 a.m., a tracker called Demdex received a way to
identify my phone and sent back a list of other trackers to pair up
with. And all night long, there was some startling behavior by a
household name: Yelp. It was receiving a message that included my IP
address — once every five minutes. Our data has a secret life in many of
the devices we use every day, from talking Alexa speakers to smart TVs.
But we’ve got a giant blind spot when it comes
to the data companies probing our phones. You might assume you can count
on Apple to sweat all the privacy details. After all, it touted in a
recent ad, “What happens on your iPhone stays on your iPhone.” My
investigation suggests otherwise. IPhone apps I discovered tracking me
by passing information to third parties — just while I was asleep —
include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington
Post and IBM’s the Weather Channel. One app, the crime-alert service
Citizen, shared personally identifiable information in violation of its
published privacy policy. And your iPhone doesn’t only feed data
trackers while you sleep. In a single week, I encountered over 5,400
trackers, mostly in apps, not including the incessant Yelp traffic.
According to privacy firm Disconnect, which helped test my iPhone, those
unwanted trackers would have spewed out 1.5 gigabytes of data over the
span of a month. That’s half of an entire basic wireless service plan
from AT&T. “This is your data. Why should it even leave your phone?
Why should it be collected by someone when you don’t know what they’re
going to do with it?” says Patrick Jackson, a former National Security
Agency researcher who is chief technology officer for Disconnect. He
hooked my iPhone into special software so we could examine the traffic.
“I know the value of data, and I don’t want mine in any hands where it
doesn’t need to be,” he told me. In a world of data brokers, Jackson is
the data breaker. He developed an app called Privacy Pro that identifies
and blocks many trackers. If you’re a little bit techie, I recommend
trying the free iOS version to glimpse the secret life of your iPhone.
Yes, trackers are a problem on phones running Google’s Android, too.
Google won’t even let Disconnect’s tracker-protection software into its
Play Store. .... Jackson’s biggest concern is transparency: If we don’t
know where our data is going, how can we ever hope to keep it
private?... Privacy policies don’t necessarily provide protection.
Citizen, the app for location-based crime reports, published
that it wouldn’t share “your name or other personally identifying
information.” Yet when I ran my test, I found it repeatedly sent my
phone number, email and exact GPS coordinates to the tracker
Amplitude....The problem is, the more places personal data flies, the
harder it becomes to hold companies accountable for bad behavior —
including inevitable breaches....What disappoints me is that the data
free-for-all I discovered is happening on an iPhone. Isn’t Apple
supposed to be better at privacy?"
It’s the middle of the night. Do you know who your iPhone is talking to?
Washington Post, 28 May 2019
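Beaconing of the kind the article describes (a report to the same host every five minutes, all night) is easy to pick out of an outbound-connection log, and the following added example, not from the Washington Post or from Disconnect, shows one way to do it. The log lines, app names and hostnames are constructed for the demonstration; the detector groups connections by app and destination and flags pairs whose inter-connection gaps are nearly constant.

```python
from datetime import datetime, timedelta
from statistics import median, pstdev


def build_sample_log():
    """Constructed outbound-traffic log (not real capture data): one app
    phones home every ~5 minutes with small jitter, another talks at
    irregular times, a third only twice. Names and hosts are invented."""
    start = datetime(2019, 5, 20, 23, 0, 0)
    lines = []
    # Periodic beacon: 24 reports at 300 s intervals; jitter pattern repeats.
    for i, off in enumerate([0, 3, -2, 1] * 6):
        t = start + timedelta(seconds=300 * i + off)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} app=ReviewApp dst=tracker.example bytes=412")
    # Irregular traffic: gaps chosen by hand so the schedule is not periodic.
    t = start
    for gap in [45, 900, 130, 1400, 60, 700, 300, 1100]:
        t += timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} app=WeatherApp dst=cdn.example bytes=9000")
    # Too few events to judge either way.
    for gap in [600, 1800]:
        t = start + timedelta(seconds=gap)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} app=FinanceApp dst=api.example bytes=200")
    return sorted(lines)  # ISO timestamps sort chronologically


def parse_line(line):
    """'<ISO time>Z app=<name> dst=<host> bytes=<n>' -> (timestamp, app, host)."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields["app"], fields["dst"]


def find_beacons(lines, min_events=6, max_jitter=0.2):
    """Flag (app, dst) pairs with at least `min_events` connections whose
    gap spread, pstdev(gaps) / median(gaps), is at most `max_jitter`.
    Both thresholds are assumptions suited to a log a few hours long."""
    stamps = {}
    for line in lines:
        ts, app, dst = parse_line(line)
        stamps.setdefault((app, dst), []).append(ts)
    flagged = {}
    for key, ts_list in stamps.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            flagged[key] = {
                "events": len(ts_list),
                "period_s": round(period),
                "jitter": round(jitter, 3),
            }
    return flagged


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for (app, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{app} -> {dst}: every ~{info['period_s']} s over {info['events']} connections")
```

A longer capture can afford a stricter jitter ratio and a higher event count. Anything legitimately driven by a timer (mail sync, push keepalives) will be flagged too, so the output is a list to review against each app's stated purpose and privacy policy, not a verdict.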
"For
nearly three weeks, Baltimore has struggled with a cyberattack by
digital extortionists that has frozen thousands of computers, shut down
email and disrupted real estate sales, water bills, health alerts and
many other services. But here is what frustrated city employees and
residents do not know: A key component of the malware that
cybercriminals used in the attack was developed at taxpayer expense a
short drive down the Baltimore-Washington Parkway at the National
Security Agency, according to security experts briefed on the case.
Since 2017, when the N.S.A. lost control of the tool,
EternalBlue, it has been picked up by state hackers in North Korea,
Russia and, more recently, China, to cut a path of destruction around
the world, leaving billions of dollars in damage. But over the past
year, the cyberweapon has boomeranged back and is now showing up in the
N.S.A.’s own backyard. It is not just in Baltimore. Security experts say EternalBlue attacks have reached a high,
and cybercriminals are zeroing in on vulnerable American towns and
cities, from Pennsylvania to Texas, paralyzing local governments and
driving up costs. The N.S.A. connection to the attacks on American
cities has not been previously reported, in part because the agency has
refused to discuss or even acknowledge the loss of its cyberweapon,
dumped online in April 2017 by a still-unidentified group calling itself
the Shadow Brokers. Years later, the agency and the Federal Bureau of
Investigation still do not know whether the Shadow Brokers are foreign
spies or disgruntled insiders. Thomas Rid, a cybersecurity expert at
Johns Hopkins University, called the Shadow Brokers episode “the most
destructive and costly N.S.A. breach in history,” more damaging than the
better-known leak in 2013 from Edward Snowden, the former N.S.A.
contractor. “The government has refused to take responsibility, or even
to answer the most basic questions,” Mr. Rid said. “Congressional
oversight appears to be failing. The American people deserve an answer.”
The N.S.A. and F.B.I. declined to comment. Since
that leak, foreign intelligence agencies and rogue actors have used
EternalBlue to spread malware that has paralyzed hospitals, airports,
rail and shipping operators, A.T.M.s and factories that produce critical
vaccines. Now the tool is hitting the United States where it is most
vulnerable, in local governments with aging digital infrastructure and
fewer resources to defend themselves. Before
it leaked, EternalBlue was one of the most useful exploits in the
N.S.A.’s cyberarsenal. According to three former N.S.A. operators who
spoke on the condition of anonymity, analysts spent almost a year
finding a flaw in Microsoft’s software and writing the code to target
it. Initially, they referred to it as EternalBluescreen because it often
crashed computers — a risk that could tip off their targets. But it
went on to become a reliable tool used in countless
intelligence-gathering and counterterrorism missions. EternalBlue
was so valuable, former N.S.A. employees said, that the agency never
seriously considered alerting Microsoft about the vulnerabilities, and
held on to it for more than five years before the breach forced its
hand.... Today, Baltimore remains handicapped as
city officials refuse to pay, though workarounds have restored some
services. Without EternalBlue, the damage would not have been so vast,
experts said. The tool exploits a vulnerability in unpatched software
that allows hackers to spread their malware faster and farther than they
otherwise could. North Korea was the
first nation to co-opt the tool, for an attack in 2017 — called
WannaCry — that paralyzed the British health care system, German
railroads and some 200,000 organizations around the world. Next was
Russia, which used the weapon in an attack — called NotPetya — that was
aimed at Ukraine but spread across major companies doing business in the
country. The assault cost FedEx more than $400 million and Merck, the
pharmaceutical giant, $670 million.... Until a decade or so ago, the most
powerful cyberweapons belonged almost exclusively to intelligence
agencies — N.S.A. officials used the term “NOBUS,” for “nobody but us,”
for vulnerabilities only the agency had the sophistication to exploit.
But that advantage has hugely eroded, not only because of the leaks, but
because anyone can grab a cyberweapon’s code once it’s used in the
wild. Some F.B.I. and Homeland
Security officials, speaking privately, said more accountability at the
N.S.A. was needed. A former F.B.I. official likened the situation to a
government failing to lock up a warehouse of automatic weapons."
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc
New York Times, 25 May 2019
"The maker of vehicle license plate readers used extensively by the US
government and cities to identify and track citizens and immigrants has
been hacked. Its internal files were pilfered, and are presently being
offered for free on the dark web to download. Tennessee-based Perceptics prides itself as "the sole
provider of stationary LPRs [license plate readers] installed at all
land border crossing lanes for POV [privately owned vehicle] traffic in
the United States, Canada, and for the most critical lanes in Mexico." In fact, Perceptics recently announced, in a pact
with Unisys Federal Systems, it had landed "a key contract by US Customs
and Border Protection to replace existing LPR technology, and to
install Perceptics next generation License Plate Readers (LPRs) at 43 US
Border Patrol check point lanes in Texas, New Mexico, Arizona, and
California." On Thursday this week, however, an individual using the pseudonym "Boris Bullet-Dodger" contacted The Register,
alerting us to the hack, and provided a list of files exfiltrated from
Perceptics' corporate network as proof. We're assuming this is the same
"Boris" involved in the CityComp hack
last month. Boris declined to answer our questions. The file names and
accompanying directories – numbering almost 65,000 – fit with the focus
of the surveillance technology biz. They include .xlsx files named for
locations and zip codes, .jpg files with names that refer to "driver"
and "scene," .docx files associated with presumed government clients
like ICE, and date-and-time stamped .jpgs and .mp4 files. And there many
other types of files: .htm, .html, .txt, .doc, .asp, .tdb, .mdb, .json,
.rtf, .xls, and .tif among others. Many of the image files, we're
guessing, are license plate captures."
Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online
The Register, 23 May 2019
"The use of "dystopian" new facial recognition
technology by British police is to be challenged in the courts for
the first time. Liberty, the human rights group, has launched a case
against South
Wales police, the UK force which has pioneered technology
capable
of mapping faces and comparing them to a database in real time.
Supporters claim facial recognition technology will
boost the safety
of citizens and could help police catch criminals and potential
terrorists. Critics have labelled it "Orwellian" and
say police have not
been transparent about how it will use people's data."
Police use of 'Orwellian' facial recognition technology faces UK legal challenge
Telegraph, 21 May 2019
"UK Home Secretary Sajid Javid has announced an Espionage Bill,
charging ahead with new laws intended to criminalise any British
copycats of Edward Snowden – and allowing a future crackdown on Huawei. The bill, said Javid, "will bring together new and
modernised powers, giving our security services the legal authority they
need" to tackle foreign spies operating on UK soil. "The
areas this work will consider includes whether
we follow allies in adopting a form of foreign agent registration and
how we update our Official Secrets Acts for the 21st century," the Home
Secretary said at New Scotland Yard earlier today. He also called for
new treason laws, which he said would be aimed at people who "betray"
Britain, whether at home or abroad. Announced during a wide-ranging
speech delivered to
police and spy agency personnel at the Metropolitan Police's London HQ,
few details were given about the proposed Espionage Bill's contents.
Much more, however, can be found in a Law Commission consultation
dating back to 2015, titled Protection of Official Data, and discussing
what was then considered a potential future Espionage Bill. Although it was supposed to be published back in
2017, having been closed to new submissions years ago, the commission's
final report on that bill has been stuck in limbo for the last two
years. Now, it seems, we know why. Most of the commission's full consultation (a
326-page PDF accessible via the link above) is concerned with what the
British state calls "unauthorised disclosures", as well as a truly
obscene section (between PDF pages 146-149) discussing legal ways and
means of letting state prosecutors carry out "authorised checks" on
juries sitting in national security and terrorism cases. These, it is
stated, should be done with a view to throwing out any jurors who might
return the wrong verdict by sympathising with the accused."
UK's planned Espionage Act will crack down on Snowden-style Brit whistleblowers, suspected backdoored gear (cough, Huawei)
The Register, 20 May 2019
"Civil Liberties Activists trying to inspire
alarm about the authoritarian potential of facial recognition
technology often point to China, where some police departments use
systems that can spot suspects who show their faces in public. A report from
Georgetown researchers on Thursday suggests Americans should also focus
their concern closer to home. The report says agencies in Chicago and
Detroit have bought real-time
facial recognition systems. Chicago claims it has not used its system;
Detroit says it is not using its system currently. But no federal or
state law would prevent use of the technology. According to contracts
obtained by the Georgetown
researchers, the two cities purchased software from a South Carolina
company, DataWorks Plus, that equips police with the ability to identify
faces from surveillance footage in real time. A description on the
company’s website says the technology, called FaceWatch Plus, “provides
continuous screening and monitoring of live video streams.” DataWorks
confirmed the existence of the systems, but did not elaborate further.
Facial recognition has long been used on static
images to identify arrested suspects and detect driver’s license fraud,
among other things. But using the technology with real-time video is
less common. It has become practical only through recent advances in AI
and computer vision, although it remains significantly less accurate
than facial recognition under controlled circumstances. Privacy
advocates say ongoing use of the technology
in this way would redefine the traditional anonymity of public spaces.
“Historically we haven’t had to regulate privacy in public because it’s
been too expensive for any entity to track our whereabouts,” says Evan
Selinger, a professor at the Rochester Institute of Technology. “This is
a game changer.”"
Cities Are Adopting Real-Time Facial Surveillance Systems
Technocracy News and Trends, 20 May 2019
"Among the mega-corporations that
surveil you, your cellphone
carrier has always been one of the keenest monitors, in constant contact
with the one small device you keep on you at almost every moment. A
confidential Facebook document reviewed by The Intercept shows that the
social network courts carriers, along with phone makers — some 100
different companies in 50 countries — by offering the use of even more
surveillance data, pulled straight from your smartphone by Facebook
itself. Offered to select Facebook partners, the data includes not just
technical information about Facebook members’ devices and use of
Wi-Fi
and cellular networks, but also their past locations, interests, and
even their social groups. This data is sourced not just from the
company’s main iOS and Android apps, but from Instagram and Messenger as
well. The data has been used by Facebook partners to assess their
standing against competitors, including customers lost to and won from
them, but also for more controversial uses like racially targeted ads.
Some experts are particularly alarmed that Facebook has marketed the
use of the information — and appears to have helped directly facilitate
its use, along with other Facebook data — for the purpose of screening
customers on the basis of likely creditworthiness. Such use could
potentially run afoul of federal law, which tightly governs credit
assessments. Facebook said it does not provide creditworthiness services
and that
the data it provides to cellphone carriers and makers does not go beyond
what it was already collecting for other uses. Facebook’s cellphone
partnerships are particularly worrisome because
of the extensive surveillance powers already enjoyed by carriers like
AT&T and T-Mobile: Just as your internet service provider is capable
of watching the data that bounces between your home and the wider
world, telecommunications companies have a privileged vantage point from
which they can glean a great deal of information about how, when, and
where you’re using your phone. AT&T, for example, states plainly in
its privacy policy that it collects and stores information “about the
websites you visit and the mobile applications you use on our networks.”
Paired with carriers’ calling and texting oversight, that accounts for
just about everything you’d do on your smartphone."
Thanks to Facebook, Your Cellphone Company Is Watching You More Closely Than Ever
The Intercept, 20 May 2019
"Cars produced
today are essentially smartphones with wheels. For drivers, this has
meant many new features: automatic braking, turn-by-turn directions,
infotainment. But for all the things we’re getting out of our connected
vehicles, carmakers are getting much, much more: They’re constantly
collecting data from our vehicles. Today’s
cars are equipped with telematics, in the form of an always-on wireless
transmitter that constantly sends vehicle performance and maintenance
data to the manufacturer. Modern cars collect as much as 25 gigabytes of
data per hour, the consulting firm McKinsey estimates,
and it’s about much more than performance and maintenance. Cars not
only know how much we weigh but also track how much weight we gain. They
know how fast we drive, where we live, how many children we have — even
financial information. Connect a phone to a car, and it knows who we
call and who we text. But who owns and, ultimately, controls that data?
And what are carmakers doing with it? The issue of ownership is murky.
Drivers usually sign away their rights to data in a small-print clause
buried in the ownership or lease agreement. It’s not unlike buying a
smartphone. The difference is that most consumers have no idea vehicles
collect data. We know our smartphones, Nests and Alexas collect data,
and we’ve come to accept an implicit contract: We trade personal
information for convenience. With cars, we have no such expectation."
Your Car Knows When You Gain Weight
New York Times, 20 May 2019
"Google has been quietly keeping track of nearly every single online
purchase you’ve ever made, thanks to purchase receipts sent to your
personal Gmail account, according to a new report today from CNBC.
Even stranger: this information is made available to you via a private
web tool that’s been active for an indeterminate amount of
time.....Google, like Facebook, knows an immense amount of information
about you,
your personal habits, and, yes, what you buy on the internet. And like
the social network it dominates the online advertising industry
alongside, Google gets this information mostly through background data
collection using methods and tools its users may not be fully aware of,
like Gmail purchase receipts."
Google has been tracking nearly everything you buy online — see for yourself with this tool
The Verge, 17 May 2019
"Google
tracks a lot of what you buy, even if you purchased it elsewhere, like
in a store or from Amazon. Last week, CEO Sundar Pichai wrote a New York
Times op-ed
that said “privacy cannot be a luxury good.” But behind the scenes,
Google is still collecting a lot of personal information from the
services you use, such as Gmail, and some of it can’t be easily deleted. A page called “Purchases”
shows an accurate list of many — though not all — of the things I’ve
bought dating back to at least 2012. I made these purchases using online
services or apps such as Amazon, DoorDash or Seamless, or in stores
such as Macy’s, but never directly through Google. But because the
digital receipts went to my Gmail account, Google has a list of info
about my buying habits. Google even knows about things I long forgot I’d
purchased..."
Google uses Gmail to track a history of things you buy — and it’s hard to delete
CNBC, 17 May 2019
"As San Francisco’s Board of Supervisors prepared to vote Tuesday on an ordinance forbidding city agencies to use facial recognition technology,
some proponents of the measure were uncertain if they had the necessary
support. Two of the legislators who were for it had called in sick. But
Brian Hofer, a paralegal who had drafted the ordinance, seemed unfazed.
Sitting in the back of a chamber in City Hall, he wrote and rewrote a
draft of a post for Twitter in which he would proclaim victory after the
ban passed.... Mr. Hofer is little known outside California, but his
anti-surveillance measures have been making waves in the state. He
successfully pressed the Northern California cities of Richmond and
Berkeley, which have sanctuary policies, to end their contracts with
tech companies like Amazon and Vigilant Solutions that do business with
Immigration and Customs Enforcement. In Santa Clara County, in Oakland
and elsewhere, he has secured transparency laws around surveillance
technology. His campaigns are just
beginning. In Berkeley and Oakland, Mr. Hofer is pushing for more facial
recognition bans. He has two additional privacy proposals winding their
way through the state’s legislative process, focused on reining in
surveillance technology. And he is establishing a nonprofit, Secure
Justice, that will grapple with technology issues. “My
primary concern is when the state abuses its power, and because of the
age we live in, it’s probably going to occur through technology and data
mining,” Mr. Hofer said. “That’s where I see the most potential harm
occurring. So I just wanted to jump right in.”... Mr.
Hofer started to hold technology accountable in 2014 when he heard
about a new surveillance system in Oakland. The system, the Domain
Awareness Center, was designed to aggregate data from security cameras,
license plate readers, gunshot detectors and other technology....Mr.
Hofer took on a range of anti-surveillance initiatives. He began
drafting legislation that would force cities to be transparent about the
surveillance systems they deployed, or to cut technological ties with
ICE. He said he did not consider himself anti-tech and was just trying
to prevent the authorities from abusing the power of technology. The
facial recognition bans are Mr. Hofer’s latest cause, partly because he
sees an opportunity to cut off the technology before it becomes
widespread and entrenched, he said. “On balance, it’s such a dramatic
shift in power that for the first time, aggressively, I want to say this
is where we draw the line,” said Mr. Hofer, who worked with the
American Civil Liberties Union and others to push the San Francisco
ordinance through. Last Thanksgiving, Mr. Hofer experienced
the surveillance technology he has been examining firsthand. Police
officers in Contra Costa County, using an automated license plate reader
tool, pulled him over and accused him of stealing the rental car he was
driving. Mr. Hofer said he had recognized the tool — it was made by
Vigilant Solutions, a target of his sanctuary city ordinances. “It
showed me the real-world consequences of these sometimes speculative,
hypothetical arguments that I’ve been making,” he said. Eventually, the
officers realized that the car had been stolen months earlier and that,
when it was recovered, its plates were not removed from a list of stolen
vehicles, Mr. Hofer said. He was released and is suing the Contra Costa
County sheriff’s department, claiming civil rights violations. On
Tuesday, Catherine Stefani was the lone supervisor to vote against the
ban, which passed 8 to 1. The legislation was “well intentioned” but
required more work before it could be put into effect, she said. She
worried that city departments would need to hire new staff to manage the
transparency requirements and that the ordinance would create budget
problems. After the vote, Mr. Hofer and other supporters huddled in the
hallway to debrief. He sent his victory tweet, crediting Mr. Peskin for
championing the ban and noting that it was the first of its kind. Matt
Cagle, an attorney with the A.C.L.U. who worked with Mr. Hofer on the
ordinance, said he had already received phone calls from regulators
across the country who were curious about it. “The desire not to be
tracked when you walk down the street or watch-listed by a secret
algorithm, these are shared values across the United States,” Mr. Cagle
said. “We fully expect this vote and this ordinance to inspire other
communities to take control of these important decisions.”"
The Man Behind San Francisco’s Facial Recognition Ban Is Working on More. Way More.
New York Times, 15 May 2019
"An Israeli firm accused of
supplying
tools for spying on human-rights activists and journalists now faces
claims that its technology can use a security hole in WhatsApp, the
messaging app used by 1.5 billion people, to break into the digital
communications of iPhone and Android phone users. Security
researchers said they had found so-called spyware — designed to take
advantage of the WhatsApp flaw — that bears the characteristics of
technology from the company, the NSO Group. WhatsApp
engineers worked around the clock to patch the vulnerability and
released a patch on Monday. They encouraged customers to update their
apps as quickly as possible.....The
spyware was used to break into the phone of a London lawyer who has
been involved in lawsuits that accused the company of providing tools to
hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a
Qatari citizen; and a group of Mexican journalists and activists, the
researchers said. There may have been other targets, they said. Digital
attackers could use the vulnerability to insert malicious code and
steal data from an Android phone or an iPhone simply by placing a
WhatsApp call, even if the victim did not pick up the call. As
WhatsApp’s engineers examined the vulnerability, they concluded that it
was similar to other tools from the NSO Group, because of its digital
footprint. The lawyer, who spoke on
the condition of anonymity because he feared retribution, said he had
grown suspicious that his phone had been hacked when he started missing
WhatsApp video calls from Norwegian telephone numbers at odd hours. The
lawyer contacted Citizen Lab at the Munk School of Global Affairs at the
University of Toronto, which has helped uncover the use of NSO Group
products in attacks on journalists, dissidents and activists. Ten
days ago, as Citizen Lab was looking into the incident, engineers at
WhatsApp discovered what they described as abnormal voice calling
activity on their systems, said a WhatsApp employee familiar with the
investigation, who spoke on the condition of anonymity because the
investigation was continuing. WhatsApp
alerted human-rights organizations about the threat and learned from
Citizen Lab that the vulnerability had been used to target the lawyer.
WhatsApp said it had alerted the Justice Department to the attack. The
WhatsApp flaw was first reported Monday by The Financial Times. The products of the NSO Group, which operated in secret for years, were found in 2016
as part of a spying campaign on the iPhone of a now-jailed human-rights
activist in the United Arab Emirates through undisclosed Apple security
vulnerabilities. Since then, the NSO Group’s spyware has been found on
the iPhones of journalists, dissidents and even nutritionists. The
company has long advertised that its products are sold to government
agencies solely for fighting terrorism and aiding law enforcement
investigations. The NSO Group said in
a statement on Monday that its spyware was strictly licensed to
government agencies and that it would investigate any “credible
allegations of misuse.” The company said it would not be involved in
identifying a target for its technology, including the lawyer at the
center of the latest accusations. NSO’s
response is consistent with previous responses from the Israeli firm,
which claims to have an in-house ethics committee that decides whether
or not to sell to countries based on their human-rights records. But
increasingly, NSO’s spyware has been discovered in use by governments
with questionable human-rights records like the United Arab Emirates,
Saudi Arabia and Mexico. The Israeli
company sold a stake to Novalpina, a British private equity firm, in a
leveraged buyout deal last year that valued it at nearly $1 billion."
Israeli Firm Tied to Tool That Uses WhatsApp Flaw to Spy on Activists
New York Times, 13 May 2019
"A vulnerability in the messaging app WhatsApp has allowed attackers
to inject commercial Israeli spyware on to phones, the company and
a spyware technology dealer said. WhatsApp,
which is used by 1.5bn people worldwide, discovered in early May that
attackers were able to install surveillance software on to both iPhones
and Android phones by ringing up targets using the app’s phone call
function. The malicious code, developed by the secretive Israeli
company NSO Group, could be transmitted even if users did not answer
their phones, and the calls often disappeared from call logs, said the
spyware dealer, who was recently briefed on the WhatsApp hack. WhatsApp
is too early into its own investigations of the vulnerability to
estimate how many phones were targeted using this method, a person
familiar with the issue said. As late as Sunday, as WhatsApp
engineers raced to close the loophole, a UK-based human rights lawyer’s
phone was targeted using the same method. Researchers at the
University of Toronto’s Citizen Lab said they believed that the spyware
attack on Sunday was linked to the same vulnerability that WhatsApp was
trying to patch. NSO’s flagship product is Pegasus, a program that
can turn on a phone’s microphone and camera, trawl through emails and
messages and collect location data. NSO advertises its products to
Middle Eastern and Western intelligence agencies, and says Pegasus is
intended for governments to fight terrorism and crime. NSO was recently
valued at $1bn in a leveraged buyout that involved the UK private equity
fund Novalpina Capital. In the past, human rights campaigners in
the Middle East have received text messages over WhatsApp that contained
links that would download Pegasus to their phones.... Amnesty International, which identified an attempt to hack into the
phone of one its researchers, is backing a group of Israeli citizens and
civil rights group in a filing in Tel Aviv asking the ministry of
defence to cancel NSO’s export licence. “NSO Group sells its
products to governments who are known for outrageous human rights
abuses, giving them the tools to track activists and critics. The attack
on Amnesty International was the final straw,” said Danna Ingleton,
deputy director of Amnesty Tech. “The Israeli ministry of defence
has ignored mounting evidence linking NSO Group to attacks on human
rights defenders. As long as products like Pegasus are marketed without
proper control and oversight, the rights and safety of Amnesty
International’s staff and that of other activists, journalists and
dissidents around the world is at risk.”"
WhatsApp voice calls used to inject Israeli spyware on phones
Financial Times, 13 May 2019
"In a very short time, China’s surveillance
capability has become
immensely sophisticated and now extends beyond keeping tabs on political
dissidents to developing a system for monitoring the behavior of the
entire population. You could, in fact, argue that the technologies that
once promised to be a liberating force are now just as easily deployed
to stifle dissent, entrench authoritarianism and shame and prosecute
those the Orwellian government of President Xi Jinping deems out of
line..... While we once hoped the internet would deliver us freedom of
expression,
the ability to communicate freely across borders and even be a channel
for dissenting views, we now see the very opposite is occurring. Worse,
the Chinese model is now being exported. Wired magazine has reported
that China is “exporting its techno-dystopian model to other countries …
Since January 2017, Freedom House counted 38 countries where Chinese
firms have built internet infrastructure, and 18 countries using AI
surveillance developed by the Chinese.” The scale of China’s domestic
surveillance apparatus is extraordinary. The country is in the process
of developing a “social credit” system which has been described as Big
Brother, Black Mirror and every dystopian future sci-fi writers have
ever dreamed up all rolled into one, and which is due to be operational
next year. The social credit system will enable the government and
others to access details of people’s behavior, rate them and make them
publicly available. The potential to “name and shame” people for minor
lapses such as late-paying of bills is obvious but so is the way such
ratings could also be employed to deny citizens employment or to justify
detaining them for political reasons. Both in the west and in China,
the use of the internet to track individuals is facilitating oppression
and paving the way towards authoritarianism....What is happening in Orwellian China today is a
warning to us in the
west that the freedoms we have so blithely taken for granted are already
being compromised...."
Is Chinese-style surveillance coming to the west?
Guardian, 7 May 2019
"Apple CEO Tim Cook
is calling out fellow
tech industry titans for violating users’ privacy rights and expressing
concern about how much time iPhone customers and their children are
spending using Apple products. Cook also mentioned Facebook and Google
after criticizing sites that sell people’s data, saying such sites can
obtain more information in secret than a ‘peeping Tom.’ His
highly-critical comments were made during an exclusive ABC News
interview with Diane Sawyer that aired on Friday. ....Cook
previously denounced Facebook and
other tech companies for hoarding ‘industrial’ amounts of users’ private
data during a privacy conference at the European Parliament in Brussels
in October. He characterized the issue of online privacy as a
‘crisis’ on Friday. ‘Privacy in itself has become a crisis. I think it’s
a crisis,’ he said."
Apple CEO Tim Cook slams ‘Peeping Tom’ website
Infosurhoy, 7 May 2019
"A NEW commodity spawns a lucrative, fast-growing industry,
prompting antitrust regulators to step in to restrain those who control
its flow. A century ago, the resource in question was oil. Now similar
concerns are being raised by the giants that deal in data, the oil of
the digital era. These titans—Alphabet (Google’s parent company),
Amazon, Apple, Facebook and Microsoft—look unstoppable. They are the
five most valuable listed firms in the world. Their profits are surging:
they collectively racked up over $25bn in net profit in the first
quarter of 2017. Amazon captures half of all dollars spent online in
America. Google and Facebook accounted for almost all the revenue growth
in digital advertising in America last year. Such dominance has
prompted calls for the tech giants to be broken up, as Standard Oil was
in the early 20th century. This newspaper has argued against such
drastic action in the past. Size alone is not a crime. The giants’
success has benefited consumers.... But there is cause for concern. Internet companies’ control of data
gives them enormous power. Old ways of thinking about competition,
devised in the era of oil, look outdated in what has come to be called
the “data economy” (see Briefing).
A new approach is needed. What has changed? Smartphones and the
internet have made data abundant, ubiquitous and far more valuable.
Whether you are going for a run, watching TV or even just sitting in
traffic, virtually every activity creates a digital trace—more raw
material for the data distilleries. As devices from watches to cars
connect to the internet, the volume is increasing: some estimate that a
self-driving car will generate 100 gigabytes per second. Meanwhile,
artificial-intelligence (AI) techniques such as machine learning extract
more value from data. Algorithms can predict when a customer is ready
to buy, a jet-engine needs servicing or a person is at risk of a
disease. Industrial giants such as GE and Siemens now sell themselves as
data firms. This abundance of data changes the nature of competition.
Technology giants have always benefited from network effects: the more
users Facebook signs up, the more attractive signing up becomes for
others. With data there are extra network effects. By collecting more
data, a firm has more scope to improve its products, which attracts more
users, generating even more data, and so on. The more data Tesla
gathers from its self-driving cars, the better it can make them at
driving themselves—part of the reason the firm, which sold only 25,000
cars in the first quarter, is now worth more than GM, which sold 2.3m.
Vast pools of data can thus act as protective moats.... The nature of
data makes the antitrust remedies of the past less useful. Breaking up a
firm like Google into five Googlets would not stop network effects from
reasserting themselves: in time, one of them would become dominant
again. A radical rethink is required—and as the outlines of a new
approach start to become apparent, two ideas stand out. The first is
that antitrust authorities need to move from the industrial era into the
21st century. When considering a merger, for example, they have
traditionally used size to determine when to intervene. They now need to
take into account the extent of firms’ data assets when assessing the
impact of deals. The purchase price could also be a signal that an
incumbent is buying a nascent threat. On these measures, Facebook’s
willingness to pay so much for WhatsApp, which had no revenue to speak
of, would have raised red flags. ... The second principle is to loosen the grip that providers of online
services have over data and give more control to those who supply them.
More transparency would help: companies could be forced to reveal to
consumers what information they hold and how much money they make from
it. Governments could encourage the emergence of new services by opening
up more of their own data vaults or managing crucial parts of the data
economy as public infrastructure, as India does with its
digital-identity system, Aadhaar."
The world’s most valuable resource is no longer oil, but data
Economist, 6 May 2017
"Apple CEO Tim Cook called online privacy a "crisis" in an interview with ABC News,
reaffirming the company's stance on privacy as companies like Facebook
and Google have come under increased scrutiny regarding their handling
of consumer data. "Privacy in itself has become a crisis," Cook told ABC's Diane Sawyer.
"It's of that proportion — a crisis." Unlike companies such as Google and Facebook, Apple's business isn't
focused on advertising, and therefore it does not benefit from
collecting data to improve ad targeting. "You are not our product," he
said. "Our products are iPhones and
iPads. We treasure your data. We wanna help you keep it private and keep
it safe." Cook cited the vast amount of personal information available
online when explaining why privacy has become such an important issue to
address. "The people who track on the internet know a lot more about
you than if somebody's looking in your window," he said. "A lot more." "
Apple CEO Tim Cook says digital privacy 'has become a crisis'
Business Insider, 4 May 2019
"The intelligence community’s annual transparency report revealed a
spike in the number of warrantless searches of Americans’ data in 2018.
The data, published Tuesday by the Office of the Director of National
Intelligence (ODNI), revealed a 28% rise in the number of targeted
search terms used to query massive databases of collected Americans’
communications. Some 9,637 warrantless search queries of the contents of
Americans’ calls, text messages, emails and other communications were
conducted by the NSA during 2018, up from 7,512 searches on the year
prior, the report said....The NSA conducts these searches under its so-called Section 702 powers, reauthorized in 2018 despite heated opposition
by a bipartisan group of pro-privacy senators. These powers allow the
NSA to collect intelligence on foreigners living overseas by tapping
into the phone networks and undersea cables owned by U.S. phone
companies. The powers also allow the government to obtain data in secret
from U.S. tech companies. But the massive data collection effort also
inadvertently vacuums up the data of Americans, who are typically protected from unwarranted searches under the Fourth Amendment.
The report also noted a 27% increase in the number of foreigners
whose communications were targeted by the NSA during the year. In total,
an estimated 164,770 foreign individuals or groups were targeted with
search terms used by the NSA to monitor their communications, up from
129,080 on the year prior. It’s the largest year-over-year leap in
foreign surveillance to date. The report also said the NSA collected at
most 434.2 million phone
records on Americans, down from 534.3 million records on the year
earlier. The government said the figures likely had duplicates. The
phone records collection program was the first classified NSA program
disclosed by whistleblower Edward Snowden, which revealed a secret court order compelling Verizon
— which owns TechCrunch — to turn over daily phone records on millions
of Americans. The program was later curtailed following the introduction of the Freedom Act. Earlier this month, the NSA reportedly asked the White House to end the program altogether, citing legal troubles. Despite the apparent rollback of the program, the NSA still reported
164,770 queries of Americans’ phone records, more than a five-fold
increase on the year earlier. Last week, the Trump administration revealed it had been denied 30
surveillance applications by the Foreign Intelligence Surveillance
Court, a specialist closed-door court that grants the government
authority to spy inside the U.S., where surveillance is typically
prohibited. Since figures were made available in 2015 following the Edward Snowden disclosures, the number of denials has trended upwards."
NSA says warrantless searches of Americans’ data rose in 2018
TechCrunch, 30 April 2019
"In a blow to consumers' privacy, the addresses and demographic details of more than 80 million US
households were exposed on an unsecured database stored on the cloud,
independent security researchers have found. The
details included names, ages and genders as well as income levels and
marital status. The researchers, led by Noam Rotem and Ran Locar, were
unable to identify the owner of the database, which until Monday was
online and required no password to access. Some of the information was
coded, like gender, marital
status and income level. Names, ages and addresses were not coded. The
data didn't include payment information or Social Security numbers. The
80 million households affected make up well over half of the households
in the US, according to Statista.... It's one more example of a widespread problem with cloud data storage,
which has revolutionized how we store valuable information. Many
organizations don't have the expertise to secure the data they keep on
internet-connected servers, resulting in repeated exposures of sensitive
data. Earlier in April, a researcher revealed that patient information
from drug addiction treatment centers was exposed on an unsecured database. Another researcher found a giant cache of Facebook user data
stored by third-party companies on another database that was publicly
visible.... The cache of demographic information included data about adults aged 40
and older. Many people listed are elderly, which Rotem said could put
them at risk from scammers tempted to use the information to try to
defraud them."
Cloud database removed after exposing details on 80 million US households
CNet, 29 April 2019
"Eyeing that can of soda in the supermarket cooler? Or maybe you're craving a pint of ice
cream? A camera could be watching you. But it's not there to see if
you're stealing. These cameras want to get to know you and what you're
buying. It's a new technology being trotted out to retailers,
where cameras try to guess your age, gender or mood as you walk by. The
intent is to use the information to show you targeted real-time ads on
in-store video screens. Companies are pitching retailers to bring the technology
into their physical stores as a way to better compete with online rivals
like Amazon that are already armed with troves of information on their
customers and their buying habits. With store cameras, you may not even realize you are
being watched unless you happen to notice the penny-sized lenses. And
that has raised concerns over privacy. "The creepy factor here is definitely a 10 out of 10,"
said Pam Dixon, the executive director of the World Privacy Forum, a
nonprofit that researches privacy issues....Jon Reily, vice president of commerce strategy at consultancy
Publicis.Sapient, said retailers risk offending customers who may be
shown ads that are aimed at a different gender or age group.
Nonetheless, he expects the embedded cameras to be widely used in the
next four years as the technology gets more accurate, costs less and
shoppers become used to it. For now, he said, "we are still on the
creepy side of the scale."
Kroger, Walgreens testing cameras that guess your age, sex
Associated Press, 23 April 2019
"The US immigration system was designed to track who comes into the country, not who leaves. For more
than two decades, authorities have been trying to find an effective way
to keep tabs on departing foreigners—and those who overstay their visas.
US Customs and Border Protection (CBP) now says it’s found a solution:
facial recognition. It expects to be able to scan 97% of commercial
passengers within the next four years, according to a report released by
the Department of Homeland Security today.... Critics say this CBP use
of artificial intelligence is an invasion of privacy. They worry about
how the information could be used. CBP says the images are encrypted and
that it only keeps them for a brief period of time."
The US wants to scan the faces of all air passengers leaving the country
Quartz, 17 April 2019
"If you're one of the millions of people with a Google account, you have a Google Maps Timeline. It
might be blank — it's tied to the Location History setting that caused
more confusion than needed because of its name, and it checks in
periodically on every mobile device tied to your account once you've
agreed and opted in. For some people, this is helpful for things like
calculating mileage, for others, it may be a cool thing to see where
you've been. For law enforcement, though, it's become a way to cast a
very wide net when looking to see just who might have been around during
a crime according to an eye-opening piece by the New York Times.
It's not a foolproof way to catch the bad guys and a lot of the
details about how officials can use the information are a bit cryptic.
But a recent case in Phoenix sheds a little light on how the service is
being used, or abused, depending on your point of view. Google, like
every company in the U.S., has to provide any information that is
accompanied by a lawful subpoena. The company has a fairly good history
of fighting these subpoenas, but in the end, a lot of data gets handed
over when requested. Google's database of where you've been, internally
known as Sensorvault, helps the company show you location based
interests and ads. A new breed of warrant, which the NYT aptly calls
geofence warrants, taps into the Sensorvault database in a way that would
make the framers of the fourth amendment shiver. Law enforcement can
take the location and time of a crime and have Google tell them who was
in the area. Google has a novel way to attempt to anonymize the data —
the company provides a set of tokens that portray an account that police
can track and then ask for more precise and identifying data for the
ones that fit the scope of an investigation based on other evidence,
such as video or eye-witnesses. The case profiled by the Times shows how
this can backfire — a man who lent his car to a person who committed a
crime and was unlucky enough to be in the vicinity when it was committed
was arrested and spent a week in jail as a suspect in a murder case."
Police are using the Google Maps Timeline to collect location information for cases
Android Central, 14 April 2019
"Sneezes and homophones – words that sound like other words – are
tripping smart speakers into allowing strangers to hear recordings of
your private conversations. These strangers live an eerie existence, a little like the Stasi agent in the movie The Lives of Others.
They're contracted to work for the device manufacturer – machine
learning data analysts – and the snippets they hear were never intended
for third-party consumption. Bloomberg has unearthed
the secrets of Amazon's analysts in Romania, reporting on their work
for the first time. "A global team reviews audio clips in an effort to
help the voice-activated assistant respond to commands," the newswire
wrote. Amazon has not previously acknowledged the existence of this
process, or the level of human intervention. The Register asked Apple, Microsoft and
Google, which all have smart search assistants, for a statement on the
extent of human involvement in reviewing these recordings – and their
retention policies. None would disclose the information by the time of publication."
As Alexa's secret human army is revealed, we ask: Who else has been listening in on you?
Register, 11 April 2019
"Security researchers have discovered that a powerful surveillance app first designed for Android devices can now target victims with iPhones. Researchers at mobile security firm Lookout, who found the spy app,
said its developer abused their Apple-issued enterprise certificates to
bypass the tech giant’s app store to infect unsuspecting victims. The
disguised carrier assistance app once installed can silently grab
a victim’s contacts, audio recordings, photos, videos and other device
information — including their real-time location data. It can be
remotely triggered to listen in on people’s conversations, the
researchers found. Although there was no
data to show who might have been targeted, the researchers noted that
the malicious app was served from fake sites purporting to be cell
carriers in Italy and Turkmenistan. Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities. The Android app, dubbed Exodus, ensnared hundreds of victims — either
by installing it or having it installed. Exodus had a larger feature
set and expanded spying capabilities by downloading an additional
exploit designed to gain root access to the device, giving the app near
complete access to a device’s data, including emails, cellular data,
Wi-Fi passwords and more, according to Security Without Borders."
A powerful spyware app now targets iPhone owners
TechCrunch, 8 April 2019
"China has quite the reputation for monitoring its citizens, and it feels like various parts of the country
are constantly figuring out new ways to use gadgets to that end — RFID
chips in cars, facial recognition sunglasses, and location-tracking
uniforms for students each made headlines in the past year. Now, you can
add sanitation workers with GPS-equipped tracking bracelets to the
list. On April 3rd, news broke that sanitation workers in Nanjing,
China’s Hexi district were being required to wear GPS-tracking smart
bracelets to not only monitor their location at all times, but audibly
prod them if they stopped moving for more than 20 minutes. Just one day
later, the South China Morning Post reports, public pressure had mounted
to the point that the local sanitation company decided to walk things
back a bit — but only by removing the most obnoxious part of the system.
Now, the bracelets will no longer say “please continue working” if a
worker decides to stay in one place, but they’ll reportedly still track
workers just the same."
These Chinese sanitation workers have to wear location-tracking bracelets now
The Verge, 6 April 2019
"The European Commission is on board with new road-safety regulations that
will mandate that vehicles are equipped with life-saving tech, which it
says could have as much impact as laws forcing car makers to install
seat belts. The new laws would require auto-makers to equip new vehicles
with cameras and sensors to control speed, assist drivers with lane
keeping and reversing, and monitor drowsiness and distractions from
smartphones. The laws would also mandate that cars, vans, trucks
and buses are equipped with an aircraft-like 'blackbox' to retain data
about accidents after they occur. Safety features covered under
the proposal are already available in many luxury models from the likes
of Tesla and BMW, but the rules would force manufacturers to include
them in cheaper vehicles, too.... As per The Guardian,
despite Brexit, the UK intends to adopt the EU regulations if they're
approved, which is likely to happen at the European Parliament in
September. The speed limiter, known as intelligent speed adaption
(ISA), relies on GPS and online maps to restrict the speed of a vehicle
to the road speed limit.... The cameras would also detect if a driver is distracted, monitoring for
example whether they're looking at a smartphone rather than keeping
their eyes on the road."
Mandatory speed limiters for all cars: Europe just agreed to change driving forever
ZDNet, 27 March 2019
"Speed limiting technology looks set to become mandatory for all vehicles sold in Europe from 2022, after new
rules were provisionally agreed by the EU. The Department for Transport
said the system would also apply in the UK, despite Brexit. The idea
that cars will be fitted with speed limiters - or to put it
more accurately, "intelligent speed assistance" - is likely to upset a
lot of drivers. Many of us are happy to break limits when it suits us
and don't like the idea of Big Brother stepping in... Under the ISA
system, cars receive information via GPS and a digital map, telling the
vehicle what the speed limit is. This can be combined with a video
camera capable of recognising road signs.....Safety measures approved by
the European Commission included intelligent
speed assistance (ISA), advanced emergency braking and lane-keeping
technology.... Under the ISA system, cars receive information via GPS
and a digital map, telling the vehicle what the speed limit is. This can
be combined with a video camera capable of recognising road signs. It's
already coming into use. Ford, Mercedes-Benz, Peugeot-Citroen,
Renault and Volvo already have models available with some of the ISA
technology fitted."
Road safety: UK set to adopt vehicle speed limiters
BBC Online, 27 March 2019
"About 1,600 people have been secretly filmed in motel rooms in South Korea, with the footage
live-streamed online for paying customers to watch, police said
Wednesday. Two men have been arrested and another pair investigated in
connection with the scandal, which involved 42 rooms in 30
accommodations in 10 cities around the country. Police said there was no
indication the businesses were complicit in the scheme. In South Korea,
small hotels of the type involved in this case are generally referred
to as motels or inns. Cameras were hidden inside digital TV boxes, wall
sockets and hairdryer holders and the footage was streamed online, the
Cyber Investigation Department at the National Police Agency said in a
statement. The site had more than 4,000 members, 97 of whom paid a
$44.95 monthly fee to access extra features, such as the ability to
replay certain live streams. Between November 2018 and this month,
police said, the service brought in upward of $6,000. "There was a
similar case in the past where illegal cameras were (secretly installed)
and were consistently and secretly watched, but this is the first time
the police caught where videos were broadcast live on the internet,"
police said. South Korea has a serious problem with spy cameras and illicit filming.
In 2017, more than 6,400 cases of illegal filming were reported to
police, compared to around 2,400 in 2012. Last year, tens of thousands
of women took to the streets of Seoul and other cities to protest
against the practice and demand action, under the slogan "My Life is Not
Your Porn." In response, Seoul launched a special squad of women
inspectors who have been conducting regular inspections of the city's
20,000 or so public toilets to search for spy cameras, though some
critics have denounced the move as a superficial response to a societal
issue."
Hundreds of motel guests were secretly filmed and live-streamed online
CNN, 21 March 2019
"Tim Berners-Lee is credited with creating the World Wide Web on March
12, 1989, which means this week it hits its 30th birthday. Monday, the
eve of the anniversary, Berners-Lee spoke to a group of reporters,
according to AFP, discussing
the flaws surrounding his invention, such as misinformation, scams and
cybercrime, and the struggle for control over personal data. "You should
have complete control of your data. It's not oil. It's
not a commodity," Berners-Lee told reporters at CERN, according to AFP.
Berners-Lee predicted a grim reality if the public becomes disengaged in
the battle for privacy protection. "There is a possible future you can
imagine (in which) your browser
keeps track of everything that you buy," Berners-Lee warns. He continues
by saying in this situation, browsers will hold more information than
Amazon. In response to the growing personal data concern, where information
could be bought or sold without consent from the owner, Berners-Lee
spearheaded the Solid project. “Solid empowers users and organizations to separate their data from
the applications that use it. It allows people to look at the same data
with different apps at the same time. It opens brand new avenues for
creativity, problem-solving, and commerce,” according to the project’s website.
Users will be able to decide, according to AFP, key factors like where
and how they would share their own data. However, during Berners-Lee’s
Monday talk with reporters, he expressed that the most sensitive of data,
like genetic information, would
need help from legislation for robust protection. "Sometimes it has to
be legislation which says personal data, you know, genetic data,
should never be used," Berners-Lee says."
The Web Turns 30, and Its Inventor Strives to Protect Your Personal Data
ECN, 13 March 2019
"As the algorithms get more advanced — meaning they are better able to
identify women and people of color, a task they have historically
struggled with — legal experts and civil rights advocates are sounding
the alarm on researchers’ use of photos of ordinary people. These
people’s faces are being used without their consent, in order to power
technology that could eventually be used to surveil them....The latest
company to enter this territory was IBM, which in January released a
collection of nearly a million photos that were taken from the photo hosting site Flickr
and coded to describe the subjects’ appearance..... But some of the
photographers whose images were included in IBM’s
dataset were surprised and disconcerted when NBC News told them that
their photographs had been annotated with details including facial
geometry and skin tone and may be used to develop facial recognition
algorithms.....“None of the people I photographed had any idea their images were being
used in this way,” said Greg Peverill-Conti, a Boston-based public
relations executive who has more than 700 photos in IBM’s collection,
known as a “training dataset.” ... Despite IBM’s assurances that Flickr users can opt out of the database,
NBC News discovered that it’s almost impossible to get photos removed...
The company is not alone in using publicly available photos on the
internet in this way. Dozens of other research organizations
have collected photos for training facial recognition systems, and many
of the larger, more recent collections have been scraped from the web. Some
experts and activists argue that this is not just an infringement on
the privacy of the millions of people whose images have been swept up —
it also raises broader concerns about the improvement of facial
recognition technology, and the fear that it will be used by law
enforcement agencies to disproportionately target minorities. “People gave their consent to sharing their photos in a different
internet ecosystem,” said Meredith Whittaker, co-director of the AI Now
Institute, which studies the social implications of artificial
intelligence. “Now they are being unwillingly or unknowingly cast in the
training of systems that could potentially be used in oppressive ways
against their communities.”... In the early days of building facial recognition tools, researchers paid
people to come to their labs, sign consent forms and have their photo
taken in different poses and lighting conditions. Because this was
expensive and time consuming, early datasets were limited to a few
hundred subjects....As social media and user-generated content took over, photos of regular
people were increasingly available. Researchers treated this as a
free-for-all, scraping faces from YouTube videos, Facebook, Google
Images, Wikipedia and mugshot databases.... To build its Diversity in Faces dataset, IBM says it drew upon a collection of 100
million images published with Creative Commons licenses that Flickr’s
owner, Yahoo, released as a batch for researchers to download in 2014.
IBM narrowed that dataset down to about 1 million photos of faces that
have each been annotated, using automated coding and human estimates,
with almost 200 values for details such as measurements of facial
features, pose, skin tone and estimated age and gender, according to the
dataset obtained by NBC News.... It was difficult to find academics who would speak on the record about
the origins of their training datasets; many have advanced their
research using collections of images scraped from the web without
explicit licensing or informed consent....The dataset does not link the photos of people’s faces to their names,
which means any system trained to use the photos would not be able to
identify named individuals. But civil liberty advocates and tech ethics
researchers have still questioned the motives of IBM, which has a
history of selling surveillance tools that have been criticized for
infringing on civil liberties.... the company sells a system called IBM Watson Visual Recognition, which
IBM says can estimate the age and gender of people depicted in images
and, with the right training data, can be used by clients to identify specific people from photos or videos.... An Austrian photographer and entrepreneur, Georg Holzer,
uploaded his photos to Flickr to remember great moments with his family
and friends, and he used Creative Commons licenses to allow nonprofits
and artists to use his photos for free. He did not expect more than 700
of his images to be swept up to study facial recognition technology. “I
know about the harm such a technology can cause,” he said over Skype,
after NBC News told him his photos were in IBM’s dataset. “Of course,
you can never forget about the good uses of image recognition such as
finding family pictures faster, but it can also be used to restrict
fundamental rights and privacy. I can never approve or accept the
widespread use of such a technology.”... In the U.S., some states have laws that could be relevant.
Under the Illinois Biometric Information Privacy Act, for example, it
can be a violation to capture, store and share biometric information
without a person’s written consent. According to the act, biometric
information includes fingerprints, iris scans and face geometry. "This
is the type of mass collection and use of biometric data that can be
easily abused, and appears to be taking place without the knowledge of
those in the photos,” said Jay Edelson, a Chicago-based class-action
lawyer currently suing Facebook for its use of facial recognition tools.
So far neither of these laws has been rigorously tested. IBM declined
to comment on the laws....“You’ve really got a rock-and-a-hard-place
situation happening here,” said Woody Hartzog,
a professor of law and computer science at Northeastern University.
“Facial recognition can be incredibly harmful when it’s inaccurate and
incredibly oppressive the more accurate it gets.”.... The use of facial
recognition surveillance systems by law enforcement is so controversial
that a coalition of more than 85 racial justice and civil rights groups have called for tech companies to refuse to sell the technology to governments... “These systems are being
deployed in oppressive contexts, often by law enforcement,” said
Whittaker, of the AI Now Institute, “and the goal of making them better
able to surveil anyone is one we should look at very skeptically.”"
Facial recognition's 'dirty little secret': Millions of online photos scraped without consent
NBC News, 12 March 2019
"Two popular smart alarm systems for cars had major security
flaws that allowed potential hackers to track the vehicles, unlock
their doors and, in some cases, cut off the engine. The vulnerabilities
could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday.... Like smart locks, TVs and cameras,
smart car alarms are susceptible to cyberattacks and security flaws.
The growth of smart devices, which integrate connected technology into
everyday devices, has made the internet of things an easy target and created a new type of security threat. On
Pandora's website, the company boasts it "uses a dialog code it is
impossible to hack it -- nobody did it yet and for sure nobody will."
But Ken Munro, founder of Pen Test Partners, figured out that his team
didn't need to hack the smart alarm itself because the Pandora app left a
large opening. The researcher found a similar problem with Viper's app.
Both apps' API didn't properly authenticate for update requests,
including requests to change the password or email address. Munro
said that all his team needed to do was send the request to a specific
host URL and they were able to change an account's password and email
address without notifying the victim that anything happened. Once
they had access to the account, the researchers had full control of the
smart car alarm. This allowed them to learn where a car was and unlock
it. You don't have to be near the car to do this, and the accounts can
be taken over remotely, Munro said."
Smart alarms left 3 million cars vulnerable to hackers who could turn off motors
CNet, 8 March 2019
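The flaw described in the CNet piece above, an account-update endpoint that accepts a new password or e-mail for whatever account the request names rather than for the account the caller has proved they own, as an added example that is not code from the article, from Pen Test Partners, or from Pandora or Viper: a hypothetical in-memory account service with the vulnerable handler beside a hardened one. The service, the account names, passwords and request shapes are all constructed for illustration and make no claim about the real apps' APIs.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory account service, constructed for this example; it is
# not the Pandora or Viper backend and claims nothing about their real code.


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    notices: list = field(default_factory=list)  # mails the service would send


class AlarmAccountService:
    def __init__(self):
        self.accounts = {}  # account_id -> Account
        self.sessions = {}  # session token -> account_id

    def register(self, account_id, email, password):
        salt = os.urandom(16)
        self.accounts[account_id] = Account(email, salt, _hash(password, salt))

    def login(self, account_id, password):
        acct = self.accounts.get(account_id)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = account_id
        return token

    def _set_credentials(self, acct, body):
        if "email" in body:
            acct.email = body["email"]
        if "password" in body:
            acct.salt = os.urandom(16)
            acct.pw_hash = _hash(body["password"], acct.salt)

    # VULNERABLE: only checks that *some* session exists, then trusts the
    # account_id in the body; any logged-in user can rewrite any account.
    def update_account_vulnerable(self, token, body):
        if token not in self.sessions:
            return 401
        acct = self.accounts.get(body.get("account_id"))
        if acct is None:
            return 404
        self._set_credentials(acct, body)  # no ownership check, no notice sent
        return 200

    # HARDENED: identity comes from the session, never from the body; a
    # credential change needs the current password, notifies the old
    # address and revokes every other session for the account.
    def update_account(self, token, body):
        caller = self.sessions.get(token)
        if caller is None:
            return 401
        if body.get("account_id", caller) != caller:
            return 403  # cross-account write refused
        acct = self.accounts[caller]
        supplied = body.get("current_password", "")
        if not hmac.compare_digest(acct.pw_hash, _hash(supplied, acct.salt)):
            return 403  # re-authentication failed
        old_email = acct.email
        self._set_credentials(acct, body)
        acct.notices.append(f"credentials changed; notice sent to {old_email}")
        for other in [t for t, a in self.sessions.items() if a == caller and t != token]:
            del self.sessions[other]
        return 200


def takeover_attempt(hardened):
    # Attacker holding their own account tries to reset the victim's password.
    svc = AlarmAccountService()
    svc.register("victim", "victim@example.com", "V1ctimPass!")  # constructed data
    svc.register("attacker", "mallory@example.com", "M4lloryPass!")
    tok = svc.login("attacker", "M4lloryPass!")
    body = {"account_id": "victim", "email": "mallory@example.com", "password": "pwned"}
    handler = svc.update_account if hardened else svc.update_account_vulnerable
    return {
        "status": handler(tok, body),
        "attacker_logs_in_as_victim": svc.login("victim", "pwned") is not None,
        "victim_keeps_access": svc.login("victim", "V1ctimPass!") is not None,
        "victim_notified": bool(svc.accounts["victim"].notices),
    }


def legitimate_update():
    # Owner changes their own e-mail through the hardened endpoint from one of two sessions.
    svc = AlarmAccountService()
    svc.register("owner", "owner@example.com", "0wnerPass!")
    phone, laptop = svc.login("owner", "0wnerPass!"), svc.login("owner", "0wnerPass!")
    status = svc.update_account(phone, {"current_password": "0wnerPass!", "email": "new@example.com"})
    acct = svc.accounts["owner"]
    return {"status": status, "email": acct.email, "notices": acct.notices,
            "laptop_session_revoked": laptop not in svc.sessions}
```

`takeover_attempt(False)` shows that the attacker's own session is enough to reset the victim's password, with no notice ever generated for the victim; `takeover_attempt(True)` shows the same request refused before any credential is touched. The hardened handler binds the target to the session identity instead of a body field, re-authenticates before a credential change, mails the previous address, and drops the account's other sessions, which is the set of controls whose absence let the researchers take over accounts remotely without the victim noticing.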
"Philadelphia is the first major U.S. city to ban cashless stores,
placing it at the forefront of a debate that pits retail innovation
against lawmakers trying to protect all citizens’ access to the
marketplace. Starting in July, Philadelphia’s new law will
require most retail stores to accept cash. A New York City councilman is
pushing similar legislation there, and New Jersey’s legislature
recently passed a bill banning cashless stores statewide. A spokesman
for New Jersey Gov. Phil Murphy, a Democrat, declined to comment..."
Philadelphia Is First U.S. City to Ban Cashless Stores
Wall St Journal, 7 March 2019
"The National Security Agency is preparing to potentially abandon a controversial surveillance program
exposed by former intelligence contractor Edward Snowden, the agency’s
director indicated. Paul Nakasone, head of both the NSA and U.S. Cyber
Command, vaguely discussed the future of the government’s once-secretive
system for obtaining and analyzing domestic telephone records, or
metadata, in light of a senior congressional aide recently claiming that
it was quietly suspended. “We are in a deliberative process right now,”
Mr. Nakasone said Wednesday at the RSA security conference in San
Francisco, attendees reported. “We’ll work very, very closely with the
administration and Congress to make recommendations on what authority
should be reauthorized.” Following the terrorist attacks of Sept. 11,
2001, the NSA began secretly ordering U.S. telecommunication companies
to give the government copies of metadata detailing effectively every
call and text placed over domestic networks. The efforts were made
public through documents leaked to the media by Mr. Snowden in 2013
prior to being significantly reformed through legislation passed by
Congress in 2015, the USA Freedom Act, slated to sunset at the end of
the year. Luke Murry, a national security adviser to House Minority
Leader Kevin McCarthy, California Republican, said during an interview
last week that the NSA stopped using the system six months earlier and
that it is not guaranteed to be reauthorized by Congress before
expiring. NSA representatives previously declined to comment on Mr.
Murry’s remarks. Mr. Nakasone said he was “aware” of related reporting
on Wednesday but neither confirmed nor denied whether the surveillance
program is currently operational, The Daily Beast reported. The Justice
Department brought criminal charges against Mr. Snowden, 35, shortly
after he identified himself as the source of leaked NSA documents
published by news outlets in 2013. He was charged while traveling
abroad, granted political asylum by Russia and has not returned."
NSA in 'deliberate process' over future of surveillance program, says spy chief
Washington Times, 7 March 2019
"Is technological progress bad for human autonomy? That’s the question posed by Shoshana Zuboff in “The Age of Surveillance Capitalism,”
a book that recounts the ways in which corporations and governments are
using technology to influence our behavior. Zuboff is just the latest
to chime in on “totalitarian technology” (or “total tech”), a term that
describes devices and algorithms by which individuals forfeit their
privacy and autonomy for the benefit of either themselves or some third
party. In the United States, total tech can be sorted into three different
categories, or “spheres” of life: consumer services, the workplace, and
government and politics. Total tech is pervasive in the increasingly data-driven world of retail. Many shopping apps tap into your phone’s GPS to access your location,
allowing retailers to send you advertisements the moment you’re walking
past their storefront. Personalized pricing enables retailers to charge
you the exact maximum that you would be willing to pay for a given
product. Your personal data isn’t safe at home, either: Digital
assistants like Amazon Alexa store your query history,
meaning they know everything from your unique shopping history to your
travel patterns to your music preferences. Employers are also using
total tech to track and monitor their workers. A growing number of
companies use biometric time cards that scan an employee’s fingerprint, hand shape, retina, or iris. UPS outfits its trucks with sensors that track the opening and closing of doors, the engine of the vehicle, and the clicking of seat belts. Amazon is patenting
an electronic wristband that would be used to track hand
movements—making sure, for instance, that a warehouse worker stays busy
moving boxes. Global freelancing platform Upwork runs a digital “Work Diary” program that
counts keystrokes and takes screenshots of workers’ monitors. Uptake of
total tech has been particularly striking in government and politics.
The New Orleans Police Department runs a “predictive policing” program that
uses Big Data to compile a heat list of potential criminal offenders.
The TSA operates its own total tech program, called Quiet Skies, which monitors and flags travelers based on “suspicious” behavior patterns.
Travelers can land themselves on the Quiet Skies list by changing their
clothes in the restroom, being the last person to board their flight,
or even inspecting their reflection in a terminal window. More
nefariously, software developed at Stanford University enables anyone to manipulate video footage in real time.
Now, anyone with a grudge could alter the facial expressions of a
prominent politician making a speech, and then dub in new audio that
completely changes the speech’s contents. Abroad, China is the poster child for extreme total tech programs. By 2020, China’s “social credit system”
will monitor the behavior of each and every citizen, keeping tabs on
everything from speeding tickets to social media posts critical of the
state. Everyone will then be assigned their own unique “sincerity
score”; a high score will be a requirement for
anyone hoping to get the best housing, install the fastest Internet
speeds, put their kids into the most prestigious schools, and land the
most lucrative jobs."
The Rise Of Totalitarian Technology
Forbes, 6 March 2019
"The Mail Cover Program allows
postal employees to photograph and send to federal law enforcement
organizations (FBI, DHS, Secret Service, etc.) the front and back of
every piece of mail the Post Office processes. It also retains the
information digitally and provides it to any government agency that
wants it—without a warrant. In 2015, the USPS Inspector General issued a
report saying that, “Agencies must demonstrate a reasonable basis for
requesting mail covers, send hard copies of request forms to the
Criminal Investigative Service Center for processing, and treat mail
covers as restricted and confidential…A mail cover should not be used as
a routine investigative tool. Insufficient controls over the mail cover
program could hinder the Postal Inspection Service’s ability to conduct
effective investigations, lead to public concerns over privacy of mail,
and harm the Postal Service’s brand.” Not only were the admonitions
ignored, the mail cover program actually expanded after the report’s
release. Indeed, in the months after that report was issued, there were
6,000 requests for mail cover collection. Only 10 were rejected,
according to the Feb. 2019 edition of Prison Legal News (pp. 34-35). I
have some personal experience with
the Mail Cover Program. I served 23 months in prison for blowing the
whistle on the CIA’s illegal torture program. After having been locked
up for two months, I decided to commission a card from a very
artistically-inclined prisoner for my wife’s 40th birthday. I sent it
about two weeks early, but she never received it. Finally, about four
months later, the card was delivered back to me with a yellow “Return to
Sender – Address Not Known” sticker on it. But underneath that sticker
was a second yellow sticker. That one read, “Do Not Deliver. Hold For
Supervisor. Cover Program.” Why
was I under Postal Service Surveillance? I have no idea. I had had my
day in court. The case was over. But remember, the Postal Service
doesn’t have to answer to anybody – my attorneys, my judge, even its own
Inspector General. It doesn’t need a warrant to spy on me (or my
family) and it doesn’t have to answer even to a member of Congress who
might inquire as to why the spying was happening in the first place. The
problem is not just the sinister nature of a government agency (or
quasi-government agency) spying on individuals with no probable cause or
due process, although those are serious problems. It’s that the program
is handled so poorly and so haphazardly that in some cases surveillance
was initiated against individuals for no apparent law enforcement
reason and that surveillance was initiated by Postal Service employees
not even authorized to do so. Again, there is no recourse because the
people under surveillance don’t even know that any of this is happening. Perhaps
an even more disturbing aspect of the program is the fact that between
2000 and 2012, the Postal Service initiated an average of 8,000 mail
cover requests per year. But in 2013, that number jumped to 49,000. Why? Nobody knows and the Postal Service doesn’t have to say. The
question, though, is not how many cases are opened under the Mail Cover
Program or even how many requests there are for the information. The
real question is, “How is this constitutional?” Perhaps a secondary
question is, “Why hasn’t anybody challenged the program in the courts?”
In general, Americans don’t–or at least haven’t–objected to a gradual
loss of civil liberties and constitutional rights. That has to stop.
When even the Post Office is spying on you, you know the republic is in
trouble."
JOHN KIRIAKOU: Neither Rain, Sleet, nor Snow Will Stop the Post Office From Spying on You
Consortium News, 28 February 2019
"A U.N. human rights expert has published a
draft list of questions to
measure countries’ privacy safeguards, a first step toward ranking the
governments that are potentially doing the most snooping on their own
citizens. Cannataci’s role investigating digital privacy was created by
the
council in 2015 after Edward Snowden’s revelations about U.S.
surveillance, and he has strongly criticized surveillance activities by
the United States and other countries. As
the first person in the job, Cannataci set out an action plan for
tackling the task and said he planned to take a methodical approach to
monitoring surveillance and privacy laws to help him to decide which
countries to investigate.... The last question asks: “Does your country
have a police and/or
intelligence service which systematically profiles and maintains
surveillance on large segments of the population in a manner comparable
to that of the STASI in the 1955-1990 GDR (East Germany)?” Any country
answering “yes” to that would forfeit 1,000 points and should abolish
its system and start again, he wrote."
How much does your government spy on you? U.N. may rank the snoopers
Reuters, 28 February 2019
"If you shop at Westfield, you’ve probably been scanned and recorded by
dozens of hidden cameras built into the centres’ digital advertising
billboards. The semi-camouflaged cameras can determine not only your age and gender
but your mood, cueing up tailored advertisements within seconds, thanks
to facial detection technology. Westfield’s Smartscreen network was developed by the French software
firm Quividi back in 2015. Their discreet cameras capture blurry images
of shoppers and apply statistical analysis to identify audience
demographics. And once the billboards have your attention they hit
record, sharing your reaction with advertisers. Quividi says their
billboards can distinguish shoppers’ gender with 90% precision, five
categories of mood from “very happy to very unhappy” and customers’ age
within a five-year bracket. Mood is a particularly valuable insight for advertisers, revealing
shoppers’ general sentiment towards a brand and how they feel in
particular stores at certain times of the day. Unlike gender and age,
mood is harder to determine, sitting at around 80% accuracy. There are now more than 1,600 billboards installed into 41 Westfield
centres across Australia and New Zealand. Scentre Group, Westfield
Australia’s parent company, emphasises that all data collected is
anonymous and that they are using facial detection, not facial
recognition technology (FRT). This means generic information such as a shopper’s age and gender is
collected rather than the technology using photo-matching databases to
identify who customers are. A spokesperson would not confirm whether or
not Westfield would consider using FRT in the future. Retail companies are increasingly turning to facial detection and facial
recognition software to attract and engage a distracted audience.
Quividi’s host of international clients include Telstra, 7-Eleven,
Coca-Cola, oOH Media and HSBC bank. Terry Hartmann, vice president of Cognitec Asia Pacific, the company
that develops “market-leading face recognition technologies for
customers and government agencies around the world”, says using facial
detection commercially is no different to Facebook’s manipulation of
users’ online search history for targeted advertising. “You’re
not identifying who that person is, you’re just identifying the
characteristics of that person. That’s no different to Facebook popping
up ads you might be interested in and social media picking up people
based on their clicking habits or the shopping that they’ve done.” While
facial detection could be considered relatively benign, it is a step
closer to the more problematic FRT. Dr Dong Xu is the chair in computer
engineering at the University of
Sydney. He says that under optimum lighting and using high-quality photo
data bases, FRT is more accurate than humans at identifying faces and
can now recognise an individual from millions of photographs."
Are you being scanned? How facial recognition technology follows you, even as you shop
Guardian, 24 February 2019
"Now there is one more place where cameras could start
watching you — from 30,000 feet. Newer seat-back entertainment systems
on some airplanes operated by American Airlines, United Airlines and
Singapore Airlines have cameras, and it’s likely they are also on planes
used by other carriers. American, United and Singapore all said Friday
that they have never activated the cameras and have no plans to use
them. However, companies that make the entertainment systems are
installing cameras to offer future options such as seat-to-seat video
conferencing, according to an American Airlines spokesman. A passenger
on a Singapore flight posted a photo of the seat-back display last week,
and the tweet was shared several hundred times and drew media notice.
Buzzfeed first reported that the cameras are also on some American
planes. A United spokeswoman repeatedly told a reporter Friday that none
of its entertainment systems had cameras before apologizing and saying
that some did. Delta did not respond to repeated questions about some of
its entertainment systems, which appear to be identical to those on
American and United. The airlines stressed that they didn’t add the
cameras — manufacturers embedded them in the entertainment systems.
American’s systems are made by Panasonic, while Singapore uses Panasonic
and Thales, according to airline representatives. Neither Panasonic nor
Thales responded immediately for comment."
There Are Seat-Back Cameras On Some American And United Air Flights Now
Associated Press, 23 February 2019
"The Chinese government blocked
17.5 million would-be plane passengers from buying tickets last year as
a punishment for offences including the failure to pay fines, it
emerged. Some 5.5 million people were also barred from travelling by train
under a controversial “social credit” system which the ruling Communist
Party claims will improve public behaviour. The penalties are part of efforts by president Xi Jinping’s
government to use data-processing and other technology to tighten
control on society. Human rights activists warn the system is too rigid
and may lead
to people being unfairly blacklisted without their knowledge, while US
vice-president Mike Pence last year denounced it as “an Orwellian system premised on controlling virtually every facet of human life”."
China blocks 17.5 million plane tickets for people without enough 'social credit'
Independent, 22 February 2019
"It
was a crowded primary field and Tony Evers, running for governor, was
eager to win the support of officials gathered at a Wisconsin state
Democratic party meeting, so the candidate did all the usual things: he
read the room, he shook hands, he networked. Then he put an electronic
fence around everyone there. The
digital fence enabled Evers’ team to push ads onto the iPhones and
Androids of all those attending the meeting. Not only that, but because
the technology pulled the unique identification numbers off the phones, a
data broker could use the digital signatures to follow the devices
home. Once there, the campaign could use so-called cross-device tracking
technology to find associated laptops, desktops and other devices to
push even more ads. Welcome
to the new frontier of campaign tech — a loosely regulated world in
which simply downloading a weather app or game, connecting to Wi-Fi at a
coffee shop or powering up a home router can allow a data broker to
monitor your movements with ease, then compile the location information
and sell it to a political candidate who can use it to surround you with
messages. “We
can put a pin on a building, and if you are in that building, we are
going to get you,” said Democratic strategist Dane Strother, who advised
Evers. And they can get you even if you aren’t in the building anymore,
but were simply there at some point in the last six months. Campaigns
don’t match the names of voters with the personal information they
scoop up — although that could be possible in many cases. Instead, they
use the information to micro-target ads to appear on phones and other
devices based on individual profiles that show where a voter goes,
whether a gun range, a Whole Foods or a town hall debate over Medicare.
The
spots would show up in all the digital places a person normally sees
ads — whether on Facebook or an internet browser such as Chrome. As
a result, if you have been to a political rally, a town hall, or just
fit a demographic a campaign is after, chances are good your movements
are being tracked with unnerving accuracy by data vendors on the payroll
of campaigns. The information gathering can quickly invade even the
most private of moments. Antiabortion groups, for example, used the
technology to track women who entered waiting rooms of abortion clinics
in more than a half dozen cities. RealOptions, a California-based
network of so-called pregnancy crisis centers, along with a partner
organization, had hired a firm to track cell phones in and around clinic
lobbies and push ads touting alternatives to abortion. Even after the
women left the clinics, the ads continued for a month. That effort ended
in 2017 under pressure from Massachusetts authorities, who warned it
violated the state’s consumer protection laws. But such crackdowns are
rare. Data brokers and their political clients operate in an environment
in which technology moves much faster than Congress or state
legislatures, which are under pressure from Silicon Valley not to
strengthen privacy laws. The RealOptions case turned out to be a
harbinger for a new generation of political campaigning built around
tracking and monitoring even the most private moments of people’s lives.
“It is Orwellian,” said Los Angeles City Attorney Mike Feuer, whose
office last month filed a lawsuit against the makers of the Weather
Channel app, alleging that the app surreptitiously monitors where users
live, work and visit 24-hours a day and sells the information to data
brokers. The apps on iPhones and Androids are the most prolific spies of
user whereabouts and whatabouts. But they aren’t the only ones. Take
televisions. In the 2016 election, campaigns began targeting
satellite-television ads to particular households. That technology was
credited with helping Sen. Bernie Sanders target voters to eke out a
surprise victory over Hillary Clinton in Michigan’s presidential
primary. Now, a person’s television may be telling candidates a lot more
than many people would care to share. Some newer smart-television
systems, including units made by Vizio, can monitor everything a person
watches and send the information to data brokers. Campaigns can buy that
information and use it to beam ads that either complement a narrative
broadcast by such networks as FOX News or MSNBC — or counter-program
against it. Or a campaign might look for frequent watchers of a
particular program — bass fishing championships, perhaps, or maybe “The
Bachelor.” Campaigns have long targeted viewers of particular programs
as likely to support their positions and have bought ads to air during
those shows. Now, however, knowing that a person watches a specific
program, a campaign can beam ads to the person’s television that would
show up the next time the device is turned on, even if the viewer was
watching some other show. Feuer said he was surprised to learn from a
reporter that political consulting firms are an eager market for
tracking information. “It means suddenly a campaign knows whether you
are going to a doctor, an Alcoholics Anonymous meeting, where you
worship and who knows what else,” Feuer said. At a time foreign agents
are commandeering American campaign tools and using them to sow
confusion and distrust among voters, Feuer said, the shift toward more
tracking and monitoring is particularly concerning.... Just
as the antiabortion organizations did around clinics, political
campaigns large and small are building “geo-fences” around locations
from which they can fetch the unique identifying information of the
smartphones of nearly everyone who attended an event. “I
don’t think a lot of people are aware their location data is being sent
to whomever,” said Justin Croxton, a managing partner at Propellant
Media, an Atlanta-area digital firm that works with political campaigns.
“The
good news is a lot of those people can opt out,” Croxton said. Privacy
advocates, however, say opting out can be nearly impossible, as most
device users are not even aware of which apps and phone settings are
causing them to be surreptitiously monitored, much less in position to
understand the intricacies of disabling all the tracking technology. “It
is often embedded in apps you would not expect to be spying on you,”
said Sean O’Brien, a technology and privacy scholar at Yale Law School.
“There is a question of how much people know is being grabbed from an
ethical standpoint, even if from a legal standpoint you have technically
agreed to this without knowing it.” Once
a data broker has identifying information from one device in hand, they
can quickly capture information about other, associated devices, such
as routers, laptops and smart televisions. Data brokers collect so much
location information off phones that they can track a person’s
whereabouts months into the past.... The fences can also be used to
narrowly target messages into small geographic areas. “If
we are sending out a piece of fundraising mail, we will fence the homes
where it is being sent for an entire week before,” McShane said.
Alternatively, McShane said, his firm might use a fence to build an
“echo chamber” for an advocacy group lobbying politicians. Fences
can be built around the homes, workplaces, and hangouts of legislators
and their families, enabling a campaign to bombard their devices with a
message and leave the impression that a group’s campaign is much bigger
in scope than it actually is. There
is also now a tool to grab a phone’s ID number as its user approaches a
digital billboard, so that a custom-tailored message can be
transmitted. Which
political campaigns and other clients receive all that tracking
information can’t be traced. A group of computer scientists at UC
Berkeley monitoring tens of thousands of apps has tried. Serge
Egelman, research director of the Usable Security & Privacy Group
at UC Berkeley’s International Computer Science Institute, said his team
can unearth which opaque data brokerages are amassing information, but
not which political campaigns or interest groups buy it from them.
“There
are a lot of industries buying this data for things that most people
are not expecting,” Egelman said. Some might be trying to get you to
purchase a Volvo, while others aim to manipulate your vote. But none
disclose what they know about you and how. “That is the fundamental
problem,” Egelman said. “People can’t find that out.”"
Your phone and TV are tracking you, and political campaigns are listening in
Los Angeles Times, 20 February 2019
"Google has acknowledged that it made an error in not disclosing that one of its home alarm products contained a microphone. Product specifications for the Nest Guard, available since 2017, had made no mention of the listening device. But earlier this month, the firm said a software update
would make Nest Guard voice-controlled. On Twitter, concerned Nest
owners were told the microphone “has not been used up to this point”.
Business Insider was first to report the development. The
Nest Guard is one component in the Nest Secure range of home security
products. The system includes various sensors that can be monitored
remotely by the user. Nest Guard is an all-in-one alarm, keypad,
and motion sensor but, despite being announced well over a year ago,
the word “microphone” was only added to the product’s specification this
month. The change coincided with the announcement that it was now compatible with Google Assistant."
Google admits error over hidden microphone
BBC, 20 February 2019
"A Chinese surveillance firm is tracking the movements of more than
2.5 million people in the far-western Xinjiang region, according to a
data leak flagged by a Dutch internet expert. An online database
containing names, ID card numbers, birth dates and location data was
left unprotected for months by Shenzhen-based facial-recognition
technology company SenseNets Technology Ltd, according to Victor Gevers,
co-founder of non-profit organization GDI.Foundation, who first noted
the vulnerability in a series of social media posts last week. Exposed
data also showed about 6.7 million location data points linked to the
people which were gathered within 24 hours, tagged with descriptions
such as “mosque”, “hotel,” “internet cafe” and other places where
surveillance cameras were likely to be found. “It was fully open and
anyone without authentication had full administrative rights. You could
go in the database and create, read, update and delete anything,” said
Gevers. China has faced an outcry from activists, scholars, foreign
governments and U.N. rights experts over what they call mass detentions
and strict surveillance of the mostly Muslim Uighur minority and other
Muslim groups who call Xinjiang home (tinyurl.com/y9zzouss). According
to its website, SenseNets works with China’s police across several
cities. Its Shenzhen-listed parent company NetPosa Technologies Ltd has
offices in a majority of Chinese provinces and regions, including
Xinjiang."
China surveillance firm tracking millions in Xinjiang: researcher
Reuters, 17 February 2019
"Some apps may track your activity over time,
even when you tell them to forget the past. And there's nothing you can
do about it. Roughly 17,000 Android apps collect identifying information that creates a permanent record of the activity on your device, according to research from the International Computer Science Institute that was shared with CNET. The data collection appears to violate the search giant's policy on collecting data that can be used to target users for advertising in most cases, the researchers said. The
apps can track you by linking your Advertising ID -- a unique but
resettable number used to tailor advertising -- with other identifiers
on your phone that are difficult or impossible to change. Those IDs are
the device's unique signatures: the MAC address, IMEI and Android ID.
Less than a third of the apps that collect identifiers take only the
Advertising ID, as recommended by Google's best practices for developers. "Privacy
disappears" when apps collect those persistent identifiers, said Serge
Egelman, who led the research. He said his team, which reported the
findings to Google
in September, observed most of the apps sending identifying information
to advertising services, an apparent violation of Google's policies.
The company's policies allow developers to collect the identifiers but
forbid them from combining the Advertising ID with hardware IDs without
explicit consent of the user, or from using the identifiers that can't
be reset, to target ads. What's more, Google's best practices for
developers recommend collecting only the Advertising ID. The behavior
fits into the tech industry's long history of creating
privacy measures that websites and app developers quickly learn to
bypass. Adobe, for instance, was forced to address Flash cookies in 2011 after complaints that the snippets of software could survive in your web browser even after you cleared all your cookies. Similar complaints arose in 2014 over Verizon's and AT&T's use of so-called "supercookies," which tracked users across multiple devices and couldn't be cleared. In 2012, Microsoft accused Google of circumventing its P3P web privacy standard, which let users of the Internet Explorer browser set their preferences for cookies....Data collected by mobile apps has provoked even broader scrutiny because of the explosion of smartphones and tablets. In January, Facebook and Google were both found to have used a developer tool to circumvent Apple's privacy rules and build iOS apps that collect user information. Facebook's Cambridge Analytica scandal
in 2018 and other privacy controversies have sparked greater scrutiny
over how data is being collected and used.... Egelman's team, which previously found around 6,000 children's apps
improperly collecting data, said Thursday that big-name apps for adults
are sending permanent identifiers to advertising services. The apps
included Angry Birds Classic, the popular smartphone game, as
well as Audiobooks by Audible and Flipboard. Clean Master, Battery
Doctor and Cheetah Keyboard, all utilities developed by Cheetah Mobile,
were also found to send permanent info to advertising networks. All
of these apps have been installed on at least 100 million devices.
Clean Master, a phone utility that includes antivirus and phone
optimization services, has been installed on 1 billion devices.... A
Cheetah Mobile spokesman said in an email that its apps send a
device's Android ID to a company that helps it track installations of
its products. The information isn't used for targeted ads, and the
company complies with all relevant Google policies and laws, the
spokesman said. He added that the version of Battery Doctor
tested by the researchers was out of date; Cheetah Mobile updated the
app in 2018 to no longer collect the IMEI....The data collection
identified by Egelman and his team is similar to an issue that got Uber in trouble with Apple in 2015. According to The New York Times, Apple CEO Tim Cook was furious to learn that Uber
was collecting iOS users' hardware identifiers against Apple's policies
and threatened to remove the Uber app from the App Store.... The researchers configured a version of Android that let them track which identifiers an app collected and then ran thousands of apps on the modified software. Egelman
said that changing your Advertising ID should serve the same function
as clearing out your web browsing data. When you clear cookies, websites
you visited in the past won't recognize you. That stops them from
building up data about you over time. But you can't reset other identifiers, like the MAC address and IMEI.
The MAC address is a unique identifier that your device broadcasts to
internet connections like Wi-Fi routers. The IMEI is an identifier for
your specific device. Both identifiers can sometimes be used to prevent
stolen phones from accessing a cellular network. The Android ID is
another identifier that's unique to each device. It can be reset, but
only if you run a factory reset of your device."
These Android apps have been tracking you, even when you say stop
CNet, 14 February 2019
"As Amazon.com Inc. and Google work to place their smart speakers at the
center of the internet-connected home, both technology giants are
expanding the amount of data they gather about customers who use their
voice software to control other gadgets. For several years, Amazon and
Google have collected data every time someone used a smart speaker to
turn on a light or lock a door. Now they’re asking smart-home gadget
makers such as Logitech and Hunter Fan Co. to send a continuous stream
of information. In other words, after you connect a light fixture to
Alexa, Amazon wants to know every time the light is turned on or off,
regardless of whether you asked Alexa to toggle the switch. Televisions
must report the channel they’re set to. Smart locks must keep the
company apprised whether or not the front door bolt is engaged. This
information may seem mundane compared with smartphone geolocation
software that follows you around or the trove of personal data Facebook
Inc. vacuums up based on your activity. But even gadgets as simple as
light bulbs could enable tech companies to fill in blanks about their
customers and use the data for marketing purposes. Having already
amassed a digital record of activity in public spaces, critics say, tech
companies are now bent on establishing a beachhead in the home. “You
can learn the behaviors of a household based on their patterns,” says
Brad Russell, who tracks smart home products for researcher Parks
Associates Inc. “One of the most foundational things is occupancy.
There’s a lot they could do with that.”.... Smart speakers are among the
fastest growing categories of consumer electronics, led by Amazon’s
Echo and Google’s Home devices. That’s pushed the companies and their
Alexa and Assistant software deeper into debates about the tradeoffs
between useful services and the harvesting of personal data."
Your Smart Light Can Tell Amazon and Google When You Go to Bed
Bloomberg, 13 February 2019
"... one of the stories we were able to report using the Snowden
documents, one that received less attention than it should have, is an
active NSA program to collect the online sex activities, including
browsing records of porn site and sex chats, of people regarded by the
U.S. Government as radical or radicalizing in order to use their online
sex habits to destroy their reputations. This is what and who the NSA,
CIA and FBI are and long have been. If [Amazon's Jeff] Bezos were the political victim of
surveillance state abuses, it would be scandalous and dangerous. It
would also be deeply ironic. That’s because Amazon, the company that has
made Bezos the planet’s
richest human being, is a critical partner for the U.S. Government in
building an ever-more invasive, militarized and sprawling surveillance
state. Indeed, one of the largest components of Amazon’s business, and
thus one of the most important sources of Bezos’ vast wealth and power,
is working with the Pentagon and the NSA to empower the U.S. Government
with more potent and more sophisticated weapons, including surveillance
weapons. In December, 2017, Amazon boasted
that it had perfected new face-recognition software for crowds, which
it called Rekognition. It explained that the product is intended, in
large part, for use by governments and police forces around the world.
The ACLU quickly warned
that the product is “dangerous” and that Amazon “is actively helping
governments deploy it.” “Powered by artificial intelligence,” wrote the
ACLU, “Rekognition can identify,
track, and analyze people in real time and recognize up to 100 people
in a single image. It can quickly scan information it collects against
databases featuring tens of millions of faces.” The group warned:
“Amazon’s Rekognition raises profound civil liberties and civil rights
concerns.” In a separate advisory,
the ACLU said of this face-recognition software that Amazon’s
“marketing materials read like a user manual for the type of
authoritarian surveillance you can currently see in China.” BuzzFeed obtained documents showing details
of Amazon’s work in implementing the technology with the Orlando Police
Department, ones that “reveal the accelerated pace at which law
enforcement is embracing facial recognition tools with limited training
and little to no oversight from regulators or the public.” Numerous
lawmakers, including Congress’ leading privacy advocates, wrote a letter
in July, 2018, expressing grave concerns about how this software and
similar mass-face-recognition programs would be used by government and
law enforcement agencies. They posed a series of questions based on
their concern that “this technology comes with inherent risks, including
the compromising of Americans’ right to privacy, as well as racial and
gender bias.” In a separate article about Amazon’s privacy threats, the
ACLU explained that the group “and other civil rights groups have
repeatedly warned that face surveillance poses an unprecedented threat
to civil liberties and civil rights that must be stopped before it
becomes widespread.” Amazon’s extensive relationship with the NSA, FBI,
Pentagon and other surveillance agencies in the west is multi-faceted,
highly lucrative and rapidly growing. Last March, the Intercept reported
on a new app that Amazon developers and British police forces have
jointly developed to use on the public in police work, just “the latest
example of third parties aiding, automating, and in some cases,
replacing, the functions of law enforcement agencies — and raises
privacy questions about Amazon’s role as an intermediary.”...Then there
are the serious privacy dangers
posed by Amazon’s “Ring” camera products, revealed in the Intercept
last month by Sam Biddle. As he reported, Amazon’s Ring, intended to be a
home security system, has “a history of lax, sloppy oversight when it
comes to deciding who has access to some of the most precious, intimate
data belonging to any person: a live, high-definition feed from around —
and perhaps inside — their house.”... Bezos’ relationship with the military and intelligence wings of the U.S.
Government is hard to overstate. Just last October, his company, Blue
Origin, won a $500 million contract from the U.S. Air Force
to help develop military rockets and spy satellites. Bezos personally
thanked them in a tweet, proclaiming how “proud” he is “to serve the
national security space community.”.... Then there’s the patent Amazon
obtained last October, as reported by the Intercept, “that would allow
its virtual assistant Alexa to decipher a user’s physical
characteristics and emotional state based on their voice.” In
particular, it would enable anyone using the product to determine a
person’s accent and likely place of origin: “The algorithm would also
consider a customer’s physical location — based on their IP address,
primary shipping address, and browser settings — to help determine their
accent.”... Bezos’ relationship with the military and spying agencies
of the U.S. Government, and law enforcement agencies around the world,
predates his purchase of the Washington Post and has become a central
prong of Amazon’s business growth. Back in 2014, Amazon secured a
massive contract with the CIA when the spy agency agreed to pay it $600
million for computing cloud software. As the Atlantic noted at the time,
Amazon’s software “will begin servicing all 17 agencies that make up
the intelligence community.”... Jeff Bezos is as entitled as anyone else to his personal
privacy. The threats from the National Enquirer are grotesque. If Bezos’
preemptive self-publishing of his private sex material reduces the
unwarranted shame and stigma around adult consensual sexual activities,
that will be a societal good. But Bezos, given how much he works and profits to destroy the privacy
of everyone else (to say nothing of the labor abuses of his company),
is about the least sympathetic victim imaginable of privacy invasion. In
the past, hard-core surveillance cheerleaders in Congress such as
Dianne Feinstein, Pete Hoekstra, and Jane Harman became overnight, indignant privacy advocates
when they learned that the surveillance state apparatus they long
cheered had been turned against them. Perhaps being a victim of privacy
invasion will help Jeff Bezos
realize the evils of what his company is enabling. Only time will tell.
As of now, one of the world’s greatest privacy invaders just had his
privacy invaded. As the ACLU put it: “Amazon is building the tools for
authoritarian surveillance that advocates, activists, community leaders,
politicians, and experts have repeatedly warned against.”"
Jeff Bezos Protests the Invasion of His Privacy, as Amazon Builds a Sprawling Surveillance State for Everyone Else
The Intercept, 8 February 2019
"....Many major companies, like Air Canada, Hollister and Expedia, are
recording every tap and swipe you make on their iPhone apps. In most
cases you won’t even realize it. And they don’t need to ask for
permission. You can assume that most apps are collecting data on you.
Some even monetize your data without your knowledge. But TechCrunch has
found several popular iPhone apps, from hoteliers, travel sites,
airlines, cell phone carriers, banks and financiers, that don’t ask or
make it clear — if at all — that they know exactly how you’re using
their apps. Worse, even though these apps are meant to mask certain
fields, some inadvertently expose sensitive data. Apps like Abercrombie
& Fitch, Hotels.com and Singapore Airlines also use Glassbox, a
customer experience analytics firm, one of a handful of companies that
allows developers to embed “session replay” technology into their apps.
These session replays let app developers record the screen and play them
back to see how its users interacted with the app to figure out if
something didn’t work or if there was an error. Every tap, button push
and keyboard entry is recorded — effectively screenshotted — and sent
back to the app developers. Or, as Glassbox said in a recent tweet:
“Imagine if your website or mobile app could see exactly what your
customers do in real time, and why they did it?” The App Analyst, a
mobile expert who writes about his analyses of popular apps on his
eponymous blog, recently found Air Canada’s iPhone app wasn’t properly
masking the session replays when they were sent, exposing passport
numbers and credit card data in each replay session. Just weeks earlier,
Air Canada said its app had a data breach, exposing 20,000 profiles.
“This gives Air Canada employees — and anyone else capable of accessing
the screenshot database — to see unencrypted credit card and password
information,” he told TechCrunch."
Many popular iPhone apps secretly record your screen without asking
TechCrunch, 6 February 2019
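The Air Canada case above turns on a session-replay SDK that masked some fields by name and still shipped passport and card numbers that had been typed elsewhere. The following is an added example, not code from Glassbox, Air Canada or the TechCrunch article; the event shape, the field names, the `DENYLIST`, the sample values and the passport-like pattern are all constructed assumptions. It contrasts name-based masking with content-based redaction (Luhn-checked card numbers, an ID-like token pattern) applied to every captured value before anything leaves the device, and includes a check that reports which events would still leak.

```python
"""Masking captured session-replay events before upload.

Added example, not code from Glassbox, Air Canada or the TechCrunch
article. Event shape, field names, denylist, sample values and the
passport-like pattern are constructed assumptions for illustration.
"""
import re

# Constructed sample of what a replay SDK might capture for one screen:
# one dict per keystroke-bearing field, value exactly as the user typed it.
SAMPLE_EVENTS = [
    {"field": "password", "value": "hunter2"},
    {"field": "card_number", "value": "4111 1111 1111 1111"},
    {"field": "search", "value": "4111111111111111"},  # card typed into a generic box
    {"field": "notes", "value": "passport AB1234567 expires 2027"},
    {"field": "destination", "value": "YYZ"},
]

# Assumed denylist: the only fields a name-based scheme ever masks.
DENYLIST = {"password", "card_number", "passport_number"}

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed passport-like token: one or two capitals followed by 6-8 digits.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_text(text: str) -> str:
    """Content-based redaction: replace Luhn-valid PANs and ID-like tokens."""
    def pan_sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN]" if luhn_ok(digits) else m.group(0)
    out = PAN_RE.sub(pan_sub, text)
    return PASSPORT_RE.sub("[ID]", out)


def mask_by_name(events: list[dict]) -> list[dict]:
    """The weak scheme: mask only fields whose name is on the denylist."""
    return [dict(e, value="***" if e["field"] in DENYLIST else e["value"])
            for e in events]


def mask_by_content(events: list[dict]) -> list[dict]:
    """Denylist masking plus content-based redaction of every other value."""
    return [dict(e, value="***" if e["field"] in DENYLIST
                 else redact_text(e["value"]))
            for e in events]


def leaks(events: list[dict]) -> list[str]:
    """Names of events whose value still carries a PAN or ID-like token."""
    return [e["field"] for e in events if redact_text(e["value"]) != e["value"]]


if __name__ == "__main__":
    print("name-based leaks:   ", leaks(mask_by_name(SAMPLE_EVENTS)))
    print("content-based leaks:", leaks(mask_by_content(SAMPLE_EVENTS)))
```

The `leaks` check is the one worth wiring into a pre-upload hook or a CI test over recorded fixtures: a denylist only covers the fields the developer thought of, whereas users paste card and passport numbers into search boxes and free-text notes.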
"A man has been fined after refusing to be scanned by
controversial facial recognition cameras being trialled by the
Metropolitan Police. The force had put out a statement saying “anyone
who declines to be scanned will not necessarily be viewed as
suspicious”. However, witnesses said several people were stopped after
covering their faces or pulling up hoods. Campaign group Big Brother
Watch said one man had seen placards warning members of the public that
automatic facial recognition cameras were filming them from a parked
police van. “He simply pulled up the top of his jumper over the bottom
of his face, put his head down and walked past,” said director Silkie
Carlo. “There was nothing suspicious about him at all … you have the
right to avoid [the cameras], you have the right to cover your face. I
think he was exercising his rights.” Ms Carlo, who was monitoring
Thursday’s trial in Romford, London, told The Independent she
saw a plainclothed police officer follow the man before a group of
officers “pulled him over to one side”. She said they demanded to see
the man’s identification, which he gave them, and became “accusatory and
aggressive”. “The guy told them to p*** off and then they gave him the
£90 public order fine for swearing,” Ms Carlo added. “He was really angry.” A
spokesperson said officers were instructed to “use their judgment” on
whether to stop people who avoid cameras.... The Metropolitan Police has
described the deployments as
“overt” and said members of the public were informed facial recognition
was being used by posters and leaflets. But no one questioned by The Independent after they passed through a scanning zone in central London in December had seen police publicity material, and campaigners claim the technology is being rolled out “by stealth”."
Police stop people for covering their faces from facial recognition camera then fine man £90 after he protested
Independent, 1 February 2019
"Two weeks after leaving her position as an intelligence analyst for the
U.S. National Security Agency in 2014, Lori Stroud was in the Middle
East working as a hacker for an Arab monarchy. She had joined Project Raven, a clandestine team that included more
than a dozen former U.S. intelligence operatives recruited to help the
United Arab Emirates engage in surveillance of other governments,
militants and human rights activists critical of the monarchy. Stroud
and her team, working from a converted mansion in Abu Dhabi known
internally as “the Villa,” would use methods learnt from a decade in the
U.S. intelligence community to help the UAE hack into the phones and
computers of its enemies. Stroud had been recruited by a Maryland
cybersecurity contractor to help the Emiratis launch hacking
operations, and for three years, she thrived in the job. But in 2016,
the Emiratis moved Project Raven to a UAE cybersecurity firm named
DarkMatter. Before long, Stroud and other Americans involved in the
effort say they saw the mission cross a red line: targeting fellow
Americans for surveillance. “I am working for a foreign
intelligence agency who is targeting U.S. persons,” she told Reuters. “I
am officially the bad kind of spy.” The story of Project Raven reveals
how former U.S. government hackers have employed state-of-the-art
cyber-espionage tools on behalf of a foreign intelligence service that
spies on human rights activists, journalists and political rivals.
Interviews with nine former Raven operatives, along with a review of
thousands of pages of project documents and emails, show that
surveillance techniques taught by the NSA were central to the UAE’s
efforts to monitor opponents. The sources interviewed by Reuters were
not Emirati citizens. The operatives utilized an arsenal of cyber tools,
including a cutting-edge espionage platform known as Karma, in which
Raven operatives say they hacked into the iPhones of hundreds of
activists, political leaders and suspected terrorists. Details of the
Karma hack were described in a separate Reuters article today. An NSA
spokesman declined to comment on Raven. An Apple spokeswoman declined to
comment. A spokeswoman for UAE’s Ministry of Foreign Affairs declined
to comment. The UAE’s Embassy in Washington and a spokesman for its
National Media Council did not respond to requests for comment."
Special Report - Inside the UAE’s secret hacking team of U.S. mercenaries
Reuters, 30 January 2019
"Desperate for data on its competitors, Facebook has been secretly
paying people to install a “Facebook Research” VPN that lets the
company suck in all of a user’s phone and web activity, similar to
Facebook’s Onavo Protect app that Apple banned in June and that was
removed in August. Facebook sidesteps the App Store and rewards
teenagers and adults to download the Research app and give it root
access to network traffic in what may be a violation of Apple policy so
the social network can decrypt and analyze their phone activity, a
TechCrunch investigation confirms. Facebook admitted to TechCrunch it
was running the Research program to gather data on usage habits. Since
2016, Facebook has been paying users ages 13 to 35 up to $20 per month
plus referral fees to sell their privacy by installing the iOS or
Android “Facebook Research” app. Facebook even asked users to screenshot
their Amazon order history page. The program is administered through
beta testing services Applause, BetaBound and uTest to cloak Facebook’s
involvement, and is referred to in some documentation as “Project Atlas”
— a fitting name for Facebook’s effort to map new trends and rivals
around the globe. Seven hours after this story was published, Facebook
told TechCrunch it would shut down the iOS version of its Research app
in the wake of our report. But on Wednesday morning, an Apple
spokesperson confirmed that Facebook violated its policies, and it had
blocked Facebook’s Research app on Tuesday before the social network
seemingly pulled it voluntarily (without mentioning it was forced to do
so). You can read our full report on the development here. An Apple
spokesperson provided this statement. “We designed our Enterprise
Developer Program solely for the internal distribution of apps within an
organization. Facebook has been using their membership to distribute a
data-collecting app to consumers, which is a clear breach of their
agreement with Apple. Any developer using their enterprise certificates
to distribute apps to consumers will have their certificates revoked,
which is what we did in this case to protect our users and their data.”
Facebook’s Research program will continue to run on Android....Facebook
first got into the data-sniffing business when it acquired Onavo for
around $120 million in 2014. The VPN app helped users track and minimize
their mobile data plan usage, but also gave Facebook deep analytics
about what other apps they were using....Once installed, users just had
to keep the VPN running and sending data to Facebook to get paid."
Facebook pays teens to install VPN that spies on them
TechCrunch, 30 January 2019
"Walgreens Boots Alliance Inc. is testing a technology that embeds
cameras, sensors and digital screens in the cooler doors in its stores, a
new network of “smart” displays that marketers can use to target ads
for specific types of shoppers. The refrigerator and freezer doors
act as a digital merchandising platform that depicts the food and
drinks inside in their best light, but also as an in-store billboard
that can serve ads to consumers who approach, based on variables such as
the approximate age the technology believes they are, their gender and
the weather. This new technology could provide brick-and-mortar stores
with a marketplace similar to online advertising. Ice cream brands could
duke it out to get the most prominent placement when it is 97 degrees
outside; an older man could see ads for different products than a
younger woman. Cameras and sensors inside the coolers connected to
face-detection technology also can determine which items shoppers picked
up or looked at, giving advertisers insight into whether their
on-screen promotions worked—and can let a retailer know quickly if a
product has gone out of stock.... The company says it only produces and stores anonymous metadata that
describes the size and demographics of an audience, and doesn’t store or
transmit image data or unique identifying information about shoppers.
Walgreens also is posting a privacy statement and a concierge to answer
customer questions near the coolers in its stores that test them, a
Walgreens spokesman said."
Walgreens Tests Digital Cooler Doors With Cameras to Target You With Ads
Wall St Journal, 11 January 2019
"At the tail end of 2018, Michigan approved Public Act 656, making electronic license plates legal. Yes,
the stubbornly unchanging, unconnected rectangles that have been
identifying cars for well over a century are finally getting a new look.
The makeover, which comes courtesy of Silicon Valley startup Reviver
Auto, is an Amazon Kindle–like display that bolts onto the front or back
of the car, and does more than just show the standard plate number and
state-celebrating miscellany. It lets you update the registration
stickers on your car through an app instead of dealing with the DMV. It
can display Amber alerts.
It can be used as a miniature, knee-level billboard (when the car is
parked). If someone steals the car, it can read “$NDHLP!” or the more
serious “Stolen Vehicle.” It can double as your E-Z Pass, FasTrak, or
whatever RFID-based device you use to pay tolls.
It can track your car’s location, so you can keep tabs on your
teenager. “It’s a platform that supports a lot of different
functionality,” says Reviver cofounder and CEO Neville Boston. “I see it
less as a license plate and more as a communication portal.” Digital
displays have been allowed in California as part of a pilot program
since last summer; Texas and Florida also permit them. Reviver hasn’t
moved into those last two states yet, but Boston wants to have his
product in six states by the end of the year, and is also looking to
offer it in Canada and Dubai. His company dominates this market—when the
California DMV asked for bids so it could offer this system, Reviver
was the only bidder, the San Francisco Chronicle reported. Reviver’s
plates, though, don’t come cheap. Deliveries won’t start until the
spring, but you can preorder the basic RPlate for $499, or drop $799 on
the RPlate Pro, which has more advanced telematics features....Cost and the inevitable privacy concerns that come with another location-tracking device
may not slake consumers’ thirst for new gadgets, but it’s not clear
that Reviver’s product does anything unique. Consumers who want insights
into their travel patterns (plus data on fuel consumption and engine diagnostics) can get cheaper options that plug into the car’s OBD-II port, like Automatic, Autobrain, and Verizon Hum.
Lots of automakers offer apps that provide similar data for their cars.
The windshield-mounted devices most people use to pay for tolls cost
about $30."
Do You Need a Digital License Plate? One Startup Thinks So
Wired, 21 January 2019
"The CEO of Israeli
spyware company NSO Group has admitted that its software was used to
spy on the Emir of Qatar. In an interview with Yedioth Ahronoth this weekend, Shalev
Hulio admitted that his company’s product was used to spy on Emir Tamim
Bin Hamad Al-Thani, as well as Qatari Foreign Minister Mohammed Bin
Abdulrahman Al-Thani. The interview
disclosed that NSO’s “Pegasus” software – which can be used to remotely
infect a target’s mobile phone and then relay back data accessed by the
device – was used to intercept phone calls and text messages made by
both the Qatari foreign minister and the Emir. These conversations
reportedly concerned “hundreds of millions of dollars in ransom to Iran
and Hezbollah for the release of several Qataris,” some of which was
allegedly sent to the commander of the Iranian Revolutionary Guards’
Quds Force, Qasem Soleimani. This
spying was seemingly undertaken at the behest of the United Arab
Emirates (UAE). Hulio revealed that the Israeli Defense Export Control
Agency (DECA) authorised three deals with the UAE for the sale of NSO
software, despite the fact that DECA is only supposed to give
authorisation for the “purpose of fighting terrorism and crime”. These
deals – allegedly mediated by former senior Israeli defence officials
with close ties to a senior Emirati official – raised a total of $80
million in revenue for NSO. NSO’s Pegasus software has come under
increasing scrutiny in recent months after the product was revealed to
be complicit in the murder of Saudi journalist Jamal Khashoggi. Though
Hulio stressed in the interview with Yedioth Ahronoth this weekend that
“Khashoggi was not targeted by any NSO product or technology, including
listening, monitoring, location tracking and intelligence collection,”
it appears that Saudi Arabia used NSO software to spy on many of
Khashoggi’s friends and associates. US whistle-blower Edward Snowden has
been at the forefront of these claims, telling the Israeli newspaper:
“I do not pretend that NSO is involved in hacking [directly] into
Khashoggi’s phone, so their denial does not take us to a different
conclusion. The evidence shows that the company’s products were involved
in hacking into the phones of [Khashoggi’s] friends Omar Abdel Aziz,
Yahya Assiri, and Ghanem Al-Masarir.”"
Israel company admits spying on Emir of Qatar
Middle East Monitor, 14 January 2019
"One benefit of cities being “smart” is their ability to
use communications technology to integrate key industries and
infrastructure in a way that generates growth and benefits everyone.
London, for example, contributes about a third of all taxes paid in the
United Kingdom. However, this makes smart cities
attractive targets for large-scale malicious cyberattacks, as a single
attack would have widespread implications. In March 2018, a cyberattack
on poorly secured public computer systems in Atlanta – a city known for
its investment in smart applications – shut down many of the city’s
functions, some for months.... In 2019, as more smart cities become established, our
urban environments will be even more vulnerable to attacks. The
communications networks that underpin smart cities rely on relatively
new technologies, such as Internet of Things (IoT) applications. These
technologies – particularly sensor networks – are not cyber secure.
Many cities, for instance, use smart sensors to reduce transport
congestion and to manage smart-parking initiatives. However most
wireless sensors used in the public domain are relatively cheap and do
not have built in security architecture; they are not secure by design. IoT
systems, such as smart-grid technology, are also increasingly
interconnected with each other and with the global internet, meaning
that access to one can often mean access to many. And, according to
Gartner, the consultancy company, by 2020 the number of IoT devices in
the world will outnumber the world population. Such a level of complex
connectivity increases the risks of attack substantially.... As the Atlanta case has shown, a successful cyber-attack
can lead to a big disruption to business, daily life for city-dwellers,
loss of reputation for companies and declining trust in emerging
technologies from end-users. And, as smart systems are interconnected
and interdependent, an attack on something as “trivial” as parking
sensors, could give an attacker access to nodes that connect with
critical national infrastructure, thus endangering national security. Smart cities, of course, also create another
challenge: the large amounts of data they generate, which could fall
into the wrong hands and be used for malicious purposes. Data about
contactless card payments on a public-transport network, for example,
can give a good picture of the daily circulation rates in a city, the
most commonly used routes and transportation hubs and times when such
hubs are most crowded, all of which could be used by malicious actors to
cause maximum disruption. Smart-city administrations
now have no choice but to understand more comprehensively both the
opportunities and risks that emerging technologies present. And, to
protect themselves and their citizens, they will have to find ways of
forging stronger partnerships with the private sector, which is already
playing a significant role in conducting risk assessments and which also
has much to lose from a cyberattack on the infrastructure."
Smart cities are an absolute dream for infrastructure cyberattacks
Bloomberg, 14 January 2019
"The “smart home” of the 21st century isn’t just supposed to be a
monument to convenience, we’re told, but also to protection, a Tony
Stark-like bubble of vigilant algorithms and internet-connected sensors
working ceaselessly to watch over us. But for some who’ve welcomed in
Amazon’s Ring security cameras, there have been more than just
algorithms watching through the lens, according to sources alarmed by
Ring’s dismal privacy practices.... Ring unnecessarily provided
executives and engineers in the U.S. with highly privileged access to
the company’s technical support video portal, allowing unfiltered,
round-the-clock live feeds from some customer cameras, regardless of
whether they needed access to this extremely sensitive data to do their
jobs. For someone who’d been given this top-level access — comparable to
Uber’s infamous “God mode” map
that revealed the movements of all passengers — only a Ring customer’s
email address was required to watch cameras from that person’s home.
Although the source said they never personally witnessed any egregious
abuses, they told The Intercept “if [someone] knew a reporter or
competitor’s email address, [they] could view all their cameras.”....
Despite its mission to keep people and their property secure, the
company’s treatment of customer video feeds has been anything but,
people familiar with the company’s practices told The Intercept.
Beginning in 2016, according to one source, Ring provided its
Ukraine-based research and development team virtually unfettered access
to a folder on Amazon’s S3 cloud storage service that contained every
video created by every Ring camera around the world. This would amount
to an enormous list of highly sensitive files that could be easily
browsed and viewed. Downloading and sharing these customer video files
would have required little more than a click. The Information, which has
aggressively covered Ring’s security lapses, reported on these practices last month. At the time the Ukrainian access was provided, the video files were
left unencrypted, the source said, because of Ring leadership’s “sense
that encryption would make the company less valuable,” owing to the
expense of implementing encryption and lost revenue opportunities due to
restricted access."
For Owners of Amazon’s Ring Security Cameras, Strangers May Have Been Watching Too
Intercept, 10 January 2019
"This week at CES, the international consumer electronics show in Las
Vegas, a host of startup companies will demonstrate to global
automakers how the sensor technology that watches and analyzes drivers,
passengers and objects in cars will mean enhanced safety in the
short-term, and revenue opportunities in the future. Whether by
generating alerts about drowsiness, unfastened seat belts or wallets
left in the backseat, the emerging technology aims not only to cut back
on distracted driving and other undesirable behavior, but eventually
help automakers and ride-hailing companies make money from data
generated inside the vehicle.....It is not yet clear how consumers in the age of Facebook Inc (FB.O) and virtual assistants like Amazon.com Inc’s (AMZN.O)
Alexa will react to the potentially disconcerting idea of being watched
- then warned - inside a vehicle, especially as cars become living
rooms with the advent of self-driving....Tesla owners have speculated about the Model 3’s currently
inoperational interior camera, with some asking in forums whether “Big
Brother” was watching. “Put a small piece of scotch tape on it ... and you can nose pick again ...” advised one post."
Move aside, backseat driver! New tech at CES monitors you inside car
Reuters, 8 January 2019