A reviewer at Android Police reports that he discovered the Google Home Mini unit he was testing was recording nearly everything he said while in its vicinity, because the device erroneously thought he was holding down the button which acts as an alternative to its wake word. Google has now pushed a software patch which disables that button entirely for the time being, to ensure that doesn’t happen to others. Given that many people already feel uncomfortable with the idea of an always-listening device in their home, the idea that it could be recording and transmitting to Google’s servers everything that’s being said because of a bug will not instill confidence. This is something of a nightmare scenario for these devices, and the fact that Google turned off a feature of the device to fix it indicates just how seriously it’s taking the issue. Reviews of the Mini have dribbled out here and there and have mostly been positive, while this is the first mention I’ve seen of this issue, but it’s certainly not a great start for the Mini.
via Android Police
A developer named Felix Krause has surfaced an issue that’s been present in Apple’s iOS for a long time and which I’ve often wondered about myself, which is that the operating system periodically pops up what appear to the user to be random dialog boxes asking users to supply their Apple ID passwords. Because of the seemingly random times and places these dialogs show up, they train users to enter their passwords when using apps, which means that apps could at least theoretically recreate these dialogs with their own and thereby phish users’ Apple ID details, creating a security vulnerability. The post Krause wrote about this suggests several fixes, the most obvious of which is that these dialogs should direct users to the Settings app rather than prompting for a password directly. In my opinion, it would also be nice if the dialogs explained why the user suddenly had to re-enter their password – the lack of explanation is another long-standing niggle I have with these dialogs. But this feels like a rare goof by Apple, which is normally so strong on privacy and security but has here created a situation which could easily be exploited by malicious parties. It’s easily fixed, though, and hopefully Apple will do so soon.
via Felix Krause
The Yahoo breach reported before its acquisition by Verizon closed, and which had been said to affect 1 billion accounts, is now reported to have affected all 3 billion accounts Yahoo had. That could be a bit of a misleading number, given that there’s no way Yahoo had 3 billion separate customers – many of these accounts were likely dormant and duplicates of other accounts, so the actual number of people affected is likely far smaller, and the number who will have had sensitive information shared even smaller. But it’s still a staggering number. However, I’d bet that with the ongoing chatter about the Equifax hack (including the former CEO’s testimony in Congress this week), as well as the broad political story around tech companies and Russian election meddling, this will blow over really quickly and the additional fallout for Verizon and/or the Yahoo brand will be minimal. That may be sad, but no less true for that.
As new versions of Apple’s operating systems and new iPhone hardware roll out, Apple has updated its website’s privacy section to reflect some of the recent changes and especially to deal with questions users may have about the Face ID feature on the upcoming iPhone X. The site starts with big picture statements about Apple’s commitment to privacy, starting with the assertion that “At Apple, we believe privacy is a fundamental human right” and moves on to more detailed descriptions of Apple’s approach to privacy. In a nutshell, the policy described there is that Apple isn’t interested in your personal data, enables you to determine with whom to share it, and also provides tools for you to protect your information and devices. Apple also addresses its use of differential privacy, which has been in the news lately for a couple of different reasons, including a recent study which asserted that it’s weaker as a privacy protection than Apple says, but also because of changes to Safari data gathering in macOS High Sierra.
For Apple, the key is that it has no reason to infringe on its users’ privacy, because its business model is best served by protecting that privacy rather than gathering data on its users. That’s a meaningful differentiator for at least some Apple customers, and reinforcing these values will be important to them, but for many other customers Apple, Google, Microsoft, and other companies’ privacy policies are not a matter of significant moment. That could of course change in time as these companies have potential access to more and more personal data including health data, but for now the surveys I’ve seen suggest that trust levels are broadly similar between big companies and most people don’t avoid companies like Google because of their business models and approach to data gathering.
Wired reports on a third-party study which claims that Apple’s approach to differential privacy – the method Apple says it uses to obfuscate individuals’ data when uploading it to the cloud – is inadequate to really protect those users’ privacy. That study dug into Apple’s code and on that basis makes claims about the degree to which Apple has added noise to the data, that degree being the single biggest factor in determining how obscured the individual’s private information is. The authors claim that Apple’s differential privacy approach adds far too little noise to data to preserve privacy. Apple has pushed back, saying that the researchers’ approach assumed that it treats all data the same way and that aggregating data across multiple categories would reveal more about users than looking at single data points, assertions Apple disputes.
One of the most telling lines in the article has one of the researchers saying that the DP approach is based on the assumption that companies will always behave badly, something Apple would clearly dispute too – it prides itself on protecting users’ privacy, generally doesn’t use business models which require it to collate data about users to target advertising, and requires users to opt in to any of this data gathering in the first place. As such, some of the assumptions being made by the researchers may be reasonable in general but not as applicable to Apple as to other companies. The fundamental issue here, though, is that Apple isn’t transparent about its approach, something I would guess it would attribute to competitive sensitivity, but which – like all company claims about privacy – requires users to take many of their privacy claims on trust. Whether you’re OK with Apple’s approach should therefore depend less on claims like those made by these third party researchers and more on whether you trust Apple overall when it comes to privacy. Surveys I’ve been involved with have generally shown high levels of trust on that point among Apple users and the population in general.
Though the headline on the Recode piece linked below says Apple is facing questions from the US Senate on its new Face ID feature, the reality is that the questions are coming from one Senator: former comedian Al Franken, who’s always taken an interest in tech issues and tends to use them to raise his public profile. A number of the questions he’s posing have already been addressed by Apple (including in its public announcement of the feature) while others suggest Franken thinks Apple is Google or some other company which regularly uses data on its customers to target advertising. All of which suggests he either hasn’t taken time to understand the feature properly, or is simply grandstanding, which frankly feels more likely. Apple’s stance on privacy and security is abundantly clear at this point, as demonstrated by its approach to the Touch ID feature (which Franken previously investigated in a similar way). None of that will stop people freaking out about the feature, and coincidentally or not the Economist magazine’s cover story this week is about the dangers of companies collecting facial data. But Apple is storing this data on the device in ways that make it inaccessible to anyone but the user, and unusable for purposes other than those intended by Apple and approved by the user.
Instagram Says Error Allowed Hackers to Obtain Celebrity Email Addresses, Phone Numbers (Aug 30, 2017)
Uber Stops Tracking User Locations After Dropoffs (Aug 29, 2017)
Based on observations of the new method in the wild, Marketing Land says Facebook appears to be testing showing people ads on Facebook based on the physical retail stores they have recently visited, leveraging location data from the Facebook app. If people already think that being retargeted on Facebook based on shopping on other sites is creepy, this is going to blow their minds, especially because many people may not realize that Facebook is even able to track their location when they’re not actively using the app. That background location tracking is used to power some services in the app, and in the iOS privacy settings, Facebook can be set only to use location while in the app, but there doesn’t seem to be a similar option on Android, where all I can see is a single on-off location toggle per app at an OS level. None of this should surprise us, however: the name of the game in advertising is targeting, and the more available the better as far as these companies are concerned. As long as there’s some disclosure somewhere of what’s being gathered and why, and consumers have an opt-out option, they’ll feel they’re covered. But between Snapchat’s recent moves in the opposite direction and this testing by Facebook, it feels like we may be about to wade into our first real set of privacy concerns around major social networks in several years, after companies pulled back significantly a few years back following something of a backlash. Users have been like the proverbial frogs in boiling water since, with the erosion of privacy so subtle and incremental as to never present a single step big enough to warrant objections, but I suspect that may be about to change.
via Marketing Land