Narrative: Declining Privacy & Security

Each narrative page (like this) has a page describing and evaluating the narrative, followed by all the posts on the site tagged with that narrative. Scroll down beyond the introduction to see the posts.

Each post below is tagged with Company/Division names, Topics, and Narratives, as appropriate.

    FCC and FTC Heads Outline Policy on Internet Privacy (Apr 5, 2017)

    In an op-ed in the Post this morning, the chair of the FCC and acting chair of the FTC write up their views on the internet privacy debate that’s been roaring in online tech publications over the last few weeks. As I’ve said previously (and discussed in depth in last week’s News Roundup podcast), the reaction on this topic has been overblown, and understanding poor, though the major players on the other side haven’t really helped themselves. The major ISPs only began communicating on the topic after the congressional vote was over, and only now are the FCC and FTC chairs communicating clearly about the issue. But the reality is that this issue of internet privacy can only really be resolved by new regulation from the FTC, which will end up once again having responsibility for online privacy as it did until 2015.

    via FCC and FTC Chairs’ Editorial in The Washington Post

    Samsung’s TV and watch OS is reportedly full of security holes – The Verge (Apr 4, 2017)

    We’re talking here about Tizen, Samsung’s alternative operating system which it uses for smartwatches, TVs, and to a lesser extent phones, and some security researchers are claiming there are widespread security vulnerabilities in that software. Some of the characterizations in this article seem like a bit of a stretch – it would be very odd indeed if Samsung had done as little to provide security in Tizen as the researcher quoted suggests. But these allegations are becoming part of a pattern recently in relation to Samsung, between the Wikileaks smart TV story, the more recent (and more serious) story on smart TV hacking through broadcast signals, and now this. It’s particularly problematic for Samsung because it has worked so hard over the last few years to develop Knox, its enterprise security solution, which is best in class in the Android world. It simply can’t afford to get a reputation for poor security when it’s trying to become the de facto standard for Android devices in the enterprise, and needs to address these vulnerabilities – and the broader claims – quickly and definitively.

    via The Verge

    Samsung Smart TV Hacked With Manipulated Broadcast Signal – Variety (Apr 3, 2017)

    Whereas the CIA / Wikileaks stories about Samsung smart TVs being hacked were somewhat overblown (they largely affected older TVs and required physical access to sets), this hack is more worrying because it would affect newer TVs and could be delivered remotely. However, for any kind of widespread effect, it would require hacking into a broadcast or IPTV stream, which in itself would be no mean feat, and of course would only work on TVs that happened to be accessing that stream during the time when it was compromised. Still, the broader worry here is, once again, that any device connected to the internet is at least theoretically vulnerable to hacking, and devices such as TVs with less sophisticated security systems than computers and smartphones are often the most vulnerable and hardest to patch.

    via Variety

    EFF withdraws Verizon spyware claims – CNET (Mar 31, 2017)

    This is an example of the hysteria we’re all being subjected to around the recent overturning of privacy rules regarding ISPs by the US Congress, and the dangerous places it can lead. The EFF, a consumer rights group particularly concerned with privacy, first wrote and then essentially entirely withdrew a post hyperventilating about a new app Verizon is testing on one obscure smartphone, once it gave Verizon a chance to respond and it provided an entirely reasonable response. In and of itself, this story isn’t that important, but it is symptomatic of a lot of the overblown rhetoric we’ve seen in the past week about carriers selling browser histories. The reality is that, because the new rules never actually went into effect, this week’s congressional action changed absolutely nothing from the status quo. And carriers no more have any intention of literally selling anyone’s browser history than Google or anyone else does – what they may do is use your browsing history to target advertising or their own products, just as Google, Facebook, and many other entities already do. Reasonable people can disagree on whether that’s a good thing or not, but it’s a fact of life for all of us already if we use these services. To pretend that what’s happened this week is the beginning of what EFF calls the privacy apocalypse is a total disservice to everyone involved, a form of crying wolf which is likely to make it much harder to get real attention onto real issues in the future.

    via CNET (EFF’s withdrawn post here)

    Apple Extortionists Seemingly Trading Media Exposure for More Accounts – Motherboard (Mar 28, 2017)

    This story has been somewhat misreported, although this article does a decent job. It appears a hacking collective is claiming to have lots of username / password sets for iCloud accounts, though it appears that the source of the data is a hack of some other site or sites rather than any of Apple’s own. That breach then seems to have allowed the hackers to take iCloud.com email addresses and the passwords used on other sites and use them to access iCloud services as well. In other words, this isn’t an Apple hack at all, and is only effective because people are reusing passwords on multiple sites. Using two-factor authentication and unique passwords is therefore still the best defense against this kind of thing, although Apple still has to deal with the headache of both false claims and threats from this hacking group.

    via Motherboard

    After the London terror attack, a top U.K. official says Facebook needs to open up WhatsApp – Recode (Mar 27, 2017)

    This is a worrying (though not altogether unexpected) resurfacing of the arguments from early 2016, when the FBI was trying to get into an iPhone owned by one of the San Bernardino shooters. In this case, UK Home Secretary Amber Rudd (whose role has no direct counterpart in the US, but is responsible for domestic law enforcement and counter-terrorism among many other things) has made calls for WhatsApp to “open up” and specifically referred to encryption. That’s because WhatsApp was allegedly one of the apps used by the terrorist behind last week’s attack in London, though there’s no evidence yet that he used it to plan the attack or coordinate with others. The bigger issue, as with last year’s Apple-FBI fight, is of course that once the government can get in, there’s no guarantee others won’t use the same methods, whether that’s because of hacks like the one that hit Cellebrite a few weeks ago, or exposures of government tools like the Wikileaks CIA hack. Encryption is a fact of life at this point, and essential for secure communication and protection of privacy for millions of law-abiding users, and no government back door can solve the law enforcement problem without also compromising that essential function. And the Rudd quote in the closing paragraph of this story suggests she doesn’t actually understand the FBI-Apple situation at all, which is not surprising from a government official but worrisome nonetheless.

    via Recode

    Facebook Messenger update helps you keep tabs on your friend’s location – Mashable (Mar 27, 2017)

    Google introduced its own location-sharing feature last week, but Facebook’s is far more limited – it works within the context of a Messenger interaction, and only for an hour at a time, which feels a good bit less prone to accidental over-sharing. It also feels more useful in the messaging context, where you’d be likely to share messages with someone about meeting up, than in a Maps app, which might mean dipping out of a conversation to check the location (even if it might be useful when meeting at a new spot). As I mentioned last week, it’s interesting to see location sharing making a comeback when both Google and Facebook had previously backed away from this kind of thing over privacy concerns – that suggests a certain confidence over privacy issues that wasn’t there a few years ago, although both companies still seem to be approaching this more narrowly than in the past.

    via Mashable

    Senate Republicans voted today to kill federal privacy rules – Recode (Mar 23, 2017)

    I’ll refer readers back to last week’s comment on this topic, even though the news has moved on a little. That item was about telcos lobbying for a change in laws regarding user data, whereas today’s news is about the Senate pushing through a bill that would enact the change, but the issues are the same. At root, the telcos have argued that they shouldn’t be regulated more tightly than the internet companies that already gather and sell lots of data on users, and that therefore regulations introduced last year should be overturned. Of course, both web companies and other entities like data brokers already gather, aggregate, and sell masses of user data, so there’s some merit to the argument that telcos shouldn’t be the only ones singled out here. ISPs have also argued that they’ve voluntarily agreed to codes of conduct which would bind them in similar ways without this regulation. Regardless, the optics of a move such as this bill are terrible both for the ISPs and for the (mostly Republican) senators who have backed it.

    via Recode

    Google Maps will let you share your location with friends and family for a specific period of time – TechCrunch (Mar 22, 2017)

    Location sharing is one of those really thorny privacy issues, and Google has gone back and forth on it over time precisely for this reason. In this case, it’s now opening the feature back up, though now in the Google Maps mobile app, and with some sensible limits, such as time- and person-based sharing. I can see a lot of utility in sharing my location with someone temporarily if we’re planning to meet up or if I’m on my way home and want to share an ETA. On the other hand, sharing that information with friends or family members means sharing it with Google too, and presumably also means your Google Maps app has to be running and tracking your location in the background, which has battery implications. For some people, those will be non-issues, but for others they make it less palatable to use these features. And of course the more openly you share your location (and the more companies track it) the more ways there are for hackers (and law enforcement) to access it too.

    via TechCrunch

    ISPs say your Web browsing and app usage history isn’t “sensitive” – Ars Technica (Mar 20, 2017)

    CTIA, which is the industry association that represents the largest US wireless carriers, is arguing before the FCC that it shouldn’t be subjected to new rules on sharing data it collects on its users. The carriers have argued that Google and other online service providers aren’t subject to the same rules (those companies are regulated primarily by the FTC rather than the FCC) and so for consistency’s sake the carriers should be treated the same way. This is really about a technical definition of the word “sensitive” – clearly the kind of data being talked about here is indeed enormously sensitive, but the real question is how disclosure of that data is regulated. This matters because, for example, AT&T as a fiber broadband carrier in certain parts of the country has offered a service discount for customers who consent to tracking of their web browsing history and so on, something which it argues Google does all the time without explicitly asking for users’ permission to do. What the carriers are arguing here is that they should be allowed to continue to do this kind of thing without having to ask users to opt in first. The carriers look likely to win given the current hands-off policy stance of the FCC, which means more erosion of user privacy, but the proper approach would be for the FTC and FCC to work together to craft a set of consistent rules that would apply to all players that get access to similar data, rather than each regulating in a vacuum.

    via Ars Technica