Narrative: Declining Privacy & Security


Each post below is tagged with company/division names, topics, and narratives, as appropriate.
    US Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts (Mar 15, 2017)

    The stories that broke immediately before this press conference and announcement from the US DoJ suggested only that Russian nationals were involved, but the formal announcement makes clear that these were Russian agents and not just citizen hackers. That’s a good reminder that state-sponsored attacks are among the biggest things all online service companies have to worry about in our day and age, whether the state behind the hacking is Russia, China, North Korea, or some other country. Yes, ordinary hackers will still try and occasionally succeed in breaching these systems, but state sponsorship can put massively more resources behind a hack like this, and often has more success. That, in turn, raises the bar for companies vulnerable to this kind of hacking in terms of their security defenses, but it should also make users think about what information they’re entrusting to these systems.

    via Department of Justice

    Apple Joins Group of Companies Supporting Google in Foreign Email Privacy Case – Mac Rumors (Mar 14, 2017)

    Given the way other big tech companies had weighed in on the related Microsoft case over the past few years, it was a little odd that more hadn’t sprung to Google’s defense in this one, but it’s good to see that they are now doing so. These cases have far-reaching consequences not just for user privacy but for the ability of US companies to do business in overseas markets, and those companies need to defend themselves vigorously. The final outcome of both cases is therefore worth watching closely.

    via Mac Rumors

    Google’s Allo app can reveal to your friends what you’ve searched – Recode (Mar 14, 2017)

    Now that I’ve finally got around to writing this up, it appears Google has patched the specific issue highlighted in this piece, but it’s still worth talking about for a couple of different reasons. For one, anytime you bring a virtual assistant into an existing conversation between two or more human beings, there’s a tension between the bot knowing as much as possible about each participant and using that to be helpful on the one hand, and avoiding exposing personal information about the participants on the other. Google appears to have screwed that up here in a way that could have been damaging or embarrassing for users, though it has now been patched. Secondly, this kind of thing can only happen when you collect and keep enormous amounts of data on your users in the first place – a company that neither collects nor retains such data in a profile could never expose it. It’s clear that Google didn’t intentionally do so here, but it was able to do so anyway because of its business model. Competitors such as Apple might argue that not collecting such data, or keeping it secured on a device rather than in the cloud, would make it impossible for a cloud service to share it with others. We’re going to have to work through lots more of these scenarios in the years to come, and the competition between companies that strictly preserve privacy and those that use personal data to improve services will be a critical facet of that evolution.

    via Recode

    FBI Director Comey Criticizes Encryption Again – BuzzFeed (Mar 8, 2017)

    If ever there were a terrible week for the FBI to restate its case against encryption, this would have to be it, given the Wikileaks CIA leak, which demonstrated that the CIA regularly engages in hacking of electronic devices, and given that Wikileaks claims to have the code for the tools themselves. Any backdoor for the government would be subject to the same sort of breach that has clearly affected the CIA and its hacking tools, so there is no reason to believe that the FBI would be able to protect such tools adequately if they existed. And the broader statement about privacy in the BuzzFeed headline here is chilling too. The reality is that there have always been aspects of citizens’ lives which have been inaccessible to law enforcement, not least their private conversations which happen outside earshot of bugs and wiretaps, and protections against self-incrimination, which should logically extend to things like smartphones too. And any tools created for or by the government to bypass such protections are inevitably going to fall into the wrong hands eventually.

    via BuzzFeed

    Wikileaks Could Still Release CIA Hacking Tool Code – USA Today (Mar 8, 2017)

    Though the CIA leaks from Wikileaks earlier this week are worrisome in their scope and bad news for the vendors whose devices and platforms have been compromised, there’s at least some comfort in the knowledge that these tools have at least theoretically been subject to due process in the past. However, Wikileaks claims that it has the code for the hacking tools themselves and is debating releasing that code, which would make it available to any hacker who wanted to use it, dramatically increasing the potential for misuse against regular individuals. Again, Apple has said (and Google also finally confirmed this evening) that most of the vulnerabilities have already been patched in recent versions of their respective software, so that should be some defense. But as I’ve said already this week, what a vindication of Apple’s refusal to cooperate with the FBI a year ago over hacking an iPhone.

    via USA Today

    Apple says it’s already fixed many WikiLeaks security issues – USA Today (Mar 8, 2017)

    I suggested this was the case in my coverage of the leak yesterday, but Apple has now issued an official statement to that effect as well. I would guess Apple is still digesting all the information leaked – there’s a lot of it – but it has said that most of the vulnerabilities outlined have already been patched in the latest versions of its software, and fixes for the rest should be coming soon. Samsung has also issued a statement on its TV vulnerabilities, but it’s far less reassuring – it only says it’s aware of and is looking into these hacks. In fairness, though, the Samsung hack appears to require physical access, with a USB stick plugged into the TV to install the malware, which means that if you’re a victim you likely have far bigger things to worry about than your TV listening to you – this isn’t a large-scale remote hack that would affect the population as a whole.

    via USA Today

    Self-driving cars are watching us and recording our data whether or not we’re watching the road — Quartz (Mar 7, 2017)

    This article is part good reporting, part opinion, and comes with a clear point of view (which I’d articulate as “carmakers are collecting too much data on us and our driving behavior with insufficient transparency and opt-outs”). But the reporting is well worth reading whether or not you agree with that point of view: the piece does a good job of spelling out all the data that’s being collected by various automakers old and new, and what it’s being used for. And indeed, this data is critical for developing both ADAS and autonomous driving systems, because it’s only by measuring real-world human driver behavior at massive scale that cars can be taught both how to drive like human beings (which is important for trust and comfort) and how to drive better than human beings (which is important for safety). The legacy carmakers obviously have a big advantage here because they have many more cars on the road and hitting the road each year than newcomers like Tesla, let alone non-carmakers like Uber and Google. But it’s how that data is collected and used that makes all the difference here – putting advanced sensors in cars is critical to getting the rich data needed, but it also raises big privacy concerns which I suspect we’re going to hear a lot more about in the coming years.

    via Quartz

    No, WikiLeaks Didn’t Just Reveal That The Government Has Access To Your Secure Messaging Apps – BuzzFeed (Mar 7, 2017)

    This is one of those stories where lots of publications are rushing to publish the most frightening headline without doing their reporting first, so kudos to BuzzFeed here for debunking right away one of the big tropes that’s doing the rounds. There’s nothing about secure messaging apps being compromised in the documents – rather, devices have allegedly been compromised, and of course once a device is compromised everything on it is too. However, even those claims of devices being broadly compromised are being disputed by some security experts – see here, for example. And Business Insider also argues that those on recent versions of iOS (79% of devices on iOS 10 and another 16% on iOS 9) are safe from all the exploits listed. I suspect there will be lots more to come here, and as usual being on the latest version of Android is a lot harder than on iOS so the same protections don’t necessarily apply, but everyone should be trying to understand first, publish second when it comes to this data dump. And of course all this just reinforces arguments Apple and others have made about not trusting the government with back doors for encryption and the like.

    via BuzzFeed

    Cellebrite director says firm now doing ‘lawful’ extraction of data through iPhone 6 – AppleInsider (Feb 23, 2017)

    This is the same firm that was recently hacked, supposedly exposing some of the tools it uses to crack iPhones, and now it’s boasting that it can crack iPhone 6 models in addition to the earlier models it has long been able to crack. I’ve still never seen any kind of official commentary on the hack of Cellebrite itself, but if that really did happen the fact that the company is getting ever better at hacking iPhones while leaving itself open to hacking should be worrying to lots of people. And if US law enforcement is still regularly paying Cellebrite to do this work without ensuring that it is able to keep the hacks secure, then it shares part of the blame by funding this work which ultimately puts regular users at risk.

    via AppleInsider

    Vizio to Pay Fines Over Unlawful Tracking and Selling of User Data (Feb 7, 2017)

    It turns out Vizio has been collecting extremely granular data on users of its smart TVs, and then matching its IP address data with offline data about individuals and households (essentially everything short of actual names). And it’s done all this without making users properly aware that this was what it was doing. The data related to everything consumers watched on the TVs, whether the content came through Vizio’s own smart TV apps or merely through one of its inputs from another box or antenna. Something I’d forgotten was that Vizio filed an S-1 in preparation to go public back in 2015 – it never actually went public because Chinese player LeEco decided to acquire them (a deal due to close shortly). Aside from talking about how many TVs the company sells, the S-1 makes a big deal of the “up to 100 billion viewing data points daily” it collects from 8 million TVs, and touts its InScape data services, which package up this data for advertisers, although it says this data is “anonymized”, which feels like an alternative fact at this point. The risk factors in the filing even mention possible regulatory threats to such data gathering, so it’s probably fair to say that Vizio shared more information with its potential investors about the data it was collecting than it did with end users. To settle the case, Vizio has to pay a total of $2.2m to the FTC and the state of New Jersey (whose AG brought the suit with the FTC), discontinue the practice, and disclose it to consumers. I can’t wait to see how it manages that last point – imagine turning on your Vizio TV one day and seeing a message pop up about the fact that it’s been tracking your every pixel for the last several years. Assuming that’s done right, it could be the most damaging part of this for Vizio, which made over $3 billion in revenue in its most recently reported financial year. Meanwhile, yet another headache for LeEco to manage.

    via Federal Trade Commission