Trump Administration Asks States to Hand Over Voter Rolls

Elections, Exposure, Voting

Election officials across the 50 states received a letter this week from Kris Kobach, Kansas Secretary of State and the vice chairman of a White House commission looking into voter fraud. The commission is chaired by Pence and was established by Trump after his claims that 5 million people voted illegally in the election that brought him into office. Requested in the letter: names, addresses, dates of birth, political party, last 4 digits of SSN, and which elections each person voted in since 2006. For all voters. In the country. Kobach is known for advocating that state voter data be compared to auxiliary sources to pick out non-citizens or people otherwise ineligible to register.

Voter advocacy groups argue that such a comparison process is flawed and will result in legitimate voters being barred from the vote. CA’s Secretary of State, Alex Padilla, responded that he would not provide sensitive voter information to the commission. Democrats are wary of Kobach’s motives in seeking these data, as well as those of the commission, claiming that the lack of transparency is evidence of efforts to suppress votes.

Source: NPR

Snapchat’s New Snap Map: How It Shares Location

Exposure, Online privacy, Smartphones, Social Media

Last week, the social media application Snapchat released a new location sharing feature: Snap Map. Snaps can be added to the “Our Story” map, which is public and is intended to show snaps related to world events. Snap locations can also be shared with friends. Location sharing is opt-in, as the app defaults users to “Ghost Mode,” meaning that location is not shared. However, Snapchat gives the impression in its introductory video that location is shared when a user posts a story. In reality, if a user is not in Ghost Mode, location is shared to the map (visible to the user’s friends) each time the app is opened. This results in the routine sharing of users’ home locations. It is inherently risky for those who frequently open Snapchat on the go, thereby leaking breadcrumbs of their daily trajectories.

Some additional details: While only mutual friends can see each other on the Snap Map, Snapchat is clearly collecting all of this data on user locations. The company claims to delete the location data after a short period of time, but does not specify the duration of this time period. If a user does not open the app for 8 hours, the last shared location disappears from the map.

Source: The Verge

Canada’s Supreme Court Strikes Down Clause of Facebook’s Terms of Use

Advertising, Exposure, Legislation, Online privacy, Social Media

A class action suit has been brought against Facebook in Canada. A Vancouver woman initially sued Facebook for featuring her name and photos in “Sponsored Stories” advertising, after she “liked” various company pages. The class action suit covers an estimated 1.8 million residents of British Columbia who had their names or photos used in Facebook’s Sponsored Stories. The suit encountered an initial hurdle in that Facebook’s terms of use include a forum selection and “choice-of-law” clause, meaning that all disputes against the company must be reviewed in California, where it is headquartered. In a 4-3 decision, Canada’s Supreme Court found that the clause is not enforceable in Canada. The ruling clears the way for the privacy case to now be tried in B.C. to evaluate the merits of the claim. The original suit seeks damages from Facebook for violation of the B.C. Privacy Act.

Source: CTV News

100 Years Under the Espionage Act

Exposure, Legislation

Yesterday marked 100 years since the Espionage Act was passed on June 15, 1917. This law was created amid the widespread xenophobic and anti-immigrant sentiment that shrouded World War I. Its purpose was to tackle draft evasion and anti-state activity that was seen as subversive to American democracy. The law was upheld in 1919 in Schenck v. United States, in which it was ruled that mailing anti-draft letters is not protected by the First Amendment. It was upheld again in Debs v. United States (1919), after Eugene V. Debs, a Socialist Party leader, protested involvement in WWI during a speech and was found guilty of violating the act. The Espionage Act resurfaced in the 40s and 50s during the Red Scare, in which it was used to suppress communist and left-wing influences. Most recently, the Espionage Act has been applied to leaking confidential government information and used to prosecute whistleblowers including Daniel Ellsberg, Chelsea Manning, and Edward Snowden. The Justice Department is now looking into using the act to prosecute entities that disseminate documents, such as WikiLeaks or journalistic organizations, in addition to individuals who leak classified information. Supporting this development, CIA Director Mike Pompeo recently described WikiLeaks as a “non-state hostile intelligence service” which is not protected by the First Amendment.

Source: EFF

MIT Study Finds Students Will Give Away Friends’ Emails for Pizza

Exposure, Online privacy, Surveys

If you were asked to provide the email addresses of your closest friends in exchange for a free pizza to share with them, would you do it?

Would you give their real emails?

A study of 3,108 MIT students (Athey, Catalini, and Tucker 2017) found that 98% were willing to give up the email addresses to get the pizza, and 94% were still willing to do so for no incentive. Within these high percentages, there is some evidence of masking. The collected email addresses were checked for validity against an MIT directory to tell whether or not they were fake. In the group that did not receive a pizza incentive (at first), 6% provided fake email addresses. To count as deliberate masking, all the addresses a student provided had to be mismatches with the database, in order to rule out any inadvertent typos. The researchers found that when students are offered the pizza incentive, there is a 54% reduction in the probability that they will provide all fake email addresses. There were no significant differences in the results by gender, technology preferences, year of study, or even stated privacy preferences. Even those who were considered “privacy-sensitive” by their reported privacy concerns did not respond differently to the pizza incentive than the rest of their peers. This is solid continued evidence of the privacy paradox: that our privacy behaviors contradict our privacy attitudes.

Your Paper Printouts Are Not Anonymous

Exposure, Police, Surveillance

The recent arrest of Reality Winner, the 25-year-old NSA contractor accused of leaking classified documents on Russian efforts to hack U.S. voting systems, has brought to light the tracking embedded in paper printouts. Security professionals believe that Winner was caught due to tiny yellow dots printed on the documents, and on every piece of paper that goes through particular printers. These dots, which can be revealed by shining a blue light or by digital magnification, typically include the date/time of the printout and a printer serial number. It is speculated that the information revealed from the yellow dots was used to tie Winner’s work printer history to the documents. EFF has previously decoded the yellow dots for some printers, and has created a guide.

One argument for the inclusion of the tracking dots is to prevent counterfeiting, such as attempts to print money. EFF writes that printed page tracking is a result of the government asking printer companies to include it without any law requiring it, and that it represents a lack of transparency.

Sources: EFF, The Atlantic

Dating Website Members Targeted With Explicit Spam After Emails Leaked

Exposure, Online privacy

Members of the Guardian newspaper’s Soulmates dating service were victims of a data breach in which user IDs and email addresses were exposed online due to “human error.” Soulmates users report being targeted with sexually explicit email referring to information only available on their dating profiles. Once adversaries had access to the email and user ID, they could then obtain information on users’ public profiles, including physical descriptions, relationship categories sought, and photos. The Guardian blamed a third-party contractor for the data breach, which has reportedly now been patched up. Some users who were no longer active and no longer paying for the site were surprised to find that they were included in the targeted spam, indicating that Guardian Soulmates did not actually delete their profiles, and so they were still susceptible to data breaches.

Source: BBC

Account Info for 100,000+ Credit Cards Left Online for Six Months

Exposure, Online privacy

An Austin-based pet store left details of 110,400 credit cards available through its website for at least 6 months. The data exposed included names, addresses, emails, phone and credit card numbers, and passwords. This happened because the server for FuturePets was insecure and because of its use of rsync, a protocol used to copy files between computers. The website was built by DataWeb, Inc., which has developed other pet store sites. Security researchers at Kromtech discovered the database in November, but the information leak has only recently been patched up. This is relevant as hackers are increasingly targeting smaller companies whose data may be less secure. Such an exposure can do more to topple a small business than a giant company that is better cushioned from failure.