Last week, Google banned 20 Android apps from its Play Store for their extraction of users’ emails, texts, location, and calls. The apps “rooted” devices with older Android operating systems, meaning they were able to bypass newer security protections. The expelled apps generally advertised as cleanup tech for unwanted files or as backup utilities. It is suspected that the apps were developed by Equus Technologies, a cyber arms company, and had been installed on 100 phones. Google is calling these apps “Lipizzan.” The same day Google announced the banning of these apps, antivirus company Sophos disclosed two Android apps surreptitiously collecting text messages: an app store shortcut and a skin care magazine. These have been downloaded up to 500,000 times.
Last week, the social media application Snapchat released a new location sharing feature: Snap Map. Snaps can be added to the “Our Story” map, which is public, and is intended to show snaps related to world events. Snap locations can also be shared with friends. Location sharing is opt-in, as the app defaults users to “Ghost Mode,” meaning that location is not shared. However, Snapchat gives the impression in its introductory video that location is shared when a user posts a story. In reality, if a user is not in Ghost Mode, location is shared to the map (visible to the users’ friends) each time the app is opened. This results in the routine sharing of users’ home locations. It is inherently risky for those who frequently open Snapchat on the go, thereby leaking breadcrumbs of their daily trajectories.
Some additional details: While only mutual friends can see each other on the Snap Map, Snapchat is clearly collecting all of this data on user locations. The company claims to delete the location data after a short period of time, but does not specify the duration of this time period. If a user does not open the app for 8 hours, the last shared location disappears from the map.
Source: The Verge
The European Commission has drafted amendments to the 2002 ePrivacy regulations that would ban the creation of backdoors for reading encrypted communications. This is a win for privacy in light of widespread calls by law enforcement and governments to establish access to end-to-end encrypted (E2EE) messages, most recently by the UK (for Signal and WhatsApp, which use E2EE).
The draft proposal, which would outlaw backdoor encryption, states:
Member states shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services.
…when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited…
The proposed amendments are more in line with the new General Data Protection Regulation (GDPR), but will have to pass through the European parliament and European council to go into effect.
Source: The Guardian
Former U.S. Director of National Intelligence (under the Obama administration) James Clapper spoke in Australia last week, calling on Silicon Valley to develop encryption that allows law enforcement to access the encrypted content while investigating criminal acts. He claims that technology companies have a “social responsibility” to provide this access to the government. Clapper likened full encryption to giving a “pass” to “criminals, terrorists, rapids, murderers, et cetera.” The encryption debate came to widespread public attention following the 2015 San Bernardino shooting, after which Apple refused to unlock the iPhone 5c used by the shooter. The FBI sidestepped Apple by working with a third party to unlock the phone. Clapper also called for filtering out “some of the more egregious material that appears on social media.” At the same time, the former intelligence chief has also been outspoken in his criticism of Trump, stating last week that the Watergate scandal “pales” in comparison with Trump’s strong pro-Russia stance in the face of evidence of Russian interference in the 2016 election.
Director of National Intelligence Dan Coats promised at his confirmation hearing to obtain and reveal the number of Americans affected by NSA surveillance. At a hearing this week before the Senate Intelligence Committee, Coats reversed course on this, claiming that it is infeasible to provide such an estimate. He argued that revealing this statistic would potentially violate privacy by verifying subject identities [I don’t follow…]. Section 702 of the Foreign Intelligence Surveillance Act (FISA), which is used to justify “upstream” mass collection of email and phone call data, is set to expire this year. The Trump administration is looking to make this surveillance statute permanent. In a strange twist, NSA Director Mike Rogers argued this week that Section 702 surveillance allowed the NSA to generate “insights” on Russian interference with the 2016 election [what are those insights?].
The president of Uber’s business relations in the Asia Pacific region, Eric Alexander, has been fired after a report surfaced that he obtained the medical records of a woman in India who had been raped by an Uber driver. Alexander may also face criminal charges for obtaining these records without the patient’s consent, as well as for sharing her medical information with other employees, including CEO Travis Kalanick. While Indian law is still being developed with respect to medical privacy, rules issued by the Medical Council of India require the patient’s written consent and an explanation of intended use as a prerequisite to access such records. Alexander allegedly sought the records as evidence that the victim had not truly been raped and that the incident was engineered by Ola, a ride-share competitor in India. The fallout from the initial reporting of the rape resulted in Uber shutting down in New Delhi for several months. This story of medical privacy invasion comes amidst yesterday’s firing of 20 other Uber employees as a result of a sexual harassment investigation.
Source: The Verge
A wrongful termination suit brought by a former forensic investigator for Uber has brought to light Uber’s specific data fields used to track ride-hailers. Ward Spangenberg, who brought the suit, claims that employees inappropriately used application data to track exes and celebrities, such as Beyoncé. The Uber argument is that the company collects only just enough data to do the job. However, the evidence presented in the suit includes a list of 500 variables derived by Uber about riders.
Spreadsheet posted by Gizmodo
The term “greyball” in the above figure may refer to the deceptive program that gives some riders a modified app, different from the regular Uber app. The Justice Department is currently investigating whether Uber “greyballed” Portland officials so that they could not hail rides under UberX, a service that was illegal under local laws.
Here are some of the data Uber extracts from your location and payment history: GPS points for trips you often take, how often you’ve cancelled, and how often you’ve changed a credit card. Data such as these are then used to populate fields like “suspected_clique_rider” and “potential_rider_driver_collusion” based on the frequency of trips you take with the same driver.
Uber is also under scrutiny for a program called Hell, in which it tracked Lyft drivers by creating fake Lyft driver accounts, which essentially gave them a map of other drivers.
Second, Uber is one of the companies relying on receipt data from email inboxes for competitive intelligence. Uber purchased the services of a company called Slice Intelligence to collect Lyft email receipts. Slice Intelligence boasts a panel of 4.2 million online shoppers and is able to comb through receipt data at the item level and report trends.
Or, What I Should Have Done to Protect My Phone from Surveillance at Today’s March for Science (and What I Will Do at Future Protests)
Fantastic video by the Intercept highlighting the very real possibility of being tracked on our cellphones today at the worldwide marches for science.
Tips for Protesters
- Lock your phone with a passcode. This entry key is more difficult to extract from you against your will than your fingerprint if you are apprehended by police.
- Make sure your phone is encrypted. Turn encryption on in your security settings.
- Use Signal by Open Whisper to communicate with your friends. This end-to-end encryption will prevent prying eyes from reading your messages.
- Remember that it is your right to film police.
- Turn off your phone if you are arrested.
- Know that it is your legal right to refuse to have the digital contents of your phone searched.
A Teen Vogue article from March highlights the importance of using 2-factor authentication (2FA), likening the technology to having two locks on your door. 2FA is now supported by Facebook, Snapchat, Twitter, Instagram, WhatsApp, and Google, among others. The two factors in most cases are 1) your password and 2) a one-time-use security code sent to your phone via SMS. However, SMS messages can still be intercepted, so there are backups for this second factor: one-time-only codes you print off and keep in a safe place, authentication apps that will generate codes for you, and physical keys, such as YubiKey, which you plug in to your device. For apps that do not yet support 2FA, the EFF (interviewed in this piece) recommends devising strong passwords or using password managers KeePass or 1Password to make them for you. Why the hassle? Having your account hacked could put you in danger, cost you money, or leak your private messages–embarrassing!