Spotify wants to know where you are and will be checking in

Spotify knows a lot about its users — their musical tastes, their most listened-to artists and their summer anthems. Spotify will also want to know where you live or to obtain your location data. It’s part of an effort to detect fraud and abuse of its Premium Family program.

Premium Family is a $15-a-month plan for up to six people. The only condition is that they all live at the same address. But the streaming music giant is concerned about people abusing that plan to pay as little as $2.50 for its services. So in August, the company updated its terms and conditions for Premium Family subscribers, requiring that they provide location data “from time to time” to ensure that customers are actually all in the same family.

You have 30 days to cancel after the new terms go into effect, and when that happens depends on where you are. The family plan terms rolled out first on Aug. 19 in Ireland and on Sept. 5 in the US.

The company tested this last year and asked for exact GPS coordinates but ended the pilot program after customers balked, according to TechCrunch. Now it intends to roll the location data requests out fully, reigniting privacy concerns and raising the question of how much is too much when it comes to your personal information.

“The changes to the policy allow Spotify to arbitrarily use the location of an individual to ascertain if they continue to reside at the same address when using a family account, and it’s unclear how often Spotify will query users’ devices for this information,” said Christopher Weatherhead, technology lead for UK watchdog group Privacy International, adding that there are “worrying privacy implications.”

Source: Spotify wants to know where you live and will be checking in – CNET

Windows 7’s July 2019 Security Patch Includes Telemetry – but you can disable it in Task Scheduler

To the surprise of Windows watchers, the latest Windows 7 “security-only” update includes telemetry. The telemetry in question is Microsoft’s “Compatibility Appraiser,” which checks PCs for problems that could prevent upgrading to Windows 10.

As Woody Leonhard points out on Computerworld, this is pretty odd on Microsoft’s part—the telemetry code was previously available and is probably installed on your system already if you use Windows 7. But, it was restricted to the normal “cumulative” update rollups. As Ed Bott explains on ZDNet:

What was surprising about this month’s Security-only update, formally titled the “July 9, 2019—KB4507456 (Security-only update),” is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

It’s hard to say exactly why Microsoft is trying to install the telemetry on all Windows 7 PCs now, but extended support for Windows 7 expires on January 14, 2020. Windows 7 users don’t have much time left before they should upgrade—just six months. Windows 7 is already nagging users about updates. Microsoft may want to understand how many Windows 7 machines are left in the wild and whether they have compatibility problems with new software.

When Ed Bott asked Microsoft why it added the telemetry code to this update, he received a “no comment.” As usual, Microsoft is making itself look bad by refusing to be transparent and explain what it’s doing. The security update doesn’t seem to bundle any code for upgrading to Windows 10.

We still always recommend installing security patches for your PC. After installation, you can stop the telemetry from running, if you like. As abbodi86 advises on the Ask Woody forums:

Disabling (or deleting) these scheduled tasks after installation (before reboot) should be enough to turn off the appraiser:

\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent

If you don’t want this code running, head to the Task Scheduler and disable these scheduled tasks. If you disable them before rebooting after installing the update, they won’t even run once.
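As an added example (not from the article or the Ask Woody post), the following PowerShell script disables the three tasks listed above and reports their state afterwards; it calls schtasks.exe rather than Disable-ScheduledTask because the PowerShell 2.0 that ships with Windows 7 has no ScheduledTasks module. Run it from an elevated prompt right after installing the update and before rebooting.

```powershell
# Added example: disable the Compatibility Appraiser scheduled tasks on Windows 7
# and verify the result. Task paths are the ones quoted from the Ask Woody post.
$tasks = @(
    '\Microsoft\Windows\Application Experience\ProgramDataUpdater',
    '\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser',
    '\Microsoft\Windows\Application Experience\AitAgent'
)

foreach ($t in $tasks) {
    # A task is absent if KB2952664 was never installed; schtasks returns non-zero then.
    schtasks.exe /Query /TN $t 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Output "not found: $t"
        continue
    }

    # Disable rather than delete, so the change is easy to reverse with /Enable.
    schtasks.exe /Change /TN $t /Disable | Out-Null

    # Verbose CSV output has a 'Scheduled Task State' column (Enabled/Disabled);
    # a task with several triggers yields several rows, so take the first.
    $row = schtasks.exe /Query /TN $t /FO CSV /V | ConvertFrom-Csv | Select-Object -First 1
    Write-Output ("{0} -> {1}" -f $t, $row.'Scheduled Task State')
}
```

Re-run the script after each monthly rollup, since a later update can recreate or re-enable the tasks.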

Source: Windows 7’s July 2019 Security Patch Includes Telemetry

Congress Is Investigating Apple’s Repair Monopoly

The United States House of Representatives’ Judiciary Committee is launching an antitrust investigation into Apple and its anti-competitive behavior.

Part of the investigation will focus on Apple’s repair monopoly, which for years has given the company control over the useful life of its products. In a letter to Apple, the committee asked Apple to turn over all internal communications from 14 top executives at the company—including CEO Tim Cook—relating to “Apple’s restrictions on third-party repairs,” among dozens of other topics.

In particular, the committee wants information about:

  • “Apple’s restrictions on third-party repairs, including but not limited to any rules with which Apple Authorized Service Providers (AASPs) must comply, such as rules restricting or prohibiting AASPs from making any specific repairs.”
  • “Apple’s decision in December 2017 to offer iPhone battery replacements at a discounted price, or the actual or projected effects of this decision, including but not limited to, effects on iPhone sales.”
  • “Apple’s decision to introduce the ‘Independent Repair Provider Program,’ including but not limited to, decisions covering which specific repair parts Apple will make available through the program and at what price.”
  • “Apple’s decision in 2018 to enter into an agreement with Amazon to sell Apple products on Amazon and to limit the resellers that can sell Apple products on Amazon.”

This is huge news for the independent repair community (and nice for me; the committee cited two Motherboard articles I wrote about Apple’s repair restrictions).

For years, the independent repair community has said that Apple has engaged in anticompetitive behavior by refusing to sell parts to repair shops that are not “authorized” by the company. The company has also lobbied heavily against so-called right-to-repair legislation, which would require it and other electronics companies to sell parts and tools to the general public. It has sued independent repair companies for using aftermarket and refurbished parts and worked with the Department of Homeland Security to seize unauthorized repair parts from small businesses both at customs and from individual shops. And, as the committee’s letter notes, Apple cut a deal with Amazon that restricted who is allowed to sell refurbished Apple devices on Amazon.

Source: Congress Is Investigating Apple’s Repair Monopoly – VICE

Since I gave my talk on breaking up monopolies earlier this year, a whole spate of these investigations is starting!

Millions of Americans’ medical images and data are available on the Internet

Medical images and health data belonging to millions of Americans, including X-rays, MRIs, and CT scans, are sitting unprotected on the Internet and available to anyone with basic computer expertise.

The records cover more than 5 million patients in the United States and millions more around the world. In some cases, a snoop could use free software programs—or just a typical Web browser—to view the images and private data, an investigation by ProPublica and the German broadcaster Bayerischer Rundfunk found.

We identified 187 servers—computers that are used to store and retrieve medical data—in the US that were unprotected by passwords or basic security precautions. The computer systems, from Florida to California, are used in doctors’ offices, medical-imaging centers, and mobile X-ray services.

The insecure servers we uncovered add to a growing list of medical records systems that have been compromised in recent years. Unlike some of the more infamous recent security breaches, in which hackers circumvented a company’s cyber defenses, these records were often stored on servers that lacked the security precautions that long ago became standard for businesses and government agencies.

“It’s not even hacking. It’s walking into an open door,” said Jackie Singh, a cybersecurity researcher and chief executive of the consulting firm Spyglass Security. Some medical providers started locking down their systems after we told them of what we had found.

Our review found that the extent of the exposure varies, depending on the health provider and what software they use. For instance, the server of US company MobilexUSA displayed the names of more than a million patients—all by typing in a simple data query. Their dates of birth, doctors, and procedures were also included.

[…]

All told, medical data from more than 16 million scans worldwide was available online, including names, birthdates, and, in some cases, Social Security numbers.

[…]

The issue should not be a surprise to medical providers. For years, one expert has tried to warn about the casual handling of personal health data. Oleg Pianykh, the director of medical analytics at Massachusetts General Hospital’s radiology department, said medical imaging software has traditionally been written with the assumption that patients’ data would be secured by the customers’ computer security systems.

But as those networks at hospitals and medical centers became more complex and connected to the Internet, the responsibility for security shifted to network administrators who assumed safeguards were in place. “Suddenly, medical security has become a do-it-yourself project,” Pianykh wrote in a 2016 research paper he published in a medical journal.

ProPublica’s investigation built upon findings from Greenbone Networks, a security firm based in Germany that identified problems in at least 52 countries on every inhabited continent. Greenbone’s Dirk Schrader first shared his research with Bayerischer Rundfunk after discovering some patients’ health records were at risk. The German journalists then approached ProPublica to explore the extent of the exposure in the United States.

Source: Millions of Americans’ medical images and data are available on the Internet | Ars Technica

Logging into NL gov costs an incredible 14 cents per login!

Logius is absolutely minting it, considering that almost every interaction with the government, a municipality or an insurance company is done through DigiD. Unbelievably, this price is down from EUR 3,50 in 2006, but up from last year’s 12 cents per login.

So now we know why government IT projects cost such an inane amount of money – if they can ask this amount for just a login server, even after having been paid to develop the system! Which idiot at government level negotiated this contract?

Source: Gebruik DigiD iets duurder (Use of DigiD slightly more expensive) – Emerce