Spain’s highway agency is monitoring speeding hotspots using bulk phone location data – is that even allowed here?

Spain’s highways agency is using bulk mobile phone data for monitoring speeding hotspots, according to local reports.

Equipped with data on customers handed over by local mobile phone operators, Spain’s Directorate-General for Traffic (DGT) may be gathering data on “which roads and at what specific kilometer points the speed limits are usually exceeded,” according to Granadan newspaper Ideal (in Spanish).

“In fact, Traffic has data on this since the end of last year when the National Statistics Institution (INE) reached an agreement with mobile operators to obtain information about the movements of citizens,” reported the paper.

The data-harvesting agreement was first signed late last year to coincide with a national census (as El Reg reported at the time) and is now being used to monitor drivers’ speeds.

National newspaper El Pais reported in October 2019 that the trial would involve dividing Spain “into 3,500 cells with a minimum of 5,000 people in each of them” with the locations of phones being sampled continuously between 9am and 6pm, with further location snapshots being taken at 12am and 6am.

The newspaper explained: “With this information it will be possible to know how many citizens move from a dormitory municipality to a city; how many people work in the same neighbourhood where you live or in a different one; where do the people who work in an area come from, or how the population fluctuates in a box throughout the day.”

The INE insisted that data collected back then had been anonymised and was “aimed at getting a better idea of where Spaniards go during the day and night”, as the BBC summarised the scheme. Mobile networks Vodafone, Movistar, and Orange were all said to be handing over user data to the INE, with the bulk information fetching €500,000 – a sum split between all three firms.

Let me interject here that it’s practically impossible to anonymise data – and location data is incredibly personal, private and dangerous, as seen by the US military having secret bases exposed.

In April the initiative was reactivated for the so-called DataCovid plan, where the same type of bulk location data was used to identify areas where Spaniards were ignoring COVID-19 lockdown laws.

“The goal is to analyse the effect which the (confinement) measures have had on people’s movements, and see if people’s movements across the land are increasing or decreasing,” Spain’s government said at the time, as reported by expat news service The Local’s Iberian offshoot.

The DGT then apparently hit on the idea of using speed data derived from cell tower pings (in the same way that Google Maps, Waze, and other online services derive average road speed and congestion information) to identify locations where drivers may have been breaking the speed limit.

The Ideal news website seemed to put the obvious fears to bed in its report of the traffic police initiative when it posed the obvious, rhetorical, question: whether drivers can be fined based on mobile data.

“The answer is clear and direct: it is not possible,” it concluded. “The DGT can only fine us through the fixed and mobile radars that it has installed throughout the country.”

While the direction of travel here seems obvious to anyone with any experience of living in a western country that implements this type of dragnet mass surveillance, so far there is little evidence of an explicit link between mobile phone data-slurping and speed cameras or fines.

Back in 2016, TfL ran a “trial” tracking people’s movements by analysing where their MAC addresses popped up within the Tube network, also hoping to use this data to get higher prices for advertising spots at busy areas inside Tube stations. Dedicated public Wi-Fi spots on train platforms are now a permanent fixture in all but a few of the London Underground stations. The service is operated by Virgin Media, which is “free” to use by customers of the four mobile network operators, but collects your mobile number at the point of signing up.

And here you can see the ease with which mission creep comes out and people start using your data for all kinds of non-related things once they have it. This is why we shouldn’t allow governments or anyone else to get their grubby little hands on it and why we should be glad that at least at EU level, data privacy is taken seriously with GDPR and other laws.

Source: Spain’s highway agency is monitoring speeding hotspots using bulk phone location data • The Register

Twitter warns of possible API keys leak through browser caching

Twitter is notifying developers today about a possible security incident that may have impacted their accounts.

The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers.

The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their Twitter account.

In an email sent to developers today, Twitter said that its developer.twitter.com website told browsers to create and store copies of the API keys, account access token, and account secret inside their cache, a section of the browser where data is saved to speed up the process of loading the page when the user accesses the same site again.

This might not be a problem for developers using their own browsers, but Twitter is warning developers who may have used public or shared computers to access the developer.twitter.com website — in which case, their API keys are now most likely stored in those browsers.

“If someone who used the same computer after you in that temporary timeframe knew how to access a browser’s cache, and knew what to look for, it is possible they could have accessed the keys and tokens that you viewed,” Twitter said.

“Depending on what pages you visited and what information you looked at, this could have included your app’s consumer API keys, as well as the user access token and secret for your own Twitter account,” Twitter said.

Source: Twitter warns of possible API keys leak | ZDNet
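The caching behaviour described above can be checked from the server side by auditing the response headers of any page that renders keys or tokens. The following is an added example, not code from Twitter or from the original article; the report does not say which headers the site actually sent, so the function names, the sample header sets and the `/apps/keys` page are assumptions made for illustration.

```javascript
// Added example: audit response headers of pages that render secrets.
// Header sets below are constructed for illustration, not captured traffic.

// Parse a Cache-Control value into a map of lower-cased directive -> value.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (!name) continue;
    directives.set(name.toLowerCase(), rest.join("=").replace(/^"|"$/g, ""));
  }
  return directives;
}

// Decide whether a browser is allowed to keep a copy of the response.
// Only "no-store" forbids writing the body to the cache; "no-cache",
// "private" and "max-age=0" restrict reuse or sharing, not storage.
function auditSecretPage(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const cc = parseCacheControl(lower["cache-control"]);
  const findings = [];
  if (!cc.has("no-store")) {
    findings.push("missing no-store: browser may write the response to its cache");
  }
  if (cc.has("public")) {
    findings.push("public: shared caches (proxies, CDNs) may also store it");
  }
  const maxAge = cc.has("max-age") ? Number(cc.get("max-age")) : NaN;
  if (!cc.has("no-store") && maxAge > 0) {
    findings.push(`max-age=${maxAge}: cached copy reused for ${maxAge}s without revalidation`);
  }
  return { storable: !cc.has("no-store"), findings };
}

// Constructed samples for a hypothetical /apps/keys page.
const samples = {
  weak: { "Cache-Control": "private, max-age=3600" },
  revalidateOnly: { "Cache-Control": "no-cache, max-age=0" },
  hardened: { "Cache-Control": "no-store" },
};

for (const [name, headers] of Object.entries(samples)) {
  const { storable, findings } = auditSecretPage(headers);
  console.log(name, storable ? "STORABLE" : "not stored", findings);
}
```

The `revalidateOnly` sample is the one worth noting: it looks restrictive, yet the response body can still be written to the local cache, which is the exposure on a shared computer.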

Apple backs down on taking 30% cut of paid online events on Facebook – for a few months

Facebook has temporarily shamed Apple out of taking a 30 percent cut of paid online events organized by small businesses and hosted on Facebook—things like cooking classes, workout sessions, and happy hours. Demand for these kinds of online events has soared during the COVID-19 pandemic.

Apple says that it has a longstanding policy that digital products must be purchased using Apple’s in-app payments system—and hence pay Apple’s 30 percent tax. In contrast, companies selling physical goods and services are not only allowed but required to use other payment methods (options here include Apple Pay, which doesn’t take such a big cut).

For example, an in-person cooking class is not a digital product, so a business selling cooking class tickets via an iPhone app wouldn’t have to give Apple a 30 percent cut. But if the same business offers a virtual cooking class, Apple considers that to be a digital product and demands a 30 percent cut—at least if the customer pays for the class using an iOS device.

Last month, Facebook announced it would start offering a new feature for small businesses to host paid online events. Facebook has waived any fees for the first year, allowing small businesses to pocket 100 percent of the revenue. But Apple refused to budge on its 30 percent take.

The issue came to a head in late August when Facebook revealed that Apple wouldn’t even allow Facebook to inform users about Apple’s 30 percent take. Facebook wanted to have a message on the checkout screen that said “Apple takes 30 percent of this purchase.” But Apple deemed this message “irrelevant” and forced Facebook to remove it before approving Facebook’s update.

The reprieve is only temporary. Apple says it has given Facebook until the end of the year to switch from Facebook Pay to in-app purchases—and hence start paying Apple 30 percent—for online events. Apple is extending the same courtesy to Airbnb and ClassPass.

However, this grace period isn’t available for Gaming Creators, which Apple argues are not brick-and-mortar businesses that have been affected by COVID-19.

Source: Apple backs down on taking 30% cut of paid online events on Facebook | Ars Technica

Yay! Monopolies bitch slapping each other a little bit

It’s Not Just You, a Ton of Google Services Just Went Down between 2100 – 2230

If you’ve been experiencing issues trying to access Google or YouTube, you’re not alone. Around 9 p.m. ET on Thursday evening, tons of users worldwide reported problems with Google and the many services under the tech giant’s umbrella, including Google Drive, Gmail, Stadia, the Play Store, and even Nest.

Some, such as Gmail, were taking significantly more time to load while other services like Google’s Play Store and Calendar seemed to be on an endless boot-up loop and wouldn’t load at all. DownDetector currently shows outages for just about all of Google’s services in areas all over the world. According to the site, the bulk of reports are coming from Australia, the U.S., and east Asia, with users primarily having issues logging in.

We’ve reached out to Google for more info. Honestly, a worldwide Google outage is absolutely on-brand for the year we’re having so far, so I’m hardly surprised.

Update: 9/24/2020; 11:17 p.m. ET: Luckily, the problem appears to have been short-lived. An update from Google’s Cloud status dashboard showed that the issue had been resolved “for most traffic” across Google’s services shortly after 10:30 p.m. ET.

Source: It’s Not Just You, a Ton of Google Services Just Went Down (Update: Phew, They’re Back Up)

Yay, cloud

Cambridge Analytica boss disqualified from running a company for 7 years

Alexander James Ashburner Nix (45), from Holland Park, West London, has signed a disqualification undertaking, accepted by the Secretary of State on 14 September 2020.

Within the undertaking, Alexander Nix did not dispute that he caused or permitted SCL Elections Ltd or associated companies to market themselves as offering potentially unethical services to prospective clients; demonstrating a lack of commercial probity.

Effective from 5 October 2020, Alexander Nix is disqualified for seven years from acting as a director or directly or indirectly becoming involved, without the permission of the court, in the promotion, formation or management of a company.

Alexander Nix was a director of SCL Elections Ltd, a company that provided data analytics, marketing and communication services to political and commercial customers. He was also a director of five other connected UK companies: SCL Group Ltd, SCL Social Ltd, SCL Analytics Ltd, SCL Commercial Ltd, and Cambridge Analytica (UK) Ltd.

From 2016, SCL Elections Ltd was included in a rebranding of associated companies which then operated under the trading names Cambridge Analytica, CA Political (Global) and CA Commercial.

SCL Elections and the five connected companies, however, ceased trading following allegations in the UK and United States media which created substantial adverse publicity.

Some of the accusations against the companies related to allegedly offering potential clients unethical services.

All six companies entered into administration in May 2018 before entering into compulsory liquidation in April 2019. The companies’ insolvencies brought them to the attention of the Insolvency Service, who conducted investigations into the conduct of the directors.

Investigators’ enquiries confirmed that Alexander Nix had caused or permitted SCL Elections or associated companies to act with a lack of commercial probity.

The unethical services offered by the companies included bribery or honey trap stings, voter disengagement campaigns, obtaining information to discredit political opponents and spreading information anonymously in political campaigns.

Source: 7-year disqualification for Cambridge Analytica boss – GOV.UK

Looks Like the Windows XP Source Code Just Leaked on 4chan

Would you believe more than 1% of computers worldwide are still using Windows XP? Incredibly, there are still millions of people using the 19-year-old operating system. And a recent development — if it bears out — is another reason people need to make the switch to something newer.

On Thursday, users on 4chan posted what they claimed was the source code of Windows XP.

Posting an image of a screenshot allegedly of the source code in front of Windows XP’s iconic Bliss background, one user wrote ‘sooooo Windows XP Source code leaked’. Another Redditor helpfully has uploaded the code as a torrent, assisting in its spread.

While there is no confirmation that this code is definitely Windows XP, independent researchers have begun to pick through the source code and believe it stands up to scrutiny.

[…]

Source: Looks Like the Windows XP Source Code Just Leaked on 4chan