Dutch COVID-19 testing firm Coronalab exposed 1.3 million patient records

A password-less database containing an estimated 1.3 million sets of Dutch COVID-19 testing records was left exposed to the open internet, and it’s not clear if anyone is taking responsibility.

Among the information revealed in the publicly accessible and seemingly insecurely configured database were 118,441 coronavirus test certificates, 506,663 appointment records, 660,173 testing samples and “a small number” of internal files. A bevy of personally identifiable information was included in the records – including patient names, dates of birth, passport numbers, email addresses, and other information.

The leaky database was discovered by perennial breach sniffer Jeremiah Fowler, who reckoned it belongs to one of the Netherlands’ largest commercial COVID-19 test providers, CoronaLab – a subsidiary of Amsterdam-based Microbe & Lab. The US Embassy in the Netherlands lists CoronaLab as one of its recommended commercial COVID-19 test providers in the country.

If someone with malicious intent managed to find the database, they could do some serious damage, Fowler warned.

“Criminal[s] could potentially reference test dates, locations, or other insider information that only the patient and the laboratory would know,” he wrote. “Any potential exposure involving COVID test data combined with PII could potentially compromise the personal and medical privacy of the individuals listed in the documents.”

Will the responsible party please stand up?

The CoronaLab data exposure report reads in many ways like any other accidental data exposure news: It was found, and now the offending database is offline. But this one isn’t that simple.

According to Fowler, no one at CoronaLab or Microbe & Lab ever responded to his repeated attempts to reach out and inform them of the exposure.

“I sent multiple responsible disclosure notices and did not receive any reply, and several phone calls also yielded no results,” Fowler claimed. “The database remained open for nearly three weeks before I contacted the cloud hosting provider and it was finally secured from public access.”

The Register has asked Microbe & Lab for more information about the incident – and we haven’t heard back either.

Without more information from Microbe & Lab or CoronaLab itself, it’s impossible to know how long the database was actually exposed online. The CoronaLab website is down as of this writing – it’s not clear if the outage is related to the database exposure, or if the service will be brought back online.

Because no one at the organization whose records were exposed can be reached, it’s also not clear if customers or patients are aware that their data was exposed online. Nor, importantly, do we know if European data protection authorities have been informed.

Per article 33 of the EU General Data Protection Regulation (GDPR), data breaches must be reported to local officials within 72 hours of detection, and notifications also have to be made to affected individuals. We reached out to the Dutch Data Protection Authority to learn if it had been notified of the CoronaLab data exposure, and didn’t immediately hear back.

Source: COVID-19 testing firm ‘exposed 1.3 million patient records’ • The Register

Hubble finds water vapor in small exoplanet’s atmosphere

Astronomers using the NASA/ESA Hubble Space Telescope observed the smallest exoplanet where water vapor has been detected in its atmosphere. At only approximately twice Earth’s diameter, the planet GJ 9827d could be an example of potential planets with water-rich atmospheres elsewhere in our galaxy.

GJ 9827d was discovered by NASA’s Kepler Space Telescope in 2017. It completes an orbit around its host star every 6.2 days. The star, GJ 9827, lies 97 light-years from Earth in the constellation Pisces.

“This would be the first time that we can directly show through an atmospheric detection that these with water-rich atmospheres can actually exist around other stars,” said team member Björn Benneke of the Université de Montréal. “This is an important step toward determining the prevalence and diversity of atmospheres on .”

The study is published in The Astrophysical Journal Letters.

However, it remains too early to tell whether Hubble spectroscopically measured a small amount of water vapor in a puffy hydrogen-rich atmosphere, or if the planet’s atmosphere is mostly made of water, left behind after a primeval hydrogen/helium atmosphere evaporated under stellar radiation.

[…]

At present the team is left with two possibilities. The planet is still clinging to a hydrogen-rich envelope laced with water, making it a mini-Neptune. Alternatively, it could be a warmer version of Jupiter’s moon Europa, which has twice as much water as Earth beneath its crust. “The planet GJ 9827d could be half water, half rock. And there would be a lot of water vapor on top of some smaller rocky body,” said Benneke.

[…]

More information: Pierre-Alexis Roy et al, Water Absorption in the Transmission Spectrum of the Water World Candidate GJ 9827 d, The Astrophysical Journal Letters (2023). DOI: 10.3847/2041-8213/acebf0

Source: Hubble finds water vapor in small exoplanet’s atmosphere

The US really really wants private companies out of EU AI Human Rights treaty – because you can trust them more than governments?

[…] The Council of Europe (CoE), an international human rights body with 46 member countries, is approaching the finalisation of the Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law.

Since the beginning, the United States, the homeland of the world’s leading AI companies, has been pushing to exclude the private sector from the treaty, which, if ratified, would be binding for the signatory countries.

The United States is not a CoE member but participates in the process with an observer status. In other words, Washington does not have voting rights, but it can influence the discussion by saying it will not sign the convention.

[…]

By contrast, the European Commission, representing the EU in the negotiations, has opposed this carve-out for the private sector. Two weeks ago, Euractiv revealed an internal note stating that “the Union should not agree with the alternative proposal(s) that limit the scope of the convention.”

However, in a subsequent meeting of the Working Party on Telecommunications and Information Society, the technical body of the EU Council of Ministers in charge of digital policy, several member states asked the Commission to show more flexibility regarding the convention’s scope.

In particular, for countries like Germany, France, Spain, Czechia, Estonia, Ireland, Hungary and Romania, the intent of the treaty was to reach a global agreement, hence securing more signatories should be a priority as opposed to a broad convention with more limited international support.

Since the bloc comprises 27 of the 46 countries that are part of the Council of Europe, its position can in itself swing the balance inside the human rights body, where decisions are taken by consensus.

The European Commission is preparing to push back on a US-led attempt to exempt the private sector from the world’s first international treaty on Artificial Intelligence while pushing for as much alignment as possible with the EU’s AI Act.

Limiting the convention’s scope would be a significant blow to the global ambitions of the Commission, which sees the treaty as a vehicle to set the EU’s AI Act, the world’s first comprehensive law on Artificial Intelligence, as the global benchmark in this area.

Indeed, the Commission’s mandate to negotiate on behalf of the Union is based on the AI Act, and the EU executive has shown little appetite to go beyond the AI regulation even in areas where there is no direct conflict, despite the fact the two initiatives differ significantly in nature.

As part of the alignment with the AI Act, the Commission is pushing for broad exemptions for AI uses in national security, defence and law enforcement. Thus, if the treaty were limited to public bodies only, with these carve-outs, there would be very little left.

In addition, Euractiv understands that such a major watering down of the AI treaty after several years of engagement from the countries involved might also discourage future initiatives in this area.

[…]

a paragraph has been added stressing that “to preserve the international character of the convention, the EU could nevertheless be open to consider the possibility for a Party to make a reservation and release itself from the obligation to apply the convention to private actors that are not acting on behalf of or procuring AI systems for public authorities, under certain conditions and limitations”.

The Commission’s proposal seems designed to address Washington’s argument that it cannot commit to anything beyond its national legal framework.

In October, US President Joe Biden signed an executive order setting out a framework for federal agencies to purchase and use AI tools safely and responsibly, hence the reference to companies not working with the public sector.

More precisely, the Commission is proposing an ‘opt-out’ option with temporal limitations, that can be revised at any time and with some guarantees that it is not abused. This approach would be the opposite of what the US administration proposed, namely exempting the private sector by default with an ‘opt-in’ possibility for signatories.

Still, the original ‘opt-in’ option was designed to avoid the embarrassment of the US administration having to exempt private companies from a human rights treaty. Euractiv understands Israel and Japan would not sign if the ‘opt-out’ approach made it into the final text, whereas the UK and Canada would follow the US decision.

Source: EU Commission’s last-minute attempt to keep private companies in world’s first AI treaty – Euractiv

So the US basically wants to make a useful treaty useless because they are run by self-serving, profit-seeking companies that want to trample on human rights. Who would have thought? Hopefully the EU can show some backbone and do what is right instead of what is being financially lobbied for (here’s looking at you, France!). It’s this kind of business-based decision making that has led to climate change, cancer deaths, and many, many more huge problems that could have been nipped in the bud.

iPhone Apps Secretly Harvest Data When They Send You Notifications, Researchers Find

iPhone apps including Facebook, LinkedIn, TikTok, and X/Twitter are skirting Apple’s privacy rules to collect user data through notifications, according to tests by security researchers at Mysk Inc., an app development company. Users sometimes close apps to stop them from collecting data in the background, but this technique gets around that protection. The data is unnecessary for processing notifications, the researchers said, and seems related to analytics, advertising, and tracking users across different apps and devices.

It’s par for the course that apps would find opportunities to sneak in more data collection, but “we were surprised to learn that this practice is widely used,” said Tommy Mysk, who conducted the tests along with Talal Haj Bakry. “Who would have known that an innocuous action as simple as dismissing a notification would trigger sending a lot of unique device information to remote servers? It is worrying when you think about the fact that developers can do that on-demand.”

These particular apps aren’t unusual bad actors. According to the researchers, it’s a widespread problem plaguing the iPhone ecosystem.

This isn’t the first time Mysk’s tests have uncovered data problems at Apple, which has spent untold millions convincing the world that “what happens on your iPhone, stays on your iPhone.” In October 2023, Mysk found that a lauded iPhone feature meant to protect details about your WiFi address isn’t as private as the company promises. In 2022, Apple was hit with over a dozen class action lawsuits after Gizmodo reported on Mysk’s finding that Apple collects data about its users even after they flip the switch on an iPhone privacy setting that promises to “disable the sharing of device analytics altogether.”

The data looks like information that’s used for “fingerprinting,” a technique companies use to identify you based on several seemingly innocuous details about your device. Fingerprinting circumvents privacy protections to track people and send them targeted ads.

[…]

For example, the tests showed that when you interact with a notification from Facebook, the app collects IP addresses, the number of milliseconds since your phone was restarted, the amount of free memory space on your phone, and a host of other details. Combining data like these is enough to identify a person with a high level of accuracy. The other apps in the test collected similar information. LinkedIn, for example, uses notifications to gather which timezone you’re in, your display brightness, and what mobile carrier you’re using, as well as a host of other information that seems specifically related to advertising campaigns, Mysk said.
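To make the “combining data like these is enough to identify a person” point concrete, here is an added example (not code from Mysk’s research) that measures how much a constructed population of devices is narrowed down by the kinds of fields the article names: individually low-entropy values such as timezone, carrier and brightness barely single anyone out, but adding a high-resolution counter like milliseconds since reboot makes almost every device unique. All field ranges and records are constructed, not measured.

```python
# Added example, not from Mysk's research: why the "innocuous" fields named
# in the article (timezone, carrier, brightness, uptime, free memory)
# combine into a near-unique device fingerprint. All data is constructed.
import math
import random
from collections import Counter

CARRIERS = ["T-Mobile", "AT&T", "Verizon", "Other"]
TIMEZONES = ["America/New_York", "America/Chicago", "America/Los_Angeles"]
LOW_ENTROPY = ("timezone", "carrier", "brightness")
ALL_FIELDS = LOW_ENTROPY + ("uptime_ms", "free_mem_mb")

def make_population(n, seed=7):
    """Constructed devices; the value ranges are plausible, not measured."""
    rng = random.Random(seed)
    return [
        {
            "timezone": rng.choice(TIMEZONES),
            "carrier": rng.choice(CARRIERS),
            "brightness": rng.randint(0, 10) * 10,          # 11 coarse buckets
            "uptime_ms": rng.randint(0, 30 * 86_400_000),   # ms since last reboot
            "free_mem_mb": rng.randint(50, 3000),
        }
        for _ in range(n)
    ]

def entropy_bits(values):
    """Shannon entropy of one field across the population, in bits."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def anonymity_set_sizes(devices, fields):
    """For each device, how many devices (itself included) report the same
    values for `fields`; a size of 1 means the device is uniquely identified."""
    key = lambda d: tuple(d[f] for f in fields)
    counts = Counter(key(d) for d in devices)
    return [counts[key(d)] for d in devices]

def fraction_unique(devices, fields):
    """Share of devices singled out by this field combination (k = 1)."""
    sizes = anonymity_set_sizes(devices, fields)
    return sum(1 for s in sizes if s == 1) / len(sizes)

if __name__ == "__main__":
    pop = make_population(10_000)
    for f in ALL_FIELDS:
        print(f"{f:12s} {entropy_bits([d[f] for d in pop]):5.2f} bits")
    print("unique on low-entropy fields:", fraction_unique(pop, LOW_ENTROPY))
    print("unique on all fields:        ", fraction_unique(pop, ALL_FIELDS))
```

A counter such as uptime changes over time, so on its own it only links a device across apps within a short window; that is exactly the cross-app, cross-device tracking use the researchers describe.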

[…]

Apps can collect this kind of data about you when they’re open, but swiping an app closed is supposed to cut off the flow of data and stop an app from running whatsoever. However, it seems notifications provide a backdoor.

Apple provides special software to help your apps send notifications. For some notifications, the app might need to play a sound or download text, images, or other information. If the app is closed, the iPhone operating system lets the app wake up temporarily to contact company servers, send you the notification, and perform any other necessary business. The data harvesting Mysk spotted happened during this brief window.

[…]

Source: iPhone Apps Secretly Harvest Data When They Send You Notifications, Researchers Find