Last week, I ran an ad on Facebook that was targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways. I was helping him test the theory by targeting him in a way Facebook had previously told me wouldn’t work. I directed the ad to display to a Facebook account connected to the landline number for Alan Mislove’s office, a number Mislove has never provided to Facebook. He saw the ad within hours.

One of the many ways that ads get in front of your eyeballs on Facebook and Instagram is that the social networking giant lets an advertiser upload a list of phone numbers or email addresses it has on file; it will then put an ad in front of accounts associated with that contact information. A clothing retailer can put an ad for a dress in the Instagram feeds of women who have purchased from them before, a politician can place Facebook ads in front of anyone on his mailing list, or a casino can offer deals to the email addresses of people suspected of having a gambling addiction. Facebook calls this a “custom audience.”

You might assume that you could go to your Facebook profile and look at your “contact and basic info” page to see what email addresses and phone numbers are associated with your account, and thus what advertisers can use to target you. But as is so often the case with this highly efficient data-miner posing as a way to keep in contact with your friends, it’s going about it in a less transparent and more invasive way.

Facebook is not content to use the contact information you willingly put into your Facebook profile for advertising. It is also using contact information you handed over for security purposes and contact information you didn’t hand over at all, but that was collected from other people’s contact books, a hidden layer of details Facebook has about you that I’ve come to call “shadow contact information.”

[…]

Giridhari Venkatadri, Piotr Sapiezynski, and Alan Mislove of Northeastern University, along with Elena Lucherini of Princeton University, did a series of tests that involved handing contact information over to Facebook for a group of test accounts in different ways and then seeing whether that information could be used by an advertiser.

[…]

They found that when a user gives Facebook a phone number for two-factor authentication or in order to receive alerts about new log-ins to a user’s account, that phone number became targetable by an advertiser within a couple of weeks. So users who want their accounts to be more secure are forced to make a privacy trade-off and allow advertisers to more easily find them on the social network.

[…]

The researchers also found that if User A, whom we’ll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we’ll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call “shadow contact information,” about a month later.

[…]

“I think that many users don’t fully understand how ad targeting works today: that advertisers can literally specify exactly which users should see their ads by uploading the users’ email addresses, phone numbers, names+dates of birth, etc,” said Mislove. “In describing this work to colleagues, many computer scientists were surprised by this, and were even more surprised to learn that not only Facebook, but also Google, Pinterest, and Twitter all offer related services. Thus, we think there is a significant need to educate users about how exactly targeted advertising on such platforms works today.”

Source: Facebook Is Giving Advertisers Access to Your Shadow Contact Information

Before Windows 10, a clean install of Windows only included the bare essentials a user would need to get started using their PC. That included software built by Microsoft, such as Mail, Paint, and its web browser, and it never included “bloatware” or “trialware” that one might find on hardware purchased from a third-party OEM that preloaded all kinds of crapware.

The clean install process was simple. With Windows 7, you’d do the install, and once you hit the desktop, that was it. All the programs that were preinstalled were Microsoft-made and were often considered essentials. This changed with Windows 8, with the addition of auto-updating apps such as Travel, News and more. Still, these were acceptable, preinstalled Windows apps and were not really classed as bloatware.

With Windows 10, a clean install stays that way for about two minutes, because the second you hit the desktop, the Microsoft Store immediately starts trying to download third-party apps and games. And these apps keep trying to install themselves even after you cancel the downloads.

Six too many

There are six such apps, which is six too many. These apps are often random, but right now they include things like Candy Crush, Spotify, and Disney Magic Kingdoms. You should not see any of these apps on a fresh install of Windows 10, yet they are there every single time.

There are policies you can set that disable these apps from automatically installing, but that’s not the point. On a fresh, untouched, clean install of Windows 10, these apps will download themselves onto your PC. Even if you cancel the installation of these apps before they manage to complete the download, they will retry at a later date, without you even noticing.

The only way I’ve found that gets rid of them permanently is to let them install initially, without canceling the download, and then uninstall the apps from the Start menu. If you cancel the initial download of the bloatware apps before they complete their first install, the Microsoft Store will just attempt to redownload them later and will keep doing so until that initial install is complete.

Source: Hey, Microsoft, stop installing third-party apps on clean Windows 10 installs! | Windows Central

Zoho .com was pulled offline on Monday after the company’s domain registrar received phishing complaints, the company’s chief executive said.

The web-based office suite company, which also provides customer relationship and invoicing services to small businesses, tweeted that the site was “blocked” earlier in the day by TierraNet, which administers its domain name.

In an email to TechCrunch, Zoho boss Sridhar Vembu said that TierraNet “took our domain down without any notice to us” after receiving complaints about phishing emails from Zoho-hosted email accounts.

In doing so, thousands of businesses that rely on Zoho for their operations couldn’t access their email, documents and files, and other business-critical software during the day. Zoho counts Columbia University, Netflix, Citrix, Air Canada and the Los Angeles Times as customers.

“They kept pointing us back to their legal, even when I tried to call their senior management,” said Vembu in the email.

Source: Zoho pulled offline after phishing complaints, CEO says | TechCrunch

Members of the European Parliament voted Wednesday to approve a sweeping overhaul of the EU’s copyright laws that includes two controversial articles that threaten to hand more power to the richest tech companies and generally break the internet.

Overall, MEPs voted in favor of the EU Copyright Directive with a strong majority of 438 to 226. But the process isn’t over. There are still more parliamentary procedures to go through, and individual countries will eventually have to decide how they intend to implement the rules. That’s part of the reason that it’s so difficult to raise public awareness on this issue.

Momentum to oppose the legislation built up earlier this summer, culminating with Parliament deciding to open it up for amendments in July. Many people may have thought the worst was over. It wasn’t—but make no mistake, today’s vote in favor of the directive was extremely consequential.

The biggest issue with this legislation has been Articles 11 and 13. These two provisions have come to be known as the “link tax” and “upload filter” requirements, respectively.

In brief, the link tax is intended to take power back from giant platforms like Google and Facebook by requiring them to pay news outlets for the privilege of linking or quoting articles. But critics say this will mostly harm smaller websites that can’t afford to pay the tax, and the tech giants will easily pay up or just decide not link to news. The latter outcome has already happened when this was tried in Spain. On top of inhibiting the spread of news, the link tax could also make it all but impossible for Wikipedia and other non-profit educational sources to do their work because of their reliance on links, quotes, and citation.

The upload filter section of the legislation demands that all platforms aside from “small/micro enterprises” use a content ID system of some sort to prevent any copyrighted works from being uploaded. Sites will face all copyright liabilities in the event that something makes it past the filter. Because even the best filtering systems, like YouTube’s, are still horrible, critics say that the inevitable outcome is that over-filtering will be the default mode of operation. Remixing, meme-making, sharing of works in the public domain, and other fair use practices would likely all fall victim to platforms that would rather play it safe, just say no to flagged content, and avoid legal battles. Copyright trolls will likely be able to fraudulently claim ownership of intellectual property with little recourse for their victims.

We’ve gone further in-depth on all of the implications of the copyright directive, but the fact is, it’s full of vagaries and blind spots that make it impossible to say just how it will shake out. Joe McNamee, executive director of digital rights association EDRi, recently told The Verge, “The system is so complicated that last Friday the [European Parliament] legal affairs committee tweeted an incorrect assessment of what’s happening. If they don’t understand the rules, what hope the rest of us?” As we come closer to living parallel lives online and IRL, such sweeping legislation is dangerous to play with.

Source: Article 11, Article 13: EU’s Dangerous Copyright Bill Advances

Facebook is asking more banks to join Messenger and bring their users’ financial information along with them.

The Wall Street Journal reported on Monday Facebook was asking banks for users’ financial information, like credit card transactions and checking account balances. The data would be used for Messenger features including account balance updates and fraud alerts, but not for Facebook’s other platforms. The news comes at a sensitive time for Facebook as it battles privacy concerns and adjusts its policy regarding user data.

Facebook does currently have access to financial data from some companies in order to facilitate services like customer service chats and account management. Users give Facebook permission to access their information, the company added.

“Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates,” the statement said. “The idea is that messaging with a bank can be better than waiting on hold over the phone – and it’s completely opt-in. We’re not using this information beyond enabling these types of experiences – not for advertising or anything else. A critical part of these partnerships is keeping people’s information safe and secure.”

Source: Facebook is asking more financial institutions to join Messenger

Google has admitted that its option to “pause” the gathering of your location data doesn’t apply to its Maps and Search apps – which will continue to track you even when you specifically choose to halt such monitoring.

Researchers at Princeton University in the US this week confirmed on both Android handhelds and iPhones that even if you go into your smartphone’s settings and turn off “location history”, Google continues to snoop on your whereabouts and save it to your personal profile.

That may seem contradictory, however, Google assured the Associated Press that it is all fine and above-board because the small print says the search biz will keep tracking you regardless.

“There are a number of different ways that Google may use location to improve people’s experience, including: Location History, Web and App Activity, and through device-level Location Services,” the giant online ad company told AP, adding: “We provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

The mistake people make is wrongly assuming that turning off an option called “location history” actually turns off the gathering of location data – which is obviously ridiculous because if people really wanted Google not to know where they are every second of every day, they would of course go to “Web and App Activity” and “pause” all activity there, even though it makes no mention of location data.

Besides, in the pop-up explanation that appears in order to make you confirm that you want your location data turned off, Google is entirely upfront when it says, in the second paragraph: “This setting does not affect other location services on your device, like Google Location Services and Find My Device. Some location data may be saved as part of your activity on other Google services, like Search and Maps.”

Of course by “may be saved,” Google means “will be saved,” and it forgets to tell you that “Web and App Activity” is where you need to go to stop Search and Maps from storing your location data.

Misdirection

Of course, there’s no reason to assume that works either since Google makes no mention of turning off location when you “pause” web and app activity. Instead, it just tells you why that’s a bad idea: “Pausing additional Web & App Activity may limit or disable more personalized experiences across Google services. For example, you may stop seeing helpful recommendations based on the apps and sites you use.”

But it gets even weirder than that: because if you expect that turning off “Web and App Activity” would actually stop web and app activity in the same way turning off location history would turn off location data – then you’ve ended up in the wrong place again.

In that web and app activity pop-up: “If your Android usage & diagnostics setting is turned on, your device will still share information with Google, like battery level, how often you use your device and apps, and system errors. View Google settings on your Android device to change this setting.”

So if you want to turn off location, you need to go Web and App Activity.

And if you want to turn off web and app activity, you need to go to Google settings – although where precisely it’s not clear.

Source: Google keeps tracking you even when you specifically tell it not to: Maps, Search won’t take no for an answer • The Register

A former government contractor who pleaded guilty to leaking U.S. secrets about Russia’s attempts to hack the 2016 presidential election was sentenced Thursday to five years and three months in prison.

It was the sentence that prosecutors had recommended — the longest ever for a federal crime involving leaks to the news media — in the plea deal for Reality Winner, the Georgia woman at the center of the case. Winner was also sentenced to three years of supervised release and no fine, except for a $100 special assessment fee.

The crime carried a maximum penalty of 10 years. U.S. District Court Judge J. Randal Hall in Augusta, Georgia, was not bound to follow the plea deal, but elected to give Winner the amount of time prosecutors requested.

Source: Reality Winner sentenced to more than 5 years for leaking info about Russia hacking attempts

Last year, we launched an investigation into how Facebook’s People You May Know tool makes its creepily accurate recommendations. By November, we had it mostly figured out: Facebook has nearly limitless access to all the phone numbers, email addresses, home addresses, and social media handles most people on Earth have ever used. That, plus its deep mining of people’s messaging behavior on Android, means it can make surprisingly insightful observations about who you know in real life—even if it’s wrong about your desire to be “friends” with them on Facebook.

In order to help conduct this investigation, we built a tool to keep track of the people Facebook thinks you know. Called the PYMK Inspector, it captures every recommendation made to a user for however long they want to run the tool. It’s how one of us discovered Facebook had linked us with an unknown relative. In January, after hiring a third party to do a security review of the tool, we released it publicly on Github for users who wanted to study their own People You May Know recommendations. Volunteers who downloaded the tool helped us explore whether you’ll show up in someone’s People You Know after you look at their profile. (Good news for Facebook stalkers: Our experiment found you won’t be recommended as a friend just based on looking at someone’s profile.)

Facebook wasn’t happy about the tool.

The day after we released it, a Facebook spokesperson reached out asking to chat about it, and then told us that the tool violated Facebook’s terms of service, because it asked users to give it their username and password so that it could sign in on their behalf. Facebook’s TOS states that, “You will not solicit login information or access an account belonging to someone else.” They said we would need to shut down the tool (which was impossible because it’s an open source tool) and delete any data we collected (which was also impossible because the information was stored on individual users’ computers; we weren’t collecting it centrally).

We argued that we weren’t seeking access to users’ accounts or collecting any information from them; we had just given users a tool to log into their own accounts on their own behalf, to collect information they wanted collected, which was then stored on their own computers. Facebook disagreed and escalated the conversation to their head of policy for Facebook’s Platform, who said they didn’t want users entering their Facebook credentials anywhere that wasn’t an official Facebook site—because anything else is bad security hygiene and could open users up to phishing attacks. She said we needed to take our tool off Github within a week.

Source: Facebook Wanted Us to Kill This Investigative Tool

Facebook is pushing back against a report in Monday’s Wall Street Journal that the company is asking major banks to provide private financial data.

The social media giant has reportedly had talks with JPMorgan Chase, Wells Fargo, Citigroup, and US Bancorp to discuss proposed features including fraud alerts and checking account balances via Messenger.

Elisabeth Diana, a Facebook spokeswoman, told Ars that while the WSJ reported that Facebook has “asked” banks “to share detailed financial information about their customers, including card transactions and checking-account balances,” this isn’t quite right.

“Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management,” she said in a statement on behalf of the social media giant. “Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates. The idea is that messaging with a bank can be better than waiting on hold over the phone—and it’s completely opt-in. We’re not using this information beyond enabling these types of experiences—not for advertising or anything else.”

Diana further explained that account linking is already live with PayPal, Citi in Singapore, and American Express in the United States.

“We’re not shoring up financial data,” she added.

In recent months, Facebook has been scrutinized for its approach to user privacy.

Late last month, Facebook CFO David Wehner said, “We are also giving people who use our services more choices around data privacy, which may have an impact on our revenue growth.”

Source: Facebook: We’re not asking for financial data, we’re just partnering with banks | Ars Technica

But should you opt in, your financial data just happens to then belong to Facebook to do with as they please…

Denuvo’s notorious anti-piracy tech used to be seen as uncrackable. It held up against hackers’ best efforts for years, contorting itself into obtuse new shapes every time anybody broke through. In 2016, a Bulgarian hacker calling himself Voksi came along with a breakthrough that revitalized the whole Denuvo cracking scene. He’s been a pillar of it ever since. Now he’s in deep trouble.

In a post today on CrackWatch, a subreddit dedicated to removing DRM and other copy protection software from games, Voksi explained the sudden outage of the website of his hacker group, REVOLT. Yesterday, he got arrested, and the police raided his house.

“It finally happened,” Voksi wrote. “I can’t say it wasn’t expected. Denuvo filed a case against me to the Bulgarian authorities. Police came yesterday and took the server PC and my personal PC. I had to go to the police afterwards and explain myself.”

In a statement sent to Kotaku, Denuvo said that Voksi’s arrest came about through the dual efforts of Denuvo parent company Irdeto and the Bulgarian Cybercrime Unit. “The swift action of the Bulgarian police on this matter shows the power of collaboration between law enforcement and technology providers and that piracy is a serious offence that will be acted upon,” said Irdeto VP of cybersecurity services Mark Mulready.

Denuvo’s statement also included a quote from the Bulgarian Cybercrime Unit, which said: “We can confirm that a 21-year-old man was arrested on Tuesday on suspicion of offenses related to cybercrime and that computing equipment was confiscated. Our investigations are ongoing.”

Source: Renowned Hacker Arrested For Cracking Denuvo Anti-Piracy Tech

It’s a bit bizarre when the guys making locks start arresting the guys making keys. DRM is a bad idea anyway, but arresting people for breaking it shows you’d rather sweep your problems under a rug than fixing them. If you arrest enough people, pretty soon you will find there are a lot more problems in your software. This has been proven time and again and won’t change now.

Maybe the authorities should arrest the Denuvo people on charges of installing unwanted software along with your game on your PC.