We believe privacy and security are fundamental human rights, so we also provide a free version of ProtonVPN to the public. Unlike other free VPNs, there are no catches. We don’t serve ads or secretly sell your browsing history. ProtonVPN Free is subsidized by ProtonVPN paid users. If you would like to support online privacy, please consider upgrading to a paid plan for faster speeds and more features.

Source: ProtonVPN: Secure and Free VPN service for protecting your privacy

Hosted in Switzerland, so privacy invasions are covered by criminal law

Facebook doesn’t only know what its 2 billion users “Like.”

It now knows where millions of humans live, everywhere on Earth, to within 15 feet.

The company has created a data map of the human population by combining government census numbers with information it’s obtained from space satellites, according to Janna Lewis, Facebook’s head of strategic innovation partnerships and sourcing. A Facebook representative later told CNBC that this map currently covers 23 countries, up from 20 countries mentioned in this blog post from February 2016.

The mapping technology, which Facebook says it developed itself, can pinpoint any man-made structures in any country on Earth to a resolution of five meters.

Facebook is using the data to understand the precise distribution of humans around the planet.

That will help the company determine what types of internet service — based either on land, in the air or in space — it can use to reach consumers who now have no (or very low quality) internet connections.

Source: Facebook has mapped populations in 23 countries as it explores satellites to expand internet

Whilst an impressive feat, it’s pretty damn scary big brother wise!

In response to a chorus of complaints from its users, Uber is revamping privacy settings that it rolled out last fall.

Beginning this week, Uber riders using the iOS version of the ride-hailing company’s app will find a new series of privacy prompts that includes the ability to deny Uber the right to track your whereabouts. Uber is working on similar tweaks to the Android version of its app.

The new options for Uber app users are: Always (Uber is allowed to collect rider location information from the moment the app is opened until the trip ends), While Using The App (information flows to Uber while the app is visible on the screen) and Never (no info is transmitted but riders have to manually input their pick-up and drop-off locations).

One of the old privacy features that gave many users pause was Uber’s ability to track the whereabouts of riders up to 5 minutes after a ride was completed.

Uber says the 5-minute feature was never activated on the iOS version of its app, and that it was disabled a few months after being initiated on the Android version.

Source: Uber riders can make their trips more private

Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic – reveals that even when data from devices is encrypted, the metadata can help identify both the device and what it is signaling.

Some devices such as the Nest indoor camera directly communicate with identifiable domain names – in this case ‘dropcam.com.’ That immediately identifies what the product is, and it is then possible to infer from that and the resulting signal what is happening: whether it has detected motion or whether it is live streaming.

Likewise the Sense sleep monitor, TP‑Link smart plug, and Amazon Echo. Even when the devices communicate with a generic DNS server – like Amazon’s AWS service – they typically have a specific IP address that can be used to identify the sensor (the Belkin WeMo switch for example communicated with the very-specific prod1-fs-xbcs-net-1101221371.us-east-1.elb.amazonaws.com address).

By digging into each device’s signal, the team was able to figure out with some certainty exactly what was happening: someone was waking up, someone was turning on a light switch, someone had walked into the kitchen, and so on.

Source: How the CIA, Comcast can snoop on your sleep patterns, sex toy usage

Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the No. 3 most downloaded free software title for iPhones and iPads.

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.

Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing of the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again.

Source: Hit App Sarahah Quietly Uploads Your Address Book

The callous way companies like this, Sonos, Uber, Google, Microsoft etc etc etc handle your privacy like it’s dogshit is completely incredible.

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.

We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router’s MAC address and public data.

Source: AccuWeather caught sending user location data — even when location sharing is off

Around the same time Sonos is ignoring privacy as well, it looks like everyone is basically just taking the piss with your privacy.

Bad news, Sonos customers: to lay the groundwork for its upcoming voice assistant support, the company is asking users to agree to an updated privacy policy, one that includes both mandatory data collection rules and a mention about future device functionality. Should you disagree with said policy update, your device’s basic functions could stop working, according to Consumerist.

Source: How to Stop Your Sonos From Collecting (As Much) Personal Data

In a blog post, Sonos claimed the update was necessary to “improve your listening experience” and identify issues by analyzing collected error information. Its earlier privacy policy (you can check it out here) allowed users to choose whether or not they wanted to register their device with Sonos for data collection. The new one says that opting out of “Functional Data collection” is not an option.
Data Collection is Mandatory

Data collected previously included information about equalizer usage, playback errors, and time spent listening to local or streaming music. Its new privacy policy, however, collects what the company is calling “Functional Data,” information Sonos claims is “absolutely necessary for your Sonos System to perform its basic functions in a secure way.” Functional Data includes personal information like location data, IP addresses, and more:

Registration data:

This data includes your email address, location, language preference, Product serial number, IP address, and Sonos account login information (as described above).

System data:

This data includes things like product type, controller device type, operating system of controller, software version information, content source (audio line in), signal input (for example, whether your TV outputs a specific audio signal such as Dolby to your Sonos system), information about wifi antennas, audio settings (such as equalization or stereo pair), Product orientation, room names you have assigned to your Sonos Product, whether your product has been tuned using Sonos Trueplay technology, and error information.

Sonos is also trying to collect performance and activity information shown below, otherwise known as Additional Usage Data:

Performance Information:

This includes things like temperature of your Product, Wi-Fi information such as signal strength, what music services you have connected to your Sonos system (including, for some services, your login username – but not password – for such service), information about how often you use the Sonos app versus another control mechanism, flow of interactions within the Sonos app, how often you use the physical controls on the unit, and location data when the Sonos app is in use, and duration of Sonos Product use.

Activity Information:

This includes duration of music service use, Product or room grouping information; command information such as play, pause, change volume, or skip tracks; information about track, playlist, or station container data; and Sonos playlist or Sonos favorites information; each correlated to individual Sonos Products.

How to (Partially) Protect Yourself

For now, as long as you don’t enable voice assistant support, you can opt out of sharing the aforementioned Additional Usage Data with Sonos by adjusting some settings in your apps.

Sonos for iOS or Android:

From the Sonos music menu, tap Settings.
Tap Advanced Settings.
Tap Usage Data then Turn off Usage Data Sharing.

Sonos for Mac:

From the menu bar at the top of your screen click Sonos then Preferences.
On the left side of the window, click Advanced.
Click Improve Sonos.
Check the box that reads Turn usage data sharing off.

Sonos for PC:

From the menu bar at the top of the Sonos app click Manage then Settings.
On the left side of the window, click Advanced.
Click Improve Sonos.
Check the box that reads Turn usage data sharing off.

If you’re concerned about the data Sonos may have already collected, you can edit or delete it by accessing your Sonos account online or going through the Sonos app, though deleting personal data could render your Sonos device useless. You can also shoot Sonos an email and ask them to delete your personal data, if you’re into that.

And the US high courts still say that accepting these kind of terms of service is legal. Sonos hardware is expensive and forcing people to change the terms of their use after the financial investment makes it even worse than the disgrace that this kind of behavior is already.

Microsoft claims seven out of ten Windows 10 users are happy with Redmond gulping loads of telemetry from their computers – which isn’t that astounding when you realize it’s a default option.

In other words, 30 per cent of people have found the switch to turn it off, and the rest haven’t, don’t realize it’s there, or are genuinely OK with the data collection.
[…]
Essentially, if you’re on Home or Pro, you can’t tell your OS to not phone home. And, sure, this information – from lists of hardware and apps installed to pen gestures – is useful to Microsoft employees debugging code that’s running in the field. But we’re all adults here, and some folks would like the option to not have any information leaving their systems.

Source: 70% of Windows 10 users are totally happy with our big telemetry slurp, beams Microsoft

Nice spin, to say people “choose” the default option, when it isn’t a choice people actually can make!

This is why I am leaving Windows for what it is and moving to Linux Mint.

A federal class action lawsuit filed last week in California alleges that the Walt Disney Company is violating privacy protection laws by collecting children’s personal information from 42 of its apps and sharing the data with advertisers without parental consent.

The lawsuit targets Disney and three software companies — Upsight, Unity, and Kochava — alleging that the companies created mobile apps aimed at children that contained embedded software to track, collect, and then export their personal information along with information about their online behavior. The plaintiff, a San Francisco woman named Amanda Rushing, says she was unaware that information about her child, “L.L.,” was collected while playing mobile game Disney Princess Palace Pets, and that data was then sold to third parties for ad targeting.

The Verge

US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation.

The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015.

The order was signed to help authorities track 26 individuals suspected of involvement with illegal drug and narcotic-related activities in Pennsylvania.

The wiretap cost the authorities $335,000 to conduct and led to a dozen arrests.

But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted.

Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician.

The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather “clickstreams”.

These are detailed records of everywhere that people go online.

The researchers argue such data – which some firms scoop up and use to target ads – should be protected.
[…]
The pair found that 95% of the data they obtained came from 10 popular browser extensions.
[…]
The public information included links people shared via Twitter, YouTube videos they reported watching, news articles they passed on via social media or when they posted online photos of items they bought or places they visited.

In many cases, he said, it was even easier to de-anonymise because the clickstreams contained links to people’s personal social media admin pages which directly revealed their identity.

Source: It is easy to expose users’ secret web habits, say researchers – BBC News

G Suite’s Gmail is already not used as input for ads personalization, and Google has decided to follow suit later this year in our free consumer Gmail service. Consumer Gmail content will not be used or scanned for any ads personalization after this change. This decision brings Gmail ads in line with how we personalize ads for other Google products. Ads shown are based on users’ settings. Users can change those settings at any time, including disabling ads personalization. G Suite will continue to be ad free.

Source: As G Suite gains traction in the enterprise, G Suite’s Gmail and consumer Gmail to more closely align

This is what is called a phyrric victory

[As you fill out a form] You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy.[…]Your email address and phone number have already been sent to a server at “murdoog.com,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the “Submit” button.

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.
[…]
Only one site of the dozens we reviewed, Gardeners.com, explicitly revealed in its privacy policy what it was doing, the site was about how to have a great garden and make it look better with glow in the dark pebbles and other accesories. It read, “Information you enter is collected even if you cancel or do not complete an order.” The rest of the sites had the usual legalese in their policies about using standard tracking tech such as cookies and Web beacons, which did not describe the way this particular information capture works.

Source: Before You Hit ‘Submit,’ This Company Has Already Logged Your Personal Data

Not only are they saving your data without your consent, they boast that they can send you post within 2 days. Once Gizmodo tested a few of the sites with their technology enabled, they denied everything, even though Gizmodo was sitting on the proof. Scumbags.