Windows Users Surprised by Windows 11’s Short List of Supported CPUs – and front facing camera requirements

While a lot of focus has been on the TPM requirements for Windows 11, Microsoft has since updated its documentation to provide a complete list of supported processors. At present the list includes only Intel 8th Generation Core processors or newer, and AMD Ryzen Zen+ processors or newer, effectively limiting Windows 11 to PCs less than 4-5 years old.

Notably absent from the list is the Intel Core i7-7820HQ, the processor used in Microsoft’s current flagship $3500+ Surface Studio 2. This has prompted many threads on Reddit from users angry that their (in some cases very new) Surface PC is failing the Windows 11 upgrade check.
The Verge confirms: Windows 11 will only support 8th Gen and newer Intel Core processors, alongside [Intel’s 2016-era] Apollo Lake and newer Pentium and Celeron processors. That immediately rules out millions of existing Windows 10 devices from upgrading to Windows 11… Windows 11 will also only support AMD Ryzen 2000 and newer processors, and 2nd Gen or newer [AMD] EPYC chips. You can find the full list of supported processors on Microsoft’s site…

Originally, Microsoft noted that CPU generation requirements are a “soft floor” limit for the Windows 11 installer, which should have allowed some older CPUs to be able to install Windows 11 with a warning, but hours after we published this story, the company updated that page to explicitly require the list of chips above.

Many Windows 10 users have been downloading Microsoft’s PC Health App (available here) to see whether Windows 11 works on their systems, only to find it fails the check… This is the first significant shift in Windows hardware requirements since the release of Windows 8 back in 2012, and the CPU changes are understandably catching people by surprise.

Microsoft is also requiring a front-facing camera for all Windows 11 devices except desktop PCs from January 2023 onwards.
“In order to run Windows 11, devices must meet the hardware specifications,” explains Microsoft’s official compatibility page for Windows 11.

“Devices that do not meet the hardware requirements cannot be upgraded to Windows 11.”

Source: Windows Users Surprised by Windows 11’s Short List of Supported CPUs – Slashdot

Why on earth should Microsoft require that it can look at you?!

Amazon is blocking Google’s FLoC

Most of Amazon’s properties including Amazon.com, WholeFoods.com and Zappos.com are preventing Google’s tracking system FLoC — or Federated Learning of Cohorts — from gathering valuable data reflecting the products people research in Amazon’s vast e-commerce universe, according to website code analyzed by Digiday and three technology experts who helped Digiday review the code.

Amazon declined to comment on this story.

As Google’s system gathers data about people’s web travels to inform how it categorizes them, Amazon’s under-the-radar move could not only be a significant blow to Google’s mission to guide the future of digital ad tracking after cookies die — it could give Amazon a leg up in its own efforts to sell advertising across what’s left of the open web.

[…]

Digiday watched last week as Amazon added code to its digital properties to block FLoC from tracking visitors using Google’s Chrome browser. For example, while earlier in the week WholeFoods.com and Woot.com did not include code to block FLoC, by Thursday Digiday saw that those sites did feature code telling Google’s system not to include activities of their visitors to inform cohorts or assign IDs. But Amazon’s blocking appears scattered.

[…]

Source: Amazon is blocking Google’s FLoC — and that could seriously weaken the system

Apple settles with student after authorized repair workers leaked her naked pics to her Facebook page. Apple blocks Right to repair for danger by unauthorised parties. Hmm.

Apple has paid a multimillion-dollar settlement to an unnamed Oregon college student after one of its outsourced repair facilities posted explicit pictures and videos of her to her Facebook page.

According to legal documents obtained by The Telegraph, the incident occurred in 2016 at a Pegatron-owned repair centre in Sacramento, California. The student had mailed in her device to have an unspecified fault fixed.

While it was at the facility, two technicians published a series of photographs showing the complainant unclothed to her Facebook account, as well as a “sex video.” The complaint said the post was made in a way that impersonated the victim, and was only removed after friends informed her of its existence.

The two men responsible were fired after an investigation. It is not known if the culprits faced criminal charges.

Much of the details of the case, as well as the exact size of the settlement, were sealed. Lawyers for the plaintiff sought a $5m payout. The settlement included non-disclosure provisions that prevented the student from revealing details about the case, or the exact size of the compensation.

Counsel for the victim threatened to sue for infliction of emotional distress, as well as invasion of privacy. The filings show they warned Apple that any lawsuit would result in inevitable negative publicity for the company.

Pegatron settled with the victim separately, per the filings.

In its fight against the right to repair, Apple has argued that allowing independent third-party businesses to service its computers and smartphones would present an unacceptable risk to user privacy and security.

This incident, which occurred at the facilities of an authorised contractor, has undercut that argument somewhat.

It follows a similar incident in November 2019, where a Genius Bar employee texted himself an explicit image taken from an iPhone he was repairing. After the victim complained, the employee was fired.

[…]

Source: Apple settles with student after authorized repair workers leaked her naked pics to her Facebook page • The Register

Google, Facebook, Chaos Computer Club join forces to oppose German state spyware

Plans by the German government to allow the police to deploy malware on any target’s devices, and force the tech world to help them, have run into some opposition, funnily enough.

In an open letter this month, the Chaos Computer Club – along with Google, Facebook, and others – said they are against proposals to dramatically expand the use of so-called state trojans, aka government-made spyware, in Germany. Under planned legislation, even people not suspected of committing a crime can be infected, and service providers will be forced to help. Plus all German spy agencies will be allowed to infiltrate people’s electronics and communications.

The proposals bypass the whole issue of backdooring or weakening encryption that American politicians seem fixated on. Once you have root access on a person’s computer or handheld, the device can be an open book, encryption or not.

“The proposals are so absurd that all of the experts invited to the committee hearing in the Bundestag sharply criticized the ideas,” the CCC said.

“Even Facebook and Google – so far not positively recognized as pioneers of privacy – speak out vehemently against the project. Protect security and trust online – against an unlimited expansion of surveillance and for the protection of encryption.”

Source: Google, Facebook, Chaos Computer Club join forces to oppose German state spyware • The Register

Google reportedly made it harder to find Android privacy settings

Google’s approach to Android privacy is coming under fire following revelations from Arizona’s antitrust lawsuit over phone tracking. As Insider reports, freshly unredacted documents in the case suggest Google made Android privacy settings harder to find. When Google tested OS releases that surfaced privacy features, the company reportedly saw greater use of those features as a “problem” and aimed to put them deeper into the menu system.

The tech giant also “successfully pressured” phone brands like LG to bury location settings as they were popular, according to Arizona’s attorneys. Google personnel further acknowledged that it was difficult to stop the company from determining your home and work locations, and complained that there was “no way” to give third-party apps your location without also handing them to Google.

[…]

Source: Google reportedly made it harder to find Android privacy settings | Engadget

WhatsApp Won’t Limit Functionality if You Refuse Privacy Policy – for now. But it will pester you about it.

WhatsApp initially threatened to revoke core functions for users that refused to accept its controversial new privacy policy, only to walk back the severity of those consequences earlier this month amid international backlash, and now, it’s doing away with them altogether (for the time being, at least).

In a reversal, the company clarified on Friday that it won’t restrict any functionality even if you haven’t accepted the app’s updated privacy policy yet, TNW reports.

“Given recent discussions with various authorities and privacy experts, we want to make clear that we will not limit the functionality of how WhatsApp works for those who have not yet accepted the update,” a WhatsApp spokesperson said in a statement to the Verge. They added that this is the plan moving forward indefinitely.

In an update to the company’s FAQ page, WhatsApp clarifies that no users will have their accounts deleted or lose functionality if they don’t accept the new policies. That being said, WhatsApp will still send these users reminders to update “from time to time,” WhatsApp told the Verge. On its support page, WhatsApp claims that the majority of users who have seen the update have accepted.

Source: WhatsApp Won’t Limit Functionality if You Refuse Privacy Policy

Creepy Social Media Face Stealing firm Clearview hit with complaints in France, Austria, Italy, Greece and the UK

Data rights groups have filed complaints in the UK, France, Austria, Greece and Italy against Clearview AI, claiming its scraped and searchable database of biometric profiles breaches both the EU and UK General Data Protection Regulation (GDPR).

The facial recognition company, which is based in the US, claims to have “the largest known database of 3+ billion facial images”. Clearview AI’s facial recognition tool is trained on images harvested from YouTube, Facebook, Twitter and attempts to match faces fed into its machine learning software with results from its multi-billion picture database. The business then provides a link to the place it found the “match”.

Google, Twitter, Facebook and even Venmo all sent cease and desist letters to Clearview AI last year asking that it stop scraping people’s photos from their websites. The firm’s CEO defended its business model at the time by saying: “Google can pull in information from all different websites. So if it’s public and it’s out there and could be inside Google’s search engine, it can be inside ours as well.”

The US firm was sued last year by the American Civil Liberties Union. The ACLU also sued the US Department of Homeland Security and its law enforcement agencies last month for failing to respond to Freedom of Information Act requests about their use of Clearview’s tech.

[…]

Back in January this year, [PDF], Chaos Computer Club member Matthias Marx managed to get Clearview to delete the hash value representing his biometric profile – although not the actual images or metadata – after filing a complaint with the Hamburg data protection authorities.

The decision by the Hamburg DPA was that Clearview AI had added his biometric profile to its searchable database without his knowledge or consent. It did not order the deletion of the photographs, however.

“It is long known that Clearview AI has not only me, but many, probably thousands of Europeans in its illegal face database. An order by the European data protection authorities to remove the faces of all Europeans is long overdue,” Marx told The Reg via email. “It is not a solution that every person has to file [their] own complaint.”

[…]


Source: Facial recog firm Clearview hit with complaints in France, Austria, Italy, Greece and the UK • The Register

The New Sonos One SL Reminds Us That Smart Devices Have a Shelf Life, forces you onto the spying S2 update

[…]

if you’re thinking of buying a new One SL, you ought to keep in mind that it’ll only work with the newer Sonos S2 app.

This won’t be a problem for every Sonos owner, especially if you bought all your Sonos devices in the past year or two. It might be an issue, however, if you’re still operating a mix of newer and older Sonos hardware. Namely, the “legacy” Sonos products that were “killed off” last year. Those legacy gadgets will only work with the S1 app, and although Sonos committed to providing updates for these devices, controlling a mix of legacy and current Sonos gadgets isn’t possible on the S2 app.

[…]

Source: The New Sonos One SL Reminds Us That Smart Devices Have a Shelf Life

You can’t roll back from the update, which basically only seems to add rounded corners to backgrounds and break in dark mode – except that it also lets Sonos spy on you through the built-in microphone with S2.

Pentagon Surveilling Americans Without a Warrant, Senator Reveals

Senator Wyden’s office asked the Department of Defense (DoD), which includes various military and intelligence agencies such as the National Security Agency (NSA) and the Defense Intelligence Agency (DIA), for detailed information about its data purchasing practices after Motherboard revealed special forces were buying location data. The responses also touched on military or intelligence use of internet browsing and other types of data, and prompted Wyden to demand more answers specifically about warrantless spying on American citizens.

Some of the answers the DoD provided were given in a form that means Wyden’s office cannot legally publish specifics on the surveillance; one answer in particular was classified. In the letter Wyden is pushing the DoD to release the information to the public.

[…]

“Are any DoD components buying and using without a court order internet metadata, including ‘netflow’ and Domain Name System (DNS) records,” the question read, and asked whether those records were about “domestic internet communications (where the sender and recipient are both U.S. IP addresses)” and “internet communications where one side of the communication is a U.S. IP address and the other side is located abroad.”

Netflow data creates a picture of traffic flow and volume across a network. DNS records relate to when a user looks up a particular domain, and a system then converts that text into the specific IP address for a computer to understand; essentially a form of internet browsing history.

Wyden’s new letter to Austin urging the DoD to release that answer and others says “Information should only be classified if its unauthorized disclosure would cause damage to national security. The information provided by DoD in response to my questions does not meet that bar.”

[…]

“Other than DIA, are any DoD components buying and using without a court order location data collected from phones located in the United States?” one of Wyden’s questions reads. The answer to that is one that Wyden is urging the DoD to release.

The DIA memo said the agency believes it does not require a warrant to obtain such information. Following this, Wyden also asked the DoD which other DoD components have adopted a similar interpretation of the law. One response said that each component is itself responsible to make sure they follow the law.

Wyden is currently proposing a new piece of legislation called The Fourth Amendment Is Not For Sale Act which would force some agencies to obtain a warrant for location and other data.

[…]

Source: Pentagon Surveilling Americans Without a Warrant, Senator Reveals

Facebook Ordered to Stop German WhatsApp Users’ Data Collection

Facebook Inc. was ordered to stop collecting German users’ data from its WhatsApp unit, after a regulator in the nation said the company’s attempt to make users agree to the practice in its updated terms isn’t legal.

Johannes Caspar, who heads Hamburg’s privacy authority, issued a three-month emergency ban, prohibiting Facebook from continuing with the data collection. He also asked a panel of European Union data regulators to take action and issue a ruling across the 27-nation bloc. The new WhatsApp terms enabling the data scoop are invalid because they are intransparent, inconsistent and overly broad, he said.

“The order aims to secure the rights and freedoms of millions of users which are agreeing to the terms Germany-wide,” Caspar said in a statement on Tuesday. “We need to prevent damage and disadvantages linked to such a black-box-procedure.”

The order strikes at the heart of Facebook’s business model and advertising strategy. It echoes a similar and contested step by Germany’s antitrust office attacking the network’s habit of collecting data about what users do online and merging the information with their Facebook profiles. That trove of information allows ads to be tailored to individual users — creating a cash cow for Facebook.

Facebook’s WhatsApp unit called Caspar’s claims “wrong” and said the order won’t stop the roll-out of the new terms. The regulator’s action is “based on a fundamental misunderstanding” of the update’s purpose and effect, the company said in an emailed statement.

Read more: Facebook Faces German Bid to Halt WhatsApp Data Collection

The U.S. tech giant has faced global criticism over the new terms that WhatsApp users are required to accept by May 15. Caspar said Facebook may already be wrongfully handling data and said it’s important to prevent misuse of the information to influence the German national election in September.

Source: Facebook Ordered to Stop German WhatsApp Users’ Data Collection – Bloomberg

Justice Department Quietly Seized Washington Post Reporters’ Phone Records During Trump Era

The Department of Justice quietly seized phone records and tried to obtain email records for three Washington Post reporters, ostensibly over their coverage of then-U.S. Attorney General Jeff Sessions and Russia’s role in the 2016 presidential election, according to officials and government letters reviewed by the Post.

Justice Department regulations typically mandate that news organizations be notified when it subpoenas such records. However, though the Trump administration OK’d the decision, officials apparently left the notification part for the Biden administration to deal with. I guess they just never got around to it. Probably too busy inspiring an insurrection and trying to overthrow the presidential election.

In three separate letters dated May 3 addressed to reporters Ellen Nakashima, Greg Miller, and former reporter Adam Entous, the Justice Department wrote they were “hereby notified that pursuant to legal process the United States Department of Justice received toll records associated with the following telephone numbers for the period from April 15, 2017 to July 31, 2017,” according to the Post. Listed were Miller’s work and cellphone numbers, Entous’ cellphone number, and Nakashima’s work, cellphone, and home phone numbers. These records included all calls to and from the phones as well as how long each call lasted but did not reveal what was said.

According to the letters, the Post reports that prosecutors also secured a court order to seize “non content communications records” for the reporters’ email accounts, which would disclose who emailed whom and when the emails were sent but not their contents. However, officials ultimately did not obtain these records, the outlet said.

[…]

“We are deeply troubled by this use of government power to seek access to the communications of journalists,” said the Post’s acting executive editor Cameron Barr. “The Department of Justice should immediately make clear its reasons for this intrusion into the activities of reporters doing their jobs, an activity protected under the First Amendment.”

Frustratingly, the letters apparently don’t go into why the Department of Justice seized this data. A department spokesperson told the outlet that the decision to do so was made in 2020 during the Trump administration. (It’s worth noting that former President Donald Trump has made it crystal clear that he despises news media and the government leakers that provide them their scoops.)

Based on the time period cited in the letters and what the reporters covered during those months, the Post speculates that their investigations into Sessions and Russian interference could be why the department wanted to get its hands on their phone data.

[…]

Source: Justice Department Quietly Seized Washington Post Reporters’ Phone Records During Trump Era

WhatsApp’s privacy policy – not accepting will slowly kill your functionality and then delete your history

After facing international backlash over impending updates to its privacy policy, WhatsApp has ever-so-slightly backtracked on the harsh consequences it initially planned for users who don’t accept them—but not entirely.

In an update to the company’s FAQ page, WhatsApp clarifies that no users will have their accounts deleted or instantly lose app functionality if they don’t accept the new policies. It’s a step back from what WhatsApp had been telling users up until this point. When this page was first posted back in February, it specifically told users that those who don’t accept the platform’s new policies “won’t have full functionality” until they do. The threat of losing functionality is still there, but it won’t be automatic.

“For a short time, you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app,” WhatsApp wrote at the time. While the deadline to accept was initially early February, the blowback the company got from, well, just about everyone, caused the deadline to be postponed until May 15—this coming Saturday.

After that, folks that gave the okay to the new policy won’t notice any difference to their daily WhatsApp experience, and neither will the people that didn’t—at least at first. “After a period of several weeks, the reminder [to accept] people receive will eventually become persistent,” WhatsApp wrote, adding that users getting these “persistent” reminders will see their app stymied pretty significantly: For a “few weeks,” users won’t be able to access their chat lists, but will be able to answer incoming phone and video calls made over WhatsApp. After that grace period, WhatsApp will stop sending messages and calls to your phone entirely (until you accept).

[…]

It’s worth mentioning here that if you keep the app installed but still refuse to accept the policy for whatever reason, WhatsApp won’t outright delete your account because of that. That said, WhatsApp will probably delete your account due to “inactivity” if you don’t connect for 120 days, as is WhatsApp policy.

[…]

While the company has done the bare minimum in explaining what this privacy policy update actually means, the company hasn’t done much to assuage the concerns of lawyers, lawmakers, or really anyone else. And it doesn’t look like these new “reminders” will put them at ease, either.

Source: WhatsApp’s New Update: What It Means for Your Account

TV maker Skyworth under fire for excessive data collection that users call spying whilst China clamps down on user tracking

Chinese television maker Skyworth has issued an apology after a consumer found that his set was quietly collecting a wide range of private data and sending it to a Beijing-based analytics company without his consent.

A network traffic analysis revealed that a Skyworth smart TV scanned for other devices connected to the same local network every 10 minutes and gathered data that included device names, IP addresses, network latency and even the names of other Wi-Fi networks within range, according to a post last week on the Chinese developer forum V2EX.

The data was sent to the Beijing-based firm Gozen Data, the forum user said. Gozen is a data analytics company that specialises in targeted advertising on smart TVs, and it calls itself China’s first “home marketing company empowered by big data centred on family data”.

[…]

“Isn’t this already the criminal offence of spying on people?” asked one user on Sina.com, a Chinese financial news portal. “Whom will the collected data be sold to, and who is the end user of this data?”

The reaction online eventually prompted Skyworth to respond.

The Shenzhen-based TV and set-top box maker issued a statement on April 27, saying it had ended its “cooperation” with Gozen and demanded the firm delete all its “illegally” collected data. Skyworth also said it had stopped using the Gozen app on its televisions and was looking into the issue.

Gozen issued a statement on its website on the same day, saying its Gozen Data Android app could be disabled on Skyworth TVs, but it did not address the likelihood that users would be aware of this functionality. The company also apologised for “causing user concerns about privacy and security”.

On its official WeChat account, Gozen said in a post from 2019 that it has been working with Skyworth since 2014. Its latest post, which included its apology, said the company collected data for viewership research that includes “television ratings for households and individuals, viewership analysis, advertising analysis and optimisation”. Neither company provided information on the scope and depth of the data collection.

[…]

The revelations about Skyworth and Gozen come amid a national crackdown on the rampant collection and use of user data. Beijing recently introduced new regulations for protecting personal data and curbing its collection through mobile apps.

New rules introduced in March define for the first time personal information considered “necessary” for apps in 39 different categories, including messaging and e-commerce. Users should be able to decline to provide data that is not necessary for an app to function, according to the new rules. Users of live-streaming and short-video apps, for example, should be able to use such apps without providing any personal information.

[…]

There have been no reports that Skyworth or Gozen are being investigated. Still, the disclosure and corporate statements have fanned fears among users in China, where Skyworth was the third biggest TV brand by sales volume in 2020, behind Xiaomi and Hisense, making up more than 13 per cent of the market. Globally, the company was the fifth-largest TV maker, according to data from Trendforce, behind Samsung Electronics, LG Electronics, TCL and Hisense.

Source: Chinese TV maker Skyworth under fire for excessive data collection that users call spying | South China Morning Post
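The article says the TV was caught by traffic analysis sweeping the LAN every 10 minutes. The following is an added example (not from the article or either company) of how a home router or sensor export could be checked for that pattern: it flags a local source that contacts many distinct local hosts in a short burst, at a regular interval. Flow records, the 192.168.1.0/24 network and the 10-minute period are all constructed.

```python
"""Detect a local host that periodically sweeps the LAN (added example).

Input: flow records (timestamp_seconds, src_ip, dst_ip) such as a router
or passive sensor might export. A "sweep" is a burst in which one source
reaches >= min_hosts distinct local addresses within burst_window seconds;
a source is reported when it produces >= min_bursts sweeps spaced at a
regular interval (within the given tolerance).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

LAN = ip_network("192.168.1.0/24")   # constructed home network


def find_periodic_sweepers(flows, min_hosts=8, burst_window=30,
                           min_bursts=3, tolerance=0.2):
    """Return {src_ip: median_interval_seconds} for periodic LAN sweepers."""
    by_src = defaultdict(list)
    for ts, src, dst in flows:
        # Only local-to-local traffic matters for a LAN inventory sweep.
        if ip_address(src) in LAN and ip_address(dst) in LAN:
            by_src[src].append((ts, dst))

    result = {}
    for src, events in by_src.items():
        events.sort()
        bursts = []                      # list of [burst_start_ts, {dsts}]
        for ts, dst in events:
            if bursts and ts - bursts[-1][0] <= burst_window:
                bursts[-1][1].add(dst)
            else:
                bursts.append([ts, {dst}])
        sweeps = [start for start, dsts in bursts if len(dsts) >= min_hosts]
        if len(sweeps) < min_bursts:
            continue                     # one-off discovery is not periodic
        gaps = [b - a for a, b in zip(sweeps, sweeps[1:])]
        period = median(gaps)
        if all(abs(g - period) <= tolerance * period for g in gaps):
            result[src] = period
    return result


def constructed_flows():
    """Constructed sample: a TV (.50) sweeps .1-.20 every 600 s, four times;
    a laptop (.10) talks to the router and the internet, and does one
    non-repeating sweep (e.g. a network-discovery tool run once)."""
    flows = []
    for k in range(4):
        for host in range(1, 21):
            flows.append((k * 600 + host * 0.5, "192.168.1.50", f"192.168.1.{host}"))
    for t in range(0, 2400, 97):
        flows.append((t, "192.168.1.10", "192.168.1.1"))
        flows.append((t + 1, "192.168.1.10", "203.0.113.5"))   # TEST-NET-3 address
    for host in range(1, 21):
        flows.append((1300 + host, "192.168.1.10", f"192.168.1.{host}"))
    return flows


if __name__ == "__main__":
    for src, period in find_periodic_sweepers(constructed_flows()).items():
        print(f"{src} sweeps the LAN roughly every {period:.0f} s")
```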

Court Chides F.B.I., but Re-Approves Warrantless Surveillance Program

For a second year, the nation’s surveillance court has pointed with concern to “widespread violations” by the F.B.I. of rules intended to protect Americans’ privacy when analysts search emails gathered without a warrant — but still signed off on another year of the program, a newly declassified ruling shows.

In a 67-page ruling issued in November and made public on Monday, James E. Boasberg, the presiding judge on the Foreign Intelligence Surveillance Court, recounted several episodes uncovered by an F.B.I. audit where the bureau’s analysts improperly searched for Americans’ information in emails that the National Security Agency collected without warrants.

Rather than a new problem, however, those instances appeared largely to be additional examples of an issue that was already brought to light in a December 2019 ruling by Judge Boasberg. The government made it public in September.

The F.B.I. has already sought to address the problem by rolling out new system safeguards and additional training, although the coronavirus pandemic has hindered the bureau’s ability to assess how well they are working. Still, Judge Boasberg said he was willing to issue a legally required certification for the National Security Agency’s warrantless surveillance program to operate for another year.

“While the court is concerned about the apparent widespread violations of the querying standard,” Judge Boasberg wrote, “it lacks sufficient information at this time to assess the adequacy of the F.B.I. system changes and training, post-implementation.”

Because of that, he added, the court concluded that “the F.B.I.’s querying and minimization procedures meet statutory and Fourth Amendment requirements.”

[…]

Source: Court Chides F.B.I., but Re-Approves Warrantless Surveillance Program – The New York Times

Study finds GAEN Google Apple contact tracing apps allow user + contact location tracking. NL stops use of tracking app.

A study describes the data transmitted to backend servers by the Google/Apple based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish, Polish, Danish, and Latvian apps could be improved in this respect. However, the study also finds that the Google Play Services component of the apps contacts Google servers as often as every 20 minutes, potentially enabling fine-grained location tracking. Google Play Services, which users cannot turn off if they want to use the contact tracing app, also shares numerous details – serial numbers of SIM cards and hardware, phone IMEI, MAC address, and user email address with Google, along with fine-grained information about other apps running on the phone. While data protection impact assessments have been carried out for the health authority client app components, they have not been made public for the GAEN component.

Source: https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf

Source: Study finds gaps in GAEN contact tracing apps privacy protection | Privacy International

The CoronaMelder app is temporarily not sending warnings of possible infections to other users because of privacy problems.

The halting of the notifications relates to the insecure storage of CoronaMelder’s codes on Android phones. Halting them prevents users of the app in the Netherlands from being linked to data that is accessible to third parties via Google’s system.

CoronaMelder uses the Google Apple Exposure Notification (GAEN) framework to detect encounters. The framework uses constantly changing random codes that are exchanged when two phones are close to each other. This makes it possible to determine whether someone has been in contact with a person who later turned out to be infected. It is a privacy-friendly way of keeping track of encounters.

Third parties should not be able to collect and view these codes. On phones running Google Android, however, this was possible. Apps that came pre-installed on a phone could determine whether the phone belongs to someone who was previously reported as infected in CoronaMelder, and which encounters with infected persons had taken place.

On Wednesday, Google said it had fixed the problem. To make sure of this, for the next 48 hours no codes from Dutch CoronaMelder users who have reported themselves as infected will be shared with other CoronaMelder users. This time will be used to investigate whether Google has actually closed the leak.

Source: Temporary stop NL Corona Tracing App due to privacy problems (Dutch) | Emerce

WordPress may automatically disable Google FLoC on websites

WordPress announced today that they are treating Google’s new FLoC tracking technology as a security concern and may block it by default on WordPress sites.

For some time, browsers have begun to increasingly block third-party browser cookies [1, 2, 3] used by advertisers for interest-based advertising.

In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses a web browser to anonymously place users into interest or behavioral buckets based on how they browse the web.

After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google’s FLoC implementation just replaces one privacy risk with another one.

[…]

“WordPress powers approximately 41% of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code,” says WordPress.

WordPress plans to disable FLoC using the following four lines of code, which cause the blogging platform to send an HTTP header that tells the browser that FLoC should be disabled for the site.

// Add a Permissions-Policy header with an empty interest-cohort allowlist,
// which tells the browser not to include this site in FLoC cohort calculation.
function disable_floc($headers) {
    $headers['Permissions-Policy'] = 'interest-cohort=()';
    return $headers;
}

// Hook into the headers WordPress sends with every response.
add_filter('wp_headers', 'disable_floc');

WordPress explains that though some admins will likely want to enable this technology, those admins probably have the tech know-how to override the above code. WordPress also indicated that they might add a setting that allows admins to control whether FLoC is permitted.

However, WordPress’s concern is that those unaware of this new tracking technology will automatically opt into it without fully understanding what it entails. Therefore, it is in these users’ best interest for WordPress to automatically disable the technology.
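A site owner (or anyone auditing a site) can verify that the header above actually reaches the browser. The following checker is an added example, not WordPress code: it parses the Permissions-Policy header's dictionary syntax far enough to tell whether the interest-cohort feature has an empty allowlist, which is the form that opts the site out of FLoC. The header values below are constructed for the example; the optional check_site() helper needs network access and is not exercised offline.

```python
"""Check whether HTTP response headers opt a site out of FLoC.

Added example (not WordPress code). Permissions-Policy is a dictionary of
feature=allowlist items separated by commas; an allowlist is "*", a bare
token, or a parenthesised, space-separated list. An empty list "()" means
the feature is denied everywhere, which is what 'interest-cohort=()' does.
"""
import re
import urllib.request
from typing import Dict, Tuple

# Parsed policy for one feature:
#   ("none", ())          empty allowlist, feature disabled
#   ("all", ())           "*", allowed for every origin
#   ("list", (origins,))  explicit allowlist (e.g. "self", "https://a.example")
Policy = Tuple[str, Tuple[str, ...]]

_ITEM_RE = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_permissions_policy(value: str) -> Dict[str, Policy]:
    """Parse a Permissions-Policy header value into {feature: policy}."""
    policies: Dict[str, Policy] = {}
    for item in value.split(","):
        if not item.strip():
            continue
        match = _ITEM_RE.match(item)
        if not match:
            continue  # malformed item: ignore rather than guess
        feature, allow = match.group(1), match.group(2)
        if allow == "*":
            policies[feature] = ("all", ())
        elif allow.startswith("(") and allow.endswith(")"):
            origins = tuple(tok.strip('"') for tok in allow[1:-1].split())
            policies[feature] = ("none", ()) if not origins else ("list", origins)
        else:
            policies[feature] = ("list", (allow.strip('"'),))
    return policies


def floc_disabled(headers: Dict[str, str]) -> bool:
    """True if the headers carry 'interest-cohort=()' in Permissions-Policy."""
    for name, value in headers.items():
        if name.lower() != "permissions-policy":
            continue
        policy = parse_permissions_policy(value).get("interest-cohort")
        if policy is not None and policy[0] == "none":
            return True
    return False


def check_site(url: str) -> bool:
    """Fetch a URL and report whether its response opts out of FLoC.

    Network helper for real use; not part of the offline demonstration.
    """
    with urllib.request.urlopen(url) as resp:  # noqa: S310 (trusted input assumed)
        return floc_disabled(dict(resp.headers.items()))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    sample_ok = {"Content-Type": "text/html", "Permissions-Policy": "interest-cohort=()"}
    sample_missing = {"Content-Type": "text/html"}
    print("opted out:", floc_disabled(sample_ok))        # True
    print("opted out:", floc_disabled(sample_missing))   # False
```

Note that a value such as `interest-cohort=*` or `interest-cohort=(self)` does not opt the site out; only the empty allowlist does, which is why the check looks at the parsed policy rather than merely for the presence of the feature name.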

[…]

Source: WordPress may automatically disable Google FLoC on websites

Let’s hope they implement this, but if not, then at least we know how to implement it ourselves.

Snapchat suit defines free speech – US school decides it can hold an iron grip on its students’ comms any time, any place

At the center of the case is Brandi Levy, who in ninth grade let loose on the platform after learning she didn’t make the varsity cheerleading squad. Compared to the sort of stuff teens get caught pulling on social media now, Levy’s Snap was relatively benign: just a photo of her and a friend flipping off the camera, overlaid with the caption “fuck school fuck softball fuck cheer fuck everything.”

But instead of vanishing into the Snapchat ether, it wound up in the hands of one of the school’s two cheerleading coaches after her daughter saw it on her timeline. Levy ended up being suspended from her school’s junior varsity team for the year, which then led to her family suing the school district. Their argument at the time was that these messages—vulgar as they were—were sent on the weekend, and well outside of Levy’s campus.

It turns out the Third Circuit agreed. This past summer, a federal appeals court ruled that the school’s attempt to control Levy’s off-campus speech constituted a First Amendment violation. The school, in its defense, argued that Levy waived her free speech rights by agreeing to certain cheerleading squad rules, like “[avoiding] foul language and inappropriate gestures,” and having “respect” for “coaches [and] teachers.”

The courts didn’t see it that way. “[These rules] would not cover a weekend post to Snapchat unconnected with any game or school event and before the cheerleading season had even begun,” wrote one of the judges overseeing the case. “It is hard to believe a reasonable student would understand that by agreeing to [them], she was waiving all rights to malign the school once safely off-campus and in the world at large.”

At the core of this ruling is a 1969 case—Tinker v. Des Moines—that centered on an Iowa public school that suspended five students who wore armbands to protest the Vietnam war. The students (and their parents) filed suit against the school, and their case ended up in front of the Supreme Court. In a landmark decision, the court sided with the students, on the grounds that they don’t “shed their constitutional rights at the schoolhouse gate.”

The school district fired back that the 52-year-old ruling doesn’t apply to Levy’s case. Back then, the school argued, the lines between “on” and “off” campus were clearly delineated—but those lines are becoming more blurred by the day, particularly when remote learning became the national norm.

Appealing to the Supreme Court last month, the district wrote that the advent of social media makes it “far easier for students’ off-campus messages to instantly reach a wide audience of classmates and dominate the on-campus environment.”

Source: A Single Snapchat Might Change the Way We Define Free Speech

The best thing: she didn’t make it to the cheerleading team and the team is saying that the student should still abide by their rules. America: this is why people don’t like you.

The Postal Service is running a ‘covert operations program’ that monitors Americans’ social media posts

The law enforcement arm of the U.S. Postal Service has been quietly running a program that tracks and collects Americans’ social media posts, including those about planned protests, according to a document obtained by Yahoo News.

The details of the surveillance effort, known as iCOP, or Internet Covert Operations Program, have not previously been made public. The work involves having analysts trawl through social media sites to look for what the document describes as “inflammatory” postings and then sharing that information across government agencies.

[…]

The government’s monitoring of Americans’ social media is the subject of ongoing debate inside and outside government, particularly in recent months, following a rise in domestic unrest. While posts on platforms such as Facebook and Parler have allowed law enforcement to track down and arrest rioters who assaulted the Capitol on Jan. 6, such data collection has also sparked concerns about the government surveilling peaceful protesters or those engaged in protected First Amendment activities.

[…]

The Postal Service isn’t the only part of government expanding its monitoring of social media. In a background call with reporters last month, DHS officials spoke about that department’s involvement in monitoring social media for domestic terrorism threats. “We know that this threat is fueled mainly by false narratives, conspiracy theories and extremist rhetoric read through social media and other online platforms,” one of the officials said. “And that’s why we’re kicking off engagement directly with social media companies.”

[…]

Source: The Postal Service is running a ‘covert operations program’ that monitors Americans’ social media posts

Internet Privacy in the Age of Surveillance – China, Russia, Nork vs USA + GB

Pew Research Center reports that “91% of adults agree or strongly agree that consumers have lost control of how personal information is collected.”

That incredibly high statistic must describe victims under authoritarian governments like China, Russia, or North Korea, right?

Wrong.

That study was about US citizens. You know, the land of the free.

91%: that’s the percentage of adults living in the US who agree that consumers have lost control of how personal information is collected and used by companies.

The sad truth is that governments of every shape and size are ramping up mass surveillance with little-to-no objection.

We live on the internet. But does that interconnection work in their favor, providing more opportunities to pierce our online privacy?

The simplest way to settle that score is to compare how the espionage efforts of the United States and their allies compare to other oppressive regimes.

[…]

Source: Internet Privacy in the Age of Surveillance | CyberGhostVPN Privacy Hub – Latest Privacy and Security News

Well, the US and the UK don’t come out favorably.

Microsoft removes 47% of right to be forgotten requests – some countries are trolling the requests heavily

Country / Region | Requests received and processed | URLs requested | URLs accepted | URLs rejected | Percentage of URLs accepted
Austria | 45 | 103 | 67 | 36 | 65%
Belgium | 49 | 421 | 105 | 316 | 25%
Bulgaria | 4 | 10 | 8 | 2 | 80%
Croatia | 3 | 8 | 4 | 4 | 50%
Cyprus | 2 | 2 | 0 | 2 | 0%
Czech Republic | 12 | 20 | 13 | 7 | 65%
Denmark | 24 | 33 | 19 | 14 | 58%
Estonia | 8 | 49 | 33 | 16 | 67%
Finland | 32 | 112 | 42 | 70 | 38%
France | 895 | 2,495 | 1,065 | 1,426 | 43%
Germany | 460 | 1,705 | 897 | 807 | 53%
Greece | 5 | 43 | 0 | 43 | 0%
Hungary | 2 | 3 | 3 | 0 | 100%
Ireland | 28 | 126 | 85 | 41 | 67%
Italy | 178 | 625 | 417 | 208 | 67%
Latvia | 13 | 32 | 16 | 16 | 50%
Lithuania | 2 | 2 | 1 | 1 | 50%
Luxembourg | 2 | 5 | 1 | 4 | 20%
Malta | 2 | 3 | 1 | 2 | 33%
Netherlands | 152 | 854 | 596 | 257 | 70%
Norway | 24 | 50 | 22 | 28 | 44%
Poland | 19 | 172 | 116 | 56 | 67%
Portugal | 4 | 20 | 10 | 10 | 50%
Romania | 7 | 62 | 28 | 34 | 45%
Russia | 23 | 33 | 17 | 16 | 52%
Slovakia | 1 | 2 | 2 | 0 | 100%
Slovenia | 8 | 13 | 8 | 5 | 62%
Spain | 143 | 383 | 134 | 242 | 35%
Sweden | 113 | 315 | 126 | 189 | 40%
Switzerland | 68 | 273 | 153 | 120 | 56%
United Kingdom | 539 | 2,306 | 1,256 | 1,026 | 54%
Total | 2,867 | 10,280 | 5,245 | 4,998 | 51%

Note: This table shows the number of URLs that were accepted and rejected for European and Russian requests received between July 1 and December 31, 2020 that were processed as of February 15, 2021. The number of URLs accepted and rejected may not reflect requests still pending review as of February 15, 2021. For example, processing delays may result if more information is needed to complete the review on a request.

Cumulative “Right to be forgotten” requests, May 2014 – December 2020

Country / Region | Requests received and processed | URLs requested | URLs accepted | URLs rejected | Percentage of URLs accepted
Total | 41,613 | 133,972 | 62,373 | 71,562 | 47%

Note: This table shows the number of URLs that were accepted and rejected for European and Russian requests received between May 2014 and December 31, 2020 that were processed as of February 15, 2021. The number of URLs accepted and rejected may not reflect requests still pending review as of February 15, 2021. For example, processing delays may result if more information is needed to complete the review on a request.

Source: Content Removal Request Report | Microsoft CSR

In some countries apparently it is normal for a single request to make sweeping right to be forgotten deletion requests.

Microsoft received almost 25,000 requests for consumer data from law enforcement over the last six months

Microsoft has had a busy six months if its latest biannual digital trust report is anything to go by as law enforcement agencies crept closer to making 25,000 legal requests.

Requests for consumer data reached 24,798 during the second half of 2020, up from 24,093 during the previous six-month period, and quite a jump from the 21,781 for the same period in 2019.

“Non-content data” requests, which require a subpoena (or local equivalent), accounted for just over half of disclosures and were slightly down on the same period in 2019. Microsoft rejected 25.81 per cent of requests in the last six months of 2020, up on the 20.14 per cent of the same period in 2019.

As for where those requests came from, Microsoft highlighted a handful of countries including Brazil, France, Germany, the United Kingdom, and the United States. The US was the worst offender (going by quantity of requests) accounting for 5,682 (up from 4,315 for same period in 2019). Germany was not far behind with 4,976 (up from 3,310) while the UK submitted 3,558 requests (a small increase from 3,312 for the same period in 2019).

As well as consumer data, Microsoft received 109 requests from law enforcement agencies for enterprise cloud customer data in the second half of 2020. It was unable to bat back 40, where the company was “compelled” to provide some information. “19 cases,” it said, “required the disclosure of some customer content, and in 21 of the cases we were compelled to disclose non-content information only.”

Still, while that 25,000 figure may seem a little worrying, it is considerably less than the first sets of figures made available by Microsoft. For the latter half of 2013 the total requests were above 35,000.

Away from the criminal side of things, Microsoft also received a comparatively small number of emergency and civil legal requests. Of the latter, it rejected just over 75 per cent in the latter half of 2020.

The report makes for fascinating reading and, while the company is to be applauded for publishing it, the accompanying Privacy Report is an occasionally grim reminder of just how much information Microsoft can slurp from users. Particularly if the customer concerned decides to be helpful and check that Optional diagnostic data box.

[…]

Source: Microsoft received almost 25,000 requests for consumer data from law enforcement over the last six months • The Register

FLoC, The Ad-Targeting Tech Google Plans To Drop On Us All might be using you as a test subject to spy on closely in Chrome

About two weeks ago, millions of Google Chrome users were signed up for an experiment they never agreed to be a part of. Google had just launched a test run for Federated Learning of Cohorts—or FLoC–a new kind of ad-targeting tech meant to be less invasive than the average cookie. In a blog post announcing the trial, the company noted that it would only impact a “small percentage” of random users across ten different countries, including the US, Mexico, and Canada, with plans to expand globally as the trials run on.

These users probably won’t notice anything different when they click around on Chrome, but behind the scenes, that browser is quietly keeping a close eye on every site they visit and ad they click on. These users will have their browsing habits profiled and packaged up, and shared with countless advertisers for profit. Sometime this month, Chrome will give users an option to opt-out of this experiment, according to Google’s blog post—but as of right now, their only option is to block all third-party cookies in the browser.

That is if they even know that these tests are happening in the first place. While I’ve written my fair share about FLoC up until this point, the loudest voices I’ve seen pipe up on the topic are either marketing nerds, policy nerds, or policy nerds that work in marketing. This might be due to the fact that—aside from a few blog posts here or there—the only breadcrumbs Google’s given to people looking to learn more about FLoC are inscrutable pages of code, an inscrutable GitHub repo, and inscrutable mailing lists. Even if Google bothered asking for consent before enrolling a random sample of its Chrome user base into this trial, there’s a good chance they wouldn’t know what they were consenting to.

(For the record, you can check whether you’ve been opted into this initial test using this handy tool from the Electronic Frontier Foundation.)

[…]

The trackers that FLoC is meant to replace are known as “third-party cookies.” We have a pretty in-depth guide to the way this sort of tech works, but in a nutshell: these are snippets of code from adtech companies that websites can bake into the code underpinning their pages. Those bits of code monitor your on-site behavior—and sometimes other personal details—before the adtech org behind that cookie beams that data back to its own servers.

[…]

The catch is that Google still has all that juicy user-level data because it controls Chrome. They’re also still free to keep doing what they’ve always been doing with that data: sharing it with federal agencies, accidentally leaking it, and, y’know, just being Google.

[…]

“Isn’t that kind of… anti-competitive?”

It depends on who you ask. Competition authorities in the UK certainly think so, as do trade groups here in the US. It’s also been wrapped up into a Congressional probe, at least one class action, and a massive multi-state antitrust case spearheaded by Texas Attorney General Ken Paxton. Their qualms with FLoC are pretty easy to understand. Google already controls about 30% of the digital ad market in the US, just slightly more than Facebook—the other half of the so-called Duopoly—that controls 25% (for context, Microsoft controls about 4%).

While that dominance has netted Google billions upon billions of dollars per year, it’s recently netted multiple mounting antitrust investigations against the company, too. And those investigations have pretty universally painted a picture of Google as a blatant autocrat of the ad-based economy, and one that largely got away with abhorrent behavior because smaller rivals were too afraid—or unable—to speak up. This is why many of them are speaking up about FLoC now.

“But at least it’s good for privacy, right?”

Again, it depends who you ask! Google thinks so, but the EFF sure doesn’t. In March, the EFF put out a detailed piece breaking down some of the biggest gaps in FLoC’s privacy promises. If a particular website prompts you to give up some sort of first-party data—by having you sign up with your email or phone number, for example—your FLoC identifier isn’t really anonymous anymore.

Aside from that hiccup, the EFF points out that your FLoC cohort follows you everywhere you go across the web. This isn’t a big deal if my cohort is just “people who like to reupholster furniture,” but it gets really dicey if that cohort happens to inadvertently mold itself around a person’s mental health disorder or their sexuality based on the sites that person browses. While Google has pledged to keep FLoC from creating cohorts based on these sorts of “sensitive categories,” the EFF again pointed out that Google’s approach was riddled with holes.

[…]

Source: What You Need To Know About FLoC, The Ad-Targeting Tech Google Plans To Drop On Us All

Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers

A database containing the phone numbers of more than half a billion Facebook users is being freely traded online, and Facebook is trying to pin the blame on everyone but themselves.

A blog post titled “The Facts on News Reports About Facebook Data,” published Tuesday evening, is designed to silence the growing criticism the company is facing for failing to protect the phone numbers and other personal information of 533 million users after a database containing that information was shared for free in low level hacking forums over the weekend, as first reported by Business Insider.

Facebook initially dismissed the reports as irrelevant, claiming the data was leaked years ago and so the fact it had all been collected into one uber database containing one in every 15 people on the planet—and was now being given away for free—didn’t really matter.

[…]

But, instead of owning up to its latest failure to protect user data, Facebook is pulling from a familiar playbook: just like it did during the Cambridge Analytica scandal in 2018, it’s attempting to reframe the security failure as merely a breach of its terms of service.

So instead of apologizing for failing to keep users’ data secure, Facebook’s product management director Mike Clark began his blog post by making a semantic point about how the data was leaked.

“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote.

This is the identical excuse given in 2018, when it was revealed that Facebook had given Cambridge Analytica the data of 87 million users without their permission, for use in political ads.

Clark goes on to explain that the people who collected this data—sorry, “scraped” this data—did so by using a feature designed to help new users find their friends on the platform.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” Clark explains.

The contact importer feature allowed new users to upload their contact lists and match those numbers against the numbers stored on people’s profiles. But like most of Facebook’s best features, the company left it wide open to abuse by hackers.

“Effectively, the attacker created an address book with every phone number on the planet and then asked Facebook if his ‘friends’ are on Facebook,” security expert Mikko Hypponen explained in a tweet.

Clark’s blog post doesn’t say when the “scraping” took place or how many times the vulnerability was exploited, just that Facebook fixed the issue in August 2019. Clark also failed to mention that Facebook was informed of this vulnerability way back in 2017, when Inti De Ceukelaire, an ethical hacker from Belgium, disclosed the problem to the company.
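The weakness Hypponen describes is that a contact importer answers membership questions for any list it is handed, so a list that covers the whole number space turns it into a bulk lookup. The guard below is an added example, not Facebook's code, showing the kind of server-side check a service can put in front of such a feature: it caps the batch size and measures how much of an uploaded list consists of long runs of adjacent numbers, which real address books almost never contain. The thresholds and the sample contact lists are constructed assumptions for the example.

```python
"""Server-side guard for a contact-importer endpoint (added example).

A genuine address book is a sparse, scattered set of numbers. A list built
to enumerate the number space is dense: most of its entries sit in long runs
of consecutive values. Scoring a batch on that property, plus a hard size
cap, lets the service refuse enumeration-shaped uploads before answering
any "is this number a member?" question.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Illustrative policy limits; a real deployment would tune these and
# combine them with per-account rate limiting.
MAX_CONTACTS_PER_UPLOAD = 5_000
MIN_SUSPICIOUS_RUN = 20        # adjacent numbers in a row before a run counts
MAX_RUN_FRACTION = 0.5         # share of the batch allowed inside such runs


@dataclass
class ImportVerdict:
    allowed: bool
    reason: str
    run_fraction: float        # fraction of numbers that sit in long runs


def normalize(number: str) -> Optional[int]:
    """Reduce a phone number to its digits; reject lengths outside E.164 bounds."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return int(digits) if 7 <= len(digits) <= 15 else None


def count_in_long_runs(sorted_nums: List[int]) -> int:
    """Count numbers belonging to runs of >= MIN_SUSPICIOUS_RUN consecutive values."""
    in_runs, run = 0, 1
    for prev, cur in zip(sorted_nums, sorted_nums[1:]):
        if cur == prev + 1:
            run += 1
        else:
            if run >= MIN_SUSPICIOUS_RUN:
                in_runs += run
            run = 1
    if run >= MIN_SUSPICIOUS_RUN:
        in_runs += run
    return in_runs


def assess_contact_import(contacts: Iterable[str]) -> ImportVerdict:
    """Decide whether an uploaded contact list may be matched against user numbers."""
    nums = sorted({n for n in (normalize(c) for c in contacts) if n is not None})
    if not nums:
        return ImportVerdict(True, "empty", 0.0)
    fraction = count_in_long_runs(nums) / len(nums)
    if len(nums) > MAX_CONTACTS_PER_UPLOAD:
        return ImportVerdict(False, "too many contacts", fraction)
    if fraction > MAX_RUN_FRACTION:
        return ImportVerdict(False, "sequential numbers", fraction)
    return ImportVerdict(True, "ok", fraction)


# Constructed sample inputs, not real contact data.
REAL_LOOKING_BOOK = [
    "+31 6 1234 5678", "+1 (415) 555-0100", "+44 20 7946 0958",
    "+49 30 1234567", "+33 1 23 45 67 89", "+1 212 555 0199",
    "+31 20 123 4567", "+61 2 5550 1234", "+81 3 1234 5678", "+1 650 555 0123",
]
ENUMERATION_BATCH = [f"+3161{i:07d}" for i in range(1000)]   # 1000 adjacent numbers

if __name__ == "__main__":
    print(assess_contact_import(REAL_LOOKING_BOOK))    # allowed, reason 'ok'
    print(assess_contact_import(ENUMERATION_BATCH))    # blocked, 'sequential numbers'
```

The run-fraction score deliberately ignores how the numbers are formatted, so spacing, country-code prefixes and punctuation make no difference; only the numeric adjacency of the set matters. The size cap alone is not enough, since an enumeration can be split into many small uploads, which is why a real deployment pairs this with a per-account rate limit on lookups.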

And, the company hasn’t explained why a number of users who have deleted their accounts long before 2018 have seen their phone numbers turn up in this database.

[…]

“While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly,” Clark wrote.

“In this case, updating the ‘How People Find and Contact You’ control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.”

It’s an audacious move for a company worth over $300 billion, with $61 billion cash on hand, to ask its users to secure their own information, especially considering how byzantine and complex the company’s settings menus can be.

Thankfully for the half a billion Facebook users who’ve been impacted by the breach, there’s a more practical way to get help. Troy Hunt, a cyber security consultant and founder of Have I Been Pwned has uploaded the entire leaked database to his website that allows anyone to check whether their phone number is listed in the leaked database.

[…]


Source: Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers

Google illegally tracking Android users, according to new complaint by Max Schrems

Austrian privacy activist Max Schrems has filed a complaint against Google in France alleging that the US tech giant is illegally tracking users on Android phones without their consent.

Android phones generate unique advertising codes, similar to Apple’s Identifier for Advertisers (IDFA), that allow Google and third parties to track users’ browsing behavior in order to better target them with advertising.

In a complaint filed on Wednesday, Schrems’ campaign group Noyb argued that in creating and storing these codes without first obtaining explicit permission from users, Google was engaging in “illegal operations” that violate EU privacy laws.

Noyb urged France’s data privacy regulator to launch a probe into Google’s tracking practices and to force the company to comply with privacy rules. It argued that fines should be imposed on the tech giant if the watchdog finds evidence of wrongdoing.

“Through these hidden identifiers on your phone, Google and third parties can track users without their consent,” said Stefano Rossetti, privacy lawyer at Noyb. “It is like having powder on your hands and feet, leaving a trace of everything you do on your phone—from whether you swiped right or left to the song you downloaded.”

[…]

Last year, Schrems won a landmark case at Europe’s highest court that ruled a transatlantic agreement on transferring data between the bloc and the US used by thousands of corporations did not protect EU citizens’ privacy.

Source: Google illegally tracking Android users, according to new complaint | Ars Technica

Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard – no, they haven’t thought of security and privacy

In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals.

“When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm,” explains Francesco Restuccia, assistant professor of electrical and computer engineering at Northeastern University, in a paper summarizing the state of the Wi-Fi Sensing project (SENS) currently being developed by the Institute of Electrical and Electronics Engineers (IEEE).

SENS is envisioned as a way for devices capable of sending and receiving wireless data to use Wi-Fi signal interference differences to measure the range, velocity, direction, motion, presence, and proximity of people and objects.

It may come as no surprise that the security and privacy considerations of Wi-Fi-based sensing have not received much attention.

As Restuccia warns in his paper, “As yet, research and development efforts have been focused on improving the classification accuracy of the phenomena being monitored, with little regard to S&P [security and privacy] issues. While this could be acceptable from a research perspective, we point out that to allow widespread adoption of 802.11bf, ordinary people need to trust its underlying technologies. Therefore, S&P guarantees must be provided to the end users.”

[…]

“Indeed, it has been shown that SENS-based classifiers can infer privacy-critical information such as keyboard typing, gesture recognition and activity tracking,” Restuccia explains. “Given the broadcast nature of the wireless channel, a malicious eavesdropper could easily ‘listen’ to CSI [Channel State Information] reports and track the user’s activity without authorization.”

And worse still, he argues, such tracking can be done surreptitiously because Wi-Fi signals can penetrate walls, don’t require light, and don’t offer any visible indicator of their presence.

Restuccia suggests there needs to be a way to opt-out of SENS-based surveillance; a more privacy-friendly stance would be to opt-in, but there’s not much precedent for seeking permission in the technology industry.

[…]

Source: Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard • The Register