At least one server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of accounts of both parents and children.

The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.

Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn’t require parents to obtain the consent of their children.

But the Los Angeles, Calif.-based company left its servers, hosted on Amazon’s cloud, unprotected and accessible by anyone without a password.

Source: Teen phone monitoring app leaked thousands of user passwords | ZDNet

Which basically means that other than nasty parents spying in on their children, anyone else was doing so also.

LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.

Source: Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site — Krebs on Security

Scarily this means it can still be used to track anyone if you’re willing to pay for the service.

As face recognition in public places becomes more commonplace, Big Brother Watch is especially concerned with false identification. In May, South Wales Police revealed that its face-recognition software had erroneously flagged thousands of attendees of a soccer game as a match for criminals; 92 percent of the matches were wrong. In a statement to the BBC, Matt Jukes, the chief constable in South Wales, said “we need to use technology when we’ve got tens of thousands of people in those crowds to protect everybody, and we are getting some great results from that.”

If someone is misidentified as a criminal or flagged, police may engage and ask for further identification. Big Brother Watch argues that this amounts to “hidden identity checks” that require people to “prove their identity and thus their innocence.” 110 people were stopped at the event after being flagged, leading to 15 arrests.

Simply walking through a crowd could lead to an identity check, but it doesn’t end there. South Wales reported more than 2,400 “matches” between May 2017 and March 2018, but ultimately made only 15 connecting arrests. The thousands of photos taken, however, are still stored in the system, with the overwhelming majority of people having no idea they even had their photo taken.

Source: UK Watchdog Calls for Face Recognition Ban Over 90 Percent False-Positive Rate

Facebook’s apology-and-explanation machine grinds on, with The Social Network™ posting detail on one of its most controversial activities – how it tracks people who don’t use Facebook.

The company explained that the post is a partial response to questions CEO Mark Zuckerberg was unable to answer during his senate and Congressional hearings.

It’s no real surprise that someone using their Facebook Login to sign in to other sites is tracked, but the post by product management director David Baser goes into (a little) detail on other tracking activities – some of which have been known to the outside world for some time, occasionally denied by Facebook, and apparently mysteries only to Zuck.

When non-Facebook sites add a “Like” button (a social plugin, in Baser’s terminology), visitors to those sites are tracked: Facebook gets their IP address, browser and OS fingerprint, and visited site.

If that sounds a bit like the datr cookie dating from 2011, you wouldn’t be far wrong.

Facebook denied non-user tracking until 2015, at which time it emphasised that it was only gathering non-users’ interactions with Facebook users. That explanation didn’t satisfy everyone, which was why The Social Network™ was told to quit tracking Belgians who haven’t signed on earlier this year.

Source: Facebook admits it does track non-users, for their own good • The Register

Plenty of people have voluntarily uploaded their DNA to GEDmatch and other databases, often with real names and contact information. It’s what you do if you’re an adopted kid looking for a long-lost parent, or a genealogy buff curious about whether you have any cousins still living in the old country. GEDmatch requires that you make your DNA data public if you want to use their comparison tools, although you don’t have to attach your real name. And they’re not the only database that has helped law enforcement track people down without their knowledge.

How DNA Databases Help Track People Down

We don’t know exactly what samples or databases were used in the Golden State Killer’s case; the Sacramento County District Attorney’s office gave very little information and hasn’t confirmed any further details. But here are some things that are possible.

Y chromosome data can lead to a good guess at an unknown person’s last name.

Cis men typically have an X and a Y chromosome, and cis women two X’s. That means the Y chromosome is passed down from genetic males to their offspring—for example, from father to son. Since last names are also often handed down the same way, in many families you’ll share a surname with anybody who shares your Y chromosome.

A 2013 Science paper described how a small amount of Y chromosome data should be enough to identify surnames for an estimated 12 percent of white males in the US. (That method would find the wrong surname for 5 percent, and the rest would come back as unknown.) As more people upload their information to public databases, the authors warned, the success rate will only increase.

This is exactly the technique that genealogical consultant Colleen Fitzpatrick used to narrow down a pool of suspects in an Arizona cold case. She seems to have used short tandem repeat (STR) data from the suspect’s Y chromosome to search the Family Tree DNA database, and she saw the name Miller in the results.

The police already had a long list of suspects in the Arizona case, but based on that tip they zeroed in on one with the last name Miller. As with the Golden State Killer case, police confirmed the DNA match by obtaining a fresh DNA sample directly from their subject—the Sacramento office said they got it from something he discarded. (Yes, this is legal, and it can be an item as ordinary as a used drinking straw.)

The authors of the Science paper point out that surname, location, and year of birth are often enough to find an individual in census data.

 SNP files can find family trees.

When you download your “raw data” after mailing in a 23andme or Ancestry test, what you get is a list of locations on your genome (called SNPs, for single nucleotide polymorphisms) and two letters indicating your status for each. For example, at a certain SNP you may have inherited an A from one parent and a G from the other.

Genetic testing sites will have tools to compare your DNA with others in their database, but you can also download your raw data and submit it to other sites, including GEDmatch or Family Tree DNA. (23andme and Ancestry allow you to download your data, but they don’t accept uploads.)

But you don’t have to send a spit sample to one of those companies to get a raw data file. The DNA Doe project describes how they sequenced the whole genome of an unidentified girl from a cold case and used that data to construct a SNP file to upload to GEDmatch. They found someone with enough of the same SNPs that they were probably a close cousin. That cousin also had an account at Ancestry, where they had filled out a family tree with details of their family members. The tree included an entry for a cousin of the same age as the unidentified girl, and whose death date was listed as “missing—presumed dead.” It was her.

Your DNA Is Not Just Yours

When you send in a spit sample, or upload a raw data file, you may only be thinking about your own privacy. I have nothing to hide, you might tell yourself. Who cares if somebody finds out that I have blue eyes or a predisposition to heart disease?

But half of your DNA belongs to your biological mother, and half to your biological father. Another half—cut a different way—belongs to each of your children. On average, you share half your DNA with a sibling, and a quarter with a half-sibling, grandparent, aunt, uncle, niece or nephew. You share about an eighth with a first cousin, and so on. The more of your extended family who are into genealogy, the more likely you are to have your DNA in a public database, already contributed by a relative.

In the cases we mention here, the breakthrough came when DNA was matched, through a public database, to a person’s real name. But your DNA is, in a sense, your most identifying information.

For some cases, it may not matter whether your name is attached. Facebook reportedly spoke with a hospital about exchanging anonymized data. They didn’t need names because they had enough information, and good enough algorithms, that they thought they could identify individuals based on everything else. (Facebook doesn’t currently collect DNA information, thank god. There is a public DNA project that signs people up using a Facebook app, but they say they don’t pass the data to Facebook itself.)

And remember that 2013 study about tracking down people’s surnames? They grabbed whole-genome data from a few high-profile people who had made theirs public, and showed that the DNA files were sometimes enough information to track down an individual’s full name. It may be impossible for DNA to be totally anonymous.

Can You Protect Your Privacy While Using DNA Databases?

If you’re very concerned about privacy, you’re best off not using any of these databases. But you can’t control whether your relatives use them, and you may be looking for a long-lost family member and thus want to be in a database while minimizing the risks.

Source: The Golden State Killer Suspect’s DNA Was in a Publicly Available Database, and Yours Might Be Too

Chinese authorities revealed over the weekend that they have the capability of retrieving deleted messages from the almost universally used WeChat app. The admission doesn’t come as a surprise to many, but it’s rare for this type of questionable data collection tactic to be acknowledged publicly.As noted by the South China Morning Post, an anti-corruption commission in Hefei province posted Saturday to social media that it has “retrieved a series of deleted WeChat conversations from a subject” as part of an investigation.The post was deleted Sunday, but not before many had seen it and understood the ramifications. Tencent, which operates the WeChat service used by nearly a billion people (including myself), explained in a statement that “WeChat does not store any chat histories — they are only stored on users’ phones and computers.”The technical details of this storage were not disclosed, but it seems clear from the commission’s post that they are accessible in some way to interested authorities, as many have suspected for years. The app does, of course, comply with other government requirements, such as censoring certain topics.There are still plenty of questions, the answers to which would help explain user vulnerability: Are messages effectively encrypted at rest? Does retrieval require the user’s password and login, or can it be forced with a “master key” or backdoor? Can users permanently and totally delete messages on the WeChat platform at all?

Source: Chinese government admits collection of deleted WeChat messages | TechCrunch

The Whois public database of domain name registration details is dead.

In a letter [PDF] sent this week to DNS overseer ICANN, Europe’s data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.

The letter also has harsh words for ICANN’s proposed interim solution, criticizing its vagueness and noting it needs to include explicit wording about what can be done with registrant data, as well as introduce auditing and compliance functions to make sure the data isn’t being abused.

ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.

ICANN has already acknowledged it has no chance of doing so: a blog post by the company in response to the letter warns that without being granted a special temporary exemption from the law, the system will fracture.

“Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain Whois,” it warns. “Without resolution of these issues, the Whois system will become fragmented.”

We spoke with the president of ICANN’s Global Domains Division, Akram Atallah, and he told us that while there was “general agreement that having every thing public is not the right way to go”, he was hopeful that the letter would not result in the Whois service being turned off completely while a replacement was developed.

Source: Whois is dead as Europe hands DNS overlord ICANN its arse • The Register

It’s an important and useful tool – hopefully they will resolve this one way or another.

In 2004, one of the world’s most popular social networks, Orkut, was founded by a former Google employee named Orkut Büyükkökten. Later that year, a Harvard University student named Mark Zuckerberg launched ‘the Facebook’, which over the course of a year became ubiquitous in Ivy League universities and was eventually called Facebook.com.

Orkut was shut down by Google in 2014, but in its heyday, the network had hit 300 million users around the world. Facebook took five years to achieve that feat. At a time when the #DeleteFacebook movement is gaining traction worldwide in light of the Cambridge Analytica scandal, Orkut has made a comeback

“Hello.com is a spiritual successor of Orkut.com,” Büyükkökten told BloombergQuint. “The most important thing about Orkut was communities, because they brought people together around topics and things that interested them and provided a safe place for people to exchange ideas and share genuine passions and feelings. We have built the entire ‘Hello’ experience around communities and passions and see it as Orkut 2.0.”

Orkut has decided to make a comeback when Mark Zuckerberg, founder and CEO of Facebook, has been questioned by U.S. congressmen and senators about its policies and data collection and usage practices. That came after the Cambridge Analytica data leak which impacted nearly 87 million users, including Zuckerberg himself.

“People have lost trust in social networks and the main reason is social media services today don’t put the users first. They put advertisers, brands, third parties, shareholders before the users,” Büyükkökten said. “They are also not transparent about practices. The privacy policy and terms of services are more like black boxes. How many users actually read them?”

Büyükkökten said users need to be educated about these things and user consent is imperative in such situations when data is shared by such platforms. “On Hello, we do not share data with third parties. We have our own registration and login and so the data doesn’t follow you anywhere,”he said. “You don’t need to sell user data in order to be profitable or make money.”

Source: Orkut Hello: The Man Behind Orkut Says His ‘Hello’ Platform Doesn’t Sell User Data – Bloomberg Quint

I am very curious what his business model is then

Facebook has admitted that some apps had access to users’ private messages, thanks to a policy that allowed devs to request mailbox permissions.

The revelation came as current Facebook users found out whether they or their friends had used the “This Is Your Digital Life” app that allowed academic Aleksandr Kogan to collect data on users and their friends.

Users whose friends had been suckered in by the quiz were told that as a result, their public profile, Page likes, birthday and current city were “likely shared” with the app.

So far, so expected. But, the notification went on:

A small number of people who logged into “This Is Your Digital Life” also shared their own News Feed, timeline, posts and messages which may have included post and messages from you. They may also have shared your hometown.

That’s because, back in 2014 when the app was in use, developers using Facebook’s Graph API to get data off the platform could ask for read_mailbox permission, allowing them access to a person’s inbox.

That was just one of a series of extended permissions granted to devs under v1.0 of the Graph API, which was first introduced in 2010.

Following pressure from privacy activists – but much to the disappointment of developers – Facebook shut that tap off for most permissions in April 2015, although the changelog shows that read_mailbox wasn’t deprecated until 6 October 2015.

Facebook confirmed to The Register that this access had been requested by the app and that a small number of people had granted it permission.

“In 2014, Facebook’s platform policy allowed developers to request mailbox permissions but only if the person explicitly gave consent for this to happen,” a spokesborg told us.

“According to our records only a very small number of people explicitly opted into sharing this information. The feature was turned off in 2015.”

Source: Facebook admits: Apps were given users’ permission to go into their inboxes • The Register

Facebook launched a tool yesterday that you can use to find out whether you or your friends shared information with Cambridge Analytica, the Trump-affiliated company that harvested data from a Facebook app to support the then-candidate’s efforts in the 2016 presidential election.

If you were affected directly—and you have plenty of company, if so—you should have already received a little notification from Facebook. If you missed that in your News Feed (or you’ve already sworn off Facebook, but want to check and see if your information was compromised), Facebook also has a handy little Cambridge Analytica tool you can use.

The problem? While the tool can tell you if you or your friends shared your information via the spammy “This is Your Digital Life” app, it won’t tell you who among your friends was foolish enough to give up your information to a third party. You have lost your ability to publicly shame them, yell at them, or go over to where they live (or fire up a remote desktop session) to teach them how to … not do that ever again.

So, what can you do now?

Even though your past Facebook data might already be out there in the digital ether somewhere, you can now start locking down your information a bit more. Once you’re done checking the Cambridge Analytica tool, go here (Facebook’s Settings page). Click on Apps and Websites. Up until recently, Facebook had a setting (under “Apps Others Use”) that you could use to restrict the information that your friends could share about you to apps they were using. Now, you’ll see this message instead:

“These outdated settings have been removed because they applied to an older version of our platform that no longer exists.

To see or change the info you currently share with apps and websites, review the ones listed above, under ‘Logged in with Facebook.’”

Sounds ominous, right? Well, according to Facebook, these settings haven’t really done much of anything for years, anyway. As a Facebook spokesperson recently told Wired:

“These controls were built before we made significant changes to how developers build apps on Facebook. At the time, the Apps Others Use functionality allowed people to control what information could be shared to developers. We changed our systems years ago so that people could not share friends’ information with developers unless each friend also had explicitly granted permission to the developer.”

Instead, take a little time to review (again) the apps you’ve allowed to access your Facebook information. If you’re not using the app anymore, or if it sounds a little fishy, remove it—heck, remove as many apps as you can in one go.

Source: How to Check if Cambridge Analytica Had Your Facebook Data

Facebook is suspending a data analytics firm called CubeYou from the platform after CNBC notified the company that CubeYou was collecting information about users through quizzes.

CubeYou misleadingly labeled its quizzes “for non-profit academic research,” then shared user information with marketers. The scenario is eerily similar to how Cambridge Analytica received unauthorized access to data from as many as 87 million Facebook user accounts to target political marketing.

CubeYou, whose CEO denies any deception, sold data that had been collected by researchers working with the Psychometrics Lab at Cambridge University, similar to how Cambridge Analytica used information it obtained from other professors at the school for political marketing.

The CubeYou discovery suggests that collecting data from quizzes and using it for marketing purposes was far from an isolated incident. Moreover, the fact that CubeYou was able to mislabel the purpose of the quizzes — and that Facebook did nothing to stop it until CNBC pointed out the problem — suggests the platform has little control over this activity.

[…]

CubeYou boasts on its website that it uses census data and various web and social apps on Facebook and Twitter to collect personal information. CubeYou then contracts with advertising agencies that want to target certain types of Facebook users for ad campaigns.

CubeYou’s site says it has access to personally identifiable information (PII) such as first names, last names, emails, phone numbers, IP addresses, mobile IDs and browser fingerprints.

On a cached version of its website from March 19, it also said it keeps age, gender, location, work and education, and family and relationship information. It also has likes, follows, shares, posts, likes to posts, comments to posts, check-ins and mentions of brands/celebrities in a post. Interactions with companies are tracked back to 2012 and are updated weekly, the site said.

Source: CubeYou Cambridge-like app collected data on millions from Facebook

A website that allowed Gindr’s gay-dating app users to see who blocked them on the service says that by using the company’s API it was able to view unread messages, email addresses, deleted photos, and—perhaps most troubling—location data, according to a report published Wednesday.

The website, C*ckblocked, boasts of being the “first and only way to see who blocked you on Grindr.” The website’s owner, Trever Faden, told NBC that, by using Grindr’s API, he was able to access a wealth of personal information, including the location data of users—even for those who had opted to hide their locations.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden told NBC. But before he could access this information, Grindr users first had to supply C*ckblocked with their usernames and passwords, meaning that they voluntarily surrendered access to their accounts.

Grindr said that, once notified by Faden, it moved quickly to resolve the issue. The API that allowed C*ckblocked to function was patched on March 23rd, according to the website.

Source: Grindr’s API Surrendered Location Data to a Third-Party Website—Even After Users Opted Out

This extension helps you control more of your web activity from Facebook by isolating your identity into a separate container. This makes it harder for Facebook to track your activity on other websites via third-party cookies.

Rather than stop using a service you find valuable and miss out on those adorable photos of your nephew, we think you should have tools to limit what data others can collect about you. That includes us: Mozilla does not collect data from your use of the Facebook Container extension. We only know the number of times the extension is installed or removed.

When you install this extension it will delete your Facebook cookies and log you out of Facebook. The next time you visit Facebook it will open in a new blue-colored browser tab (aka “container tab”). In that tab you can login to Facebook and use it like you normally would. If you click on a non-Facebook link or navigate to a non-Facebook website in the URL bar, these pages will load outside of the container.

Source: Facebook Container Extension: Take control of how you’re being tracked | The Firefox Frontier

During an appearance before a committee of U.K. lawmakers today, Cambridge Analytica whistleblower Christopher Wylie breathed new life into longstanding rumors that the Facebook app listens to its users in order to target advertisements.Damian Collins, a member of parliament who chaired the committee, asked whether the Facebook app might listen to what users are discussing and use it to prioritize certain ads.

But, Wylie said in a meandering reply, it’s possible that Facebook and other smartphone apps are listening in for reasons other than speech recognition. Specifically, he said, they might be trying to ascertain what type of environment a user is in in order to “improve the contextual value of the advertising itself.”

“There’s audio that could be useful just in terms of, are you in an office environment, are you outside, are you watching TV, what are you doing right now?” Wylie said, without elaborating on how that information could help target ads.

Facebook has long denied that its app analyzes audio in order to customize ads. But users have often reported mentioning a product that they’ve never expressed an interest in online — and then being inundated with online ads for it. Reddit users, in particular, spend time collecting what they purport to be evidence that Facebook is listening to users in a particular way, such as “micro-samples” of a few seconds rather than full-on continuous natural language processing.

Source: Wylie: It’s possible that the Facebook app is listening to you | The Outline

Basically not only will they allow a huge amount of different agencies to tap your internet and phone and store it without any judicary procedures, checks or balances, they will also allow these agencies to share the data with whoever they want, including foreign agencies. Surprisingly the Dutch people voted against these far reaching breaches of privacy, so the government said they thought about it and would edit the law in six tiny places which completely miss the point and the problems people have with their privacy being destroyed.

Source: Kabinet scherpt Wet op de inlichtingen- en veiligheidsdiensten 2017 aan | Nieuwsbericht | Defensie.nl

Did you ever record a video on Facebook to post directly to your friend’s wall, only to discard the take and film a new version? You may have thought those embarrassing draft versions were deleted, but Facebook kept a copy. The company is blaming it on a “bug” and swears that it’s going to delete those discarded videos now. They pinkie promise this time.

Last week, New York’s Select All broke the story that social network was keeping the seemingly deleted old videos. The continued existence of the draft videos was discovered when several users downloaded their personal Facebook archives—and found numerous videos they never published. Today, Select All got a statement from Facebook blaming the whole thing on a “bug.” From Facebook via New York:

We investigated a report that some people were seeing their old draft videos when they accessed their information from our Download Your Information tool. We discovered a bug that prevented draft videos from being deleted. We are deleting them and apologize for the inconvenience. We appreciate New York Magazine for bringing the issue to our attention.

It was revealed last month that the data-harvesting firm (and apparent bribery consultants) Cambridge Analytica had acquired the information of about 50 million Facebook users and abused that data to help President Trump get elected. Specifically, the company was exploiting the anger of voters through highly-targeted advertising. And in the wake of the ensuing scandal, people have been learning all kinds of crazy things about Facebook.

Facebook users have been downloading some of the data that the social media behemoth keeps on them and it’s not pretty. For example, Facebook has kept detailed call logs from users with Android phones. The company says that Android users had to opt-in for the feature, but that’s a bullshit cop-out when you take a look at what the screen for “opting in” actually looks like.

Source: Facebook Blames a ‘Bug’ for Not Deleting Your Seemingly Deleted Videos

NEW DELHI — Seeking to build an identification system of unprecedented scope, India is scanning the fingerprints, eyes and faces of its 1.3 billion residents and connecting the data to everything from welfare benefits to mobile phones.

Civil libertarians are horrified, viewing the program, called Aadhaar, as Orwell’s Big Brother brought to life. To the government, it’s more like “big brother,” a term of endearment used by many Indians to address a stranger when asking for help.

For other countries, the technology could provide a model for how to track their residents. And for India’s top court, the ID system presents unique legal issues that will define what the constitutional right to privacy means in the digital age.

To Adita Jha, Aadhaar was simply a hassle. The 30-year-old environmental consultant in Delhi waited in line three times to sit in front of a computer that photographed her face, captured her fingerprints and snapped images of her irises. Three times, the data failed to upload. The fourth attempt finally worked, and she has now been added to the 1.1 billion Indians already included in the program.

[…]

The poor must scan their fingerprints at the ration shop to get their government allocations of rice. Retirees must do the same to get their pensions. Middle-school students cannot enter the water department’s annual painting contest until they submit their identification.

In some cities, newborns cannot leave the hospital until their parents sign them up. Even leprosy patients, whose illness damages their fingers and eyes, have been told they must pass fingerprint or iris scans to get their benefits.

The Modi government has also ordered Indians to link their IDs to their cellphone and bank accounts. States have added their own twists, like using the data to map where people live. Some employers use the ID for background checks on job applicants.

[…]

Although the system’s core fingerprint, iris and face database appears to have remained secure, at least 210 government websites have leaked other personal data — such as name, birth date, address, parents’ names, bank account number and Aadhaar number — for millions of Indians. Some of that data is still available with a simple Google search.

As Aadhaar has become mandatory for government benefits, parts of rural India have struggled with the internet connections necessary to make Aadhaar work. After a lifetime of manual labor, many Indians also have no readable prints, making authentication difficult. One recent study found that 20 percent of the households in Jharkand state had failed to get their food rations under Aadhaar-based verification — five times the failure rate of ration cards.

Source: ‘Big Brother’ in India Requires Fingerprint Scans for Food, Phones and Finances – The New York Times

Hookup fixer Grindr is on the defensive after it shared sensitive information, including HIV status and physical location, of its app’s users with outside organizations.

The quickie booking facilitator on Monday admitted it passed, via HTTPS, people’s public profiles to third-party analytics companies to process on its behalf. That means, yes, the information was handed over in bulk, but, hey, at least it didn’t sell it!

“Grindr has never, nor will we ever sell personally identifiable user information – especially information regarding HIV status or last test date – to third parties or advertisers,” CTO Scott Chen said in a statement.

Rather than apologize, Grindr said its punters should have known better than to give it any details they didn’t want passed around to other companies. On the one hand, the data was scraped from the application’s public profiles, so, well, maybe people ought to calm down. It was all public anyway. On the other hand, perhaps people didn’t expect it to be handed over for analysis en masse.

“It’s important to remember that Grindr is a public forum,” Chen said. “We give users the option to post information about themselves including HIV status and last test date, and we make it clear in our privacy policy that if you choose to include this information in your profile, the information will also become public.”

This statement is in response to last week’s disclosure by security researchers on the ways the Grindr app shares user information with third-party advertisers and partners. Among the information found to be passed around by Grindr was the user’s HIV status, something Grindr allows members to list in their profiles.

The HIV status, along with last test date, sexual position preference, and GPS location were among the pieces of info Grindr shared via encrypted network connections with analytics companies Localytics and Apptimize.

The revelation drew sharp criticism of Grindr, with many slamming the upstart for sharing what many consider to be highly sensitive personal information with third-parties along with GPS coordinates.

Source: Grindr: Yeah, we shared your HIV status info with other companies – but we didn’t charge them! • The Register

At this point, the social media company is just going for broke, telling the public it should just assume that “most” of the 2.2 billion Facebook users have probably had their public data scraped by “malicious actors.”

[…]

Meanwhile, reports have focused on a variety of issues that have popped up in just the last 24 hours. It’s hard to focus on what matters—and frankly, all of it seems to matter, so in turn, it ends up feeling like none of it does. This is the Trump PR playbook, and Facebook is running it perfectly. It’s the media version of too big to fail, call it too big to matter. Let us suggest that you just zero in on one detail from yesterday’s blog post about new restrictions on data access on the platform.

Mike Schroepfer, Facebook’s chief technology officer, explained that prior to yesterday, “people could enter another person’s phone number or email address into Facebook search to help find them.” This function would help you cut through all the John Smiths and locate the page of your John Smith. He gave the example of Bangladesh where the tool was used for 7 percent of all searches. Thing is, it was also useful to data-scrapers. Schroepfer wrote:

However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well.

The full meaning of that paragraph might not be readily apparent, but imagine you’re a hacker who bought a huge database of phone numbers on the dark web. Those numbers might have some use on their own, but they become way more useful for breaking into individual systems or committing fraud if you can attach more data to them. Facebook is saying that this kind of malicious actor would regularly take one of those numbers and use the platform to hunt down all publicly available data on its owner. This process, of course, could be automated and reap huge rewards with little effort. Suddenly, the hacker might have a user’s number, photos, marriage status, email address, birthday, location, pet names, and more—an excellent toolkit to do some damage.

In yesterday’s Q&A, Zuckerberg explained that Facebook did have some basic protections to prevent the sort of automation that makes this particularly convenient, but “we did see a number of folks who cycled through many thousands of IPs, hundreds of thousands of IP addresses to evade the rate-limiting system, and that wasn’t a problem we really had a solution to.” The ultimate solution was to shut the features down. As far as the impact goes, “I think the thing people should assume, given this is a feature that’s been available for a while—and a lot of people use it in the right way—but we’ve also seen some scraping, I would assume if you had that setting turned on, that someone at some point has accessed your public information in this way,” Zuckerberg said. Did you have that setting turned on? Ever? Given that Facebook says “most” accounts were affected, it’s safe to assume you did.

[…]

Mark Zuckerberg has known from the beginning that his creation was bad for privacy and security. Activists, the press, and tech experts have been saying it for years, but we the public either didn’t understand, didn’t care, or chose to ignore the warnings. That’s not totally the public’s fault. We’re only now seeing a big red example of what it means for one company, controlled by one man, to have control over seemingly limitless personal information. Even the NSA can’t keep its secret hacking tools on lockdown, why would Facebook be able to protect your information? In many respects, it was just giving it away.

Source: Facebook Just Made a Shocking Admission, and We’re All Too Exhausted to Notice

Cambridge Analytica whistleblower Christopher Wylie says the data the firm gathered from Facebook could have come from more than 87 million users and could be stored in Russia.
The number of Facebook users whose personal information was accessed by Cambridge Analytica “could be higher, absolutely,” than the 87 million users acknowledged by Facebook, Wylie told NBC’s Chuck Todd during a “Meet the Press” segment Sunday.
Wylie added that his lawyer has been contacted by US authorities, including congressional investigators and the Department of Justice, and says he plans to cooperate with them.
“We’re just setting out dates that I can actually go and sit down and meet with the authorities,” he said.
The former Cambridge Analytica employee said that “a lot of people” had access to the data and referenced a “genuine risk” that the harvested data could be stored in Russia.
“It could be stored in various parts of the world, including Russia, given the fact that the professor who was managing the data harvesting process was going back and forth between the UK and to Russia,” Wylie said.
Aleksander Kogan, a Russian data scientist who gave lectures at St. Petersburg State University, gathered Facebook data from millions of Americans. He then sold it to Cambridge Analytica, which worked with President Donald Trump’s 2016 presidential campaign.
When asked if he thought Facebook was even able to calculate the number of users affected, Wylie stressed that data can be copied once it leaves a database.
“I know that Facebook is now starting to take steps to rectify that and start to find out who had access to it and where it could have gone, but ultimately it’s not watertight to say that, you know, we can ensure that all the data is gone forever,” he said.

Source: Cambridge Analytica whistleblower: Facebook data could have come from more than 87 million users – CNNPolitics

Separate sources close to local and federal police investigations in New York and Ohio, who asked to remain anonymous as they weren’t authorized to speak on record, said it was now relatively common for fingerprints of the deceased to be depressed on the scanner of Apple iPhones, devices which have been wrapped up in increasingly powerful encryption over recent years. For instance, the technique has been used in overdose cases, said one source. In such instances, the victim’s phone could contain information leading directly to the dealer.

And it’s entirely legal for police to use the technique, even if there might be some ethical quandaries to consider. Marina Medvin, owner of Medvin Law, said that once a person is deceased, they no longer have a privacy interest in their dead body. That means they no longer have standing in court to assert privacy rights.

Relatives or other interested parties have little chance of stopping cops using fingerprints or other body parts to access smartphones too. “Once you share information with someone, you lose control over how that information is protected and used. You cannot assert your privacy rights when your friend’s phone is searched and the police see the messages that you sent to your friend. Same goes for sharing information with the deceased – after you released information to the deceased, you have lost control of privacy,” Medvin added.

Police know it too. “We do not need a search warrant to get into a victim’s phone, unless it’s shared owned,” said Ohio police homicide detective Robert Cutshall, who worked on the Artan case. In previous cases detailed by Forbes police have required warrants to use the fingerprints of the living on their iPhones.

[…]

Police are now looking at how they might use Apple’s Face ID facial recognition technology, introduced on the iPhone X. And it could provide an easier path into iPhones than Touch ID.

Marc Rogers, researcher and head of information security at Cloudflare, told Forbes he’d been poking at Face ID in recent months and had discovered it didn’t appear to require the visage of a living person to work. Whilst Face ID is supposed to use your attention in combination with natural eye movement, so fake or non-moving eyes can’t unlock devices, Rogers found that the tech can be fooled simply using photos of open eyes. That was something also verified by Vietnamese researchers when they claimed to have bypassed Face ID with specially-created masks in November 2017, said Rogers.

Secondly, Rogers discovered this was possible from many angles and the phone only seemed to need to see one open eye to unlock. “In that sense it’s easier to unlock than Touch ID – all you need to do is show your target his or her phone and the moment they glance it unlocks,” he added. Apple declined to comment for this article.

Source: Yes, Cops Are Now Opening iPhones With Dead People’s Fingerprints

Delta Airlines announced Monday that it’s rolling out biometric entry at its line of airport lounges. With the press of two fingers, Delta members will be able to enter any of Delta’s 50 exclusive lounges for drinks, comfortably unaware of the encroaching dystopian biometric surveillance structure closing around travel.

Thanks to a partnership with Clear, a biometrics company offering a “frictionless travel experience,” privileged jet-setters can use their fingerprints to enter Delta Sky Clubs.

[…]

But, this veneer of comfort masks that biometrics are a form of surveillance hotly contested by privacy and civil liberties experts. For example, face recognition in airports is consistently less accurate on women and people of color, yet are asymmetrically applied against them as they travel. Clear uses finger and iris data, but Delta was the nation’s first to use face recognition to verify passports, again via autonomized self-service kiosks.

At a time when people should be more wary of biometrics, airports are carefully rebranding surveillance as a luxury item. But, as people become more comfortable with being poked, prodded, fingerprinted, and scanned as they travel, privacy is becoming a fast-evaporating luxury.

Source: Great, Now an Airline Is Normalizing Casual Fingerprinting

Please remember that you can’t change your biometrics (easily), so beware about leaving them in some database secured who knows how and shared with who knows who.

Last week, a user found that Facebook had a record of the date, time, duration, and recipient of calls he had made from the past few years. A couple days later, Ars Technica published an account of several others — all Android users — who found similar records. Now, Slate Magazine is reporting that Facebook has acknowledged that it was collecting and storing these logs, “attributing it to an opt-in feature for those using Messenger or Facebook Lite on an Android device.” The company did however deny that it was collecting call or text history without a user’s permission. From the report: “This helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook,” the company said in a post Sunday. “People have to expressly agree to use this feature. We introduced this feature for Android users a couple of years ago. Contact importers are fairly common among social apps and services as a way to more easily find the people you want to connect with.”

Ars Technica refuted their claim that everyone knowingly opted in. Instead, Ars Technica’s Sean Gallagher claimed, that opt-in was the default setting and users were not separately alerted to it. Nor did Facebook ever say publicly that it was collecting that information. “Facebook says that the company keeps the data secure and does not sell it to third parties,” Gallagher wrote. “But the post doesn’t address why it would be necessary to retain not just the numbers of contacts from phone calls and SMS messages, but the date, time, and length of those calls for years.”

Source: Facebook Acknowledges It Has Been Keeping Records of Android Users’ Calls, Texts – Slashdot