The program began in 2012 as a partnership between New Orleans Police and Palantir Technologies, a data-mining firm founded with seed money from the CIA’s venture capital firm. According to interviews and documents obtained by The Verge, the initiative was essentially a predictive policing program, similar to the “heat list” in Chicago that purports to predict which people are likely drivers or victims of violence.

The partnership has been extended three times, with the third extension scheduled to expire on February 21st, 2018. The city of New Orleans and Palantir have not responded to questions about the program’s current status.

Predictive policing technology has proven highly controversial wherever it is implemented, but in New Orleans, the program escaped public notice, partly because Palantir established it as a philanthropic relationship with the city through Mayor Mitch Landrieu’s signature NOLA For Life program. Thanks to its philanthropic status, as well as New Orleans’ “strong mayor” model of government, the agreement never passed through a public procurement process.

In fact, key city council members and attorneys contacted by The Verge had no idea that the city had any sort of relationship with Palantir, nor were they aware that Palantir used its program in New Orleans to market its services to another law enforcement agency for a multimillion-dollar contract.

Even within the law enforcement community, there are concerns about the potential civil liberties implications of the sort of individualized prediction Palantir developed in New Orleans, and whether it’s appropriate for the American criminal justice system.

“They’re creating a target list, but we’re not going after Al Qaeda in Syria,” said a former law enforcement official who has observed Palantir’s work first-hand as well as the company’s sales pitches for predictive policing. The former official spoke on condition of anonymity to freely discuss their concerns with data mining and predictive policing. “Palantir is a great example of an absolutely ridiculous amount of money spent on a tech tool that may have some application,” the former official said. “However, it’s not the right tool for local and state law enforcement.”

Six years ago, one of the world’s most secretive and powerful tech firms developed a contentious intelligence product in a city that has served as a neoliberal laboratory for everything from charter schools to radical housing reform since Hurricane Katrina. Because the program was never public, important questions about its basic functioning, risk for bias, and overall propriety were never answered.
[…]
Palantir’s prediction model in New Orleans used an intelligence technique called social network analysis (or SNA) to draw connections between people, places, cars, weapons, addresses, social media posts, and other indicia in previously siloed databases. Think of the analysis as a practical version of a Mark Lombardi painting that highlights connections between people, places, and events. After entering a query term — like a partial license plate, nickname, address, phone number, or social media handle or post — NOPD’s analyst would review the information scraped by Palantir’s software and determine which individuals are at the greatest risk of either committing violence or becoming a victim, based on their connection to known victims or assailants.

The data on individuals came from information scraped from social media as well as NOPD criminal databases for ballistics, gangs, probation and parole information, jailhouse phone calls, calls for service, the central case management system (i.e., every case NOPD had on record), and the department’s repository of field interview cards. The latter database represents every documented encounter NOPD has with citizens, even those that don’t result in arrests. In 2010, The Times-Picayune revealed that Chief Serpas had mandated that the collection of field interview cards be used as a measure of officer and district performance, resulting in over 70,000 field interview cards filled out in 2011 and 2012. The practice resembled NYPD’s “stop and frisk” program and was instituted with the express purpose of gathering as much intelligence on New Orleanians as possible, regardless of whether or not they committed a crime.
[…]
NOPD then used the list of potential victims and perpetrators of violence generated by Palantir to target individuals for the city’s CeaseFire program. CeaseFire is a form of the decades-old carrot-and-stick strategy developed by David Kennedy, a professor at John Jay College in New York. In the program, law enforcement informs potential offenders with criminal records that they know of their past actions and will prosecute them to the fullest extent if they re-offend. If the subjects choose to cooperate, they are “called in” to a required meeting as part of their conditions of probation and parole and are offered job training, education, potential job placement, and health services. In New Orleans, the CeaseFire program is run under the broader umbrella of NOLA For Life, which is Mayor Landrieu’s pet project that he has funded through millions of dollars from private donors.

According to Serpas, the person who initially ran New Orleans’ social network analysis from 2013 through 2015 was Jeff Asher, a former intelligence agent who joined NOPD from the CIA. If someone had been shot, Serpas explained, Asher would use Palantir’s software to find people associated with them through field interviews or social media data. “This data analysis brings up names and connections between people on FIs [field interview cards], on traffic stops, on victims of reports, reporting victims of crimes together, whatever the case may be. That kind of information is valuable for anybody who’s doing an investigation,” Serpas said.
[…]
Of the 308 people who participated in call-ins from October 2012 through March 2017, seven completed vocational training, nine completed “paid work experience,” none finished a high school diploma or GED course, and 32 were employed at one time or another through referrals. Fifty participants were detained following their call-in, and two have since died.

By contrast, law enforcement vigorously pursued its end of the program. From November 2012, when the new Multi-Agency Gang Unit was founded, through March 2014, racketeering indictments escalated: 83 alleged gang members in eight gangs were indicted in the 16-month period, according to an internal Palantir presentation.
[…]
Call-ins declined precipitously after the first few years. According to city records, eight group call-ins took place from 2012 to 2014, but only three took place in the following three years. Robert Goodman, a New Orleans native who became a community activist after completing a prison sentence for murder, worked as a “responder” for the city’s CeaseFire program until August 2016, discouraging people from engaging in retaliatory violence. Over time, Goodman noticed more of an emphasis on the “stick” component of the program and more control over the non-punitive aspects of the program by city hall that he believes undermined the intervention work. “It’s supposed to be ran by people like us instead of the city trying to dictate to us how this thing should look,” he said. “As long as they’re not putting resources into the hoods, nothing will change. You’re just putting on Band-Aids.”

After the first two years of Palantir’s involvement with NOPD, the city saw a marked drop in murders and gun violence, but it was short-lived. Even former NOPD Chief Serpas believes that the preventative effect of calling in dozens of at-risk individuals — and indicting dozens of them — began to diminish.

“When we ended up with nearly nine or 10 indictments with close to 100 defendants for federal or state RICO violations of killing people in the community, I think we got a lot of people’s attention in that criminal environment,” Serpas said, referring to the racketeering indictments. “But over time, it must’ve wore off because before I left in August of ‘14, we could see that things were starting to slide”

Nick Corsaro, the University of Cincinnati professor who helped build NOPD’s gang database, also worked on an evaluation of New Orleans’ CeaseFire strategy. He found that New Orleans’ overall decline in homicides coincided with the city’s implementation of CeaseFire program, but the Central City neighborhoods targeted by the program “did not have statistically significant declines that corresponded with November 2012 onset date.”
[…]
The secrecy surrounding the NOPD program also raises questions about whether defendants have been given evidence they have a right to view. Sarah St. Vincent, a researcher at Human Rights Watch, recently published an 18-month investigation into parallel construction, or the practice of law enforcement concealing evidence gathered from surveillance activity. In an interview, St. Vincent said that law enforcement withholding intelligence gathering or analysis like New Orleans’ predictive policing work effectively kneecaps the checks and balances of the criminal justice system. At the Cato Institute’s 2017 Surveillance Conference in December, St. Vincent raised concerns about why information garnered from predictive policing systems was not appearing in criminal indictments or complaints.

“It’s the role of the judge to evaluate whether what the government did in this case was legal,” St. Vincent said of the New Orleans program. “I do think defense attorneys would be right to be concerned about the use of programs that might be inaccurate, discriminatory, or drawing from unconstitutional data.”

If Palantir’s partnership with New Orleans had been public, the issues of legality, transparency, and propriety could have been hashed out in a public forum during an informed discussion with legislators, law enforcement, the company, and the public. For six years, that never happened.

Source: Palantir has secretly been using New Orleans to test its predictive policing technology – The Verge

One of the big problems here is that there is no knowledge and hardly any oversight on the program. There is no knowledge if the system is being implemented fairly or cost effectively (costs are huge!) or even if it works. It seemed to have worked for a while but the effects seemed also to drop off after two years in operations, mainly because they used the “stick” method to counter crime but more and more got rid of the “carrot”. The amount of private data given to Palantir without any discussion or consent is worrying to say the least.

Thousands of FedEx customers were exposed after the company left scanned passports, drivers licenses, and other documentation on a publicly accessible Amazon S3 server.

The scanned IDs originated from countries all over the world, including the United States, Mexico, Canada, Australia, Saudi Arabia, Japan, China, and several European countries. The IDs were attached to forms that included several pieces of personal information, including names, home addresses, phone numbers, and zip codes.

The server, discovered by researchers at the Kromtech Security Center, was secured as of Tuesday.

According to Kromtech, the server belonged to Bongo International LLC, a company that aided customers in performing shipping calculations and currency conversations, among other services. Bongo was purchased by FedEx in 2014 and renamed FedEx Cross-Border International a little over a year later. The service was discontinued in April 2017.

Source: 119,000 Passports and Photo IDs of FedEx Customers Found on Unsecured Amazon Server

De MIVD tapte vorig jaar in totaal 348 keer. De AIVD plaatste dat jaar 3.205 taps. Vandaag publiceerden beide diensten de tapstatistieken over de periode 2002 tot en met 2017 op hun website.

Source: MIVD tapte vorig jaar 348 keer | Nieuwsbericht | Defensie.nl

And of course we have no idea how many of these taps led to arrests or action.

To turn off facial recognition on your computer, click on the down arrow at the top of any Facebook page and then select Settings. From there, click “Face Recognition” from the left column, and then click “Do you want Facebook to be able to recognize you in photos and videos?” Select Yes or No based on your personal preferences.

On mobile, click on the three dots below your profile pic labeled “More” then select “View Privacy Shortcuts” then “More Settings,” followed by “Facial Recognition.” Click on the “Do you want Facebook to be able to recognize you in photos and videos?” button and select “No” to disable the feature.
[…]
The setting isn’t available in all countries, and will only appear as an option in your profile if you’re at least 18 years old and have the feature available to you.

Source: How to Disable Facebook’s Facial Recognition Feature

One of the effects of GDPR — the new EU General Data Protection Regulation — is that we’re all going to be learning a lot more about who collects our data and what they do with it. Consider PayPal, that just released a list of over 600 companies they share customer data with. Here’s a good visualization of that data.

Is 600 companies unusual? Is it more than average? Less? We’ll soon know.

Source: The 600+ Companies PayPal Shares Your Data With – Schneier on Security

Madison Square Garden has quietly used facial-recognition technology to bolster security and identify those entering the building, according to multiple people familiar with the arena’s security procedures.

The technology uses cameras to capture images of people, and then an algorithm compares the images to a database of photographs to help identify the person and, when used for security purposes, to determine if the person is considered a problem. The technology, which is sometimes used for marketing and promotions, has raised concerns over personal privacy and the security of any data that is stored by the system.

Source: Madison Square Garden Has Used Face-Scanning Technology on Customers

Your entire online identity could be worth little more than £800, according to brand new research into the illicit sale of stolen personal info on the dark web (or just $1,200 if you are in the United States, according to the US edition of the index). While it may be no surprise to learn that credit card details are the most traded, did you know that fraudsters are hacking Uber, Airbnb, Spotify and Netflix accounts and selling them for little more than £5 each?

Everything has a price on the dark web it seems. Paypal accounts with a healthy balance attract the highest prices (£280 on average). At the other end of the scale though, hacked Deliveroo or Tesco accounts sell for less than £5. Cybercriminals can easily spend more on their lunchtime sandwich than buying up stolen credentials for online shopping accounts like Argos (£3) and ASOS (£1.50).

The average person has dozens of accounts that form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings on three of the most popular dark web markets, Dream, Point and Wall Street Market. These encrypted websites, which can only be reached using the Tor browser, allow criminals to anonymously sell stolen personal info, along with all sorts of other contraband, such as illicit drugs and weapons.

We focused on listings featuring stolen ID, hacked accounts and personal info relevant to the UK to create the Dark Web Market Price Index. We calculated average sale prices for each items and were shocked to see that £820 is all it would cost to buy up someone’s entire identity if they were to have all the listed items

Source: Dark Web Market Price Index (Feb 2018 – UK Edition) | Top10VPN.com

According to Media Play News, MoviePass CEO Mitch Lowe had some interesting things to say during his Hollywood presentation that took place late last week, entitled “New Oil: How Will MoviePass Monetize It?” Most notably, he openly admitted that his app tracks people’s location, even when they’re not actively using the app:

“We get an enormous amount of information… We know all about. We watch how you drive from home to the movies. We watch where you go afterwards.”

Lowe also commented on how they knew subscribers’ addresses, their demographics, and how they can track subs via the app and the phone’s GPS. This drew nervous laughter from the crowd—many of whom were MoviePass subscribers themselves—but Lowe assured them that this collecting of tracking data fits into their long-term revenue plan. He explained that their vision is to “build a night at the movies,” with MoviePass eventually directing subscribers to places to eat before movies, and places to grab drinks afterward (all for a cut from the vendors).

We knew MoviePass was collecting data on us from the start—that’s how they plan to make their money—so how is this any different? Well, subscribers are claiming they didn’t clearly disclose such persistent location tracking in their privacy policy. In regard to location tracking, the privacy policy mentions a “single request” in a section titled “Check ins” that’s used when you’re selecting a theater and movie to watch. However, the section also mentions real-time location data “as a means to develop, improve and personalize the service.” It’s a vague statement that could mean just about anything, but it’s understandable if users didn’t assume it meant watching them wherever they went, even when they’re not using the app.

Source: MoviePass Is Tracking Your Location

A company that sells spyware to regular consumers is “immediately and indefinitely halting” all of its services, just a couple of weeks after a new damaging hack.

Retina-X Studios, which sells several products marketed to parents and employers to keep tabs on their children and employees—but also used by jealous partners to spy on their significant others—announced that its shutting down all its spyware apps on Tuesday with a message at the top of its website.

“Regrettably Retina-X Studios, which offers cutting edge technology that helps parents and employers gather important information on devices they own, has been the victim of sophisticated and repeated illegal hackings,” read the message, which was titled “important note” in all caps.

Got a tip? You can contact Lorenzo Franceschi-Bicchierai securely on Signal on +1 917 257 1382 and Joseph Cox on Signal on +44 20 8133 5190. Details on our SecureDrop, a system to anonymously submit documents or information, can be found here.

The company sells subscriptions to apps that allow the operator to access practically anything on a target’s phone or computer, such as text messages, emails, photos , and location information. Retina-X is just one of a slew of companies that sell such services, marketing them to everyday users—as opposed to law enforcement or intelligence agencies. Some critics call these apps “Stalkerware.”

Source: ‘Stalkerware’ Seller Shuts Down Apps ‘Indefinitely’ After Getting Hacked Again – Motherboard

Picture this: You’re driving home from work, contemplating what to make for dinner, and as you idle at a red light near your neighborhood pizzeria, an ad offering $5 off a pepperoni pie pops up on your dashboard screen.

Are you annoyed that your car’s trying to sell you something, or pleasantly persuaded? Telenav Inc., a company developing in-car advertising software, is betting you won’t mind much. Car companies—looking to earn some extra money—hope so, too.

Automakers have been installing wireless connections in vehicles and collecting data for decades. But the sheer volume of software and sensors in new vehicles, combined with artificial intelligence that can sift through data at ever-quickening speeds, means new services and revenue streams are quickly emerging. The big question for automakers now is whether they can profit off all the driver data they’re capable of collecting without alienating consumers or risking backlash from Washington.

“Carmakers recognize they’re fighting a war over customer data,” said Roger Lanctot, who works with automakers on data monetization as a consultant for Strategy Analytics. “Your driving behavior, location, has monetary value, not unlike your search activity.”

Carmakers’ ultimate objective, Lanctot said, is to build a database of consumer preferences that could be aggregated and sold to outside vendors for marketing purposes, much like Google and Facebook do today.
[…]
Telenav, the Silicon Valley company looking to bring pop-up ads to your infotainment screen, has been testing a “freemium” model borrowed from streaming music services to entice drivers to share their data.

Say you can’t afford fancy features like embedded navigation or the ability to start your car through a mobile app. The original automaker will install them for free, so long as you’re willing to tolerate the occasional pop-up ad while idling at a red light. Owners of luxury cars won’t have to suffer such indignities, since the higher price tag paid likely would have already included an internet connection.
[…]
The pop-up car ads could generate an average of $30 annually per vehicle, to be split between Telenav and the automaker. He declined to say whether anyone has signed up for the software, which was just unveiled at CES, but added Telenav is in “deep discussions” with several manufacturers. Because of the long production cycles of the industry, it’ll be about three years before the ads will show up in new models.

Source: The Car of the Future Will Sell Your Data – Bloomberg

of course they bring in the fear factor, they wouldn’t be honest and talk about the profit factor. As soon as people start trying to scare you, you know they are trying to con you.

Auto executives emphasize that data-crunching will allow them to build a better driving experience—enabling cars to predict flat tires, find a parking space or charging station, or alert city managers to dangerous intersections where there are frequent accidents. Data collection could even help shield drivers from crime, Ford Motor Co.’s chief executive officer said last month at the CES technology trade show.

“If a robber got in the car and took off, would you want us to know where that robber went to catch him?” Jim Hackett asked the audience during a keynote in Las Vegas. “Are you willing to trade that?”

You spend huge amounts on a car, I really really don’t want it sending information back to the maker, much less having the maker sell that data!

In a decision (PDF) handed down yesterday, chief judge Janet DiFiore said that a court could ask someone to hand over any relevant materials as part of discovery ahead of a trial – even if they are private.

The threshold for disclosure in a court case “is not whether the materials sought are private but whether they are reasonably calculated to contain relevant information”, she said.

The ruling is the latest in an ongoing battle over whether a woman injured in a horse-riding accident should hand over privately posted pictures to the man she has accused of negligence in the accident.

Kelly Forman suffered spinal and brain injuries after falling from a horse owned by Mark Henkins, who she accuses of fitting her with a faulty stirrup.

Forman said the accident had led to memory loss and difficulty communicating, which she said caused her to become reclusive and have problems using a computer or composing coherent messages.

Because Forman said she had been a regular Facebook user before the accident, Henkins sought an order to gain access to posts and photos she made privately on Facebook before and after the accident, saying this would provide evidence on how her lifestyle had been affected.

For instance, the court noted he argued that “the timestamps on Facebook messages would reveal the amount of time it takes the plaintiff to write a post or respond to a message”.
[…]
The judge acknowledged Forman’s argument that disclosure of social media materials posted under private settings was an “unjustified invasion of privacy”, but said that other private materials relevant to litigation – including medical records – can be ordered for disclosure.

DiFiore also noted that, although the court was assuming, for the purposes of resolving the case, that setting a post to “private” meant that the they should be characterised as such, there was “significant controversy” about this.

“Views range from the position taken by plaintiff that anything shielded by privacy settings is private, to the position taken by one commentator that anything contained in a social media website is not ‘private’,” she pointed out in a footnote.

Source: Roses are red, Facebook is blue. Think private means private? More fool you • The Register

Millions of new cars sold in the US and Europe are “connected,” having some mechanism for exchanging data with their manufacturers after the cars are sold; these cars stream or batch-upload location data and other telemetry to their manufacturers, who argue that they are allowed to do virtually anything they want with this data, thanks to the “explicit consent” of the car owners — who signed a lengthy contract at purchase time that contained a vague and misleading clause deep in its fine-print.

Car manufacturers are mostly warehousing this data (leaving it vulnerable to leaks and breaches, search-warrants, government hacking and unethical employee snooping), and can’t articulate why they’re saving it or how they use it.

Much of this data ends up in “marketplaces” where data-sets from multiple auto-makers are merged, made uniform, and given identifiers that allow them to be cross-referenced with the massive corporate data-sets that already exist, and then offered on the open market to any bidder.

Source: Thanks to “consent” buried deep in sales agreements, car manufacturers are tracking tens of millions of US cars / Boing Boing

The software giant has produced a tool that’s claimed to show users how much personal information its Windows 10 operating system collects and sends back to Redmond for diagnostics.The application is dubbed Diagnostic Data Viewer, and is free from the Windows Store. It reveals that stuff like the computer’s device name, OS version, and serial number, as well as more detailed records such as installed apps, preference settings, and details on each application’s usage, are beamed back to Microsoft.
[…]
Microsoft says the Diagnostic Data Viewer will run separately from the Windows Privacy Dashboard that is bundled with Windows 10. That app will also be upgraded to provide users with more information on data collection, including activity history for the user’s Microsoft account.

Microsoft is also planning an update to the app to allow users to export dashboard reports, view media consumption information, and delete reported data (for some reason this isn’t already allowed).

The Dashboard and Data Viewer apps arrive after Microsoft was taken to task by governments for what many saw as overly intrusive data collection by Windows 10.

Source: Microsoft whips out tool so you can measure Windows 10’s data-slurping creepiness • The Register

The US House of Representatives has passed a six-year extension to the controversial Section 702 spying program, rejecting an amendment that would have required the authorities to get a warrant before searching for information on US citizens.

The 256-164 vote effectively retains the status quo and undermines a multi-year effort to bring accountability to a program that critics argue breaks the Constitution. A bipartisan substitute amendment put forward by House reps Justin Amash (R-MI) and Zoe Lofgren (D-CA) and supported by both ends of the political spectrum was defeated 233-183.< [...] The already tense atmosphere in Washington DC over the issue was heightened when President Trump tweeted his apparent support of critics of the program just moments after the Amash-Lofgren amendment was discussed on Fox News./blockquote>

Source: US House reps green-light Fourth Amendment busting spy program • The Register

OnePlus has admitted that the clipboard app in a beta build of its Android OS was beaming back mystery data to a cloud service in China.

Someone running the latest test version of OnePlus’s Oreo-based operating system revealed in its support forums that unusual activity from the builtin clipboard manager had been detected by a firewall tool.

Upon closer inspection, the punter found that the app had been transmitting information to a block of IP addresses registered to Alibaba, the Chinese e-commerce and cloud hosting giant.
[…]
This should not come as much of a shock to those who follow the China-based OnePlus. In October last year, researchers discovered that OnePlus handsets were collecting unusually detailed reports on user activities, although the manufacturer said at the time it was only hoarding the data for its internal analytics. One month later, it was discovered that some phones had apparently been shipped with a developer kit left active, resulting in the phones sporting a hidden backdoor.

And lest we forget, today’s desktop and mobile operating systems are pretty gung-ho in phoning home information about their users, with Microsoft catching flak for Windows 10 telemetry in particular. ®

Source: OnePlus Android mobes’ clipboard app caught phoning home to China

More than six million people use Slack daily, spending on average more than two hours each day inside the chat app. For many employees, work life is contingent on Slack, and surely plenty of us use it for more than just, say, work talk. You probably have a #CATS and a women-only channel, and you’ve probably said something privately that you wouldn’t want shared with your boss. But that’s not really up to you.

When you want to have an intimate or contentious chat, you might send a direct message. Or perhaps you and a few others have started a private channel, ensuring that whatever you say is only seen by a handful of people. This may feel like a closed circuit between you and another person—or small group of people—but that space and the little lock symbol aren’t actually emblematic of complete privacy.

Do Slack employees have access to your chats? The short answer is: sort of. The long answer is… below. Can your company peek at your private DMs? It’s entirely possible. Slack’s FAQ pages help elucidate some of these concerns, but at times the answers are frustratingly vague and difficult to navigate. So we dug into it for you. Read more to find out what Slack—and your company—is actually doing with your data.

Source: What’s Slack Doing With Your Data?

The short is:
Yes, there are slack employees that can view your data. Channel owners can see everything in a channel, also direct messages. Slack gives your data to law enforcement upon request and won’t inform you. They don’t (and say won’t) sell it to third parties. Deletion is deletion. Slack, like any other company, can be hacked. Caveat emptor.

That innocent-looking mobile game you just downloaded might just have an ulterior motive. Behind the scenes, hundreds of different apps could be using your smartphone’s microphone to figure out what you watch on TV, a new report from The New York Times reveals.
[…]
All of these apps need to get your permission before they can record in the background. So the easiest way is just to deny that permission. However, it’s possible that you might approved the request without realizing it, or your kid might do it while playing with your phone. In that case, switching it off is pretty easy.

Just head into Settings on your device and check the permissions for the app in question. If the app has microphone access when it doesn’t need to (why would a bowling game need to use your microphone?), just toggle that permission off.

Source: How to Stop Apps From Listening in on Your TV Habits

A group of researchers in France and Japan say RequestPolicyContinued and NoScript have the toughest policies, while Ghostery and uBlock Origin offer good blocking performance and a better user experience.

The study also gave a nod to the EFF’s Privacy Badger, which uses heuristics rather than block lists, but once trained is nearly as good as Ghostery or uBlock, demonstrating that its heuristics are reliable.

Source: Ghostery, uBlock lead the anti-track pack

Using only data that can be legally collected by an app developer without the consent of a cellphone’s owner, researchers have been able to produce a privacy attack that can accurately pinpoint a user’s location and trajectory without accessing the device’s Global Position System—GPS. And while the ramifications of this ability falling into the wrong hands are distressing, the way in which they pulled it off is nothing short of genius.
[…]
In fact, all you really need is your phone’s internal compass, an air pressure reading, a few free-to-download maps, and a weather report.

Your cellphone comes equipped with an amazing array of compact sensors that are more or less collecting information about your environment at all time. An accelerometer can tell how fast you’re moving; a magnetometer can detect your orientation in relation to true north; and a barometer can measure the air pressure in your surrounding environment. You phone also freely offers up a slew of non-sensory data such as your device’s IP address, timezone, and network status (whether you’re connected to Wi-Fi or a cellular network.)

All of this data can be accessed by any app you download without the type of permissions required to access your contact lists, photos, or GPS. Combined with publicly available information, such as weather reports, airport specification databases, and transport timetables, this data is enough to accurately pinpoint your location—regardless of whether you’re walking, traveling by plane, train, or automobile.
[…]
To track a user, you first need to determine what kind of activity they’re performing. It’s easy enough to tell if a person is walking versus riding in a car, speed being the discriminant factor; but also, when you’re walking you tend to move in one direction, while your phone is held in a variety of different positions. In a car, you make sudden stops (when you brake) and specific types of turns—around 90 degrees—that can be detected using your phone’s magnetometer. People who travel by plane will rapidly change time zones; the air pressure on a plane also changes erratically, which can be detected by a cellphone’s barometer. When you ride a train, you tend to accelerate in a direction that doesn’t significantly change. In other words, determining your mode of travel is relatively simple.

The fact that your cellphone offers up your time zone as well as the last IP address you were connected to really narrows things down—geolocating IP addresses is very easy to do and can at least reveal the last city you were in—but to determine your exact location, with GPS-like precision, a wealth of publicly-available data is needed. To estimate your elevation—i.e., how far you are above sea level—PinMe gathers air pressure data provided freely by the Weather Channel and compares it to the reading on your cellphone’s barometer. Google Maps and open-source data offered by US Geological Survey Maps also provide comprehensive data regarding changes in elevation across the Earth’s surface. And we’re talking about minor differences in elevation from one street corner to the next.

Upon detecting a user’s activity (flying, walking, etc.) the PinMe app uses one of four algorithms to begin estimating a user’s location, narrowing down the possibilities until its error rate drops to zero, according to the peer-reviewed research. Let’s say, the app decides you’re traveling by car. It knows your elevation, it knows your timezone, and if you haven’t left the city you’re in since you last connected to Wi-Fi, you’re pretty much borked.

With access to publicly available maps and weather reports, and a phone’s barometer and magnetometer (which provides a heading), it’s only a matter of turns. When PinMe detected one of the researchers driving in Philadelphia during a test-run, for example, the researcher only had to make 12 turns before the app knew exactly where they were in the city. With each turn, the number of possible locations of the vehicles dwindles. “[A]s the number of turns increases, PinMe collects more information about the user’s environment, and as a result it is more likely to find a unique driving path on the map,” the researchers wrote.

Source: How to Track a Cellphone Without GPS—or Consent

According to OMC’s data, a full 19 percent of all “conversational” email is now tracked. That’s one in five of the emails you get from your friends. And you probably never noticed.“Surprisingly, while there is a vast literature on web tracking, email tracking has seen little research,” noted an October 2017 paper published by three Princeton computer scientists. All of this means that billions of emails are sent every day to millions of people who have never consented in any way to be tracked, but are being tracked nonetheless. And Seroussi believes that some, at least, are in serious danger as a result.

Source: You Give Up a Lot of Privacy Just Opening Emails. Here’s How to Stop It | WIRED

The Google Home Mini is a super-affordable way to get Google Assistant in your life, but Google was forced to hobble the device shortly after launch because a sticky touch sensor caused Artem’s Mini to record everything he said. Part of that functionality is now coming back with a small tweak. Instead of tapping the top of the device, you’ll be able to long-press the side.

Source: New Google Home Mini update 1.29 restores top tap functionality with long-press on the side

Let me make this point dreadfully clear, though: Your family members do not need an Amazon Echo or a Google Home or an Apple HomePod or whatever that one smart speaker that uses Cortana is called. And you don’t either. You only want one because every single gadget-slinger on the planet is marketing them to you as an all-new, life-changing device that could turn your kitchen into a futuristic voice-controlled paradise. You probably think that having an always-on microphone in your home is fine, and furthermore, tech companies only record and store snippets of your most intimate conversations. No big deal, you tell yourself.

Actually, it is a big deal. The newfound privacy conundrum presented by installing a device that can literally listen to everything you’re saying represents a chilling new development in the age of internet-connected things. By buying a smart speaker, you’re effectively paying money to let a huge tech company surveil you. And I don’t mean to sound overly cynical about this, either. Amazon, Google, Apple, and others say that their devices aren’t spying on unsuspecting families. The only problem is that these gadgets are both hackable and prone to bugs.

Before getting into the truly scary stuff, though, let’s talk a little bit about utility. Any internet-connected thing that you bring into your home should make your life easier. Philips Hue bulbs, for instance, let you dim the lights in an app. Easy! A Nest thermostat learns your habits so you don’t have to turn up the heat as often. Cool! An Amazon Echo or a Google Home, well, they talk to you, and if you’re lucky, you might be able to figure out how to talk back in the right way and do random things around the house. Huh?

Source: Don’t Buy Anyone an Echo

A good and concise explanation of why these useless devices are something to be very afraid of.

For the past few years, Gingerich has been laying the groundwork for Sopranica, an open source, DIY cell network that allows smartphone owners to make calls, send texts and eventually browse the internet with total anonymity.In January, Gingerich published the code for the first part of Sopranica called JMP. This is essentially a way of using a secure instant messaging protocol called XMPP, better known as Jabber, to communicate over voice and text from an anonymous phone number. JMP is the first phase of the Sopranica network.The next phase—called WOM—will create the physical infrastructure for the cell network with a community radio network. This will essentially involve people hosting small, inexpensive radio devices in their home that plug into their routers to provide internet access points to Sopranica users in the area.
[…]
Getting set up with JMP is easy. First, you need to create a free and anonymous Jabber ID, which is like an email address. I had already created a Jabber ID with the Chaos Computer Club (a German hacking group), but there are a lot of other servers you can register with as well. The only difference will be the web address in your Jabber ID will be different—for example, motherboard@jabber.ccc.de or motherboard@xmpp.jp.

Next, you need to install a Jabber app on your phone. I use Android and opted for Xabber, but again, there are plenty of options to choose from (Conversations is a good choice if you want to use Sopranica for picture messaging, for instance). You’ll also need to install a Session Initiation Protocol (SIP) app, which allows your phone to make calls and send texts over the internet instead of the regular cellular network. For Android users, the best choice is probably CSipSimple and for iPhones your best bet is Linphone.

Finally, it’s time to get your phone number. If you navigate to Sopranica’s JMP website, there is a list of numbers at the bottom. These phone numbers are generated by Sopranica’s Voice Over IP (VOIP) provider which provides talk and text services over the internet. Click whichever number you want to be your new number on the Sopranica network and enter your Jabber ID. A confirmation code should be sent to your phone and will appear in your Jabber app.

Once you’ve entered this code, you’re ready to use your new, anonymous number. To do this, use your SIP app and send a text or dial a number just like you would otherwise. This communication will be made through your new Sopranica number, rather than whichever cell carrier you normally use.

In many ways, JMP is kind of like getting a free VOIP number with Google Voice and then using that number to register for an account on the encrypted messaging platform Signal.
The downside of this, of course, is that the VOIP number you get from Google is registered under your name with Google, so even if the people who you communicate with using that number can’t trace it to you, Google can. On the other hand, all aspects of JMP are anonymous—neither the Jabber ID nor the JMP phone number require identifying information to register.

Source: This Interview Was Conducted on an Anonymous, DIY Cell Phone Network – Motherboard

A California federal court has ordered Coinbase to turn over identifying records for all users who have bought, sold, sent, or received more than $20,000 through their accounts in a single year between 2013 and 2015. Coinbase estimates that 14,355 users meet the government’s requirements. The full order is embedded below.

For each account, the company has been asked to provide the IRS with the user’s name, birth date, address, and taxpayer ID, along with records of all account activity and any associated account statements. The result is both a definitive link to the user’s identity and a comprehensive record of everything they’ve done with their Coinbase account, including other accounts to which they’ve sent money.

Source: Coinbase ordered to report 14,355 users to the IRS – The Verge