German Regulators Ban Smartwatches for Kids, Urge Parents to Destroy Them

Last month, the European Consumer Organization (BEUC) warned that smartwatches marketed to kids were a serious threat to children’s privacy. A report published by the Norwegian Consumer Council in mid-October revealed serious flaws in several of the devices that could easily allow hackers to seize control.

Doing so could grant attackers access to both real-time and historical locational data, as well as a wealth of personal information.

You have to wonder who thought attaching a low-cost, internet-enabled microphone and a GPS tracker to a kid would be a good idea in the first place. Almost none of the companies offering these “toys” implement reasonable security standards, nor do they typically promise that the data they collect—from your children—won’t be used for marketing purposes.

Gizmodo

Google collects Android location data even if you turn it off and don’t have a SIM card inserted

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson.

Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed.

Quartz

why this is a really bad thing(tm) and shouldn’t go unpunished by the Register

Forget cookies or canvas: How to follow people around the web using only their typing techniques

In this paper (Sequential Keystroke Behavioral Biometrics for Mobile User Identification via Multi-view Deep Learning), we propose DEEPSERVICE, a new technique that can identify mobile users based on user’s keystroke information captured by a special keyboard or web browser. Our evaluation results indicate that DEEPSERVICE is highly accurate in identifying mobile users (over 93% accuracy). The technique is also efficient and only takes less than 1 ms to perform identification.

Source: [1711.02703] Sequential Keystroke Behavioral Biometrics for Mobile User Identification via Multi-view Deep Learning

Large companies in NL giving Facebook personal client data freely

The companies asked by the consumer protection authority are

the ANWB, Nuon and Oxfam Novib. De Bijenkorf had already stopped doing this earlier. Essent has promised to stop soon, and KLM and Transavia are reconsidering their approach. The Bankgiroloterij, FBTO, KPN/Telfort, Postcodeloterij, Vakantieveilingen, Vriendenloterij and de Persgroep are simply carrying on. From Heerlijk.nl, HelloFresh and Hotels.nl

To be fair, some were giving the data away encrypted.

Yes, Google is reading your corporate documents and you agreed to it.

Many people worried that Google was scanning users’ documents in real time to determine if they’re being mean or somehow bad. You actually agree to such oversight in Google G Suite’s terms of service.

Those terms include personal conduct stipulations and copyright protection, as well as adhering to “program policies.” Who knows what made the program that checks for abuse and other violations of the G Suite terms of service go awry. But something did.

And it’s not just Google that has such terms. Chances are you or your employees have signed similar terms in the many agreements that people accept without reading.

The big concern from enterprises this week was not being locked out of Google Docs for a time but the fact that Google was scanning documents and other files. Even though this is spelled out in the terms of service, it’s uncomfortably Big Brother-ish, and raises anew questions about how confidential and secure corporate information really is in the cloud.  

This is part of a workshop I have given several times: many companies do this happily. Oddly enough you won’t find their invasions in the privacy policy, but in their terms of service is where you find the interesting maneuvering. It’s actually worse than above: you generally give away copyright to all your documents as well 🙂

International (24 regulators) enforcement operation finds website privacy notices are too vague and generally inadequate (over 455 websites and apps)

An investigation by 24 data protection regulators from around the world – led by the UK’s Information Commissioner’s Office – concluded that ‘there is significant room for improvement in terms of specific details contained in privacy communications’.

The privacy notices, communications and practices of 455 websites and apps in sectors including retail, finance and banking, travel, social media, gaming/gambling, education and health were assessed to consider whether it was clear from a user’s perspective exactly what information was collected, for what purpose, and how it would be processed, used and shared.

Overall, the Global Privacy Enforcement Network (GPEN) came to the following conclusions:

Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses.
The majority of organisations failed to inform the user what would happen to their information once it had been provided.
Organisations were generally quite clear on what information they would collect from the user.
Organisations generally failed to specify with whom data would be shared.
Many organisations failed to refer to the security of the data collected and held – it was often unclear in which country data was stored or whether any safeguards were in place.
Just over half the organisations examined made reference to how users could access the personal data held about them.

Source: GPEN Sweep 2017 – International enforcement operation finds website privacy notices are too vague and generally inadequate | Global Privacy Enforcement Network

Android Is Quietly Sharing Your Physical Activity with Other Apps

Google snuck a questionable feature into the operating system with a recent update. A new permission called “activity recognition” may be tracking your physical activity and sharing it with third-party apps, and there’s no easy way to stop it.

What Is Activity Recognition?

The “activity recognition” permission was shared on Reddit earlier this week. Basically, it allows Google to track your physical activity (biking, running, standing still) using your phone’s built-in sensors and then share that information with third-party apps.

SoundHound and Shazam both appear to be using the permission, though it’s unclear why. Activity recognition is also categorized in the list of “other” permissions, so it won’t show up when an app updates on your phone. The only way to check is to go into each app on your device and look at all of its permissions.

How to Deal With It

There’s also no way to revoke this specific permission either across the board or on an app-by-app basis. If it’s an app you don’t use that often you could always delete it off your phone to avoid sharing your personal information. One Reddit user also suggested preventing those apps from running in the background.

Unfortunately, there’s no easy way to deal with activity recognition for now. Hopefully Google will offer a fix eventually, but until then you may just have to accept that owning a smartphone means giving up a bit of your privacy.

Source: Android Is Quietly Sharing Your Physical Activity with Other Apps

Google is getting more and more invasive, with Google Maps tracking your location all the time and the Google Play Store, Inbox and Google Play services (among others) requiring microphone and body sensors permissions for proper operations. Why? Because privacy is dead to Google as well.

What DNA Testing Companies’ Terrifying Privacy Policies Actually Mean

When you spit in a test tube in hopes of finding out about your ancestry or health or that perfect, genetically optimized bottle of wine, you’re giving companies access to some very intimate details about what makes you, you. Your genes don’t determine everything about who you are, but they do contain revealing information about your health, relationships, personality, and family history that, like a social security number, could be easily abused. Not only that—your genes reveal all of that information about other people you’re related to, too.
[…]
Gizmodo slogged through every line of Ancestry.com, 23andMe, and Helix’s privacy, terms of service, and research policies with the help of experts in privacy, law and consumer protection. It wasn’t fun. We fell asleep at least once. And what we found wasn’t pretty.

“It’s basically like you have no privacy, they’re taking it all,” said Joel Winston, a consumer protection lawyer. “When it comes to DNA tests, don’t assume you have any rights.”
[…]
here’s what you need to know before giving away your genetic information.

Testing companies can claim ownership of your DNA

It’s unclear who has access to your DNA, or for what

Your anonymous genetic information could get leaked

If you sue and lose, you’re screwed

If companies get rich off your DNA, you get nothing

Source: What DNA Testing Companies’ Terrifying Privacy Policies Actually Mean

A very good article examining the privacy clauses of some genetic testing companies followed up by an analysis of what this means for the consumer. Be scared.

For Under $1,000, Mobile Ads Can Track Your Location

The idea is straightforward: Associate a series of ads with a specific individual as well as predetermined GPS coordinates. When those ads are served to a smartphone app, you know where that individual has been… It’s a surprisingly simple technique, and the researchers say you can pull it off for “$1,000 or less.” The relatively low cost means that digitally tracking a target in this manner isn’t just for corporations, governments, or criminal enterprises. Rather, the stalker next door can have a go at it as well… Refusing to click on the popups isn’t enough, as the person being surveilled doesn’t need to do so for this to work — simply being served the advertisements is all it takes.

Source: For Under $1,000, Mobile Ads Can Track Your Location – Slashdot

Warning: Microsoft is using Cortana to read your private Skype conversations

Cortana is a decent voice assistant. Hell, “she” is probably better than Apple’s woefully disappointing Siri, but that isn’t saying very much. Still, Microsoft’s assistant very much annoys me on Windows 10. I don’t necessarily want to use my desktop PC like my phone, and sometimes I feel like she is intruding on my computer. While some people like Cortana, I am sure others agree with me.

Depending on how you feel about Cortana, you will either hate or love Microsoft’s latest move to shoehorn the virtual woman into your life. You see, starting today, Cortana is coming to Skype on mobile for both Android and iOS. I don’t think anyone actually wanted her in Skype, but oh well, she is on the way. Unfortunately, there is one huge downside — Microsoft is using her to scan your private messages! Yup, the Windows-maker seems a lot like Google with this move.
[…]
In order for this magical “in-context” technology to work, Cortana is constantly reading your private conversations. If you use Skype on mobile to discuss private matters with your friends or family, Cortana is constantly analyzing what you type. Talking about secret business plans with a colleague? Yup, Microsoft’s assistant is reading those too.

Don’t misunderstand — I am not saying Microsoft has malicious intent by adding Cortana to Skype; the company could have good intentions. Still, there is the potential for abuse. Despite being opt-in, users won’t necessarily understand the privacy risks involved.

Microsoft could use Cortana’s analysis to spy on you for things like advertising or worse, and that stinks. Is it really worth the risk to have smart replies and suggested calendar entries? I don’t know about you, but I’d rather not have my Skype conversations read by Microsoft.

Source: Warning: Microsoft is using Cortana to read your private Skype conversations

Because yeah! why privacy!

If you don’t want Sonos to have your personal data, they will brick your players for you

Sonos’ policy change, outlined by chief legal officer Craig Shelburne, allows the gizmo manufacturer to slurp personal information about each owner, such as email addresses and locations, and system telemetry – collectively referred to as functional data – in order to implement third-party services, specifically voice control through Amazon’s Alexa software, and for its own internal use.

“If you choose not to provide the functional data, you won’t be able to receive software updates,” a Sonos spokesperson explained at the time. “It’s not like if you don’t accept it, we’d be shutting down your device or intentionally bricking it.”

A handful of customers, however, have managed to brick their Sonos speakers by refusing to accept the data harvesting terms accompanying version 7.4+ of the firmware and then subsequently updating their Sonos mobile app to a version out of sync with their legacy firmware.

In an email to The Register, a reader by the name of Dave wrote: “You should know that in the latest update it is now impossible to use the player without updating, effectively bricking my three devices. Numerous attempts to contact Sonos have met with silence on the issue, and the phone number in the app for support is no longer valid.”

Source: Rejecting Sonos’ private data slurp basically bricks bloke’s boombox

Incredible that a company can change the terms of their product so one-sidedly without you having any recourse. And it’s not like these players are cheap!

Dutch privacy regulator says Windows 10 breaks the law: wants MS to inform you how it’s breaching your privacy, not stop it.

The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law.

To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn’t always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection—though this language still wasn’t explicit about what was collected and why—and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen.

In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10’s “Basic” telemetry setting. However, the company has not done so for the “Full” option, and the Full option remains the default.

The Windows 10 privacy options continue to be a work in progress for Microsoft. The Fall Creators Update, due for release on October 17, makes further changes to the way the operating system and applications collect data and the consent required to do so. Microsoft says that it will work with the DPA to “find appropriate solutions” to ensure that Windows 10 complies with the law. However, in its detailed response to the DPA’s findings, Microsoft disagrees with some of the DPA’s objections. In particular, the company claims that its disclosure surrounding the Full telemetry setting—both in terms of what it collects and why—is sufficient and that users are capable of making informed decisions.

The DPA’s complaint doesn’t call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to “end all violations,” but if the software company fails to do so, it faces sanctions.

Source: Dutch privacy regulator says Windows 10 breaks the law

Note: the DPA is fine with MS collecting your data, as long as you know what data it is you are collecting. For a product you buy, this seems insane to me, which is why I am running Linux Mint on a day to day basis nowadays.

OnePlus Admits It Was Snooping on OxygenOS Users, Says It Will Tweak Data Collection Program. Current fix still spies on you.

Earlier this month, software engineer Christopher Moore discovered that Shenzhen, China-based phone manufacturer OnePlus was secretly collecting a trove of data about users without their consent and communicating it to company servers. Moore had routed his OnePlus 2’s internet traffic through security tool OWASP ZAP for a holiday hack challenge, but noticed his device was regularly transmitting large amounts of data to a server at open.oneplus.net.

According to Moore’s analysis, captured information included his phone’s IMEI and serial number, phone numbers, MAC addresses, mobile network names and IMSI prefixes, and wireless network data. OnePlus was also collecting data on when its users were opening applications and what they were doing in those apps, including Outlook and Slack. With the cat out of the bag, OnePlus admitted to the non-consensual snooping in a post to its customer service forum on Friday, but said the intent of the program was improving user experience on its OxygenOS software.

“The reason we collect some device information is to better provide after-sales support,” OnePlus wrote. “If you opt out of the user experience program, your usage analytics will not be tied to your device information.”

“We’d like to emphasize that at no point have we shared this information with outside parties,” the company added. “The analytics we’re discussing in this post, which we only look at in aggregate, are collected with the intention of improving our product and service offerings.”

According to OnePlus, it will also stop collecting “telephone numbers, MAC Addresses and WiFi information,” and by the end of October, the company will clearly prompt all users on how and why it collects data and provide users with an option to not participate in its “user experience program.”

Multiple users responded by saying their concerns were not resolved, as some of the data collected—like telephone numbers and wireless network information—was of limited use from a support perspective and instead could have been mined for its value to marketers.

As TechCrunch noted, the opt-out provision also does not appear to actually stop the data collection, but simply removes tags linking the data to a specific device. So no matter which way you slice it, this is not a very good situation for OnePlus users to find themselves in. As Moore noted, there are few good options to stop the data collection entirely:

Source: OnePlus Admits It Was Snooping on OxygenOS Users, Says It Will Tweak Data Collection Program

Russia tweaks Telegram with tiny fine for decryption denial

Encrypted messaging app Telegram must pay 800,000 roubles for resisting Russia’s FSB’s demand that it help decrypt user messages.

The fine translates to just under US$14,000, making it less of a serious punishment and more a shot across the bows.
[…]
Telegram founder Pavel Durov has posted to Russian social site VK.com that it’s not possible to comply.

“In addition to the fact that the requirements of the FSB are not technically feasible, they contradict Article 23 of the Constitution of the Russian Federation: ‘Everyone has the right to privacy of correspondence, telephone conversations, postal, telegraphic and other communications,’” he wrote.

He indicated his intention to appeal, and keep doing so “until the claim of the FSB is considered by a judge familiar with the basic law of Russia – its Constitution”.

Source: Russia tweaks Telegram with tiny fine for decryption denial

However, does this mean that Telegram is being seen to speak up for privacy whilst in reality it’s not?

SVR Tracking leaks info for hundreds of thousands of vehicles. Turns out they have been tracking you even when your car wasn’t stolen.

Researchers discovered a misconfigured Amazon AWS S3 bucket that was left publicly available. The breach has exposed information about their customers and re-seller network and also the physical device that is attached to the cars.

The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.

The “SVR” stands for “stolen vehicle records”.
[…]
The software monitors everywhere the car has been back as far as 120 days, including a terrifying feature that pinpoints on the map all of the places a driver has visited. There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been. There is a “recovery mode” that can pinpoint every 2 min or create zone notifications. They claim to have a 99% success rate on recovery but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?

Source: MacKeeper Security: Auto Tracking Company Leaks Hundreds of Thousands of Records Online

ProtonVPN: Secure and Free VPN service for protecting your privacy

We believe privacy and security are fundamental human rights, so we also provide a free version of ProtonVPN to the public. Unlike other free VPNs, there are no catches. We don’t serve ads or secretly sell your browsing history. ProtonVPN Free is subsidized by ProtonVPN paid users. If you would like to support online privacy, please consider upgrading to a paid plan for faster speeds and more features.

Source: ProtonVPN: Secure and Free VPN service for protecting your privacy

Hosted in Switzerland, so privacy invasions are covered by criminal law

Facebook has mapped populations in 23 countries as it explores satellites to expand internet – it knows where you live!

Facebook doesn’t only know what its 2 billion users “Like.”

It now knows where millions of humans live, everywhere on Earth, to within 15 feet.

The company has created a data map of the human population by combining government census numbers with information it’s obtained from space satellites, according to Janna Lewis, Facebook’s head of strategic innovation partnerships and sourcing. A Facebook representative later told CNBC that this map currently covers 23 countries, up from 20 countries mentioned in this blog post from February 2016.

The mapping technology, which Facebook says it developed itself, can pinpoint any man-made structures in any country on Earth to a resolution of five meters.

Facebook is using the data to understand the precise distribution of humans around the planet.

That will help the company determine what types of internet service — based either on land, in the air or in space — it can use to reach consumers who now have no (or very low quality) internet connections.

Source: Facebook has mapped populations in 23 countries as it explores satellites to expand internet

Whilst an impressive feat, it’s pretty damn scary big brother wise!

Uber riders can choose not to be tracked after they are dropped off

In response to a chorus of complaints from its users, Uber is revamping privacy settings that it rolled out last fall.

Beginning this week, Uber riders using the iOS version of the ride-hailing company’s app will find a new series of privacy prompts that includes the ability to deny Uber the right to track your whereabouts. Uber is working on similar tweaks to the Android version of its app.

The new options for Uber app users are: Always (Uber is allowed to collect rider location information from the moment the app is opened until the trip ends), While Using The App (information flows to Uber while the app is visible on the screen) and Never (no info is transmitted but riders have to manually input their pick-up and drop-off locations).

One of the old privacy features that gave many users pause was Uber’s ability to track the whereabouts of riders up to 5 minutes after a ride was completed.

Uber says the 5-minute feature was never activated on the iOS version of its app, and that it was disabled a few months after being initiated on the Android version.

Source: Uber riders can make their trips more private

Smart home IoT stuff gives away a lot of your personal patterns

Spying on the Smart Home: Privacy Attacks and Defenses on Encrypted IoT Traffic – reveals that even when data from devices is encrypted, the metadata can help identify both the device and what it is signaling.

Some devices such as the Nest indoor camera directly communicate with identifiable domain names – in this case ‘dropcam.com.’ That immediately identifies what the product is, and it is then possible to infer from that and the resulting signal what is happening: whether it has detected motion or whether it is live streaming.

Likewise the Sense sleep monitor, TP‑Link smart plug, and Amazon Echo. Even when the devices communicate with a generic DNS server – like Amazon’s AWS service – they typically have a specific IP address that can be used to identify the sensor (the Belkin WeMo switch for example communicated with the very-specific prod1-fs-xbcs-net-1101221371.us-east-1.elb.amazonaws.com address).

By digging into each device’s signal, the team was able to figure out with some certainty exactly what was happening: someone was waking up, someone was turning on a light switch, someone had walked into the kitchen, and so on.

Source: How the CIA, Comcast can snoop on your sleep patterns, sex toy usage
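
To see what the metadata described above gives away on your own network, here is an added example (not code from the paper or the article) that labels devices from DNS names and flags bursts in their encrypted traffic volume. The log records, client addresses, the `stream.` subdomain and the burst factor are constructed assumptions; only the two hostnames come from the text.

```python
"""Added example: what DNS names and traffic volume alone reveal about IoT devices."""
from collections import defaultdict
from statistics import median

# Hostname fingerprints. Only the two names quoted in the article are used.
FINGERPRINTS = {
    "dropcam.com": "Nest indoor camera",
    "prod1-fs-xbcs-net-1101221371.us-east-1.elb.amazonaws.com": "Belkin WeMo switch",
}

# Constructed DNS log: (seconds, client IP, queried name).
DNS_LOG = [
    (0, "192.168.1.20", "stream.dropcam.com."),  # subdomain label is made up
    (2, "192.168.1.21", "prod1-fs-xbcs-net-1101221371.us-east-1.elb.amazonaws.com"),
    (3, "192.168.1.30", "example.org"),
    (4, "192.168.1.30", "notdropcam.com"),       # must not match dropcam.com
]

# Constructed flow records: (seconds, client IP, encrypted bytes sent upstream).
FLOWS = [
    (1, "192.168.1.20", 800), (5, "192.168.1.20", 900),
    (12, "192.168.1.20", 40000), (15, "192.168.1.20", 35000),
    (18, "192.168.1.20", 30000), (25, "192.168.1.20", 700),
    (31, "192.168.1.20", 60000), (42, "192.168.1.20", 500),
    (4, "192.168.1.21", 300), (14, "192.168.1.21", 280),
    (22, "192.168.1.21", 1200), (23, "192.168.1.21", 900),
    (34, "192.168.1.21", 310), (44, "192.168.1.21", 290),
    (6, "192.168.1.30", 90000),                  # unidentified host, ignored
]


def match_device(qname):
    """Return the device label for a queried name, or None if it is unknown."""
    name = qname.rstrip(".").lower()
    for domain, device in FINGERPRINTS.items():
        # Exact match or a true subdomain; "notdropcam.com" does not qualify.
        if name == domain or name.endswith("." + domain):
            return device
    return None


def identify_devices(dns_log):
    """Map each client IP to the device its DNS queries give away."""
    devices = {}
    for _ts, ip, qname in dns_log:
        device = match_device(qname)
        if device is not None:
            devices[ip] = device
    return devices


def activity_windows(flows, devices, window=10, factor=5):
    """Return, per device, the start times of windows with a traffic burst.

    A burst is a window whose byte count exceeds `factor` times the median
    of that device's observed windows (an assumed heuristic, not the paper's
    method). Windows with no traffic at all are not counted.
    """
    volumes = defaultdict(lambda: defaultdict(int))
    for ts, ip, nbytes in flows:
        device = devices.get(ip)
        if device is None:
            continue
        volumes[device][ts - ts % window] += nbytes

    bursts = {}
    for device, per_window in volumes.items():
        baseline = median(per_window.values())
        bursts[device] = sorted(
            start for start, total in per_window.items()
            if total > factor * baseline
        )
    return bursts


if __name__ == "__main__":
    found = identify_devices(DNS_LOG)
    for device, starts in activity_windows(FLOWS, found).items():
        print(f"{device}: activity in windows starting at {starts} s")
```

No payload is decrypted at any point: the device label comes from the name lookup and the activity from byte counts, which is why encryption alone does not hide these patterns.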

Hit App Sarahah Quietly Uploads Your Address Book

Sarahah, a new app that lets people sign up to receive anonymized, candid messages, has been surging in popularity; somewhere north of 18 million people are estimated to have downloaded it from Apple and Google’s online stores, making it the No. 3 most downloaded free software title for iPhones and iPads.

Sarahah bills itself as a way to “receive honest feedback” from friends and employees. But the app is collecting more than just feedback messages. When launched for the first time, it immediately harvests and uploads all phone numbers and email addresses in your address book. Although Sarahah does in some cases ask for permission to access contacts, it does not disclose that it uploads such data, nor does it seem to make any functional use of the information.

Zachary Julian, a senior security analyst at Bishop Fox, discovered Sarahah’s uploading of private information when he installed the app on his Android phone, a Galaxy S5 running Android 5.1.1. The phone was outfitted with monitoring software, known as Burp Suite, which intercepts internet traffic entering and leaving the device, allowing the owner to see what data is sent to remote servers. When Julian launched Sarahah on the device, Burp Suite caught the app in the act of uploading his private data.

“As soon as you log into the application, it transmits all of your email and phone contacts stored on the Android operating system,” he said. He later verified the same occurs on Apple’s iOS, albeit after a prompt to “access contacts,” which also appears in newer versions of Android. Julian also noticed that if you haven’t used the application in a while, it’ll share all of your contacts again. He did some testing of the app on a Friday night, and when he booted the app on a Sunday morning, it pushed all of his contacts again.

Source: Hit App Sarahah Quietly Uploads Your Address Book

The callous way companies like this, Sonos, Uber, Google, Microsoft etc etc etc handle your privacy like it’s dogshit is completely incredible.

AccuWeather caught sending user location data — even when location sharing is off

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.

We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router’s MAC address and public data.

Source: AccuWeather caught sending user location data — even when location sharing is off

Around the same time Sonos is ignoring privacy as well, it looks like everyone is basically just taking the piss with your privacy.

Sonos strongarms customers into giving up privacy, or hardware stops working. Here’s how to Stop Your Sonos From Collecting (As Much) Personal Data

Bad news, Sonos customers: to lay the groundwork for its upcoming voice assistant support, the company is asking users to agree to an updated privacy policy, one that includes both mandatory data collection rules and a mention about future device functionality. Should you disagree with said policy update, your device’s basic functions could stop working, according to Consumerist.

Source: How to Stop Your Sonos From Collecting (As Much) Personal Data

In a blog post, Sonos claimed the update was necessary to “improve your listening experience” and identify issues by analyzing collected error information. Its earlier privacy policy (you can check it out here) allowed users to choose whether or not they wanted to register their device with Sonos for data collection. The new one says that opting out of “Functional Data collection” is not an option.

Data Collection is Mandatory

Data collected previously included information about equalizer usage, playback errors, and time spent listening to local or streaming music. Its new privacy policy, however, collects what the company is calling “Functional Data,” information Sonos claims is “absolutely necessary for your Sonos System to perform its basic functions in a secure way.” Functional Data includes personal information like location data, IP addresses, and more:

Registration data:

This data includes your email address, location, language preference, Product serial number, IP address, and Sonos account login information (as described above).

System data:

This data includes things like product type, controller device type, operating system of controller, software version information, content source (audio line in), signal input (for example, whether your TV outputs a specific audio signal such as Dolby to your Sonos system), information about wifi antennas, audio settings (such as equalization or stereo pair), Product orientation, room names you have assigned to your Sonos Product, whether your product has been tuned using Sonos Trueplay technology, and error information.

Sonos is also trying to collect performance and activity information shown below, otherwise known as Additional Usage Data:

Performance Information:

This includes things like temperature of your Product, Wi-Fi information such as signal strength, what music services you have connected to your Sonos system (including, for some services, your login username – but not password – for such service), information about how often you use the Sonos app versus another control mechanism, flow of interactions within the Sonos app, how often you use the physical controls on the unit, and location data when the Sonos app is in use, and duration of Sonos Product use.

Activity Information:

This includes duration of music service use, Product or room grouping information; command information such as play, pause, change volume, or skip tracks; information about track, playlist, or station container data; and Sonos playlist or Sonos favorites information; each correlated to individual Sonos Products.

How to (Partially) Protect Yourself

For now, as long as you don’t enable voice assistant support, you can opt out of sharing the aforementioned Additional Usage Data with Sonos by adjusting some settings in your apps.

Sonos for iOS or Android:

From the Sonos music menu, tap Settings.
Tap Advanced Settings.
Tap Usage Data then Turn off Usage Data Sharing.

Sonos for Mac:

From the menu bar at the top of your screen click Sonos then Preferences.
On the left side of the window, click Advanced.
Click Improve Sonos.
Check the box that reads Turn usage data sharing off.

Sonos for PC:

From the menu bar at the top of the Sonos app click Manage then Settings.
On the left side of the window, click Advanced.
Click Improve Sonos.
Check the box that reads Turn usage data sharing off.

If you’re concerned about the data Sonos may have already collected, you can edit or delete it by accessing your Sonos account online or going through the Sonos app, though deleting personal data could render your Sonos device useless. You can also shoot Sonos an email and ask them to delete your personal data, if you’re into that.

And the US high courts still say that accepting this kind of terms of service is legal. Sonos hardware is expensive and forcing people to change the terms of their use after the financial investment makes it even worse than the disgrace that this kind of behavior is already.

70% of Windows 10 users haven’t turned off privacy invasion

Microsoft claims seven out of ten Windows 10 users are happy with Redmond gulping loads of telemetry from their computers – which isn’t that astounding when you realize it’s a default option.

In other words, 30 per cent of people have found the switch to turn it off, and the rest haven’t, don’t realize it’s there, or are genuinely OK with the data collection.
[…]
Essentially, if you’re on Home or Pro, you can’t tell your OS to not phone home. And, sure, this information – from lists of hardware and apps installed to pen gestures – is useful to Microsoft employees debugging code that’s running in the field. But we’re all adults here, and some folks would like the option to not have any information leaving their systems.

Source: 70% of Windows 10 users are totally happy with our big telemetry slurp, beams Microsoft

Nice spin, to say people “choose” the default option, when it isn’t a choice people actually can make!

This is why I am leaving Windows for what it is and moving to Linux Mint.

Disney sued for allegedly spying on children through 42 gaming apps

A federal class action lawsuit filed last week in California alleges that the Walt Disney Company is violating privacy protection laws by collecting children’s personal information from 42 of its apps and sharing the data with advertisers without parental consent.

The lawsuit targets Disney and three software companies — Upsight, Unity, and Kochava — alleging that the companies created mobile apps aimed at children that contained embedded software to track, collect, and then export their personal information along with information about their online behavior. The plaintiff, a San Francisco woman named Amanda Rushing, says she was unaware that information about her child, “L.L.,” was collected while playing mobile game Disney Princess Palace Pets, and that data was then sold to third parties for ad targeting.

The Verge

With a single wiretap order, US authorities listened in on 3.3 million phone calls

US authorities intercepted and recorded millions of phone calls last year under a single wiretap order, authorized as part of a narcotics investigation.

The wiretap order authorized an unknown government agency to carry out real-time intercepts of 3.29 million cell phone conversations over a two-month period at some point during 2016, after the order was applied for in late 2015.

The order was signed to help authorities track 26 individuals suspected of involvement with illegal drug and narcotic-related activities in Pennsylvania.

The wiretap cost the authorities $335,000 to conduct and led to a dozen arrests.

But the authorities noted that the surveillance effort led to no incriminating intercepts, and none of the handful of those arrested have been brought to trial or convicted.