Inaudible Soundwaves Expose a Spooky New Pathway for Hackers

The underlying technology in question is known as ultrasonic cross-device tracking, or uXDT. Cross-device tracking has been called a ‘holy grail’ for marketers, allowing them to, for instance, tell your phone when you’re watching a particular TV show, or share data about laptop web browsing to your tablet.

[…]

The UCL team says the lack of disclosure and opt-out options on widely-installed uXDT apps represents an even bigger threat, though. Such apps often actively listen for ultrasound signals, even when the app itself is closed, creating a new and relatively poorly-understood pathway for hacking.

The researchers have already found ways to mine cloaked IP addresses. Speaking to New Scientist, UCL team member Vasilios Mavroudis suggests that an app’s always-on microphone access could be leveraged to monitor conversations (and, if you’re not paranoid already, to decipher what you’re typing). The ‘beacons’ that transmit ultrasound data can also be spoofed to manipulate apps’ user data.

Source: Inaudible Soundwaves Expose a Spooky New Pathway for Hackers

Meanwhile, in America: Half of adults’ faces are in police databases

Images representing 117 million American adults – almost half the grownups in the country – can be found in the facial recognition databases maintained by US law enforcement agencies, according to a study conducted by the Center on Privacy and Technology at Georgetown Law School.

That figure is expected to grow as facial recognition technology becomes more capable and more commonplace. Yet such systems have very little oversight.
[…]
“Transparency makes a lot of the problems we’ve noticed easier to detect,” said Frankle.

Some of these problems include: the disproportionate representation of African Americans in US law enforcement databases; the potentially chilling effect of facial recognition on free speech; lack of reliable information on the accuracy of facial recognition systems; and unsettled questions about the circumstances under which facial recognition might violate Fourth Amendment protections against unreasonable searches.
[…]
At the same time, the utility of the technology remains open to question. Where public data about the efficacy of facial recognition searches exists, it’s not particularly compelling. “Of the FBI’s 36,420 searches of state license photo and mug shot databases, only 210 (0.6 per cent) yielded likely candidates for further investigations,” the study says. “Overall, 8,590 (4 per cent) of the FBI’s 214,920 searches yielded likely matches.”

What’s more, reliable metrics for the accuracy of facial recognition systems are scarce. For example, FaceFirst, a facial recognition vendor, advertises “an identification rate above 95 per cent.” The CPT study claims this is misleading and cites a 2015 contract with the San Diego Association of Governments that disclaims any specific success rate: “FaceFirst makes no representations or warranties as to the accuracy and reliability of the product in the performance of its facial recognition capabilities.”
[…]
The study cites a facial recognition test conducted with real-time video in Mainz, Germany, from 2006 to 2007, where accuracy was 60 per cent during the day and 10 to 20 per cent at night.
[…]
“Face recognition can and should be used to respond to serious crimes and public emergencies,” the study concludes. “It should not be used to scan the face of any person, at any time, for any crime.”

Source: Meanwhile, in America: Half of adults’ faces are in police databases

Using search warrants to get into fingerprint-locked phones

Investigators in Lancaster, Calif., were granted a search warrant last May with a scope that allowed them to force anyone inside the premises at the time of search to open up their phones via fingerprint recognition, Forbes reported Sunday.

The government argued that this did not violate the citizens’ Fifth Amendment protection against self incrimination because no actual passcode was handed over to authorities. Forbes was able to confirm with the residents of the building that the warrant was served, but the residents did not give any more details about whether their phones were successfully accessed by the investigators.

“I was frankly a bit shocked,” said Andrew Crocker, a staff attorney at the Electronic Frontier Foundation (EFF), when he learned about the scope of search warrant. “As far as I know, this warrant application was unprecedented.”

Crocker said that it’s both the fingerprint lock method and the wide reach of the warrant that are so surprising. Search warrants are typically required to be narrow and clear in scope, but this one was extended to include any phone that happens to be on the property, and all of the private data that that entails. He also described requiring phones to be unlocked via fingerprint, which does not technically count as handing over a self-incriminating password, as a “clever end-run” around constitutional rights.

Source: Using search warrants to get into fingerprint-locked phones

Court finds GCHQ and MI5 engaged in illegal bulk data collection

The mysterious Investigatory Powers Tribunal, which oversees Blighty’s snoops, has ruled that the bulk collection of personal data — conducted by GCHQ and MI5 between 1998 and 2015 — was illegal.

Responding to a claim brought by Privacy International, the 70-page judgment handed down this morning [PDF] found that the spooks’ surveillance activities had been taking place without adequate safeguards or supervision for over a decade; and as such were in breach of Article 8 of the European Convention on Human Rights.

[…]

There are huge risks associated with the use of bulk communications data. It facilitates the almost instantaneous cataloguing of entire populations’ personal data. It is unacceptable that it is only through litigation by a charity that we have learnt the extent of these powers and how they are used.

The public and Parliament deserve an explanation as to why everyone’s data was collected for over a decade without oversight in place and confirmation that unlawfully obtained personal data will be destroyed.

Source: Court finds GCHQ and MI5 engaged in illegal bulk data collection

One win for transparency. Will the UK gov care? Doubt it.

UK wants to monitor fake boobs, claims event 6 years ago is catalyst

The Breast and Cosmetic Implant Registry (BCIR) is intended to prevent a repeat of the faulty Poly Implant Prothèse (PIP) silicone breast implants scandal in 2010, in which fraudulently manufactured silicone gel implants affected thousands of women.

Its establishment is in response to recommendation 21 in Sir Bruce Keogh’s Review of the Regulation of Cosmetic interventions, which called for a cosmetic implant registry “to provide better monitoring of patient outcomes and device safety”.

[…]

The registry is expected to record more than 20,000 cases of implant surgery annually. Reporting of data will be done by the provider, via an online portal.

Source: New UK National silicone database will help avoid boobs

This makes no sense whatsoever to me, but for the life of me I can’t understand what other purpose the UK has in collecting such a specific set of surgery data.

Apple, Microsoft: We Have No Govt Email Scanning Program Like Yahoo’s

Yahoo, as detailed in an explosive new report, does precisely that. According to Reuters, in 2015, the company built, at the U.S. government’s request, software that scans literally all emails for certain information provided by either the National Security Agency or the FBI. It’s not clear how often it was used, or why this seems to have gone unnoticed in Yahoo’s biannual transparency report. In the latter half of 2015, the company received 4,460 total government data requests, for 9,373 accounts, that it would classify as “Government Data Requests,” a category that includes National Security Letters from the FBI and Foreign Intelligence Surveillance Act requests.

Source: Apple, Microsoft: We Have No Govt Email Scanning Program Like Yahoo’s – Vocativ

Apple, MS and Google are claiming they don’t have a similar program, but it could very well be that they just don’t know they have such a program.

Source code unleashed for junk-blasting Internet of Things botnet

Malicious code used to press-gang IoT connected devices into a botnet was leaked online over the weekend.

The Mirai malware is a DDoS Trojan and targets Linux systems and, in particular, IoT devices. A botnet formed using the malware was used to blast junk traffic at the website of security researcher Brian Krebs last month in one of the largest such attacks ever recorded.

The powerful zombie network that spawned a 620Gbps DDoS was created by relying on factory default or hard-coded usernames and passwords to compromise embedded devices. The availability of the Mirai source code makes it much easier for other hackers to take advantage of insecure routers, IP cameras, digital video recorders and other IoT devices to launch similar attacks.

Security blogger Hacker Fantastic, who has put together an informative early analysis of the malware, summed up the feelings of several security researchers who have looked at the code. “If all it took to create biggest recorded DDoS attack in history was a telnet scanner and 36 weak credentials the net has a huge IoT problem,” he said on Twitter.

Source: Source code unleashed for junk-blasting Internet of Things botnet • The Register

Find the code here

Encryption app Signal wins fight against FBI subpoena and gag order

Signal has resisted a FBI subpoena and gag order that demanded a wide range of information on two users resulted in a federal grand jury investigation in Virginia.

The makers of Signal, Open Whisper Systems, profoundly disappointed law enforcement. The app collects as little data as possible and therefore was unable to hand anything useful over to agents.

“The Signal service was designed to minimize the data we retain,” Moxie Marlinspike, the founder of Open Whisper Systems, told the New York Times.
The subpoena came with a yearlong gag order that was successfully challenged by the American Civil Liberties Union.

Such gag orders have been used against tech giants including Microsoft. Critics argue they violate the targets’ rights.

Signal’s creators challenged the gag order as unconstitutional, “because it is not narrowly tailored to a compelling government interest.” The challenge was successful.

Source: Encryption app Signal wins fight against FBI subpoena and gag order

Nice to see the good guys win for a change!

Apple Logs Your iMessage Contacts — and May Share Them With Police

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

This log also includes the date and time when you entered a number, along with your IP address — which could, contrary to a 2013 Apple claim that “we do not store data related to customers’ location,” identify a customer’s location. Apple is compelled to turn over such information via court orders for systems known as “pen registers” or “trap and trace devices,” orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are “likely” to obtain information whose “use is relevant to an ongoing criminal investigation.” Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.

Source: Apple Logs Your iMessage Contacts — and May Share Them With Police

Google’s become an obsessive stalker and you can’t get a restraining order

The FCC has been formally regulating behavioural advertising since the 1990s. You’d think they’d be all over Google and Facebook, then, right? Actually, no. The FCC is now run by a former Obama fund-raiser, Tom Wheeler, and it can’t do enough for Silicon Valley, whether it’s collectivising songwriters rights or disaggregating TV.

What the FCC did this year, with little fanfare, was cripple telecoms companies and wireless networks from doing what Google and Facebook do. That’s a very odd decision. If behavioural advertising is so bad consumers need an opt-out, how come you can opt out of your ISP’s profiling, but not Google’s. How could that be?

Don’t count on “digital rights” groups to help you, dear citizen, when we discover that Google is funding them. Privacy lawsuits became cosy backroom carve-ups, with privacy NGOs greedy to pocket Google’s cash. Marc Rotenberg at EPIC is one of very few exceptions: they object to the conflict of interests raised by the cy pres settlements, that saw “digital rights” groups raise a privacy class action only to settle. Money laundering might be a better description.

Source: Google’s become an obsessive stalker and you can’t get a restraining order

Oddly enough, I had Google Maps ask me to take pictures of the restaurant I was in as a notification yesterday. That kind of freaked me out, as I wasn’t running maps at the time!

Users have reported battery life issues with the latest Android build, with many pointing the finger at Google Play – Google’s app store – and its persistent, almost obsessive need to check where you are.

Amid complaints that Google Play is always switching on GPS, it appears Google has made it impossible to prevent the app store from tracking your whereabouts unless you completely kill off location tracking for all applications.

You can try to deny Google Play access to your handheld’s location by opening the Settings app and digging through Apps -> Google Play Store -> Permissions, and flipping the switch for “location.” But you’ll be told you can’t just shut out Google Play services: you have to switch off location services for all apps if you want to block the store from knowing your whereabouts. It’s all or nothing, which isn’t particularly nice.

This is because Google Play services pass on your location to installed apps via an API. The store also sends your whereabouts to Google to process. Google doesn’t want you to turn this off.

It also encourages applications to become dependent on Google’s closed-source Play services, rather than use the interfaces in the open-source Android, thus ensuring that people continue to run Google Play on their devices.

Delete Google Maps? Go ahead, says Google, we’ll still track you

NL Gov gets rid of medical confidentiality

NO, there is no opt out! The Dutch government has passed a law allowing insurance companies to access medical files with a “suspicion of fraud” (whatever that is) and only have to tell the person whose privacy has been infringed three months later.

Medical privacy is one of the last untouchable bastions of privacy, I would have thought, but no, it’s been smashed. Fuckheads.

Source: De Tweede Kamer heeft het medisch beroepsgeheim gisteren stilletjes afgeschaft

UK Gov is open about how much it spied on its citizens

145 public authorities acquired data in 2015, and most of these requests came from the UK’s police forces and law enforcement agencies. Law enforcement officers acquired 93.7 per cent of all data requested by public authorities in 2015. Only 5.7 per cent of data was acquired by the intelligence agencies, and a mere 0.6 by public authorities such as the Financial Conduct Authority, which have the statutory ability to investigate criminal offences.

0.1 per cent of requests came from local authorities such as councils.

1,199 errors

IOCCO conducted 72 inspections in 2015, looking at approximately 15,000 randomly selected applications for communications data in detail, with a further 117,000 applications being subjected to query-based examinations; IOCCO has an internally-developed query method on the records of applications to allow the office to “identify trends, patterns and compliance issues across large volumes of applications.”
[…]
A whopping 1,199 errors were reported in 2015, a 20 per cent increase year-on-year. IOCCO reported:

The main causes for the overall rise are a larger number of incorrect identifiers being submitted by applicants on their applications or, both applications and [Single Points of Contact] acquiring data over the incorrect date or time period. Once again we highlight that a significant number of these errors relate to Internet Protocol addresses being incorrectly resolved to subscribers, which can have serious consequences.

23 of these errors were considered “serious” in 2015; nine of them caused by technical system errors and 14 were attributed to human error. The nine technical system errors resulted in “multiple consequences and a large number of erroneous disclosures (2036)” while the human errors were not dissimilar to those reported by IOCCO last year, in which a typo led to a police force raiding the wrong house.

There were 17 search warrants executed at the wrong premises in 2015, which resulted in 13 arrests, although IOCCO did not give any more details on the circumstances of those. Six of those serious consequences involved people unconnected to the investigations being “visited” by police, and on seven occasions—as happened last year—welfare checks on vulnerable people, including children, were delayed.

Joanna Cavan, the head of IOCCO who has just a few weeks left at the oversight body before joining GCHQ’s tech help desk, informed The Register that the most frequent error was caused by transposing the days and months when accommodating the American format of presenting the time.
[…]
Back in February last year IOCCO published an inquiry report [PDF] into police forces acquiring journalists’ communications data to identify and determine journalistic sources. […] IOCCO discovered it had been breached during four investigations, and in one case the commissioner, Sir Stanley Burton, determined that the conduct was serious and reckless.

Source: Brit spies and chums slurped 750k+ bits of info on you last year

How to opt out of WhatsApp sharing your information with Facebook

Since Facebook owns WhatsApp, it’s finally time for the purchase to pay off. Facebook now wants your WhatsApp data, including your phone number. Here’s how to opt out.

Source: How to opt out of WhatsApp sharing your information with Facebook

You have 30 days.

Why is this a problem, what have they done? What do we not know? Does it matter? Read here

Find Out How Facebook Thinks You Think With This Setting

To get started, head to facebook.com/ads/preferences. Here, you’ll find a large collection of “interests” Facebook thinks you have, sorted into categories. Click on “Lifestyle and Culture” to find, among other things, where you land politically. If you haven’t explicitly Liked the Facebook page of a particular politician, Facebook will guess and place that guess here.

The entire ad preferences page is a fascinating look into how Facebook analyzes and categorizes its users. If you don’t want a particular topic influencing the ads you see, you can remove it here. Obviously, you can’t turn it off entirely, but you can tweak it.

Source: Find Out How Facebook Thinks You Lean Politically With This Setting

All of the Creepy Things Facebook Knows About You

Facebook knows more about your personal life than you probably realize. As part of the company’s increasingly aggressive advertising operation, Facebook goes to great lengths to track you across the web. The company compiles a list of personal details about every user that includes major life events and general interests. For years, details have been murky about how exactly the social network targets ads—but the company has finally given us a glimpse into how the secret sauce is made.
[…]
As The Washington Post points out, Facebook knows every time you visit a page with a “like” or “share” button. It also gives publishers a tool called Facebook Pixel that allows both parties to track visits from any Facebook user. It also works with companies like Epsilon and Acxiom who gather information from government records, warranties and surveys, and commercial sources (such as magazine subscription lists) to learn more about Facebook users.
[…]
If you’re curious about all the data points Facebook is using to target ads to you, here’s the full list:

    Location
    Age
    Generation
    Gender
    Language
    Education level
    Field of study
    School
    Ethnic affinity
    Income and net worth
    Home ownership and type
    Home value
    Property size
    Square footage of home
    Year home was built
    Household composition
    Users who have an anniversary within 30 days
    Users who are away from family or hometown
    Users who are friends with someone who has an anniversary, is newly married or engaged, recently moved, or has an upcoming birthday
    Users in long-distance relationships
    Users in new relationships
    Users who have new jobs
    Users who are newly engaged
    Users who are newly married
    Users who have recently moved
    Users who have birthdays soon
    Parents
    Expectant parents
    Mothers, divided by “type” (soccer, trendy, etc.)
    Users who are likely to engage in politics
    Conservatives and liberals
    Relationship status
    Employer
    Industry
    Job title
    Office type
    Interests
    Users who own motorcycles
    Users who plan to buy a car (and what kind/brand of car, and how soon)
    Users who bought auto parts or accessories recently
    Users who are likely to need auto parts or services
    Style and brand of car you drive
    Year car was bought
    Age of car
    How much money user is likely to spend on next car
    Where user is likely to buy next car
    How many employees your company has
    Users who own small businesses
    Users who work in management or are executives
    Users who have donated to charity (divided by type)
    Operating system
    Users who play canvas games
    Users who own a gaming console
    Users who have created a Facebook event
    Users who have used Facebook Payments
    Users who have spent more than average on Facebook Payments
    Users who administer a Facebook page
    Users who have recently uploaded photos to Facebook
    Internet browser
    Email service
    Early/late adopters of technology
    Expats (divided by what country they are from originally)
    Users who belong to a credit union, national bank or regional bank
    Users who invest (divided by investment type)
    Number of credit lines
    Users who are active credit card users
    Credit card type
    Users who have a debit card
    Users who carry a balance on their credit card
    Users who listen to the radio
    Preference in TV shows
    Users who use a mobile device (divided by what brand they use)
    Internet connection type
    Users who recently acquired a smartphone or tablet
    Users who access the Internet through a smartphone or tablet
    Users who use coupons
    Types of clothing user’s household buys
    Time of year user’s household shops most
    Users who are “heavy” buyers of beer, wine or spirits
    Users who buy groceries (and what kinds)
    Users who buy beauty products
    Users who buy allergy medications, cough/cold medications, pain relief products, and over-the-counter meds
    Users who spend money on household products
    Users who spend money on products for kids or pets, and what kinds of pets
    Users whose household makes more purchases than is average
    Users who tend to shop online (or off)
    Types of restaurants user eats at
    Kinds of stores user shops at
    Users who are “receptive” to offers from companies offering online auto insurance, higher education or mortgages, and prepaid debit cards/satellite TV
    Length of time user has lived in house
    Users who are likely to move soon
    Users who are interested in the Olympics, fall football, cricket or Ramadan
    Users who travel frequently, for work or pleasure
    Users who commute to work
    Types of vacations user tends to go on
    Users who recently returned from a trip
    Users who recently used a travel app
    Users who participate in a timeshare

Source: All of the Creepy Things Facebook Knows About You

I’d quite like to know the answers Facebook has filled in to my datapoints myself!

Spybot Anti-Beacon for Windows

Anti-Beacon is small, simple to use, and is provided free of charge. It was created to address the privacy concerns of users of Windows 10 who do not wish to have information about their PC usage sent to Microsoft. Simply clicking “Immunize” on the main screen of Anti-Beacon will immediately disable any known tracking features included by Microsoft in the operating system.

Source: Spybot Anti-Beacon for Windows

Thailand plans to track non-citizens with their mobile phones

the plan’s not in action yet but has been agreed in principle. It’s hoped the scheme will be up and running in about six months, by which time you’ll only be able to buy trackable SIMs when you visit.

The good news is that if your phone roams, you’ll be exempt. And with roaming plans now catering to travellers there’s a good chance you can bring your phone to Phuket without taking a bath on roaming charges.

Resident aliens will be moved to the trackable SIMs. Many such folk move to Thailand to invest or bring expertise to the nation and are unlikely to be happy that their every move is observed. One small upside is that the nation’s telecoms regulators aren’t entirely sure how to make the tracking work, with cell connection data and GPS both under consideration.

Source: Thailand plans to track non-citizens with their mobile phones

Your battery status is being used to track you online

A little-known web standard that lets site owners tell how much battery life a mobile device has left has been found to enable tracking online, a year after privacy researchers warned that it had the potential to do just that.

The battery status API was introduced in HTML5, the fifth version of the code used to lay out the majority of the web, and had already shipped in Firefox, Opera and Chrome by August 2015. It allows site owners to see the percentage of battery life left in a device, as well as the time it will take to discharge or the time it will take to charge, if connected to a power source.

Intended to allow site owners to serve low-power versions of sites and web apps to users with little battery capacity left, soon after it was introduced, privacy researchers pointed out that it could also be used to spy on users. The combination of battery life as a percentage and battery life in seconds offers 14m combinations, providing a pseudo-unique identifier for each device.
[…]
Now, two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Engelhard and Arvind Narayanan found two tracking scripts that used the API to “fingerprint” a specific device, allowing them to continuously identify it across multiple contexts.

Source: Your battery status is being used to track you online | Technology | The Guardian
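
An added example, not code from the article or from the Princeton researchers: a small audit wrapper that records which battery properties a script reads and flags scripts that read the charge level together with a time estimate, the combination the excerpt says forms a pseudo-unique identifier. The function names, the stand-in navigator, the two sample scripts and the flagging rule are all assumptions made for illustration.

```javascript
// Properties the Battery Status API exposes on the object getBattery() resolves to.
const BATTERY_PROPS = new Set(['charging', 'level', 'chargingTime', 'dischargingTime']);

// Wrap one battery object so every read of a battery property is appended to `log`
// together with the label of the script the wrapper was handed to (hypothetical helper).
function auditBatteryManager(battery, scriptLabel, log) {
  return new Proxy(battery, {
    get(target, prop) {
      if (BATTERY_PROPS.has(prop)) log.push({ script: scriptLabel, prop });
      // Read with the real object as receiver so native getters keep working,
      // and bind methods (e.g. addEventListener) back to the real object.
      const value = Reflect.get(target, prop, target);
      return typeof value === 'function' ? value.bind(target) : value;
    },
  });
}

// Navigator-like view for a single script: getBattery() still returns a Promise,
// but it resolves to the audited object instead of the raw one.
function auditNavigator(nav, scriptLabel, log) {
  return {
    getBattery: () =>
      nav.getBattery().then((b) => auditBatteryManager(b, scriptLabel, log)),
  };
}

// Assumed heuristic: a script that only needs a low-power mode reads `level`
// (and perhaps `charging`); one that reads `level` plus a time estimate is
// collecting the combination the article describes as an identifier.
function flagFingerprintLikeReads(log) {
  const seen = new Map();
  for (const { script, prop } of log) {
    if (!seen.has(script)) seen.set(script, new Set());
    seen.get(script).add(prop);
  }
  const flagged = [];
  for (const [script, props] of seen) {
    const readsTime = props.has('chargingTime') || props.has('dischargingTime');
    if (props.has('level') && readsTime) flagged.push(script);
  }
  return flagged.sort();
}

// Constructed stand-in for the browser's navigator object, with constructed readings.
function fakeNavigator() {
  const battery = { charging: false, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 };
  return { getBattery: () => Promise.resolve(battery) };
}

// Constructed sample script 1: the intended use, deciding whether to serve a low-power page.
async function lowPowerScript(nav) {
  const b = await nav.getBattery();
  return b.level < 0.2 && !b.charging;
}

// Constructed sample script 2: reads the level and both time estimates.
async function trackerLikeScript(nav) {
  const b = await nav.getBattery();
  return [b.level, b.dischargingTime, b.chargingTime];
}

// Run both sample scripts against the audited view and report what was flagged.
async function runDemo() {
  const log = [];
  const nav = fakeNavigator();
  await lowPowerScript(auditNavigator(nav, 'low-power.js', log));
  await trackerLikeScript(auditNavigator(nav, 'tracker.js', log));
  return { log, flagged: flagFingerprintLikeReads(log) };
}

runDemo().then((result) => console.log('flagged scripts:', result.flagged));
```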

A legal approach to mitigate anonymisation with risk

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of anonymization is to focus on the process of minimizing risk of reidentification and sensitive attribute disclosure, not preventing harm. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been “anonymized.” It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.
paper here

Spotify is now selling your information to advertisers

The popular streaming service is now the latest platform that is opening its data to targeted advertising. Everything from your age and gender, to the music genres you like to listen to will be available to various third-party companies.

Spotify is calling it programmatic buying and has already enabled it. Advertisers will have access to the 70 million people that use Spotify’s free, ad-supported streaming across 59 countries. By viewing your song picks, these buyers will be able to look for specific users who might be the best matches for the products they’re selling.

Source: Spotify is now selling your information to advertisers

Russian leader Putin signs controversial ‘Big Brother’ law

the new legislation — which Edward Snowden has called “Russia’s new Big Brother law” — is not only severe against those involved in “international terrorism,” its financing, and its non-denunciation. Law enforcement agencies will also be granted access to any user’s messages without any judicial oversight.

Several key provisions will directly affect the internet and telecom industry. In particular, telecom operators and internet resources will need to store the recordings of all phone calls and the content of all text messages for a period of six months. They will be required to cooperate with the Federal Security Service (FSB) to make their users’ communications fully accessible to this organization.

Source: Russian leader Putin signs controversial ‘Big Brother’ law

UK Police Accessed Civilian Data 1283 times for Fun and Profit, New Report Says

More than 800 UK police staff inappropriately accessed personal information between June 2011 and December 2015, according to a report from activist group Big Brother Watch.

The report says some police staff used their access to a growing trove of police data, which includes personal information on civilians, for entertainment and personal and financial gain.

Not only was some information not needed for official police work, according to the report, but was shared with third parties outside the police, including some organized crime groups, 877 times.

In total, 2,315 incidents of inappropriate access or distribution of data were reported.

The majority of incidents, 1,283, ended up with no disciplinary action taking place, while 297 ended in a resignation or dismissal, 258 resulted in a written or verbal warning, and 70 led to a criminal conviction or caution.