A little-known web standard that lets site owners tell how much battery life a mobile device has left has been found to enable tracking online, a year after privacy researchers warned that it had the potential to do just that.

The battery status API was introduced in HTML5, the fifth version of the code used to lay out the majority of the web, and had already shipped in Firefox, Opera and Chrome by August 2015. It allows site owners to see the percentage of battery life left in a device, as well as the time it will take to discharge or the time it will take to charge, if connected to a power source.

Intended to allow site owners to serve low-power versions of sites and web apps to users with little battery capacity left, soon after it was introduced, privacy researchers pointed out that it could also be used to spy on users. The combination of battery life as a percentage and battery life in seconds provides offers 14m combinations, providing a pseudo-unique identifier for each device.
[…]
Now, two security researchers from Princeton University have shown that the battery status indicator really is being used in the wild to track users. By running a specially modified browser, Steve Engelhard and Arvind Narayanan found two tracking scripts that used the API to “fingerprint” a specific device, allowing them to continuously identify it across multiple contexts.

Source: Your battery status is being used to track you online | Technology | The Guardian

Perfect anonymization of data sets that contain personal information has failed. But the process of protecting data subjects in shared information remains integral to privacy practice and policy. While the deidentification debate has been vigorous and productive, there is no clear direction for policy. As a result, the law has been slow to adapt a holistic approach to protecting data subjects when data sets are released to others. Currently, the law is focused on whether an individual can be identified within a given set. We argue that the best way to move data release policy past the alleged failures of anonymization is to focus on the process of minimizing risk of reidentification and sensitive attribute disclosure, not preventing harm. Process-based data release policy, which resembles the law of data security, will help us move past the limitations of focusing on whether data sets have been “anonymized.” It draws upon different tactics to protect the privacy of data subjects, including accurate deidentification rhetoric, contracts prohibiting reidentification and sensitive attribute disclosure, data enclaves, and query-based strategies to match required protections with the level of risk. By focusing on process, data release policy can better balance privacy and utility where nearly all data exchanges carry some risk.
paper here

The popular streaming service is now the latest platform that is opening its data to targeted advertising. Everything from your age and gender, to the music genres you like to listen will be available to various third-party companies.

Spotify is calling it programmatic buying and has already enabled it. Advertisers will have access to the 70 million people that use Spotify’s free, ad-supported streaming across 59 countries. By viewing your song picks, these buyers will be able to look for specific users who might be the best matches for the products they’re selling.

Source: Spotify is now selling your information to advertisers

the new legislation — which Edward Snowden has called “Russia’s new Big Brother law” — is not only severe against those involved in “international terrorism,” its financing, and its non-denunciation. Law enforcement agencies will also be granted access to any user’s messages without any judicial oversight.

Several key provisions will directly affect the internet and telecom industry. In particular, telecom operators and internet resources will need to store the recordings of all phone calls and the content of all text messages for a period of six months. They will be required to cooperate with the Federal Security Service (FSB) to make their users’ communications fully accessible to this organization.

Source: Russian leader Putin signs controversial ‘Big Brother’ law

More than 800 UK police staff inappropriately accessed personal information between June 2011 and December 2015, according to a report from activist group Big Brother Watch.

The report says some police staff used their access to a growing trove of police data, which includes personal information on civilians, for entertainment and personal and financial gain.

ot only was some information not needed for official police work, according to the report, but was shared with third parties outside the police, including some organized crime groups, 877 times.

In total, 2,315 incidents of inappropriate access or distribution of data were reported.

The majority of incidents, 1,283, ended up with no disciplinary action taking place, while 297 ended in a resignation or dismissal, 258 resulted in a written or verbal warning, and 70 led to a criminal conviction or caution.

Facebook wants to show advertisers that their ads make you visit their bricks-and-mortar stores and buy their stuff. To do this, they’ll use phones’ location services to track whether people actually walk into the stores after seeing an ad.

Source: Facebook Will Start Tracking Which Stores You Walk Into

Researchers from the University of Washington and the University of California, San Diego did an experiment to see what could be learned from just the information many cars are already recording. The result was that the way people drove was as identifiable as a fingerprint. […] When it was given data from all 16 sensors for the whole drive, the match was made 100 percent of the time. When it was given data from five sensors, three sensors, and even just the brake pedal, the match was made 100 percent of the time.

On just 15 minutes of data and all 16 sensors, the match was made 100 percent of the time. Just the brake pedal was 87 percent accurate.

This research reveals just how much data your car is actually collecting—and that turning over all that data through apps or insurance company dongles may be revealing more about yourself than you realize. Tesla, with its auto-uploading feature, probably knows a lot about its drivers.

Source: You Can Absolutely Be Identified Just By How You Drive

In a study published online Monday in the journal Proceedings of the National Academy of Sciences, Stanford University researchers demonstrated how they used publicly available sources—like Google searches and the paid background-check service Intelius—to identify “the overwhelming majority” of their 823 volunteers based only on their anonymized call and SMS metadata.

Using data collected through a special Android app, the Stanford researchers determined that they could easily identify people based on their call and message logs.

The results cast doubt on claims by senior intelligence officials that telephone and Internet “metadata”—information about communications, but not the content of those communications—should be subjected to a lower privacy threshold because it is less sensitive.

Contrary to those claims, the researchers wrote, “telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences.” Study shows phone metadata is much more sensitive than top spies admit

The NCC, a consumer rights watchdog, is conducting an investigation into 20 apps’ terms and conditions to see if the apps do what their permissions say they do and to monitor data flows. Tinder has already been reported to the Norwegian data protection authority for similar breaches of privacy laws. The NCC’s investigation into Runkeeper discovered that user location data is tracked around the clock and gets transmitted to a third party advertiser in the U.S. called Kiip.me.

Source: Runkeeper is secretly tracking you around the clock and sending your data to advertisers

In my hands is something dangerous. It is proof that someone moved confidential government data out of Mexico and into the United States. It is a hard drive with 93.4 million downloaded voter registration records— The Mexican voter database.

See the interview with Chris Vickery commenting on this breach:

Before going any further, let’s make one thing very clear. I’m not the one who transmitted the data out of Mexico. Someone else will have to answer for that. However, eight days ago (April 14th), I did discover a publicly accessible database, hosted on an Amazon cloud server, containing these records. There was no password or authentication of any sort required. It was configured purely for public access. Why? I have no clue.

After reporting the situation to the US State Department, DHS, the Mexican Embassy in Washington, the Mexican Instituto Nacional Electoral (INE), and Amazon, the database was finally taken offline April 22nd, 2016.

Under Mexican law, these files are “strictly confidential”, carrying a penalty of up to 12 years in prison for anyone extracting this data from the government for personal gain. We’re talking about names, home addresses, birthdates, a couple of national identification numbers, and a few other bits of info.

Source: BREAKING: Massive Breach of Mexican Voter Data – Blog – MacKeeper™

The new rules include provisions on:

a right to be forgotten,

“clear and affirmative consent” to the processing of private data by the person concerned,

a right to transfer your data to another service provider,

the right to know when your data has been hacked,

ensuring that privacy policies are explained in clear and understandable language, and

stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.

Source: Data protection reform – Parliament approves new rules fit for the digital era

So we get simpler EULAs that no one will read either… But it’s nice to have control over your own data and the right to know when your data has been breeched. Not that you can do much with that knowledge, but ok.

Hotjar is a new and easy way to truly understand your web and mobile site visitors.

Source: Hotjar – Heatmaps, Visitor Recordings, Conversion Funnels, Form Analytics, Feedback Polls and Surveys in One Platform

I’ve been seeing this on more and more sites recently. They state that the service is cheap (but no pricing to be found) and I’m very curious if they keep your data and link it to you as a person on multiple tracked sites?

Clearista products were designed with medical applications in mind before they became beauty products. The idea was that removing the product got you access to traces or biological markers that give an insight into the health of a person. They also cover blemishes and dark spots on the skin. So the CIA is interested, as DNA is one of the markers they can pick up. They use their vehicle In-Q-Tel (IQT) to fund Skincential Sciences, which produces Clearista (among other products)

Source: CIA’s Venture Capital Arm Is Funding Skin Care Products That Collect DNA

Pentagon: DRTBox can usually nab phone’s crypto session keys in under a second.

Source: City cops in Disneyland’s backyard have had “stingray on steroids” for years

Military grade Dirtboxes have been flying for the police without requiring a warrant for years. The 4th Reich irrepresive surveillance machine strikes again – Anaheim won’t be the only police force using this stuff.

Without trust, Microsoft thinks, nobody is going to use any cloud services, and the Snowden revelations put the trustworthiness of all technology suppliers in the spotlight. So when a warrant arrived at Microsoft’s Dublin data centre one day in 2013, a not uncommon occurrence for a cloud host, Microsoft was ready to kick back.

What Microsoft has done is refuse to comply, putting itself voluntarily in contempt of court. At issue is a piece of legislation called the 1986 Stored Communications Act, and the software firm is challenging two key things about it. Firstly, that the act covers private data that happens to be stored on your behalf by a third party (in this case Microsoft). Microsoft argues that the personal data is not its own, much as a UGC hosted YouTube argues that it doesn’t own material that is “stored at users’ direction”
[…]
“These are the private communications of our customers. They’re not ours. We don’t have access to them. We don’t want access to them,” he told an audience this week. “That’s a very different position to saying that any data stored with a cloud provider is a business record of that cloud provider, that can then be turned over to the government. That is a very dangerous precedent.”

And an interview with The Register clarified that point further: “By design we tell customers it is yours, we’re not going to access your data.”

Source: Microsoft legal eagle explains why the Irish Warrant Fight covers your back

Per 1 januari is de naam van het College bescherming persoonsgegevens (CBP) veranderd in Autoriteit Persoonsgegevens. Voortaan kan de Autoriteit Persoonsgegevens boetes opleggen en zijn organisaties verplicht ernstige datalekken direct te melden aan de toezichthouder. Onvoldoende zorgvuldige omgang met persoonsgegevens levert voortaan dus zowel een boete als reputatieschade op. De maximale boete is 820.000 euro.

Source: Nieuwe taken voor Autoriteit Persoonsgegevens – Emerce

This might seem like a slightly strange statistic for Microsoft to keep track of, but the company knows how long, collectively, Windows 10 has been running on computers around the world. To have reached this figure (11 billion hours in December, apparently) Microsoft must have been logging individuals’ usage times

Source: Why is Microsoft monitoring how long you use Windows 10?

When a user installs AVG AntiVirus, a Chrome extension called “AVG Web TuneUp” with extension id chfdnecihphmhljaaejmgoiahnihplgn is force-installed. I can see from the webstore statistics it has nearly 9 million active Chrome users.

the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn’t be surprised if it’s possible to turn this into arbitrary code execution.

Source: Issue 675 – google-security-research – AVG: “Web TuneUP” extension multiple critical vulnerabilities – Google Security Research – Google Project Hosting

One of the excellent features of new Windows devices is that disk encryption is built-in and turned on by default, protecting your data in case your device is lost or stolen. But what is less well-known is that, if you are like most users and login to Windows 10 using your Microsoft account, your computer automatically uploaded a copy of your recovery key – which can be used to unlock your encrypted disk – to Microsoft’s servers, probably without your knowledge and without an option to opt-out.
[…]
As Green puts it, “Your computer is now only as secure as that database of keys held by Microsoft, which means it may be vulnerable to hackers, foreign governments, and people who can extort Microsoft employees.”

Source: Recently Bought a Windows Computer? Microsoft Probably Has Your Encryption Key

Under the original CISA legislation, companies would share their users’ information with federal government departments once it had been anonymized. The government could then analyze it for online threats, while the companies received legal immunity from prosecution for breaking existing privacy agreements.

But as the bill was amended, the privacy parts of the proposed law have been stripped away. Now companies don’t have to anonymize data before handing it over. In addition, the government can use it for surveillance and for activities outside cybercrime. And in addition, companies don’t have to report security failings even if they spot them.

Source: Congress strips out privacy protections from CISA ‘security’ bill

IAB Europe maakt zich grote zorgen over de nieuwe geharmoniseerde privacywetten die in 2018 van kracht worden in Europa. Ook Apple, Google, Microsoft en Nederland ICT zien economische hindernissen ontstaan.

Source: IAB: ‘Nieuwe privacywet maakt online branche kreupel’ – Emerce