Privacy Badger Now Fights More Sneaky Google Tracking | Electronic Frontier Foundation

With its latest update, Privacy Badger now fights “link tracking” in a number of Google products.

Link tracking allows a company to follow you whenever you click on a link to leave its website. Earlier this year, EFF rolled out a Privacy Badger update targeting Facebook’s use of this practice. As it turns out, Google performs the same style of tracking, both in web search and, more concerning, in spaces for private conversation like Hangouts and comments on Google Docs. From now on, Privacy Badger will protect you from Google’s use of link tracking in all of these domains.

— Read on www.eff.org/deeplinks/2018/10/privacy-badger-now-fights-more-sneaky-google-tracking

Yikes!

More reason to move off of Google properties and when you have no choice but use them, protect yourself.
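The EFF post says what link tracking does but not how a tool like Privacy Badger undoes it. The following is an added illustration, not Privacy Badger's own code, of the two pieces such a defence needs: unwrapping a redirect-style tracking link back to its real destination, and dropping the HTML `ping` attribute that makes the browser beacon a click to a third party. It assumes, since the page itself does not spell it out, that the wrapper links take the form `https://www.google.com/url?q=<destination>&...` (country hosts such as `google.co.jp` use the same `/url` path). The function names and the hostname regex are this example's own.

```javascript
// Added example (not Privacy Badger code). Assumed wrapper format:
//   https://www.google.com/url?q=<destination>&sa=...&usg=...
// Anchors are passed in as plain {href, ping} objects so the logic runs in
// Node as well as in a browser; a DOM pass is provided at the end.

// True for google.com, www.google.com, google.co.jp, google.com.br ... when the
// path is the /url redirector. Anchored so "google.com.evil.net" does not match.
function isGoogleRedirector(url) {
  return /^(www\.)?google\.(com|[a-z]{2})(\.[a-z]{2})?$/i.test(url.hostname)
    && url.pathname === '/url';
}

// Return the real destination if `href` is a redirect wrapper, otherwise
// return `href` unchanged. Only http(s) destinations are accepted, so a
// wrapper cannot be used to smuggle a javascript: or data: URL into the page.
function unwrapTrackedLink(href) {
  let url;
  try { url = new URL(href); } catch (e) { return href; }
  if (!isGoogleRedirector(url)) return href;
  const target = url.searchParams.get('q') || url.searchParams.get('url');
  if (!target) return href;
  let dest;
  try { dest = new URL(target); } catch (e) { return href; }
  if (dest.protocol !== 'http:' && dest.protocol !== 'https:') return href;
  return dest.href;
}

// Rewrite one anchor: unwrap the href and drop the `ping` beacon attribute.
// Returns a new object with a `wasTracked` flag; the input is not modified.
function sanitizeAnchor(anchor) {
  const href = unwrapTrackedLink(anchor.href);
  const cleaned = { ...anchor, href };
  delete cleaned.ping;
  cleaned.wasTracked = href !== anchor.href || Boolean(anchor.ping);
  return cleaned;
}

// Apply the rewrite to every anchor in a document. Returns the number of
// anchors changed; a no-op (0) outside a browser.
function sanitizeDocumentAnchors(doc) {
  if (!doc || typeof doc.querySelectorAll !== 'function') return 0;
  let changed = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    const clean = sanitizeAnchor({
      href: a.getAttribute('href'),
      ping: a.getAttribute('ping') || undefined,
    });
    if (!clean.wasTracked) continue;
    a.setAttribute('href', clean.href);
    a.removeAttribute('ping');
    changed += 1;
  }
  return changed;
}

// In a browser, clean the current page once it has loaded.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    console.log(`anchors rewritten: ${sanitizeDocumentAnchors(document)}`);
  });
}
```

One caveat for anyone turning this into a real extension: a single pass over the DOM is not enough, because search-result pages can rewrite an anchor's href from a mouse-down handler at click time and later-loaded content adds new anchors, so a working defence also watches for mutations or intercepts the click itself.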


ICYMI: Facebook Is Allowing Ad Targeting Based on Contact Information You Have No Control Over

Facebook Is Allowing Ad Targeting Based on Contact Information You Have No Control Over:

Even for Facebook’s low standards, this is exceptionally unethical: you haven’t given them permission to use this information; someone you know or someone you purchased products from has done that for you, probably with consent buried in an opaque privacy policy. There’s no way to opt out. And there are few-to-no regulations governing this.

(Via Pixel Envy)

This is a disaster from the security perspective. Users should enable 2FA to protect themselves with an expectation that this data is restricted to only this use.


Mobile Websites Can Tap Into Your Phone’s Sensors Without Asking

Mobile Websites Can Tap Into Your Phone’s Sensors Without Asking:

When an app wants to access data from your smartphone’s motion or light sensors, iOS and Android require them to get your permission first. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that those rules don’t apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever.

That mobile browsers offer developers access to sensors isn’t necessarily problematic on its own. It’s what helps those services automatically adjust their layout, for example, when you switch your phone’s orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers—Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University—found that the standards allow for unfettered access to certain sensors. And sites are using it.

(Via Security Latest)

Clearly this is a gap in vendor protection and user informed consent. When paired with the amount of bandwidth and other resources consumed by scripts, trackers, ads and the like, this news reinforces my opinion on ad-blockers that also deal with JavaScript.

Before we all panic, please note that the study only found 3.7% of the top 100,000 sites make use of this. And bear the following in mind:

That unapproved access to motion, orientation, proximity, or light sensor data alone probably wouldn’t compromise a user’s identity or device. And a web page can only access sensors as long as a user is actively browsing the page, not in the background.

Regardless, there is clearly an attack surface here that will be exploited. I can imagine something targeted using watering hole attacks being particularly successful.

“There’s a difference between the access from the web scripts compared to say mobile apps,” Acar says. “And a lot of this is legitimate. But the fact that access can be granted without prompting the user is surprising. It’s currently up to the vendors, and vendors tend to choose the side of more usability.”
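To make the quoted finding concrete, here is an added example (not code from the Wired article or from the researchers' study) with two parts. The first shows how a page script subscribes to motion readings through the standard `devicemotion` event, which most mobile browsers deliver with no permission prompt, and the summary a script can compute from them. The second shows the response header a site operator can send so that embedded third-party frames are denied those sensors, the one control the vendors do give site owners. The function names `detectSensorApis`, `startMotionCapture`, `meanByAxis`, `buildPermissionsPolicy` and `buildFeaturePolicy` are this example's own; the `scope` argument is the browser `window`, and a stub object is accepted so the logic can be exercised outside a browser.

```javascript
// Added example, not from the article or the study it reports on.
// Sensor features that Permissions-Policy / Feature-Policy can switch off.
const SENSOR_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer', 'ambient-light-sensor'];

// Part 1: what this environment exposes, and whether a prompt stands in the way.
function detectSensorApis(scope = globalThis) {
  const motion = scope.DeviceMotionEvent;
  return {
    deviceMotion: typeof motion !== 'undefined',
    deviceOrientation: typeof scope.DeviceOrientationEvent !== 'undefined',
    // iOS 13+ Safari added DeviceMotionEvent.requestPermission(); where it
    // exists the page must call it from a user gesture before readings flow.
    // Where it is absent, readings flow with no prompt at all.
    promptRequired: typeof motion !== 'undefined' && typeof motion.requestPermission === 'function',
    genericSensor: typeof scope.Accelerometer !== 'undefined',
  };
}

// Subscribe to devicemotion and hand each acceleration sample to onSample.
// Returns a function that stops the capture. Samples only arrive while the
// page is in the foreground, which matches the "actively browsing" caveat above.
function startMotionCapture(scope, onSample) {
  const handler = (event) => {
    const acc = event.accelerationIncludingGravity;
    if (!acc) return;
    onSample({ x: acc.x, y: acc.y, z: acc.z, t: Date.now() });
  };
  scope.addEventListener('devicemotion', handler);
  return () => scope.removeEventListener('devicemotion', handler);
}

// Per-axis mean of the collected samples: the kind of summary a script can
// derive from raw readings, again without asking the user. Returns null when
// there is nothing to summarise.
function meanByAxis(samples) {
  if (samples.length === 0) return null;
  const sum = samples.reduce(
    (acc, s) => ({ x: acc.x + s.x, y: acc.y + s.y, z: acc.z + s.z }),
    { x: 0, y: 0, z: 0 },
  );
  const n = samples.length;
  return { x: sum.x / n, y: sum.y / n, z: sum.z / n };
}

// Part 2: header values a site can send to deny sensors to every origin,
// including the third-party iframes (ads, widgets) it embeds.
//   Permissions-Policy: accelerometer=(), gyroscope=(), ...        (current syntax)
//   Feature-Policy: accelerometer 'none'; gyroscope 'none'; ...    (legacy syntax)
function buildPermissionsPolicy(features = SENSOR_FEATURES) {
  return features.map((f) => `${f}=()`).join(', ');
}

function buildFeaturePolicy(features = SENSOR_FEATURES) {
  return features.map((f) => `${f} 'none'`).join('; ');
}

// In a browser, capture two seconds of readings and log the summary; no-op in Node.
if (typeof window !== 'undefined' && detectSensorApis(window).deviceMotion) {
  const samples = [];
  const stop = startMotionCapture(window, (s) => samples.push(s));
  setTimeout(() => { stop(); console.log(meanByAxis(samples)); }, 2000);
}
```

Two practical notes: the header only governs content the site itself serves or embeds, so it protects a site's visitors from its own third parties, not from arbitrary pages they visit elsewhere; and support for gating the older `devicemotion` and `deviceorientation` events (as opposed to the newer Generic Sensor API) by these policies varies by browser, so check the target browser before relying on it.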


Privacy Shield on Shaky Ground: What’s Up with EU-U.S. Data Privacy Regulations

Privacy Shield on Shaky Ground: What’s Up with EU-U.S. Data Privacy Regulations:

There’s a lot going on in the privacy and data protection world. But one of the most pressing issues is the uncertain fate of Privacy Shield, the framework governing the flow of data between the EU and the U.S. for commercial purposes.

The Trump Administration has been given an ultimatum: comply with Privacy Shield, or risk a complete suspension of the EU-U.S. data sharing agreement. In a letter dated July 26, EU commissioner for justice Věra Jourová wagered to U.S. commerce secretary Wilbur Ross that suspension of the EU-U.S. Privacy Shield system would incentivize the U.S. to comply fully with the terms of the agreement. But Jourová’s urging that Ross “be smart and act” in appointing senior personnel to oversee the data sharing deal is hardly new. The July letter closely echoes a European Parliament (EP) resolution passed just three weeks earlier, and the European Commission (EC) voiced similar sentiments in its review of the Privacy Shield Framework last September. Further adding to the chorus of voices raising concerns about Privacy Shield compliance are tech and business groups, which jointly called for the nomination of a Privacy Shield ombudsperson in an Aug. 20 letter.

In addition to admonishing the EC’s failure to hold the U.S. accountable thus far, the EP resolution calls for a suspension of Privacy Shield if the U.S. has not fully complied by Sept. 1—though no such suspension has yet been announced. It also expresses serious concerns regarding the U.S.’s recent adoption of the Clarifying Lawful Overseas Use of Data (Cloud) Act and the legislation’s potential conflict with EU data protection laws. With the General Data Protection Regulation (GDPR)—the EU’s new regulatory regime for the protection of individual data—having come into effect on May 25, 2018, the EP considers the EC in contravention of GDPR Article 45(5). This article requires the EC to repeal, amend, or suspend an adequacy decision to the extent necessary once a third country no longer ensures an adequate level of data protection— until the U.S. authorities comply with its terms.

So what led to this ultimatum, and what’s next on the global data protection stage?    

(Via Lawfare – Hard National Security Choices)

The article gives a level set on Privacy Shield and then dives into specific areas. I highly recommend giving this a good read.


Is Your Smart Meter Spying on You? Yes.

From Your Smart Electricity Meter Can Easily Spy On You, Court Ruling Warns – Motherboard (https://motherboard.vice.com/en_us/article/j5n3pb/your-smart-electricity-meter-can-easily-spy-on-you-court-ruling-warns):

Consumers already face a laundry list of daily privacy issues ranging from Facebook’s failure to police how user data is abused, to ISPs that routinely track your every online movement down to the millisecond.

But another, less talked about privacy problem has slowly been gaining steam: the modern, electrical utility smart meter.

Modern electricity usage meters provide innumerable benefits to utility companies, including a variety of remote access and monitoring tools to better manage the power grid. They also dramatically reduce the cost of technician visits for on-location meter readings.

The benefits to consumers have been less impressive, however. Some models have been found to interfere with some home routers, and, like so many internet-connected devices, other variants are easily hacked.

I remember when my utility in Michigan wore me down and I let them install the one for my house. The reported benefits, specifically the cost saving reflected in the fact that a meter reader was no longer dispatched to my house every month, never materialized.

I never considered the privacy implications. I should have.

Back in Illinois, the court warned that the entire fight could have been avoided if the city-owned utility had simply provided users with the option of using a traditional meter instead of forcing the upgrade. They also could have provided consumers the ability to opt out of data collection.

“Naperville could have avoided this controversy—and may still avoid future uncertainty—by giving its residents a genuine opportunity to consent to the installation of smart meters, as many other utilities have,” the court said.

As the country debates new privacy rules in the wake of endless hacking scandals and rampant social media and broadband ISP data collection, it’s important not to forget about the lowly electrical meter. And as the internet of broken things often makes clear, sometimes the “dumber” technical solution is the smarter bet when it comes to privacy and security.


Beware the Subscription Model

Apple is secretly encouraging paid app developers to switch to subscription – ldstephens

I’m disappointed to hear that Apple is encouraging developers to move to a subscription model. As I’ve written before, I think this will be the demise of many small developers.

Many users dislike subscriptions. If you don’t believe me just read the App Store reviews for some of the developers that have switched their app to a subscription. A good place to start would be Ulysses or Drafts 5.

Personally, I’m experiencing subscription fatigue. My subscriptions add up to around $1500 per year. Yes, this includes my Netflix, Hulu and Sling subscriptions. It also includes my internet subscription, the subscription for all that’s needed to operate this website, my email subscription at Fastmail, and the subscription to a few apps. I’m not interested in adding more subscriptions.

I love trying new apps. If all apps went to a subscription I would no longer be able to continue trying and writing about them.

For example, I have several writing apps. If they all went subscription I would have to select one and abandon the others. In this scenario, there will be one winner and several losers.

(Via ldstephens.net)

I already try to avoid any app that uses a subscription model. An app that solves specific problems in a way that works well for me and where I maintain control of my data is a possible exception – but they are rare.

As mentioned I am pruning my subscriptions of all types. Drafts 5 will soon be another as I don’t use it enough to justify the expense. Google Drive, 1Password, The Atlantic (sadly, but I’m reconsidering), Audible (for DRM reasons), and Netflix (for timesuck reasons) all went on my financial chopping block. The two (!) Amazon Primes (Japan & US), Apple Music, LastPass, and the Guardian and Washington Post newspapers are up for review.

I don’t think I’ll ever want to get to a zero subscription point, but I will definitely keep them in check. As Google, Amazon, and Microsoft (among others, and to a lesser extent Apple) continue to push hard on the “digital assistant” front – something that interests me very little – jumping back into a F/OSS lifestyle seems not only wise but prudent.

To be clear, I want developers to be paid for their work. Even F/OSS developers will ask for donations of one kind or another. As I wrote I think commercial developers, independent or in the Small to Medium Enterprise (SME) space, can work well without embracing the subscription model.

I’m no Luddite or neophyte, mind you. I simply value my freedom more than the ability to dim the house lights when I fire up a streamed movie from my couch.

On another tack, the rise of subscriptions should trigger more thought about data portability. Locking one’s data in a proprietary app requiring a subscription to access said data lacks foresight. However, application developers don’t often list how the data is stored or how one can get their data out if they choose to move.


Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.

Don’t Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.:

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes — 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.

To be clear, the TSA has put forth no concrete proposal. The internal agency working group’s report obtained by CNN contains no recommendations. It’s nothing more than 20 people examining the potential security risks of the policy change. It’s not even new: The TSA considered this back in 2011, and the agency reviews its security policies every year. But commentary around the news has been strongly negative. Regardless of the idea’s merit, it will almost certainly not happen. That’s the result of politics, not security: Sen. Charles E. Schumer (D-N.Y.), one of numerous outraged lawmakers, has already penned a letter to the agency saying that “TSA documents proposing to scrap critical passenger security screenings, without so much as a metal detector in place in some airports, would effectively clear the runway for potential terrorist attacks.” He continued, “It simply boggles the mind to even think that the TSA has plans like this on paper in the first place.”

We don’t know enough to conclude whether this is a good idea, but it shouldn’t be dismissed out of hand. We need to evaluate airport security based on concrete costs and benefits, and not continue to implement security theater based on fear. And we should applaud the agency’s willingness to explore changes in the screening process.

There is already a tiered system for airport security, varying for both airports and passengers. Many people are enrolled in TSA PreCheck, allowing them to go through checkpoints faster and with less screening. Smaller airports don’t have modern screening equipment like full-body scanners or CT baggage screeners, making it impossible for them to detect some plastic explosives. Any would-be terrorist is already able to pick and choose his flight conditions to suit his plot.

Over the years, I have written many essays critical of the TSA and airport security, in general. Most of it is security theater — measures that make us feel safer without improving security. For example, the liquids ban makes no sense as implemented, because there’s no penalty for repeatedly trying to evade the scanners. The full-body scanners are terrible at detecting the explosive material PETN if it is well concealed — which is their whole point.

There are two basic kinds of terrorists. The amateurs will be deterred or detected by even basic security measures. The professionals will figure out how to evade even the most stringent measures. I’ve repeatedly said that the two things that have made flying safer since 9/11 are reinforcing the cockpit doors and persuading passengers that they need to fight back. Everything beyond that isn’t worth it.

It’s always possible to increase security by adding more onerous — and expensive — procedures. If that were the only concern, we would all be strip-searched and prohibited from traveling with luggage. Realistically, we need to analyze whether the increased security of any measure is worth the cost, in money, time and convenience. We spend $8 billion a year on the TSA, and we’d like to get the most security possible for that money.

This is exactly what that TSA working group was doing. CNN reported that the group specifically evaluated the costs and benefits of eliminating security at minor airports, saving $115 million a year with a “small (nonzero) undesirable increase in risk related to additional adversary opportunity.” That money could be used to bolster security at larger airports or to reduce threats totally removed from airports.

We need more of this kind of thinking, not less. In 2017, political scientists Mark Stewart and John Mueller published a detailed evaluation of airport security measures based on the cost to implement and the benefit in terms of lives saved. They concluded that most of what our government does either isn’t effective at preventing terrorism or is simply too expensive to justify the security it does provide. Others might disagree with their conclusions, but their analysis provides enough detailed information to have a meaningful argument.

The more we politicize security, the worse we are. People are generally terrible judges of risk. We fear threats in the news out of proportion with the actual dangers. We overestimate rare and spectacular risks, and underestimate commonplace ones. We fear specific “movie-plot threats” that we can bring to mind. That’s why we fear flying over driving, even though the latter kills about 35,000 people each year — about a 9/11’s worth of deaths each month. And it’s why the idea of the TSA eliminating security at minor airports fills us with fear. We can imagine the plot unfolding, only without Bruce Willis saving the day.

Very little today is immune to politics, including the TSA. It drove most of the agency’s decisions in the early years after the 9/11 terrorist attacks. That the TSA is willing to consider politically unpopular ideas is a credit to the organization. Let’s let them perform their analyses in peace.

This essay originally appeared in the Washington Post.

(Via Schneier on Security – emphasis above is mine)

Bruce knows at least as much about this as anyone outside of TSA, and one can argue more than most inside. I always appreciate his analysis.


New Polling Agency

New Polling Agency:

There is a new polling agency on the block, called DeltaPoll.

I had never heard of them until last week, when they had a strange poll published in the Daily Mail (which, obviously, I’m not going to link to).

I think we need new pollsters like we need a hole in the head. These companies are forever misrepresenting the accuracy of their surveys and they confuse more than they inform. I was intrigued, however, so I looked up their Twitter profile and found this:

They don’t have a big Twitter following, but the names behind it have previously been associated with other polling agencies, so perhaps it’s not as dodgy as I assumed.

On the other hand, what on Earth does ’emotional and mathematical measurement methods’ mean?

(Via In the Dark)


Amazon Echo Data Leaks, Shows Poor Engagement

Amazon Echo Data Leaks, Shows Poor Engagement:

First, Alexa and the Echo speakers came to market for a single reason only: To provide Amazon’s customers with yet another way to easily make purchases from its online store.

Second, while Amazon does currently lead in the market for smart speakers, Google is very quickly catching up. And I still expect Google to surpass Amazon, perhaps as soon as by the end of 2018.

Not being able to monetize Echo and Alexa is a problem. And it’s going to be a problem for Google, too. In that case, the online search giant will attempt to leverage its own Google Home/Google Assistant user base with, yep, you guessed it, advertising. Something that Google has publicly stated is coming to the platform.

(Via Thurrott.com)

I’ve seen this first hand at my sister’s — she & her husband add items to the shopping list only to shop at an actual brick-and-mortar store (the horror!). Even when they buy from Amazon they fire up a web browser on their laptop and don’t use their Echo at all. Mostly, they use it for music and for the occasional trivia question.

This cannot be what Amazon hoped for when they released this beast.


John Oliver Calls Facebook ‘History’s Most Profitable Data-Harvesting Machine’

John Oliver Calls Facebook ‘History’s Most Profitable Data-Harvesting Machine’:

“We came here for your data and the data of everyone you’ve ever come into contact with,” the ad’s narrator says. “Your data allowed us to make a fuckton of ad money … but here’s the thing. Nothing’s going to change. We’ve got your data, we’ve got your friends. And really, where are you going to go?”

(Via Motherboard)
