Google will soon roll out its Tracking Protection feature to some randomly chosen users in order to prepare for a full deployment.

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. read more

Any website can use a simple API to replace CAPTCHAs with our invisible alternative, whether they’re on the Cloudflare network or not.

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

Software supply chain security fears escalated again this week with the discovery of what’s being described as "deliberate sabotage" of code in the open-source npm package manager ecosystem. read more

Video conferencing software giant Zoom has shipped patches for a pair of security defects that expose Windows, macOS, Linux, iOS and Android users to malicious hacker attacks. read more

Microsoft-owned GitHub is again flagging major security problems in the npm registry, warning that a pair of newly discovered vulnerabilities continue to expose the soft underbelly of the open-source software supply chain. read more

Encrypted instant messaging app Signal was hit by a brief outage late Sunday that interrupted services on the platform at the same time as localised interruptions on other social media services. read more

Adobe has issued a warning for a pair of major security vulnerabilities affecting its popular Photoshop image manipulation software. The flaws, rated critical, expose both Windows and MacOS users to code execution attacks, Adobe said in an advisory released Tuesday. read more

WhatsApp said it will no longer limit app functionality for users who refuse to share some data with Facebook. Categories: Privacy Tags: end-to-end encryptionfacebookwhatsappwhatsapp privacy policy (Read more...) The post WhatsApp reverses course, will not limit app functionality appeared first on Malwarebytes Labs.

Following an eight-month audit of the code in the latest infotainment system in Mercedes-Benz cars, security researchers with Tencent Security Keen Lab identified five vulnerabilities, four of which could be exploited for remote code execution. read more

Researchers publicly disclosed flaws in ADT's LifeShield DIY HD Video Doorbell, which could have allowed local attackers to access credentials, video feeds and more.

Companies and organizations are dicouraging their employees to use TikTok, especially on work related devices. Will TikTok face a ban? Categories: Privacy Tags: amazonAustraliabanbytedancechinaindiaprivacyredditsocial mediatiktokusa (Read more...) The post TikTok is being discouraged and the app may be banned appeared first on Malwarebytes Labs.

Across the United States, people are taking to the street to protest racist police violence, including the tragic police killings of George Floyd and Breonna Taylor. This is a historic moment of reckoning for law enforcement. Technology companies, too, must rethink how the tools they design and sell to police departments minimize accountability and exacerbate injustice. Even worse, some companies profit directly from exploiting irrational fears of crime that all too often feed the flames of police brutality. So we’re calling on Amazon Ring, one of the worst offenders, to immediately end the partnerships it holds with over 1300 law enforcement agencies. SIGN PETITION TELL AMAZON RING: END POLICE PARTNERSHIPS  One by one, companies that profit off fears of crime have released statements voicing solidarity with those communities that are disproportionately impacted by police violence. Amazon, which owns Ring, announced that they “stand in solidarity with the Black community—[their] employees, customers, and partners — in the fight against systemic racism and injustice.”  Amazon Statement And yet, Amazon and other companies offer a high-speed digital mechanism by which people can make snap judgements about who does, and who does not, belong in their neighborhood, and summon police to confront them. This mechanism also facilitates police access to video and audio footage from massive numbers of doorbell cameras aimed at the public way across the country—a feature that could conceivably be used to identify participants in a protest through a neighborhood. Amazon built this surveillance infrastructure through tight-knit partnerships with police departments, including officers hawking Ring’s cameras to residents, and Ring telling officers how to better pressure residents to share their videos. Ring plays an active role in enabling and perpetuating police harassment of Black Americans. Despite Amazon’s statement that “the inequitable and brutal treatment of Black people in our country must stop,” Ring plays an active role in enabling and perpetuating police harassment of Black Americans. Ring’s surveillance doorbells and its accompanying Neighbors app have inflamed many residents’ worst instincts and urged them to spy on pedestrians, neighbors, and workers. We must tell Amazon Ring to end their police partnerships today.  Ring Threatens Privacy and Communities We’ve written extensively about why Ring is a “Perfect Storm of Privacy Threats,” and we’ve laid out five specific problems with Ring-police partnerships. We also revealed a number of previously-undisclosed trackers sending information from the Ring app to third parties, and critiqued the lackluster changes made in response to security flaws.  To start, Ring sends notifications to a person’s phone every time the doorbell rings or motion near the door is detected. With every notification, Ring turns the pizza delivery person or census-taker innocently standing at the door into a potential criminal. And with the click of a button, Ring allows a user to post video taken from that camera directly to their community, facilitating the reporting of so-called “suspicious” behavior. This encourages racial profiling—take, for example, an African-American real estate agent who was stopped by police because neighbors thought it was “suspicious” for him to ring a doorbell.  Ring Could Be Used to Identify Protesters To make matters worse, Ring continuing to grow partnerships with police departments during the current protests make an arrangement already at risk of enabling racial profiling even more troubling and dangerous. Ring now has relationships with over 1300 police departments around the United States. These partnerships allow police to have a general idea of the location of every Ring camera in town, and to make batch-requests for footage via email to every resident with a camera within an area of interest to police—potentially giving police a one-step process for requesting footage of protests to identify protesters. In some towns, the local government has even offered tiered discount rates for the camera based on how much of the public area on a street the Ring will regularly capture. The more of the public space it captures, the larger the discount.  If a Ring camera captures demonstrations, the owner is at risk of making protesters identifiable to police and vulnerable to retribution. Even if the camera owner refuses to voluntarily share footage of a protest with police, law enforcement can go straight to Amazon with a warrant and thereby circumvent the camera’s owner.  Ring Undermines Public Trust In Police The rapid proliferation of these partnerships between police departments and the Ring surveillance system—without oversight, transparency, or restrictions—poses a grave threat to the privacy and safety of all people in the community. “Fear sells,” Ring posted on their company blog in 2016. Fear also gets people hurt, by inflaming tensions and creating suspicion where none rationally exists.  Consider that Amazon also encourages police to tell residents to install the Ring app and purchase cameras for their homes, in an arrangement that makes salespeople out of what should be impartial and trusted protectors of our civic society. Per Motherboard, for every town resident that downloads Ring’s Neighbors app, the local police department gets credits toward buying cameras it can distribute to residents. This troubling relationship is worse than uncouth: it’s unsafe and diminishes public trust. Some of the “features” Ring has been considering adding would considerably increase the danger it poses. Integrated face recognition software would enable the worst type of privacy invasion of individuals, and potentially force every person approaching a Ring doorbell to have their face scanned and cross-checked against a database of other faces without their consent. License plate scanning could match people’s faces to their cars. Alerting users to local 911 calls as part of the “crime news” alerts on its app, Neighbors, would instill even more fear, and probably sell additional Ring services.  Just today Amazon announced a one-year moratorium on police use of its dangerous "Rekognition" facial recognition tool. This follows an announcement from IBM that it will no longer develop or research face recognition technology, in part because of its use in mass surveillance, policing, and racial profiling. We're glad Amazon has admitted that the unregulated use of face recognition can do harm to vulnerable communities. Now it's time for it to admit the dangers of Ring-police partnerships, and stand behind its statement on police brutality.  SIGN PETITION TELL AMAZON RING: END POLICE PARTNERSHIPS

The end-to-end encryption feature will not be offered to free users, Zoom's CEO said, in case Zoom needed to comply with federal and local law enforcement.

She wanted a sub, not Facebook, Instagram and SMS come-ons from the guy who served her and intercepted her contact-tracing details.

Since senators introduced the EARN IT Act (S. 3398) in early March, EFF has called attention to the many ways in which the bill would be a disaster for Internet users’ free speech and security. We’ve explained how the EARN IT Act could be used to drastically undermine encryption. Although the bill doesn’t use the word “encryption” in its text, it gives government officials like Attorney General William Barr the power to compel online service providers to break encryption or be exposed to potentially crushing legal liability. The bill also violates the Constitution’s protections for free speech and privacy. As Congress considers the EARN IT Act—which would require online platforms to comply with to-be-determined “best practices” in order to preserve certain protections from criminal and civil liability for user-generated content under Section 230 (47 U.S.C. § 230)—it’s important to highlight the bill’s First and Fourth Amendment problems. First Amendment As we explained in a letter to Congress, the EARN IT Act violates the First Amendment in several ways. 1. The bill’s broad categories of “best practices” for online service providers amount to an impermissible regulation of editorial activity protected by the First Amendment. The bill’s stated purpose is “to prevent, reduce, and respond to the online sexual exploitation of children.” However, it doesn’t directly target child sexual abuse material (CSAM, also referred to as child pornography) or child sex trafficking ads. (CSAM is universally condemned, and there is a broad framework of existing laws that seek to eradicate it, as we explain in the Fourth Amendment section below). Instead, the bill would allow the government to go much further and regulate how online service providers operate their platforms and manage user-generated content—the very definition of editorial activity in the Internet age. Just as Congress cannot pass a law demanding news media cover specific stories or present the news a certain way, it similarly cannot direct how and whether online platforms host user-generated content. 2. The EARN IT Act’s selective removal of Section 230 immunity creates an unconstitutional condition. Congress created Section 230 and, therefore, has wide authority to modify or repeal the law without violating the First Amendment (though as a policy matter, we don’t support that). However, the Supreme Court has said that the government may not condition the granting of a governmental privilege on individuals or entities doing things that amount to a violation of their First Amendment rights. Thus, Congress may not selectively grant Section 230 immunity only to online platforms that comply with “best practices” that interfere with their First Amendment right to make editorial choices regarding their hosting of user-generated content. 3. The EARN IT Act fails strict scrutiny. The bill seeks to hold online service providers responsible for a particular type of content and the choices they make regarding user-generated content, and so it must satisfy the strictest form of judicial scrutiny. Although the content the EARN IT Act seeks to regulate is abhorrent and the government’s interest in stopping the creation and distribution of that content is compelling, the First Amendment still requires that the law be narrowly tailored to address those weighty concerns. Yet, given the bill’s broad scope, it will inevitably force online platforms to censor the constitutionally protected speech of their users. Fourth Amendment The EARN IT Act violates the Fourth Amendment by turning online platforms into government actors that search users’ accounts without a warrant based on probable cause. The bill states, “Nothing in this Act or the amendments made by this Act shall be construed to require a provider of an interactive computer service to search, screen, or scan for instances of online child sexual exploitation.” Nevertheless, given the bill’s stated goal to, among other things, “prevent” online child sexual exploitation, it’s likely that the “best practices” will effectively coerce online platforms into proactively scanning users’ accounts for content such as CSAM or child sex trafficking ads. Contrast this with what happens today: if an online service provider obtains actual knowledge of an apparent or imminent violation of anti-child pornography laws, it’s required to make a report to the National Center for Missing and Exploited Children’s (NCMEC) CyberTipline. NCMEC then forwards actionable reports to the appropriate law enforcement agencies. Under this current statutory scheme, an influential decision by the U.S. Court of Appeals for the Tenth Circuit, written by then-Judge Neil Gorsuch, held that NCMEC is not simply an agent of the government, it is a government entity established by act of Congress with unique powers and duties that are granted only to the government. On the other hand, courts have largely rejected arguments that online service providers are agents of the government in this context. That’s because the government argues that companies voluntarily scan their own networks for private purposes, namely to ensure that their services stay safe for all users. Thus, courts typically rule that these scans are considered “private searches” that are not subject to the Fourth Amendment’s warrant requirement. Under this doctrine, NCMEC and law enforcement agencies also do not need a warrant to view users’ account content already searched by the companies. However, the EARN IT Act’s “best practices” may effectively coerce online platforms into proactively scanning users’ accounts in order to keep the companies’ legal immunity under Section 230. Not only would this result in invasive scans that risk violating all users’ privacy and security, companies would arguably become government agents subject to the Fourth Amendment. In analogous cases, courts have found private parties to be government agents when the “government knew of and acquiesced in the intrusive conduct” and “the party performing the search intended to assist law enforcement efforts or to further his own ends.” Thus, to the extent that online service providers scan users’ accounts to comply with the EARN IT Act, and do so without a probable cause warrant, defendants would have a much stronger argument that these scans violate the Fourth Amendment. Given Congress’ goal of protecting children from online sexual exploitation, it should not risk the suppression of evidence by effectively coercing companies to scan their networks. Next Steps Presently, the EARN IT Act has been introduced in the Senate and assigned to the Senate Judiciary Committee, which held a hearing on March 11. The next step is for the committee to consider amendments during a markup proceeding (though given the current state of affairs it’s unclear when that will be). We urge you to contact your members of Congress and ask them to reject the bill. Take Action PROTECT OUR SPEECH AND SECURITY ONLINE

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple’s iOS mobile operating system that prevents VPN applications from encrypting all traffic. read more

The Tor browser has a bug that could allow JavaScript to execute on websites even when users think they’ve disabled it for maximum anonymity.

It's charging subpar password security and lousy user notification: Zynga has yet to notify users to warn them of the breach, the suit says.

We don't want to see what you do behind closed doors, but lots of hackers would be happy to pull up a chair to view that video stream.

Cisco, the makers of Webex, had warned users of the online conferencing service that a vulnerability allowed unauthorised remote users to listen in on private online meetings – without having to enter a password.

This could signal a renewed war between Apple and law enforcement over breaking encryption.

It’s not only external hackers who pose a threat to the customer data that your company stores.

Identifying tokens and random addresses, meant to create anonymity, do not change in sync on some devices -- opening an attack vector.

Police in Bulgaria have arrested a 20-year-old man after a hack against the Bulgarian tax authority, known as the National Revenue Agency (NRA), which saw data on every single adult living in Bulgaria stolen, and offered to the media.

Amazon's acknowledgment that it saves Alexa voice recordings - even sometimes after consumers manually delete their interaction history - has thrust voice assistant privacy policies into the spotlight once again.

"I'm not a voyeur, I'm a technology enthusiast,” says the creator, who combined deepfake AI with a need for cash to get ka-CHING!

Less than one week after Maine Governor Janet Mills received one of the nation’s most privacy-protective state bills on her desk, she signed it into law. The move makes Maine the latest US state to implement its own online privacy protections. Categories: Privacy Tags: ACLU of MaineBangor Daily Newsdata privacy lawdata privacy legislationGovernor Janet MillsGSIinternet service providerISPJanet MillsLD 946MaineMaine State Chamber of Commerceonline privacyonline privacy lawonline privacy legislationSenator Shenna BellowsShenna Bellows (Read more...) The post Maine governor signs ISP privacy bill appeared first on Malwarebytes Labs.

Apple 0-Day allows hackers to mimic mouse-clicks to allow malicious behavior on macOS Mojave, despite mitigations.

Google is giving you more control over how long you want the tech company to hold on to your location history and web activity data. Google has introduced a new, easier, privacy-focused auto-delete feature for your Google account that will allow you to automatically delete your Location History and Web and App Activity data after a set period of time. Google's Location History feature, if

There's heartening news for our location privacy out of Massachusetts this week. The Supreme Judicial Court, the state's highest court, ruled that police access to real-time cell phone location data—whether it comes from a phone company or from technology like a cell site simulator—intrudes on a person’s reasonable expectation of privacy. Absent exigent circumstances, the court held, the police must get a warrant. In Commonwealth of Massachusetts v. Almonor, police had a phone carrier “ping” the cell phone of a suspect in a murder case—surreptitiously accessing GPS functions and causing the phone to send its coordinates back to the phone carrier and the police. This real-time location data pinpointed Mr. Almonor’s phone to a location inside a private home. The state argued it could warrantlessly get cell phone location data to find anyone, anytime, at any place as long as it was less than six hours old. A trial court disagreed and the state appealed. EFF filed an amicus brief in this case in partnership with the ACLU and the Massachusetts Association of Criminal Defense Lawyers. We asked the court to recognize, as the Supreme Court did in U.S. v Carpenter, that people have a constitutional right to privacy in their physical movements. We argued that, because people have their phones with them all the time, and because the location information produced by the phone can reveal our every move—where and with whom we live, socialize, visit, vacation, worship, and much more—the police must get a warrant to access this sensitive information. The Massachusetts court held that “[m]anipulating our phones for the purpose of identifying and tracking our personal location presents an even greater intrusion” than accessing the historical location data at issue in Carpenter. It concluded that “by causing the defendant's cell phone to reveal its real-time location, the Commonwealth intruded on the defendant's reasonable expectation of privacy in the real-time location of his cell phone.” The court recognized both that cell phone use is ubiquitous in our society, and that a phone’s location is a “proxy” for its owner’s location. The court noted that “society's expectation has been that law enforcement could not secretly and instantly identify a person's real-time physical location at will,” and “[a]llowing law enforcement to immediately locate an individual whose whereabouts were previously unknown by compelling that individual's cell phone to reveal its location contravenes that expectation.” Much of the majority’s opinion focuses on the fact that, in this case, law enforcement directed the phone company to “manipulate” the defendant’s phone, causing it to send its location to the phone company. In other words, the phone company wouldn’t have collected the data on its own as part of its normal business practices. But two judges, in a concurring opinion, expressed concern that this focus on law enforcement action—rather than on the collection of location data alone—would result in an exception for searches of real-time location data that providers collect automatically. The concurring justices would hold that the Massachusetts constitution “protects us from pings not because of the right to keep the government from interfering with our cellular telephones, but because of the right to keep the government from finding us.” This is very concerning because, as the concurring justices note, the majority’s focus on government action here could allow the police to “side-step the constitutional protection” by just asking for the data the cell service provider collects on its own. Although the majority denied that would happen, it remains to be seen, both how officers will implement searches after this opinion and how lower courts will apply constitutional law to those searches. We’ve seen the Commonwealth interpret this court’s prior decisions on location tracking very narrowly in the past. Although the defendant raised both federal and state constitutional claims in Almonor, the court based its decision solely on Article 14 of the Massachusetts Declaration of Rights, which was drafted before—and served as one of the models for—our federal Bill of Rights. Article 14, one of the cornerstones of the Massachusetts Constitution, is the state’s equivalent to the Fourth Amendment. As the court notes, it “does, or may, afford more substantive protection to individuals than that which prevails under the Constitution of the United States.” Courts around the country are now being asked to address the scope of the Carpenter ruling. Almonor in Massachusetts and a case called State of Maine v. O’Donnell, in Maine are among the first to deal directly with how Carpenter should be applied when police track and locate people in real-time. We’re heartened that the Massachusetts court took these issues seriously and made clear that the police must get a warrant, whether they access historical cell phone location data or whether they cause a phone to send its real-time location. We’re still waiting for the Maine court’s opinion in O’Donnell, and we’re actively tracking other cases addressing these issues across the country.   Related Cases:  Carpenter v. United States

The privacy think tank had them for 20 days, and one of the docs was already displayed at a conference, but the NYPD is still clawing them back.

We urged the Florida Supreme Court yesterday to review a closely-watched lawsuit to clarify the due process rights of defendants identified by facial recognition algorithms used by law enforcement. Specifically, we told the court that when facial recognition is secretly used on people later charged with a crime, those people have a right to obtain information about how the error-prone technology functions and whether it produced other matches.EFF, ACLU, Georgetown Law’s Center on Privacy & Technology, and Innocence Project filed an amicus brief in support of the defendant’s petition for review in Willie Allen Lynch v. State of Florida. Prosecutors in the case didn’t disclose information about how the algorithm worked, that it produced other matches that were never considered, or why Lynch’s photo was targeted as the best match. This information qualifies as “Brady” material—evidence that might exonerate the defendant—and should have been turned over to Lynch.We have written extensively about how facial recognition systems are prone to error and produce false positives, especially when the algorithms are used on African Americans, like the defendant in this case. Researchers at the FBI, MIT, and ProPublica have reported that facial recognition algorithms misidentify black people, young people, and women at higher rates that white people, the elderly, and men.Facial recognition is increasingly being used by law enforcement agencies around the country to identify suspects. It’s unfathomable that technology that could help to put someone in prison is used mostly without question or oversight. In Lynch’s case, facial recognition could help to send him to prison for eight years.Undercover police photographed Lynch using an older-model cell phone at an oblique angle while he was in motion. The photo, which is blurred in places, was run through a facial recognition algorithm to see whether it matched any images of a database of county booking photos. The program returned a list of four possible matches, the first of which was Lynch’s from a previous arrest. His photo was the only one sent on to prosecutors, along with his criminal records.The algorithm used on Lynch is part of the Face Analysis Comparison Examination Systems (FACES), a program operated by the Pinellas County Sheriff’s Office and made available to law enforcement agencies throughout the state. The system can search over 33 million faces from drivers’ licenses and police photos. It doesn’t produce “yes” or “no” responses to matches; it rates matches as likely or less likely matches. Error rates in systems like this can be significant and the condition of Lynch’s photo only exacerbates the possibility of errors.FACES is poorly regulated and shrouded in secrecy. The sheriff said that his office doesn’t audit the system, and there’s no written policy governing its use. The sheriff’s office said it hadn’t been able to validate the system, and “cannot speak to the algorithms and the process by which a match is made.”That he was identified by a facial recognition algorithm wasn’t known by Lynch until just days before his final pretrial hearing, although prosecutors had known for months. Prior to that, prosecutors had never disclosed information about the algorithm to Lynch, including that it produced other possible matches. Neither the crime analyst who operated the system or the detective who accepted the analyst’s conclusion that Lynch’s face was a match knew how the algorithm functioned. The analyst said the first-listed photo in the search results is not necessarily the best match—it could be one further down the list. An Assistant State Attorney doubted the system was reliable enough to meet standards used by courts to assess the credibility of scientific testimony and whether it should be used at trial. Lynch asked for the other matches produced by FACES—the court refused.If a human witness who identified Lynch in a line-up said others in the line-up also looked like the criminal, the state would have had to disclose that information, and Lynch could have investigated those alternate leads. The same principle should have required the state to disclose other people the algorithm produced as matches and information about how the algorithm functions, EFF and ACLU told the Florida Supreme Court.When defendants are facing lengthy prison sentences or even the death penalty, tight controls on the use of facial recognition are crucial. Defendants have a due process right to information about the algorithms used and search results.  The Florida Supreme Court should accept this case for review and provide guidance to law enforcement who use facial recognition to arrest, charge, and deprive people of their liberty. Related Cases:  FBI Facial Recognition Documents