This Week in Privacy #6

This Week in Privacy #62000×1125 89.4 KB

Welcome back to This Week in Privacy, our weekly series where we cover the latest updates with what we're working on within the Privacy Guides community, and this week's top stories in the data privacy and cybersecurity space.

Privacy Guides is a non-profit which researches and shares privacy-related information, and facilitates a community on our forum and Matrix where people can ask questions and get advice about staying private online and preserving their digital rights.

Privacy Guides Updates

The This Week in Privacy podcast is now available via standard RSS for consumption within your favorite podcast client. Thanks to hosting it with Castopod, an open-source podcasting hosting platform, it can also be followed by any fediverse client such as Mastodon at @thisweekinprivacy@fm.neat.tube. If you enjoy the audio show, give us a follow!

Privacy News

While not strictly privacy-related per se, one of the biggest problems stopping adoption of privacy-respecting software is that big tech gatekeepers go out of their way to prevent alternatives from being as user friendly and feature complete as they could be. In response to this, Mozilla created a new issue tracker called Platform Tilt, in which they document all of the ways that Apple, Google, and Microsoft purposely put alternatives like Firefox at a disadvantage, and is calling for action from these companies to level the playing field.

Platform Tilt: Documenting the Uneven Playing Field for an Independent Browser Like Firefox – Open Policy & Advocacy

Browsers are the principal gateway connecting people to the open Internet, acting as their agent and shaping their experience. The central role of browsers has long motivated us to build…

Open Policy & Advocacy

In law enforcement news, WIRED reports that police throughout the United States believe that running faces generated by AI based on DNA evidence through AI facial recognition software "should at least be an option" available to investigators, and that this practice has been performed by various agencies already.

[In 2017, detectives working a cold case at the East Bay Regional Park District Police Department] sent genetic information collected at the crime scene to Parabon NanoLabs—a company that says it can turn DNA into a face. [...]
[The] department published the predicted face in an attempt to solicit tips from the public. Then, in 2020, one of the detectives did something civil liberties experts say is even more problematic—and a violation of Parabon NanoLabs’ terms of service: He asked to have the rendering run through facial recognition software.

Cops Used DNA to Predict a Suspect’s Face—and Tried to Run Facial Recognition on It

Police around the US say they’re justified to run DNA-generated 3D models of faces through facial recognition tools to help crack cold cases. Everyone but the cops thinks that’s a bad idea.

WIREDCondé Nast

In unsurprising news, researchers have found that many iPhone apps spy on you when they receive notifications, despite Apple's "policies" against this behavior.

If the app is closed, the iPhone operating system lets the app wake up temporarily [when it receives a push notification] to contact company servers, send you the notification, and perform any other necessary business. The data harvesting Mysk spotted happened during this brief window.

iPhone Apps Secretly Harvest Data When They Send You Notifications, Researchers Find

Security researchers say apps including Facebook, LinkedIn, TikTok, Twitter, and countless others collect data in surprising ways.

GizmodoThe A.V. Club

Amazon Ring is no longer sharing videos with police without performing a formal legal request through the court system, as it probably should have been this whole time:

Amazon’s Ring will no longer let police and other government agencies request doorbell camera footage from within the company’s Neighbors app, in what privacy advocates are hailing as a long-awaited victory for civil liberties.
Authorities seeking Ring surveillance videos must now submit a formal legal request to the company, rather than soliciting footage directly from users through the app, Ring said in a blog post Wednesday.

Amazon’s Ring to shutter video-sharing program popular with police | CNN Business

Amazon’s Ring will no longer let police and other government agencies request doorbell camera footage from within the company’s Neighbors app, in what privacy advocates are hailing as a long-awaited victory for civil liberties.

CNNBrian Fung

In more lighthearted news, 404 Media reported on a collection of documents obtained this week from the NSA, published on the Internet Archive, detailing concerns in 1998 about "embedded AI" in the Furby children's toy.

The NSA’s interest in and concern with the spying capabilities of the Furby—the iconic furry robot toy—has been documented over the years by various news outlets, YouTube channels, and the Federal Aviation Administration (which banned Furby operation during takeoff and landing). But previous write-ups rely on a brief news story in the Washington Post from January 13, 1999 called “A TOY STORY OF HAIRY ESPIONAGE,” which noted that Furby had been banned from the NSA’s offices in Maryland in part because they were worried that NSA employees would discuss classified information to the Furby, which could learn from it and would possibly repeat what it’d heard at a later date.

These Are the Notorious NSA Furby Documents Showing Spy Agency Freaking Out About Embedded AI in Children’s Toy

“Apparently, these stuffed critters learn from nearby speech patterns. That would definitely be a security concern.”

404 MediaJason Koebler

Finally, US Senator Ron Wyden (D-Oregon) revealed documents confirming that the NSA purchases records from commercial data brokers in order to spy on which apps and websites Americans use.

Wyden suggested that the intelligence community might be helping data brokers violate an FTC order requiring that Americans are provided "clear and conspicuous" disclosures and give informed consent before their data can be sold to third parties. In the seven years that Wyden has been investigating data brokers, he said that he has not been made "aware of any company that provides such a warning to users before collecting their data."

NSA finally admits to spying on Americans by purchasing sensitive data

Violating Americans’ privacy “not just unethical but illegal,” senator says.

Ars TechnicaAshley Belanger

Security News

Microsoft announced that they were breached this month by SVR, the same Russian intelligence agency which broke into SolarWinds in 2020. Microsoft reports that the attackers compromised the email accounts of members of their senior leadership team and employees in other departments including cybersecurity and legal. It doesn't appear that the attackers had to use any new vulnerabilities/0-days, Microsoft merely didn't follow best security practices internally.

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center

Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard

Microsoft Security Response CenterMSRC

Community News

OpenWrt, one of our top choices for alternative/open-source router firmware, is working on creating its own open reference hardware.

OpenWrt[...] is 20 years old this year. To keep the project going, lead developers have proposed creating a "fully upstream supported hardware design," one that would prevent the need for handling "binary blobs" in modern router hardware and let DIY router enthusiasts forge their own path. [...] There is no expected release date, though it's noted that it's the "first" community-driven reference hardware.

OpenWrt, now 20 years old, is crafting its own future-proof reference hardware

There are, as you might expect, a few disagreements about what’s most important.

Ars TechnicaKevin Purdy

Apple announced this week that—in the EU only!—they would begin to allow alternative app marketplaces, alternative browser engines, and alternative NFC payment apps on iOS. However, the restrictive way that they are going about this means we're not going to see Android-style side loading or an iOS version of F-Droid anytime soon.

I wrote more about these changes and Apple's non-compliance with the DMA in a separate blog post:

Apple is Incredibly Salty About the Digital Markets Act

Apple’s press release yesterday reads with the professionally and poise of a teenager throwing a tantrum, it’s amazing really. Apple announces changes to iOS, Safari, and the App Store in the European UnionApple announced changes to iOS, Safari, and the App Store impacting developers’ apps in the EU to comply

Jonah AragonJonah Aragon

TWIP Live 🔴

All the updates from This Week in Privacy will be shared here on the blog every week, so subscribe with your favorite RSS reader if you want to stay tuned. However, for people who prefer audio, we're going to be trying out a podcast-style recording of these updates every week, livestreamed on our YouTube channel.

• Listen to This Week in Privacy #6 on YouTube
• Follow the This Week in Privacy podcast via RSS

In the next TWIP

Will we continue to publish these updates? We'll see! We are hoping to publish a new TWIP update every Saturday, but we won't be able to do so without your help. If you find a news story you'd like us to share, or you're working on anything in the privacy space which our community would be interested in, please get in touch on our forum to share your update and be featured in next week's publication.