Biz & IT

Facebook will shut down its spyware VPN app Onavo

Facebook will end its unpaid market research programs and proactively take its Onavo VPN app off the Google Play store in the wake of backlash following TechCrunch’s investigation about Onavo code being used in a Facebook Research app that sucked up data about teens. The Onavo Protect app will eventually shut down, and will immediately cease pulling in data from users for market research, though it will continue operating as a Virtual Private Network in the short term to allow users to find a replacement.

Facebook has also ceased to recruit new users for the Facebook Research app that still runs on Android but was forced off of iOS by Apple after we reported on how it violated Apple’s Enterprise Certificate program for employee-only apps. Existing Facebook Research app studies will continue to run, though.

With the suspicions about tech giants and looming regulation leading to more intense scrutiny of privacy practices, Facebook has decided that giving users a utility like a VPN in exchange for quietly examining their app usage and mobile browsing data isn’t a wise strategy. Instead, it will focus on paid programs where users explicitly understand what privacy they’re giving up for direct financial compensation.

Onavo billed itself as a way to “limit apps from using background data” and “use a secure VPN network for your personal info” but also noted it would collect the “Time you spend using apps, mobile and Wi-Fi data you use per app, the websites you visit, and your country, device and network type.” A Facebook spokesperson confirmed the change and provided this statement: “Market research helps companies build better products for people. We are shifting our focus to reward-based market research which means we’re going to end the Onavo program.”

Facebook acquired Onavo in 2013 for a reported $200 million to use its VPN app to gather data about what people were doing on their phones. That data revealed WhatsApp was sending over twice as many messages per day as Messenger, BuzzFeed’s Ryan Mac and Charlie Warzel reported, convincing Facebook to pay a steep sum of $19 billion to buy WhatsApp. Facebook went on to frame Onavo as a way for users to reduce their data usage, block dangerous websites, and keep their traffic safe from snooping — while Facebook itself was analyzing that traffic. The insights helped it discover new trends in mobile usage, keep an eye on competitors, and figure out what features or apps to copy. Cloning became core to Facebook’s product strategy over the past years, with Instagram’s version of Snapchat Stories growing larger than the original.

But last year, privacy concerns led Apple to push Facebook to remove the Onavo VPN app from the App Store, though it continued running on Google Play. But Facebook quietly repurposed Onavo code for use in its Facebook Research app that TechCrunch found was paying users in the U.S. and India ages 13 to 35 up to $20 in gift cards per month to give it VPN and root network access to spy on all their mobile data.

Facebook ran the program in secret, obscured by intermediary beta testing services like Betabound and Applause. It only informed users it recruited with ads on Instagram, Snapchat and elsewhere that they were joining a Facebook Research program after they’d begun signup and signed non-disclosure agreements. A Facebook spokesperson claimed in a statement that “there was nothing ‘secret’ about this”, yet it had threatened legal action if users publicly discussed the Research program.

But the biggest problem for Facebook ended up being that its Research app abused Apple’s Enterprise Certificate program, meant for employee-only apps, to distribute the app outside the company. That led Apple to ban the Research app from iOS and invalidate Facebook’s certificate. This caused Facebook’s internal iOS collaboration tools, pre-launch test versions of its popular apps, and even its lunch menu and shuttle schedule apps to break for 30 hours, causing chaos at the company’s offices.

To preempt any more scandals around Onavo and the Facebook Research app and avoid Google stepping in to forcibly block the apps, Facebook is now taking Onavo off the Play Store and stopping recruitment of Research testers. That’s a surprising voluntary move that perhaps shows Facebook is finally getting in tune with the public perception of its shady actions. The company has repeatedly misread how users would react to its product launches and privacy invasions, leading to near constant gaffes and an unending news cycle chronicling its blunders.

Without Onavo, Facebook loses a powerful method of market research, and its future initiatives here will come at a higher price. Facebook has run tons of focus groups, surveys, and other user feedback programs over the past decade to learn where it could improve or what innovations it could co-opt. And with more apps recently turning on encryption, Onavo likely started learning less about their usage. But given how cloning plus acquisitions like WhatsApp and Instagram have been vital to Facebook’s success, it’s likely worth paying out more gift cards and more tightly monitoring its research practices. Otherwise Facebook could miss the next big thing that might disrupt it.

Hopefully Facebook will be less clandestine with its future market research programs. It should be upfront about its involvement, make certain that users understand what data they’re giving up, stop researching teens or at the very least verify the consent of their parents, and avoid slurping up sensitive information or data about a user’s unwitting friends. For a company that depends on people to trust it with their content, it has a long way to go to win back our confidence.

Better than JPEG? Researcher discovers that Stable Diffusion can compress images

Image caption: These jagged, colorful blocks are exactly what the concept of image compression looks like.

Benj Edwards / Ars Technica

Last week, Swiss software engineer Matthias Bühlmann discovered that the popular image synthesis model Stable Diffusion could compress existing bitmapped images with fewer visual artifacts than JPEG or WebP at high compression ratios, though there are significant caveats.

Stable Diffusion is an AI image synthesis model that typically generates images based on text descriptions (called “prompts”). The AI model learned this ability by studying millions of images pulled from the Internet. During the training process, the model makes statistical associations between images and related words, making a much smaller representation of key information about each image and storing them as “weights,” which are mathematical values that represent what the AI image model knows, so to speak.

When Stable Diffusion analyzes and “compresses” images into weight form, they reside in what researchers call “latent space,” which is a way of saying that they exist as a sort of fuzzy potential that can be realized into images once they’re decoded. With Stable Diffusion 1.4, the weights file is roughly 4GB, but it represents knowledge about hundreds of millions of images.

Examples of using Stable Diffusion to compress images.

While most people use Stable Diffusion with text prompts, Bühlmann cut out the text encoder and instead forced his images through Stable Diffusion’s image encoder process, which takes a low-precision 512×512 image and turns it into a higher-precision 64×64 latent space representation. At this point, the image exists at a much smaller data size than the original, but it can still be expanded (decoded) back into a 512×512 image with fairly good results.

While running tests, Bühlmann found that images compressed with Stable Diffusion looked subjectively better at higher compression ratios (smaller file size) than JPEG or WebP. In one example, he shows a photo of a candy shop that is compressed down to 5.68KB using JPEG, 5.71KB using WebP, and 4.98KB using Stable Diffusion. The Stable Diffusion image appears to have more resolved details and fewer obvious compression artifacts than those compressed in the other formats.

Experimental examples of using Stable Diffusion to compress images. SD results are on the far right.

Bühlmann’s method currently comes with significant limitations, however: It’s not good with faces or text, and in some cases, it can actually hallucinate detailed features in the decoded image that were not present in the source image. (You probably don’t want your image compressor inventing details in an image that don’t exist.) Also, decoding requires the 4GB Stable Diffusion weights file and extra decoding time.

While this use of Stable Diffusion is unconventional and more of a fun hack than a practical solution, it could potentially point to a novel future use of image synthesis models. Bühlmann’s code can be found on Google Colab, and you’ll find more technical details about his experiment in his post on Towards AI.


Apps can pose bigger security, privacy threat based on where you download them

Google and Apple have removed hundreds of apps from their app stores at the request of governments around the world, creating regional disparities in access to mobile apps at a time when many economies are becoming increasingly dependent on them.

The mobile phone giants have removed over 200 Chinese apps, including widely downloaded apps like TikTok, at the Indian government’s request in recent years. Similarly, the companies removed LinkedIn, an essential app for professional networking, from Russian app stores at the Russian government’s request.

However, access to apps is just one concern. Developers also regionalize apps, meaning they produce different versions for different countries. This raises the question of whether these apps differ in their security and privacy capabilities based on region.

In a perfect world, access to apps and app security and privacy capabilities would be consistent everywhere. Popular mobile apps should be available without increasing the risk that users are spied on or tracked based on what country they’re in, especially given that not every country has strong data protection regulations.

My colleagues and I recently studied the availability and privacy policies of thousands of globally popular apps on Google Play, the app store for Android devices, in 26 countries. We found differences in app availability, security, and privacy.

While our study corroborates reports of takedowns due to government requests, we also found many differences introduced by app developers. We found instances of apps with settings and disclosures that expose users to higher or lower security and privacy risks depending on the country in which they’re downloaded.

Geoblocked apps

The countries and one special administrative region in our study are diverse in location, population and gross domestic product. They include the US, Germany, Hungary, Ukraine, Russia, South Korea, Turkey, Hong Kong, and India. We also included countries like Iran, Zimbabwe, and Tunisia, where it was difficult to collect data. We studied 5,684 globally popular apps, each with over 1 million installs, from the top 22 app categories, including Books and Reference, Education, Medical, and News and Magazines.

Our study showed high amounts of geoblocking, with 3,672 of 5,684 globally popular apps blocked in at least one of our 26 countries. Blocking by developers was significantly higher than takedowns requested by governments in all our countries and app categories. We found that Iran and Tunisia have the highest blocking rates, with apps like Microsoft Office, Adobe Reader, Flipboard, and Google Books all unavailable for download.


Russia plans “massive cyberattacks” on critical infrastructure, Ukraine warns

gwengoat | Getty Images

The Ukrainian government on Monday warned that the Kremlin is planning to carry out “massive cyberattacks” targeting power grids and other critical infrastructure in Ukraine and in the territories of its allies.

“By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine,” an advisory warned. “The occupying command is convinced that this will slow down the offensive operations of the Ukrainian Defence Forces.”

Monday’s advisory alluded to two cyberattacks the Russian government carried out—first in 2015 and then almost exactly one year later—that deliberately left Ukrainians without power during one of the coldest months of the year. The attacks were seen as a proof-of-concept and test ground of sorts for disrupting Ukraine’s power supply.

The first attack repurposed a known piece of malware, called BlackEnergy, created by Kremlin-backed hackers. The attackers used this new BlackEnergy3 malware to break into the corporate networks of Ukrainian power companies and then further encroach into the supervisory control and data acquisition systems the companies used to generate and transmit electricity. The hack allowed the attackers to use legitimate functionality commonly found in power distribution and transmission to trigger a failure that caused more than 225,000 people to go without power for more than six hours.

The 2016 attack was more sophisticated. It used a new piece of malware written from scratch specifically designed for hacking electric grid systems. The new malware—which goes by the names Industroyer and Crash Override—was notable for its mastery of the arcane industrial processes used by Ukraine’s grid operators. Industroyer natively communicated with those systems to instruct them to de-energize and then re-energize substation lines.

“The experience of cyberattacks on Ukraine’s energy systems in 2015 and 2016 will be used when conducting operations,” the Ukrainian government said on Monday.

Monday’s advisory comes two weeks after Ukrainian forces recaptured vast swaths of territory in Kharkiv and other cities that had been under Russian control for months. Russian President Vladimir Putin last week called for the mobilization of 300,000 Russian citizens to bolster the country’s military invasion of Ukraine.

The move, which was the first time since World War II that Russia has done so, has prompted protests and a diaspora of mostly male Russians fleeing the country. A pivot to increased reliance on hacking by the country’s military could be seen as a way to achieve objectives without further straining the ongoing personnel shortage.

It’s hard to assess the chances of a successful hacking campaign against Ukraine’s power grids. Earlier this year, Ukraine’s CERT-UA said it successfully detected a new strain of Industroyer inside the network of a regional Ukrainian energy firm. Industroyer2 reportedly was able to temporarily switch off power to nine electrical substations but was stopped before a major blackout could be triggered.

“We don’t have any direct knowledge or data to make an assessment on Ukraine’s capability to defend its grid, but we do know that CERT-UA stopped the deployment of INDUSTROYER.V2 malware that targeted Ukraine’s electric substations earlier this year,” Chris Sistrunk, technical manager of Mandiant Industrial Control Systems Consulting, wrote in an email. “Based on that, and what we know about the Ukrainian people’s overall resolve, it’s increasingly clear that one of the reasons cyberattacks in Ukraine have been dampened is because its defenders are very aggressive and very good at confronting Russian actors.”

But researchers from Mandiant and elsewhere also note that Sandworm, the name for the Kremlin-backed group behind the power grid hacks, is among the most elite hacking groups in the world. They are known for stealth, persistence, and remaining hidden inside targeted organizations for months or even years before surfacing.

Besides an attack on electrical grids, Monday’s advisory also warned of other forms of disruptions the country expected Russia to ramp up.

“The Kremlin also intends to increase the intensity of DDoS attacks on the critical infrastructure of Ukraine’s closest allies, primarily Poland and the Baltic states,” the advisory stated. Since February, researchers have said pro-Russian threat actors have been behind a steady stream of distributed denial-of-service attacks targeting Ukraine and its allies.
