Get popcorn for iOS 13’s privacy pop-ups of creepy Facebook data grabs

Privacy-minded changes to smartphone operating systems which foreground the background activity of third party apps are helping to spotlight more of the surveillance infrastructure deployed by adtech giants to track and profile human eyeballs for profit.

To wit: iOS 13, which will be generally released later this week, has already been spotted catching Facebook’s app trying to use Bluetooth to track nearby users.

Why might Facebook want to do this? Matching Bluetooth (and wi-fi) IDs that share physical location could allow it to supplement the social graph it gleans by data-mining user-to-user activity on its platform.

Such location tracking provides a physical confirmation that individuals were (at the very least) in close proximity.

Combined with personal data Facebook also holds on people, and contextual data on the nature of the location itself — a bar, say, or a house — there’s a clear path for the company to make inferences about the nature of the relationship between the people who it’s repurposed short range wireless tech to determine are in close contact.

For a company that makes money by serving targeted ads at humans there are clear commercial reasons for Facebook to seek to intimately understand people’s friend networks.

Facebook piggybacking on people’s use of Bluetooth for benign purposes like pairing devices so that its ad business can ‘pair’ people is the sneaky modus operandi that iOS 13 has caught in the act here.

Ads are Facebook’s business, as CEO Mark Zuckerberg famously told the senate last year. But it’s worth noting the social network giant recently sought to push into the dating space — giving it a fresh, product-based incentive to pry into where and with whom humans are spending their time.

Algorithmic matchmaking based on cold signals like shared interests (in basic Facebook currency this might mean stuff like liking the same pages and events) is of course nothing new.

Yet mix in hot-blooded signals gathered by watching who actually mingles with whom, where and when — by repurposing Bluetooth to harvest interpersonal interactions via tracking people’s physical movements — and Facebook can take its curtain-twitching surveillance of human behavior to the next level.

The path of least resistance to tracking people’s movements is for Facebook app users to opt in to location tracking on their devices. That means enabling Location Services, a location tracking feature on smartphones that covers GPS, Bluetooth and crowd-sourced wi-fi hotspots and mobile cell towers.

Unsurprisingly, then, Facebook Dating requires Location Services to be enabled to function. The company confirmed to us that the Facebook app prompts dating users to enable Location Services if they haven’t already. Facebook also told us it doesn’t use wi-fi or Bluetooth to determine a person’s precise location if a user has Location Services turned off.

It also made a point of emphasizing that users can switch Location Services off at any time. Just not if they wish to use, er, Facebook Dating…

As per usual the company is tangling separate purposes for data processing in a way that denies people a meaningful choice over protecting their privacy. Hence Facebook dating users get to ‘choose’ between being able to use the service; or being able to blanket-deny Facebook the ability to track their physical movements. Like it or lump it.

iOS 13’s new privacy pop-ups to call out background app activity are a clear response to such disingenuous methods by an industry Apple CEO Tim Cook has dubbed the data industrial complex — putting a degree of control back in the hands of the user, who gets a third choice of manually disallowing Bluetooth proximity tracking (in the above example).

Android 10 has also recently expanded the location tracking controls it offers users — with the ability to only share location data with apps while you use them. Though Google’s OS lags far behind what Apple is now offering with these granular pop-ups.

Facebook has responded to awkward (for it) privacy changes incoming at the smartphone OS level by putting out an update on location services last week — where it seeks to get ahead of the deluge of data-grab warnings that iOS users of the Facebook app are likely to experience as they update to iOS 13.

Here it tries to spin Apple’s pro-active foregrounding of apps’ background tracking tactics via push notifications as “reminders” — in just one amusing rebrand.

But in a truly shameless contradiction Facebook also goes on to claim that: “You’re in control of who sees your location on Facebook” (because it says users can make use of the Location Services setting on a phone or tablet to deny tracking) — before admitting that switching off Location Services doesn’t actually mean Facebook will not track your location.

Just because you’re signalling very clearly to Facebook that you don’t want your location to be collected by Facebook doesn’t mean Facebook is going to respect that. Hell no!

“We may still understand your location using things like check-ins, events and information about your internet connection,” it writes. (For a clearer understanding of Facebook’s use of the word “understand” in that sentence we suggest you try substituting the word “steal”.)

In a final shameless kicker — in which Facebook almost appears to be trying to claim credit for smartphone OSes building more privacy features in response to its data grabs — the company seeks to finish on a forward-gazing note, per its preferred crisis PR custom, writing: “We’ll continue to make it easier for you to control how and when you share your location.”

Facebook dishing out misleading qualifications (e.g. “easier”) that whitewash the extent of its rampant data grabs is nothing new. But how much longer it can hope to rely on such flimsy figleaves to cover its privacy sins as the winds of change come rattling through remains to be seen…

Cox’s bad customer service stymies users who don’t want upload speeds cut

Cox has been making it extremely difficult or impossible for some customers to stick with their current Internet speeds despite promising that it won’t force users onto plans with slower uploads.

As we wrote two weeks ago, Cox informed customers with 300Mbps download and 30Mbps upload speeds that they will be switched to a plan with 500Mbps downloads and 10Mbps uploads on March 3. A Cox spokesperson told Ars at the time that customers can stay on the plan with 30Mbps uploads as long as they upgrade to a DOCSIS 3.1 modem. But Cox’s email to its customers did not mention this option, and customers who called Cox customer service have since been told in no uncertain terms that they cannot stay on their current plans.

Several Cox users from California emailed Ars about the problem after reading our article, all with similar experiences.

“I just got off the phone with a Cox tech rep and she said that my current Ultimate Classic plan (300/30) is going away regardless of whether I upgrade to a DOCSIS 3.1 modem or not,” a customer whose first name is Dam and lives in Aliso Viejo, California, told Ars on Thursday last week. “When the time comes in March, my new plan will be the new Ultimate 500/10. I told her about your article and she said that is not what she’s seeing in her system or hearing from her higher-ups.”

We contacted Cox about the problem on Friday last week, and a Cox spokesperson admitted that the company failed to ensure that sales reps know customers are allowed to stay on the 300/30Mbps plan.

“There clearly are some gaps that we need to address to avoid this confusion,” Cox told Ars on Monday. “We’re in the process of retraining our frontline-facing teams to make sure they are consistently communicating the options available to impacted customers, including staying on their existing plan of 300/30 so long as they upgrade their modem.”

As before, customers will be automatically switched from the 300/30Mbps plan to the 500/10Mbps tier unless they contact customer service and insist on keeping their plan. The change to download and upload speeds will happen regardless of whether customers have an upgraded modem, but customers who stick with an older modem may not get the full 500Mbps download speeds. Cox, which has about 5.3 million Internet customers in 19 states, says the changes are related to a network upgrade.

Cox’s customer-service screwup

The evidence (including Cox’s email to customers and statements from Cox sales reps to customers) makes it seem as if Cox didn’t intend to let customers keep their 30Mbps upload speeds until the company faced criticism and media exposure two weeks ago. That would explain why customer-service reps have told customers they must give up the 300/30Mbps plan and why Cox is now scrambling to tell employees about the option.

However, a Cox spokesperson told Ars that the company “always” intended to let customers keep the 30Mbps upload speeds. If that is true, then the company totally screwed up its messaging to customers and the change to its customer-service systems.

Cox described the fix now being implemented as a “retraining” in a statement to Ars yesterday:

Our frontline care agents were originally trained late January ahead of the first batch of customer communications in early February. Based on the feedback from a few customers, including the ones you shared, we are revisiting training to ensure ALL customers are getting consistent and correct information. To that end, we are in the process of conducting refresher training that will run through the end of this week for all our frontline employees.

As we retrain our employees, we are making sure they are communicating the options available to impacted customers, including staying on their existing Ultimate Classic plan (300/30) so long as they upgrade their modem. Staying on this plan was always an available option, albeit not one that was communicated as clearly as it could have been. We want to be sure customers clearly understand their options if they need more upload speed.

The 500/10Mbps plan is a direct replacement for the 300/30Mbps plan in terms of price and its place within Cox’s speed tiers. It costs $80 a month for the first year and $100 after the promo period expires. With the 300/30Mbps plan being discontinued, the only option with upload speeds higher than 10Mbps is the “Gigablast” plan with 940Mbps download speeds and 35Mbps upload speeds. That plan generally costs $100 during the promo period and $120 afterward, but some customers have been offered a $92.50 promotional rate. Cox charges $12 a month for a combined modem and router, but customers can use their own compatible equipment to avoid the rental fee.

Cox’s email notifying users of the upcoming download and upload speed changes said that customers who want upload speeds above 10Mbps can “call to learn more about equipment and our speed plans,” but it did not mention the option of staying on the same 300/30Mbps plan. Customers who received this email and those who contact Cox before all of the customer-service problems are solved may still mistakenly believe that keeping their plan isn’t an option. They would thus have their upload speeds cut to 10Mbps automatically when the change takes effect next week. We asked Cox if it is contacting all of these customers again to make clear they can avoid the upload-speed cut, and we will update this article if we get an answer.

Cox has apparently struggled to provide advertised upload speeds during the pandemic. In June 2020, we wrote about how Cox warned some customers about “excessive” upload usage and how the company lowered upload speeds on the Gigablast plan from 35Mbps to 10Mbps in some entire neighborhoods where its network was having trouble.

Ukraine says Russia hacked its document portal and planted malicious files

Ukraine has accused the Russian government of hacking into one of its government Web portals and planting malicious documents that would install malware on end users’ computers.

“The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most public authorities,” officials from Ukraine’s National Coordination Center for Cybersecurity said in a statement published on Wednesday. “The malicious documents contained a macro that secretly downloaded a program to remotely control a computer when opening the files.”

Wednesday’s statement said that the methods used in the attack connected the hackers to the Russian Federation. Ukraine didn’t say if the attack succeeded in infecting any authorities’ computers.

A large body of evidence has linked Russia’s government to several highly aggressive hacks against Ukraine in the past. The hacks include:

  • A computer intrusion in late 2015 against regional power authorities in Ukraine. It caused a power failure that left hundreds of thousands of homes without electricity in the dead of winter.
  • Almost exactly one year later, a second attack at an electricity substation outside Kyiv that once again left residents without power.
  • A malicious update for widely used tax software in Ukraine that distributed disk-wiping malware to users. The so-called NotPetya worm ended up shutting down computers worldwide and led to the world’s most costly hack.

Elsewhere, Russia’s SVR intelligence agency has also been accused of carrying out the recently discovered hack that targeted at least nine US agencies and 100 companies in a supply chain attack against customers of the SolarWinds network management software.

Wednesday’s statement didn’t identify which of several known Russian hacking groups was accused of the breach.

Macro attacks like the one mentioned in the statement typically work by tricking Microsoft Office users into enabling macros, often under the guise that the macro is required for the document to display properly. The macros then download malware from an attacker-controlled server and install it.

The statement provided no details on how or when Ukraine’s System of Electronic Interaction of Executive Bodies—a portal that distributes documents to public authorities—was hacked or how long the intrusion lasted.

Indicators that someone has been compromised include:

  • Domain: enterox.ru
  • IP address: 109.68.212.97
  • Link (URL): http://109.68.212.97/infant.php

Wednesday’s statement came two days after Ukraine’s National Coordination Center for Cybersecurity reported what it said were “massive DDoS attacks on the Ukrainian segment of the Internet, mainly on the websites of the security and defense sector.” An analysis revealed that the attacks used a new mechanism that hadn’t been seen before. DDoS attacks take down targeted servers by bombarding them with more data than they can process.

Android users now have an easy way to check the security of their passwords

Google is adding its password checkup feature to Android, making the mobile OS the latest of the company’s offerings to give users an easy way to check if the passcodes they’re using have been compromised.

Password Checkup works by checking credentials entered into apps against a list of billions of credentials compromised in the innumerable website breaches that have occurred in recent years. In the event there’s a match, users receive an alert, along with a prompt that can take them to Google’s password manager page, which offers a way to review the security of all saved credentials.

Google introduced Password Checkup in early 2019, in the form of a Chrome extension. In October of that year, the feature made its way into the Google Password Manager, a dashboard that examines Web passwords saved within Chrome that are synchronized using a Google account. Two months later, the company added it to Chrome.

Google’s Password Manager makes it easy for users to go directly to the sites where they are using bad passwords by clicking the “Change Password” button displayed next to each compromised or weak password. The password manager is accessible from any browser, but it works only when users sync credentials using their Google account password, rather than an optional standalone password.

The new password checkup was available as of Tuesday on Android 9 and above for users of autofill with Android, a feature that automatically adds passwords, addresses, payment details, and other information commonly entered into Web and app forms.

The Android autofill framework uses advanced encryption to ensure that passwords and other information are available only to authorized users. Google has access to user credentials only when users 1) have already saved a credential to their Google account and 2) were offered the option by the Android OS to save a new credential and chose to save it to their account.

When a user interacts with a password by either filling it into a form or saving it for the first time, Google uses the same encryption that powers the Privacy Checkup in Chrome to check if the credential is part of a list of known compromised passwords. The Web application interface sends only passwords that are cryptographically hashed using the Argon2 function to create a search key that’s encrypted with Elliptic Curve cryptography.

In a post published Tuesday, Google said that the implementation ensures that:

  • Only an encrypted hash of the credential leaves the device (the first two bytes of the hash are sent unencrypted to partition the database)
  • The server returns a list of encrypted hashes of known breached credentials that share the same prefix
  • The actual determination of whether the credential has been breached happens locally on the user’s device
  • The server (Google) does not have access to the unencrypted hash of the user’s password and the client (User) does not have access to the list of unencrypted hashes of potentially breached credentials

Google has written more about how the implementation works here.
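The four properties listed above describe a blinded private-membership check: the client sends a 2-byte prefix plus a blinded hash, the server applies its own secret to everything in that bucket, and the client decides locally. The following Python models that exchange as an added illustration; it is not Google’s code. Assumptions: hashlib.scrypt stands in for Argon2 (not in the standard library), exponentiation modulo a Mersenne prime stands in for the elliptic-curve blinding, and the breach corpus is a constructed sample.

```python
import hashlib
import secrets
from math import gcd

# Added example, not Google's code. Commutative blinding is modelled with
# modular exponentiation (assumption: stand-in for the EC scheme described).
P = (1 << 127) - 1          # prime modulus of the blinding group
ORDER = P - 1               # exponents are taken modulo the group order


def credential_hash(username: str, password: str) -> bytes:
    """Slow hash of the (username, password) pair; scrypt stands in for Argon2."""
    return hashlib.scrypt(password.encode(), salt=username.lower().encode(),
                          n=2 ** 12, r=8, p=1, dklen=32)


def to_group(digest: bytes) -> int:
    """Map a digest to a non-trivial element of the group (never 0 or 1)."""
    return 2 + int.from_bytes(digest, "big") % (P - 2)


def random_exponent() -> int:
    """Random exponent coprime to ORDER so it can be inverted to unblind."""
    while True:
        k = secrets.randbelow(ORDER - 2) + 2
        if gcd(k, ORDER) == 1:
            return k


class CheckupServer:
    """Holds breached credentials only after raising them to its secret key."""

    def __init__(self, breached: list[tuple[str, str]]):
        self.key = random_exponent()
        self.buckets: dict[bytes, set[int]] = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            # Bucketed by the unencrypted 2-byte prefix, stored only encrypted.
            self.buckets.setdefault(h[:2], set()).add(pow(to_group(h), self.key, P))

    def query(self, prefix: bytes, blinded: int) -> tuple[int, set[int]]:
        # The server sees a prefix and a client-blinded element, never the hash.
        return pow(blinded, self.key, P), self.buckets.get(prefix, set())


def is_breached(server: CheckupServer, username: str, password: str) -> bool:
    """Client side: blind, query, strip own blinding, decide locally."""
    h = credential_hash(username, password)
    a = random_exponent()
    blinded = pow(to_group(h), a, P)
    doubly_blinded, bucket = server.query(h[:2], blinded)
    server_only = pow(doubly_blinded, pow(a, -1, ORDER), P)   # (h^ab)^(1/a) = h^b
    return server_only in bucket


# Constructed sample breach corpus for the demonstration.
BREACHED = [("alice@example.com", "Password123"), ("bob@example.com", "hunter2")]


def demo() -> tuple[bool, bool]:
    server = CheckupServer(BREACHED)
    return (is_breached(server, "alice@example.com", "Password123"),
            is_breached(server, "alice@example.com", "correct horse battery"))
```

The client never learns the server’s key, so the returned bucket is opaque to it, and the server never sees the unblinded hash, matching the two “does not have access” properties in the list.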

On most Android devices, autofill can be enabled by:

  1. Opening Settings
  2. Tapping System > Languages & input > Advanced
  3. Tapping Autofill service
  4. Tapping Google to make sure the setting is enabled

Separately, Google on Tuesday reminded users of two other security features added to Android autofill last September. The first is a password generator that will automatically choose a strong and unique password and save it to users’ Google accounts. The generator can be accessed by long-pressing the password field and selecting Autofill in the pop-up menu.

Users can also configure the Android autofill to require biometric authentication before it will add credentials or payment information to an app or Web field. Biometric authentication can be enabled inside of the Autofill with Google settings.
