Biz & IT

Get popcorn for iOS 13’s privacy pop-ups of creepy Facebook data grabs

Privacy-minded changes to smartphone operating systems which foreground the background activity of third-party apps are helping to spotlight more of the surveillance infrastructure deployed by adtech giants to track and profile human eyeballs for profit.

To wit: iOS 13, which will be generally released later this week, has already been spotted catching Facebook’s app trying to use Bluetooth to track nearby users.

Why might Facebook want to do this? Matching Bluetooth (and wi-fi) IDs that share physical location could allow it to supplement the social graph it gleans by data-mining user-to-user activity on its platform.

Such location tracking provides a physical confirmation that individuals were (at very least) in close proximity.

Combined with personal data Facebook also holds on people, and contextual data on the nature of the location itself — a bar, say, or a house — there’s a clear path for the company to make inferences about the nature of the relationship between the people who it’s repurposed short range wireless tech to determine are in close contact.

For a company that makes money by serving targeted ads at humans there are clear commercial reasons for Facebook to seek to intimately understand people’s friend networks.

Facebook piggybacking on people’s use of Bluetooth for benign purposes like pairing devices so that its ad business can ‘pair’ people is the sneaky modus operandi that iOS 13 has caught in the act here.

Ads are Facebook’s business, as CEO Mark Zuckerberg famously told the Senate last year. But it’s worth noting the social network giant recently sought to push into the dating space — giving it a fresh, product-based incentive to pry into where and with whom humans are spending their time.

Algorithmic matchmaking based on cold signals like shared interests (in basic Facebook currency this might mean stuff like liking the same pages and events) is of course nothing new.

Yet mix in hot-blooded signals gathered by watching who actually mingles with whom, where and when — by repurposing Bluetooth to harvest interpersonal interactions via tracking people’s physical movements — and Facebook can take its curtain-twitching surveillance of human behavior to the next level.

The path of least resistance to tracking people’s movements is if Facebook app users are opting in to location tracking on their devices. Which means users enabling Location Services — a location tracking feature on smartphones that covers GPS, Bluetooth and crowd-sourced wi-fi hotspots and mobile cell towers.

Unsurprisingly, then, Facebook Dating requires Location Services to be enabled to function. The company confirmed to us that the Facebook app prompts dating users to enable Location Services if they haven’t already. Facebook also told us it doesn’t use wi-fi or Bluetooth to determine a person’s precise location if a user has Location Services turned off.

It also made a point of emphasizing that users can switch Location Services off at any time. Just not if they wish to use, er, Facebook Dating…

As per usual the company is tangling separate purposes for data processing in a way that denies people a meaningful choice over protecting their privacy. Hence Facebook dating users get to ‘choose’ between being able to use the service; or being able to blanket-deny Facebook the ability to track their physical movements. Like it or lump it.

iOS 13’s new privacy pop-ups to call out background app activity are a clear response to such disingenuous methods by an industry Apple CEO Tim Cook has dubbed the data industrial complex — putting a degree of control back in the hands of the user, who gets a third choice of manually disallowing Bluetooth proximity tracking (in the above example).

Android 10 has also recently expanded the location tracking controls it offers users — with the ability to only share location data with apps while you use them. Though Google’s OS lags far behind what Apple is now offering with these granular pop-ups.

Facebook has responded to awkward (for it) privacy changes incoming at the smartphone OS level by putting out an update on location services last week — where it seeks to get ahead of the deluge of data-grab warnings that iOS users of the Facebook app are likely to experience as they update to iOS 13.

Here it tries to spin Apple’s pro-active foregrounding of apps’ background tracking tactics via push notifications as “reminders” — in just one amusing rebrand.

But in a truly shameless contradiction Facebook also goes on to claim that: “You’re in control of who sees your location on Facebook” (because it says users can make use of the Location Services setting on a phone or tablet to deny tracking) — before admitting that switching off Location Services doesn’t actually mean Facebook will not track your location.

Just because you’re signalling very clearly to Facebook that you don’t want your location to be collected by Facebook doesn’t mean Facebook is going to respect that. Hell no!

“We may still understand your location using things like check-ins, events and information about your internet connection,” it writes. (For a clearer understanding of Facebook’s use of the word “understand” in that sentence we suggest you try substituting the word “steal”.)

In a final shameless kicker — in which Facebook almost appears to be trying to claim credit for smartphone OSes building more privacy features in response to its data grabs — the company seeks to finish on a forward-gazing note, per its preferred crisis PR custom, writing: “We’ll continue to make it easier for you to control how and when you share your location.”

Facebook dishing out misleading qualifications (e.g. “easier”) that whitewash the extent of its rampant data grabs is nothing new. But how much longer it can hope to rely on such flimsy figleaves to cover its privacy sins as the winds of change come rattling through remains to be seen…

Debit card fraud leaves Ally Bank customers, small stores reeling

Ally debit card owners are reporting fraudulent charges at a steady cadence over the past week.

Ben Langhofer, a financial planner and single father of three in Wichita, Kansas, decided to start a side business. He had made a handbook for his family, laying out core values, a mission statement, and a constitution. He wanted to help other families put their beliefs into a real book, one they could hold and display.

So Langhofer hired web developers about two years ago and set up a website, customer relationship management system, and payment processing. On Father’s Day, he launched MyFamilyHandbook.com. He’s had some modest success and has spoken with larger groups about bulk orders, but business has been mostly quiet so far.

That’s how Langhofer knew something was wrong on Friday, August 11, when a woman from California called about a fraudulent charge. He checked his merchant account and saw nearly 800 transactions.

One of thousands of charges sent out from Langhofer's site earlier this week, as seen from a customer's Ally Bank app.

“My heart, it sunk,” Langhofer told Ars on Thursday. He immediately contacted his payment vendor Stripe, who he said told him about card testing—a scheme in which online card thieves use tiny charges from an account to test for valid cards. Stripe said it would issue a bulk refund, Langhofer said. Knowing his payment processor was aware of the issue, he went about his weekend.

Langhofer awoke early Monday morning to a flurry of missed calls.

He said his site had attempted nearly 11,000 more transactions, each for $1, most of them initiated by email addresses minutely different from one another. Many of them involved Ally Bank cards, Langhofer said. He’d only ever had two phone calls to the forwarded number listed in his online store, but now his phone wouldn’t stop ringing.
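
The pattern described above (many tiny charges, each on a different card, from email addresses that differ only minutely) is something a merchant can screen for in its own order log. The following is an added example, not code from Stripe, Ally or the affected site; the record fields (`email`, `card`, `cents`, `ts`), the thresholds and the sample transactions are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def normalize_email(addr):
    """Collapse trivial variants: case, dots, +tags and trailing digits in the local part."""
    local, _, domain = addr.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    return re.sub(r"\d+$", "", local) + "@" + domain

def find_card_testing(txns, max_cents=100, window=timedelta(minutes=10), min_cards=5):
    """Map each normalized email to the most distinct cards it charged
    (at or below max_cents) inside any sliding window, if >= min_cards."""
    groups = defaultdict(list)
    for t in txns:
        if t["cents"] <= max_cents:
            groups[normalize_email(t["email"])].append(t)
    flagged = {}
    for key, group in groups.items():
        group.sort(key=lambda t: t["ts"])
        start = 0
        for end, txn in enumerate(group):
            # Shrink the window from the left until it spans at most `window`.
            while txn["ts"] - group[start]["ts"] > window:
                start += 1
            cards = {t["card"] for t in group[start:end + 1]}
            if len(cards) >= min_cards:
                flagged[key] = max(flagged.get(key, 0), len(cards))
    return flagged

# Constructed sample data: eight $1 charges on different cards from near-identical
# emails, 20 seconds apart, mixed with three ordinary orders.
T0 = datetime(2022, 8, 15, 3, 0, 0)
SAMPLE = [
    {"email": f"j.smith{i}@example.com", "card": f"card_{i}", "cents": 100,
     "ts": T0 + timedelta(seconds=20 * i)}
    for i in range(8)
] + [
    {"email": "alice@example.org", "card": "card_a", "cents": 100, "ts": T0},
    {"email": "bob@example.org", "card": "card_b", "cents": 2499, "ts": T0},
    {"email": "carol@example.org", "card": "card_c", "cents": 2499,
     "ts": T0 + timedelta(minutes=3)},
]

if __name__ == "__main__":
    for email, cards in find_card_testing(SAMPLE).items():
        print(f"possible card testing: {email} used {cards} cards")
```

Stripping trailing digits can merge unrelated customers under one key, which is why the check also requires several distinct cards inside a short window before it flags anything.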

“My dad always taught me to have a good name, so this hurts,” he said. “I don’t have a big staff, but I have a great name in Wichita, in this state. Now my business is tied up in this, and I have no idea what’s next.” In text messages before an Ars Technica interview, Langhofer said the ordeal “consumed my entire week and caused more panic than I recall having in a long time.”

For sale: debit cards, barely used

Langhofer’s business appears to be a victim in a chain of fraud that has affected thousands of debit card customers over the past week. Most prominent among them are Ally Bank customers, who have been tweeting and posting in the r/AllyBank subreddit about charges on cards, some they’ve never activated or used. They’ve reported (and Ars Technica has seen) phone support wait times of up to an hour or more.

There’s an overwhelming sentiment that something is happening, but the major parties have yet to confirm anything.

Screenshot of r/AllyBank the morning of Friday, August 19.

Ars Technica has reached out to Ally Bank numerous times, by phone and email, for comment on this story. We’ve also contacted Shopify. We will update this post if we hear back.

Two of those wondering what’s happening are Stephen Fuchs and Curt Grimes, a Chicago-area couple who spoke with Ars Technica and shared their documentation. They opened their joint Ally checking account in March 2022. Both had debit cards tied to it, each with different numbers. Fuchs never activated his card. Up until last week, Grimes had only used his card once, to send about $5 to someone via Apple Cash.

On August 10, a charge for $15 from a quirky software site appeared on one of their cards, but it went unnoticed. On Friday, August 12, Grimes received an SMS fraud alert from Ally, alerting him to charges from two different Shopify stores for nearly $200. Grimes flagged the charges as fraudulent, and Ally (and Apple Pay) reported that the card was suspended. After spending almost an hour waiting on the phone for Ally on Saturday, August 13, Grimes disputed the earlier $15 charge and saw in his Ally app that a new card, with a new number, was on its way.

Netflix’s ad-supported plan likely to have another drawback: No video downloads

The presence of advertisements apparently won’t be the only major difference between Netflix’s ad-supported and ad-free plans. Text reportedly found in the code of Netflix’s iPhone app suggests the ad-supported plan won’t let users download movies and shows for offline viewing.

The text says, “Downloads available on all plans except Netflix with ads,” according to a Bloomberg report yesterday. The text was discovered by iOS developer Steve Moser, who wrote about it on his blog. Unsurprisingly, the Netflix app “code also suggests that users won’t be able to skip ads—a common move in the streaming world—and playback controls won’t be available during ad breaks,” Bloomberg wrote.

Netflix has been offering video downloads in its apps since late 2016. A Netflix spokesperson told Ars, “We are still in the early days of deciding how to launch a lower-priced, ad-supported tier and no decisions have been made. So this is all just speculation at this point.”

Moser’s blog post said he also found Netflix app text from a setup process for new subscribers who select the ad-supported plan. The text refers to the use of personalized ads. “Now, let’s set up your ad experience. We just need a few details to make sure you get the most relevant ads on Netflix. It’ll be really quick, we promise!” the text says.

Hulu similarly makes downloads available only to users on its no-ads plans. HBO Max also requires an ad-free plan for downloads.

Ad tier planned for early 2023

After years of resisting ads, Netflix Co-CEO Reed Hastings announced in April that the streaming service will offer an ad-supported tier. Netflix says it plans to launch the ad-supported tier in early 2023.

Netflix prices in the US range from $9.99 for “Basic” to $19.99 a month for “Premium.” Netflix says the “lower priced ad-supported subscription plan” will be offered “in addition to our existing ads-free basic, standard, and premium plans.”

Netflix hasn’t said what the ad-supported plan will cost or whether it will have other limits like the ones in Netflix’s cheapest current plan. The Basic plan, which is currently the cheapest option, does not provide high-definition video and has two other notable limits: Basic users can’t watch on more than one screen at a time, and they can only download videos on one phone or tablet.

The $15.49-per-month Standard plan allows HD video and lets subscribers watch on two screens simultaneously and download videos on two devices. The $19.99 Premium plan allows 4K viewing, the ability to watch on four screens simultaneously, and downloads on up to four devices.

Netflix losing subscribers

Netflix is also cracking down on account-sharing by testing an “extra member” fee in some countries and an “extra home” fee in others. A Netflix letter to shareholders said the company aims to complete a broader rollout of sharing fees next year.

Netflix last month reported a loss of 970,000 paid streaming subscribers in Q2 earnings after having lost 200,000 customers in the first quarter of 2022. Worldwide paid memberships decreased from 221.64 million to 220.67 million in Q2, and revenue growth has slowed dramatically.

Netflix says the ad-supported tier is key to improving revenue and profits. “While it will take some time to grow our member base for the ad tier and the associated ad revenues, over the long run, we think advertising can enable substantial incremental membership (through lower prices) and profit growth (through ad revenues),” Netflix’s quarterly letter to shareholders said.

Netflix hired Microsoft to provide advertising technology, saying that “Microsoft offered the flexibility to innovate over time on both the technology and sales side, as well as strong privacy protections for our members.”

Zoom patches critical vulnerability again after prior fix was bypassed

A critical vulnerability in Zoom for MacOS, patched once last weekend, could still be bypassed as of Wednesday. Users should update again.

It’s time for Zoom users on Mac to update—again.

After Zoom patched a vulnerability in its Mac auto-update utility that could give malicious actors root access earlier this week, the video conferencing software company issued another patch Wednesday, noting that the prior fix could be bypassed.

Zoom users on macOS should download and run version 5.11.6 (9890), released August 17. You can also check Zoom’s menu bar for updates. Waiting for an automatic update could leave you waiting days while this exploit is publicly known.

Zoom’s incomplete fix was reported by macOS security researcher Csaba Fitzl, aka theevilbit of Offensive Security. Zoom credited Fitzl in its security bulletin (ZSB-22019) and issued a patch the day before Fitzl tweeted about it.

Neither Fitzl nor Zoom detailed how Fitzl was able to bypass the fix for the vulnerability first discovered by Patrick Wardle, founder of the Objective-See Foundation. Wardle spoke at Def Con last week about how Zoom’s auto-update utility held onto its privileged status to install Zoom packages but could be tricked into verifying other packages. That meant malicious actors could use it to downgrade Zoom for better exploit access or even to gain root access to the system.
