Over the last three years, Google has received a surge in geofence warrant requests — a type of request that allows police to gather information on devices in a certain region. The company has also been complying with keyword warrants, which gives police information on anyone who’s looked up specific phrases on the search engine. But the public doesn’t know exactly how often this happens — and 60 civil rights and privacy advocacy groups want to change that. 

In a letter sent to Google CEO Sundar Pichai on Tuesday, a coalition of 60 groups — including the Surveillance Technology Oversight Project, the Electronic Frontier Foundation, Fight for the Future and the Open Technology Institute — requested that the company start providing monthly data on how many geofence and keyword warrants it receives. 

Google releases a transparency report every six months, detailing government requests for user information, but it doesn’t break down what types of requests they are. These requests can range from police asking for a specific suspect’s emails with probable cause to a dragnet request that turns innocent people into suspects.

A man riding his bicycle near the scene of a burglary in Florida suddenly found himself a potential suspect because he’d been caught up in a geofence warrant request in March 2019, and he only learned about it nine months later. 

A federal judge ruled in Illinois that geofence warrants violate the Fourth Amendment, and it’s also being challenged in Virginia and could potentially be outlawed in New York.

Since 2017, police have increased how often they send geofence warrant requests to Google, rising 75-fold in just two years. The only reason that data is available is because of Google’s amicus curiae brief in the Virginia court case.  

“Currently, Google lumps these invasive court orders in with standard warrants, but geofence and keyword warrants pose a much more potent threat,” Albert Fox Cahn, the executive director of the Surveillance Technology Oversight Project, said. “A single one of these orders can track every person at a protest, a house of worship, or a medical facility. With more transparency, we can amplify efforts to outlaw these sweeping search warrants.”

While other companies track location data and have also received geofence warrant requests, Google receives the lion’s share of these demands because of its location history feature and its Sensorvault database.  

Google didn’t immediately respond to a request for comment.

At the Big Tech antitrust hearing in July, Rep. Kelly Armstrong, a Republican from North Dakota, questioned Pichai about geofence warrants, telling the Google CEO that people “would be terrified to know that law enforcement could grab general warrants and get everyone’s information everywhere.” 

Pichai replied that Armstrong’s concerns are why Google issues transparency reports for Congress to have oversight, but didn’t disclose that its reports don’t specify how many requests it receives are geofence warrants.

Without that information, civil rights groups and privacy advocates said it’s difficult to push for any regulations or reform on geofence warrants. 

“By providing this semiannual breakdown of requests, tracking the growth of these abusive tactics over time, you’ll provide us and other civil society organizations vital ammunition in the fight for privacy,” the letter said. 

The post Privacy groups demand Google disclose details on geofence warrants first appeared on Joggingvideo.com.

Your phone can tell a lot about you: where you’ve been, where your home and workplace are, and where your favorite places are. Federal agents are taking advantage of location data siphoned from advertisers through seemingly innocuous apps that you download for weather updates or cheap gas prices, and now a government watchdog is investigating the surveillance program. 

In a letter dated Nov. 25, the Department of Homeland Security’s inspector general, Joseph Cuffari, said his office would audit US Customs and Border Protection’s use of commercial databases to track people by way of their phone locations. CBP is a branch of Homeland Security.

In a landmark case, the Supreme Court ruled in 2018 that law enforcement agents much get a warrant to track people via their phone location, but agencies have been circumventing the requirement by simply buying the data from businesses that maintain commercial databases. 

“The objective of our audit is to determine if the Department of Homeland Security (DHS) and its components have developed, updated, and adhered to policies related to cell-phone surveillance devices,” Cuffari said in the letter.

Now playing:
Watch this:

Turn off Google location tracking for real

1:35

Apps request your permission for them to collect location data from your device so they can offer desired services — such as when a weather app needs to know where you are so it can tell you if it’s going to rain in your area.

But once the apps collect the data, they can also pass it on to data brokers, who provide it to advertisers for targeted commercials. Unless you’re resetting your app permissions or your device advertising ID every day, the tracking can provide a long history of your whereabouts. 

The Wall Street Journal, which first reported the DHS’ internal investigation on Wednesday, revealed in February that CBP was using phone location data for immigration enforcement. The data came from a company called Venntel, which collected information on millions of devices by way of gaming and weather apps.

In November, Motherboard also reported that the US military bought location data collected from apps like Muslim Pro, which requires location data because it tells users which direction to face in order to pray toward Mecca. 

Staying secure

• 4 signs your Android phone has hidden malware, and how to deal with it
• 7 security tips to keep people and apps from stealing your data
• Google collects a frightening amount of data about you. You can find and delete it now

The DHS’ investigation comes after requests from a group of Senate Democrats in October, noting that the agency spent half a million dollars to access location data from Venntel.

“CBP is not above the law and refused to answer questions about purchasing people’s mobile location history without a warrant  — including from shady data brokers like Venntel,” Sen. Elizabeth Warren, a Democrat from Massachusetts, said in a statement. “I’m glad that the Inspector General agreed to our request to investigate this potentially unconstitutional abuse of power by the CBP because we must protect the public’s Fourth amendment rights to be free from warrantless searches.”

Agencies like the Internal Revenue Service have also used Venntel to track people. The IRS is also opening its own investigation into how it uses people’s location data without a warrant. 

Venntel didn’t respond to a request for comment. 

Also on Wednesday, the American Civil Liberties Union announced it is suing the DHS to turn over all records related to the agency’s purchase and use of phone location data. 

“If federal agencies are tracking American citizens without warrants, the public deserves answers and accountability,” Sen. Ron Wyden, a Democrat from Oregon, said. “I won’t accept anything less than a thorough and swift inspector general investigation that sheds light on CBP’s phone location data surveillance program.”

The post Homeland Security watchdog to examine agency’s use of phone location data first appeared on Joggingvideo.com.

Apple had a security vulnerability that could have allowed potential hackers to get complete access to a person’s iPhone — everything from viewing photos to monitoring activities in real time — without the victim ever needing to click on any suspicious links or download malware. 

While most malware requires hackers to trick people in some way, like through a disguised email or an app pretending to be beneficial, this iOS exploit only needed the victim to be within Wi-Fi range, Ian Beer, a security researcher with Google’s Project Zero, explained in a blog post on Tuesday.  

These types of vulnerabilities are considered the biggest threats to companies like Apple. At the Black Hat cybersecurity conference in 2019, Apple started offering $1 million bug bounties for researchers who could present a flaw that didn’t require victims to click on anything and gave full access. 

In a video, Beer showed how a Raspberry Pi setup with store-bought Wi-Fi adapters could steal photos from an untouched iPhone in a different room within five minutes. In another clip, Beer demonstrated how the same vulnerability could let him repeatedly reboot 26 iPhones at the same time. 

“Imagine the sense of power an attacker with such a capability must feel,” Beer said in his post. “As we all pour more and more of our souls into these devices, an attacker can gain a treasure trove of information on an unsuspecting target.”

The security flaw was fixed in May, in the same patch through which Apple introduced its notification exposure tools on iOS devices. 

A snapshot of user adoption of the latest Apple software from around that time showed that the majority of users were already on current versions of iOS and thus protected against the issue, Apple said in a statement. “Also, it’s good to note that this does require relatively close proximity as it needs to be within WiFi range to work.”

See also: iPhone 12 vs. iPhone 11: All the big differences and whether you should upgrade

Apple vulnerabilities are rare because of the company’s investments in security and its closed-off App Store. In 2019, Beer’s team discovered another iOS vulnerability that allowed hacked websites to send malware to visitors. The hack was used by the Chinese government to track and spy on Uighur Muslims. 

Beer said he had spent about six months looking into the security vulnerability. He explained that the weak links came from Apple’s proprietary mesh network AWDL, which allows iOS devices to easily connect to each other, like your Apple Watch linking to your iPhone, for example. 

The network didn’t have built-in encryption, and Beer was able to exploit a single memory corruption to take over devices as new as the iPhone 11 Pro. He explained that the flaw came from a “fairly trivial buffer overflow programming error in C++ code” that allowed for untrusted data to pass through over Wi-Fi signals. 

Typically, vulnerabilities work off each other like pieces of a puzzle — finding one flaw leads to another until you’re able to get the big picture. Getting complete access through a single exploit is part of what makes Beer’s discovery so impressive. 

Beer said that he hasn’t seen any evidence that the flaw was exploited by others before it had been patched, but about 13% of all iPhone users are still vulnerable to this issue. While the flaw has been fixed, Beer noted that it likely won’t be the last time an issue like this comes up for Apple — pointing out that he was able to find this exploit on his own. 

“As things stand now in November 2020, I believe it’s still quite possible for a motivated attacker with just one vulnerability to build a sufficiently powerful weird machine to completely, remotely compromise top-of-the-range iPhones,” Beer said.

Now playing:
Watch this:

iPhone 12 Mini review: There’s a lot to like for a phone…

11:25

The post Google researcher demonstrates iPhone exploit with Wi first appeared on Joggingvideo.com.

Twitter faces a class-action lawsuit for providing advertisers access to people’s phone numbers without consent. The complaint, filed Monday in the United States District Court for the Western District of Washington, seeks $5,000 in damages for every person in the state affected by Twitter’s privacy misstep. 

The lawsuit alleges that Twitter violated a Washington law against unauthorized procurement or sale of phone records, as well as its users’ civil rights to privacy. The complaint says Twitter should compensate for the “mental pain and suffering” it caused users, and is seeking up to $5 million in total. 

Twitter declined to comment.

Advertisers often use phone numbers to connect people’s online identities with their offline activities. For example, if you buy fruit with a credit card that has your phone number attached to it, advertisers can link that phone number to online accounts that also include that number. That lets advertisers serve you more ads for fruit.

Twitter allows this type of ad-targeting through its Tailored Audiences network, using phone numbers people give it voluntarily. In October 2019, however, the social network disclosed that advertisers also had access to phone numbers given specifically for security purposes. At the time, Twitter acknowledged the error.

Mobile security

• Two-factor authentication: How and why to use it
• Do you use SMS for two-factor authentication? Here’s why you shouldn’t
• New phone? Setting up Google Authenticator is easier than ever. Here’s how

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” Twitter said in its disclosure last year. “This was an error and we apologize.”

The phone numbers were required until November 2019 to enroll in Twitter’s two-factor authentication, an important security feature that protects your account from hackers (but that’s still susceptible to vulnerabilities). 

Phone numbers given for two-factor authentication aren’t supposed to be used for advertising because the practice pits privacy and security against each other. The adoption rate for two-factor authentication is low, and it’s more difficult to convince people to use this feature if their privacy is at risk. 

Facebook disclosed in March 2019 that it had a similar issue. The social network stopped the practice as part of its $5 billion settlement with the Federal Trade Commission last December. 

Twitter faces a similar order and anticipates a $250 million fine from the FTC for using security data for advertising. 

The company hasn’t disclosed how many people were affected by this issue. It declined to provide that information when asked by CNET. 

Darlin Gray, a Twitter user and a Seattle-based designer, filed the lawsuit on behalf of Washington residents affected by Twitter.

“Those powerful companies disregard their promises to users about privacy because of strong financial incentives,” the complaint reads. “Using and trading in private user data can be extraordinarily lucrative for those companies which do so.”

Joel Ard, the attorney who filed the case, said it was important to keep companies accountable for privacy violations. 

“You don’t have to try to get into a debate over exactly how many dollars it costs to have your privacy invaded,” Ard said. You can read the full lawsuit here: 

The post Twitter faces class first appeared on Joggingvideo.com.

For the most up-to-date news and information about the coronavirus pandemic, visit the WHO and CDC websites.

Citizen, an app that lets you see unverified crime reports in your neighborhood, has often been used to advance false claims. One doozy: a tiger reportedly loose in Manhattan that turned out to be a raccoon. Now the company wants to help cities track cases of COVID-19. 

Los Angeles County on Wednesday said it’s partnering with Citizen for its contact tracing app SafePass. The app, unveiled in August, works as a digital pass for logging your symptoms and location. It uses Bluetooth and GPS to track your interactions with other people using the app. 

If someone you’ve been in contact with later tests positive for COVID-19 and marks themselves on the app, the app notifies you about the exposure and provides details on when and where it happened.

The officials, including Mayor Eric Garcetti and public health director Dr. Barbara Ferrer, encouraged the area’s 10 million residents to download the app. Advocates, however, have warned that SafePass’ location-tracking features are a privacy risk.

The mayor’s office didn’t respond to a request for comment on privacy concerns with the app. 

“We have to deploy every tool at our disposal to halt the spread of COVID-19 –– from wearing masks to keeping our distance to avoiding large gatherings –– and contact tracing is an absolutely essential part of our effort to track this virus and save lives,” Garcetti said in a statement. 

Public safety experts and lawmakers have criticized Citizen for stirring panic in communities, accusing the app of inundating people with crime alerts while overall crime rates are at historic lows. The company’s shift to public health raises alarms that it could bring that practice into a global pandemic. 

Now playing:
Watch this:

Contact tracing explained: How apps can slow the coronavirus

6:07

“For an app that’s pretty much designed to try to make you get a constant stream of dangerous situations to avoid, it’s not hard to imagine they would attach a public health lens on top of the unverified crime reporting that they do,” said Angel Diaz, liberty and national security counsel at the Brennan Center for Justice. 

Diaz said he first started examining Citizen’s contact tracing app when the company was in talks to partner with New York City. He said he saw several red flags with the service, specifically with how it shows exposures and the amount of location data it takes.

The coronavirus pandemic has eroded many privacy protections, with companies using surveillance software to monitor social distancing while data brokers use location data to monitor people’s movements. 

Contact tracing apps come with their own privacy concerns because they essentially require people to share their whereabouts at all times with an app. The apps work by notifying people if they’ve been around someone who tested positive for COVID-19, based on their location history. 

Contact tracing is considered an effective tool for limiting the spread of the contagious disease, but there are still privacy concerns about how the data collected in apps is protected. 

In July, lawmakers pushed for a privacy bill that would limit contact tracing data to health purposes only, blocking the data from being used by law enforcement agencies or for-profit companies.

Citizen CEO Andrew Frame said the company was committed to maintaining privacy in its contact tracing app, though there are a handful of concerns about what data SafePass collects, and how it can be used. 

“We created SafePass to help slow the spread [of the] virus and give people the tools they need to keep themselves and their communities safe through collective action, including sharing information,” Frame said in a statement. 

Location tracking 

For Citizen’s contact tracing to work, the app takes your device’s location data through both its GPS and Bluetooth. You can turn off your GPS, but the company said the app won’t function without location data. 

Citizen said its alerts don’t share any personal information, but the notification shows the time, place and duration of an exposure to COVID-19. The company acknowledges in its privacy policy that this is enough information needed to figure out someone’s identity. 

 “While this information does not identify you, there are circumstances when a user could identify you based on the location,” the company said. “For example, this may occur if a user knows you personally and recalls that they met you at the location we specify on the map.”

Other apps for tracking COVID-19 exposures don’t require location data as a privacy protection. Google and Apple’s exposure notification tools don’t request GPS information, and only use encrypted Bluetooth signals to mark distance, for example. 

The structure lets you know you were exposed to someone who tested positive for COVID-19 and that you should be tested and quarantine. But it doesn’t tell you where the exposure took place. 

Coronavirus updates

• I’m Eligible for a Second COVID Vaccine Booster. When Should I Get It?
• Free COVID Antiviral Pills: New Official Website Helps Find Them
• Long COVID Symptoms May Depend on the Variant You Contracted
• News, advice and more about COVID-19

Diaz says that’s important for privacy and safety because knowing where a potential exposure happened is often enough to identify the person involved. 

“If you got exposed near a restaurant or a school, it really opens up harassment that could have been avoided,” Diaz said. 

Citizen said it’s valuable for people to know where the exposures happened, noting that it could help lead to better decisions for people potentially infected with COVID-19. 

“If a potentially infected user, say at a birthday party, sees that they may have been exposed at the party and remembers that they weren’t wearing a mask or maintaining a social distance, he/she may decide to take different precautions than if they were,” a Citizen spokesman said. “Knowing where you may have been exposed can also give you the information you need to alert your friends and family who were at the birthday party who aren’t contact tracing.”

The company said it deletes location data from Bluetooth and GPS, as well as photos of your ID used for verification purposes after 30 days.

The company’s privacy policy also said that your location data could be shared with government agencies, without clarifying which agencies those could be. Diaz raised concerns that it could mean anything from public health officials to law enforcement agencies. 

Citizen said in a statement it can conduct COVID-19 symptom surveys on behalf of a state or city government agency and share results, but doesn’t provide data to law enforcement agencies unless presented with a warrant or a subpoena. 

The company didn’t answer why its privacy policy doesn’t specify that. 

The privacy policy also said Citizen can share the data to protect against “fraudulent, harmful, unauthorized, unethical or illegal activity,” which Diaz warns leaves the window open for sharing data with law enforcement agencies. 

“That gives them a lot of leeway in terms of what they decide is necessary to give over to the government,” he said. 

The post A crime reporting app shifts to tracking COVID first appeared on Joggingvideo.com.

For the most up-to-date news and information about the coronavirus pandemic, visit the WHO and CDC websites.

With the coronavirus pandemic pushing schools online out of public health concerns, parents and teachers are turning to digital alternatives like apps to bridge the virtual gap. While kids can learn via these apps, hundreds of advertisers are learning about them, too. 

Researchers from the International Digital Accountability Council looked at 496 education apps across 22 countries, finding privacy issues with many of these services. Several apps were providing location data to third-party advertisers, and also collected device identifiers that can’t be reset unless you buy a new phone. 

While the majority of apps examined in the report met privacy standards, the scale of data collection discovered raised alarms about the nature of education apps. 

Researchers found that 79 out of 123 apps manually tested were sharing user data with third parties. That data going to advertisers could include your name, email address, location data and device ID. The study also found that more than 140 third-party companies were getting data from ed tech apps, the majority of which went to Facebook, followed by Google. 

Security researchers often find privacy issues with apps, many of which harvest data from devices even when you don’t give consent. 

Even if you do give permission, the data is often shared with multiple third parties that use the data in their own ways. You may allow your weather app to get your location for accurate forecasts, but that app’s data partners can use it for advertising or law enforcement purposes. 

App creators often also use software development kits, or SDKs, as shortcuts rather than making their software from scratch, which can also lead to data-stealing schemes. 

Security researchers will analyze network traffic and examine code on apps to figure out where the data is going, but the average person shouldn’t be expected to learn this skill to protect their privacy. 

These privacy concerns are common across apps, but it’s a bigger issue among education apps since the majority of people using them are children. Education apps with millions of downloads are sharing location data on kids without their knowledge, the report found. 

“When you have a population of users that is so heavily focused on younger people, that raises sensitivity that developers should be aware of and the platforms should be vigilant about,” IDAC president Quentin Palfrey said.

Now playing:
Watch this:

Tips and tricks to make your iPhone work for you this…

1:48

Learning about you 

The researchers manually tested 78 Android apps and 45 iOS apps, some of which overlapped, for a combined 98 unique apps. They also automatically tested 421 Android apps in their research. 

The manual tests are more thorough, and look at how personal data is collected, who it’s sent to, and what kind of information is being taken. 

The study found 27 apps that were taking location data. Some had a purpose for needing that information — like constellation apps that used your location to tell you what stars are above you in real time. Other apps had more questionable reasons for gathering your location data, like apps for learning programming languages like JavaScript and SQL.

Coronavirus updates

• I’m Eligible for a Second COVID Vaccine Booster. When Should I Get It?
• Free COVID Antiviral Pills: New Official Website Helps Find Them
• Long COVID Symptoms May Depend on the Variant You Contracted
• News, advice and more about COVID-19

One app, Shaw Academy, was collecting location data and personal identifiers and sending it to third-party marketing firm WebEngage.  In June, Shaw Academy boasted that its online educational platform saw a nearly eightfold increase since COVID-19 lockdowns began in March, with the majority of its new users aged between 25 and 34. 

Shaw Academy’s chief strategy officer, John White, referred to the company’s privacy policy, which stated that the company can collect, use and share real-time location data through GPS, Bluetooth and IP address, as well as cell tower locations, to “provide location-based services,” but did not explain what the services are. 

“This location data is collected anonymously, unless the user provides consent. The user may withdraw consent to Shaw Academy and our partners’ collection, use, transmission, processing and maintenance of location and account data at any time by not using the location-based features and turning off the Location Services settings (as applicable) on the users device and computer,” White said in an email.

WebEngage, which specializes in targeted advertising on Facebook, email and push notifications, boasts that it tracks 400 million people per month. The company didn’t respond to a request for comment. 

Even when apps aren’t collecting your location data specifically, if they’re collecting data related to your Wi-Fi like your router details, that serves as a de facto location marker. 

Router data is often tied to locations — unless you’re actively moving your router around — which means that advertisers are aware when you’re on a home Wi-Fi network or one in a coffee shop. 

Many of the apps also collected device identifiers along with advertising IDs, which goes against Google’s developers policy. Your phone has multiple identifiers, but developers are generally not allowed to collect persistent identifiers. 

Best back-to-school tech for under $100

+24 more

See all photos

You can reset your Android and Apple advertising IDs, but you can’t reset your device ID unless you get a new phone. Google’s policies don’t allow developers to collect both the advertising ID and the device ID, because data brokers can just link new advertising IDs with the permanent device IDs, essentially making the effort useless. 

The manual tests found nine apps that were collecting and sharing this data with third-party advertisers, each of which were installed on at least 10 million devices. The researchers found that Duolingo, a popular language learning app, was sharing Android IDs and advertising IDs with Facebook. 

Duolingo didn’t respond to a request for comment. 

On average, the education apps examined shared data with at least three third-party companies. Facebook had the widest pool, getting user data from 128 apps, followed by advertising company Unity, which got data from 72 education apps.

See also: Choosing the right back-to-school laptop for in-school vs. remote learning

An unnamed app, which had more than 1 billion installations, didn’t know it was sharing data with the mobile analytics firm Amplitude until the researchers brought it up to the company, the report stated. 

“Our investigation did not reveal any misconduct by these third parties, but the scale and opacity of the data-collection is noteworthy and presents some risks to the health of the ed tech ecosystem,” the report said. 

The study also found that 46% of apps it tested used a “potentially concerning” SDK. It collects data in the background, and people wouldn’t ever know unless they had the same tools and capabilities as security researchers.

“Our concern is how little users know and can control about what happens once data is collected through a relationship between the app and the SDK,” Palfrey said. “If you don’t know about it, you can’t control it, and you can’t say no to it.” 

Because these apps are circumventing permissions requests and the trackers are often hidden from public view, it’s hard to give advice to parents and teachers who have privacy concerns. The fix relies on regulators and platforms like Google and Apple to kick off misbehaving apps, the watchdog group said. 

“A lot of what we saw are the kinds of things that can be best remedied by good developer practices, good platform oversight or greater regulatory scrutiny,” Palfrey said. “As opposed to the kinds of things that parents or teachers on their own are able to remedy.”

The post Education apps are sending your location data and personal info to advertisers first appeared on Joggingvideo.com.

Facebook filed a lawsuit Thursday against MobiBurn, alleging that apps using code written by the data monetization company harvested information about the social network’s users without permission.

Last November, Facebook and Twitter launched investigations into two third-party software development kits (SDKs) that security researchers found were collecting data without consent.

Making an app from scratch takes a lot of time, and SDKs are building blocks developers can use instead. These chunks of code often come at a price to app users, though. SDKs can be free to developers in exchange for user data, which essentially means you can be tracked by companies you’ve never heard of. When you download an app that finds cheap gas, for instance, your location data may be actively sold to data brokers.

The practice is widespread across the data industry, and companies say it’s transparent because it’s disclosed in their privacy policies. But studies have found that the majority of people don’t read privacy policies, casting doubt on these assertions of transparency.

In its lawsuit, Facebook argues that MobiBurn wasn’t transparent about its actions, accusing the company of siphoning data from people’s devices without consent. The SDK would grab a digital key for the “Log In with Facebook” feature, and use it to make requests for data from Facebook every 24 hours. 

Data privacy

• Facebook wants your data: 5 ways to keep it safe
• How to delete your Facebook account once and for all
• Facebook sues analytics firm for allegedly harvesting user data

If your device had an app that was built with MobiBurn’s SDK, and that app was also linked to your Facebook account, the app would siphon data such as your name, time zone, email address and gender from your profile, the social network said. Facebook sent a cease-and-desist order to the UK-based company last November.

The lawsuit said MobiBurn had its SDK in about 400 apps for gaming, security and utility. In addition to grabbing data from Facebook accounts, the SDK would also take a device’s call logs, location data, contacts, browser type, email and other apps installed on the phone, according to court documents.

In a November statement, MobiBurn denied the accusations, saying “no data from Facebook is collected, shared or monetized by MobiBurn.” 

On Friday, MobiBurn doubled down on its defense, stating that it couldn’t have stolen data because none of the apps its SDK was installed on had the “Log In With Facebook” feature.

“MobiBurn and the other Defendants respect Facebook’s genuine but in this case unwarranted privacy concerns and were, and remain, prepared to give undertakings to the English courts to remove these concerns,” the company said in a statement. 

Facebook accused MobiBurn of paying developers to install its SDK in their apps, where the code remained hidden. The code harvested data until the social network disabled app access last November. MobiBurn has also since disabled its SDK.

The social network said that MobiBurn isn’t cooperating with Facebook’s request for an audit. The lawsuit marks the first time Facebook has sued a UK app developer. The social network says it wants an injunction to reinforce its ban against MobiBurn using Facebook’s platform. It’s still seeking an audit. 

“Today’s actions are the latest in our efforts to protect people who use our services, hold those who abuse our platform accountable, and advance the state of the law around data misuse and privacy,” Jessica Romero, Facebook’s director of platform enforcement and litigation, said in a statement.

MobiBurn said that it complied with Facebook’s request for an audit, to be carried out by a third-party cybersecurity company rather than the social network. 

Now playing:
Watch this:

Facebook braces for Apple’s privacy changes, Fall Guys…

1:35

This isn’t the first time Facebook has turned to legal action against alleged data abuse. In February, the social network sued data analytics firm OneAudience for a similar practice, alleging the company paid developers to install its SDK in shopping and gaming apps so it could harvest data. 

Facebook has also sued developers over alleged data scraping abuse, ad fraud and hacking campaigns. 

Along with Thursday’s lawsuit against MobiBurn, Facebook also announced litigation against Nakrutka, a service it accused of using bots to generate fake likes, comments, views and followers on Instagram.

The service’s website, which is entirely in Russian, openly markets fake engagement from bots. 

Nakrutka didn’t immediately respond to a request for comment. 

The post Facebook sues company allegedly behind data first appeared on Joggingvideo.com.

Geofence warrants are a concern among privacy advocates and lawmakers, and recently unsealed court documents show that Google engineers also have issues with the sweeping requests for location data. 

On Friday, Arizona’s attorney general published internal emails from Google obtained as part of an ongoing lawsuit by the state on alleged consumer fraud and location data. Google had fought to keep its internal discussions secret, saying the investigation was “improperly publicized.”

On Aug. 5, a judge’s order ruled that Google had to affirmatively move to seal documents, and anything the tech giant didn’t take action on would be released publicly, an Arizona attorney general spokesperson said. Of the 270 documents obtained by the state attorney general’s office, 33 have been made public.

The released documents show internal discussions among Google engineers and communications staff that highlighted frustrations over the company’s collection of location data and the lack of meaningful controls for its billions of users. 

“Location off should mean location off, not ‘except for this case or that case,'” a Google engineer wrote in an email thread on Aug. 13, 2018. “The current UI feels like it is designed to make things possible, yet difficult enough that people won’t figure it out.” 

The discussions also included worries about geofence warrants — requests for location data in which law enforcement provides a time and a place, and Google responds with information on all devices that were in that area. 

Alphabet-owned Google isn’t the only company that has location data, but it does receive the majority of geofence warrants because of its Sensorvault database, which stores location history for millions of people, and its vast amount of users. 

“Privacy controls have long been built into our services and our teams work continuously to discuss and improve them. In the case of location information, we’ve heard feedback, and have worked hard to improve our privacy controls,” said Jose Castaneda, a Google spokesperson. “In fact, even these cherry picked published extracts state clearly that the team’s goal was to ‘Reduce confusion around Location History Settings.'” 

Geofence warrants face constitutional challenges in Virginia, and lawmakers in New York have proposed a bill to make them illegal. In Illinois, a federal judge on Monday struck down the practice, finding that the warrants violated the Fourth Amendment. 

Police have increasingly used geofence warrants, with a 1,500 percent rise from 2017 to 2018, and a subsequent 500 percent increase from 2018 to 2019. The surge in geofence warrant requests, coupled with confusion among Google staff about location data, rang privacy alarms within the search giant, the court documents show.

Managing Your Location History

• Google will now let you automatically delete location and activity history. Here’s how
• Google collects a frightening amount of data about you. You can find and delete it now
• How to turn off Google Maps’ invasive location history log

After a Google staffer explained there were three different settings for location data — Location Services, which uses your GPS, Location History, which logs where you’ve been, and Timeline, which makes an itinerary from your logs — a software engineer expressed frustration in internal emails. 

“I’d want to know which of these options (some? All? none?) enter me into the wrongful-arrest lottery,” the engineer wrote. “And I’d want that to be very clear to even the least technical people.”

While other Google staffers on the email thread looked to downplay concerns over geofence warrants, the engineer called the practice scary, pointed out that police were randomly searching for people, and argued the company had a responsibility to protect people’s data from government requests. 

“I feel like erring on the side of validating people’s expectations for keeping their information away from potentially unreasonable uses by the government is anyone’s job who works here,” the engineer said in an email on April 5, 2019. 

The internal emails offer a glimpse at how some Google staffers view geofence warrants, a subject the company has been careful in discussing. In recent testimony, CEO Sundar Pichai told Congress the warrants were an important area for lawmakers to have oversight on. 

Privacy advocates are asking for Google to do more against geofence warrants. 

“These emails describe a Google where employees know enough about geofence warrants to be scared, without knowing enough to actually fix the problem,” said Surveillance Technology Oversight Project Executive Director Albert Fox Cahn. “The internal fight over geofence warrants is particularly alarming. It highlights just how dependent we are on giant tech firms to push back when police try to weaponize our devices against the public.”

Now playing:
Watch this:

Turn off Google location tracking for real

1:35

‘Trying to rein in the overall mess’ 

Internal emails from Google going as far back as October 2014 show the company knew that its privacy settings were confusing. 

A presentation titled Simplifying Location History Settings (On Android) noted that “most users don’t understand the difference between location reporting and location history.” 

Location History, which people need to opt in to on Google Maps, is a log of where you’ve been. Location Reporting is which devices are the ones providing that data. 

That confusion carried on, with emails from 2016 noting that even Google’s own staffers didn’t know there were switches to turn off location reporting for each device. An email from 2017 described a project to “rein in the overall mess that we have with regards to data collection, consent and storage.” 

The same staffer pointed out Location History specifically, calling it “super messy.” 

It appeared to still be a mess by 2018, when the Associated Press published an investigation of Google location tracking that revealed the company still tracked people even after they’d turned the function off.

In internal emails from April 2019, a Google staffer pointed out that he thought he’d turned off tracking. It turned out he’d only turned off location history and that the tracking function was still active. 

“Our messaging around this is enough to confuse a privacy-focused Google [software engineer]. That’s not good,” the engineer said. “*I* should be able to get *my* location on *my* phone without sharing that information with Google. This may be how Apple is eating our lunch.”

The engineer wasn’t alone in this criticism, with multiple emails saying the company wasn’t doing a good job at explaining how it tracks location data, confusing its own engineers. 

“The real failure is that we shipped a [user interface] that confuses users and requires explanation,” a Google staffer said.

The post Google court docs raise concerns on geofence warrants, location tracking first appeared on Joggingvideo.com.

 The Los Angeles city attorney on Wednesday announced a settlement with the Weather Channel over a lawsuit claiming the company’s app gathered millions of people’s location data without properly disclosing that the sensitive information was shared with advertisers. 

The office considered the settlement a major privacy win, as it will now require The Weather Channel app to notify users that they are constantly being tracked rather than hide it in unread privacy policies. 

 “Our successful work to ensure meaningful consumer notice and consent and to hold The Weather Channel App accountable puts other Apps on notice:  We’re monitoring their practices and will continue to be vigilant in fighting for consumers,” LA City Attorney Mike Feuer said in a statement. 

But the terms of the settlement don’t mean much for the average person’s privacy. The Weather Channel’s app will continue being able to track your movements and profit off your data, as long as it tells you in a pop-up when you first download the app or when it’s updated later. 

The company didn’t respond to a request for comment. 

Data privacy has become an ongoing chore. While laws like the California Consumer Privacy Act require companies to allow people to opt out of tracking and send deletion requests, much of the burden is still on you rather than the companies themselves. Your default privacy settings often provide the weakest protections, requiring you to maintain data hygiene rather than the companies that handle that information.

Data brokers often argue that they are transparent about collecting information from people, while the disclosure is often hidden in the fine print on privacy policies, which the majority of people don’t read.  

The Weather Channel’s settlement will make that disclosure much more obvious, but research shows that you’ll be just as likely to glance over that, too. 

The settlement requires the Weather Channel to update the app’s “Blue Screen” and “Learn More” pages by Oct. 15. The former pops up whenever you download the app or an update arrives, and the latter appears if you click on a prompt. 

Here’s what a sample of that disclosure could look like, according to the settlement: 

Location and Your Weather

Did you know that if you allow access to your device’s location and barometric pressure sensor data, it enables us automatically to provide you with more accurate local forecasts? 

As our Privacy Policy describes, if you grant permission, we use your device’s location to deliver forecasts and weather alerts. We also may use and share this information with trusted partners for ads, and to provide and improve our Services. Regardless of whether or not you allow location access, you can always receive accurate local forecasts by manually entering a location.

You can change permissions at any time. Learn More.

I Understand

How many of you actually read that entire post?

Researchers have found that people suffer from “consent fatigue.” When so many of these disclosure pop-ups happen, like privacy policies, people will glance it over and click yes, and then be shocked to find out that their data has been tracked for years. 

And you’ll only get that pop-up any time the app updates, not any time you’re being tracked or data about you is being sold. 

“It really isn’t much,” said Ben Brook, the co-founder and CEO of privacy infrastructure company Transcend. “Whether they make broader efforts to provide more choice to end users is still to be determined.” 

In the suggested language, the Weather Channel app also doesn’t disclose who those “trusted partners” are. To find that, you need to go on a separate page, which discloses ad partners like CuebIQ and LiveRamp. 

LiveRamp is a major marketing company responsible for “data on-boarding,” a practice where advertisers can link your online identity with offline activities like physical purchases and your location history. CuebIQ has used its troves of location data to help policymakers keep track of COVID-19’s spread. 

Location data is also often sold by advertisers to government agencies, including agencies behind immigration enforcement. 

The most important lines from the Weather Channel’s new notice required by its settlement are kept at the end. You can still get accurate information without constantly giving the app your location data, and you can opt out at any time. 

The terms of LA’s settlement expire within two years, but data-tracking companies may have to adapt to a more privacy-focused message if they want to stay in business, Brook said. 

“For these companies to stay relevant in the long term, it’s going to be very important for them to be more transparent and provide more control to end users,” he said. 

The post Weather Channel’s location data settlement doesn’t mean much for your privacy first appeared on Joggingvideo.com.

Travelers heading to the US have many reasons to be cautious about their devices when it comes to privacy. A report released Thursday from the Department of Homeland Security provides even more cause for concern about how much data border patrol agents can pull from your phones and computers.

In a Privacy Impact Assessment dated July 30, the DHS detailed its US Border Patrol Digital Forensics program, specifically for its development of tools to collect data from electronic devices. For years, DHS and border agents were allowed to search devices without a warrant, until a court found the practice unconstitutional in November 2019. 

In 2018, the agency searched more than 33,000 devices, compared to 30,200 searches in 2017 and just 4,764 searches in 2015. Civil rights advocates have argued against this kind of surveillance, saying it violates people’s privacy rights. 

The report highlights the DHS’ capabilities, and shows that agents can create an exact copy of data on devices when travelers cross the border. According to the DHS, extracted data from devices can include:

• Contacts 
• Call logs/details 
• IP addresses used by the device 
• Calendar events 
• GPS locations used by the device 
• Emails
• Social media information
• Cell site information
• Phone numbers
• Videos and pictures
• Account information (user names and aliases)
• Text/chat messages
• Financial accounts and transactions
• Location history
• Browser bookmarks
• Notes
• Network information
• Tasks list

The policy to retain this data for 75 years still remains, according to the report. 

That data is extracted and saved on the DHS’ local digital forensics network, and transferred to PenLink PLX, a phone surveillance software that helps manage metadata taken from devices. 

“Collection of this data will be based on a law enforcement/investigative purpose related to authorities [US Customs and Border Protection] is responsible for enforcing. Legal authorities such as a Search Warrant, Consent, Border Search or other Fourth Amendment exceptions will be used to gather the data that will be inputted into PLX,” a DHS spokesman said in a statement.

PenLink is used by police across the US to intercept text messages, phone calls and GPS data from devices.

But it also analyzes data from social media and tech platforms, according to its website. 

On its free trial offer, PenLink tells potential customers that it can map collected data including Snapchat geolocations, Facebook logged locations and Google’s geofenced data. The company didn’t respond to a request for comment. 

“USBP uses the information it gathers using these tools to develop leads, identify trends associated with illicit activity, and further law enforcement actions related to terrorism, human and narcotic smuggling, and other activities posing a threat to border security or national security or indicative of criminal activity,” the DHS report stated. 

The detailed list of how much information your phone can give about you came several days before the National Security Agency advised its staffers of the best practices for keeping their device data private. They include turning off location services and advertising permissions, and deactivating Bluetooth and Wi-Fi. 

The DHS said the privacy risks of using the tools are low because only trained forensics technicians will have access to the tools, and only data relevant to investigations will be extracted. 

That assurance is in stark contrast from what lawyers from the American Civil Liberties Union and the Electronic Frontier Foundation found, after a lawsuit revealed that agents had searched through travelers’ devices without any restrictions, and often for unrelated reasons like enforcing bankruptcy laws and helping outside investigations.  

The post Homeland Security details new tools for extracting device data at US borders first appeared on Joggingvideo.com.