Privacy

A bill was recently introduced to the New York State Senate by Senator Kevin Parker and Brooklyn borough President, Eric Adams, that would require gun license applicants to hand over social media passwords, and 3 years of search history for review by the State. Regardless of how you feel about gun rights, this is a clear violation of privacy, and a request like this in any context is completely inappropriate, and totally unconstitutional. Background checks are one thing, but the process outlined in this bill goes way too far. This isn't about gun rights, this is about privacy rights.

The authorities intend to check that all licence applicants are totally politically correct. The relevant text of the bill reads:

In order to ascertain whether any social media account or search engine history of an applicant presents any good cause for the denial of a license, the investigating officer shall, after obtaining the applicant's consent pursuant to subdivision three of this section, and obtaining any log-in name, password or other means for accessing a personal account, service, or electronic communications device necessary to review such applicant's social media accounts and search engine history, review an applicant's social media accounts for the previous three years and search engine history for the previous year and investigate an applicant's posts or searches related to:

• (i) commonly known profane slurs or biased language used to describe the race, color, national origin, ancestry, gender, religion, religious practice, age, disability or sexual orientation of a person;

• (ii) threatening the health or safety of another person;

• (iii) an act of terrorism; or

• (iv) any other issue deemed necessary by the investigating officer.

For the purposes of this subdivision, "social media accounts" shall only include facebook, snapchat, twitter and instagram, and "search engine" shall only include google, yahoo and bing.

Security experts have long warned that it's extremely dangerous to give your password to anyone, including your local police department. It not only exposes you to unreasonably intrusive analysis, but also exposes private details of everyone you have ever communicated with with online. If your friend wants to buy a gun does that mean the police should get to read every message you've ever sent them? The best thing we can do is reject these ideas right now to prevent bad privacy practices from become normalized.

It makes perfect sense to require background checks and other vetting before allowing someone to purchase a weapon, but setting any precedent that allows the government to demand social media passwords is extremely dangerous. If you care about privacy, and keeping a close eye on overreaching state power, please sign this petition and tell the NY State Senate that you oppose bill S9191.

Sign the petition from actionnetwork.org

Facebook has been fined ?10m (£8.9m) by Italian authorities for misleading users over its data practices.

The two fines issued by Italy's competition watchdog are some of the largest levied against the social media company for data misuse.

The Italian regulator found that Facebook had breached the country's consumer code by:

• Misleading users in the sign-up process about the extent to which the data they provide would be used for commercial purposes.
• Emphasising only the free nature of the service, without informing users of the "profitable ends that underlie the provision of the social network", and so encouraging them to make a decision of a commercial nature that they would not have taken if they were in full possession of the facts.
• Forcing an "aggressive practice" on registered users by transmitting their data from Facebook to third parties, and vice versa, for commercial purposes.

The company was specifically criticised for the default setting of the Facebook Platform services, which in the words of the regulator, prepares the transmission of user data to individual websites/apps without express consent from users. Although users can disable the platform, the regulator found that its opt-out nature did not provide a fully free choice.

The authority has also directed Facebook to publish an apology to users on its website and on its app.

Parliament's fake news inquiry has published a cache of seized Facebook documents including internal emails sent between Mark Zuckerberg and the social network's staff. The emails were obtained from the chief of a software firm that is suing the tech giant. About 250 pages have been published, some of which are marked highly confidential.

Facebook had objected to their release.

Damian Collins MP, the chair of the parliamentary committee involved, highlighted several key issues in an introductory note. He wrote that:

• Facebook allowed some companies to maintain "full access" to users' friends data even after announcing changes to its platform in 2014/2015 to limit what developers' could see. "It is not clear that there was any user consent for this, nor how Facebook decided which companies should be whitelisted," Mr Collins wrote
• Facebook had been aware that an update to its Android app that let it collect records of users' calls and texts would be controversial. "To mitigate any bad PR, Facebook planned to make it as hard as possible for users to know that this was one of the underlying features," Mr Collins wrote
• Facebook used data provided by the Israeli analytics firm Onavo to determine which other mobile apps were being downloaded and used by the public. It then used this knowledge to decide which apps to acquire or otherwise treat as a threat
• there was evidence that Facebook's refusal to share data with some apps caused them to fail
• there had been much discussion of the financial value of providing access to friends' data

In response, Facebook has said that the documents had been presented in a very misleading manner and required additional context.

See Mark Zuckerberg's response on Facebook

Offsite Analysis: New Documents Show That Facebook Has Never Deserved Your Trust

7th December 2018. See  article from eff.org by Bennett Cyphers and Gennie Gebhart

Mastercard and Microsoft are collaborating in an identity management system that promises to remember users' identity verification and passwords between sites and services.

Mastercard highlights four particular areas of use: financial services, commerce, government services, and digital services (eg social media, music streaming services and rideshare apps). This means the system would let users manage their data across both websites and real-world services.

However, the inclusion of government services is an eyebrow-raising one. Microsoft and Mastercard's system could link personal information including taxes, voting status and criminal record, with consumer services like social media accounts, online shopping history and bank accounts.

As well as the stifling level of tailored advertising you'd receive if the system knew everything you did, this sets the dangerous precedent for every byte of users' information to be stored under one roof -- perfect for an opportunistic hacker or businessman. Mastercard mention it is working closely with players like Microsoft, showing that many businesses have access to the data.

Neither Microsoft nor Mastercard have slated a release date for the system, only promising additional details on these efforts will be shared in the coming months.

California is still trying to gag websites from sharing true, publicly available, newsworthy information about actors. While this effort is aimed at the admirable goal of fighting age discrimination in Hollywood, the law unconstitutionally punishes publishers of truthful, newsworthy information and denies the public important information it needs to fully understand the very problem the state is trying to address. So we have once again filed a friend of the court brief opposing that effort.

The case, IMDB v. Becerra , challenges the constitutionality of California Civil Code section 1798.83.5 , which requires "commercial online entertainment employment services providers" to remove an actor's date of birth or other age information from their websites upon request. The purported purpose of the law is to prevent age discrimination by the entertainment industry. The law covers any "provider" that "owns, licenses, or otherwise possesses computerized information, including, but not limited to, age and date of birth information, about individuals employed in the entertainment industry, including television, films, and video games, and that makes the information available to the public or potential employers." Under the law, IMDb.com, which meets this definition because of its IMDb Pro service, would be required to delete age information from all of its websites, not just its subscription service.

We filed a brief in the trial court in January 2017, and that court granted IMDb's motion for summary judgment, finding that the law was indeed unconstitutional. The state and the Screen Actors Guild, which intervened in the case to defend the law, appealed the district court's ruling to the U.S. Court of Appeals for the Ninth Circuit. We have now filed an amicus brief with that court. We were once again joined by First Amendment Coalition, Media Law Resource Center, Wikimedia Foundation, and Center for Democracy and Technology.

As we wrote in our brief, and as we and others urged the California legislature when it was considering the law, the law is clearly unconstitutional. The First Amendment provides very strong protection to publish truthful information about a matter of public interest. And the rule has extra force when the truthful information is contained in official governmental records, such as a local government's vital records, which contain dates of birth.

This rule, sometimes called the Daily Mail rule after the Supreme Court opinion from which it originates, is an extremely important free speech protection. It gives publishers the confidence to publish important information even when they know that others want it suppressed. The rule also supports the First Amendment rights of the public to receive newsworthy information.

Our brief emphasizes that although IMDb may have a financial interest in challenging the law, the public too has a strong interest in this information remaining available. Indeed, if age discrimination in Hollywood is really such a compelling issue, and EFF does not doubt that it is, hiding age information from the public makes it difficult for people to participate in the debate about alleged age discrimination in Hollywood, form their own opinions, and scrutinize their government's response to it.

The IWF writes:

The Internet Watch Foundation (IWF) calls on the European Commission to reconsider proposed legislation on E-Privacy. This is important because if the proposal is enshrined in law, it will potentially have a direct impact on the tech companies' ability to scan their networks for illegal online child sexual abuse images and videos.

Under Article 5 of the proposed E-Privacy legislation, people would have more control over their personal data. As currently drafted, Article 5 proposes that tech companies would require the consent of the end user (for example, the person receiving an email or message), to scan their networks for known child sexual abuse content. Put simply, this would mean that unless an offender agreed for their communications to be scanned, technology companies would no longer be able to do that.

Susie Hargreaves of the IWF says:

At a time when IWF are taking down more images and videos of child sexual abuse, we are deeply concerned by this move. Essentially, this proposed new law could put the privacy rights of offenders, ahead of the rights of children - children who have been unfortunate enough to be the victim of child sexual abuse and who have had the imagery of their suffering shared online.

We believe that tech companies' ability to scan their networks, using PhotoDNA and other forms of technology, for known child sexual abuse content, is vital to the battle to rid the internet of this disturbing material.

It is remarkable that the EU is pursuing this particular detail in new legislation, which would effectively enhance the rights of possible 'offenders', at a time when the UK Home Secretary is calling on tech companies to do more to protect children from these crimes. The only way to stop this ill-considered action, is for national governments to call for amendments to the legislation, before it's too late. This is what is in the best interests of the child victims of this abhorrent crime.

Facebook has files a patent that describes a method of using the devices of Facebook app users to identify various wireless signals from the devices of other users.

It explains how Facebook could use those signals to measure exactly how close the two devices are to one another and for how long, and analyses that data to infer whether it is likely that the two users have met. The patent also suggests the app could record how often devices are close to one another, the duration and time of meetings, and can even use its gyroscope and accelerometer to analyse movement patterns, for example whether the two users may be going for a jog, smooching or catching a bus together.

Facebook's algorithm would use this data to analyse how likely it is that the two users have met, even if they're not friends on Facebook and have no other connections to one another. This might be based on the pattern of inferred meetings, such as whether the two devices are close to one another for an hour every Thursday, and an algorithm would determine whether the two users meeting was sufficiently significant to recommend them to each other and/or friends of friends.

I don't suppose that Facebook can claim this patent though as police and the security services have no doubt been using this technique for years.

Privacy International has filed complaints against seven data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK.

It's been more than five months since the EU's General Data Protection Regulation (GDPR) came into effect. Fundamentally, the GDPR strengthens rights of individuals with regard to the protection of their data, imposes more stringent obligations on those processing personal data, and provides for stronger regulatory enforcement powers -- in theory.

In practice, the real test for GDPR will be in its enforcement.

Nowhere is this more evident than for data broker and ad-tech industries that are premised on exploiting people's data. Despite exploiting the data of millions of people, are on the whole non-consumer facing and therefore rarely have their practices challenged.

The Google+ social network exposed the personal information of hundreds of thousands of people using the site between 2015 and March 2018, according to a report in the Wall Street Journal. But managers at the company chose not to go public with the failures, because they worried that it would invite scrutiny from regulators, particularly in the wake of Facebook's security failures.

Shortly after the report was published, Google announced that it would be shutting down Google+ by August 2019. In the announcement, Google also announced raft of new security features for Android, Gmail and other Google platforms that it has taken as a result of privacy failures..

Google said it had discovered the issues during an internal audit called Project Strobe. Ben Smith, Google's vice president of engineering, wrote in a blog post:

Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.

The audit found that Goggle+ APIs allowed app developers to access the information of Google+ users' friends, even if that data was marked as private by the user. As many as 438 applications had access to the unauthorized Google+ data, according to the Journal.

Now, users will be given greater control over what account data they choose to share with each app. Apps will be required to inform users what data they will have access to. Users have to provide explicit permission in order for them to gain access to it. Google is also limiting apps' ability to gain access to users' call log and SMS data on Android devices.Additionally, Google is limiting which apps can seek permission to users' consumer Gmail data. Only email clients, email backup services and productivity services will be able to access this data.

Google will continue to operate Google+ as an enterprise product for companies.

Add a phone number I never gave Facebook for targeted advertising to the list of deceptive and invasive ways Facebook makes money off your personal information. Contrary to user expectations and Facebook representatives' own previous statements, the company has been using contact information that users explicitly provided for security purposes--or that users never provided at all --for targeted advertising.

A group of academic researchers from Northeastern University and Princeton University , along with Gizmodo reporters , have used real-world tests to demonstrate how Facebook's latest deceptive practice works. They found that Facebook harvests user phone numbers for targeted advertising in two disturbing ways: two-factor authentication (2FA) phone numbers, and shadow contact information. Two-Factor Authentication Is Not The Problem

First, when a user gives Facebook their number for security purposes--to set up 2FA , or to receive alerts about new logins to their account--that phone number can become fair game for advertisers within weeks. (This is not the first time Facebook has misused 2FA phone numbers .)

But the important message for users is: this is not a reason to turn off or avoid 2FA. The problem is not with two-factor authentication. It's not even a problem with the inherent weaknesses of SMS-based 2FA in particular . Instead, this is a problem with how Facebook has handled users' information and violated their reasonable security and privacy expectations.

There are many types of 2FA . SMS-based 2FA requires a phone number, so you can receive a text with a second factor code when you log in. Other types of 2FA--like authenticator apps and hardware tokens--do not require a phone number to work. However, until just four months ago , Facebook required users to enter a phone number to turn on any type of 2FA, even though it offers its authenticator as a more secure alternative. Other companies-- Google notable among them --also still follow that outdated practice.

Even with the welcome move to no longer require phone numbers for 2FA, Facebook still has work to do here. This finding has not only validated users who are suspicious of Facebook's repeated claims that we have complete control over our own information, but has also seriously damaged users' trust in a foundational security practice.

Until Facebook and other companies do better, users who need privacy and security most--especially those for whom using an authenticator app or hardware key is not feasible--will be forced into a corner. Shadow Contact Information

Second, Facebook is also grabbing your contact information from your friends. Kash Hill of Gizmodo provides an example :

...if User A, whom we'll call Anna, shares her contacts with Facebook, including a previously unknown phone number for User B, whom we'll call Ben, advertisers will be able to target Ben with an ad using that phone number, which I call shadow contact information, about a month later.

This means that, even if you never directly handed a particular phone number over to Facebook, advertisers may nevertheless be able to associate it with your account based on your friends' phone books.

Even worse, none of this is accessible or transparent to users. You can't find such shadow contact information in the contact and basic info section of your profile; users in Europe can't even get their hands on it despite explicit requirements under the GDPR that a company give users a right to know what information it has on them.

As Facebook attempts to salvage its reputation among users in the wake of the Cambridge Analytica scandal , it needs to put its money where its mouth is . Wiping 2FA numbers and shadow contact data from non-essential use would be a good start.

Facebook plans to unveil its Portal video chat device for the home next week.

Facebook originally planned to announce Portal at its annual F8 developer conference in May of this year. But the company's scandals, including the Cambridge Analytica data breach led executives to shelve the announcement at the last minute.

Portal will feature a wide-angle video camera, which uses artificial intelligence to recognize people in the frame and follow them as they move throughout a room. In response to the breakdown in trust for Facebook, the company has recently added a privacy shutter which can physically block the camera.

The so called cookie law, a moniker for the proposed new EU ePrivacy regulation due to come into play before the year is out, is expected to severely impact the use of cookies online and across digital marketing. As such, it could pose an even bigger test to businesses than GDPR . It's a regulation that will create a likely deficit in the customer information they collect even post-GDPR.

Current cookie banner notifications, where websites inform users of cookie collection, will make way for cookie request pop-ups that deny cookie collection until a user has opted in or out of different types of cookie collection. Such a pop-up is expected to cause a drop in web traffic as high as 40 per cent. The good news is that it will only appear should the user not have already set their cookie preferences at browser level.

The outcome for businesses whose marketing and advertising lies predominantly online is the inevitable reduction in their ability to track, re-target and optimise experiences for their visitors.

...

For any business with a website and dependent on cookies, the new regulations put them at severe risk of losing this vital source of consumer data . As a result, businesses must find a practical, effective and legal alternative to alleviate the burden on the shoulders of all teams involved and to offset any drastic shortfall in this crucial data.

....

Putting the power in the hands of consumers when it comes to setting browser-level cookie permissions will limit a business's ability to extensively track the actions users take on company websites and progress targeted cookie-based advertising. Millions of internet users will have the option to withdraw their dataset from the view of businesses, one of the biggest threats ePrivacy poses.

...Read the full article from smallbusiness.co.uk

When you turn off location history Google still tracks your location when you use several of its key services including Maps, search and the weather.

A report from the Associated Press has highlighted that the feature called location history is just one of the systems that Google uses to track your location for personalised services, local search and other purposes such as advertising.

When you turn off location history, Google stops automatically recording your location for features such as the Maps timeline, but it warns you that some location data may be saved as part of your activity on other Google services, like Search and Maps. When you perform a search, access Google Maps , or get the weather, either manually or automatically through a smartphone widget, Google will still log your location.

Here's how to really turn all of it off. (Assuming that you believe that Google will actually do what it says it will){

See article from theguardian.com

Offsite Comment: Google's snooping proves big tech will not change

See article from theguardian.com by Arwa Mahdawi

Google's snooping proves big tech will not change -- unless governments step in. News that the company tracks users even when they forbid it shows that technology giants do not take our privacy seriously. They must be regulated

And one last thought. When the BBFC published their consultation of age verification requirements for porn viewing. The BBFC skated over the privacy dangers in allowing private companies to track one's tastes in porn claiming that the industry would follow 'best practise' and safeguard users. Well if one of the biggest companies in the world cannot respect the privacy of their users, then what hope is there for the rest?

The US Federal Government is quietly meeting with top tech company representatives to develop a proposal to protect web users' privacy amid the ongoing fallout globally of scandals that have rocked Facebook and other companies.

Over the past month, the Commerce Department has met with representatives from Facebook and Google, along with Internet providers like AT&T and Comcast, and consumer advocates, sources told the Washington Post.

The goal of these meetings is to come up with a data privacy proposal at the federal level that could serve as a blueprint for Congress to pass sweeping legislation in the mode of the European Union GDPR. There are currently no laws that govern how tech companies harness and monetize US users' data.

A total of 22 meetings with more than 80 companies have been held on this topic over the last month.

One official at the White House told the Post this week that recent developments have been seismic in the privacy policy world, prompting the government to discuss what a modern U.S. approach to privacy protection might look like.

Here is an update on the Facebook app investigation and audit that Mark Zuckerberg promised on March 21.

As Mark explained, Facebook will investigate all the apps that had access to large amounts of information before we changed our platform policies in 2014 -- significantly reducing the data apps could access. He also made clear that where we had concerns about individual apps we would audit them -- and any app that either refused or failed an audit would be banned from Facebook.

The investigation process is in full swing, and it has two phases. First, a comprehensive review to identify every app that had access to this amount of Facebook data. And second, where we have concerns, we will conduct interviews, make requests for information (RFI) -- which ask a series of detailed questions about the app and the data it has access to -- and perform audits that may include on-site inspections.

We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into whether they did in fact misuse any data. Where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website. It will show people if they or their friends installed an app that misused data before 2015 -- just as we did for Cambridge Analytica.

There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time. We are investing heavily to make sure this investigation is as thorough and timely as possible. We will keep you updated on our progress.

Popular messaging service WhatsApp is introducing a minimum age restriction of 16yo, at least in Europe.

The Facebook owned service is changing the rules ahead of the introduction of new EU data privacy regulations in May.

The app,will ask users to confirm their age when prompted to agree new terms of service in the next few weeks. It has not said if the age limit will be enforced.

At present, WhatsApp does not ask users their age when they join, nor does it cross-reference their Facebook or Instagram accounts to find out. About a third of all UK-based 12- to 15-year-olds active on social media use WhatsApp, according to a 2017 report by the media regulator Ofcom. That made it the fifth most popular social network with the age group after Facebook, Snapchat, Instagram and YouTube.

The EU's General Data Protection Regulation (GDPR) includes specific rules to protect youngsters whose personal data is processed in order to provide them with online services. Such websites and apps are obliged to make reasonable efforts to verify that a parent or guardian has given consent for their child's data to be handled. The law says this obligation applies to under-16s, although some countries - including the UK - have been allowed to set the cut-off limit lower, at 13.

Facebook, which has also been criticised for its handling of personal data, is taking a different approach to younger users on its main service. To comply with GDPR , the social network is asking those aged 13 to 15 to nominate a parent or guardian to give permission for them to share information on the platform. If they do not, they will not see a fully personalised version of the platform.

The policy changes implemented in response to GDPR will surely have profound impact on the take up of social media services. Age restrictions (or the ability to ignore age restrictions) are incredibly important. For some apps, the dominant services are those that connect the most people, (whilst others become dominant because the effectively exclude parents). A messaging app will be diminished for many if the kids are banned from it. And as you start chipping away at the reach of the network so it would be less attractive to others on the network. Users could soon rift away to less restrictive alternatives.

This is so wrong on so many levels. Britain would undergo a mass tantrum.

How are parents supposed to entertain their kids if they can't spend all day on YouTube?

And what about all the privacy implications of letting social media companies have complete identity details of their users. It will be like Cambridge Analytica on speed.

Jeremy Hunt wrote to the social media companies:

Dear Colleagues,

Thank you for participating in the working group on children and young people's mental health and social media with officials from my Department and DCMS. We appreciate your time and engagement, and your willingness to continue discussions and potentially support a communications campaign in this area, but I am disappointed by the lack of voluntary progress in those discussions.

We set three very clear challenges relating to protecting children and young people's mental health: age verification, screen time limits and cyber-bullying. As I understand it, participants have focused more on promoting work already underway and explaining the challenges with taking further action, rather than offering innovative solutions or tangible progress.

In particular, progress on age verification is not good enough. I am concerned that your companies seem content with a situation where thousands of users breach your own terms and conditions on the minimum user age. I fear that you are collectively turning a blind eye to a whole generation of children being exposed to the harmful emotional side effects of social media prematurely; this is both morally wrong and deeply unfair on parents, who are faced with the invidious choice of allowing children to use platforms they are too young to access, or excluding them from social interaction that often the majority of their peers are engaging in. It is unacceptable and irresponsible for you to put parents in this position.

This is not a blanket criticism and I am aware that these aren't easy issues to solve. I am encouraged that a number of you have developed products to help parents control what their children an access online in response to Government's concerns about child online protection, including Google's Family Link. And I recognise that your products and services are aimed at different audiences, so different solutions will be required. This is clear from the submissions you've sent to my officials about the work you are delivering to address some of these challenges.
However, it is clear to me that the voluntary joint approach has not delivered the safeguards we need to protect our children's mental health. In May, the Department

for Digital, Culture, Media and Sport will publish the Government response to the Internet Safety Strategy consultation, and I will be working with the Secretary of State to explore what other avenues are open to us to pursue the reforms we need. We will not rule out legislation where it is needed.

In terms of immediate next steps, I appreciate the information that you provided our officials with last month but would be grateful if you would set out in writing your companies' formal responses, on the three challenges we posed in November. In particular, I would like to know what additional new steps you have taken to protect children and young people since November in each of the specific categories we raised: age verification, screen time limits and cyber-bullying. I invite you to respond by the end of this month, in order to inform the Internet Safety Strategy response. It would also be helpful if you can set out any ideas or further plans you have to make progress in these areas.

During the working group meetings I understand you have pointed to the lack of conclusive evidence in this area — a concern which I also share. In order to address this, I have asked the Chief Medical Officer to undertake an evidence review on the impact of technology on children and young people's mental health, including on healthy screen time. 1 will also be working closely with DCMS and UKRI to commission research into all these questions, to ensure we have the best possible empirical basis on which to make policy. This will inform the Government's approach as we move forwards.

Your industry boasts some of the brightest minds and biggest budgets globally. While these issues may be difficult, I do not believe that solutions on these issues are outside your reach; I do question whether there is sufficient will to reach them.

I am keen to work with you to make technology a force for good in protecting the next generation. However, if you prove unwilling to do so, we will not be deterred from making progress.

Grovelling to the Senate Judiciary and Commerce Committees, Mark Zuckerberg apologised that Facebook had not taken a broad enough view of its responsibility for people's public information. He ssaid:

It was my mistake, and I'm sorry. I started Facebook, I run it, and I'm responsible for what happens here.

Zuckerberg said its audit of third-party apps would highlight any misuse of personal information, and said the company would alert users instantly if it found anything suspicious.

When asked why the company did not immediately alert the 87 million users whose data may have been accessed by Cambridge Analytica (CA) when first told about the improper usage in 2015, Zuckerberg said Facebook considered it a closed case after CA said it had deleted it. He apologised:

In retrospect it was clearly a mistake to believe them.

Zuckerberg's profuse apologies seem to have been a hit at the stock exchange but techies weren't impressed when he clammed up when asked for details on how Facebook snoops on users (and non-users).

UK Censorship Culture Secretary Matt Hancock met Facebook executives to warn them the social network is not above law.

Hancock told US-based Vice President of Global Policy Management Monika Bickert, and Global Deputy Chief Privacy Officer Stephen Deadman he would hold their feet to the fire over the privacy of British users.

Hancock pressed Facebook on accountability, transparency, micro-targeting and data protection. He also sought assurances that UK citizens data was no longer at risk and that Facebook would be giving citizens more control over their data going forward.

Following the talks, Hancock said:

Social media companies are not above the law and will not be allowed to shirk their responsibilities to our citizens. We will do what is needed to ensure that people's data is protected and don't rule anything out - that includes further regulation in the future.

One of the more understated but intriguing statements in Zuckerberg's Vox interview this past Monday was his public acknowledgement at long last that the company uses computer algorithms to scan all of our private communications on its platform, including Facebook Messenger. While users could always manually report threatening or illegal behavior and communications for human review, Zuckerberg acknowledged for the first time that even in private chat sessions, Facebook is not actually a neutral communications platform like the phone company that just provides you a connection and goes away -- Facebook's algorithms are there constantly monitoring your most private intimate conversations in an Orwellian telescreen that never turns off.

...

The company emphasized in an interview last year that it does not use mine private conversations for advertising, but left open the possibility that they might scan them for other purposes.

In his interview this week, Zuckerberg offered that in cases where people are sending harmful and threatening private messages our systems detect that that's going on. We stop those messages from going through. His reference to our systems detect suggested this was more than just humans manually flagging threatening content. A spokesperson confirmed that in this case the first human recipients of the messages had manually flagged them as violations and as large number of users began flagging the same set of messages, Facebook's systems deleted future transmission of them. The company had previously noted that it uses similarity detection for its fake news and other filters, both matching exact duplicates and highly similar content. The company confirmed that its fingerprinting algorithms (which the company has previously noted include revenge porn, material from the shared terrorism database and PhotoDNA) are applied to private messages as well.

...Read the full article from forbes.com

For years, privacy advocates have been shouting about Facebook, and for years the population as a whole didn't care. Whatever the reason, the ongoing Cambridge Analytica saga seems to have temporarily burst this sense of complacency, and people are suddenly giving the company a lot more scrutiny.

When you delete Facebook, the company provides you with a compressed file with everything it has on you. As well as every photo you've ever uploaded and details of any advert you've ever interacted with, some users are panicking that Facebook seems to have been tracking all of their calls and texts. Details of who you've called, when and for how long appear in an easily accessible list -- even if you don't use Facebook-owned WhatsApp or Messenger for texts or calls.

Although it has been put around that Facebook have been logging calls without your permission, but this is not quite the case. In fact Facebook do actually follow Facebook settings and permissions, and do not track your calls if you don't give permission.  So the issue is people not realising quite how wide permissions are granted when you have ticked permission boxes.

Facebook seemed to confirm this in a statement in response:

You may have seen some recent reports that Facebook has been logging people's call and SMS (text) history without their permission. This is not the case. Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off.

So there you have it, if you use Messenger of Facebook Lite on Android you have indeed given the company permission to snoop on ALL your calls, not just those made through Facebook apps,

The convenience store 7-Eleven is rolling out artificial intelligence at its 11,000 stores across Thailand.

7-Eleven will use facial-recognition and behavior-analysis technologies for multiple purposes. The ones it has decided to reveal to the public are to identify loyalty members, analyze in-store traffic, monitor product levels, suggest products to customers, and even measure the emotions of customers as they walk around.

The company announced it will be using technology developed by US-based Remark Holdings, which says its facial-recognition technology has an accuracy rate of more than 96%. Remark, which has data partnerships with Alibaba, Tencent, and Baidu, has a significant presence in China.

The rollout at Thailand's 7-Eleven stores remains unique in scope. It could potentially be the largest number of facial-recognition cameras to be adopted by one company. No corporate entity is so entrenched in Thai lives, according to a report from Public Radio International. And that may be crucial not only to the success of facial recognition in 7-Eleven stores in Thailand, but across the region.

Today, most web browsers have private-browsing modes, in which they temporarily desist from recording the user's browsing history.

But data accessed during private browsing sessions can still end up tucked away in a computer's memory, where a sufficiently motivated attacker could retrieve it.

This week, at the Network and Distributed Systems Security Symposium, researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) and Harvard University presented a paper describing a new system, dubbed Veil, that makes private browsing more private.

Veil would provide added protections to people using shared computers in offices, hotel business centers, or university computing centers, and it can be used in conjunction with existing private-browsing systems and with anonymity networks such as Tor, which was designed to protect the identity of web users living under repressive regimes.

"Veil was motivated by all this research that was done previously in the security community that said, 'Private-browsing modes are leaky -- Here are 10 different ways that they leak,'" says Frank Wang, an MIT graduate student in electrical engineering and computer science and first author on the paper. "We asked, 'What is the fundamental problem?' And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place."

Wang is joined on the paper by his two thesis advisors: Nickolai Zeldovich, an associate professor of electrical engineering and computer science at MIT, and James Mickens , an associate professor of computer science at Harvard.

Shell game

With existing private-browsing sessions, Wang explains, a browser will retrieve data much as it always does and load it into memory. When the session is over, it attempts to erase whatever it retrieved.

But in today's computers, memory management is a complex process, with data continuously moving around between different cores (processing units) and caches (local, high-speed memory banks). When memory banks fill up, the operating system might transfer data to the computer's hard drive, where it could remain for days, even after it's no longer being used.

Generally, a browser won't know where the data it downloaded has ended up. Even if it did, it wouldn't necessarily have authorization from the operating system to delete it.

Veil gets around this problem by ensuring that any data the browser loads into memory remains encrypted until it's actually displayed on-screen. Rather than typing a URL into the browser's address bar, the Veil user goes to the Veil website and enters the URL there. A special server -- which the researchers call a blinding server -- transmits a version of the requested page that's been translated into the Veil format.

The Veil page looks like an ordinary webpage: Any browser can load it. But embedded in the page is a bit of code -- much like the embedded code that would, say, run a video or display a list of recent headlines in an ordinary page -- that executes a decryption algorithm. The data associated with the page is unintelligible until it passes through that algorithm.

Decoys

Once the data is decrypted, it will need to be loaded in memory for as long as it's displayed on-screen. That type of temporarily stored data is less likely to be traceable after the browser session is over. But to further confound would-be attackers, Veil includes a few other security features.

One is that the blinding servers randomly add a bunch of meaningless code to every page they serve. That code doesn't affect the way a page looks to the user, but it drastically changes the appearance of the underlying source file. No two transmissions of a page served by a blinding sever look alike, and an adversary who managed to recover a few stray snippets of decrypted code after a Veil session probably wouldn't be able to determine what page the user had visited.

If the combination of run-time decryption and code obfuscation doesn't give the user an adequate sense of security, Veil offers an even harder-to-hack option. With this option, the blinding server opens the requested page itself and takes a picture of it. Only the picture is sent to the Veil user, so no executable code ever ends up in the user's computer. If the user clicks on some part of the image, the browser records the location of the click and sends it to the blinding server, which processes it and returns an image of the updated page.

The back end

Veil does, of course, require web developers to create Veil versions of their sites. But Wang and his colleagues have designed a compiler that performs this conversion automatically. The prototype of the compiler even uploads the converted site to a blinding server. The developer simply feeds the existing content for his or her site to the compiler.

A slightly more demanding requirement is the maintenance of the blinding servers. These could be hosted by either a network of private volunteers or a for-profit company. But site managers may wish to host Veil-enabled versions of their sites themselves. For web services that already emphasize the privacy protections they afford their customers, the added protections provided by Veil could offer a competitive advantage.

"Veil attempts to provide a private browsing mode without relying on browsers," says Taesoo Kim, an assistant professor of computer science at Georgia Tech, who was not involved in the research. "Even if end users didn't explicitly enable the private browsing mode, they still can get benefits from Veil-enabled websites. Veil aims to be practical -- it doesn't require any modification on the browser side -- and to be stronger -- taking care of other corner cases that browsers do not have full control of."

A Californian law that prevented the Internet Movie Database (IMDb) from publishing the age of movie stars has been declared unconstitutional, and so the law is struck down on First Amendment grounds. A federal judge declared it not only to be unconstitutional, but also a bad solution to the wrong problem.

The law went into effect in 2017 after being signed by California Gov. Jerry Brown. The goal was to mitigate age discrimination in a youth-obsessed Hollywood by requiring IMDb to remove age-related information upon the request of a subscriber.

The judge explained:

Even if California had shown that the law was passed after targeted efforts to eliminate discrimination in the entertainment industry had failed, the law is not narrowly tailored. For one, the law is underinclusive, in that it bans only one kind of speaker from disseminating age-related information, leaving all other sources of that information untouched. Even looking just at IMDb.com, the law requires IMDb to take down some age-related information -- that of the members of its subscription service who request its removal -- but not the age-related information of those who don't subscribe to IMDbPro, or who don't ask IMDb.com to take their information down.

The judge adds that the law is also overinclusive:

For instance, it requires IMDb not to publish the age-related information of all those who request that their information not be published, not just of those protected by existing age discrimination laws, states the opinion (read below). If the state is concerned about discriminatory conduct affecting those not covered by current laws, namely those under 40, it certainly has a more direct means of addressing those concerns than imposing restrictions on IMDb's speech.

Californian officials said the state will be appealing this ruling to the Ninth Circuit Court of Appeals.

Germany

In a ruling of particular interest to those working in the adult entertainment biz, a German court has ruled that Facebook's real name policy is illegal and that users must be allowed to sign up for the service under pseudonyms.

The opinion comes from the Berlin Regional Court and disseminated by the Federation of German Consumer Organizations, which filed the suit against Facebook. The Berlin court found that Facebook's real name policy was a covert way of obtaining users' consent to share their names, which are one of many pieces of information the court said Facebook did not properly obtain users' permission for.

The court also said that Facebook didn't provide a clear-cut choice to users for other default settings, such as to share their location in chats. It also ruled against clauses that allowed the social media giant to use information such as profile pictures for commercial, sponsored or related content.

Facebook told Reuters it will appeal the ruling, but also that it will make changes to comply with European Union privacy laws coming into effect in June.

Belgium

Facebook has been ordered to stop tracking people without consent, by a court in Belgium. The company has been told to delete all the data it had gathered on people who did not use Facebook. The court ruled the data was gathered illegally.

Belgium's privacy watchdog said the website had broken privacy laws by placing tracking code on third-party websites.

Facebook said it would appeal against the ruling.

The social network faces fines of 250,000 euros a day if it does not comply.

The ruling is the latest in a long-running dispute between the social network and the Belgian commission for the protection of privacy (CPP). In 2015, the CPP complained that Facebook tracked people when they visited pages on the site or clicked like or share, even if they were not members.

Some users have reported seeing pop ups in Instagram (IG) informing them that, from now on, Instagram will be flagging when you record or take a screenshot of other people's IG stories and informing the originator that you have rsnapped or ecorded the post.

According to a report by Tech Crunch , those who have been selected to participate in the IG trial can see exactly who has been creeping and snapping their stories. Those who have screenshotted an image or recorded a video will have a little camera shutter logo next to their usernames, much like Snapchat.

Of course, users have already found a nifty workaround to avoid social media stalking exposure. So here's the deal: turning your phone on airplane mode after you've loaded the story and then taking your screenshot means that users won't be notified of any impropriety (sounds easy for Instagram to fix this by saving the keypress until the next time it communicates with the Instagram server). You could also download the stories from Instagram's website or use an app like Story Reposter. Maybe PC users just need another small window on the desktop, then move the mouse pointer to the small window before snapping the display.

Clearly, there's concerns on Instagram's part about users' content being shared without their permission, but if the post is shared with someone for viewing, it is pretty tough to stop then from grabbing a copy for themselves as they view it.

Smartphones rule our lives. Having information at our fingertips is the height of convenience. They tell us all sorts of things, but the information we see and receive on our smartphones is just a fraction of the data they generate. By tracking and monitoring our behaviour and activities, smartphones build a digital profile of shockingly intimate information about our personal lives.

These records aren’t just a log of our activities. The digital profiles they create are traded between companies and used to make inferences and decisions that affect the opportunities open to us and our lives. What’s more, this typically happens without our knowledge, consent or control.

New and sophisticated methods built into smartphones make it easy to track and monitor our behaviour. A vast amount of information can be collected from our smartphones, both when being actively used and while running in the background. This information can include our location, internet search history, communications, social media activity, finances and biometric data such as fingerprints or facial features. It can also include metadata – information about the data – such as the time and recipient of a text message.

Each type of data can reveal something about our interests and preferences, views, hobbies and social interactions. For example, a study conducted by MIT demonstrated how email metadata can be used to map our lives , showing the changing dynamics of our professional and personal networks. This data can be used to infer personal information including a person’s background, religion or beliefs, political views, sexual orientation and gender identity, social connections, or health. For example, it is possible to deduce our specific health conditions simply by connecting the dots between a series of phone calls.

Different types of data can be consolidated and linked to build a comprehensive profile of us. Companies that buy and sell data – data brokers – already do this. They collect and combine billions of data elements about people to make inferences about them. These inferences may seem innocuous but can reveal sensitive information such as ethnicity, income levels, educational attainment, marital status, and family composition.

A recent study found that seven in ten smartphone apps share data with third-party tracking companies like Google Analytics. Data from numerous apps can be linked within a smartphone to build this more detailed picture of us, even if permissions for individual apps are granted separately. Effectively, smartphones can be converted into surveillance devices.

The result is the creation and amalgamation of digital footprints that provide in-depth knowledge about your life. The most obvious reason for companies collecting information about individuals is for profit, to deliver targeted advertising and personalised services. Some targeted ads, while perhaps creepy, aren’t necessarily a problem, such as an ad for the new trainers you have been eyeing up.

But targeted advertising based on our smartphone data can have real impacts on livelihoods and well-being, beyond influencing purchasing habits. For example, people in financial difficulty might be targeted for ads for payday loans . They might use these loans to pay for unexpected expenses , such as medical bills, car maintenance or court fees, but could also rely on them for recurring living costs such as rent and utility bills. People in financially vulnerable situations can then become trapped in spiralling debt as they struggle to repay loans due to the high cost of credit.

Targeted advertising can also enable companies to discriminate against people and deny them an equal chance of accessing basic human rights, such as housing and employment. Race is not explicitly included in Facebook’s basic profile information, but a user’s “ethnic affinity” can be worked out based on pages they have liked or engaged with. Investigative journalists from ProPublica found that it is possible to exclude those who match certain ethnic affinities from housing ads , and certain age groups from job ads .

This is different to traditional advertising in print and broadcast media, which although targeted is not exclusive. Anyone can still buy a copy of a newspaper, even if they are not the typical reader. Targeted online advertising can completely exclude some people from information without them ever knowing. This is a particular problem because the internet, and social media especially, is now such a common source of information.

Social media data can also be used to calculate creditworthiness , despite its dubious relevance. Indicators such as the level of sophistication in a user’s language on social media, and their friends’ loan repayment histories can now be used for credit checks. This can have a direct impact on the fees and interest rates charged on loans, the ability to buy a house, and even employment prospects .

There’s a similar risk with payment and shopping apps. In China, the government has announced plans to combine data about personal expenditure with official records, such as tax returns and driving offences. This initiative, which is being led by both the government and companies, is currently in the pilot stage . When fully operational, it will produce a social credit score that rates an individual citizen’s trustworthiness. These ratings can then be used to issue rewards or penalties, such as privileges in loan applications or limits on career progression.

These possibilities are not distant or hypothetical – they exist now. Smartphones are effectively surveillance devices , and everyone who uses them is exposed to these risks. What’s more, it is impossible to anticipate and detect the full range of ways smartphone data is collected and used, and to demonstrate the full scale of its impact. What we know could be just the beginning.

Vivian Ng , Senior Research Officer, Human Rights Centre, University of Essex, University of Essex and Catherine Kent , Project Officer, Human Rights Centre, University of Essex

This article was originally published on The Conversation . Read the original article .

A large number of games apps are snooping on players using the smart phone's microphone to listen to what is playing on TV, The apps recognise TV audio and report back what is being watched to home base, supposedly to help in targeted advertising.

Software from Alphonso, a start-up that collects TV-viewing data for advertisers, is used in at least 1000 games. The games do actually seek user consent to use the microphone but users may not be fully aware of the consequences of leaving an open mike in their house or in their children's rooms

Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely and to try to analyze things like which ads prompted a person to go to a car dealership.

Alphonso claims that its software does not record human speech. The company claims that it did not approve of its software being used in apps meant for children. But it was, as of earlier this month, integrated in more than a dozen games like Teeth Fixed and Zap Balloons from KLAP Edutainment in India, which describes itself as primarily focusing on offering educational games for kids and students.

The app can record audio from the microphone when the game is being player or when it is still running in background on the phone.

Comment: Alphonso knows what you watched last summer

5th January 2018 See  article from openrightsgroup.org

Technology startup Alphonso has caused widespread concern by using smartphones microphones to monitor the TV and media habits of games and apps users.

The New York Times has published a story about a company called Alphonso that has developed a technology that uses smartphone microphones to identify TV and films being played in the background. Alphonso claims not to record any conversations, but simply listen to and encode samples of media for matching in their database. The company combines the collected data with identifiers and uses the data to target advertising, audience measurement and other purposes. The technology is embedded in over one thousand apps and games but the company refuses to disclose the exact list.

Alphonso argues that users have willingly given their consent to this form of spying on their media consumption and can opt out at any time. They argue that their behaviour is consistent with US laws and regulations.

Even if Alphonso were not breaking any laws here or in the US, there is a systemic problem with the growing intrusion of these types of technologies that monitor ambient sounds in private spaces without sufficient public debate. Apps are sneaking this kind of surveillance in, using privacy mechanisms that clearly cannot cope. This is despite the apps displaying a widget asking for permission to use the microphone to detect TV content, which would be a "clear affirmative action" for consent as required by law. Something is not working, and app platforms and regulators need to take action.

In addition to the unethical abuse of users' lack of initiative or ignorance - a bit like tobacco companies - there could be some specific breaches of privacy. The developers are clearly following the letter of the law in the US, obtaining consent and providing an opt out, but in Europe they could face more trouble, particularly after May when the General Data Protection Regulaiton (GDPR) comes into force.

One of the newer requirements on consent under GDPR will be to make it as easy to withdraw as it was to give it in the first place. Alphonso has a web-page with information on how to opt out through the privacy settings of devices, and this information is copied in at least some of the apps' privacy policies, buried under tons of legalese. This may not be good enough. Besides, once that consent is revoked, companies will need to erase any data obtained if there is no other legitimate justification to keep it. It is far from clear this is happening now, or will be in May.

There is also a need for complete clarity on who is collecting the data and being responsible for handling any consent and its revocation. At present the roles of app developers, Apple, Google and Alphonso are blurred.

We have been asked whether individuals can take legal action. We think that under the current regime in the UK this may be difficult because the bar is quite high and the companies involved are covering the basic ground. GDPR will make it easier to launch consumer complaints and legal action. The new law will also explicitly allow non-material damages, which is possible already in limited circumstances, including for revealing "political opinions, religion or philosophical beliefs" . Alphonso is recording the equivalent of a reading list of audiovisual media and might be able to generate such information.

Many of these games are aimed at children. Under GDPR, all data processing of children data is seen as entailing a risk and will need extra care. Whether children are allowed to give consent or must get it from their parents/guardians will depend on their age. In all cases information aimed at children will need to be displayed in a language they can understand. Some of the Alphonso games we checked have an age rating of 4+.

Consumer organisations have presented complaints in the past for similar issues in internet connected toys and we think that Alphonso and the developers involved should be investigated by the Information Commissioner.