‘Power Run Amok’: Madison Square Garden Uses Face-Scanning Tech to Remove Perceived Adversaries

Barbara Hart was celebrating her wedding anniversary and waiting for Brandi Carlile to take the stage at Madison Square Garden on Oct. 22, when a pair of security guards approached her and her husband by their seats and asked for the couple to follow them. At first, Hart tells Rolling Stone she was excited, thinking it was some sort of surprise before the concert started. Her excitement turned to anxiety soon after, however, as she spoke with security and gathered that she’d been identified using facial-recognition technology. Then they escorted her out of the venue.

Hart was initially confused, having no idea why she was flagged. She says security informed her that she was being ejected because of her job as an attorney at Grant & Eisenhofer, a law firm currently litigating against Madison Square Garden’s parent company in a Delaware class-action suit involving several groups of shareholders.

Madison Square Garden Entertainment, owned by James Dolan (who has been known to kick out fans who anger him), confirms to RS that it enacted a policy in recent months forbidding anyone in active litigation against the company from entry to the company’s venues — which include the New York arena that gives the company its name, along with Radio City Music Hall, Beacon Theatre, and the Chicago Theatre. The company’s use of facial recognition tools itself dates back to at least 2018, when the New York Times reported on it; anyone who enters the venue is subject to scanning, and that practice now seems to coincide with the policy against opposing litigants.

“This is retaliatory behavior of powerful people against others, and that should be concerning to us,” says Hart, who also spoke of the incident in a sworn affidavit last month, as Reuters reported. Hart recalls that she declined to give MSG security her ID, but that they were able to correctly identify her anyway; she says security mentioned her picture appearing on Grant & Eisenhofer’s website, leading her to the conclusion that facial recognition was involved. “It was a very eerie experience to be on the receiving end of at that moment.”


A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?

In the fall of 2020, gig workers in Venezuela posted a series of images to online forums where they gathered to talk shop. The photos were mundane, if sometimes intimate, household scenes captured from low angles—including some you really wouldn’t want shared on the Internet. 

In one particularly revealing shot, a young woman in a lavender T-shirt sits on the toilet, her shorts pulled down to mid-thigh.

The images were not taken by a person, but by development versions of iRobot’s Roomba J7 series robot vacuum. They were then sent to Scale AI, a startup that contracts workers around the world to label audio, photo, and video data used to train artificial intelligence. 

They were the sorts of scenes that internet-connected devices regularly capture and send back to the cloud—though usually with stricter storage and access controls. Yet earlier this year, MIT Technology Review obtained 15 screenshots of these private photos, which had been posted to closed social media groups. 

The photos vary in type and in sensitivity. The most intimate image we saw was the series of video stills featuring the young woman on the toilet, her face blocked in the lead image but unobscured in the grainy scroll of shots below. In another image, a boy who appears to be eight or nine years old, and whose face is clearly visible, is sprawled on his stomach across a hallway floor. A triangular flop of hair spills across his forehead as he stares, with apparent amusement, at the object recording him from just below eye level.

The other shots show rooms from homes around the world, some occupied by humans, one by a dog. Furniture, décor, and objects located high on the walls and ceilings are outlined by rectangular boxes and accompanied by labels like “tv,” “plant_or_flower,” and “ceiling light.” 


New web tracking technique is bypassing privacy protections

Advertisers and web trackers have been able to aggregate users’ information across all of the websites they visit for decades, primarily by placing third-party cookies in users’ browsers.

Two years ago, several browsers that prioritize user privacy—including Safari, Firefox, and Brave—began to block third-party cookies for all users by default. This presents a significant issue for businesses that place ads on the web on behalf of other companies and rely on cookies to track click-through rates to determine how much they need to get paid.

Advertisers have responded by pioneering a new method for tracking users across the Web, known as user ID (or UID) smuggling, which does not require third-party cookies. But no one knew exactly how often this method was used to track people on the Internet.

Researchers at UC San Diego have for the first time sought to quantify the frequency of UID smuggling in the wild, by developing a measurement tool called CrumbCruncher. CrumbCruncher navigates the Web like an ordinary user, but along the way, it keeps track of how many times it has been tracked using UID smuggling.

The researchers found that UID smuggling was present in about 8 percent of the navigations that CrumbCruncher made. They presented these results at the Internet Measurement Conference Oct. 25 to 27, 2022 in Nice, France. The team is also releasing both their complete dataset and their measurement pipeline for use by browser developers.

The team’s main goal is to raise awareness of the issue with browser developers, said first author Audrey Randall, a computer science Ph.D. student at UC San Diego. “UID smuggling is more widely used than we anticipated,” she said. “But we don’t know how much of it is a threat to user privacy.”

UID smuggling can have legitimate uses, the researchers say. For example, embedding user IDs in URLs can allow a website to realize a user is already logged in, which means they can skip the login page and navigate directly to content. It’s also a tool that a company that owns websites with different domains can use to track user traffic.

It’s also, of course, a tool for affiliate advertisers to track traffic and get paid. For example, a blogger who advertises a product using affiliate links might be paid a commission if anyone clicks their links and then makes a purchase. UID smuggling can identify which blogger should get the commission.

But there are potentially more dangerous uses that researchers worry about. For example, a data broker could use UID smuggling to gather a database of users’ Internet navigation.


FBI Director pushes for “lawful access” to encrypted messages

FBI Director Christopher Wray last month spoke before the US Senate Homeland Security and Governmental Affairs Committee, and, among the many topics dedicated to “threats to the homeland,” he addressed that of encryption.

His remarks on this are carried by the FBI website under the heading, “Lawful Access.” Wray opens by saying that the agency is a strong advocate of “wide and consistent” encryption use.

The FBI chief goes on with platitudes, and not particularly sincere ones (considering his statements that followed): protecting online data and privacy is a top priority, and encryption a key element.

But…

“Encryption without lawful access, though, does have a negative effect on law enforcement’s ability to protect the public,” Wray says, and thus continues the FBI’s long-since established stance that strong encryption prevents law enforcement from performing their duties.


Binance’s ‘CZ’ Says Half Billion WhatsApp User Records For Sale On Dark Web

Nearly half a billion WhatsApp users’ mobile phone numbers are allegedly for sale on a dark web community forum, according to multiple sources, including Binance’s billionaire Changpeng “CZ” Zhao. 

“A new set of 487 million WhatsApp phone numbers for sales in the Dark Web,” CZ tweeted Sunday. He said a sample of hacked data “indicates the phone numbers are legit.”

CZ warned users on the Meta-owned platform that “threat actors downstream will use this data to conduct smishing (phishing messages) campaigns.” 

Cybernews initially confirmed the hack. They said: 

On November 16, an actor posted an ad on a well-known hacking community forum, claiming they were selling a 2022 database of 487 million WhatsApp user mobile numbers.

The dataset allegedly contains WhatsApp user data from 84 countries. Threat actor claims there are over 32 million US user records included.

Another huge chunk of phone numbers belongs to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million).

The dataset for sale also allegedly has nearly 10 million Russian and over 11 million UK citizens’ phone numbers.

The threat actor told Cybernews they were selling the US dataset for $7,000, the UK – $2,500, and Germany – $2,000.

Cybernews also posted a screenshot of the seller’s post on the forum featuring the total number of phone numbers per country. 


The UK plots to ban private messaging

UK’s media regulator Ofcom will get more surveillance powers than spy agencies under the Online Safety Bill, according to a legal analysis by the Index on Censorship organization.

The legislation would allow Ofcom to force tech companies to clamp down on “child abuse” and “terrorist content” by ending end-to-end encrypted messaging platforms like WhatsApp, Signal, Telegram, and Facebook Messenger and force all communications to be scanned.

Human rights lawyer Matthew Ryder, in a legal opinion commissioned by Index on Censorship, said that the powers that Ofcom would be afforded by the bill “allow the state to compel [tech companies] to carry out surveillance of the content of communications on a generalized and widespread basis.”

The regulator would not need prior authorization before making a demand to a tech company to scan messages and there would be no independent oversight over how the regulator uses its powers.

Ryder added: “We are unable to envisage circumstances where such a destructive step in the security of global online communications for billions of users could be justified.”

Communications by journalists, whistleblowers, and victims would no longer be safe. Additionally, it is not clear if Ofcom would make public the demands it issues or whether it would keep them secret.


New Zealand spy agency uses ‘computer network exploitation’ to take digital information

One of the country’s two spy agencies has revealed it retrieves information directly from where it is stored or processed on computers.

The “computer network exploitation” operations have been a highly-classified secret at the GCSB until now.

US commentators refer to computer network exploitation as a form of cyber warfare, or the “theft of data”.

“Our legislation … allows us to access information infrastructures, which is more than just interception,” the Director-General of the Government Communications Security Bureau, Andrew Hampton, said.

It “also allows us to retrieve digital information directly from where it is stored or processed”.

The GCSB refers to this as “accessing information infrastructures”.

The spy watchdog, the Inspector-General of Intelligence and Security, Brendan Horsley, cited Hampton’s speech to the Institute of International Affairs in May, for making the revelation.

This had freed Horsley up to be able to assure the public that the exploitation operations were scrutinised, he said in his annual report released on Friday.

Previously, he had had to refer to “certain operations”.

“Although it was subject to oversight, it was not possible to provide any clear public assurance of this.”

In fact, he had conducted a review that found the compliance systems around CNE “to be generally effective and appropriate”.

However, he was still not allowed to go into details “on the bureau’s use of this important capability”.


UN pushes COP27 app that has ability to spy on private conversations and access encrypted texts

Security advisers from Western countries are warning delegates attending the COP27 climate summit not to download the Egyptian government’s official app. The app is supposed to help attendees of the event with navigation but has major privacy concerns – allowing the app to be used as a surveillance tool.

The app is recommended on the official UN website for the COP27.

POLITICO says a potential vulnerability was found by four different cybersecurity experts that reviewed it. The news outlet claims that the app can allow the Egyptian government to read users’ messages, emails, and even communications via encrypted messaging platforms like Signal and WhatsApp.

The app can track location through GPS and WiFi. It also requires a permission that could allow the government to spy on conversations even when the device is in sleep mode.

The app also gives the government back-door privileges to scan users’ devices.

Some experts said much of the access and data the app gets are fairly standard. Additionally, so far, there is no evidence that people’s messages and emails have been read or users’ location tracked.

The main problem is the combination of the access it has and the Egyptian government’s record with tracking. According to Privacy International, following the Arab Spring, the Egyptian government has cracked down on dissidents and used emergency rules to track citizens both online and offline.


Australia’s Commonwealth Bank begins tracking transactions, links it to carbon footprint

Australia’s Commonwealth Bank (CBA) has added a new feature to its online banking software that tells customers their carbon footprint based on monthly spending. The move follows a partnership between the bank and CoGo, a company that provides carbon footprint management solutions.

According to the bank, the national average of carbon emitted is 1,280 kilograms, while a sustainable figure is 200. The bank has provided the option to “pay a fee” to offset the carbon footprint.

CBA said it does not share data with CoGo. It added that eventually the data will be broken down into each individual transaction.

The bank calculates a person’s carbon footprint based on the transactions using their credit or debit cards.


Google Employees Are Laughing at You for Thinking ‘Incognito Mode’ Is Private

According to a series of internal communications discovered in court, Google employees joked about Chrome’s “Incognito mode” and criticized the company for failing to meet users’ expectations of privacy.

Google is currently the target of a class action lawsuit in California over its misleading claims of privacy.

Court documents obtained by Bloomberg reveal that a Google engineer suggested in 2018 that the Incognito mode icon be changed to “Guy Incognito,” a Simpsons character who looks exactly like Homer Simpson except for his mustache. According to the Google employee, the character “accurately conveys the level of privacy [Incognito mode] provides” compared to Chrome’s standard browsing mode.

In a 2021 email, Google marketing chief Lorraine Twohill urged the implementation of a more secure Incognito mode as a means of gaining users’ trust.

“Make Incognito Mode truly private,” Twohill wrote. “We are limited in how strongly we can market Incognito because it’s not truly private, thus requiring really fuzzy, hedging language that is almost more damaging.”

Studies have shown that the language used by Google contributes to the misconception that “Incognito mode” is truly private.

“We found that browsers’ disclosures fail to correct the majority of the misconceptions we tested,” researchers at the University of Chicago and Leibniz University Hannover wrote in 2019. “These misconceptions included beliefs that private browsing mode would prevent geolocation, advertisements, viruses, and tracking by both the websites visited and the network provider.”
