New Windows 10 Update Re-Enables Data Collection Disabled by Third-Party Software

Anecdotal evidence suggests that Microsoft’s November update for Windows 10 has re-enabled all data collection features that may have been disabled by the user via third-party software. Many Windows 10 users, while enjoying the new operating system, are not best pleased at Microsoft’s draconian approach to metadata collection, and so have been using third-party software such as DisableWinTracking or DoNotSpy10.

Members of the r/PCMasterRace subreddit, however, have reported that since the Windows 10 November Update, which effectively reinstalls the operating system on a computer, those who had previously disabled tracking features have had their settings reset to the defaults.

While some are accusing Microsoft of using the update to deliberately turn the data tracking settings of Windows 10 back on, it makes sense that what effectively amounts to a fresh Windows install would return some settings to their default.

“The November (Fall) Update literally reinstalls the entire operating system, which is why program defaults and a lot more end up reverting and disabled things may come back. I honestly hope they improve this upgrade system for the next big update because this has seriously caused a lot of people some trouble,” posted Puremin0rez.

Anyone using third-party software to disable Windows 10’s tracking features should check to see if their settings have been changed following the November update and adjust accordingly.
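One way to do that check is to read the settings back directly rather than trusting the third-party tool’s last-known state. The script below is an added example, not code from the article or from DisableWinTracking or DoNotSpy10; it assumes that the `AllowTelemetry` policy value and the `DiagTrack` service are the data-collection settings a user cares about (the tools named above may change other things as well), and it only reports, never changes, anything.

```powershell
# Added example (not from the article or from DisableWinTracking/DoNotSpy10).
# Re-check a few Windows 10 data-collection settings after a feature update.
# Assumption: AllowTelemetry (0 = Security ... 3 = Full) and the DiagTrack
# service are the settings of interest; the tools named in the article may
# touch other settings that this script does not look at.

$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
)

function Get-TelemetryLevel {
    # Return the first AllowTelemetry policy value found, or $null if none is set.
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.AllowTelemetry }
    }
    return $null   # no policy value: Windows falls back to its built-in default
}

$level = Get-TelemetryLevel
if ($null -eq $level) {
    Write-Warning 'AllowTelemetry policy value is missing: the update may have reset it.'
} else {
    "AllowTelemetry = $level"
}

# The Connected User Experiences and Telemetry service; a disabled start type
# is what a user who switched telemetry off would expect to still see.
$svc = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
if ($svc) {
    "DiagTrack: Status=$($svc.Status) StartType=$($svc.StartType)"
    if ($svc.StartType -ne 'Disabled') {
        Write-Warning 'DiagTrack service is enabled again.'
    }
}
```

Run it from an elevated PowerShell prompt before and after a feature update and compare the two outputs; any warning means a setting has drifted from what the user had chosen and should be re-applied with whichever tool they originally used.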

FBI Admits Use of Zero-Day Exploits and Stingrays

In a profile of Amy Hess, the FBI’s executive assistant director for science and technology and overseer of the bureau’s Operational Technology Division, written by the Washington Post in the wake of the San Bernardino shootings, Hess openly admitted to a number of techniques the FBI uses in order to track down criminals. Amongst the methods brought to light by reporter Ellen Nakashima are zero-day exploits, Stingrays and the OTD’s Remote Operations Unit of hacking technicians.

For those unaware, a Stingray is a type of “cell-site simulator” that imitates a cellular tower in order to collect communications data from mobile telephones within range, suspect and bystander alike. The tool has long been a closely kept secret of the FBI, which requires local law enforcement officers involved in its use to sign nondisclosure agreements. While Hess insisted that the FBI never imposed a gag on the police, she said the bureau wanted to keep the details of the device’s functionality shielded.

A zero-day exploit takes advantage of a flaw in a piece of software that is unknown to the software’s vendor and therefore unpatched. Such exploits can make it easier to break into a suspect’s PC or mobile device, but relying on them is unreliable, and so they are not a preferred method.

The real worry with these techniques is the privacy implications for the ordinary person. A Stingray’s captured data has to be sifted through in order to find the suspect’s data, meaning that everyone within range of the device potentially has their privacy violated. Holding on to known exploits instead of reporting them to the software developers for patching leaves every user of that software open to attack should the flaw be discovered by another unsavory party. Because of these implications, both techniques are seen as controversial by privacy advocates, and governments have often tried to distance themselves from discussion of their use. Now, in an unusual moment of transparency, the FBI has potentially put itself a little closer to the disc

IRS Used Stingray To Track 37 Phones

Digital security is an issue that is raised weekly, and it often seems to be at odds with digital privacy: security or privacy. The two collide whenever Stingrays are brought up, portable devices that mimic mobile phone towers. These devices can be used to intercept data such as phone calls and text messages, potentially leading the authorities to important information. The problem is that these devices act much like regular towers in that they can’t be aimed at a single handset: they collect everyone’s data in range, and the operator searches for what they are interested in afterwards. It seems the IRS (Internal Revenue Service) has been using one of these devices since 2011 and is looking at getting another.

IRS Director John Koskinen wrote an open letter to Oregon Senator Ron Wyden in the hope of answering some questions regarding the “cell-site simulator technology”. In the letter, he states that the IRS used the device in 11 federal grand jury cases, tracking a total of 37 cellular devices. The letter goes on to say that the IRS also used the Stingray (consistently referred to as a cell-site simulator) in four non-IRS cases, one federal and three at state level.

At the end of the letter, he notes that the Department of Justice now requires a warrant in order to use the technology, along with probable cause and certain other restrictions being met.

While it is nice to see agencies report this kind of information and take these steps to monitor information in a legal and controlled way, you have to wonder: if they were trying to monitor 37 phones, how many other phones did they intercept in total?

VTech Leak Contained Headshots of Kids and Chat Logs

Recently it came to light that VTech had been hacked, potentially revealing thousands of emails and usernames. The hacker has since revealed more about what the breach actually contained, with the new information emerging yesterday.

The data obtained in the hack contained around 4.8 million users’ details, but that is nothing compared to the rest of what the hacker was able to obtain. 200GB of images were downloaded from the server, containing photos of both the parents and the children behind the registered accounts, coupled with the chat logs between parents and children (some of which are recordings of conversations).

VTech suggests uploading the images so that it’s easier for parents and children to talk and interact through its services. The hacker provided Motherboard with 3,832 image files and at least one audio recording to prove that the data obtained was genuine and to show the scale of the risk from such an amount of data.

If that wasn’t bad enough, the photos, chats and recordings were often linked to usernames. That alone wouldn’t normally be a problem, but the usernames, addresses and emails were also revealed, and even the security questions and answers, meaning that resetting a victim’s password would have been an easy task.

VTech has suspended the service while it investigates. The hacker stated, “it makes me sick that I was able to get all this stuff”, and I think it’s fair to say that no matter what they do, VTech has a lot to answer for.

Pensioner Demands Compensation After Apple ‘Wiped Away His Life’

Whether you love or hate Apple, the turnaround times for replacing iPhone models are very impressive and I wish more companies adopted such a swift procedure. However, as with any customer service, there are situations which leave people very unsatisfied. For example, 68-year-old Deric White received text messages informing him of a hardware fault and decided to visit Apple’s store in London’s Regent Street to book a repair. According to The Sun newspaper, during the visit, Deric claims, staff members inspected the handset and said the problem was “sorted”. However, Deric was not best pleased when he found out that all his data had been erased. He said:

“It was only after staff fiddled around they asked if I’d backed my things up.”

“My wife was in tears and I started crying when I realised what had gone.”

“My life was saved on that phone. I lost my favourite video of a giant tortoise biting my hand on honeymoon in the Seychelles.”

Deric is seeking £5,000 in damages for the loss of photographs from his honeymoon plus 15 years of contacts. Apple strongly refutes the need for monetary compensation and said:

“The claimant has not demonstrated how he suffered any loss.”

The court case begins today and if Deric wins, he will use the funds to jet off on a second honeymoon.

Edward Snowden Explains Why he Supports Ad-Blockers

Edward Snowden, the whistleblower-turned-press freedom advocate exiled in Russia after leaking NSA documents that demonstrated the terrifying scope of its mass surveillance program, has publicly endorsed ad-blocking software and has encouraged every internet user to employ it.

Speaking to The Intercept’s Micah Lee, Snowden, responding to the question “Do you think people should use adblock software?”, said, “We’ve seen internet providers like Comcast, AT&T, or whoever it is, insert their own ads into your plaintext http connections. … As long as service providers are serving ads with active content that require the use of Javascript to display, that have some kind of active content like Flash embedded in it, anything that can be a vector for attack in your web browser — you should be actively trying to block these.”

“Because if the service provider is not working to protect the sanctity of the relationship between reader and publisher,” he added, “you have not just a right but a duty to take every effort to protect yourself in response.”

While there are ethical arguments against the use of ad-blockers – mainly that users of ad-blocking software are depriving site owners of revenue – it makes sense, purely from a security perspective, for Snowden to recommend ad-blocking for all: anything that could potentially provide a backdoor into your computer is a threat, much like the recent worrying revelation that advertisers are tracking users over multiple devices via inaudible sounds.

Image courtesy of The Guardian.

TalkTalk Boss Argues ‘Customers Think We’re Doing Right Thing After Attack’

The TalkTalk cyberattack raised serious security questions about the company’s ability to properly encrypt sensitive customer information. Despite the negative publicity and widespread outrage, TalkTalk chief executive Dido Harding claims that the:

“majority of customers support our approach”.

She also alluded to:

“Very early indications that customers think that we’re doing the right thing”.

“The cyber attack, while not wishing to diminish it, has been smaller than we thought,”

However, the response on Twitter is quite hostile and clearly shows how frustrated customers are:

https://twitter.com/HarringtonC0/status/664130728263839744

To be fair, Twitter isn’t the most accurate basis for judging mass opinion and usually revolves around the angry minority. However, in this case, I think TalkTalk’s arrogant management really is underestimating the scale of this problem and how damaging it’s been from a PR perspective. Harding weighed in on the company’s future and said the ISP is:

“very confident in the medium term future of TalkTalk”.

“Yesterday’s security might have been good enough but it’s not going to be good enough tomorrow,”

“I expect we will take security considerably more seriously than ever.”

I honestly think customers are struggling to take these promises seriously and there’s a great deal of apprehension regarding network security. The company claims many people decided not to cancel their contract. However, this might be because leaving their current contract leads to hefty fines. Additionally, a large proportion of TalkTalk’s audience doesn’t feel comfortable switching providers and needs the assistance of someone technically minded. Whatever the case, the cyberattack has dramatically altered people’s perceptions of TalkTalk and I can’t see that changing anytime soon.

Apple CEO Predicts ‘Dire Consequences’ For Privacy if Snooper’s Charter is Passed

The UK government’s Investigatory Powers Bill allows the police and officials to record each person’s web activity for a 12 month period. Additionally, internet service providers are required by law to assist the state and break through any encryption. Technically, this could make it illegal for Apple to sell its products in the UK due to its handset encryption methods. Apple’s CEO weighed in on the bill and told The Telegraph:

“We believe very strongly in end-to-end encryption and no back doors,”

“We don’t think people want us to read their messages. We don’t feel we have the right to read their emails.”

“Any back door is a back door for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a back door can have very dire consequences.”

Tim Cook also discussed the latest TalkTalk data breach and proclaimed:

“It’s not the case that encryption is a rare thing that only two or three rich companies own and you can regulate them in some way. Encryption is widely available. It may make someone feel good for a moment but it’s not really of benefit. If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.”

Consumers rightfully do not trust huge corporations or governments to keep their data secure. History shows us that breaches are commonplace, and the huge amount of sensitive data gathered under this bill could have catastrophic consequences. Furthermore, the voyeurism and police-state monitoring can only be described as disgraceful.

Schoolboy in TalkTalk Arrest Plans to Sue Newspapers Over Privacy Concerns

The TalkTalk data breach was allegedly masterminded by a 15-year-old schoolboy in County Antrim, which caused a great deal of embarrassment and raised questions about TalkTalk’s encryption. Senior staff at TalkTalk believed the DDoS attack to be the work of a cyber-criminal gang or a state-sponsored hack. Once the media had been told of the schoolboy’s arrest, various stories were published about his behaviour and secluded lifestyle. Some outlets even published a picture of the young boy, with his face slightly covered.

Given the nature of these stories, the schoolboy believes he has a legal case against them in regards to privacy intrusion. He intends to sue three leading newspapers: The Daily Telegraph, The Daily Mail and The Sun. Additionally, according to RTE News, the boy’s lawyers have commenced proceedings against Google and Twitter.

This is an interesting turn of events, as there is a legal case to be made for the misuse of private information. However, it’s unknown whether such a claim can succeed when a free press is reporting on a serious news story. The legal proceedings will begin next month and rest assured, we will keep you up to date with all the latest information.

Do you think the press breached this young boy’s privacy?

Full Scope of UK’s Worrying Surveillance Bill Revealed

The UK Home Secretary, Conservative MP Theresa May, has outlined the full scope of the proposed Investigatory Powers Bill. The bill, which has been teased by both May and UK Prime Minister David Cameron as a legal means by which police and intelligence services can bypass internet and telecommunication encryption and access the internet history of any UK citizen without judicial oversight, has confirmed the fears of many that the concept of privacy on the internet will become a thing of the past in the UK.

The new powers, as revealed by May in Parliament on Wednesday (4th November) and in draft form on the UK Government’s website [PDF], grant UK law enforcement agencies the ability to access and intercept a user’s internet data, which internet service providers will be required by law to store for up to 12 months, and place a legal obligation on companies to allow the UK Government backdoors by which to bypass encryption. The bill will, however, be powerless to ban end-to-end encryption, since such facilities are protected under European Union law.

The response to the bill outside the House of Commons has been almost uniformly negative, with many fearing that it marks an end to internet human rights in the UK, and that tech companies could pull out of the country over it:

https://twitter.com/jamesrbuk/status/661904968404873216

https://twitter.com/carlynyst/status/661895043490430976

A full summary of the Investigatory Powers Bill (via The Guardian):

  • Requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and other public bodies.
  • Makes explicit in law for the first time security services’ powers for the “bulk collection” of large volumes of personal communications data.
  • Makes explicit in law for the first time the powers of the security services and police to hack into and bug computers and phones. Places new legal obligation on companies to assist in these operations to bypass encryption.
  • New “double-lock” on ministerial authorisation of intercept warrants with a panel of seven judicial commissioners given power of veto. But exemptions allowed in “urgent cases” of up to five days.
  • Existing system of three oversight commissioners replaced with single investigatory powers commissioner who will be a senior judge.
  • Prime minister to be consulted in all cases involving interception of MPs’ communications. Safeguards on requests for communications data in other “sensitive professions” such as journalists to be written into law.
  • New Home Office figures show there were 517,236 authorisations in 2014 of requests for communications data from the police and other public bodies as a result of 267,373 applications. There were 2,765 interception warrants authorised by ministers in 2014.
  • In the case of interception warrants involving confidential information relating to sensitive professions such as journalists, doctors and lawyers, the protections to be used for privileged information have to be spelled out when the minister approves the warrant.
  • Bill includes similar protections in the use of powers to hack or bug the computers and phones of those in sensitive professions as well.
  • Internet and phone companies will be required to maintain “permanent capabilities” to intercept and collect the personal data passing over their networks. They will also be under a wider power to assist the security services and the police in the interests of national security.
  • Enforcement of obligations on overseas web and phone companies, including the US internet giants, in the courts will be limited to interception and targeted communications data requests. Bulk communications data requests, including internet connection records, will not be enforceable.

Image courtesy of WikiMedia.

Snapchat Defends Privacy Policy Changes

Photo sharing on social media websites has become extraordinarily popular due to the “selfie” craze as smartphone users try to capture the moment. Snapchat is one of the most popular choices and revolves around quick snapshots which vanish once the recipient has viewed the photo. That’s the theory though, and there have been concerns about Snapchat’s data policy. Only recently, the company decided to update its privacy policy and disclose their data retention in a more transparent way.

However, the terms caused a great deal of controversy and appeared to allow partners to intrusively access your data:

“…you also grant Snapchat and our business partners the unrestricted, worldwide, perpetual rights and license to use your name, likeness, and voice in any and all media and distribution channels…”

Kal Penn highlighted the privacy issues in the following tweet:

In light of this information, Snapchat has released a statement on its blog which reads:

“First off, we want to be crystal clear: The Snaps and Chats you send your friends remain as private today as they were before the update. Our Privacy Policy continues to say—as it did before—that those messages “are automatically deleted from our servers once we detect that they have been viewed or have expired.” Of course, a recipient can always screenshot or save your Snaps or Chats. But the important point is that Snapchat is not—and never has been—stockpiling your private Snaps or Chats. And because we continue to delete them from our servers as soon as they’re read, we could not—and do not—share them with advertisers or business partners.”

“It’s true that our Terms of Service grant us a broad license to use the content you create—a license that’s common to services like ours. We need that license when it comes to, for example, Snaps submitted to Live Stories, where we have to be able to show those Stories around the world—and even replay them or syndicate them (something we’ve said we could do in previous versions of our Terms and Privacy Policy). But we tried to be clear that the Privacy Policy and your own privacy settings within the app could restrict the scope of that license so that your personal communications continue to remain truly personal.”

Snapchat handled this entire situation quite badly especially when you consider how other companies have implemented similar policies and caused public outrage. Their PR team should have known better and conducted things in a more communicative way. Whatever the case, I’m not a Snapchat user, and some might feel the terms are enough to make them uninstall the app. However, I’m pretty sure, Snapchat’s target demographic isn’t majorly concerned about the updated policy.

Controversial CISA Cybersecurity Bill Passed by US Senate

The CISA bill that allows the US Government to collect personal data without a warrant has been voted in by the Senate by 74 votes to 21, and without amendments that would protect the privacy rights of US citizens. CISA, according to the Electronic Frontier Foundation, a vocal opponent of the bill, “is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities” and that its approval “reflects the misunderstanding many lawmakers have about technology and security.”

The bill was negotiated in secret, championed outside of the Senate by corporate lobbyists at the US Chamber of Commerce, with positive editorials popping up in the Wall Street Journal and the Washington Post, and gives US intelligence services the power to gather personal data – including names, addresses, credit card details, and even medical prescription records – from third parties at will.

While Facebook has been accused of quietly supporting CISA, many major tech companies oppose the bill. Wikimedia, Reddit, Salesforce, DropBox, and Apple have all spoken out against CISA. “We don’t support the current CISA proposal,” a statement from Apple last week reads. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”

While the final wording of the bill is still to be determined by a conference of the House of Representatives and the Senate, semantics will not be able to protect against the violations of freedom and privacy of US citizens that CISA will make legal.

Morrisons To Face Lawsuit Following Data Posted Online

This week has been a bad one for companies when it comes to personal information, with TalkTalk now facing lawsuits worth thousands (maybe even millions) of pounds after someone accessed its systems. This time, though, the story concerns something that happened a little longer ago, with almost 100,000 staff members’ details being posted online.

The lawsuit dates back to 2013, when the staff details first appeared on various file-sharing websites. The source of the post? Andrew Skelton, one of the company’s auditors, was responsible for posting the information online.

Skelton has since received an eight-year jail sentence for posting the details online, but the damage was done. With the details in the open the staff are now arguing that Morrisons should have done, and could have done, more to protect their data from being taken out and posted online.

Nick McAleenan, a data privacy lawyer representing the staff, stated that his clients believe the leak exposed them to the risk of identity theft and potential financial loss, all of which could have been prevented had the company done more.

With the size of the claim unannounced, and Morrisons denying it is responsible, it looks like yet another company could be facing financial trouble following the exposure of personal data online.

TalkTalk Could be Put Out of Business by Compensation Claims

UK ISP TalkTalk could potentially be put out of business by compensation claims following the recent hack that compromised unencrypted user data. While TalkTalk admitted that it was the victim of a cyberattack last Thursday (22nd October), and has since claimed that it was not as serious as first feared, there is evidence to suggest that the company not only knew about the hack a week before revealing it and tried to cover it up, but that customers had received fraudulent phone calls from parties that knew their personal information as early as 16th October.

According to the Daily Star, city lawyers are drawing up compensation claims on behalf of thousands of customers, to the tune of around £1,000 each, which could cost TalkTalk up to £75 million, with further cases sure to follow.

“This is the Great Train Robbery of the 21st Century,” former Met Police detective and private security adviser Adrian Culley said. “There is a potentially huge liability for TalkTalk. Compensation payments could put them out of business.”

Meanwhile, TalkTalk CEO Dido Harding has claimed that it was not “legally required” to encrypt user data. Talking to The Sunday Times (paywalled content via Ars Technica), Harding said, “[Our data] wasn’t encrypted, nor are you legally required to encrypt it. We have complied with all of our legal obligations in terms of storing of financial information.” Giving your customers the finger isn’t illegal, either, but both demonstrate contempt for consumers, as does “leaving the backdoor open” for hackers to exploit.

Image courtesy of The Drum.

Tim Cook Tells NSA That Good Guys Shouldn’t Get Backdoors

Apple CEO Tim Cook has spoken out against proposals for backdoors in encrypted systems for intelligence agencies to exploit. Speaking at the Wall Street Journal Digital Live technology conference in Laguna Beach, California, Cook spoke out in support of encryption and posited that any backdoor would never benefit just “the good guys”.

“You can’t have a back door in the software because you can’t have a back door that’s only for the good guys,” Cook told the event’s audience.

Cook’s speech occurred shortly after NSA Director Admiral Michael Rogers took to the stage to talk about encryption. Rogers, responding to a question regarding his previous statement – “strong encryption is in our nation’s best interest” – as to whether he supported impenetrable encryption, said “That’s not what I said, strong encryption is in our nation’s best interests,” adding, “Security, encryption: good. The ability to generate insights as to criminal behavior and threats to our nation’s security, also good.”

But Cook disputed the idea that privacy and national security were mutually exclusive, saying, “Nobody should have to decide privacy and security. We should be smart enough to do both,” branding any compromise of user privacy as a “cop-out.”

“Both of these things were essential parts of our Constitution. It didn’t say prioritize this one above all of these,” he said. “I mean, these guys were really smart folks and they held all of these things and said all of these are what it means to be an American,” Cook added. “It will become increasingly more important to more and more people over time as they realize that intimate parts of their lives are in the open and being used for all sorts of things.”

Image courtesy of Valery Marchive.

California’s Legal System Now Supports Digital Privacy

In recent years, there has been a big uproar courtesy of a certain reveal by a man named Edward Snowden regarding digital privacy. To be more precise, it was about the lengths that groups went to in order to avoid any legal requirements when it came to accessing and using your personal information. California’s Electronic Communications Privacy Act looks to be the first, and hopefully the first of many, to enforce a legal right to digital privacy.

Governor Jerry Brown signed the Act, taking it into full effect, and I have no doubt that a wide variety of people will be happy about it. The Electronic Communications Privacy Act states that any, I repeat, any state law enforcement agency or other investigative entity is required to have a warrant in order to obtain digital information (including information stored in the cloud, such as emails or text messages) and that they cannot ‘compel’ businesses to hand over this information without a warrant. It doesn’t end there, though: if they want to use your GPS to track you or even to search your phone, they will need a warrant for that too.

While not the first to set out in a legal document the requirement of a warrant for your data, or even your location, it is the first to cover things like metadata and device searches. Many hope that this could be the first of many such laws, with other states taking up their own versions of the Electronic Communications Privacy Act or pushing for these conditions to be applied on a national scale, affecting all agencies regardless of state.

Thank you Wired for the information.

Image courtesy of Falkvinge

How DuckDuckGo Makes a Profit Without Tracking Users

Gabriel Weinberg, founder and CEO of ‘ethical’ Google search engine rival DuckDuckGo, recently took part in an AMA (Ask Me Anything) for YCombinator’s Hacker News, during which he revealed that his business makes a healthy profit, while taking a cheeky swipe at Google’s user tracking.

Weinberg launched DuckDuckGo seven years ago through Hacker News (formerly known as Startup News), described as a hybrid search engine due to its use of a number of APIs and algorithms from other vendors.

“DuckDuckGo is actually profitable. It is a myth you need to track people to make money in web search,” Weinberg said. “Most of the money is still made without tracking people by showing you ads based on your keyword, i.e. type in ‘car’ and get a car ad.”

“These ads are lucrative because people have buying intent. All that tracking is for the rest of the internet without this search intent, and that’s why you’re tracked across the internet with these same ads.”

Weinberg later gave a glimpse into his plans for the future of his search engine, explaining, “There is a recent PEW study showing that 40% of people would prefer a no-tracking search experience. And yet a very small percentage of people have ever heard of DuckDuckGo. As a result, we think we have a lot of room to focus on making the product better and growing, and that is really our future plans in a nutshell.”

Thank you International Business Times for providing us with this information.

Wikipedia Founder Says There’s “No Excuse” Not to Use Encryption

Wikipedia founder Jimmy Wales, a major proponent of both freedom and privacy online, as evidenced by him filing a lawsuit against the NSA following the reveal of its mass surveillance program by whistleblower Edward Snowden, has declared that there is “no excuse” for not using internet encryption, whether that is providers arguing that it is cost-prohibitive, or UK Prime Minister David Cameron moaning that it makes spying on people harder.

During his keynote speech at the 2015 IP Expo Europe IT conference, Wales said, “There’s really no excuse to have any major web property that’s not secure.”

“There is a massive trend on the internet towards SSL—secure connections,” he said, citing figures from Sandvine that show nearly 30% of internet traffic was encrypted as of April 2015, which is expected to jump to 65% by 2016. “My expectation is that this is going to narrow; over the next couple of years, [unencrypted traffic] is going to end up being a five or six percent slice,” he said, adding, “All major traffic is going to be encrypted very, very soon.”

“It is not feasible in any sense of the word for the UK to ban end-to-end encryption,” Wales added, in a swipe against David Cameron. “Not only is it not feasible, it’s a completely moronic stupid thing to do.”

Thank you Vice for providing us with this information.

Microsoft Addresses Windows 10 Privacy Concerns by Pretending They Don’t Exist

Since the release of Windows 10 at the end of July this year, there’s been much frenzied concern – some hysterical, some justified – regarding the operating system’s approach to user privacy, but Microsoft has refused to directly comment on the issues, until now. Terry Myerson, Executive Vice President of the Windows and Devices Group, has this week paid lip service to user concerns over privacy in Windows 10, but has done so, bizarrely, by not mentioning them.

In the post, Myerson opens by assuring us that all the data it’s collecting from you is encrypted, which apparently makes it fine – failing to acknowledge that the act of collecting user data itself is one of the prevailing issues Windows 10 owners are concerned about – and that it facilitates Microsoft’s desire to provide a “delightful” Windows experience. See, it’s for our own good, not for their benefit:

“We aspire to deliver a delightful and personalized Windows experience to you, which benefits from knowing some things about you to customize your experience, such as knowing whether you are a Seattle Seahawks fan or Real Madrid fan, in order to give you updates on game scores or recommend apps you might enjoy – or remembering the common words you type in text messaging conversations to provide you convenient text completion suggestions.”

Myerson follows up with a cheap, “Hey, at least we’re not Google!” jab:

“Unlike some other platforms, no matter what privacy options you choose, neither Windows 10 nor any other Microsoft software scans the content of your email or other communications, or your files, in order to deliver targeted advertising to you.”

The blog post is little more than an echo chamber – setting its own agenda, then responding to it – and does little to address the genuine concerns of Windows 10 users. In fact, any explanation of exactly how Microsoft uses the data it collects is conspicuous by its absence.

Thank you TechDirt for providing us with this information.

Image courtesy of Windows Central.

One Plus 2 Equals Malware?

Well, yes, sort of. Before I am lambasted for a clickbait headline, let me explain. OnePlus 2 smartphones have been something of a revelation since their launch, from a repairable design to more than decent specs that place the phone comfortably within its price bracket. This all sounds exciting; the problem lies with the Chinese company’s marketing, which again relies on an invite-based purchase system for this incarnation.

This rather convoluted purchase arrangement has led to the widespread unavailability that has frustrated many consumers. Consumers are an interesting bunch: if a particular TV series or gadget is difficult to obtain, the next best thing is to locate it through alternative means, which is what many people did after hearing that KSP, Israel’s largest digital store, would in fact be selling the phone without an invite.

Great, many paying consumers thought; the only downside was the unfortunate realization that the phone also came bundled with malware. The problem manifested itself while using Google Chrome on the device: “Using said browser would automatically redirect to other sites with the word tracking in them or a site called global.mytracker, before giving permission to access the website requested”.

After further investigation, four potential threats were found after running AVG (yes, the same AVG that wants to sell your data). Honestly, you don’t know which is worse, considering that an antivirus which purports to safeguard your digital identity has itself been caught offering your browsing history to ad companies; kudos to John Williamson at eTeknix for analysing that story. It has also become apparent that users in the US are being screwed after purchasing this phone through an online retailer by the name of Gearbest.

The solution is a full operating system reinstall to banish the malware. The suspicion is that third-party outlets are injecting dodgy processes and apps into the phone, rather than an outright deception by the manufacturer, which has warned against purchasing the device through unofficial channels.

As a tech fan I find the relentless pursuit of nefarious attacks against consumers rather wearying; any individual should be able to have confidence in both the retailer and the product without fear of a virus or malware. If you’re interested in this smartphone, only buy from official channels and be wary of any deal that sounds too good to be true.

Thank you geektime for providing us with this information.

Image courtesy of frandroid

Tor Network Receives Anonymity Boost

The Tor network is commonly referred to as ‘The Dark Web’ and perceived as an encrypted space to exchange illegal goods or engage in unscrupulous activities. While this is true of a specific portion of Tor users, there are legitimate use cases as well. This viewpoint is shared by the Internet Assigned Numbers Authority (IANA), the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Engineering Task Force (IETF).

These three major internet regulators are publicly advocating the use of Tor in certain circumstances and have designated .onion as the domain for sites hosted on the Tor network. Additionally, .onion was described as a “Special-Use Domain”, which enhances its legitimacy. Richard Barnes, Mozilla’s security head for Firefox, told Motherboard:

“This enables the Tor .onion ecosystem to benefit from the same level of security you can get in the rest of the web,”

“It adds a layer of security on top.”

This also means that sites can be verified, showing who the real owner is, through SSL and TLS security certificates. Using Tor is a contentious issue, as many users feel it’s a mysterious and unknown portion of the internet. Governments have overstepped the mark and intruded on people’s privacy in the last couple of years; Tor could therefore bring about improved privacy and protect individuals’ data. There are, though, concerns about the type of individuals using ‘The Dark Web’, including drug smugglers and other criminals.

Thank you Motherboard for providing us with this information.

Facebook Is Sued (Again) This Time For Storing a Billion Face Prints

Facebook’s business model is a paradox for consumers who yearn for privacy yet share their selfies, intimate images and sometimes bizarre postings within its borders. How much privacy would you expect from a company built on making a substantial profit from your data? Facebook has decided to push the storage of your information even further and has subsequently been handed a class action complaint over consumer biometric retention.

So what, and who, has Facebook violated this time? According to the filed complaint, Facebook “has created, collected and stored over a billion ‘face templates’ (or ‘face prints’)”, which, ostensibly, are as uniquely identifiable as fingerprints. These have been gathered “from over a billion individuals, millions of whom reside in the State of Illinois”. It is alleged that by harvesting this sensitive data, Mark Zuckerberg is in violation of the state of Illinois Biometric Information Privacy Act (BIPA), which was passed by the state legislature in 2008.

Now for the punchline, as noted in the complaint, under BIPA a private entity such as Facebook is prohibited from obtaining or possessing an individual’s biometrics unless it achieves suitable consent, which is constituted by the following:

  • Informing that person in writing that biometric identifiers or information will be collected or stored
  • Informing that person in writing of the specific purpose and length of term for which such biometric identifiers or biometric information is being collected, stored and used
  • Receiving a written release from the person for the collection of his or her biometric identifiers or information
  • Publishing publicly available written retention schedules and guidelines for permanently destroying biometric identifiers and biometric information

The group of plaintiffs state that they have not and never have had a Facebook account, but their images were uploaded onto the site, which resulted in the creation of a biometric template that was then stored by Facebook.

It’s difficult to imagine the social networking giant complying with the current legal definitions of consent enshrined in law. If Facebook loses this case, it would effectively open the door to millions of possible claimants seeking damages for breaches of privacy. This stand-off is very much .com terms and conditions versus real-world laws and consequences. Facebook will no doubt argue that consumers shared this information voluntarily, regardless of who actually shared it, for the corporation to handle as it wishes. One thing is certain: the outcome could define the path of consumer protection in the face of large corporations’ growing will to collect more and more info.

Who owns your image once it’s uploaded onto Facebook or any other site?

Thank you theregister for providing us with this information.

Image courtesy of 1en

How to Stop Windows 7 and 8 From Spying on You

By now, the internet is saturated with articles advising Windows 10 users how to stop the new operating system from tracking and collecting their data, with many existing Windows 7 and 8.1 users breathing a sigh of relief that they rejected their free Windows 10 update. What many are unaware of, though, is that Microsoft has updated its user agreement to introduce exactly the same spying tools into the previous two Windows iterations.

The following four Windows Updates for Windows 7 and Windows 8.1 are responsible for turning your operating system into a user data collection conduit:

KB3068708 This update introduces the Diagnostics and Telemetry tracking service to existing devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

KB3022345 (replaced by KB3068708) This update introduces the Diagnostics and Telemetry tracking service to in-market devices. By applying this service, you can add benefits from the latest version of Windows to systems that have not yet been upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

KB3075249 This update adds telemetry points to the User Account Control (UAC) feature to collect information on elevations that come from low integrity levels.

KB3080149 This package updates the Diagnostics and Telemetry tracking service to existing devices. This service provides benefits from the latest version of Windows to systems that have not yet upgraded. The update also supports applications that are subscribed to Visual Studio Application Insights.

If you are a Windows 7 or 8.1 user that handles their Windows Updates manually, simply right-click on the offending updates in the list (Control Panel > Windows Update > Select updates to install) and click ‘Hide’. Don’t panic if the updates have already been installed, though, as you can still uninstall them. Navigate to Control Panel > Programs and Features > Installed Updates, find the relevant items under the Microsoft Windows sublist, right-click, and select Uninstall.

Alternatively, you can use an elevated command prompt to execute the following commands:

  • wusa /uninstall /kb:3068708 /quiet /norestart
  • wusa /uninstall /kb:3022345 /quiet /norestart
  • wusa /uninstall /kb:3075249 /quiet /norestart
  • wusa /uninstall /kb:3080149 /quiet /norestart
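The same procedure scripted, as an added example that is not part of the BGR article: it audits a Windows 7 or 8.1 host for the four KBs listed above, hides any that Windows Update is still offering (the scripted equivalent of right-click > Hide), and removes installed ones with the wusa command the article gives. It assumes an elevated PowerShell 3.0 or later prompt and uses only Get-HotFix, wusa.exe and the Windows Update Agent COM API (Microsoft.Update.Session).

```powershell
# Added example (not from the article): audit, hide and uninstall the four
# Windows 7 / 8.1 telemetry updates. Run from an elevated PowerShell prompt.

$TelemetryKBs = @('3068708', '3022345', '3075249', '3080149')

function Get-TelemetryUpdateStatus {
    # One object per KB, stating whether it is currently installed.
    foreach ($kb in $TelemetryKBs) {
        $hotfix = Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue
        $installedOn = $null
        if ($hotfix) { $installedOn = $hotfix.InstalledOn }
        [pscustomobject]@{
            KB          = "KB$kb"
            Installed   = [bool]$hotfix
            InstalledOn = $installedOn
        }
    }
}

function Hide-TelemetryUpdates {
    # Marks any of the four updates that are still pending as hidden so
    # Windows Update stops offering them (equivalent to 'Hide' in the GUI).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0")
    foreach ($update in $pending.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($TelemetryKBs -contains $id) {
                $update.IsHidden = $true
                Write-Output "Hidden: KB$id ($($update.Title))"
            }
        }
    }
}

function Uninstall-TelemetryUpdates {
    # Removes the installed ones with wusa, the command the article lists, and
    # reports each exit code so a failed removal is not silently missed.
    foreach ($entry in Get-TelemetryUpdateStatus | Where-Object Installed) {
        $kbNumber = $entry.KB -replace '^KB', ''
        $proc = Start-Process -FilePath wusa.exe `
            -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
            -Wait -PassThru
        # 0 = removed; 3010 = removed, reboot required to finish
        [pscustomobject]@{ KB = $entry.KB; ExitCode = $proc.ExitCode }
    }
}

# Audit first, hide what is still pending, then uninstall once you have
# reviewed the audit output (the last line is left commented for that reason).
Get-TelemetryUpdateStatus | Format-Table -AutoSize
Hide-TelemetryUpdates
# Uninstall-TelemetryUpdates
```

Re-run Get-TelemetryUpdateStatus after a reboot, since Windows Update can re-offer a hidden update when a superseding version appears.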

Thank you BGR for providing us with this information.

Windows 10 is Spying on Kids and Not Everyone is Happy About it

Windows 10 spies on its users. This is no secret. But did you know that it specifically spies on kids and sends parents a weekly report of their children’s computer history and internet browsing details? It’s one of the best-kept secrets contained within Microsoft’s new operating system, and that lack of disclosure alone is potentially damaging to vulnerable adolescents. In an ideal world, these weekly reports could be seen as a healthy precaution to monitor kids’ visits to potentially inappropriate sites. But we don’t live in an ideal world. We inhabit a planet in which bigots, bullies, and abusers punish children for being themselves.

Revealing the internet habits of a child to the wrong kind of parent could put that child at risk. That’s the argument put forward by members of the LGBTQ community, who are worried that confused kids looking for answers regarding their sexuality could have their support systems stripped away from them, and could be victimised if their search histories are revealed to unsympathetic parents.

The feature that sends reports on children’s computer history to parents was revealed anecdotally following reports from adult users surprised to see an itemised list of their kids’ browsing and activity.

Kirk sent the following e-mail to BoingBoing, expressing his surprise and concern over the Windows 10 spying feature:

“This weekend we upgraded my 14-year-old son’s laptop from Windows 8 to Windows 10. Today I got a creepy-ass email from Microsoft titled ‘Weekly activity report for [my kid]’, including which websites he’s visited, how many hours per day he’s used it, and how many minutes he used each of his favorite apps.

I don’t want this. I have no desire to spy on my boy. I fixed it by going into my Microsoft account’s website, hitting the “Family” section, then turning off “Email weekly reports to me” and “Activity reporting”.

OK, I admit that the timing might be coincidental but that would be one hell of a coincidence. I’ve never seen anything like this until we upgraded to Windows 10, and then I got the spy report the following business day.

A message to young readers: if you have Windows 10 now, your parents might be getting the same kind of report I did. Don’t assume your own computer has your back.”

Though Windows 8.1 has a similar feature, it is opt-in. It would be interesting to hear from Microsoft regarding its reasoning for changing permissions for Windows 10’s child monitoring feature to opt-out.

Thank you WCCF Tech for providing us with this information.

Windows 10 Data Policy is Optionally Coming to Older Operating Systems

The recently revised “Microsoft Services Agreement” has caused a great deal of controversy and could theoretically disable pirated games and unauthorized software. Additionally, there are concerns about Microsoft’s data policy in regards to monitoring user activity. It’s still unclear what the true extent of these updated terms is, but some users have reverted to older operating systems due to privacy concerns. However, Microsoft is now implementing updates in Windows 7, 8 and 8.1 which report information back to Microsoft’s servers. The updates in question are KB3075249 and KB3080149, described as follows:

KB3075249 “Update that adds telemetry points to consent.exe in Windows 8.1 and Windows 7”

KB3080149 “This update aligns down-level devices on the same UTC binary that’s released in Windows 10. This update would enable all the down-level devices to receive the software updates, design updates, and additional power and performance tuning.”

Once updated, your PC will share data in a similar vein to Windows 10. Whether you’re happy with this or not is all down to user preference. You could argue that there is no privacy online, and that Microsoft requires this information to customize apps such as Cortana to your needs. On the other hand, other users will feel aggrieved by this intrusive data sharing and have dismissed Windows 10 for this very reason. Most importantly, the updates are optional and Windows cannot, under any circumstances, apply the updates automatically. Although, this could change in the future.

If Microsoft do make this an integral system update, you can always disable Windows Update.

Are you concerned with the new Microsoft Services Agreement or feel people are being overly paranoid?

Thank you TechWorm for providing us with this information. 

UN Expert Calls UK Surveillance “Worse Than 1984”

The new Special Rapporteur on Privacy for the United Nations, Joseph Cannataci, has branded the UK surveillance state “a rather bad joke at its citizens’ expense” that is “worse” than the dystopian vision of the future from George Orwell’s 1984. An obvious point of reference, to the point of cliché, but still sadly apposite.

“At least Winston [from Orwell’s 1984] was able to go out in the countryside and go under a tree and expect there wouldn’t be any screen, as it was called,” Cannataci lamented. “Whereas today there are many parts of the English countryside where there are more cameras than George Orwell could ever have imagined. So the situation in some cases is far worse already.”

Cannataci’s fear extends beyond an invasion of privacy, complaining that the commercialisation of user data is just as insidious as state surveillance. “They just went out and created a model where people’s data has become the new currency,” he said. “And unfortunately, the vast bulk of people sign their rights away without knowing or thinking too much about it,” Cannataci told The Guardian.

The UN’s new privacy chief believes the only way to tackle flagrant invasion of privacy is with a Geneva convention-style law to protect against unwarranted digital surveillance, and keep both governments and corporations in line.

“We have a number of corporations that have set up a business model that is bringing in hundreds of thousands of millions of euros and dollars every year and they didn’t ask anybody’s permission. They didn’t go out and say: ‘Oh, we’d like to have a licensing law.’ No, they just went out and created a model where people’s data has become the new currency. And unfortunately, the vast bulk of people sign their rights away without knowing or thinking too much about it,” he said.

Thank you The Guardian for providing us with this information.

Microsoft is Keeping its Windows 10 Updates Secret

Microsoft has refused to reveal the content of its Windows 10 updates, unless the revisions to its operating system are what it deems “significant”. Microsoft was asked by The Register to clarify its policy following the new cumulative update for Windows 10, the details of which are unclear. In a statement, Microsoft refused to reveal the contents of the update, saying only that it offered “improvements to enhance the functionality of Windows 10.”

Regarding its overall policy to Windows 10 updates, the Microsoft spokesperson said, “As we have done in the past, we post KB articles relevant to most updates which we’ll deliver with Windows as a service. Depending on the significance of the update and if it is bringing new functionality to Windows customers, we may choose to do additional promotion of new features as we deploy them.”

Microsoft’s decision to keep the contents of its Windows updates a secret is a legitimate security concern. If the company is, say, patching vulnerabilities in the operating system, it is in the user’s interests for any potential security holes to be disclosed; if the security guard left the back door open, we need to be told. Or maybe Microsoft is rolling out more ways in which it can collect user data for itself. Either way, keeping the content of Windows 10 updates a secret is never a good thing for the user.

Thank you The Register for providing us with this information.

Image courtesy of ITPro.