May 17, 2012

Yahoo’s Privacy Chief Moves to Google

(LiveHacking.Com) - Yahoo’s chief trust officer Anne Toth has joined Google as head of privacy for Google+. Although Google already has a privacy chief, it needs as much help as it can get in forming its privacy policies after it agreed earlier this year to undergo regular privacy audits for the next 20 years.

The deal, which was struck with the US Federal Trade Commission, came in the aftermath of Google’s failed Buzz social network which Google incorporated into Gmail without seeking the permission of its users. In the deal Google must hire an outside auditor to conduct an independent review of its privacy policies every two years and obtain users’ permission before altering how it shares user information with third parties.

Anne announced her move on Google+ on Friday:

Excited to be joining Google and the Google+ team next week. Today I’m enjoying my one, solitary day of unemployment. I love everyone who told me to take time off between jobs but I’m too Type A for my own good.

During her tenure at Yahoo!, Anne tried to embed privacy as part of the culture and headed a “privacy by design” approach to developing new products and features.

Will the Kindle Fire be Safe for Web Browsing?

(LiveHacking.Com) - Amazon has just announced its new 7-inch Android-based tablet, which includes what Amazon are calling “Revolutionary Cloud-Accelerated” web browsing. Amazon Silk, as it is known, splits web browsing into two domains – the things that run on the tablet and the things that run on the Amazon Elastic Compute Cloud (Amazon EC2).

As some of the world’s top web sites are hosted on EC2, Amazon say that web surfing will be faster as “many web requests will never leave the extended infrastructure of AWS, reducing transit times to only a few milliseconds.”

However, the real worry is that with Silk all fetching, and probably some form of optimization and compression, will be performed in the cloud and the result sent to the Kindle. Amazon explain it like this:

Silk uses the power and speed of the EC2 server fleet to retrieve all of the components of a website simultaneously, and delivers them to Kindle Fire in a single, fast stream. Transferring computing-intensive tasks to EC2 helps to conserve your Kindle Fire battery life.

To do all this Amazon needs to keep a record of what web sites you have been using. The FAQ explains it like this:

Amazon Silk optimizes and accelerates the delivery of web content by using Amazon’s cloud computing services.  To do this, the content of web pages you visit using Amazon Silk may be cached to improve performance and certain web address information will be collected to help troubleshoot and diagnose Amazon Silk technical issues.

So what about secure connections like https:

We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com). Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

A look in the terms and conditions reveals that Amazon will keep a log of your websites for “generally” no more than 30 days:

Amazon Silk also temporarily logs web addresses – known as uniform resource locators (“URLs”) – for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues. We generally do not keep this information for longer than 30 days.

Obviously the privacy implications are enormous. It is very likely that a court order can be issued to Amazon to hand over the details of all your browsing.

There is one good bit of news however:

You can also choose to operate Amazon Silk in basic or “off-cloud” mode.  Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers.  As such, it does not take advantage of Amazon’s cloud computing services to speed-up web content delivery.

Facebook Change Privacy Controls – Again

(LiveHacking.Com) - Facebook, the popular social media network, has redesigned its privacy controls, allowing users to manage the sharing settings for each and every item posted online. Facebook has often been criticized over its security and privacy policies, especially since it has more than 750 million active users who are posting details, often personal ones, to the site.

According to the blog post one of the most common privacy complaints was that users were unsure who could see their postings and that these settings could be clearer across the whole Facebook site.

To make the system more straightforward, Facebook are moving most of the privacy controls from the settings page to right next to the posts, photos and tags they affect.

Other changes include:

  • In line controls - each item on a user’s wall has individual privacy options, such as public, friends and custom
  • Tag takedown - the ability to remove tags of self, ask the person who tagged you to remove it, or block the tagger
  • Universal tagging - users can tag anyone, not just Facebook friends. The other person can choose not to accept the tagged post on their profile
  • Location tagging - geographic locations can be added in all versions of Facebook, not just the mobile app
  • Profile view - the option to see how others view your profile is added above the news feed

The new privacy options will begin to be rolled out across the site from Thursday 25 August.

Apple Releases iOS 4.3.3 to Fix Locationgate Bugs

iOS 4.3.3 has been released to fix the so-called Locationgate tracking bugs that have caused Apple so much recent controversy. This update fixes the bugs which caused iPhones to store up to a year’s worth of cell tower information, which is then synced with iTunes.

A few weeks ago Alasdair Allan and Pete Warden released a proof-of-concept application for Mac OS X that demonstrates how the iPhone is tracking its location.

Apple responded with a press release saying that the iPhone is not logging its location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers to help the phone rapidly and accurately calculate its location when requested. In other words a cache. They also promised a software update which is what has been released today.

The update contains changes to how iOS manages this crowd-sourced location database cache. Specifically the update:

  • Reduces the size of the cache
  • No longer backs up the cache to iTunes
  • Deletes the cache entirely when location services is turned off

Apple to Issue Software Update to Clear Cell Tower Cache

In the continuing controversy, now dubbed Locationgate, about iPhones storing up to a year’s worth of cell tower information and syncing this with iTunes, Apple has now issued a press release to try and clarify the situation. In summary, Apple is saying that the iPhone is not logging its location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers to help the phone rapidly and accurately calculate its location when requested. In other words a cache.

The press release also deals with why this cache contains entries for more than a year. Apple’s answer: “the reason the iPhone stores so much data is a bug.” According to ZDNet, Scott Forstall (the senior vice president of iOS Software) has revealed that the problem is actually the size of the cache and not explicitly how long it holds entries for: “we picked a size, around 2MB, which is less than half a song. It turns out it was fairly large and could hold items for a long time.”

OK, but when a user turns off Location Services, why does the iPhone sometimes continue updating its Wi-Fi and cell tower data?  Apple says, “It shouldn’t. This is a bug, which we plan to fix shortly.”

Apple’s argument is that it is legitimate to store cell tower information on a short-term basis on the phone, but because of bugs in iOS too much data is being stored. Apple is promising an update to iOS in the near future which will:

  • reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
  • cease backing up this cache, and
  • delete this cache entirely when Location Services is turned off.

Apple is also promising that in the next major iOS software release (4.4? 5.0?) the cache will also be encrypted on the iPhone.

So is this the end of Locationgate? Please comment below.

 

Your iPhone is Watching You! New Proof-of-Concept App Shows How Your iPhone is Tracking Your Every Movement

Alasdair Allan and Pete Warden have released a new proof-of-concept application for Mac OS X that demonstrates that your iPhone is tracking your movements and recording the information. We have tested the application and it is 100% true, Apple are watching you!

Since the release of iOS 4.0 the iPhone has started storing cell-phone tower information and this information is copied to your Mac or PC when you sync your phone with iTunes. The application that Alasdair and Pete have released searches through your old sync data on your Mac and finds this cell-phone tower information and then displays it on a map, courtesy of OpenStreetMap.

How bad is this?

  • Other applications on your Mac can access this data.
  • Apple shouldn’t be collecting this information. Mobile phone operators collect tower information as part of their operations but it is private and it normally requires a court order to gain access to it. Your iPhone tower information is available to anyone who can get their hands on your phone or computer.
  • By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.
  • If you sell or exchange your iPhone the tower data might still be on the phone. My iPhone is second-hand and I have discovered that I now have a map of the movements of its previous owner going back to October 2010.

Was it right for Allan and Warden to release this app? They mention this on their site:

We did hesitate over the right thing to do in this case, but when it became clear that “Individuals familiar with iPhone forensic analysis will be quite familiar” with it, as Ryan Neal puts it and that at least one other person had tried to alert the public but apparently failed to make it clear what was going on, a demonstration application seemed the lesser evil.

Note: The application available from the iPhone Tracker site is for 64-bit Macs. If you have an early Intel Mac it is 32-bit only. I have built a 32-bit version here.

Are you worried about this? Please leave a comment below.

Advertisers Know Your Unique Device Identifiers

Apple has been named in a class-action lawsuit alleging that the company allows iOS applications to provide advertisers with sensitive private user information, according to CNN.

CNN reports that two separate class-action lawsuits filed last week in federal court allege that Apple and as many as eight makers of popular applications for the iPhone facilitated the sharing of private information about their customers with advertisers.

Apparently, the complaint goes on to allege that iOS devices’ Unique Device Identifiers (UDIDs) are used to track the users. The lawsuits together target: Dictionary.com, the Weather Channel, internet radio service Pandora, the messaging app textPlus 4, as well as the makers of entertainment or game apps Talking Tom Cat, Paper Toss, Pumpkin Maker and Pimple Popper Lite.