Privacy Roundup #0116 • March 2016
March 2016 was dominated by the Apple versus FBI encryption fight, a wave of payroll phishing and healthcare breaches, and fresh moves by regulators and courts to rein in surveillance.
1. FBI director and Apple clash over encryption before Congress
On 1 March, FBI director James Comey told the House Judiciary Committee that strong encryption was creating warrant-proof devices. Apple's general counsel sat in the same hearing and argued that forcing the company to weaken iOS would set a dangerous precedent.
2. The FBI unlocks the San Bernardino iPhone and drops its case
On 28 March, the FBI said it had unlocked the shooter's iPhone with the help of an unnamed third party. The Justice Department then withdrew its demand that Apple build a tool to bypass the phone's security.
3. Verizon pays to settle the FCC supercookie investigation
On 7 March, the FCC announced a 1.35 million dollar settlement with Verizon Wireless over hidden tracking headers known as supercookies. Verizon agreed to obtain opt-in consent before sharing the identifiers with advertisers.
4. The FCC proposes privacy rules for broadband providers
On 31 March, the FCC voted to propose rules requiring internet service providers to seek consent before using or sharing customer data. The plan rested on the principles of choice, transparency and security.
5. EFF says the Privacy Shield is riddled with surveillance holes
On 3 March, the EFF published a critique of the new EU-US Privacy Shield framework for transatlantic data transfers. It argued that the deal still allowed mass surveillance of Europeans and offered them no effective remedy.
6. DROWN attack exposes a third of all HTTPS sites
On 1 March, researchers disclosed DROWN, a cross-protocol attack that uses obsolete SSLv2 support to break modern TLS connections. They estimated that roughly a third of all HTTPS servers were vulnerable.
7. Seagate hands over every employee W-2 in a phishing scam
On 1 March, a Seagate employee sent the 2015 W-2 tax records of current and former US staff to a scammer posing as the chief executive. The exposed data included names, salaries and social security numbers, fuelling tax-refund fraud.
8. Snapchat loses payroll data to a CEO impersonation email
In early March, Snapchat disclosed that an employee had been tricked by an email impersonating the chief executive. The worker sent payroll details, including names and social security numbers, for around 700 staff.
9. 21st Century Oncology tells 2.2 million patients of a breach
On 4 March, the cancer-care provider disclosed that an intruder had accessed a database holding patient records. The exposed information included names, social security numbers, diagnoses and insurance details for about 2.2 million people.
10. Home Depot settles its data breach lawsuit for 19.5 million dollars
On 9 March, Home Depot agreed to pay 19.5 million dollars to settle claims from its 2014 payment card breach. The deal funded reimbursements, identity protection and a commitment to hire a chief information security officer.
11. Ransomware cripples the MedStar Health hospital network
On 28 March, MedStar Health shut down its computer systems after malware infected its network. The ten-hospital chain reverted to paper records, and staff reported a ransom demand to be paid in bitcoin.
12. Microsoft apologises after the Tay chatbot turns abusive
On 25 March, Microsoft pulled its Tay chatbot from Twitter after users taught it to post racist and offensive messages within a day. The company apologised and admitted it had failed to anticipate the coordinated attack.
13. Philippine election database breached, exposing millions of voters
On 27 March, hackers defaced the website of the Philippine Commission on Elections and a second group leaked its voter database. The records covered tens of millions of registered voters, including fingerprints and passport details.
14. Maryland court rules police need a warrant for stingrays
On 31 March, a Maryland appellate court held that police violated the Fourth Amendment by using a cell-site simulator without a warrant. The ruling also rebuked officers for concealing the device behind nondisclosure agreements.
15. Reddit quietly removes its warrant canary
At the end of March, Reddit deleted a line from its transparency report stating it had never received a national security letter. The silent removal strongly suggested the company had received a secret surveillance order it could not disclose.
16. Schneier warns of a possible government demand for a WhatsApp backdoor
On 15 March, Bruce Schneier wrote about reports that the FBI might press WhatsApp over encrypted messages it could not read. He noted that this would require building a new vulnerability rather than exploiting an existing one.
17. EFF opposes a flawed Georgia license plate reader bill
On 23 March, the EFF criticised a Georgia bill meant to regulate automated license plate readers. It argued the measure failed to protect the location data of ordinary drivers, and the bill died by the legislative deadline.
18. Crooks steal and sell Verizon Enterprise customer data
In late March, a database holding contact details for around 1.5 million Verizon Enterprise customers appeared for sale on a cybercrime forum. Verizon confirmed it had patched a flaw in its client portal that exposed the information.
19. UK Investigatory Powers Bill clears its second reading
On 15 March, the UK House of Commons passed the Investigatory Powers Bill at its second reading, with opposition parties abstaining. Privacy International called the vote a missed opportunity to curb sweeping new surveillance powers.
→ www.privacyinternational.org
20. Amazon reverses course on Fire device encryption
In early March, users discovered that Amazon had removed local device encryption from its Fire OS software. After a public backlash amid the Apple encryption fight, Amazon said it would restore the option in a future update.