Privacy Roundup #0117 • April 2016

April 2016 was the month encryption went mainstream and lawmakers pushed back, as WhatsApp and Viber locked down a billion chats, Europe adopted the GDPR, and giant leaks from Panama to the Philippines laid bare how poorly personal data was guarded.

1. Reddit removed its warrant canary, hinting at a secret surveillance order

Reddit quietly deleted the line in its transparency report stating that it had never received a national security letter, the classic signal that one had now arrived. Chief executive Steve Huffman said he had been advised not to comment either way, which only strengthened the inference.

fortune.com

2. The FCC proposed opt-in privacy rules for broadband providers

The Federal Communications Commission released proposed rules that would force internet service providers to obtain explicit consent before using or sharing most customer data. Chairman Tom Wheeler argued that providers deserve stricter oversight because they see all of a subscriber's unencrypted traffic.

techcrunch.com

3. The Panama Papers exposed the offshore secrets of the rich and powerful

A leak of 11.5 million files from the law firm Mossack Fonseca revealed how politicians, celebrities and criminals hid wealth offshore. More than a hundred news organisations published the first stories on 3 April, naming twelve national leaders among the firm's clients.

www.icij.org

4. Italy revoked Hacking Team's global export licence

Italian authorities cancelled the blanket licence that had let the surveillance vendor Hacking Team ship its Galileo spyware to forty-six countries. The firm would now have to seek country-by-country permission, a sharp constraint following the 2015 breach that exposed its dealings with repressive governments.

www.theregister.com

5. WhatsApp turned on end-to-end encryption for over a billion users

WhatsApp finished rolling out default end-to-end encryption built on the Signal protocol, covering messages, calls, group chats and attachments. The change meant the company itself could no longer read user communications or hand them to authorities in plain form.

www.eff.org

6. Personal records of nearly 50 million Turkish citizens leaked online

A 6.6GB database holding names, national identity numbers, addresses and birth dates for roughly 49.6 million Turkish citizens appeared on a foreign-hosted site. The Associated Press partially verified the data, which covered about two-thirds of the country's population, including the president.

www.euronews.com

7. The Philippine election commission lost data on 55 million voters

Hacktivists defaced the COMELEC website and then published its entire voter database online, exposing fingerprints, passport numbers and other records. Security researchers called it one of the largest government data breaches ever recorded.

www.theregister.com

8. The Justice Department kept pressing Apple over a Brooklyn iPhone

Having abandoned the San Bernardino case, the government said it would continue forcing Apple to help unlock an iPhone 5s tied to a Brooklyn drug investigation. The dispute again tested whether the All Writs Act could compel a company to defeat its own security.

appleinsider.com

9. Senators Burr and Feinstein released a bill to outlaw unbreakable encryption

The draft Compliance with Court Orders Act would require companies to hand over readable data or provide the technical means to do so when served a court order. Technologists and several lawmakers condemned it, and Senator Ron Wyden vowed to filibuster.

techcrunch.com

10. The Article 29 Working Party rejected the draft EU-US Privacy Shield

Europe's data protection regulators issued a critical opinion warning that the Privacy Shield draft did not adequately protect transferred data. They flagged weak limits on data retention, bulk surveillance and the independence of the proposed ombudsperson.

csmonitor.com

11. The European Parliament adopted the General Data Protection Regulation

Parliament gave final approval to the GDPR on 14 April, completing four years of negotiation over Europe's data protection overhaul. The regulation would take effect across the bloc two years later, in May 2018.

techcrunch.com

12. Microsoft sued the Justice Department over secret data-search gag orders

Microsoft challenged provisions of the Electronic Communications Privacy Act that let the government bar it from telling customers their cloud data had been searched. The company said it had received thousands of demands, nearly half carrying indefinite gag orders.

techcrunch.com

13. Canadian police were found to hold BlackBerry's global decryption key

Reporting revealed that the Royal Canadian Mounted Police had used BlackBerry's global encryption key to intercept and decrypt over a million BBM messages. The disclosure raised hard questions about how the force obtained a key that protected consumer handsets worldwide.

www.engadget.com

14. The man behind Maryland's Stingray ruling sued Baltimore police

Kerron Andrews, whose case produced a landmark ruling that warrantless cell-site simulator use was unconstitutional, filed a civil suit against Baltimore police. He sought damages and an injunction against the covert tracking that had helped detain him for nearly two years.

thedailyrecord.com

15. Viber added end-to-end encryption for its 700 million users

The messaging app Viber switched on end-to-end encryption for chats and calls, following the lead set by WhatsApp days earlier. Researchers criticised the lack of published technical documentation, and the company promised external audits would follow.

techcrunch.com

16. A huge Qatar National Bank leak exposed customer accounts in plain text

A 1.4GB trove from Qatar National Bank surfaced on Cryptome, holding payment card numbers, passwords and account details stored without encryption. The dump also flagged records linked to the royal family, Al Jazeera staff and intelligence agencies.

www.helpnetsecurity.com

17. Verizon's annual breach report found attackers exploiting human nature

Verizon published its 2016 Data Breach Investigations Report, drawing on more than 2,260 confirmed breaches and tens of thousands of incidents. It found that phishing remained devastatingly effective and that attackers compromised systems within minutes in most cases.

www.prnewswire.com

18. A Minecraft community breach exposed seven million Lifeboat accounts

The Minecraft server community Lifeboat was found to have lost about seven million accounts with email addresses and weakly hashed passwords. The company had quietly reset passwords months earlier without telling affected players that their data had been stolen.

www.helpnetsecurity.com

19. The Supreme Court approved Rule 41 changes expanding government hacking

The Supreme Court signed off on amendments to Rule 41 that let judges authorise remote searches of computers whose location is hidden, even outside their own districts. Critics warned a single warrant could now reach thousands of machines, many belonging to victims.

www.engadget.com

20. The FBI admitted paying more than a million dollars for an iPhone hack

Director James Comey indicated that the bureau had paid over a million dollars to a third party to break into the San Bernardino shooter's iPhone. He confirmed the tool worked only on older handsets and that the FBI had not bought the technical details behind it.

cbsnews.com

