Privacy Roundup #0123 • October 2016

October 2016 was dominated by mass surveillance disclosures, record breaking botnet attacks on the open internet and a wave of breaches and rulings that tested how far governments and companies could reach into private data.

1. Reuters reveals Yahoo built a secret tool to scan every incoming email for the NSA and FBI

Reuters reported that Yahoo had quietly written custom software to search all of its customers' arriving messages for a string of characters supplied by United States intelligence officials. Privacy lawyers called the order unprecedented and warned it amounted to the kind of general, suspicionless search the Fourth Amendment was meant to forbid.

theintercept.com

2. FBI subpoena to Signal maker Open Whisper Systems exposes overbroad data demands

The Justice Department served a grand jury subpoena on Open Whisper Systems seeking a sweeping list of account details tied to two phone numbers. Because Signal stores almost nothing, the company could hand over only an account creation date and a last connection time, and it fought a year long gag order with help from the ACLU.

theintercept.com

3. ACLU exposes Geofeedia selling social media surveillance to police

The ACLU of California revealed that Geofeedia had tapped data feeds from Facebook, Instagram and Twitter to build a monitoring tool sold to law enforcement for tracking activists and protesters. Within days the three platforms cut off the company's access, and marketing materials showed it had pitched the tool around Ferguson and Baltimore.

www.aclu.org

4. Source code for the Mirai IoT botnet is dumped online

The author behind Mirai, the malware that had powered a record breaking attack on the KrebsOnSecurity site, released its source code on a hacking forum. The leak meant insecure routers, cameras and recorders running default passwords could now be enslaved by anyone, and it set the stage for far larger attacks.

krebsonsecurity.com

5. Georgetown report finds half of American adults in police face recognition databases

The Center on Privacy and Technology at Georgetown Law published "The Perpetual Line-Up", finding that more than 117 million adults sat in face recognition networks used by police, largely drawn from driving licence and identity photos. The study warned that the systems were almost entirely unregulated and performed worse on the faces of African Americans, women and young people.

theintercept.com

6. FCC approves broadband privacy rules requiring opt-in consent for sensitive data

The Federal Communications Commission voted three to two to approve rules forcing internet providers to get affirmative, opt-in consent before using sensitive customer data such as browsing history, location and the content of communications. The order also required breach notification and transparency about what providers collect and share.

iapp.org

7. Tribunal rules GCHQ and MI5 bulk data collection was unlawful for years

The Investigatory Powers Tribunal found that the secret gathering of bulk communications and personal data by GCHQ and MI5 had lacked adequate safeguards and oversight until late 2015. The ruling, brought by Privacy International, held that the regime breached Article 8 of the European Convention on Human Rights.

www.theregister.com

8. Google quietly drops its ban on personally identifiable web tracking

ProPublica revealed that Google had erased a longstanding privacy promise to keep DoubleClick browsing records separate from personally identifiable account data. The change meant the advertising profiles that follow people across the web could now be tied to names and other details held in Gmail and other services.

www.propublica.org

9. Weebly breach exposes more than 43 million accounts

LeakedSource disclosed that the website builder Weebly had been breached, exposing usernames, email addresses, IP addresses and hashed passwords for over 43 million customers. The company had not detected the intrusion itself and began resetting affected passwords after being notified.

www.helpnetsecurity.com

10. Data aggregator leak spills records on 58 million people

A misconfigured MongoDB database belonging to Modern Business Solutions was found publicly accessible, exposing names, home addresses, dates of birth, phone numbers and email addresses for more than 58 million individuals. The aggregator never publicly acknowledged the exposure or explained how it had gathered the data.

www.theregister.com

11. Mirai botnet takes down Dyn and knocks major sites offline

A massive distributed denial of service attack against the DNS provider Dyn made Twitter, Reddit, Spotify, GitHub and many other sites unreachable in several waves over the course of the day. Much of the traffic came from the Mirai botnet of compromised cameras and recorders, the same malware family that had targeted Brian Krebs weeks earlier.

krebsonsecurity.com

12. Chinese webcam maker recalls devices used in the Dyn attack

Hangzhou Xiongmai announced a recall of webcams built with its components after security researchers identified them among the insecure devices harnessed for the Dyn attack. The cameras shipped with default passwords that made them trivial to fold into the Mirai botnet.

www.welivesecurity.com

13. WikiLeaks begins publishing hacked Podesta emails

WikiLeaks started releasing thousands of emails taken from the Gmail account of Clinton campaign chairman John Podesta, dripping out batches across the month. The account had been compromised in a spear phishing attack, and the disclosures raised sharp questions about hacking, leaks and the weaponising of private correspondence.

www.npr.org

14. Independent tester confirms St Jude pacemakers can be hacked

A report by penetration testing firm Bishop Fox replicated many of the attacks first alleged against St Jude Medical cardiac devices, taking over systems from several metres away. The independent verification strengthened the claims that the implants used wireless protocols without proper encryption or authentication.

www.theregister.com

15. Australian Red Cross suffers the country's largest leak of personal data

A backup file holding registration details for roughly 550,000 prospective blood donors was left on a public web server by a third party contractor and then discovered by an outside researcher. The exposed records included contact information and sensitive answers about donor eligibility, and the Blood Service apologised and notified the public.

www.troyhunt.com

16. European regulators urge Facebook to stop tapping WhatsApp data

The Article 29 Working Party wrote to WhatsApp expressing serious concerns about its plan to share phone numbers and other details with Facebook for advertising. The data protection authorities urged the company to halt the data flows, and the UK regulator confirmed sharing had been paused for British users.

www.engadget.com

17. Amnesty International ranks messaging apps on privacy and finds many wanting

Amnesty International published a Message Privacy Ranking that scored eleven companies on how well their messaging services protected users through encryption. Snapchat and Skype scored poorly for failing to deploy end to end encryption by default, while only a handful of apps earned top marks.

www.amnesty.org

18. US intelligence agencies formally blame Russia for the political email thefts

The Department of Homeland Security and the Office of the Director of National Intelligence issued a joint statement saying they were confident the Russian government had directed the theft of emails from political organisations. They linked the leaks on WikiLeaks and DCLeaks to Russian efforts and said only the most senior officials could have authorised them.

www.engadget.com

19. German parliament passes a sweeping foreign surveillance law

The Bundestag adopted a reform of the law governing the BND intelligence service, codifying broad powers to conduct bulk surveillance of foreign communications and to share data with allied agencies. Press freedom and civil liberties groups warned that the law let the service monitor foreign journalists with few restrictions.

www.irishtimes.com

20. Yahoo disables email forwarding, making it harder to leave after the breach

In the wake of the breach and surveillance revelations, Yahoo turned off automatic email forwarding, a feature people relied on to move to a rival service. Critics said the timing looked like an attempt to keep users locked in, while the company claimed the feature was simply under development.

techcrunch.com
