Privacy Roundup #0167 • June 2020
The George Floyd protests pushed surveillance into the spotlight: big tech firms retreated from selling face recognition to police, hundreds of police departments' internal files spilled online, and lawmakers reached again for mandatory access to encrypted data.
1. Zoom refused to give free users end-to-end encryption
Zoom said it would withhold end-to-end encryption from people who did not pay so it could keep helping law enforcement. The decision drew criticism from rights groups who argued the users most in need of protection would be left exposed.
2. Signal added a tool to blur faces in protest photos
Signal shipped a feature that automatically blurs faces in images, aimed at people photographing crowds at protests. The company framed the move as a direct answer to police use of face recognition against demonstrators.
3. Norway suspended its contact-tracing app after a privacy warning
Norway halted its Smittestopp app and deleted the location data it had gathered, after the data protection authority warned it would ban the app and Amnesty International ranked it among the most invasive contact-tracing tools in the world. The authority found that continuous GPS and Bluetooth tracking of users could not be justified given the app's low adoption and limited benefit to infection control.
4. IBM, Amazon and Microsoft pulled back from selling face recognition to police
IBM said it would leave the face recognition business, while Amazon and Microsoft announced moratoriums on sales to law enforcement. The moves followed weeks of protest over racist policing and mounting evidence of bias in the technology.
5. A faulty face recognition match led to a wrongful arrest in Detroit
Robert Williams was arrested in front of his family after Detroit police relied on a flawed face recognition match. His was the first publicly reported case of the technology causing a wrongful arrest in the United States.
6. Boston banned the city's use of face recognition
The Boston City Council voted unanimously to bar municipal use of face surveillance technology. Boston became the largest city on the east coast and the second largest in the country to do so.
7. EFF urged Amazon to end its Ring partnerships with police
EFF called on Amazon to stop pairing its Ring doorbell cameras with police departments through formal partnerships. The group warned the arrangements turned private homes into a sprawling surveillance network with little oversight.
8. Oracle's BlueKai left billions of web-tracking records exposed
A misconfigured Oracle BlueKai database spilled billions of records onto the open internet without a password. The trove tied names and addresses to detailed records of the websites people visited and the emails they opened.
9. BlueLeaks dumped files from hundreds of police departments
The activist group Distributed Denial of Secrets published roughly 270 gigabytes of internal documents from more than 200 American police agencies and fusion centres, including emails, training material and intelligence bulletins. The files traced back to a breach at Netsential, a Texas web firm that hosted portals for law enforcement.
10. Twitter banned the group that published the BlueLeaks files
Twitter permanently suspended the account of Distributed Denial of Secrets for sharing the hacked police records. The platform also blocked links to the group's website, citing rules against the distribution of hacked materials.
11. Senators introduced an anti-encryption bill worse than EARN IT
Senators Graham, Cotton and Blackburn introduced the Lawful Access to Encrypted Data Act, which would force companies to break their own encryption on demand. Critics warned it would gut secure messaging far more bluntly than the EARN IT bill already under debate.
12. Facebook paid for a Tails exploit to help the FBI unmask a user
Facebook funded the development of a zero-day exploit against the privacy operating system Tails, then handed it to the FBI to identify a serial child predator. The case raised hard questions about a private company building surveillance tools and not telling the software's developers.
13. India banned TikTok and 58 other Chinese apps
India blocked 59 apps made by Chinese firms, including TikTok, citing threats to national security and to users' data. The order arrived amid a tense border standoff and affected services with hundreds of millions of users in the country.
14. A stolen master key forced Postbank to replace 12 million cards
South Africa's Postbank had to reissue around 12 million bank cards after employees copied the encryption master key that secured them. The lapse enabled thousands of fraudulent transactions and exposed millions of social grant recipients.
15. UK regulators ordered Facebook and Giphy to stay separate
The Competition and Markets Authority issued an initial enforcement order keeping Facebook and the newly acquired Giphy apart during its review. Regulators worried the deal would let Facebook fold yet more user data and advertising reach into its empire.
16. AWS disclosed it had blocked a record 2.3 Tbps denial-of-service attack
Amazon revealed it had mitigated a 2.3 terabit-per-second flood, the largest distributed denial-of-service attack ever publicly reported. The assault lasted three days and was nearly half again as large as anything Amazon had seen before.
17. Nintendo raised its account breach tally to 300,000
Nintendo revised its estimate of compromised accounts upward from 160,000 to 300,000 after further investigation. The exposed details included names, dates of birth, email addresses and country information, though payment cards were said to be safe.
18. Babylon Health leaked patients' video consultations
A software error in Babylon's GP at Hand app let users watch recordings of other patients' private video consultations with doctors. The company said it fixed the flaw within hours and notified regulators.
19. England's Test and Trace launched without a legally required privacy assessment
The Open Rights Group forced the UK government to admit its Test and Trace programme had run without the data protection impact assessment that the law demands. The admission cast doubt on the lawfulness of a scheme handling sensitive health and contact data.
20. Maze ransomware crew named Xerox and other firms as victims
The Maze gang added Xerox and several other organisations to its public leak portal, threatening to publish stolen internal files. The double-extortion tactic, stealing data before encrypting it, was fast becoming the standard for ransomware crews.