American Phone-Tracking Firm Demo’d Surveillance Powers By Spying On CIA and NSA

Anomaly Six, a secretive government contractor, claims to monitor the movements of billions of phones around the world and unmask spies with the press of a button. Reader BeerFartMoron shares a report: In the months leading up to Russia’s invasion of Ukraine, two obscure American startups met to discuss a potential surveillance partnership that would merge the ability to track the movements of billions of people via their phones with a constant stream of data purchased directly from Twitter. According to Brendon Clark of Anomaly Six — or “A6” — the combination of its cellphone location-tracking technology with the social media surveillance provided by Zignal Labs would permit the U.S. government to effortlessly spy on Russian forces as they amassed along the Ukrainian border, or similarly track Chinese nuclear submarines. To prove that the technology worked, Clark pointed A6’s powers inward, spying on the National Security Agency and CIA, using their own cellphones against them.

Virginia-based Anomaly Six was founded in 2018 by two ex-military intelligence officers and maintains a public presence that is scant to the point of mysterious, its website disclosing nothing about what the firm actually does. But there’s a good chance that A6 knows an immense amount about you. The company is one of many that purchases vast reams of location data, tracking hundreds of millions of people around the world by exploiting a poorly understood fact: Countless common smartphone apps are constantly harvesting your location and relaying it to advertisers, typically without your knowledge or informed consent, relying on disclosures buried in the legalese of the sprawling terms of service that the companies involved count on you never reading.

Read more of this story at Slashdot.

Police Records Show Women Are Stalked With Apple AirTags Across the Country

samleecole shares a report from Motherboard: Police records reviewed by Motherboard show that, as security experts immediately predicted when the product launched, this technology has been used as a tool to stalk and harass women. Motherboard requested records mentioning AirTags in a recent eight-month period from dozens of the country’s largest police departments. We obtained records from eight police departments. Of the 150 total police reports mentioning AirTags, in 50 cases women called the police because they started getting notifications that their whereabouts were being tracked by an AirTag they didn’t own. Of those, 25 could identify a man in their lives — ex-partners, husbands, bosses — who they strongly suspected planted the AirTags on their cars in order to follow and harass them. Those women reported that current and former intimate partners — the most likely people to harm women overall — are using AirTags to stalk and harass them.

Multiple women who filed these reports said they feared physical violence. One woman called the police because a man she had a protective order against was harassing her with phone calls. She’d gotten notifications that an AirTag was tracking her, and could hear it chiming in her car, but couldn’t find it. When the cops arrived, she answered one of his calls in front of the officer, and the man described how he would physically harm her. Another who found an AirTag in her car had been wondering how a man she had an order of protection against seemed to always know where she was. The report said she was afraid he would assault or kill her. […] The overwhelming number of reports came from women. Only one case out of the 150 we reviewed involved a man who suspected an ex-girlfriend of tracking him with an AirTag.

Writing Google Reviews About Patients Is Actually a HIPAA Violation

“According to The Verge, health providers writing Google reviews about patients with identifiable information is a HIPAA violation,” writes Slashdot reader August Oleman. From the report: In the past few years, the phrase ‘HIPAA violation’ has been thrown around a lot, often incorrectly. People have cited the law, which protects patient health information, as a reason they can’t be asked if they’re vaccinated or get a doctor’s note for an employer. But asking someone if they’re vaccinated isn’t actually a HIPAA violation. That’s a fine and not-illegal thing for one non-doctor to ask another non-doctor. What is a HIPAA violation is what U. Phillip Igbinadolor, a dentist in North Carolina, did in September 2015, according to the Department of Health and Human Services. After a patient left an anonymous, negative Google review, he logged on and responded with his own post on the Google page, saying that the patient missed scheduled appointments. […]

In the post, he used the patient’s full name and described, in detail, the specific dental problem he was in for: “excruciating pain” from the lower left quadrant, which resulted in a referral for a root canal. That’s what a HIPAA violation actually looks like. The law says that healthcare providers and insurance companies can’t share identifiable, personal information without a patient’s consent. In this case, the dentist (a healthcare provider) publicly shared a patient’s name, medical condition, and medical history (personal information). As a result, the office was fined $50,000 (PDF).

Lapsus$ Found a Spreadsheet of Passwords as They Breached Okta, Documents Show

The Lapsus$ hackers used compromised credentials to break into the network of customer service giant Sitel in January, days before subsequently accessing the internal systems of authentication giant Okta, according to documents seen by TechCrunch that provide new details of the cyber intrusion that have not yet been reported. The report adds: […] The documents provide the most detailed account to date of the Sitel compromise, which allowed the hackers to later gain access to Okta’s network. […] The documents, obtained by independent security researcher Bill Demirkapi and shared with TechCrunch, include a Sitel customer communication sent on January 25 — more than a week after hackers first compromised its network — and a detailed timeline of the Sitel intrusion compiled by incident response firm Mandiant dated March 17 that was shared with Okta.

According to the documents, Sitel said it discovered the security incident in its VPN gateways on a legacy network belonging to Sykes, a customer service company working for Okta that Sitel acquired in 2021. The timeline details how the attackers used remote access services and publicly accessible hacking tools to compromise and navigate through Sitel’s network, gaining deeper visibility into the network over the five days that Lapsus$ had access. Sitel said that its Azure cloud infrastructure was also compromised by hackers. According to the timeline, the hackers accessed a spreadsheet on Sitel’s internal network early on January 21 called “DomAdmins-LastPass.xlsx.” The filename suggests that the spreadsheet contained passwords for domain administrator accounts that were exported from a Sitel employee’s LastPass password manager.

TikTok Shares Your Data More Than Any Other Social Media App, Study Says

According to a recent study published by mobile marketing company URL Genius, YouTube and TikTok track users’ personal data more than any other social media apps. However, while YouTube mostly collects your personal data for its own purposes to serve you more relevant ads, TikTok mostly allows third-party trackers to collect your data — “and from there, it’s hard to say what happens with it,” reports CNBC. From the report: With third-party trackers, it’s essentially impossible to know who’s tracking your data or what information they’re collecting, from which posts you interact with — and how long you spend on each one — to your physical location and any other personal information you share with the app. As the study noted, third-party trackers can track your activity on other sites even after you leave the app.

To conduct the study, URL Genius used the Record App Activity feature from Apple’s iOS to count how many different domains track a user’s activity across 10 different social media apps — YouTube, TikTok, Twitter, Telegram, LinkedIn, Instagram, Facebook, Snapchat, Messenger and WhatsApp — over the course of one visit, before you even log into your account. YouTube and TikTok topped the other apps with 14 network contacts apiece, significantly higher than the study’s average number of six network contacts per app. Those numbers are all probably higher for users who are logged into accounts on those apps, the study noted.

Ten of YouTube’s trackers were first-party network contacts, meaning the platform was tracking user activity for its own purposes. Four of the contacts were from third-party domains, meaning the social platform was allowing a handful of mystery outside parties to collect information and track user activity. For TikTok, the results were even more mysterious: 13 of the 14 network contacts on the popular social media app were from third parties. The third-party tracking still happened even when users didn’t opt into allowing tracking in each app’s settings, according to the study. “Consumers are currently unable to see what data is shared with third-party networks, or how their data will be used,” the report’s authors wrote.
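
The counting method described above (distinct domains contacted per app during one session, split into first-party and third-party) can be reproduced from the report that iOS lets you export. The script below is an added example, not code from URL Genius, CNBC or Apple. It assumes the export is newline-delimited JSON whose "networkActivity" records carry "bundleID", "domain" and "domainOwner" fields, and it uses a hand-written map of which registrable domains each app's publisher owns; the bundle IDs, domains and records in the sample are constructed, not real captures.

```python
"""Count per-app network contacts from an iOS App Privacy Report export.

Added example (not the study's own tooling). Assumed input: NDJSON with
"networkActivity" records carrying "bundleID", "domain", "domainOwner".
"""
import json
from collections import defaultdict

# Constructed sample records (not real captures), one per line, plus a
# deliberately malformed trailing line to show the parser tolerates it.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"type": "networkActivity", "bundleID": "com.example.video",
     "domain": "api.example.com", "domainOwner": "Example Inc"},
    {"type": "networkActivity", "bundleID": "com.example.video",
     "domain": "cdn.example.com", "domainOwner": "Example Inc"},
    {"type": "networkActivity", "bundleID": "com.example.video",
     "domain": "cdn.example.com", "domainOwner": "Example Inc"},   # repeat contact
    {"type": "networkActivity", "bundleID": "com.example.video",
     "domain": "t.adnet.test", "domainOwner": "AdNet"},
    {"type": "networkActivity", "bundleID": "com.example.video",
     "domain": "px.measure.test", "domainOwner": ""},
    {"type": "networkActivity", "bundleID": "com.example.social",
     "domain": "graph.social.test", "domainOwner": "Social Ltd"},
    {"type": "networkActivity", "bundleID": "com.example.social",
     "domain": "t.adnet.test", "domainOwner": "AdNet"},
    {"type": "access", "bundleID": "com.example.social",
     "category": "location"},                                    # not a network record
]) + "\n{not valid json"

# Assumed mapping (hypothetical apps) of each bundle ID to the registrable
# domains its publisher owns; anything else it contacts is third-party.
FIRST_PARTY = {
    "com.example.video": {"example.com"},
    "com.example.social": {"social.test"},
}


def registrable(domain):
    """Naive eTLD+1: the last two labels. Fine for the sample; a real audit
    should consult the Public Suffix List so 'foo.co.uk' is not cut to 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_contacts(ndjson_text):
    """{bundleID: set(domains)} built from networkActivity records only.
    Malformed lines are skipped instead of aborting the whole report."""
    contacts = defaultdict(set)
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "networkActivity":
            continue
        bundle, domain = rec.get("bundleID"), rec.get("domain")
        if bundle and domain:
            contacts[bundle].add(domain.lower())
    return contacts


def summarize(ndjson_text, first_party=FIRST_PARTY):
    """Per app: distinct domains contacted, split into first- and third-party."""
    summary = {}
    for bundle, domains in parse_contacts(ndjson_text).items():
        own = first_party.get(bundle, set())
        third = sorted(d for d in domains if registrable(d) not in own)
        summary[bundle] = {
            "total": len(domains),
            "first_party": len(domains) - len(third),
            "third_party": len(third),
            "third_party_domains": third,
        }
    return summary


def rank_by_third_party_share(summary):
    """Apps ordered by the fraction of their contacts that go to third parties."""
    return sorted(summary,
                  key=lambda b: summary[b]["third_party"] / summary[b]["total"],
                  reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_EXPORT)
    for b in rank_by_third_party_share(s):
        r = s[b]
        print(f"{b}: {r['total']} contacts, {r['first_party']} first-party, "
              f"{r['third_party']} third-party -> {', '.join(r['third_party_domains'])}")
```

Two caveats the study's own write-up implies: the report only records the domains the app contacted while recording was on, so a single pre-login visit undercounts what a logged-in session produces, and "first-party" is only as good as your ownership map, since a tracker operated by the app's publisher on an unrelated domain will be misfiled as third-party and a CDN the publisher rents will be misfiled as first-party.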

It’s Back: Senators Want ‘EARN IT’ Bill To Scan All Online Messages

A group of lawmakers has re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that “would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe,” writes Joe Mullin via the Electronic Frontier Foundation. “It’s a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online — backups, websites, cloud photos, and more — is scanned.” From the report: The bill empowers every U.S. state or territory to create sweeping new Internet regulations, by stripping away the critical legal protections for websites and apps that currently prevent such a free-for-all — specifically, Section 230. The states will be allowed to pass whatever type of law they want to hold private companies liable, as long as they somehow relate their new rules to online child abuse. The goal is to get states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services. This includes messaging services like WhatsApp, Signal, and iMessage, as well as web hosts like Amazon Web Services. […]

Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary “best practices” for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill’s sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites — the government will already have access to the user data, through the platform. […] Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.

The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That’s completely false, no matter whether it’s called “client side scanning” or another misleading new phrase. The EARN IT Act doesn’t target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies — from the largest ones to the very smallest ones — as its tools. The strategy is to get private companies to do the dirty work of mass surveillance.

Website Fined By German Court For Leaking Visitor’s IP Address Via Google Fonts

Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht München’s third civil chamber in Munich, found that the website, by including a Google-Fonts-hosted font on its pages, passed the unidentified plaintiff’s IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe’s General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user’s browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen’s IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn’t give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

The decision says IP addresses represent personal data because it’s theoretically possible to identify the person associated with an IP address, and that it’s irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed — the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers — Google’s or a CDN’s — that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.
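
The leak the court describes is a browser-side fetch: any `<link>`, `@import` or even a `preconnect` hint pointing at fonts.googleapis.com or fonts.gstatic.com makes the visitor's browser open a connection to Google, which sees the visitor's IP address. The script below is an added example, not code from the court, The Register or Google: it finds those references in a page and emits the `@font-face` rules for a self-hosted replacement. The HTML sample is constructed, the `/fonts/<family>-<weight>-<style>.woff2` file naming is an assumed convention, and it assumes the operator has already downloaded the font files into that directory. It parses both the older `css?family=Open+Sans:400,700italic|Lato` syntax and the `css2?family=Roboto:ital,wght@0,400;1,700` syntax, handling only the `ital` and `wght` axes.

```python
"""Find Google Fonts hotlinks in a page and emit self-hosted @font-face CSS.

Added example, not code from the court, The Register or Google. Assumes the
.woff2 files are served from /fonts/ using the naming scheme in self_hosted_css.
"""
import re
from urllib.parse import urlsplit, unquote_plus

GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Constructed sample page: a css2 stylesheet link, a preconnect hint and an
# old-style @import, plus a same-origin stylesheet that must not be flagged.
SAMPLE_HTML = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,400;1,700&family=Lato&display=swap" rel="stylesheet">
<link rel="stylesheet" href="/static/site.css">
<style>@import url('https://fonts.googleapis.com/css?family=Open+Sans:400,700italic');</style>
</head>"""

# Matches the value of any href= attribute or CSS url() reference.
_URL_RE = re.compile(r"""(?:href\s*=\s*|url\s*\(\s*)['"]?([^'"\s>)]+)""", re.I)


def find_font_hotlinks(html):
    """Every href= or url() whose host is a Google Fonts endpoint. The
    preconnect hint is reported too: it opens a connection, so the IP is
    disclosed before any font is even requested."""
    return [url for url in _URL_RE.findall(html)
            if urlsplit(url).hostname in GOOGLE_FONT_HOSTS]


def _query_params(url):
    # Manual split on '&' only: css2 family values legitimately contain ';'.
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        yield key, unquote_plus(value)


def families_from_url(url):
    """(family, style, weight) triples from the family= params of a css or
    css2 URL. Only the ital/wght axes and the digit+italic variant syntax are
    handled; anything else falls back to regular 400."""
    triples = []
    for key, value in _query_params(url):
        if key != "family":
            continue
        for spec in value.split("|"):
            name, _, variants = spec.partition(":")
            if not variants:
                triples.append((name, "normal", "400"))
            elif "@" in variants:                      # css2: ital,wght@0,400;1,700
                axes, _, tuples = variants.partition("@")
                axis_names = axes.split(",")
                for tup in tuples.split(";"):
                    axis = dict(zip(axis_names, tup.split(",")))
                    style = "italic" if axis.get("ital") == "1" else "normal"
                    triples.append((name, style, axis.get("wght", "400")))
            else:                                      # css v1: 400,700italic
                for variant in variants.split(","):
                    m = re.fullmatch(r"(\d+)?(italic)?", variant)
                    weight = (m and m.group(1)) or "400"
                    style = "italic" if m and m.group(2) else "normal"
                    triples.append((name, style, weight))
    return triples


def self_hosted_css(triples, path_prefix="/fonts/"):
    """@font-face rules pointing at files the operator hosts itself. File
    names follow an assumed convention: <family-slug>-<weight>-<style>.woff2."""
    rules = []
    for family, style, weight in dict.fromkeys(triples):   # dedupe, keep order
        slug = family.lower().replace(" ", "-")
        rules.append(
            "@font-face {\n"
            f'  font-family: "{family}";\n'
            f"  font-style: {style};\n"
            f"  font-weight: {weight};\n"
            "  font-display: swap;\n"
            f'  src: url("{path_prefix}{slug}-{weight}-{style}.woff2") format("woff2");\n'
            "}"
        )
    return "\n".join(rules)


def audit(html):
    """Hotlinks found in the page plus the replacement CSS for what they load."""
    hotlinks = find_font_hotlinks(html)
    triples = [t for url in hotlinks for t in families_from_url(url)]
    return hotlinks, self_hosted_css(triples)


if __name__ == "__main__":
    links, css = audit(SAMPLE_HTML)
    print("third-party font fetches that disclose the visitor's IP address:")
    for url in links:
        print("  ", url)
    print("\nreplacement: remove the <link>/@import above, ship the .woff2 files, add:")
    print(css)
```

After swapping in the generated CSS, confirm the fix the way the court's logic demands: load the page with the browser's network panel open and check that no request at all goes to fonts.googleapis.com or fonts.gstatic.com, including the preconnect, since the disclosure happens at connection time, not at font download time.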