A sampling of stories from the past week that affect privacy and security and should be on your radar.
This was not a well-conducted study, and the article admits that, but it is worth noting. A Washington Post reporter randomly picked about two dozen apps from the App Store and found that over a dozen of them were lying on their privacy labels. A more robust study is needed, but this initial finding suggests that the new privacy labels unfortunately can’t be fully trusted. Don’t depend solely on those.
This week iOS 14.4 patched three severe vulnerabilities that were being exploited in the wild. One allowed attackers to gain root access, and two affected Safari (and, from what I understand, every other iOS browser by extension). Update if you’re an iPhone user.
In late January a researcher discovered a potential flaw in the sudo program on Linux that allows an attacker to escalate even a non-admin user to admin status and compromise a machine. It turns out that Macs also ship with sudo, meaning this vulnerability affects them too. At the time of this writing, the patch is still being developed, so be sure to check for updates frequently if you’re a Mac user.
I found this story interesting because it highlights how vehicle data is the next big thing. Microsoft is already in on it, Google just recently got into it, and now Apple is next. It should be noted that Google and Apple already had a slight handle in this industry as some systems come with or support integration with Apple Maps or Google Maps.
Another “worth knowing” story: Ring doorbells are popular with police because they can be used as surveillance cameras at no cost to them, in some cases in real time but more often after the fact. This practice is growing.
Related to the previous story, government requests for user data from Amazon spiked. Most requests were for “non-user data,” i.e. metadata rather than the actual content. Startling figures worth noting.
Another “worth knowing” story: Jeff Bezos is finally stepping down as Amazon CEO; however, he will still be around and closely involved.
A slightly misleading title: a Redditor noticed that Raspbian – the “official” operating system for Raspberry Pis – secretly added a Microsoft package repository to all of its latest versions. That means every time you check for updates, you contact Microsoft’s servers even if you aren’t using any Microsoft software. This is, of course, a privacy concern, since Microsoft can now see who uses Raspbian even though it has no reason to know that. If you use Raspbian, be sure to delete this repo or redirect it to localhost (127.0.0.1).
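For anyone who wants to do that audit themselves, here is an added example (my own script, not something from the Reddit thread or the Raspbian project) that counts and disables apt source entries pointing at a given host and prints the /etc/hosts line for the localhost redirect. The hostname packages.microsoft.com and the directory /etc/apt/sources.list.d are assumptions; the demo function builds a scratch directory with a constructed list file so you can dry-run it without touching a real system.

```shell
#!/bin/sh
# Added example, not code from the original post or from Raspbian.
# The default APT_DIR is an assumption; the demo uses a scratch directory instead.

# Count active (uncommented) "deb" lines in the directory that reference the host.
count_repo_entries() {
    host="$1"; dir="${2:-/etc/apt/sources.list.d}"
    cat "$dir"/*.list 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | grep -c "^[[:space:]]*deb.*$host" || true
}

# Comment out every active line referencing the host, keeping a .bak copy of
# each file that was changed (GNU sed -i is assumed, as on Raspbian).
disable_repo_entries() {
    host="$1"; dir="${2:-/etc/apt/sources.list.d}"
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        grep -q "^[[:space:]]*deb.*$host" "$f" || continue
        cp "$f" "$f.bak"
        sed -i "s|^\([[:space:]]*deb.*$host.*\)|# disabled by audit: \1|" "$f"
    done
}

# Print the /etc/hosts line that sends the host to localhost (the redirect option).
hosts_redirect_line() {
    printf '127.0.0.1 %s\n' "$1"
}

# Build a scratch directory holding a constructed vendor list next to a
# constructed Raspberry Pi list, so the audit can be tried safely.
make_demo_dir() {
    dir="$(mktemp -d)"
    cat > "$dir/vendor.list" <<'EOF'
# constructed sample, not a real file from any Raspbian image
deb [arch=amd64,arm64,armhf] https://packages.microsoft.com/repos/code stable main
EOF
    cat > "$dir/raspi.list" <<'EOF'
deb http://archive.raspberrypi.org/debian/ buster main
EOF
    printf '%s\n' "$dir"
}
```

Run the functions against the real directory as root once the dry run looks right; disabling the entry is enough to stop the update check from contacting the host, the hosts line is only needed if you prefer the redirect.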
EFF won a case in New Jersey (USA) establishing that a defendant has the right to see the source code in cases where an algorithm or program helped implicate a person. In this specific case, a man was implicated in a crime because his DNA was identified by the TrueAllele DNA analysis software. Because the software is what makes this allegation, the court ruled that the man and his legal team had the right to access the proprietary source code to check the algorithms and see how it reached that conclusion. This is a win for transparency.
South Africa’s highest court has ruled that “bulk surveillance” of online communication is illegal, preventing South Africa from legally scooping up all digital information NSA/GCHQ-style. The article goes into greater detail about how South African surveillance laws work and how the court interpreted all this, but the important thing is that mass surveillance is legally not okay in the country. A victory for privacy.
A highly controversial program in Baltimore had been grounded pending a lawsuit. Baltimore police were using spy planes for up to 11 hours per day to monitor the city from the air and identify criminals and other leads in crimes. The police claim they were retiring the program of their own accord because it had proven ineffective, not because of the lawsuit. Either way, the program is currently over and looks to stay that way. Another victory for privacy.
If you would like to know more about these stories and other privacy news, be sure to check out my weekly current events podcast with Techlore.