Tech Letter

Straightforward Tech Reporting

Category: Privacy 🔒 (page 1 of 5)

Security flaw in Twitter’s Android App allowed a single researcher to match 17 million phone numbers with users

Zack Whittaker, TechCrunch »

Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. “If you upload your phone number, it fetches user data in return,” he told TechCrunch.

He said Twitter’s contact upload feature doesn’t accept lists of phone numbers in sequential format — likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)
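The weakness Balic exploited is a check that only looks at the order of the uploaded numbers, which shuffling defeats. The following is an added example, not Twitter's code, showing that weak check beside two checks that do not depend on order: a density check on the sorted batch and a per-account lookup budget. The thresholds, batch sizes and the sample phone numbers are assumptions chosen for illustration.

```python
"""Order-independent abuse checks for a contact-upload endpoint.

Added example, not Twitter's code. It shows why a check that only rejects
*sequential* batches is defeated by shuffling, and two checks that are not:
a density check on the sorted batch and a per-account lookup budget.
All thresholds and sample batches below are assumptions for illustration.
"""
import random


def is_sequential(numbers):
    """The weak check: flag a batch only if it is an ascending run of
    consecutive numbers. The same numbers in shuffled order pass it."""
    if len(numbers) < 2:
        return False
    return all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def looks_enumerated(numbers, min_batch=50, max_span_ratio=4.0):
    """Sort the batch and measure how densely it fills its own numeric span.
    A genuine address book is scattered over many area codes, so its span is
    orders of magnitude larger than its size; a generated block of numbers
    fills its span almost completely whether or not it was shuffled."""
    distinct = sorted(set(numbers))
    if len(distinct) < min_batch:
        return False
    span = distinct[-1] - distinct[0] + 1
    return span / len(distinct) <= max_span_ratio


class UploadBudget:
    """Cap the number of distinct phone numbers an account may look up.
    Matching millions of users needs volume no matter how batches are shaped,
    so a budget catches enumeration that any per-batch heuristic misses."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = {}  # account -> set of numbers already looked up

    def allow(self, account, numbers):
        seen = self.seen.setdefault(account, set())
        if len(seen | set(numbers)) > self.limit:
            return False
        seen.update(numbers)
        return True


def demo():
    """Run the checks over two constructed batches (E.164 numbers as ints)."""
    rng = random.Random(7)  # fixed seed: constructed data, reproducible
    # A plausible address book: 60 numbers scattered across the +1 range.
    address_book = rng.sample(range(12000000000, 19999999999), 60)
    # An attacker's batch: 1,000 consecutive numbers, then shuffled.
    generated = list(range(14155550000, 14155551000))
    shuffled = generated[:]
    rng.shuffle(shuffled)
    return {
        "sequential_catches_raw": is_sequential(generated),
        "sequential_catches_shuffled": is_sequential(shuffled),
        "density_catches_shuffled": looks_enumerated(shuffled),
        "density_flags_address_book": looks_enumerated(address_book),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The density check alone is still a heuristic (an attacker can pad each batch with scattered filler numbers to widen its span), which is why the budget matters: it bounds how many distinct numbers any one account can ever resolve, whatever shape the batches take.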

More » Security Affairs

Apple’s Platform Security guide details how customer data is used and protected

Malcolm Owen, Apple Insider »

The Apple Platform Security guide is a 157-page document that gives an overview of how Apple treats security across its entire ecosystem.


“Every Apple device combines hardware, software, and services designed to work together for maximum security and a transparent user experience in service of the ultimate goal of keeping personal information safe,” Apple writes. “Apple devices protect not only the device and its data, but the entire ecosystem, including everything users do locally, on networks, and with key Internet services.”

Apple (.pdf) »

This documentation provides details about how security technology and features are implemented within Apple platforms. It also helps organizations combine Apple platform security technology and features with their own policies and procedures to meet their specific security needs.


Apple continues to push the boundaries of what is possible in security and privacy. For example, Find My uses existing cryptographic primitives to enable the groundbreaking capability of distributed finding of an offline Mac — without exposing to anyone, including Apple, the identity or location data of any of the users involved. To enhance Mac firmware security, Apple has leveraged an analog to page tables to block inappropriate access from peripherals, but at a point so early in the boot process that RAM hasn’t yet been loaded. And as attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions — unavailable on any other mobile devices — to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at the center of their design.

More » The Mac Observer, iDownloadBlog

The reliability of facial recognition and artificial intelligence has come under scrutiny

AI is being widely deployed and sold to the public and to users as more reliable than it actually is. We aren’t there yet, and security agencies and corporate interests that rely on it anyway are putting our safety and security at risk.

Jeff John Roberts, writing in Fortune Magazine »

Masks and simple photographs are enough to fool some facial recognition technology, highlighting a major shortcoming in what is billed as a more effective security tool.


More alarming were the tests deployed at transportation hubs. At the self-boarding terminal in Schiphol Airport, the Netherlands’ largest airport, the Kneron team tricked the sensor with just a photo on a phone screen. The team also says it was able to gain access in this way to rail stations in China where commuters use facial recognition to pay their fare and board trains.

The transportation experiments raise concerns about terrorism at a time when security agencies are exploring facial recognition as a means of saving money and improving efficiency. In the case of the payment tablets, the ability to fool WeChat and AliPay with masks raises the specter of fraud and identity theft.

Video » This is how AI is making it easier to kill you

Technology many use every day to make their lives easier is being weaponized. A tank that drives itself. A drone that picks its own targets. A machine gun with facial recognition software. Sounds like science fiction? These weapons already exist.

From the New York Times »

iPhone 11 Pro seeks location data even when the option has been turned off in iOS 13

Apple, a company that prides itself on customer privacy, seems to have been caught with its privacy pants down around its ankles. Its newest phone is still checking the user’s location while it preaches to its customers that it’s better than everyone else.

Security journalist Brian Krebs has found that Apple’s current flagship, the iPhone 11 Pro, continues to seek location data even after every Location Services switch has been turned off in iOS 13.

Krebs on Security »

One of the more curious behaviors of Apple’s new iPhone 11 Pro is that it intermittently seeks the user’s location information even when all applications and system services on the phone are individually set to never request this data. Apple says this is by design, but that response seems at odds with the company’s own privacy policy.

Apple’s response to Krebs »

“We do not see any actual security implications,” an Apple engineer wrote in a response to KrebsOnSecurity. “It is expected behavior that the Location Services icon appears in the status bar when Location Services is enabled. The icon appears for system services that do not have a switch in Settings” [emphasis added].

Read Brian Krebs’ whole post »

More » The Mac Observer, SiliconAngle, The Next Web, Fast Company, CNET, TechSpot, The Inquirer

Twitter announced it is moving all accounts of users outside of the U.S. and the EU from Dublin, Ireland to San Francisco, where they will be subject to U.S. and California privacy and surveillance laws

Twitter also launched the Twitter Privacy Center in an effort to be more transparent, to offer »

more clarity around what we’re doing to protect the information people share with us.

Elizabeth Culliford, writing for Reuters »

The changes, which will take effect on Jan. 1, 2020, will comply with the California Consumer Privacy Act (CCPA).

The California law requires large businesses to give consumers more transparency and control over their personal information, such as allowing them to request that their data be deleted and to opt out of having their data sold to third parties.


Twitter also announced on Monday that it is moving the accounts of users outside of the United States and European Union which were previously contracted by Twitter International Company in Dublin, Ireland, to the San Francisco-based Twitter Inc.

The company said this move would allow it the flexibility to test different settings and controls with these users, such as additional opt-in or opt-out privacy preferences, that would likely be restricted by the General Data Protection Regulation (GDPR), Europe’s landmark digital privacy law.

Read the whole article on Reuters »

More » Twitter’s Blog Post, Security Week, TechCrunch, CNet, Engadget, Fast Company

Your video doorbell company allowed police access to video that monitors customers

The Amazon Ring doorbell comes packaged with many security and privacy concerns. And Amazon makes it awfully easy for the local police to violate people’s privacy.

Alfred Ng, writing for CNet »

For more than a year, police departments partnered with Amazon’s Ring unit had access to a map showing where its video doorbells were installed, down to the street they were on, public documents revealed. So while Ring said it didn’t provide police with addresses for the devices, a feature in the map tool let them get extremely close. The feature was removed in July.


The heat maps feature was one of several surveillance tools that Ring told police “should not be shared with the public.” The first Ring police partnership listed started in March 2018, and the video doorbell company had at least 335 police partners by the time it disabled the feature, records show.

Ring, which Amazon purchased for $839 million in February 2018, has now partnered with up to 631 law enforcement agencies in the US, creating a public surveillance tool for police departments through its video doorbells.

Read the whole article on CNet »

» Shreyas Gandlur’s Amazon Ring Video Doorbell Documents

Shreyas Gandlur » Privacy researcher and Student at the University of Illinois at Urbana-Champaign

More » Engadget, Vox, Vice

Canadian courts powerless to order Facebook to hand over private messages

Result » Canadian federal legislators need to enact legislation that will be enforceable within Canadian jurisdiction.

If Facebook, and others, want to operate within Canadian borders, they must be expected to work within Canadian society’s rules, regulations, and customs.

Kate Dubinski, writing in CBC News »

The case involved Facebook messages that police in London, Ont., wanted to access in order to proceed with a homicide investigation and trial.

Because Facebook is an American company, the usual legal process involves Canadian authorities applying for evidence, in this case from the Facebook Messenger app, through a mutual legal assistance treaty (MLAT). The treaty has been used for decades by police on both sides of the border to get access to physical evidence.

In this case, a judge issued a production order — essentially a legal order for Facebook to give up the information. Authorities thought that would be quicker than the treaty process, which takes about four months.

But when it became clear this fall Facebook would fight tooth and nail against having to comply with a Canadian judge’s order, the Crown applied through the MLAT for the messages and received them.

Read the whole article in CBC News »

EU to investigate Google over data collection practices

Antitrust regulators in the European Union are investigating Google’s data collection practices, according to “exclusive” reporting at Reuters.

Over the last couple of years, European Competition Commissioner Margrethe Vestager has handed down fines totalling more than €8 billion (~ C$11 billion) to Google and ordered it to change its business ways.

Foo Yun Chee, writing for Reuters »

“The Commission has sent out questionnaires as part of a preliminary investigation into Google’s practices relating to Google’s collection and use of data. The preliminary investigation is ongoing,” the EU regulator told Reuters in an email.

Read the whole article on the Reuters web site »

More » The Guardian, CNN, International Business Times, Business Insider, The Mercury News

Canadian privacy watchdogs find that BC’s AggregateIQ broke federal and provincial data privacy laws after collecting personal info from US and British voters

Karin Larsen, writing in the CBC News »

Victoria-based AggregateIQ Data Services broke Canadian and B.C. privacy laws in work it carried out on behalf of the 2016 pro-Brexit Vote Leave campaign, as well as political campaigns in the U.S. and Canada, according to findings by the B.C. and federal privacy commissioners.

According to the report, AIQ failed to obtain adequate consent for use and disclosure of the personal information of voters, which was used to produce microtargeted political ads.

It also said that AIQ “failed to take reasonable security measures” to protect personal information it collected in a database containing the names and contact information of 35 million people.

At a news conference, B.C. Information and Privacy Commissioner Michael McEvoy and Privacy Commissioner of Canada Daniel Therrien said even though AIQ works globally, it still must follow Canadian and B.C. privacy laws.

More » Canadian Press video, Globe & Mail, Times Colonist


© 2020 Tech Letter
