Privacy Weekly Episode 1

Welcome To Episode One

👋 Welcome to my first Exciit Privacy Weekly post. I'll be providing a roundup of all the privacy- and technology-related news on a weekly basis. I hope you enjoy the first episode.

A lot has happened in the last week regarding privacy and technology, so let's dive right in 👇

Twitter Using Security Contact Details For Advertising

Twitter announced that it used telephone numbers and email addresses that were provided by its users for security purposes to serve advertising. Twitter isn't sure how many users were affected by the issue. The phone numbers and email addresses were used to match with data collected from third-party advertising companies (presumably to match records from third parties with Twitter user accounts).

Why it matters: Big-tech users should be able to trust that contact details provided for security purposes are only used for those purposes; otherwise people will pass up on using extra security measures such as two-factor authentication (2FA).

Links: The Verge, TechCrunch

Facebook Asked To Abandon Plans To Use End-To-End Encryption

High-ranking law enforcement officials have asked Facebook to abandon plans to use end-to-end encryption. They've asked because use of end-to-end encryption would make it very difficult for law enforcement to intercept or eavesdrop on communications between (potential) criminals.

The government and law enforcement aren't against Facebook using encryption; they just want to ensure that they have a means to access an unencrypted version if necessary, by using a backdoor.

WhatsApp, a popular chat application owned by Facebook, already uses end-to-end encryption, meaning that government and law enforcement can't access the data of its users' conversations.

The case for using end-to-end encryption: It provides a secure method of communication for its users, and no one can eavesdrop on it. That means no leaking of potentially sensitive information. People can trust the platform to keep their communications private.

The case for using weakened end-to-end encryption with a backdoor: Keeping communications safe for users is a great thing. Unfortunately, it keeps communications between criminals and terrorists secure as well, which hampers investigations into them. In fact, criminals and terrorists know this to be the case and use WhatsApp as a means to securely communicate amongst themselves. Adding weakened encryption with a backdoor will allow law enforcement to better investigate these groups.

The bigger picture for Facebook: Facebook has had a lot of privacy issues in the past and would be keen to be seen as a leader in privacy.

The bigger picture for the government: The world is becoming increasingly digital. Traditional techniques for catching criminals and terrorists are becoming less effective, and gaining insight into their activities online is critical.

Links: CPO Magazine

Bruce Schneier On Australian Encryption Laws

Bruce Schneier, the famous security expert, criticised Australia's eavesdropping law, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018. It allows Australian government agencies, such as law enforcement and spy agencies, to request access to encrypted data and communications from companies and platform providers. It's intended to be used to break criminal and terrorist encrypted communications, helping to keep Australians safe.

Schneier says that breaking encryption of any kind will weaken overall security not just for criminals and terrorists, but also for world leaders, nuclear power plant operators, CEOs, judges and police officers.

Why it matters: This latest discussion is part of a wider discussion. Does society (big-tech companies, government and citizens) allow secure communication between all people, including criminals and terrorists? Or do we purposefully weaken the security of phones, computers and online platforms so we can listen in on criminals and terrorists, but as a consequence potentially also weaken the security of others within society?

Another interesting point that Schneier makes is that in the past the C (Confidentiality) of the CIA triad (Confidentiality, Integrity and Availability) has been most important, but in future the I (Integrity) and A (Availability) will be more important. That's because we'll have more and more connected systems like cars and medical devices where integrity and availability of data are crucial. For example, if medical data is altered, it could result in a wrong diagnosis or wrong treatment, potentially with deadly results.

Links: Australian eavesdropping law, ZDNet, Schneier on Security, BBC

J-Pop Fan Zooming In 🔎

A Japanese fan found his J-pop idol's home by zooming in on her social media images. Hibiki Sato zoomed in on photos of Ena Matsuoka, who is a member of a J-pop group, and was able to see a train station in the reflection of her eyes. Using Google Street View he was able to find the train station. In other social media posts he was able to figure out what her curtains looked like (which presumably helped in figuring out her specific home).

Hibiki Sato followed the J-pop idol to her home where he assaulted her. Thankfully he was arrested and admitted to the attack.

The takeaway: Things you post on social media can be used against you and can invade your privacy, perhaps even in ways you didn't think were possible.

Links: Vice, AsiaOne

Why Using Google Suite Isn't Safe For Journalists

Journalists, reporters and even bloggers can report on things that can go against the interests of a government.

They often use Google Suite (or G Suite), which is an online collection of productivity tools (similar to Word and Excel). Google Suite saves all data in the cloud, specifically on Google Cloud and thus on Google servers.

According to this post from Freedom of the Press Foundation, Google Suite is not end-to-end encrypted, meaning there are points within their system at which they can read Google Suite contents (documents, spreadsheets, etc.).

Google has no incentive to read your documents and secrets, and they have many technical measures in place to prevent eavesdropping and hacking from third parties.

However, when asked by the government to provide access to Google Suite data, they must oblige under the right legal setting. And because the data is not end-to-end encrypted, they have access to the data and therefore must provide it to the government (i.e. law enforcement and spy agencies).

The takeaway: If you're an average user and not doing anything too sensitive, you're probably not at risk from using Google Suite because the government (i.e. law enforcement and spy agencies) won't ask about you. However, if you're a reporter, a journalist or someone else in the crosshairs of the government, you're at risk.

Fun fact: According to Google's transparency report, between July 2018 and December 2018, Google received over 60 thousand requests from government agencies about its users.

What can you do about it if you're a journalist: You can look for an alternative software solution that does provide end-to-end encryption of your data.

Links: Freedom of the Press Foundation, Google Transparency Report

  • On Twitter, @DigitalLawyer shared that he was almost tricked into complying with a phishing scam that was after his bank details. It shows that even digitally savvy people can (almost) be duped into providing details over the phone.
  • On Reddit Privacy, user freddyym shared why he thinks privacy matters even if you have nothing to hide, which is a common counterpoint to arguments about (the importance of) privacy.