Weekly Privacy Roundup #2
Privacy is implied. Privacy is not up for discussion – Mikko Hypponen
Twitter warns users – Firefox might hold on to private messages
A bit of a brouhaha erupted at the end of last week – it wasn’t quite an argument between Twitter and Firefox, but it did get confusing pretty quickly.
The issue had to do with how long your browser might hang on to local copies of private data such as direct messages, even after they’d actually been posted.
Twitter published a blog article tagged “Privacy” that stated:
We recently learned that the way Mozilla Firefox stores cached data may have resulted in non-public information being inadvertently stored in the browser’s cache. This means that if you accessed Twitter from a shared or public computer via Mozilla Firefox and took actions like downloading your Twitter data archive or sending or receiving media via Direct Message, this information may have been stored in the browser’s cache even after you logged out of Twitter.
Source: Naked Security
Move Fast & Roll Your Own Crypto
A Quick Look at the Confidentiality of Zoom Meetings
Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
Source: The Citizen Lab
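The ECB concern in the Citizen Lab excerpt, shown in added Go code that is not from the report or from Zoom: the same AES-128 cipher is run in ECB and in CBC over a constructed frame of repeated blocks, and a repeated-block counter (the check a reviewer would run over captured traffic) shows why ECB preserves plaintext patterns. The key, IV and frame bytes are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)
const blockSize = 16 // AES block size in bytes; inputs here are whole blocks

// ecbEncrypt runs the cipher over each block independently, which is all ECB
// mode is: equal plaintext blocks yield equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out
}

// cbcEncrypt chains each block with the previous ciphertext block (and an IV),
// so repeated plaintext no longer produces repeated ciphertext.
func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// countRepeatedBlocks counts ciphertext blocks that duplicate an earlier one.
// A non-zero count on a long message is the classic ECB fingerprint.
func countRepeatedBlocks(ct []byte) int {
	seen, repeats := map[string]bool{}, 0
	for i := 0; i+blockSize <= len(ct); i += blockSize {
		k := string(ct[i : i+blockSize])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

// compareModes encrypts a constructed "frame" (one block repeated 8 times, like
// a static video region) with AES-128 in ECB and CBC and returns each repeat count.
func compareModes() (ecbRepeats, cbcRepeats int) {
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key, not a real secret
	iv := bytes.Repeat([]byte{0x22}, 16)  // constructed demo IV
	frame := bytes.Repeat([]byte("0123456789abcdef"), 8)
	block, _ := aes.NewCipher(key) // a 16-byte key is valid, so no error to handle
	return countRepeatedBlocks(ecbEncrypt(block, frame)), countRepeatedBlocks(cbcEncrypt(block, iv, frame))
}
```

ECB yields 7 duplicate blocks out of 8 (the pattern survives encryption); CBC yields none.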
Email provider got hacked, data of 600,000 users now sold on the dark web
The data of more than 600,000 Email.it users is currently being sold on the dark web, ZDNet has learned following a tip from one of our readers.
“Unfortunately, we must confirm that we have suffered a hacker attack,” the Italian email service provider said in a statement to ZDNet on Monday.
Source: ZDNet
Coronavirus: Privacy in a pandemic
These are strange times. Germany, perhaps the most privacy conscious nation on earth, is considering a mobile phone app that would trace the contacts of anyone infected with Covid-19.
Earlier this week the British Prime Minister shared a picture of an online Cabinet meeting, complete with the Zoom meeting ID and the usernames of ministers. And millions of us are sharing views of our kitchens over this and other video-conferencing apps, without apparently being too concerned about poor privacy controls.
Source: BBC News
States’ use of digital surveillance technologies to fight pandemic must respect human rights
The COVID-19 pandemic is a global public health emergency that requires a coordinated and large-scale response by governments worldwide. However, States’ efforts to contain the virus must not be used as a cover to usher in a new era of greatly expanded systems of invasive digital surveillance.
We, the undersigned organizations, urge governments to show leadership in tackling the pandemic in a way that ensures that the use of digital technologies to track and monitor individuals and populations is carried out strictly in line with human rights.
Source: Open Rights Group
China’s “New IP” proposal to replace TCP/IP has a built-in “shut up command” for censorship
The Chinese government and the Chinese telecommunications companies such as Huawei under its control are proposing a “New IP” addressing system for the internet to replace TCP/IP. The New IP system includes top-down checks and balances and such features as a “shut up command” that would allow a central controller to stop packets from being received or sent by a target “New IP address.” The China-led proposal was first unveiled at the International Telecommunications Union (ITU) meeting in September 2019. The associated PowerPoint presentation and formal proposal have been made available by the Financial Times.
In it, the Chinese government and its state-controlled telecommunications service and hardware providers (i.e. Huawei) make the case that TCP/IP is broken and won’t scale for use in the future internet, which will include things like holographs and space-terrestrial communications. China argues that these new technologies on the old system would require “complex translators” and increase the overall cost to society.
Source: Privacy News Online
12k+ Android apps contain master passwords, secret access keys, secret commands
A comprehensive academic study published this week has discovered hidden backdoor-like behavior — such as secret access keys, master passwords, and secret commands — in more than 12,700 Android applications.
To discover this hidden behavior, academics from Europe and the US developed a custom tool named InputScope, which they used to analyze input form fields found inside more than 150,000 Android applications.
Source: ZDNet