Three important wins for privacy go against the trend of assaults. Talk Liberation - Your Worldwide INTERNET REPORT (Issue 7, 2021)

Apple photo scanning halted, EU fines Facebook over WhatsApp, stalkerware app banned by FTC. Facebook launches "spy" glasses, iCloud use still risky and Walgreens exposes Covid-19 test information.

Issue 7, September 2021

Apple backs off from CSAM photo-scanning after widespread criticism

As covered previously in Talk Liberation, Apple was due to launch Child Sexual Abuse Material (CSAM) photo scanning across its products but has decided to halt the roll-out of “child safety features” after criticism across the Internet and actions by both civil liberties groups and privacy advocates. CSAM scanning would have occurred before photos are uploaded to Apple’s iCloud servers, where auditing for illicit material already occurs.

Talk Liberation is committed to providing equal access for individuals with disabilities. To view an accessible version of this article, click here.

The ACLU was one of the most vocal opponents of Apple’s CSAM scanning plans, warning:

“We are concerned that governments will exploit these changes to conduct far-reaching surveillance, and that the new system could normalize government spying on our personal phones and computers, leaving no remaining places where digital privacy is still possible. This should worry everyone: Privacy is central to our identities and our autonomy — our ability to control information and our sense of self, as well as our interactions with others, free from government intervention.”

An online petition gained steam with nearly 60,000 signatures and supported by organizations such as Surveillance Technology Oversight Project (S.T.O.P.) and Restore the Fourth. “No SpyPhone” protests were organized across the U.S. by Fight For The Future and with the support of the Electronic Frontier Foundation and local groups.

In a statement to 9to5Mac, Apple said:

“Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

Apple has not clarified a timetable for launching these features and they were not touched upon at Apple’s recent iPhone 13 event.

Facebook and Ray-Ban team up to sell “spy glasses”

Essilor Luxottica’s Ray-Ban brand, known for its iconic wayfarer frames, has released smart glasses that contain Facebook recording technology. Ray-Ban Stories smart glasses incorporate two cameras that can capture still images and 30-second video clips, as well as record audio and take calls. Facebook says an LED light on the glasses alerts bystanders when a wearer is snapping photos or recording.

Privacy experts have voiced their concern over the product, noting that a wearer can record someone surreptitiously. As Susan Landau, professor at The Fletcher School at Tufts University, puts it:

“[T]he LED light, can you cover it up? Yes, you can cover it up. And if you can cover it up, and the  glasses still work, that’s not a whole lot of protection.”

Facebook CEO Mark Zuckerberg wearing Ray-Ban “smart” sunglasses.

Reactions across the web have likewise been skeptical. Buzzfeed's Katie Notopoulos described Ray-Ban Stories as “barely perceptible spy glasses” and culture critic Ella Dawson has called the product “another privacy disaster from Facebook.”

As is common with Facebook products, there are additional concerns related to the collection and processing of data. For example, Karissa Bell noted in Engadget that the glasses store transcripts of a wearer’s speech commands that are accessible to “trained reviewers.”

Facebook’s push into smart glasses and wearables is a part of its augmented reality (AR) or “metaverse” strategy. This conception of merging digital and physical spaces has been described as the frontier of technology, a dream of Big Tech companies that has emerged during the Covid-19 pandemic. Mark Zuckerberg has dubbed Facebook a “metaverse company” and Microsoft has also popularized the term.

Though Facebook and Ray-Ban’s smart glasses do not yet feature AR technology, it is planned for future versions. “AR glasses are what we’re working towards,” says Facebook product director Monisha Perkash.

Stalkerware app banned by FTC

Spyware application SpyFone has been banned from the surveillance industry in a unanimous vote by the  Federal Trade Commission (FTC). In an unprecedented move, the FTC determined the company was improperly collecting data from thousands of users and exposing it on the Internet. The decision makes it more difficult for SpyFone and its CEO Scott Zuckerman to continue business in the surveillance industry as the company is banned from promoting, offering or selling any spyware technology.

According to the FTC, SpyFone secretly collected and stored user data including physical movements and other online activities using a hidden device hack. Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection stated that “SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information.”

SpyFone is marketed as an app useful for parental control, however it is often used for other purposes including spying between family members and spouses. The spyware is secretly installed onto the target's phone and collects messages, images, online history and location. Additionally, the lack of security in the software put targets at risk. According to Vice, an insecure Amazon cloud storage server was sharing the data SpyFone spyware was collecting from more than 2,000 users’ phones.

The FTC has ordered SpyFone to delete all illegally obtained data and to notify the victims who had the software installed on their devices.

Cloud-based service iCloud poses a serious privacy risk

A California man has pleaded guilty to four felonies in a hacker-for-hire scam involving iCloud. Hao Kuo Chi used social engineering tactics by impersonating an Apple customer support technician. Chi then stole iCloud passwords, hacked into the accounts and stole nearly 620,000 photos and videos. According to a report in the LA Times, Chi intended to steal and share nude photos of young women.

The 40-year-old admitted to breaking into the accounts using the name “icloudripper4you,” obtaining the username and password from unsuspecting customers.

The case demonstrates the security and privacy risks associated with using cloud-based services from companies like Apple. This comes at a time when Apple announced its new feature Child Sexual Abuse Material (CSAM) aimed at targeting child sexual abuse through the scanning of iCloud images and videos, a measure which they have since delayed indefinitely amid widespread uproar over the negative privacy impacts for users.

Health app accused of selling the reproductive and sexual health data of its users

Flo Health Inc. is facing a class action complaint for allegedly sharing users’ health data with third parties without their consent. The Flo Health period and fertility tracking app helps women track their menstrual cycles and fertility while also collecting other health data including intimate information related to sexual health.

The claims against the company include breach of contract, invasion of privacy and “violation of the Federal Stored Communications Act.” The lawsuit combines seven proposed class actions from this year.

Filed in a California criminal court, the lawsuit reveals the third parties receiving this data include Facebook, Google, Flurry and AppsFlyer, who are listed as co-defendants. Additionally, the third parties are accused of “aiding and abetting.” The lawsuit claims that the Flo Health app collected and sold user data in violation of the company’s privacy policy which assures users that it will not share their information, according to a plaintiff.

EU charges Facebook with WhatsApp privacy violation

When WhatsApp, owned by social media giant Facebook, changed its terms of use in May, users were dismayed to find more extensive use of private information than disclosed. Demonstrations ensued at places such as Facebook’s Hamburg offices in Germany.

Now the Irish Data Protection Commission, acting on behalf of all of its EU counterparts, has formally imposed a fine of €225 million (US $266 million) on Facebook’s WhatsApp unit. The penalty was for failing to disclose the full extent of data collection practices and how the information was being shared with other parties, such as other units of Facebook.

Walgreens fails to protect Covid-19 testing data

A report by Vox Recode revealed that millions of Americans who received a Covid-19 test at Walgreens have had their personal data exposed on the open web for months, with the pharmacy chain denying this is a problem. This data includes name, date of birth, gender identity, phone number, address, and email. In many cases, results from tests are also included.

The URLs for test result pages are identical except for a unique patient ID contained in a “query string”. When this URL is accessed, the patient’s test record loads with sensitive personal information. That URL can persist in browser history, and might be accessed by anyone on a shared computer or by network intermediaries.

This privacy issue was reported to Walgreens by Alejandro Ruiz, a consultant with Interstitial Technology PBC, who discovered the problem in March. The pharmacy chain was not responsive.

Since the patient ID is shared in the query string, it can also be logged by web servers and scripts that load on the Walgreens pages.

Walgreens Covid-19 test appointment page with sensitive ID blurred.

Sean O’Brien, founder of Privacy Lab at Yale Law School and CSO at Panquake.com, was one of the security experts who verified these findings for Recode, saying:

“Security by obscurity is an awful model for health records, especially when phone numbers, email addresses, and other personally-identifiable information are revealed to anyone who has a URL. From a security standpoint, appointment systems have long surpassed the awful implementation that Walgreens is using. It may seem convenient to provide a simple link with tons of data on the patient available, but it is never good practice.”

Experts are also concerned about the number of advertising trackers Walgreens embeds in the test result pages. These trackers, which include Adobe, Akamai, Dotomi, Facebook, Google, InMoment, and Monetate, could be accessing patient IDs and other data tied to the patient record.

Zach Edwards, researcher from the firm Victory Medium, suspects this may be the case. He said: “This is either a purposeful ad tech data flow, which would be truly disappointing, or a colossal mistake that has been putting a huge portion of Walgreens customers at risk of data supply chain breaches.”

Walgreens did not respond to the report directly. After weeks of disclosure, the company has quietly added a form in front of test results that asks visitors for date of birth. It is unclear what effect this will have on overall privacy of the system and experts have yet to weigh in.

Apple changes app store to placate regulators

In an attempt by the Silicon Valley giant to preempt more severe regulatory scrutiny, Apple has unveiled significant changes to its App Store. Critics had pointed to abuse of its global dominance in the phone app market and suggested the recent move was aimed at placating regulators and staving off further investigations and lawsuits.

Joshua Davis, a University of San Francisco law professor, told AFP that Apple’s concessions were “extraordinary” and a rare move. Until now, Apple has been able to use its control over the App Store to extract up to 30% for purchases of apps and payments. Apple has now agreed to some loosening of restrictions on payments after a class-action lawsuit from small developers.

US Army biometric system left behind in Afghanistan could fall into wrong hands

The US Department of Defense has announced that it has adopted “prudent steps” to prevent its biometric surveillance system in Afghanistan from falling into the hands of the Taliban. The system contains personal information on millions of Afghans. Human rights advocates warn that it could be used by the Taliban to identify and target people who worked with the previous US puppet regime in Afghanistan or international organizations that promoted agendas not supported by the Taliban, such as women’s rights.

The 15-year-old system was put in place by the US military and was shared with the Afghan government. It contains millions of fingerprints, face photos and iris scans of Afghan citizens collected by the US forces and its auxiliary troops from other countries. Their objective had been to capture such data from as many people in Afghanistan as possible.

Thirty-six civil society organizations signed a joint letter calling on governments, aid organizations and private contractors that created databases in Afghanistan to close them down.

That concludes Your Worldwide INTERNET REPORT for this week! 

Remember to SUBSCRIBE and spread the word about this amazing news service.

This issue of Your Worldwide INTERNET REPORT was written by Taylor Hudak; Edited by Suzie Dawson and Sean O’Brien; Graphics by Kimber Maddox; with production support by David Sutton.

Talk Liberation - Your Worldwide INTERNET REPORT was brought to you by panquake.com. We Don’t Hope, We Build! 

© Talk Liberation CIC Limited. The original content of this article is licensed under a Creative Commons Attribution-ShareAlike 4.0 International license. Please attribute copies of this work to “Talk Liberation” or talkliberation.com. Some of the work(s) that this program incorporates may be separately licensed. For further information or additional permissions, contact licensing@talkliberation.com