iPhone Virus Lets Criminals Fake Your Face and Amazon Sent to Court for Alexa Voice Snooping (Issue 32, 2024)
Also, the European Court of Human Rights bans weakening of secure end-to-end encryption, and a US state's proposal for parental consent on social media raises free speech issues...
In this edition:
iPhone Trojan Targets Face Data in Bank Account Breaches
Microsoft & Twitter X Support KOSA Bill Opposed By Privacy Organizations
Alexa Users Hit Amazon with Lawsuit Over Voice Data Snooping
US State Governments Debate Use of Reproductive Data
Battle in Utah Over Parental Consent Laws Deemed Unconstitutional
US Face Data Used for Predictive Policing as Facial Recognition Expands
European Court of Human Rights Bans Weakening of Encryption
Instagram Rolls Out Client-Side Message Scanning for Minors
iPhone Trojan Targets Face Data in Bank Account Breaches
The GoldPickaxe trojan, a new form of Apple iOS malware developed by the clandestine group GoldFactory, is raising concerns among cybersecurity experts. This virus not only harvests facial recognition data and personal identification documents but also captures SMS text messages from infected devices such as the iPhone, creating a perfect storm for bank account breaches.
The malware's ability to blend stolen face data with AI technology to forge deepfakes is novel and underscores the security vulnerabilities introduced by biometrics. Deepfakes created with the help of data breached by GoldPickaxe enable criminals to bypass bank security measures that rely on face verification. This new virus is based upon the previous GoldDigger trojan for Android devices, but its ability to bypass all Apple security measures on the iPhone reveals a sophisticated level of attack planning.
While the immediate focus of the GoldFactory cybercriminals appears to be within the Asia-Pacific region, the rise of malware that steals face data is a global concern. This attack signifies an ominous new trend reminiscent of the first WannaCry ransomware, which also ushered in a new age of malware and a new approach to cybercrime.
Microsoft & Twitter X Support KOSA Bill Opposed by Privacy Organizations
The recent Senate hearing on the Kids Online Safety Act (KOSA) has raised significant privacy concerns. Microsoft and X have pledged their support of the bill despite widespread objections from digital privacy and civil liberties organizations. Privacy advocates, alongside security professionals and LGBTQ groups, express trepidation that KOSA could lead to widespread censorship and infringe on fundamental rights, potentially isolating and harming the very groups it aims to protect.
Activism director Jason Kelley of the Electronic Frontier Foundation (EFF) said KOSA “remains a dangerous and unconstitutional censorship bill” and wants to see the bill opposed despite recent changes to its text. The EFF is spearheading an online campaign against the bill, asking Americans to “Tell Congress: KOSA Will Censor the Internet But Won't Help Kids.”
Backers of KOSA point out well-known mental health issues with social media, with a spokesperson for the advocacy group Fairplay stating, “The Kids Online Safety Act is our best chance to address social media’s toxic business model, which has claimed far too many children’s lives and helped spur a mental health crisis.”
Others are skeptical about KOSA’s intent and its capability to address these issues. “This bill still rests on the premise that there is consensus around the types of content and design features that cause harm. There isn’t, and this belief will limit young people from exercising their agency and accessing the communities they need to online,” said Aliya Bhatia, policy analyst for the Center for Democracy and Technology.
Microsoft and other large technology firms have been spending billions of dollars on large language models (LLMs) and AI. Advances in software such as OpenAI and Twitter X’s Grok have far-reaching implications for mainstream social media, as content recommendations and advertising surveillance are now powered by AI models.
Evan Greer, director of Fight For The Future, has emphasized the crossroads of KOSA and these recommendation engines, saying, “[T]he fundamental problem with KOSA is that its duty of care covers content specific aspects of content recommendation systems, and the new changes fail to address that.” Greer adds that applying KOSA to these systems could lead to more harm “by engaging in aggressive filtering and suppression of important, and in some cases lifesaving, content.”
Alexa Users Hit Amazon with Lawsuit Over Voice Data Snooping
Amazon users have reinstated their class action lawsuit against the company for using customer voices for targeted ads without disclosing the practice. The suit follows the publication of the research paper “Your Echoes are Heard: Tracking, Profiling, and Ad Targeting in the Amazon Smart Speaker Ecosystem.”
This study reveals that Amazon utilizes Alexa voice data to target ads on Echo devices as well as off Amazon platforms with advertisers across the Internet. The class action suit claims that this practice contradicts Amazon’s privacy policies.
The report unveils an extensive data-sharing network between Amazon and as many as 41 advertisers who in turn share the data with 247 other third parties including advertising services. Advertisers bid as much as thirty times higher for particular users based upon their interest category.
Prior to this report, Amazon agreed to pay a $25 million civil penalty as part of a settlement with the US Federal Trade Commission (FTC) and the US Department of Justice for violating the Children’s Online Privacy Protection Act Rule (COPPA Rule). In that FTC action, Amazon was found to have retained recordings of child voices and their geolocation data by default.
US State Governments Debate Use of Reproductive Data
Amid a growing privacy crisis, US state governments and federal bodies are debating the usage of reproductive health information in the wake of a shocking federal report. This report unveiled that a data broker, Near Intelligence, collected smartphone location data to target millions of Americans with anti-abortion advertisements after they visited Planned Parenthood offices.
Although federal law prohibits medical providers from sharing patient health data without consent, there is no such restriction on tech companies from tracking and selling information related to menstrual cycles or location. This has intensified the debate on privacy in a country deeply divided over abortion rights, especially after the US Supreme Court's decision to overturn Roe v. Wade.
While some US states have tightened abortion laws, others work to preserve access, introducing concerns about the potential misuse of sensitive data in targeted ads, law enforcement, or by those opposing abortion.
Sean O'Brien, founder of Yale Privacy Lab and CTO for Panquake.com, says there is a pervasive problem with the way health information is being used. In a report by the Associated Press, he notes that the problems with location surveillance are widespread, saying, “The software supply chain is extremely polluted with location tracking of individuals.”
Battle in Utah Over Parental Consent Laws Deemed Unconstitutional
Legislation recently passed in the US state of Utah intends to restrict social media access by minors under the age of 18. Two bills were recently passed in Utah that split up Utah’s Social Media Regulation Act but maintained its broad outlines. Throughout 2023 and early 2024, the Social Media Regulation Act was broadly opposed by civil liberties groups for its far-reaching restriction of websites beyond social media like Facebook. Following this opposition, the Act was replaced by two separate bills that have now passed but have yet to be implemented.
All versions of these laws require websites and apps to obtain parental permission for users under 18 years of age, effectively requiring users of all ages to provide sensitive identity documents, such as a driver’s license or passport, or biometric identification via methods such as facial recognition. Even after minors obtain parental consent to access a website or app, the laws impose broad restrictions on the speech and interactions of minors.
Utah residents represented by the Foundation for Individual Rights and Expression (FIRE) asked a US District Court to declare Utah’s Social Media Act unconstitutional before it took effect on March 1, 2024. This followed a December 2023 lawsuit by tech industry group NetChoice. Such legal actions, coupled with grassroots support, resulted in the splitting of the legislation into multiple bills that include new provisions such as a private right of action for harms associated with a minor’s use of algorithmically curated content. Those bills were passed quickly in the Utah legislature and will take effect on October 1, 2024.
As these new laws are debated in Utah, the state has become a battleground for legislation across the US. This follows widespread dissatisfaction with current social media platforms. The negative impacts these platforms have on children in particular are now a hot topic across US government institutions, even resulting in an advisory by the US Surgeon General.
US Face Data Used for Predictive Policing as Facial Recognition Expands
Privacy advocates have been opposing the sharing of data obtained from facial recognition technology (FRT) for decades, as implementation of FRT has become commonplace across the globe. Due to the labyrinthine laws and agreements surrounding the usage of biometric data, it can be very difficult to find out who has a copy of your face data. The EFF’s “Who Has Your Face?” reveals the broad sharing of face data in the US, but this can only give hints as to which agencies might be using your face in their datasets.
This data obtained from real faces is being coupled with predictive policing and systems designed to guess what a criminal’s face looks like. US police are now taking DNA samples from a crime scene and running them through a service operated by Parabon NanoLabs that creates a potential version of the perpetrator’s face, piping this rendered image into FRT software to build a suspect list. Since 2014, Parabon NanoLabs has claimed that it can create an image of the suspect’s face from their DNA based upon machine learning (ML) and AI models.
US federal agencies such as the Transportation Security Administration (TSA) are also expanding their use of FRT. TSA is expanding its facial recognition program to 430 airports over the next “several years.” The list of vendors who will have access to the data collected is unknown, and biometric data has in the past been sent to US Homeland Security’s AI research group to “determine the efficacy of the algorithms” that were used.
Civil liberties groups such as the American Civil Liberties Union (ACLU) have continued to point out the problems with such collection, usage, and collation of face data, asking US citizens to oppose these latest advances of FRT at the TSA.
European Court of Human Rights Bans Weakening of Encryption
The European Court of Human Rights has delivered a pivotal judgment prohibiting any general weakening of secure end-to-end encryption (E2EE), underlining the vital role encryption plays in safeguarding against criminal hacking, identity theft, government surveillance, and unauthorized information disclosure.
The Court emphasized that alternatives exist for monitoring encrypted communications that do not compromise overall user security, such as exploiting software vulnerabilities or deploying targeted implants. This ruling categorically deems the EU Commission's proposed “client-side scanning” within its chat control bill as illegal, highlighting this technology’s potential to compromise the privacy of all users rather than focusing on specific suspects.
Patrick Breyer of the Pirate Party hailed the decision as a landmark victory for digital privacy, stressing that secure encryption is essential for protecting communications and criticizing an EU Council draft that still threatens to undermine encryption technology.
Instagram Rolls Out Client-Side Message Scanning for Minors
Meta's new feature on Instagram to shield minors from "inappropriate images" using client-side scanning has raised significant privacy concerns. This deployment is part of a larger effort by Meta to alter the experience on its platform for young users, including stricter default settings.
Client-side scanning for content that may be inappropriate or illegal has been criticized by privacy advocates since the earliest proposals by Apple, which has since backed down from its implementation. Opponents of client-side scanning of user devices point out the high potential for abuse and backdoors, which could be used for government or corporate surveillance or by cybercriminals, as well as the likelihood of false positives leading to bogus lawsuits and prosecution.
Meta has also been taking a strong approach to content curation and removal, limiting the recommendation of content that may be political or inflammatory. This change occurred without any prior notice for users on Instagram, which now limits political content by default. Such “automated censorship” has recently been the focus of a series of journalistic reports about social media and the publication power of Big Tech platforms.
That concludes this edition of Your Worldwide INTERNET REPORT!
This issue of Your Worldwide INTERNET REPORT was written by Matt Millen of WillenRimer; Edited by Suzie Dawson and Sean O’Brien; Graphics by K4t4rt; with production support by Beth Bracken.
Talk Liberation - Your Worldwide INTERNET REPORT was brought to you by Panquake.com. We Don’t Hope, We Build!
© Talk Liberation Limited. The original content of this article is licensed under a Creative Commons Attribution-ShareAlike 4.0 International license. Please attribute copies of this work to “Talk Liberation” or talkliberation.com. Some of the work(s) that this program incorporates may be separately licensed. For further information or additional permissions, contact licensing@talkliberation.com